Analysis
-
max time kernel
29s -
max time network
27s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
21/03/2025, 17:02
General
-
Target
37c6da21e2e37daee70d4920b38defb1dc8ffad8cd2488c24f4217b8cb71a33c.apk
-
Size
8.1MB
-
MD5
6cdd2c4acee3178b7edd646e86813eb8
-
SHA1
5a3f87bca9fc8341125922a10d0b530fe6e1edfc
-
SHA256
37c6da21e2e37daee70d4920b38defb1dc8ffad8cd2488c24f4217b8cb71a33c
-
SHA512
3b9923d3d052cc23fd9bfd76f9bf5b302585d06d9ab1fb037e929be20fe550ed2c9e8660a11e9744382efa7209e2aea4b3ae5702c0abb377caebd6a8bd30945e
-
SSDEEP
196608:WTRxN22XpL6iSgGP/4T/1s6GW78I+KulzSbXIU7Apjv5Lb:YdMI/oI+K7zI39RLb
Malware Config
Extracted
trickmo
http://b-fulltime.org/u3n6hcu6te3b46gc
Signatures
-
TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
-
Trickmo family
-
Loads dropped Dex/Jar 1 TTPs 8 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
framos.ma581.en1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/framos.ma581.en/app_color/TRAR.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/framos.ma581.en/app_color/oat/x86/TRAR.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5c303e02c6071f2d06ab8d70eb37f106c
SHA10d19128af08462702f7ce35880b4f391439f9198
SHA256eca9df8eb5552fb55c212a33e2d2b5cfc0d39ee884993991f7c0ff0ecc66de0e
SHA512a345994c2d93aad3fa628cd2b81ed60129c2dcebe4294c4c0d8719b1342f266c565c15ade873297f8678e4e2f85cbd6dcc77b1c3a947a152d6eecc99dc1d6a3d
-
Filesize
4.9MB
MD5f6a1ddcf76dbf4ba7f354d008e54bc06
SHA14e343c35c409575aec5e10faaa7ec339148b04e4
SHA2564767a6beefd359f82b729c144b6048baf16fc19e5ed654b6f69458c0a0827e85
SHA512e58640ce6cc4e18a692bfca6c907d2a802fe05c06655ae20c8f65f534107da288dea21cbb1a54f9ed03f93e3337b7e6f010faf60bbe1fbe183823f4417b2a5ff
-
Filesize
17KB
MD5d780f836fe54e51872bf31220a4dcb77
SHA15136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA25632abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA51262842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635
-
Filesize
512B
MD5a02786ce55aeb72e82f198817ce523dd
SHA12c2640b194a59ec0b68530f1bdad73607098b68d
SHA2567f7649640b04da23b781f711439df4ff8b6fb1389d3c0ec30dbfee743259ec1f
SHA5124b492a3d4ce188e0e7a5de1954ee8a5e602e6ebe14444a9c9bcd0b87895b73777aab03a723ae2151e146240746c41a12b5e8f0393fc3f0ed77569e88d0c614b3
-
Filesize
32KB
MD5ffc343fdd965f911699d6d22d359d186
SHA19b303daf0ddc221bd4e48afff49bc90308fd0e37
SHA2561106f2800056600e3f00a62b97e4f98a9d354e685d44737c0848aaaa9cb51476
SHA512d32939eafdc4825f1b858b29ef7338a4ff9fbcf7e78de76cf8d47953832a11a4ac3ba58063bf311563c8680aabee6bad2cbd230c0f18dcf0736db90b2690a1b5
-
Filesize
256B
MD513378c249bbdc64bd8fb44b3d6224450
SHA180b808f076596791941958b8329a0a5183cb6eb1
SHA2569bf3d81032083c956cf64b6f0fa424916d97842b0d228e62e0facc3bb4809f01
SHA512a87c5b6b22b8a52cab013e6258555b1733a2b9d7e6b9e4a5ce41b49b6fe820841b75a5d6d2fe4219fa898bd638692672dfd61eafa79da6813f82823492d0bd77
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD577810fd39644cf8336947ed6be575964
SHA1c00ec7ac714604b28f253303eec70dfeae6e7cbe
SHA25613cffdf28e809719e73f018bcc61c42d368be7acc7b7699798867cd6883b43d9
SHA512111cb0df78c4d78e74ecbd48a3c150ab265db751c5e173491a312432b99d600ecc0810436473c47728f358df10ff5f61cc29d90ad98c36be87ad7c52dd405b73
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5854df86873447731521cceafd88a2ca2
SHA1c7b917095e30aba876058f6be6f6286b6ac81db8
SHA256389ff7aff87b3f7d6a6e308a4970e082abd68a06d4eef99805840f4b32292baa
SHA512b16dd5b54aada03bd31966376f583fcb9461a67811132c3755bbe21945961f03a6974eb7ca1fe34108b8d156cf51fcfa5a86c22a441fc5dc00aaef9a2666aec0
-
Filesize
173KB
MD570f4189fcd34e2b989a47eb0f383d5aa
SHA133dbb609004de28c93021116980d947543a70672
SHA256e923ba7dffa39259964efe81afce6ad676b71aec6e74338f39627a1b57619be0
SHA5126e1314853806b19f6f954c6d73eb072d84aab25e40694ea8af60e1d096574e7304e0db779d477559aa46b42b4ede4725100b8df42f011e04f68045e0e1ce6667
-
Filesize
16KB
MD585a95c403d796c50fdc89fdb337f6722
SHA10d4a83ada7fe3396ca334b9bcf0ee62f2e545118
SHA2568947c34fafc4e072d2ca4725ed300faba98ce62ef2d5642db9e5f6d276253fa7
SHA5126cae576f8f5eaee4811b08349f008c47cfa61336d156046f6fc9949888bf60532a676a43895825da405e58fd152a51b96e7c61eaaef161e74d784f2143cd7cf1
-
Filesize
10.9MB
MD535d4cda95e19e9be467673c78e1e2fa2
SHA13868d4dda794c360f57ba650c332b39ce5c68d8e
SHA2566c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746
SHA512577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7
-
Filesize
308KB
MD576e304dbdf41c2a5273aab2d96aaf04a
SHA125f8b53f1200fa92938408279bac568d6b266e53
SHA25625230fe4edc293753e49079e014984510c447c5ff2b0fc690cc52bd7749690fe
SHA5129e58560c1dcea1e5105c51ce22d5e6286d24383bf28cdd5241c009f3fcaecdb0ec4dc2441967a7977e14963a340d405a8eb6d3c3286a734aa98ba811a6146f4d
-
Filesize
265KB
MD50fb703879afb0f2a30ed760031c209a4
SHA1040a7447e04eb4b7b901acd3808e1198b4901dec
SHA256b88c1487aadeec90bee8d5af7e4aa3d245f6992ccd67dc09d1c4bec527f2e79d
SHA512219b314c2486780ea7f1cd8b49e50b38f5d179d7965204586c1cebd22b909cf92674ba82dbbd5e611aa04e1e04f5211c2f60387b4aa5491085b52810b7f96b1f
-
Filesize
1.7MB
MD530465152db261852e3a226a666ec4304
SHA1442a188e07db85653022734d0a8537d4312aef38
SHA256c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
SHA5123b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63
-
Filesize
83B
MD53d40172a6014ccd018f1ddce24ab4316
SHA1492660be680f1d7d592a7b38fd302313642bedee
SHA256bf90eda507fe4c682d66a863230aa70cb105c48f7690461d385799a952141916
SHA5124e6a879b10d81ffd46a274b6eb99221c17699901b211bf2c34b38521d4cf85a086c6b1f1a09855899354728f7b25b688c6090864c88db9efdc6a9bdb44d47fe3