trickmo | 20c21a0bf466412118a8b79e890e2ce5dd068a9a2d354f43f6b4b7c94ee16509

Resubmissions

21/10/2024, 05:56

241021-gm124atekm 10

26/07/2024, 10:06

26/07/2024, 09:57

26/07/2024, 09:52

26/07/2024, 09:48

Analysis

max time kernel
279s
max time network
306s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/10/2024, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

7.6MB
MD5

ca99cd533c8f93ab900b9eaa2368b6b0
SHA1

e9dfe27df482d853a8072bacb734bccd05227d35
SHA256

8e8470ed0fd881e9c7ad3db2bcb9515a9dc8fbbcf9fdf38169330514524059ef
SHA512

f1f495744e9cac629412e7e9eb0828f6d1197a84bfa2692a5bf34022f3a754d4a78907fba0ec8cb5b2eda6d03ff17b59ae7d7f93fb6cceed2be87e909885ab4d
SSDEEP

196608:X1H7QE5m9OHWTpCiAIR4dpMy3Vhx+KOs4G:X1H7Qgm9dMICFf

Score

10^/10

trickmo banker collection credential_access discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://starnow.cn.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json	4491	pekers.car413.qui
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes2.dex	4491	pekers.car413.qui
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes3.dex	4491	pekers.car413.qui
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes4.dex	4491	pekers.car413.qui

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	pekers.car413.qui

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	pekers.car413.qui

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of SMS inbox messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/inbox	pekers.car413.qui

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	pekers.car413.qui

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	pekers.car413.qui

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	pekers.car413.qui

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	pekers.car413.qui

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	pekers.car413.qui

pekers.car413.qui
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Reads the content of SMS inbox messages.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4491

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

SMS Messages

T1636.004

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/pekers.car413.qui/app_rude/ZMnj.json

Filesize
5.1MB

MD5
055e11f346de40ad4a6abad3546ea225

SHA1
8c9cf7cb825b2411146a3b4e2aad27f9229e3fa9

SHA256
516c9d7ac13f1c36aa6daa4831b468300e38d770fe406a986b29a7eb0d93d400

SHA512
2b1b011be419297887194fd269879138db8d9be461aa93f5443e9b6aecdc4048b99611343cb69357c78dfea5f6eba3d06fdf3e528c54e8c2563b74ea07e4537b

Download Submit
/data/data/pekers.car413.qui/app_rude/ZMnj.json

Filesize
5.1MB

MD5
7dd2673821338d19e639cb56a823ed65

SHA1
d0aa9e03240bc7d8985603005e69044b7de7c724

SHA256
d1596837b8e5bc67ca3a3206f065a4bd7e8ed8d4c062daf348f138647cee8b2b

SHA512
d5bdfc9702f43d6452584c4b137581688d6586345cffcdf169abe7acb26a58cb226504e84f1cc5320474019bfb3cce8c03c41e73beea359f9de4fdcfa0a39798

Download Submit
/data/data/pekers.car413.qui/cache/clicker.json

Filesize
17KB

MD5
636e55d791176f11d06b28d2e3bef86d

SHA1
685a82b348877c97f50def61ac0bedc02035255b

SHA256
c890742667132d62ea76f4f9ccb64a67e06ee6f4dddd39da458fcf46fd567b5c

SHA512
4d656078ae7ca93daa3267cd08af620a7ca375a51ee07f998c1a33607665fcfa6a786f80bc2ca022b7629de3b095d7c29cacdbd9581a58cf1f101df3de5924d2

Download Submit
/data/data/pekers.car413.qui/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/pekers.car413.qui/databases/a

Filesize
20KB

MD5
3aba570f839453adf2c7d96f34a7f2e2

SHA1
207c08fccaaa811215ace5ab16d62dbc6e09ec06

SHA256
a63879d9d77cceb4ce0226371ab684f8814b51042a50139a568a802a4551a0d5

SHA512
2745abc35fabb9a40513bd598e1a240e4c7be0aaa13a208f84e1549d1e69a13e887edfc5ca90187cf0543e90f3c89264271db44fa30ebe28d91a50bc578043f8

Download Submit
/data/data/pekers.car413.qui/databases/a

Filesize
16KB

MD5
78c8184372d027d8cc29b87b6e893cd5

SHA1
24452c5ae9dee0f9b660b8e5e22b3df1c172ff02

SHA256
57903572de2856488a014e78d9798813924e0b9473fa6aad671f793ffb734af0

SHA512
ddb14e1d263d61e6155d4f62d5ca09991a77acb2e12971409d65262874e886a890eeda183a4494fb117a803ad16b9eb10994838e8677ae2a1c386f06b1f79190

Download Submit
/data/data/pekers.car413.qui/databases/a-journal

Filesize
512B

MD5
24fdc6c50a047b46e6cf72838fedb139

SHA1
8fdbbbc9e37eeea11b71d0870decf7526cb716ad

SHA256
5a696d0936512bb5988cd22299a829d9fcfd547a25662c168f8fc96cc6b4e936

SHA512
770336eb1ea00b84becf9e5529faa354308d912751e16f68cf623cef4c52e8579cbc9413b8587229267de13ffa96dfab9c7d83f5a033938ffe8e418f44efdcae

Download Submit
/data/data/pekers.car413.qui/databases/a-journal

Filesize
8KB

MD5
629f49d7d324d5314fbd0bf4c0fb560e

SHA1
02c185fdb4ea8f3fd65c2c2a511c2d56c158f5b3

SHA256
98cbd793a574a582f47eaa3f91e04b1b5ae6f6cbf7b538b0f275d6c695b44761

SHA512
bddf781a7a8a779574d922cee5b5ab3e814571d59a78141d05194a5ec5d9c3ca857461514c5cc40ae7d618237f744dfedd1879b6ade14347dbab4e5c3474e43c

Download Submit
/data/data/pekers.car413.qui/databases/a-journal

Filesize
8KB

MD5
482f81d1c50511413d35ed3975b0f9de

SHA1
3f4541d94b1a4dd8ecc732a5c2a90f3301412636

SHA256
98782de59e360cfb37667578c4f938bc862adbfc04fd2c0625ea9618e15b0485

SHA512
a0c014fbb1d978d370ae9ed31ee588db5885fd00cf4840f79a605037ab63b0661314ed8cae23be94e59b3912a06a627cfa73ca532f6453a207122f8b2e1e0b14

Download Submit
/data/data/pekers.car413.qui/databases/a-journal

Filesize
12KB

MD5
2904fab653e5ef5125b9da71470a1f93

SHA1
e88c6ce4135ec43f4d23f735e5714b1dc9fe13b3

SHA256
224dc3e3bc98ff3e5c5e045ec14152820e06dd2485e18da50780187d6c0ed817

SHA512
11e0388b66c00e5875e9805a7544a2681d5c96847cbe5460323a71b28bbade42c41a8e48260b69cc7e34cd4aa677c344f55f27a890c48e98fe424074dddd6b86

Download Submit
/data/data/pekers.car413.qui/databases/a-journal

Filesize
8KB

MD5
f791e29120c71bb0364bb27695b2a695

SHA1
0f3008104651123303bee7b58bbad18d3ff051ab

SHA256
cbaaf84fcf10fe28e3fe426bca7846798e3fb7b2b83670317450ccef0dd03688

SHA512
76ef9e544e1ff8ae1ecd3db2fc0946e8a3a0370fab9afc43a4f5aec170fd1efface0e8bc75218d38206a6d9b7edff4467f72c653d05d3a490d5a3e4538caeb2e

Download Submit
/data/data/pekers.car413.qui/files/pekers.car413.qui

Filesize
256B

MD5
a7e43d253c7f6730d1a413ce7279f43e

SHA1
abc3d58d75964ed2816439698a1ea045ff379c6e

SHA256
1981cead9b8c98d94da8e34f3696dd6b94136f44b974fb2e7227a2313600c436

SHA512
40f75116b0f354dad86594befe01d3ad25fa98c395a09b7b2da969729003469761fc8962e6f9a7c7f86152ed782749abf9d18891c4dac718210c73e238a98446

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
55c272203405a9a48f901746a9583f4b

SHA1
7923b134feed4da7e7616945789a692d144a065c

SHA256
13257fe2581620cd977368a18b24ba7ab661da807923cf4dee5de731e176eb11

SHA512
dd6c7e1c7c966b67af2cd2ad6abcfc42b62c3d62b559707f6e3ef821c3554466d53982419c9de61944063fdb397ad260a332abea7094879e7f31166ca4724ada

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
f7a6863f9c11a52777bc3edde0054505

SHA1
f1ed1a57ea86d53db3dff791f65c388b5b4f73e7

SHA256
463e1d5dbd7cc281a6008027b16502779a4b30c9ecdf3af5e214fb690162ca65

SHA512
a7931d156614778ee431414d244b6668e75ea6295a7b8de03ae2cc04f4b7604dfb4a8729e82561d4237ac0e100c0fec2b6bd2ae2394ea7c791e89543e44a1f83

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
0b0311fbf062852e8220e04fb3735c80

SHA1
0ccd92c68c53da615ea697de52f38d99f3ef7886

SHA256
8b31b93ccff1db69bbeed7a287ed89ace839f1dae4a28ff641b2f5170c19f80f

SHA512
7d3011756b0a17da43c465a75f05ce3b38c574bdefb84607c3cc360b7468b77da42fa84d679f2918f1367bf4551076e5d514459911118eb65b41e9d3975e7b3a

Download Submit
/data/data/pekers.car413.qui/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
a6686e77776463c23bf33d0c8701564b

SHA1
28d84c20408f21611ac3ab2c68ac903da8bc5378

SHA256
09c48d5fb98c360e11830c86e2e178af51af24f0a50f34f38ee1bdc8e003ca87

SHA512
bb97b2e760e1ab5af4241946441f8af1019cee58f4a77a973395e56899db7293102290e89117113864429df47b2959fb0c519e2a78965e05d61a757015586ecc

Download Submit
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json

Filesize
11.1MB

MD5
b2dd75b19e82fd1b6f8c1bbd80b00d43

SHA1
fbcc0c095a6951f1c268c3534e80182275cf56dd

SHA256
57b7c8e0879f6b3cd3bb169533f8069072322b178dd2efb8cedf5d77761e32e0

SHA512
078089605d533d1d8dddae498383e79eb37275bb034666cfc5d2b2df13883f9fa417374f1461d091fe0d5d37d09a5d18a2f9c42228e72b68ac8dff01de380395

Download Submit
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes2.dex

Filesize
354KB

MD5
e111d110016c06792f99189957bf5768

SHA1
ba1b4f6e7c7170239e9c001779ef9ff2995ef5fd

SHA256
c6114bf54ee58e37657467acfdf8e5d147b778a1e718e085e1f0a6a14e0a480c

SHA512
c98bc318f555b059ee1c5b0ef9bef2076b1bd265ada3d303a05e2fe481e2dcb40fb041e1e136d7a1ec0094e08020b0064bbddcc5efc5c32caa71ab42bb27a215

Download Submit
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes3.dex

Filesize
253KB

MD5
6a828a2f97a63e9bfb7a8479ab4c6832

SHA1
6bc2017f672b3c68b6a19d2226f46f5519d168bc

SHA256
5e60365bd94ccf2533cc24ffeb4b69ee1b66283e4472e92ee8741b821f26c72b

SHA512
b58c4f1caf85196de0572544e00a51d62e11b2c59fb60b7f66ed5ec77b4b587f02aeacae1602a7c68532be8990ef84e6c3887bb35f66b2725c2b651ad7193937

Download Submit
/data/user/0/pekers.car413.qui/app_rude/ZMnj.json!classes4.dex

Filesize
1.9MB

MD5
32579b28ea9ce1c5fa1f35bd4f9818bd

SHA1
8a262963232c8e2e43d755281f46ad7565e62a9f

SHA256
217bb9f5b5728b6373d10962cffa93c3b263049601ce4bfdc30f1b89c0e69c53

SHA512
dfb21bbe5a06aa760e412d05e9a91dc14b44928b8f88e6e01f96bfbd3d9a6637c33e8cf5d02dddb038cbd8dba5dd0cc382debb31c66f8f7d6ce3f176b2a6873e

Download Submit
/storage/emulated/0/Android/data/pekers.car413.qui/cache/logs/log.txt

Filesize
293B

MD5
4952674abc35d5cdb3c0fdfa54857aed

SHA1
eb54ac6bf1fd6b4ba63676dc1340c03bbfdea116

SHA256
84523316c3c51f922fca08e6d4b0e246d1f853cdaa98c1b97d420fb8b496d892

SHA512
07cfc9408daed2981fc447f030da65627f45e29d7567b23a671fcebce4e41081fa8804af478b29d46a1c325c31c196851921a6ec2d128199859cded103676c9e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads