Analysis
Max time kernel: 29s
Max time network: 29s
Platform: android-13_x64
Resource: android-33-x64-arm64-20240910-en
Resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
Submitted: 22/03/2025, 00:41
Static task: static1
Behavioral task: behavioral1
  Sample: 345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0.apk
  Resource: android-33-x64-arm64-20240910-en
Behavioral task: behavioral2
  Sample: 345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0.apk
  Resource: android-x86-arm-20240910-en
General
Target: 345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0.apk
Size: 8.9MB
MD5: 80d89d1f2000ec6e41ec686e6c2499b7
SHA1: 97517bde058bbd3d1a785edc1a55a76573bd8925
SHA256: 345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0
SHA512: eafae525d54ca46be783c8398848651c43bd5136f62eb54f50996d149ee1274f6aa6c33b74627733a0af76370b4bf75e8041268c47c9070d090d60c4a07c7e71
SSDEEP: 196608:Sjcvj4HDaHNva2kIbcHJcUyOJNy6Uo5Zkajv5LQy:zr4Hutvazc8J9zT5ZnRLQy
Malware Config
Extracted family: trickmo
Extracted URL: http://b-fulltime.org/u3n6hcu6te3b46gc
Signatures
TrickMo
  TrickMo is an Android banking trojan, first seen in September 2019, that can intercept 2FA codes.
Trickmo family
Loads dropped Dex/Jar (1 TTP, 4 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json | 4501 | bakeph.dist292.blog
  /data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes2.dex | 4501 | bakeph.dist292.blog
  /data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes3.dex | 4501 | bakeph.dist292.blog
  /data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes4.dex | 4501 | bakeph.dist292.blog
Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | bakeph.dist292.blog
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description | ioc | Process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | bakeph.dist292.blog
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  description | ioc | Process
  Framework API call | android.hardware.SensorManager.registerListener | bakeph.dist292.blog
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  The application may abuse the framework's APIs to schedule tasks for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | bakeph.dist292.blog
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | bakeph.dist292.blog
Checks CPU information (2 TTPs, 1 IoC)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | bakeph.dist292.blog
Checks memory information (2 TTPs, 1 IoC)
  description | ioc | Process
  File opened for read | /proc/meminfo | bakeph.dist292.blog
Processes
bakeph.dist292.blog (PID 4501)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (1)
- User Evasion (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (1)
Downloads