Analysis
-
max time kernel
23s -
max time network
29s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
22/03/2025, 00:16
Static task
static1
Behavioral task
behavioral1
Sample
26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb.apk
Resource
android-33-x64-arm64-20240910-en
Behavioral task
behavioral2
Sample
26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral3
Sample
base.apk
Resource
android-33-x64-arm64-20240910-en
Behavioral task
behavioral4
Sample
base.apk
Resource
android-x86-arm-20240910-en
General
-
Target
base.apk
-
Size
7.9MB
-
MD5
f525baeadeacf35b7ad1a678704ddad6
-
SHA1
6126abb50a4842799ac33e4a39434e43475a6a0d
-
SHA256
8773345e94b7f8ec7ed5515e507f72ad7358ecf7efca360a719ac7a39d18456c
-
SHA512
daa597e2f6d2eefc9fb8f7c349b6a51a9e059a3a7d90ceed9f6c7ed71776ebf4a2b7c8aeabd984f800420cf3cdef0f3526dcf0685a94db7380bf0df2bb4cab7e
-
SSDEEP
98304:wNDTv2Eq7sH83EhsrdbQ6r9dFb2LhqtVTKMiXPGYMKNG0rz4fqW7HCfGsG+x6zZV:ubc+8bQmO0XTg/GY5NGxlJPzZvjv5Lt1
Malware Config
Extracted
trickmo
http://b-always-free.org/u3n6hcu6te3b46gc
Signatures
-
TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
-
Trickmo family
-
Loads dropped Dex/Jar 1 TTPs 8 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json 4368 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex 4368 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex 4368 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex 4368 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json 4341 efja.fast805.touchs /data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex 4341 efja.fast805.touchs /data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex 4341 efja.fast805.touchs /data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex 4341 efja.fast805.touchs -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId efja.fast805.touchs -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone efja.fast805.touchs -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver efja.fast805.touchs -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule efja.fast805.touchs -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal efja.fast805.touchs -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo efja.fast805.touchs -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo efja.fast805.touchs
Processes
-
efja.fast805.touchs1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4341 -
/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4368
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD521c32f1c942e4042d945422612bc878b
SHA133abf93c234aead3770df1ece78bf0802da9f667
SHA256f8076c7bd8963ea1d98939e6b047fc5f11d43c5119533b2136789531d498f347
SHA5129c6860f3e9bb4d523704cae8604627016bb06e1ff2593ff475a3c2a141cac1be22624ef67808582d5ee15f7055152fc399d966df613f89b1be2e84d64dc9f79f
-
Filesize
4.9MB
MD5534f0d2a0aa52111ec0ccd561f57c578
SHA1b06fdb7079904e2b0a8f56693159678424c474aa
SHA2566aafa7a8cf9dd18d1a768073d12e1996cd1ba055bc4c8a00a162a455d692e0c1
SHA5124f46211fffe9953311adea27b2a0a7781903f90bb280488458814943def9bdc7c4e2a89cb647797d0c3fe2ed600c2de4ced84aab2df2319138742690f54d5c72
-
Filesize
17KB
MD5d780f836fe54e51872bf31220a4dcb77
SHA15136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA25632abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA51262842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635
-
Filesize
512B
MD5ca79a4b6b0b63dae2011b25ebc49aaf0
SHA16f59365f807aa0397c7128b9bb15d285d8583350
SHA256f2f14faf26e97f439896a793a0a9f684063481d4d07414cc6db806857338eb9a
SHA5127731e48090adb0ba71224564d0ab4a76e9d24f13d271ebdc8068a08f20882e1418b0cc387e3828118a191c73327a8d0c21286375becc8f49dcc76b6ff7d31d64
-
Filesize
32KB
MD5844e9bb2e6d2c54fd3ba61f90ff4503a
SHA152f001891341c3c0ff55e13f254e74138c0fe072
SHA2566aa465bc1cec96db369e550e75b4c7db35da7dbea47682e273050cd062a8d7ab
SHA51239ef0f49cc73b103c6d715cca80891854fb4cb1592e5da77fa1048a2c8dc471a65a8a2e8ba6067d397e0e3c69cbc256acd2fed30622f664a4303048fc4b03720
-
Filesize
256B
MD5c91c328789d44e7f0d9b8cb3f47aa7dd
SHA14bdd76cf9c98e009e9a9320c75351a6f7be6e273
SHA256d47cda04428c6181f3b827e364b24244aeb4c68a1d40dd7ee26b51076ff93341
SHA5120dea4cd27a83469af18b9885531579865af304d7afd73cc9d6061781a9ec5b07932525bb7c4c79b7bd0b53e6cdaa349ef6f1d32429e88742d2879d8271e53a75
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD54c8c76a41e052ca90f4d1286c430802e
SHA1c5d0a6e8d628a5abb9de49d4dc0b47f1006b101a
SHA256ae22162330640feac1da6a0c5e9ba2ddb92b2d37c56fe81abaa3189103dbcc36
SHA5122c86106c7e11951066818bf1559dbc84cb67ee2054122656792d95003b356bfc9f9718fbf881ec6b681f460e77c34fbd1eb8ce1b9fd34c73415c063102c7e50f
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5084e8904b9d4cfcafd2e17f180742ef9
SHA1615e14094e10ba4f831f7497cea26334a659377d
SHA2560ba1b4c6e16eee77daceb5da22e2e8587034aeec5771a82bb9e964eefd7ef4a1
SHA512dedd50dac7ca79452aaeaeb07b295c532ab468a27d53bd9b92dc873de343b83ef114b526984a881e5c39b940ae3ef06d8d706ada8ae6c75abd9df73275760ed8
-
Filesize
173KB
MD5a576432a1b6af68c865c4ffcb877e7f7
SHA17b7123dd3d0e3b4e644ab49d789c80e8f6635bea
SHA256b290ca45e5191c8c7b5943b7035314672ee1567d82178d2ef9510214fb576d36
SHA5129e7086f1fd9fb3828d85808fa2adef52c041c4439e483f4054b7a6a23df99acee81c3a22445f604286a6412623fd6f18a9a0079dafced7eb2cd9394872af6634
-
Filesize
16KB
MD53d67698f4485342f97d94ac2b51563a4
SHA1371410ebb43e62daf51b67347a2346f727b50443
SHA256a2b47dfb89ae4ae09952da2db0aa906842190886177faa5dac166e45f578b58d
SHA51249c96c1144e841ffa5386701ca12bb663d40c018d8142df4707824150043154de687588a7f210d4604d3ea072adc22ef7f708e16a34879495c3e267c87e5ce79
-
Filesize
10.9MB
MD535d4cda95e19e9be467673c78e1e2fa2
SHA13868d4dda794c360f57ba650c332b39ce5c68d8e
SHA2566c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746
SHA512577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7
-
Filesize
308KB
MD5af76bf112a1486f959993ab101d1dfb3
SHA1d38bd79b0d58135807b7e9038f35e099bc8b18ac
SHA2569a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326
SHA512de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825
-
Filesize
266KB
MD51c44e8e0e2db37651e10a075ffdcfa22
SHA1533915cbeb1f912075f5cdb7f77d0310d875d40f
SHA256ec90a6c423e42ba5fce0e72dd68e623c388870eba3a3c98358d6a749985ed192
SHA5127541ede26f7dbcaa2cdd92ca05a4415340901354c422fbafa4aac3424e0a365f2087656c0b873a8934976d4f63c35fbf9923babcab39a1cafc20baba4720d391
-
Filesize
1.7MB
MD530465152db261852e3a226a666ec4304
SHA1442a188e07db85653022734d0a8537d4312aef38
SHA256c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
SHA5123b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63
-
Filesize
83B
MD57f342fb9602b792495544a0ee74b6054
SHA1408016a2311d69fa636db306ec073922de6c250b
SHA256f41e4f245283b360c891066f91c4d16be7a039b334a6d7abed1ff2c3a4a2e5ae
SHA512dc7c1d7afe85a2e0e75278163cf16a42f9839baaa3e5df6d3fb90863e571d9c0085e4c5218527bdae8743cb559ed45caeaa08713ece2fae8366ee6bbaadd52ed