trickmo | cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0

Resubmissions

05/02/2025, 11:04

250205-m584bavngp 10

05/02/2025, 11:01

250205-m4n2ravnbr 10

05/02/2025, 10:18

250205-mcbmcatmck 10

Analysis

max time kernel
38s
max time network
173s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
05/02/2025, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0.apk
Size

8.1MB
MD5

c889e75eb26de5a53531ca1d799a777e
SHA1

4c9ae2c8bc9a2bc02926ee2a9a49730881907a69
SHA256

cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0
SHA512

cbe94441f6ea06b1c9c9de0933e9755d3ac7deb3197d795570cde4d0680c87f25c8c3e34c189a8b8d898b8afa9140093dfbf731852cbc6bf02cfc03c00bd5941
SSDEEP

196608:5erveQWOfAMidD+traG/iYVS9MEY2HWv7ecSb5xW:47eQqMidD+hjpVSe/2Uu2

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://mainworkapp.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/aner.fos540.ex/app_fragile/py.json	4974	aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes2.dex	4974	aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes3.dex	4974	aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes4.dex	4974	aner.fos540.ex

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	aner.fos540.ex

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	aner.fos540.ex

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	aner.fos540.ex

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	aner.fos540.ex

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	aner.fos540.ex

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	aner.fos540.ex

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	aner.fos540.ex

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	aner.fos540.ex

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	aner.fos540.ex

aner.fos540.ex
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4974

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/aner.fos540.ex/app_fragile/py.json

Filesize
4.9MB

MD5
aae2fff1e66e2ed7098e6a244c9fafc9

SHA1
cb45aa08a26f26d57e4ff2c38c87445baddd88bf

SHA256
1f4ecd2ff4e128f1ff3da8e59d77d3b64eda9ba8514d76abae1f786bbe65420b

SHA512
757310e3bb6855040b4b2a631f221e806721f5666257add6bf834c29b37a19fb953c42d3d04bbeedcd53d1ae1a2337bc61e36db046e46f1de18103e324fefb73

Download Submit
/data/data/aner.fos540.ex/app_fragile/py.json

Filesize
4.9MB

MD5
ad4a8dddb4b956662516a5353912f97c

SHA1
52b4eee991f8eac17572bc57f2b06dba9a6fddce

SHA256
19fd2538eb94df4e5713d9bca304527c08f27a84118ee583fc263cda1ef3b10d

SHA512
37ce05314e1e2a0edbe07f91208265e3c35a63142da54f60732736aa9cb8201dc78025682cb489e0e607826a21df38932ddbaa199fc86d246a91f42a614b2dd4

Download Submit
/data/data/aner.fos540.ex/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/aner.fos540.ex/databases/a

Filesize
20KB

MD5
077767b0c219361860d0d8bb5e19ab00

SHA1
eab3fc4c9db16b36629eb24ff0c03493f783b8ab

SHA256
26b1bf55b5111486cc63bb1b4582c467b4829d618201804cb6fafdc24b221c09

SHA512
3f8cd81f8176aaba7712469809c03a31be2495a6588d84da9f38dea712ddc003afc203dcccdf47f494472d6738269b9e7d29793bfa4cbe7f9041294df41e67b1

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
512B

MD5
e444ac4851351123a7ededd2b41f0f01

SHA1
6ddee5ff4aac9ca357ebf8f53c4840deee8e1d9c

SHA256
5933b653aef6b5b1a95544e89472c8edeb61410b5b5d132319bedf7e1d3ea813

SHA512
19489e58b516e2697a157fbfdf66939fe9649e65542222d3a08151347cf11c66b1c77ae8d520a6d0dc337c3ce5e33a493f78b763b28f08c3ad7dfa62c5c7b7b0

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
8KB

MD5
9f47f2ec89998db38942dee9b63258f2

SHA1
bb15ede3e33d3be61e668e81c19cf469f7a67c42

SHA256
1e9a249d1b046350dfbc99feabb9563d742480a5c7f439aaf0e3d85296d69d91

SHA512
b422769799733ec4fb4e563bb08025ed77d513db5c8eb6a31002a942a6309912b66d36bb9eef9d49935713ad5a898474b2f1d7ef584424dd2203811218222359

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
8KB

MD5
3e2faa2fe0a24dd713a25f67d520dd71

SHA1
540ec0059fa1bb670ee140b7b4d93e25cf1dc965

SHA256
57dc824f5d88856cad1fa84154c0a909992e17d47f50b310885fa71e79e45ced

SHA512
fca51e5cf53dd685df663d125477afb0823d089c2589ba343c799fa0a53ad9e916158464057618ccb9b5b89e2da3ab5219740e00584d1c2ddeef132e2a277527

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
12KB

MD5
5e90d4237136a94b456c3bfd1cd379ca

SHA1
14c00877a34f26e74632b9e6d0a069355f6b0042

SHA256
98770ceb9972b5c0e98838f3213609c1de4cbaf4720130af0675ea6d603b640f

SHA512
be76db9e85d5e36d4e53aeffedcfaadbf95b5f4ba3cf567a4bb28cb7452153f09c67ffecf86c8c2727524f2a1bd095030b29be2c5a2beb8197c0243f2be6860c

Download Submit
/data/data/aner.fos540.ex/files/aner.fos540.ex

Filesize
256B

MD5
f95ed38373d6483fbe9f5714435f8016

SHA1
ee72bfd1687cad4d427627378773e8773d69f487

SHA256
54f6cbaa0ea612f9f184b87e71a5f25d1ba68f0aebb3c2fec1a6f8ed935f6927

SHA512
13954351294a7c398c5466194ae0893f28c0ca684a28e901e57d53a9aca659b795bdd31eb92ff39efd27f3c986f6a68e7d338a1133d44a637ffae60cd9f396c3

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
4cfc63d60f83646ae4b56206bcb0e94a

SHA1
b7982b7547eef21d7d293fa3fd5285a9997b4b5d

SHA256
29afc13909d82388834f70786a6511c001dbfa903ffc75aa1e0e09a0f9154649

SHA512
956ddaff1123749e2f5f3835595dc259ff81c9b90a27d547b098a02ea1b08ba242890c044d3691667f01b7664062242f321f6fd2fb1eec2a21929ec493720093

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
d329427a2d2e124bd6956efdb4ea3419

SHA1
ea675c4c173eaf72b4dea7d34f6f9eb3a72b9ede

SHA256
8919d5a53f3aa16f96a57c40314032dd0fec1fac37b4a9cab94dded8c1495e1b

SHA512
6b98e9637db99f4acc7b4a23b2503f0efe00b77ccb43ac5941cbfbec01710c5c6c19ed33d947e40a81c19d35fd86632a9242708890db0c42d165a048bde58230

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
d82df6ffe0a5056a3fa03154a10f9bdf

SHA1
ba4d7d02e1e8de058813c5e99a50a67e4b7f98ad

SHA256
1eafc2bcef3907850e513450a613c1f10563a63ea73bef70dc853fd40506cea2

SHA512
e635085020750182ca9f098e83287c3f936b891ae4efe5f93ef6e16aac71c767aeca58a799616d7827a6e103e4636dd319958bd0be7c6d5fc47beb3c5d0a29ed

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
259fca18ef1a4d6e4d0e7b242b0e3fd0

SHA1
b29e13ba763c0eab1983127dbc664d5423ff6b63

SHA256
39473c8c7f280dbc3ee0aa632faaf810c784b140111ba22dfc9da5ce2d3915f8

SHA512
42ad0142da0a831444842847dc1e1fe67bace6fdbe8101cd4706924e775a804d9e9e521cff57d59ca30002e77e49a7709c3237140e57771a46ea97bcdc7c9898

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes2.dex

Filesize
308KB

MD5
87fbf4277c7b1354b07ab66e7841e5fc

SHA1
f171167c1e22209bfe6f8e826763fbba7e2dd195

SHA256
d604f9e58075636656da343d9efe1c1af4f225def49e4d288fc8a7442cb07555

SHA512
c74f9f44d6b8d4b3c78b79a2710b66ebf851c6401b8e01926f910e44e4be7ce911286b385558797802eba7ae26b0d0ed06faee79e9e8bbe8ca798f7ce4e4f9fa

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes3.dex

Filesize
264KB

MD5
336b36c9bac9108ef167e46ecd780cf8

SHA1
2f2053b4858cbc16a7fd71634187b829e816e3ec

SHA256
f144ad2da806b72948617d8d35426c21fb682d58c20c5002b3d41eefd80a07b2

SHA512
faaee8913953353783666ec7917e9cbb6774c024369e069de530904a3664cd96ddf7bb0a4b261f7aa8458b33028b39c3af7d66fb62bd3885e7f7fde001c67401

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/logs/log.txt

Filesize
83B

MD5
2f1620a6c0c4381e4d595d25172dee2e

SHA1
c2958956e8016c05c1d2a7730c24aabbb7c83692

SHA256
3922fe45ead5a0bf64f9246a51997cead1f82cf307ba3ca64bc477799a075839

SHA512
7949cd04deb4f7e2d8d95e8ae582e0e7faf8ae364cebbeb0f577b5ef8d8bedffa27368b2dfcd6b7391367709ce4fe9d8735a416693c96a28a73e748dd63177bb

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt

Filesize
1001B

MD5
1c56b419f043be564ccf85c040ba4758

SHA1
28c97c81599d098b2034aa18abfc72c6c26ea956

SHA256
e37f82553044557524cb0b7d2de8623384e03ba01d61cf1de79b2335577c00e5

SHA512
ccdc36a1535485c1b62c64ed3ab1f1ae630494e4590506147468bbf0cddd5f5aad538a576a124da28637cd6e138c25ef91433d048ae8422b0d40772d6ae6fd24

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt

Filesize
19KB

MD5
63fdb6b3ad424516aea99cd6fd5bda11

SHA1
7fd44eae842aee74f54a39f2d4a65949500c46d6

SHA256
0073f8b3cbedcfb77b00dd0a596e61e5bf92fe0e72cf698e14aa3f6c3b799737

SHA512
d9ac65be51a4fc04376ace9e694647f079e7f9532fc58657ff4e248d10cf6009d79c1d3d8aee49168ad05a2b605f44b5c24e5b0b6815c475ea1d7d15c18e0907

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt

Filesize
37KB

MD5
2d339b67def2c22acf2af687ddf6ecc7

SHA1
f61c42a3db4596621c28025da9110eb8af1963f7

SHA256
ff36a6ef44ae8391e37eac82adb519ddff3adc338c41d0721a71d2e99d3108ff

SHA512
62a8747f1e195d7a68a7c8bd5f9ac55624ca19df55fb9f019ede72c8cc889e041778ff9cad6c696f190c5f588b72068792cfbbbe44038f01878ce463d8f7f405

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt

Filesize
55KB

MD5
b40465b4bd112d2bf1beed0492174326

SHA1
b7ea2ff0c880cdac31ab7d58d3776b55e2c124ca

SHA256
16988f1267568c48685cad77d3120310ea61be0f0a48b761322b99cee76f44b0

SHA512
78385a29176e9b297a9092dbd7b1eb53df8ce4adcd495407903aac951374bae8ba19899d600700008506e013964191ac6673a57ba910a23f1531a4eca7f21636

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt

Filesize
74KB

MD5
9e1f0e3e5c351d16bda43e40e28f9ab2

SHA1
adccc76045df29b263bde90a0120d2b6d03b19e5

SHA256
34e3a46d2a27dde4afa35521c65d4d04e62b8be7f8b20140e308e369b15838aa

SHA512
993b155b878fdaebd829ce1e353bcf9bab3466574745d78fe049896e5503ac9bec21cd133311566ff1978942ea74f56820631135cc1d530b6d942f6182de518e

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt

Filesize
259KB

MD5
d25373c62b094cf609552d9e869ad46b

SHA1
32f2dcb6bbafe4517c518d2c28deb08a21e4358b

SHA256
25b5567575e383a65c0b6592e4bc7331aabeb44273c0965fcee2126a8133cbd1

SHA512
4af8bbd45a35ad28e368f7740996b6e5a11b1a3225331a14af51f340e381ac6d775ce2028f36e983bf62d66e111ef7452ce5fdc4935536e7d1a675b103ecc5f7

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt.zip

Filesize
4KB

MD5
7fbc1ca2871666ce3d69eca4c6d2f8d5

SHA1
fcd4b93314c6ee2a4af84e780d80582264d7dfbc

SHA256
6a2b5d89a6167deb0bab7251ebe03f9d2d2e8a5f3d654a6dba3bfe11ca51671d

SHA512
5e7d79f88df79a06ac70ff6b95c6c996e4552f87b882146f13edd094ad3087b6edc98b1100252cb89f2b48c4260533adf5ca4a7fadf573f7118446fdb4ca5844

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads