Overview

overview

10

Static

static

6

d4f5730188...35.apk

android-9-x86

7

d4f5730188...35.apk

android-10-x64

7

d4f5730188...35.apk

android-11-x64

7

deper.apk

android-9-x86

10

deper.apk

android-10-x64

10

deper.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d4f5730188d3e9bb6ccd428ca36c934e6a83fffb45afd717d9f1d7a2aa866235

  • Size

    11.6MB

  • Sample

    250321-xpr5zazm12

  • MD5

    429076ed77ff71d34def00f2a8f8e59d

  • SHA1

    3dc9b3095d33ee27f3abb7883ee061d86f941a94

  • SHA256

    d4f5730188d3e9bb6ccd428ca36c934e6a83fffb45afd717d9f1d7a2aa866235

  • SHA512

    421368282569d882b152b8b70263deaa12ba8f302dbbf040a7350eb0cc35ce405003070ee485de375443dbf917e8a3d8ca82f69214f54c93913914d0c0ad1d46

  • SSDEEP

    196608:gG//dDvCiDORp/LnSZlFAU/dL4QW7nVXx9L2RfoRRgkkwABYYZDkO8xbo0QPbs13:gK9qiDOP/LKlmU1LKBx+fongkkVYwsoG

Score
10/10
trickmoandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Extracted

Family

trickmo

C2

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Targets

    • Target

      d4f5730188d3e9bb6ccd428ca36c934e6a83fffb45afd717d9f1d7a2aa866235

    • Size

      11.6MB

    • MD5

      429076ed77ff71d34def00f2a8f8e59d

    • SHA1

      3dc9b3095d33ee27f3abb7883ee061d86f941a94

    • SHA256

      d4f5730188d3e9bb6ccd428ca36c934e6a83fffb45afd717d9f1d7a2aa866235

    • SHA512

      421368282569d882b152b8b70263deaa12ba8f302dbbf040a7350eb0cc35ce405003070ee485de375443dbf917e8a3d8ca82f69214f54c93913914d0c0ad1d46

    • SSDEEP

      196608:gG//dDvCiDORp/LnSZlFAU/dL4QW7nVXx9L2RfoRRgkkwABYYZDkO8xbo0QPbs13:gK9qiDOP/LKlmU1LKBx+fongkkVYwsoG

    Score
    7/10
    evasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2behavioral3

    • Target

      deper.apk

    • Size

      7.0MB

    • MD5

      36293c4041b160762326ca6a4cb1ac67

    • SHA1

      9caf849114740c2020ba95367cfc7e9588521dff

    • SHA256

      a1729baa1a8e959d01453ab87906b9d6711886a48f04a2d48320320361ef1d95

    • SHA512

      73f8f959f81a37d143f4d889add7c5676e267de93e709b965deb14666c366e39549de9c9d42f6414414a025cf5a5ea36e02737816e72cd291858147f2575478c

    • SSDEEP

      196608:XvCojoIc9v96Dv85B6gkQQ9ceP14W8xf9D:FUIc19cv8j6gkXcIq9D

    Score
    10/10
    trickmobankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

    • TrickMo

      TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.

      trojaninfostealerbankertrickmo

    • Trickmo family

      trickmo

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Queries the mobile country code (MCC)

      discovery
    behavioral4behavioral5behavioral6

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Tasks