Analysis
max time kernel: 29s
max time network: 29s
platform: android-13_x64
resource: android-33-x64-arm64-20240910-en
resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
submitted: 22/03/2025, 00:03
Static task: static1
Behavioral task: behavioral1
Sample: ec59004e19643019010888d239e3a0ea916788d6cafdd71392089d0b988c3048.apk
Resource: android-33-x64-arm64-20240910-en
Behavioral task: behavioral2
Sample: ec59004e19643019010888d239e3a0ea916788d6cafdd71392089d0b988c3048.apk
Resource: android-x86-arm-20240910-en
General
Target: ec59004e19643019010888d239e3a0ea916788d6cafdd71392089d0b988c3048.apk
Size: 7.1MB
MD5: 4db4d4e3debd26c9e7fdd841bbc1ecf5
SHA1: aeefacd157edeb48cc614ffc07d17089c3c9b3b8
SHA256: ec59004e19643019010888d239e3a0ea916788d6cafdd71392089d0b988c3048
SHA512: fe75702aa070a54126f92f3f2dd5e3c5a8d0b4a8c44e6b958b9e958978d3d3d9dcb001db8ecfdad8db8a0638344152d2685665cd9b2cdea43c0faee33ce55653
SSDEEP: 98304:zuPfGhHxNIcEIjxZEloYr4lPcxbKLBOro1g09mBsF7hzhPjJ3lrmFagKHJBb6U9S:SGFIWTplnoFBsFtR19mEgKj+p
Malware Config
Extracted
Family: trickmo
URL: http://mikejprdanorg.com/c
Signatures

TrickMo
TrickMo is an Android banking trojan, first seen in September 2019, with the capability to intercept 2FA codes.

Trickmo family

Loads dropped Dex/Jar [1 TTP, 4 IoCs]
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/butttots.plum676.sai/app_wedding/jdgnHyW.json | 4505 | butttots.plum676.sai
/data/user/0/butttots.plum676.sai/app_wedding/jdgnHyW.json!classes2.dex | 4505 | butttots.plum676.sai
/data/user/0/butttots.plum676.sai/app_wedding/jdgnHyW.json!classes3.dex | 4505 | butttots.plum676.sai
/data/user/0/butttots.plum676.sai/app_wedding/jdgnHyW.json!classes4.dex | 4505 | butttots.plum676.sai
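
A triage check for the dropped container above, added here as an example; it is not code from the sandbox report or from the sample. The report lists classes2.dex, classes3.dex and classes4.dex inside jdgnHyW.json using the archive!entry notation ART uses for secondary dex files inside a ZIP/JAR, so the .json name is cover for a multi-dex archive. The script classifies a file by its magic bytes rather than its extension, enumerates the classes*.dex entries and checks each one for the DEX header, which is what an analyst would run on the file after pulling it from /data/user/0/butttots.plum676.sai/app_wedding/. The container it inspects is constructed in memory for the demonstration (including one extra entry with a DEX name but no DEX header, to show the flag for a packed or encrypted entry); the SHA256 it computes is of that stand-in, not of the real dropped file, and the classify(), dex_entries() and triage() names are the example's own.

```python
"""Classify a dropped file by content, not by name, and list its DEX entries.

Added example, not code from the sandbox report or from the TrickMo sample.
The report shows the app loading classes2.dex..classes4.dex out of a file
named jdgnHyW.json; the ".json" extension says nothing about what it holds.
The container built in build_sample_container() is constructed input for
the demonstration, not the real dropped file.
"""
import hashlib
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a ZIP/JAR/APK
DEX_MAGIC_RE = re.compile(rb"^dex\n(\d{3})\0")  # "dex\n035\0", "dex\n039\0", ...
DEX_NAME_RE = re.compile(r"classes\d*\.dex")    # classes.dex, classes2.dex, ...
CODE_EXTENSIONS = (".zip", ".jar", ".apk", ".dex")


def classify(data: bytes) -> str:
    """Return "zip", "dex" or "unknown" from the leading magic bytes alone."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if DEX_MAGIC_RE.match(data):
        return "dex"
    return "unknown"


def dex_entries(data: bytes) -> list:
    """List (name, dex_version, size) for every classes*.dex entry in a ZIP blob.

    dex_version is None when an entry carries a DEX name but not the DEX
    header; ART would refuse to load it as-is, so such an entry is likely
    encrypted or packed and deserves a closer look rather than a pass.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not DEX_NAME_RE.fullmatch(info.filename):
                continue
            m = DEX_MAGIC_RE.match(zf.read(info.filename))
            found.append((info.filename, m.group(1).decode() if m else None, info.file_size))
    return found


def triage(name: str, data: bytes) -> dict:
    """Build a small record an analyst can diff against the sandbox report."""
    kind = classify(data)
    record = {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "kind": kind,
        # A code container hiding behind a data-file extension is the tell.
        "extension_mismatch": kind != "unknown" and not name.endswith(CODE_EXTENSIONS),
        "dex": [],
    }
    if kind == "zip":
        try:
            record["dex"] = dex_entries(data)
        except zipfile.BadZipFile:
            record["error"] = "zip magic present but archive is truncated or malformed"
    return record


def build_sample_container() -> bytes:
    """Constructed sample: a JAR-like ZIP with three minimal DEX-headed entries,
    one entry with a DEX name but no DEX header, and a decoy asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in (2, 3, 4):
            zf.writestr(f"classes{n}.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("classes5.dex", b"\x8a\x12not-a-dex-header" + b"\0" * 64)
        zf.writestr("assets/cover.json", b'{"looks": "harmless"}')
    return buf.getvalue()


if __name__ == "__main__":
    rec = triage("jdgnHyW.json", build_sample_container())
    for key, value in rec.items():
        print(f"{key}: {value}")
```

Run it against the real file with `triage("jdgnHyW.json", open(path, "rb").read())`. The check only looks at the local-file-header magic, so an archive that starts with a different ZIP record (an empty archive, or a data descriptor) would be reported as unknown; extend ZIP_MAGIC to the other PK signatures if that matters for a given sample.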

Makes use of the framework's Accessibility service [4 TTPs, 1 IoC]
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | butttots.plum676.sai

Obtains sensitive information copied to the device clipboard [2 TTPs, 1 IoC]
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | butttots.plum676.sai

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) [1 TTP]

Queries the phone number (MSISDN for GSM devices) [1 TTP]

Listens for changes in the sensor environment (might be used to detect emulation) [1 TTP, 1 IoC]
description | ioc | Process
Framework API call | android.hardware.SensorManager.registerListener | butttots.plum676.sai

Schedules tasks to execute at a specified time [1 TTP, 1 IoC]
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | butttots.plum676.sai

Uses Crypto APIs (might try to encrypt user data) [1 TTP, 1 IoC]
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | butttots.plum676.sai

Checks CPU information [2 TTPs, 1 IoC]
description | ioc | Process
File opened for read | /proc/cpuinfo | butttots.plum676.sai

Checks memory information [2 TTPs, 1 IoC]
description | ioc | Process
File opened for read | /proc/meminfo | butttots.plum676.sai
Processes

butttots.plum676.sai (PID 4505)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15

Defense Evasion
Download New Code at Runtime: 1
Hide Artifacts: 1
  User Evasion: 1
Input Injection: 1
Virtualization/Sandbox Evasion: 2
  System Checks: 2

Credential Access
Clipboard Data: 1
Input Capture: 2
  GUI Input Capture: 1
  Keylogging: 1

Discovery
Software Discovery: 1
  Security Software Discovery: 1
System Information Discovery: 2
System Network Configuration Discovery: 1
Downloads

Filesize: 4.9MB
MD5: 9bc28fa2f41c876f1ba4a481a0c4fb58
SHA1: 4beefc8e05143cb11ce823618e90f41d8e9ca0fd
SHA256: 90a3b75e1d99da9263ebf0d1bb18c3138106d0ec8739bbf52f7511f2cf432516
SHA512: 89ff353b74ebfa5b3de4704ce4ac844ed32e6331f536af033be29b4fa74d855a4fc7e701a23fdce9b9196495a1dd21cd9bc7b8db7218896e3bdbabf778641434

Filesize: 4.9MB
MD5: 406f2d1eb0cc6751866e3a0ebf788061
SHA1: 5e4f6a97d26c1b2a7e2be6ae30852b114622e002
SHA256: 6bed575fdd0782b35e71de40519f2413f4fa926784cff0af32d4360c92ef090f
SHA512: 06c5866ca3066d07e4b08f1b2e2e29442226daa964f5d36b6e3f2014730476428b95a1be3105767d4b4829a3f28899bae7f97b0d25b7cc02371ce630171bef85

Filesize: 17KB
MD5: d780f836fe54e51872bf31220a4dcb77
SHA1: 5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA256: 32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA512: 62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Filesize: 20KB
MD5: 91af32c14839a2828ca58297e0861362
SHA1: bd758cc0bb47b570da2061d4633aa998a87ed971
SHA256: 5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923
SHA512: 9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Filesize: 20KB
MD5: 8905897a269384e62d84bb90870ef34b
SHA1: 4f4b6714169ed3afcf7a02d9d4cd457b2b125eaa
SHA256: 80b80afdc9dac99a2731b0fbb56488a006472b150e27f1ae5254955d7f499436
SHA512: 18b279f3b37ea1db2b4b3f31bc39bcbfac0f5cc908fa9b900c1062367a1ca4296d59695df4e9b1345d2cad91156abc617954865818401fdd4766c83914562d4f

Filesize: 512B
MD5: 0c117910c67480fc9052493d944d725c
SHA1: f181efdc766eb32b63d49d5dbea2ea1c961942d1
SHA256: a3714beca64e163a04fee083f407b25637e5c1ca2086d97b1663453cf5d4be22
SHA512: af7c26eaa51a19831923c7cee7928f92326f9512da98d1782c08f8f55ac7004acbf372f0629e3fb2fda97f6721f67c62b6909a012b29856ef31c860ca319d2ad

Filesize: 8KB
MD5: 060cd65316964ca8bb9a6014d113eaea
SHA1: 8f133c51a95d84ee7b22a3084b18b0429d35f3a1
SHA256: 6946caff1ffb8a7db398777f6b4d403001e98e09defdc067e504005d7aac84fe
SHA512: 06646db7d607f84f1d70ea975aee5960f056adc07a74df87b7e81a93f79c1337deed9197fc154dedc1f9f50e9e15be895bf93b16ff240ab4f465f7d4cbfd56bb

Filesize: 8KB
MD5: a3bf165e0b732b4ec1397a4abfe4a2ab
SHA1: 349aadca88fe5320e067b5068d33242b09bca0ec
SHA256: a1fe6d276ac997ce35677812a7cd53ecb2c048a973f9c182e3d9ab7a18bc3027
SHA512: e01032990ae96a423ea56940ba36895eda95840e18f84cda5a7e42d434482cca2e282e816e21f33a581c85ab937ffea1ab7edf780bd6b76b7d0f962d0dc4f584

Filesize: 12KB
MD5: 867cbcb14e13e9424051c35f2ffad49e
SHA1: b1c3d8207b2a8826930dab5b04ce011e4fc3b5c3
SHA256: d4f9a5e92f31da9df2975f5298a3895dd2093ffed618d73744e621b8c3943119
SHA512: c36632619e29d3eca5a03d25cb069f135318ab81a747b0a545ed1dd63e15afdf9777ad2e339c7c6d680fb71e4691b73e18a610e1e5548b64c096905bf65326c4

Filesize: 256B
MD5: ab02e3a81f1dce4c150ed01d468ceb56
SHA1: 9859a3138d3e9db215d57f367dded859f374209c
SHA256: 462010decf9540fc1d3d880a3044d3ac8716b0e6f89b5e2d1c6ad3e7d66b2cbb
SHA512: 7c0c0d3798ec63f3cadafae1a7422886506c15cf53d70aa7dc107b9ae7babfa1a6686329eb8ec56b7747ea2a89d4b9cdd5c621910473c8ee3532fb91d842225e

Filesize: 4KB
MD5: 0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1: fee434f784e73cc7916322e949f727caf8363102
SHA256: b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512: b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Filesize: 512B
MD5: ffaf6a3de8da9032c1b09a58c9946fe5
SHA1: f162d9826fdc4176f2a01f89a1dd6c986d29923b
SHA256: dbad97671ff5598ac07a992cef9fea8c09cd36cf8bbbeaab0f3e3a4ac3fb66f9
SHA512: 1c2628f2a8538310e34d62e0ac59e82c21a93092e9083488cfa14c83c56b7cac3b957adfe378dbeb0276666c31403f46d63bca1e6e165abc7345748c53abfc0b

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 173KB
MD5: 56166a49c2f134f9a2616caa6353fa03
SHA1: 6f1fd6ea545dc7091fb8da1bf42a7fe5bb9df3f4
SHA256: 5b3a55afc5b3c5561bbf748679aecab05c9c128c40f2df8e2ef3cdea02d2f2c0
SHA512: 1cd924656672177e56933fe095abeec606a84118f6a9579352493543ba7b3e4dfeea5a444293e54e538e7b77ada857110f2d43379eb17559491cb11c19bb7d2d

Filesize: 16KB
MD5: d5cca53fe79820b9862a13aad51af30d
SHA1: dc60ebe23fb914a42ff4e1deb562caec8477ddb0
SHA256: 519b88bdeabd6f99e3dbc9c09780edb3dc7c54b501200bce95ccadc26d2d1f9c
SHA512: 6b44e7dffa2a0ede3ab8a9768d3ed74176b2715716b616e2e346139c726bf8028f73dd82775430587d0faffc31ace433f04ca04b773b70e996142eba6dba5b77

Filesize: 108KB
MD5: d0c20e083135382be2ab60bc1eda867a
SHA1: 0384e5691a43a01b142dc913c062dacf14a52954
SHA256: 71b17131d9bf9498f7e9852ca500cc1358b703461d02c7fa455967652788042a
SHA512: 48f030d539762c3cb4801679e2bbe537b6c97293dc4c591b59a36dfd58bdf0b0266a01de8a2106190923996c15f2cd1a639db6a49bee9e44b4439422e5f4b601

Filesize: 10.9MB
MD5: b6c3becbe6aeeb86cc3690035eae8e29
SHA1: b9a508864a6dffe3eb80b3eb2ccd4ae510cd62cd
SHA256: 0a82df303a40ec841716f73afc41ae8083f5b4d0775eee7f3ed421884c71723d
SHA512: ce00cb27ebf00fec2a8ed8cb3f8eeab0a9c55c10cb3c8bb4ff5b49e4c7123248b96a784a3124cb71f7cc24c60b6801e2048eb179a1a5bb41809f3c67088b95ec

Filesize: 309KB
MD5: d1e6566482927131289b625099f039ba
SHA1: 5fddac3b2e8da86f56284989f7907beb3388463b
SHA256: 16caf3fdf72c434d49cf7ecbcedffaf7c979306af2b85d658cf99c45319f401e
SHA512: 40bed350b98ab8ca53e99d800bc255632379835d2ae4bf26b8a45ea174b4aa280f0e7fe086148316d485e6ea94cbd4c588d8f511ef0c1d76e98709f72f1cb504

Filesize: 267KB
MD5: d2cd609fb19e6b18227f994cf893813b
SHA1: a9ba8d38cc657616cc7f9833e900340e253d1495
SHA256: e91a92cbc28b5459a4a1aa25deede9437439c7d577fdff17cd374fd871cd4798
SHA512: cbeeb12c7d296d1ded6c5a305c123d31533ed188ecd05dcbc1c08f2fa77b05466ac7ecb511e9d6c1e153c1ae105cbd7524e4bedf664c169e936c42ba578ef8ab

Filesize: 1.7MB
MD5: 30465152db261852e3a226a666ec4304
SHA1: 442a188e07db85653022734d0a8537d4312aef38
SHA256: c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
SHA512: 3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Filesize: 6KB
MD5: bdb8466b70e7a1b49f92379acee294a9
SHA1: 8dbc39b9f9263307560d7ced87f99056ca5736a6
SHA256: f37ed9c1bff0692ee3ce6fde3efe94e3d710dfcdd04c1f0af5c305a6eb4e4617
SHA512: a7950eb77675af4fd558da844817b3e8851d409f9888c8e07ff78921f88916cf5086f5f4666375a03068864b28e5ffd8c28d5b9e67f982d5af8e16837d3721d8