Analysis
-
max time kernel
29s -
max time network
32s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system -
submitted
21/03/2025, 17:46
Static task
static1
Behavioral task
behavioral1
Sample
9e5da5bf917acd4132c8b3d4b63af9b23d7bc16e71e51bffcd4a82162e598394.apk
Resource
android-33-x64-arm64-20240910-en
Behavioral task
behavioral2
Sample
9e5da5bf917acd4132c8b3d4b63af9b23d7bc16e71e51bffcd4a82162e598394.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral3
Sample
base.apk
Resource
android-33-x64-arm64-20240910-en
Behavioral task
behavioral4
Sample
base.apk
Resource
android-x86-arm-20240910-en
General
-
Target
base.apk
-
Size
7.6MB
-
MD5
3be791e432b3ef50c0c947968afb41b1
-
SHA1
6aecf3056085a44d709879f726b36447ee9f5610
-
SHA256
6c968e052fdb59730897cc37a0e61e69a8c5a20f04400c0276534ae0604c430d
-
SHA512
9def8ad356092a24e936c735b9fb3122a7dfa559c5b2ba2ac8e92428accf4bfadff77c51e893acb917fc6b758de99986c66bd90d8135d5ac89e99e1dd5d952b6
-
SSDEEP
196608:xtK7pfMaBf8C4GfJCtMJCp1Uawqy+DbufUVjv5Lpb:/u1MokCdfEwfqypkRLZ
Malware Config
Extracted
trickmo
http://monster-truck-mx.info/c
Signatures
-
TrickMo
TrickMo is an Android banking trojan, first seen in September 2019, with the capability to intercept 2FA codes.
-
Trickmo family
-
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json 4484 flotin.freeh272.cy
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json!classes2.dex 4484 flotin.freeh272.cy
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json!classes3.dex 4484 flotin.freeh272.cy
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json!classes4.dex 4484 flotin.freeh272.cy
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId flotin.freeh272.cy
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process
Framework service call android.content.IClipboard.addPrimaryClipChangedListener flotin.freeh272.cy
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process
Framework API call android.hardware.SensorManager.registerListener flotin.freeh272.cy
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process
Framework service call android.app.job.IJobScheduler.schedule flotin.freeh272.cy
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process
Framework API call javax.crypto.Cipher.doFinal flotin.freeh272.cy
-
Checks CPU information 2 TTPs 1 IoCs
description ioc Process
File opened for read /proc/cpuinfo flotin.freeh272.cy
-
Checks memory information 2 TTPs 1 IoCs
description ioc Process
File opened for read /proc/meminfo flotin.freeh272.cy
Processes
-
flotin.freeh272.cy
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4484
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime 1
Hide Artifacts 1
User Evasion 1
Input Injection 1
Virtualization/Sandbox Evasion 2
System Checks 2
Credential Access
Clipboard Data 1
Input Capture 2
GUI Input Capture 1
Keylogging 1
Discovery
Software Discovery 1
Security Software Discovery 1
System Information Discovery 2
System Network Configuration Discovery 1
Downloads
-
Filesize
5.2MB
MD5 1d5f03498c4dbe7b67ac3b5f7389bb5f
SHA1 70ed7fbe0a7c1f0d60494b53cec06373b7d2d535
SHA256 d404331794ae327b16b249517d953e1fc79a3fb711e08a7c6fca15e968f26893
SHA512 6f09e7ce0b358eb7dbe433411754c32279d2a0a77eb1dde436063bc636724c5a3540c32c8e65fcc822acbb9e30bf7c978d689cfcf09a46f44334fabafba7e031
-
Filesize
5.2MB
MD5 e3356e851fa19b309543ae4ecae7bf08
SHA1 942787957c6a8fd19ebf6239b2d890585acabc47
SHA256 1ee7551d82349f97d636d868e63db5bf9b802e13a9892f58c38359c15d86a1be
SHA512 278bb1705fd0b6d3d1e4a65f4503f038d8152b5b5fa7a300a519cbe2ce152c8fd898e9b410ee422b96aa763ce5729e05da1e00b9b6c2700be93f34cd11db9c7e
-
Filesize
17KB
MD5 d780f836fe54e51872bf31220a4dcb77
SHA1 5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA256 32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA512 62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635
-
Filesize
20KB
MD5 91af32c14839a2828ca58297e0861362
SHA1 bd758cc0bb47b570da2061d4633aa998a87ed971
SHA256 5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923
SHA512 9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7
-
Filesize
20KB
MD5 ba67515fb9d300409c3efa5181e993d8
SHA1 8f605c5dbfb5d49062000a33c23ae6fcce41b6d3
SHA256 c2cdea19f3fda1503cef17a347184f820f34aafe1f397df15cc510b52cde7526
SHA512 a725a781d90a5750b46b975a68eb7768892cdcdff4933bc4c8d243e9509cbcdc97b08267cf957f15dc130090eec49a8379f13298c6e8ca92a20f2636bc09808f
-
Filesize
512B
MD5 384a6c1ade43f69fec2cd3003cc5a549
SHA1 d4dbf692856f9cfcf3dc1386501bde8b28c2b331
SHA256 2a61ba254cfd7892657ffea7be09a5134e5abd4028ba71ef7f1d187330df77f3
SHA512 6a2f4e31cd33bf54a58cec39ea8fa43adce9b8ef29e0e0dd80a8db5814dfc898eb33bbb5e0511331c92fca705f17d1dca5ee7681742731e4648bfa2e880adad8
-
Filesize
8KB
MD5 e5d79100c5c6465ed69191d6957a78d6
SHA1 6311505bf39bbf1288d8bb095c8c8a067e3d805b
SHA256 8d196355e96e4b64b3a268c2d5b67a78218703a438fe8b35dc7c77f9efabc799
SHA512 722101068d9ec1f98e13b4b172ca6ee064a51369659d361aa98ec58b4b1c71d9042d7e29eeb432167b07819f76b608acc1427d06e6aba8e18f7558bf5aadfe1d
-
Filesize
8KB
MD5 c947e2471bb53de2d514ca269ca2048f
SHA1 6933ab857c93cdcf645b1859627f581f3a34881c
SHA256 2ac3d4ef5c1a56f23b3ee22053bf02680d7e26bcd40120b3c4f1c4136f8f0419
SHA512 7ffe9e21dfc9bb63d9e01e612a78bb0d48fd332782ae74de3a5de1a3b16933dcd751663f20d51600cda23db717b7a3e97736bdf6d768df412ef631b59ab9e784
-
Filesize
12KB
MD5 6c464b4cb526ddcea5ac87ba30076890
SHA1 7a3ca4c6a3546d4cef396a5fd8f990e99335356c
SHA256 2b80521632d9853d09c7ee762cf798f2059dba17c3aa9916323e7a6a98f9b0ba
SHA512 e751424bd6b3c2408e26287b7a847138be78baeabcf71357385d26972bf401a2e2172be9f555dfd426e265e3e6dd2705a9ebfedbb8cd9633e8e288326f8726a6
-
Filesize
256B
MD5 1fc61ae04a241021cdabf34c356e69e7
SHA1 f8b7b2a98ac117435877d81185464b40d3eea26d
SHA256 772c101bb83d20efdbc81083ef67484355bc888ec0d95cc840067513151d8fae
SHA512 9a5ecf0607e1b99a99fefdcdde2d415c9fd556fbe4960d7b9b23a156ec285c1c2ebf97abac45f0b939f60542c307bd7db1088474ecdbae17f0c83bb9a24ff3fb
-
Filesize
4KB
MD5 0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1 fee434f784e73cc7916322e949f727caf8363102
SHA256 b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512 b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8
-
Filesize
512B
MD5 bbf8aac87c1b5c014a8f36034cbc68d0
SHA1 311bb32007541496f4d30486ffc14b968a6e0f30
SHA256 31ea64f783cbcb8ed5302ec61fb1fb6148dff5577b8d97e5222b282d4cb31754
SHA512 53f3dedaba01fdf5e5bc37b33055f1ac0245d3947dc4fab93ccc16adb21ed2f44f520975980ebb5ee3986a12c29edf3a25ca5dbcf6144359a073e74caaac5c71
-
Filesize
32KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
173KB
MD5 598c42ef2ab7210e603d5b7a7d995bbe
SHA1 1e7cbfafc834e970828d475494d3e6a23ef7a407
SHA256 f508bb7b1c5cd5fc82e8107f9945b75b551fa28dbfed9693c58ba24336767205
SHA512 8873ad2e5e2df9cdaf56a7fd99bacc0ccd559a7a720ffd7e9201cedf25d8d64bcb8c5d03ca8400087fa98f381239b9a5be54af0cb73c67ba84ff6613ca066609
-
Filesize
16KB
MD5 470f4744fdde67a34cbe749a61f180b9
SHA1 f7f977fa92a4d4d6d15f20af4c6b97760a74467f
SHA256 eb2fba84e29e6ace7ad3067c3cf346d4bdf82c982a004f6dc3860034518d8074
SHA512 90e11131e8820529be79db5007a2dbc0ef6189c7404d9094fc8bac9d7f0b9ea6d91c088a62571ac0f3b5eefc4c24a7e14c86a49ca74593ca9148ef23a09cf817
-
Filesize
108KB
MD5 b3c3c451e9103186bb93dc5f88fd383e
SHA1 b7a82a23ac873b565ae145e7d2979bf686231e9c
SHA256 772f97b743a432350036bb81df1726ebc4d27e942cef8a7bbbdf3729403cfa70
SHA512 3527dba132bb9db6b697c1f1775370bbede227de9418d6089c4cbf74755e0b7c8bb7c51301ea96342e539c08cdb22e536b6dd0c6c31db46af5983b692fe50a3c
-
Filesize
11.1MB
MD5 28041432b0c51e3e887643272629c83e
SHA1 fbea5dfc62f03e1ff784b410ec0d547de0e8156b
SHA256 85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902
SHA512 7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f
-
Filesize
351KB
MD5 57c3cd19fb542f41b9baaa891246e974
SHA1 4ba134e46f80fa0d0c6d34e50a149161b5cfd1d8
SHA256 9c74cd67633b9470e270c32a04ee6c4ff4f30bc60643804dcfc18d2362bbea78
SHA512 6cd77be465ecbaaf011fcd60b94aff79c59af163981eda1e4a77fba14527d18f69c8782e374be21724b88ff74b207fbb108659085634efe84a7ebcb2af339d14
-
Filesize
267KB
MD5 39f261833dc209edb38e8bb09c57f22f
SHA1 8146eb5a3202052cb1b97f98620dbb35a2b887e1
SHA256 cb64c9dc99105911c6b6fada0fe718d9fd1110158a6f1d4a3db947243b797f4a
SHA512 8e5dda11ddefe15273a9dbe0ca2b648b0a6ef34011f88e21ae1cacfacc2ef7aa704c64151598cc556468c488cbb069b8db28ab79100f4fa66fe0425d5360097a
-
Filesize
1.9MB
MD5 2d73c5997273e3910c1ac1d8db7ba145
SHA1 25737e75ed15863e69d02a14efa781370dfec798
SHA256 411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965
SHA512 7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a
-
Filesize
4KB
MD5 04fbdf428cafd414a5c7db1aad144f5b
SHA1 79d998ccca9200144ad2d30443a4ad8be71ce88d
SHA256 c356e46101fdeebaebb602fe3ecfeacb2f608e026b588575d7c07fb6fbc6709b
SHA512 0870be1b839138a4609a66a3d1483fb9543af293045b3627065b1464d8723c837c92e01a8d1aa07d57ec92ecea703ecfd15b1bc74a79954e91140bde34cec0d8