Analysis
max time kernel: 21s
max time network: 29s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 21/03/2025, 18:37
Static task: static1
Behavioral task: behavioral1
  Sample: 779d85d15301a42e8d84312322730cbae0557dd8e509cf80fbb7d77d70212fd2.apk
  Resource: android-33-x64-arm64-20240910-en
Behavioral task: behavioral2
  Sample: 779d85d15301a42e8d84312322730cbae0557dd8e509cf80fbb7d77d70212fd2.apk
  Resource: android-x86-arm-20240910-en
General
Target: 779d85d15301a42e8d84312322730cbae0557dd8e509cf80fbb7d77d70212fd2.apk
Size: 7.4MB
MD5: 8bfb509f30d63ed32bb6e11a75e46816
SHA1: 7e3291c26b7fd90d5df27eab5405b9a0937d517d
SHA256: 779d85d15301a42e8d84312322730cbae0557dd8e509cf80fbb7d77d70212fd2
SHA512: 96713d07bb0140dfad82059ec3410bd4ccc19352a4f2fa20a8e6a03dca857fbca8cff4aec353b91d54480ac0f5fdbb3f752d25c42dfc0f369200a52232517aa5
SSDEEP: 196608:4oSq14iAuaZ7FFGduvx90YnLpyglv2HjiIHpCxIQjv5Ll:h4iRaZ7FFV7pn8QwjiIJCxPRLl
Malware Config
Extracted family: trickmo
C2 URL: http://b-fulltime.org/u3n6hcu6te3b46gc
Signatures

TrickMo
TrickMo is an Android banking trojan, first seen in September 2019, with the capability to intercept 2FA codes.

Trickmo family
Loads dropped Dex/Jar (1 TTPs, 8 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/inwet.con500.na/app_relax/ot.json | pid: 4431 | process: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/inwet.con500.na/app_relax/ot.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/inwet.con500.na/app_relax/oat/x86/ot.odex --compiler-filter=quicken --class-loader-context=&
ioc: /data/user/0/inwet.con500.na/app_relax/ot.json!classes2.dex | pid: 4431 | process: /system/bin/dex2oat (same command line as above)
ioc: /data/user/0/inwet.con500.na/app_relax/ot.json!classes3.dex | pid: 4431 | process: /system/bin/dex2oat (same command line as above)
ioc: /data/user/0/inwet.con500.na/app_relax/ot.json!classes4.dex | pid: 4431 | process: /system/bin/dex2oat (same command line as above)
ioc: /data/user/0/inwet.con500.na/app_relax/ot.json | pid: 4360 | process: inwet.con500.na
ioc: /data/user/0/inwet.con500.na/app_relax/ot.json!classes2.dex | pid: 4360 | process: inwet.con500.na
ioc: /data/user/0/inwet.con500.na/app_relax/ot.json!classes3.dex | pid: 4360 | process: inwet.con500.na
ioc: /data/user/0/inwet.con500.na/app_relax/ot.json!classes4.dex | pid: 4360 | process: inwet.con500.na
Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | process: inwet.con500.na

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | process: inwet.con500.na

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | process: inwet.con500.na

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description: Framework service call | ioc: android.app.job.IJobScheduler.schedule | process: inwet.con500.na

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
description: Framework API call | ioc: javax.crypto.Cipher.doFinal | process: inwet.con500.na

Checks CPU information (2 TTPs, 1 IoCs)
description: File opened for read | ioc: /proc/cpuinfo | process: inwet.con500.na

Checks memory information (2 TTPs, 1 IoCs)
description: File opened for read | ioc: /proc/meminfo | process: inwet.con500.na
Processes
inwet.con500.na (PID: 4360)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
  Child process: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/inwet.con500.na/app_relax/ot.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/inwet.con500.na/app_relax/oat/x86/ot.odex --compiler-filter=quicken --class-loader-context=& (PID: 4431)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
  Broadcast Receivers (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
  System Checks (2)
Downloads
Filesize: 4.9MB
MD5: 89b3ef5d581853dd635f3c3cdacdfe08
SHA1: 8df04f195c28a0ecde4b8c425e3920dc0d7af6f7
SHA256: 9b6b8acab9c9062338a516e7ae343758ad11c05f376411fe08a7f51552e572bc
SHA512: 3d8fe4983d1bd021747536472973d0fbf1b1983cbb325b5d7a8c05a6fd85476766345ab5ff6ab6b4786e96f68f7a3c62bda72d8286ae9da3bcfdb7714aa1c1eb

Filesize: 4.9MB
MD5: 8054396083d548b3655ce5a73f2e60bf
SHA1: 9242b6268f0023a9fc50bf5c1f8919b37642ac57
SHA256: b8813335a3693f85144474a518ff039d5b08e5853a9016f07e7226b602444e98
SHA512: f4aae3cd86a3143a7992335e1eb837e1fbf5b4ccd2518c9e44850bb40facc608981b8e952bb850ad8a425a711d44feafb1c232dc48a8f738dca1e793a22fefe5

Filesize: 17KB
MD5: d780f836fe54e51872bf31220a4dcb77
SHA1: 5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA256: 32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA512: 62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Filesize: 512B
MD5: 5556beec5ce66a22c88f79ff90e6f17f
SHA1: c2b2ee7a890e447884ede4d0b5dafd42bcba112c
SHA256: 7d192fa56f02580b1598d638da85ef70e54327b335dc1ee4431a2b1166211e20
SHA512: 5d122b74302ebddb7b909999f4fd928ff8f062876d69150f736468de4b8e2c0352353120c9264c62264a3b78bb9c0cc1594635ceb79aba30e362f700395a5ee2

Filesize: 32KB
MD5: 4082d2234ea76537c0331c5c93875b1b
SHA1: 856497c4e45506266b88faff122db19bc4924040
SHA256: 6c3f363bd25bf00b69afc48d81749075a049be5f13503fa37f19e611a832c8f9
SHA512: 543ece7ec127f14f44728e813111353a3e48cc0f412cf693b92666848146d6a5ed0a8d881454ce5ee069c5bfc14229bdc8863f2794b92a034d8eb8ef3556f8c0

Filesize: 256B
MD5: 6f054fd075236b61b626d4d8460aead8
SHA1: 2099d0ac2f98ad830738aeda1741600f55a46ed2
SHA256: 0a2476fa2f9d8708175fd03d1f76a8cd8c4df41c75a1e960c51e32b0d4162ee2
SHA512: 51af5dcd85505ee69a90cbf03e62504b85ab270abd9f462cc8e9fb536345fff53158d22a9ff8e6edb9c35aac72dce9fd62dad0cb400828ffe4de92954bf761f1

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 1ff056e66d7c0b7da3e087a0c3fe6587
SHA1: 899f3f66413f873525c4fb525333b73401356ff3
SHA256: 9ec18a6873a33207c8e514d12f27e2c75e8ba7fa82a6508c0d5f9eafa94b182e
SHA512: 72e105e2500ce584fd2084fee58cdf48ba86b872a2549deb47da9427cda84661a24d0d1236022231648d9b2abb1587b6f8a65524c50720648ba8ae5e0f7f6648

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 108KB
MD5: 62d8cafd027208344d8814793638871d
SHA1: 0afca214cc2e38621ea36a228c4bb8a1d443fb5a
SHA256: 0f78fca4b85b0a816411f46a4993eedada07923fbeab1056b08f42451b24f1c7
SHA512: 5a93618e9665db3a7358d1e79b2ccb0765ef7b509b462170be484b1ae6e657e1f0757e0e50189677e6bd3d43b6c058b07e1a91a6fa955345bf1b4cbefe62ce65

Filesize: 173KB
MD5: 4fc9e9f183608cc307d5225d1d1ed28e
SHA1: 9ae5179af23f7e9fe0f93842ba3d6aa1c4ec4428
SHA256: f7bcd71d7732141e2eeed232b7a375e9c066d984cd583b2c1953152a9e17d0ef
SHA512: 7552611fba728afeb52b00985b05c80ca27ccef04924c636989e7675202e84498c545d68cb0fa736843a879f52e40bed5d4973d7287cbce6c7ffcc70e5fda8a6

Filesize: 16KB
MD5: 83aa1d420f5d254636aa09108f566e93
SHA1: 1c8f57eb673161090362184fe009c583c4d99d8b
SHA256: c12222d4bff0d04243c4c006ebdc8be763ba46fbc3e7cb5974e8fa1c1532b8b4
SHA512: b6d993f55de7a833e7278da04bde80c2ea784bf8538286260a1895ba0769aae31402ddd3f2af3c3719211cebe66ad288f627f90a45ba3be3d1833ccfecbe212e

Filesize: 10.9MB
MD5: 35d4cda95e19e9be467673c78e1e2fa2
SHA1: 3868d4dda794c360f57ba650c332b39ce5c68d8e
SHA256: 6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746
SHA512: 577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Filesize: 308KB
MD5: 7723068245261ada3212130aa8372459
SHA1: 5ba84c7eab28559750cc0c820ac7ab5c79c9c383
SHA256: dbe0a10d12cd4b76d99a3a6881eae6b90f37611739b0baf44ca70287be976a60
SHA512: 445000c9636dadce32054acf13693eee210e600de8311fdd8398f7becd10c789322912312b259a6f1537d5f0df36204754a10d886c8f0c9acbd962b0ca236a6f

Filesize: 265KB
MD5: cdb734ac42d5cc86fb4c3477148fd40a
SHA1: 1440abc288d35324384138e103a5c3b1d24e3d71
SHA256: 63a0fe737e67c644a1115d76cdd068c8e93046da8fd81eb3036eca10a9dee9e0
SHA512: ed280eeb3e2c36be74936745b2a13dec6d196d7d3ef1d80f3341a18887cd865785776de6d67e3c8caab49298cfc068121a3e9165beccf5af8b9e6f423cc9713f

Filesize: 1.7MB
MD5: 30465152db261852e3a226a666ec4304
SHA1: 442a188e07db85653022734d0a8537d4312aef38
SHA256: c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
SHA512: 3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Filesize: 83B
MD5: 91b58d77b1760f4c487b5101d8f3321a
SHA1: 718632b08331cb41660a6907a70dcf5aef441e08
SHA256: 9fcb764cac08b85e66b1f8a8a256e20851af80f304375c6471b3cfc2ffb5381e
SHA512: 335e7653ce6ca49a24f6cf10e2b3acc93fbf9e021725dfc1b2d5e0560ade381782b84a93b4ef8df8fd9137d5e46466ae260db782504310766a26622c8efe339f