trickmo | 20c21a0bf466412118a8b79e890e2ce5dd068a9a2d354f43f6b4b7c94ee16509

Resubmissions

21/10/2024, 05:56

241021-gm124atekm 10

26/07/2024, 10:06

26/07/2024, 09:57

26/07/2024, 09:52

26/07/2024, 09:48

Analysis

max time kernel
68s
max time network
282s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
21/10/2024, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

7.6MB
MD5

ca99cd533c8f93ab900b9eaa2368b6b0
SHA1

e9dfe27df482d853a8072bacb734bccd05227d35
SHA256

8e8470ed0fd881e9c7ad3db2bcb9515a9dc8fbbcf9fdf38169330514524059ef
SHA512

f1f495744e9cac629412e7e9eb0828f6d1197a84bfa2692a5bf34022f3a754d4a78907fba0ec8cb5b2eda6d03ff17b59ae7d7f93fb6cceed2be87e909885ab4d
SSDEEP

196608:X1H7QE5m9OHWTpCiAIR4dpMy3Vhx+KOs4G:X1H7Qgm9dMICFf

Score

10^/10

trickmo banker collection credential_access discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://starnow.cn.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json	5176	pekers.car413.qui
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes2.dex	5176	pekers.car413.qui
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes3.dex	5176	pekers.car413.qui
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes4.dex	5176	pekers.car413.qui

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	pekers.car413.qui

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	pekers.car413.qui

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	pekers.car413.qui

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	pekers.car413.qui

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	pekers.car413.qui

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	pekers.car413.qui

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	pekers.car413.qui

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	pekers.car413.qui

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	pekers.car413.qui

pekers.car413.qui
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5176

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/pekers.car413.qui/app_rude/ZMnj.json

Filesize
5.1MB

MD5
055e11f346de40ad4a6abad3546ea225

SHA1
8c9cf7cb825b2411146a3b4e2aad27f9229e3fa9

SHA256
516c9d7ac13f1c36aa6daa4831b468300e38d770fe406a986b29a7eb0d93d400

SHA512
2b1b011be419297887194fd269879138db8d9be461aa93f5443e9b6aecdc4048b99611343cb69357c78dfea5f6eba3d06fdf3e528c54e8c2563b74ea07e4537b

Download Submit
/data/data/pekers.car413.qui/app_rude/ZMnj.json

Filesize
5.1MB

MD5
7dd2673821338d19e639cb56a823ed65

SHA1
d0aa9e03240bc7d8985603005e69044b7de7c724

SHA256
d1596837b8e5bc67ca3a3206f065a4bd7e8ed8d4c062daf348f138647cee8b2b

SHA512
d5bdfc9702f43d6452584c4b137581688d6586345cffcdf169abe7acb26a58cb226504e84f1cc5320474019bfb3cce8c03c41e73beea359f9de4fdcfa0a39798

Download Submit
/data/data/pekers.car413.qui/cache/clicker.json

Filesize
17KB

MD5
636e55d791176f11d06b28d2e3bef86d

SHA1
685a82b348877c97f50def61ac0bedc02035255b

SHA256
c890742667132d62ea76f4f9ccb64a67e06ee6f4dddd39da458fcf46fd567b5c

SHA512
4d656078ae7ca93daa3267cd08af620a7ca375a51ee07f998c1a33607665fcfa6a786f80bc2ca022b7629de3b095d7c29cacdbd9581a58cf1f101df3de5924d2

Download Submit
/data/data/pekers.car413.qui/databases/a

Filesize
20KB

MD5
93e7f88ba7fd4f0152e8e5dc56f1acc0

SHA1
f29883585567a32fe4d487e5df14173c39c09e65

SHA256
dc6bc98e7f294d8994b3120cb87c0ed1d998e559daab810a68323a8968c60c2c

SHA512
be40cb85f75181627e2e4f7fb01e371ad4ce5051416d7e931ae45479a1357526e89a017aa461de03076c0b650eb5c851c239e88556677e859bb9b7c28e48d745

Download Submit
/data/data/pekers.car413.qui/databases/a-journal

Filesize
512B

MD5
15cd25ee51924fce43f608033b936edd

SHA1
4ea2328d0c715bbec48cd21dd5628e12510070cf

SHA256
cb4b65ee91b3e8b4a21ec86cd3a431b9d251faf965908a4212c260cc91e93743

SHA512
bc7db7f1dfdcf69e8ba17a6f11cca077f8907b174e384fd72bf25b4b22ae40da3d6fb403af0a3e7a23c757f9c7d26f436141e0c8b577a3b142b613a4b4681417

Download Submit
/data/data/pekers.car413.qui/databases/a-journal

Filesize
8KB

MD5
51f9ce70d576397bcf965cda12963815

SHA1
dd150717defc36119348d9fff10b38dd8b51dc6c

SHA256
1e8c2f66ea7cb132bc5326b9274b5037cda1c97e919fec9eb3e1e5354408137c

SHA512
09594c54df588686c13e5846573887214c283d831530c2c21583dbdcd1a0ef6ed929923b7049f79c44f8698e7e8d60134e18fdf9a9c73743c2634fa8cdb527f1

Download Submit
/data/data/pekers.car413.qui/databases/a-journal

Filesize
8KB

MD5
9ae4e5efb3af96c57a3efb44658cb615

SHA1
3922e55c37071b8025b1285df758b9a0931d0aad

SHA256
fd2f494b19f242f63a00882549f80394f61599372d25ffbf608d5f7918cc4ff1

SHA512
a8d116b7c450ddfc74a8163fea6c836ea9cf76190bb213184426f82aa948d2d43324ea4a7497a18d831b85fdcfc74ef469f1e92dec32c8f5aacc8068206dc16f

Download Submit
/data/data/pekers.car413.qui/files/pekers.car413.qui

Filesize
256B

MD5
d567d3fae13994e17ec7c1996911e377

SHA1
7c22fb18c78df349222788cbbd4addc9c28c6c96

SHA256
e51526d746f6b2e2cd1c92abd52fae01097c38d5417ce5c3da27d6a7bfd96784

SHA512
f33b1501d80c3f512aaf9d642f5c49958c45bacef0054746c3540e49dee897eed17480c1d6bedb385b6a3c35a85c0fb3c17eae38cab581016d3600f308797680

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
77d5f08284f880bbee6b40ff571c22c9

SHA1
aafc2f3c011047d9357d36ca5f4e52eaa1d51471

SHA256
8e3972b5ecf47c3b49c057209cf82bbd55e2cf7d6c7deafdf31cd3af24486d39

SHA512
f3fd837030d2fd0b3ec973528fb9e21457f67ce8b1ab3aa4c947cc510edc0ce4bbc95ee8529498a37618e9ed0d676048bfc6be65a7cfc9ac88947be8fa5d4627

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
9ebe2c4a089d3726a650dd3102d15a87

SHA1
c9211c9c84edc6c6678dad04d5fdc847d05251ff

SHA256
29070eaa45020f02ef23cb6a11d1ad5799524b92589a8134a063ddf77e10f915

SHA512
9e41ecfe8619ef37c24ca2b0099f4f5d83fd2335850dd4bd1d13b4067b6bd1ef4726a6c546a12356be9e6212098dc7da1170c7f2e2fd40b89cf2649d7cc544f7

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
6c94f34c6133b5ec2c446df4fafb090a

SHA1
2eebb992728b2dde5475b07d6c84abe51720552b

SHA256
e40ab9d94bfbc6584c26b54353c33c564d0b1f66d2b35f25e217a2c5a02ac177

SHA512
38c6c4463143fe018a31dd05449f39e2cf657d011c4392ecc839d9ee12d8d49ad1b20a1187fe0daf6bc7e107d7c780433527e9c08d5f92e780bbb70e72eac94f

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
01ebe706afcf887528ff05a570e6193d

SHA1
c07c548570acf3e68773b7e59ae6bf3456499291

SHA256
715e14f93cfca18edbc6b35404347e91a3b87dcb68ab8cd8705a54cc04cab176

SHA512
f118e7bf5bb10287531a4cbe181c5dcc5c19c24332434c388396f308214e090d2dc502e6f038a4dce9a4b061d646dc6e5612c31558d11fad0a5f173c8ad0d683

Download Submit
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json

Filesize
11.1MB

MD5
b2dd75b19e82fd1b6f8c1bbd80b00d43

SHA1
fbcc0c095a6951f1c268c3534e80182275cf56dd

SHA256
57b7c8e0879f6b3cd3bb169533f8069072322b178dd2efb8cedf5d77761e32e0

SHA512
078089605d533d1d8dddae498383e79eb37275bb034666cfc5d2b2df13883f9fa417374f1461d091fe0d5d37d09a5d18a2f9c42228e72b68ac8dff01de380395

Download Submit
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes2.dex

Filesize
354KB

MD5
e111d110016c06792f99189957bf5768

SHA1
ba1b4f6e7c7170239e9c001779ef9ff2995ef5fd

SHA256
c6114bf54ee58e37657467acfdf8e5d147b778a1e718e085e1f0a6a14e0a480c

SHA512
c98bc318f555b059ee1c5b0ef9bef2076b1bd265ada3d303a05e2fe481e2dcb40fb041e1e136d7a1ec0094e08020b0064bbddcc5efc5c32caa71ab42bb27a215

Download Submit
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes3.dex

Filesize
253KB

MD5
6a828a2f97a63e9bfb7a8479ab4c6832

SHA1
6bc2017f672b3c68b6a19d2226f46f5519d168bc

SHA256
5e60365bd94ccf2533cc24ffeb4b69ee1b66283e4472e92ee8741b821f26c72b

SHA512
b58c4f1caf85196de0572544e00a51d62e11b2c59fb60b7f66ed5ec77b4b587f02aeacae1602a7c68532be8990ef84e6c3887bb35f66b2725c2b651ad7193937

Download Submit
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes4.dex

Filesize
1.9MB

MD5
32579b28ea9ce1c5fa1f35bd4f9818bd

SHA1
8a262963232c8e2e43d755281f46ad7565e62a9f

SHA256
217bb9f5b5728b6373d10962cffa93c3b263049601ce4bfdc30f1b89c0e69c53

SHA512
dfb21bbe5a06aa760e412d05e9a91dc14b44928b8f88e6e01f96bfbd3d9a6637c33e8cf5d02dddb038cbd8dba5dd0cc382debb31c66f8f7d6ce3f176b2a6873e

Download Submit
/storage/emulated/0/Android/data/pekers.car413.qui/cache/logs/log.txt

Filesize
223B

MD5
80aa231f1dd5145455d3f6033e55f683

SHA1
9a8dafd895965c2121d4c437141c01274ce9f4d3

SHA256
30d0dba0579a76ad2b8871839759b6909e3e7378fb92b3a4c7869d58a3842d6e

SHA512
e0254d4ecf6a51f63282f6f0278e7928277e39e6e91ec918f626a08f978e2addeb48ae087349f27ebe3b6520c41d16c5d8aa48f947829486b245b5b7ed6feb11

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads