Analysis
- max time kernel: 146s
- max time network: 153s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 21/03/2025, 18:17
Static task: static1
Behavioral task: behavioral1
  Sample: 90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495.apk
  Resource: android-x64-arm64-20240910-en
General
- Target: 90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495.apk
- Size: 9.2MB
- MD5: 8a58d7aa7729a84e4ee0ef963caa5be3
- SHA1: 87e933bec88b736f1de6f70cec42a81e9e36e9a1
- SHA256: 90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495
- SHA512: 589cb13f9cbd044f14f910ffce806d8c8df05ed54fdbd6062ab0705162df4863cfce187db6ddfa757e6eef365e3c4459f218de65932431dd85ad63d497d6960d
- SSDEEP: 196608:OBO3phigDUUVdYknQNPLJTlbE/ZdYwr0PMCx0jv5LtE:OI5YEJnYVTlbQZdYURLtE
Malware Config
Extracted config for family trickmo:
http://b-fulltime.org/u3n6hcu6te3b46gc
Signatures
-
TrickMo
TrickMo is an Android banking trojan, first seen in September 2019, that can intercept 2FA codes.
-
Trickmo family
-
Loads dropped Dex/Jar 1 TTPs 8 IoCs
Runs an executable file dropped on the device during analysis.
ioc: /data/user/0/efja.fast805.touchs/app_yard/IJ.json
  pid: 4431
  Process: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_yard/IJ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_yard/oat/x86/IJ.odex --compiler-filter=quicken --class-loader-context=&
ioc: /data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes2.dex
  pid: 4431
  Process: /system/bin/dex2oat (same command line as the first row)
ioc: /data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes3.dex
  pid: 4431
  Process: /system/bin/dex2oat (same command line as the first row)
ioc: /data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes4.dex
  pid: 4431
  Process: /system/bin/dex2oat (same command line as the first row)
ioc: /data/user/0/efja.fast805.touchs/app_yard/IJ.json
  pid: 4402
  Process: efja.fast805.touchs
ioc: /data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes2.dex
  pid: 4402
  Process: efja.fast805.touchs
ioc: /data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes3.dex
  pid: 4402
  Process: efja.fast805.touchs
ioc: /data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes4.dex
  pid: 4402
  Process: efja.fast805.touchs
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: efja.fast805.touchs
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description: Framework service call
  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
  Process: efja.fast805.touchs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description: Framework service call
  ioc: android.app.IActivityManager.registerReceiver
  Process: efja.fast805.touchs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description: Framework service call
  ioc: android.app.job.IJobScheduler.schedule
  Process: efja.fast805.touchs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description: Framework API call
  ioc: javax.crypto.Cipher.doFinal
  Process: efja.fast805.touchs
-
Checks CPU information 2 TTPs 1 IoCs
description: File opened for read
  ioc: /proc/cpuinfo
  Process: efja.fast805.touchs
-
Checks memory information 2 TTPs 1 IoCs
description: File opened for read
  ioc: /proc/meminfo
  Process: efja.fast805.touchs
Processes
-
efja.fast805.touchs
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 4402
  Child process: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_yard/IJ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_yard/oat/x86/IJ.odex --compiler-filter=quicken --class-loader-context=&
  - Loads dropped Dex/Jar
  PID: 4431
-
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads