Analysis
-
max time kernel
28s -
max time network
24s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
21/03/2025, 18:06
General
-
Target
90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495.apk
-
Size
9.2MB
-
MD5
8a58d7aa7729a84e4ee0ef963caa5be3
-
SHA1
87e933bec88b736f1de6f70cec42a81e9e36e9a1
-
SHA256
90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495
-
SHA512
589cb13f9cbd044f14f910ffce806d8c8df05ed54fdbd6062ab0705162df4863cfce187db6ddfa757e6eef365e3c4459f218de65932431dd85ad63d497d6960d
-
SSDEEP
196608:OBO3phigDUUVdYknQNPLJTlbE/ZdYwr0PMCx0jv5LtE:OI5YEJnYVTlbQZdYURLtE
Malware Config
Extracted
trickmo
http://b-fulltime.org/u3n6hcu6te3b46gc
Signatures
-
TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
-
Trickmo family
-
Loads dropped Dex/Jar 1 TTPs 8 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
efja.fast805.touchs1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_yard/IJ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_yard/oat/x86/IJ.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD545039e907203a7f1bfd2a46c495d678d
SHA10a946711f6738db293680968bd05ee77d9c9c7b8
SHA25670ca8442c5c04c35f4c341e4d91492356a70a9e435233ad955e9374b9e2945da
SHA512f3aa051af7bf4e77f6a62eb0acd2a68fc79d12b61f2f2e98a1cea6c1e700b9dafc9287d9c37957653298c3ec29a88c2ba7dc56aa2e05a379cd87010f98181523
-
Filesize
4.9MB
MD5569de88fc6ba465b63b734683daa8af7
SHA1ae8b7054ed78707c8eeb295889b102c02689f985
SHA256abd9619c98bcf1ef70811daf2f1eeed2f8f7291b685dcaa4e09dc1008207d38c
SHA512d09c3f136c512089569867146e634d1126d039bd319ebbe160b547736994cea3ff372abf411b6c5cd7afae9a97c043b0d98bca5ad254041d6be2c61ee0a5312f
-
Filesize
17KB
MD5d780f836fe54e51872bf31220a4dcb77
SHA15136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA25632abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA51262842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635
-
Filesize
512B
MD52151df6a734554532df8a2c0198078d4
SHA13eed1bc9d04f695cf75d416ca93f5537a583b143
SHA256cf7f57751cd49bf0773e62292f4edf3c34a6bad2e5201a89f70beb105b76f9af
SHA5126b8fca7e0068cd43f39241c938eaab297afc26695f46b0ba71eba2e293f0dac5fb2cff442faa892fe48f3d949a9c7d970aa109867ce1089c174561c820aad7fb
-
Filesize
32KB
MD5ab69dceca53d0bae09e223989fb40f40
SHA14519f0260c3c6db06d57d6a9c6bacdee8076da03
SHA25615db6b182d644d19fc507a419365d6e8e19400de1f72d966426e73d52c2d71d2
SHA5122c5021d9e5ef9358dbcede0084f5cc2b4a4067543758ca9088516c04789b4228f24004353f906df6952bc81aa20649f2add4ba23f498e565466d7a05eacd2807
-
Filesize
256B
MD5e1f6271a47039581cbd80f085a9f846a
SHA1e87a79ca906264cbfe34f18851b5fba9cd9c61ab
SHA256b1fc78b6ffac69d610b76e04a709dd7aae824301d76aa2fd227232c84432233c
SHA51260fd76d2e47ebf3710d08eaff6c96ab26d6b8c39410fef8750daf70b6efb9b7ad45e18ce4621e3df0e60854a1aebbfe67146cc38bbcbfcf7ec5eeb4cca1a910e
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5d53a89530298032a8c0852af1aada634
SHA10243ce484c18525fb3f04492c70d2d877b8375f1
SHA256ca22397b6b21326f9786c4b1dcfe3a28688251c67da3932e74f1f615c1a5ae4b
SHA5121c3ec98a7e7964082c7362c2e498ea8fb863eaa9ffab8f2438f09f3b77a8ea463857d44f9a89622002c87b746ea58bcd3befe8847ee2986fcd14ed731e7f76a5
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5dde1f7e7e15588ad430a1ba0bf7417c2
SHA11e42c88cedfd4977d5c5164eb9fc8628607e6dde
SHA2567339a4edfe84bf831f949e3ab3e0f22cd1d3dd500d9f1ddde06c14160b2fb7a1
SHA5126332729e2a8b28d354675645d538d78c585ff06c87212962d689124a5764d531b32f2d02dadeea32ca138dcc5a9940e644cd6073ff208d82d7d50f485cf4eb39
-
Filesize
173KB
MD5ad3c51a65ea4ccf2c4aebe0d7c654710
SHA16be67013ad17efc8b1292331c8ab20cae1f5ca04
SHA256b691b5b9ae754c419db4ddefa1e2622cfe59e4dea336218424527aa2ed4d845e
SHA512ebb3a969bbebba046507432f6af66b72dbde94dbb57aa9d4327905a6b842a8503c885fd8c434f55f8031180a07816ba1ad74b88243048c42783ad4820094c32e
-
Filesize
16KB
MD560951f8923220289af5004a4cedf36aa
SHA1ffddc0bc642fefb2d87897d3670d53ba4a8934ad
SHA2568653d83171cf8c45c5cec20d72f0de97c23b613661d103db9a219b6a52635e12
SHA5129d0681172b598b76f1ef62e0e12a62a6bb2017a3da73dff2376c5b67a7e46d0b9453b0c6431774b3cf4adce193d96faf71e135fb557c2cbab6b249f2cbeae114
-
Filesize
10.9MB
MD535d4cda95e19e9be467673c78e1e2fa2
SHA13868d4dda794c360f57ba650c332b39ce5c68d8e
SHA2566c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746
SHA512577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7
-
Filesize
308KB
MD5af76bf112a1486f959993ab101d1dfb3
SHA1d38bd79b0d58135807b7e9038f35e099bc8b18ac
SHA2569a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326
SHA512de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825
-
Filesize
266KB
MD50c7e31c4fa49c111285906ca8c2e0672
SHA1b1b42dfa3d36dbc0a1a0f1cb69616022ff635891
SHA256a9381cbba32fbad21246ea5f933317f0577abbc1c1d0451ea80b079763f77389
SHA5126d3fa945dc48f48d322161d17771f459f8e80b2ef5760b460bd1ee70b5b339e8981421bd50983ef6d810983a4381be3c7a0227cabb9f74241a32b3f7f284e2ab
-
Filesize
1.7MB
MD530465152db261852e3a226a666ec4304
SHA1442a188e07db85653022734d0a8537d4312aef38
SHA256c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
SHA5123b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63
-
Filesize
83B
MD5e3dea80181292c373e97a6fb843c123c
SHA157996273dfc584d2f94d4bb4a0d9076052675897
SHA256d3f1c36e1775cb6d7a17e238d765cdb43687231fe042fae06475822ccc0aab65
SHA5129f6ec47bff0446fce638b87cc8b995572616b9d157aaa24f9e44dd49f3b2de886824e0a0b4f760776de5d7a5fa8a0a1d8b49c780f0082393ae71a11504ef7fe1