trickmo | cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0

Resubmissions

05/02/2025, 11:04

250205-m584bavngp 10

05/02/2025, 11:01

250205-m4n2ravnbr 10

05/02/2025, 10:18

250205-mcbmcatmck 10

Analysis

max time kernel
153s
max time network
160s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
05/02/2025, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0.apk
Size

8.1MB
MD5

c889e75eb26de5a53531ca1d799a777e
SHA1

4c9ae2c8bc9a2bc02926ee2a9a49730881907a69
SHA256

cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0
SHA512

cbe94441f6ea06b1c9c9de0933e9755d3ac7deb3197d795570cde4d0680c87f25c8c3e34c189a8b8d898b8afa9140093dfbf731852cbc6bf02cfc03c00bd5941
SSDEEP

196608:5erveQWOfAMidD+traG/iYVS9MEY2HWv7ecSb5xW:47eQqMidD+hjpVSe/2Uu2

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://mainworkapp.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/aner.fos540.ex/app_fragile/py.json	4650	aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes2.dex	4650	aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes3.dex	4650	aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes4.dex	4650	aner.fos540.ex

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	aner.fos540.ex

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	aner.fos540.ex

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	aner.fos540.ex

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	aner.fos540.ex

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	aner.fos540.ex

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	aner.fos540.ex

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	aner.fos540.ex

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	aner.fos540.ex

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	aner.fos540.ex

aner.fos540.ex
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4650

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/aner.fos540.ex/app_fragile/py.json

Filesize
4.9MB

MD5
aae2fff1e66e2ed7098e6a244c9fafc9

SHA1
cb45aa08a26f26d57e4ff2c38c87445baddd88bf

SHA256
1f4ecd2ff4e128f1ff3da8e59d77d3b64eda9ba8514d76abae1f786bbe65420b

SHA512
757310e3bb6855040b4b2a631f221e806721f5666257add6bf834c29b37a19fb953c42d3d04bbeedcd53d1ae1a2337bc61e36db046e46f1de18103e324fefb73

Download Submit
/data/data/aner.fos540.ex/app_fragile/py.json

Filesize
4.9MB

MD5
ad4a8dddb4b956662516a5353912f97c

SHA1
52b4eee991f8eac17572bc57f2b06dba9a6fddce

SHA256
19fd2538eb94df4e5713d9bca304527c08f27a84118ee583fc263cda1ef3b10d

SHA512
37ce05314e1e2a0edbe07f91208265e3c35a63142da54f60732736aa9cb8201dc78025682cb489e0e607826a21df38932ddbaa199fc86d246a91f42a614b2dd4

Download Submit
/data/data/aner.fos540.ex/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/aner.fos540.ex/databases/a

Filesize
20KB

MD5
57baf3e42a94e8dd82e267b2f0619330

SHA1
76512dd29fbaf3cfd2efeae0ac2ab5108b81af19

SHA256
49a98902c1ffb97354f0e8f0f9208b84dfabaa826635f6ade1fc782169a3ec7c

SHA512
227f9d10a39fb0d8ae0a562e3b983fde44de62b3dbcd577172451e0e1f669e5721ba653c324af7c4d022032edd951cc417805a4eeafd5e84f28d378b9126a690

Download Submit
/data/data/aner.fos540.ex/databases/a

Filesize
20KB

MD5
e5f344662d57b3ad296aae93ab7965a3

SHA1
56ced149e3de0daa3b12d4db11bbd0b2aa920838

SHA256
aa5ecb1a9eb7e59cbfd7507586918255caf410cdf80bbca51856b8d5d9147d96

SHA512
795a2b97cb7006ca1a0045f440fbfbf3df23ec21a6498291b34b2f8ece1ed89774f62481b311e66ceae80b6c5815d732b64861fb0ce6ddfa6b4e9618dac44a48

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
512B

MD5
1d04a7fb3175a043ad8333dfe77fca38

SHA1
1dba65ad9dae8d31355d2c1937d266a5c65f8f7d

SHA256
629a480d3cb7eee322cde2a82b8acf0300f672244cb679953d3363b2f744c9ef

SHA512
36341ac7073d16500c206faec50499e1f3465595997703058e7aedace471a970ff75c5805fcac0a5522fb928ae8de6ad41c87df98c4af0cd5b3356b7c0b18a61

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
8KB

MD5
109bc01cd73c5629265e3ccd46714f48

SHA1
9935bfd5cbe5f6906b9b61b94a62093cff3d3f98

SHA256
861942881b05cf3a3047dfaf99c7a35195e7e59f78c4ecbc4248b1d5ed53c6ec

SHA512
da0e712030ec6081ea2237dbf2f8df75c6bb5b2ce6a61721fa6f86d055c787a5b3f795364e721be22fcb246f82fc58f4160e5b0cd52ba7cb57bef77f9e7cc939

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
8KB

MD5
4887505bc8ec3c12a9099be877e123a3

SHA1
d618f680a8c8ecb34cf9260ad05b0b9a8c609a13

SHA256
4c83f778a8d455f1335a94d54ecd280affe1a1ceb849d76e2d91138b4bee1038

SHA512
1f8b7e352d13653bf75e939e2569c997e8d2b2ae56cee31b37d2c0bfccc2165c79eb3c5edff0b1d3aebd737a7e0ed84bb951a5545355f80fd8fcd95a364082d9

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
12KB

MD5
f7d995e03a37153d7b2d2a114db14d08

SHA1
1216eeadf7e58dff640cebb6c361c27c4882d411

SHA256
4e6f6f51e1eb30ddaf5753ddd90a6392fa55e2291ad975914e8bee6242c25d6a

SHA512
1846489a2af2bb94cb50b7d8a12264043646dcbf39bff799e11827682ebf00ef4645b46ef84b811bf6e8c2dd829370c33ce920e1edea38af021996b7dc7d9966

Download Submit
/data/data/aner.fos540.ex/files/aner.fos540.ex

Filesize
256B

MD5
e85116b13be2dea945c1bcb869013869

SHA1
39193698f01ab8de36a8bc12144dbb0977c4c9e9

SHA256
854bcd2ce331ca0e91cd3b5f56c1dc39e0ab29bd8436e76cff9ec5ec6b531c47

SHA512
9ba0b02b882b31de91d3163b774e5c969986f8208fc94486debca383e9c5ce8d2c255a6f31b88fdd08e5c0862605b6354154858ba475ccd8cf569b70aafb2545

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
12e6e342e968040648d0628ef9b49fbf

SHA1
65e65ff8d13e8d9cac477024bf0961b937c9a032

SHA256
418490f6a116129d0f79bdd7baa56dabefdc243b9e6094c514f73a2a48d8290b

SHA512
c54038d6eaaa9027901a534184e8b5bbc82782bc36b845b5a3b694144441b3793c012c038ce410390888c1a63dd969fbe43d3f689335d40e3a0c0b3145f65307

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
8a22b9248b96dd8a12ae155b17c4951c

SHA1
70a5e55e33168820f5751130f23431297fecda2b

SHA256
099f72ddb5cdc6eecb582fe057f2d23d6a5ec90154563fdbe5776397faf865d3

SHA512
2bbbf63f72172b9872c79e63a81c88b11513c4d4e76abdcdabd95e8904ffcc0067a78cf861128e6c3c57ba6e9903f7afbfb2801499f80909025ffa58f2ad4652

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
2d3cd8cf0d8b929d1c61af6a416fc469

SHA1
2853f05cb1d4278836c44b96865e6d371f86d2c3

SHA256
3eb9250f6c9af078266e545913b16e6018547e56bd863af7af58e5855a7cfdd5

SHA512
0ea79eb0ddf1e3750ba8f199dc660ea97ae8cf59b6f6a22844465722507734449412ec289b81dcb54b16ab8a4c1ab392a3379a2785519654fda0ead7ab03130d

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
64b9e02c3973abcb54c261670c3618bc

SHA1
d6b870791c7fbe82af11f82063e1ed5c337f02df

SHA256
7ddfa1dd12090e48099363d4b54f8b95ef402fc5e2d94f22431d904ab0d2e138

SHA512
4a4198438d6a488a7799fcec14edaafd93de66163951f1bcccb09768f6de1d2ead3dd71523411d7dc65c21c066851405d6343e560339e1e32af7f9f5eeb01808

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes2.dex

Filesize
308KB

MD5
87fbf4277c7b1354b07ab66e7841e5fc

SHA1
f171167c1e22209bfe6f8e826763fbba7e2dd195

SHA256
d604f9e58075636656da343d9efe1c1af4f225def49e4d288fc8a7442cb07555

SHA512
c74f9f44d6b8d4b3c78b79a2710b66ebf851c6401b8e01926f910e44e4be7ce911286b385558797802eba7ae26b0d0ed06faee79e9e8bbe8ca798f7ce4e4f9fa

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes3.dex

Filesize
264KB

MD5
336b36c9bac9108ef167e46ecd780cf8

SHA1
2f2053b4858cbc16a7fd71634187b829e816e3ec

SHA256
f144ad2da806b72948617d8d35426c21fb682d58c20c5002b3d41eefd80a07b2

SHA512
faaee8913953353783666ec7917e9cbb6774c024369e069de530904a3664cd96ddf7bb0a4b261f7aa8458b33028b39c3af7d66fb62bd3885e7f7fde001c67401

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/logs/log.txt

Filesize
83B

MD5
2f1620a6c0c4381e4d595d25172dee2e

SHA1
c2958956e8016c05c1d2a7730c24aabbb7c83692

SHA256
3922fe45ead5a0bf64f9246a51997cead1f82cf307ba3ca64bc477799a075839

SHA512
7949cd04deb4f7e2d8d95e8ae582e0e7faf8ae364cebbeb0f577b5ef8d8bedffa27368b2dfcd6b7391367709ce4fe9d8735a416693c96a28a73e748dd63177bb

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-54.txt

Filesize
61KB

MD5
74cbf8b78510dacb14e7f5dd793e1875

SHA1
26bfc8550ee79ceec6dcc90d08135f50f4b898ca

SHA256
fb038c0f43658b4154793104d674651626557c5e15c2c81f5e38a44d40916e85

SHA512
a072e30fd04e0d5a3261df802fa3aed7c98f432719e6fd9b7e7e425c5eb8b4e16007dda63a142b718b1a0fa95bca0f084918e1d8727d30e0111e69fe2d20f5fa

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-54.txt

Filesize
91KB

MD5
8874a4f8faa3a7914d36e0f727e7d1c3

SHA1
0d2627d3fa0f27de5a7661fe17631c974cf79bc7

SHA256
cae4ed4147cbc5d0277b8b54398a4e6cb7ea16ed2014a8fab090aacda3d1f634

SHA512
3e7f3b5d29377fe918ec3299619cc1ea19aab207dcd2b614b0e6c3f1b17e526ba2c31c7df717edc0448a2610ceaf9a088085ae672aa5a60af1d2ea00179aa163

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-54.txt

Filesize
122KB

MD5
747a4fd06481dcf7a77e3d29497c0890

SHA1
0b47b0ed3d9237bc826a9d91970fbafb8557cff2

SHA256
7194be2a980b92521f14ea8cdaec9aa624c97832732a9bc22f59b6ed84b5171f

SHA512
26168ec5281088695ace770977771f0366b48ac7cdb6f65280ad0230b294cc64785c5346f712bbd654621eca2be23df5b69fe025c9291907b16fe4b761b7b32e

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-54.txt

Filesize
153KB

MD5
cfb2d86896ca68203244e0ed54141fc7

SHA1
fd4ecf9f8ddf42f69e11cbe63bffa41e559cb4f5

SHA256
f440afffdc68de497ced92dfc6c06751ef57c945f1cc4e566e7dd556edf05686

SHA512
e6b3f98ea565d95a70ee6e9f2027f82688a07d164d84de16b4f9ca5eb6e8c2639b96a421541f6e6de484a8f36f58307a96cf7a1b63fa3d64ade05ae535775ba4

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-54.txt

Filesize
1001B

MD5
1c56b419f043be564ccf85c040ba4758

SHA1
28c97c81599d098b2034aa18abfc72c6c26ea956

SHA256
e37f82553044557524cb0b7d2de8623384e03ba01d61cf1de79b2335577c00e5

SHA512
ccdc36a1535485c1b62c64ed3ab1f1ae630494e4590506147468bbf0cddd5f5aad538a576a124da28637cd6e138c25ef91433d048ae8422b0d40772d6ae6fd24

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-54.txt

Filesize
525KB

MD5
c54e3f78effc24704b7e1d20ba1d62a0

SHA1
d2967e1eeb9337e3229e7925f9ef55a741d53c2e

SHA256
d049aabc466b8bdcc99a0cd10e924b3d8c98f7772446170f3e74ba737a9da8e7

SHA512
fda6a38edcef0a7f7b502b7ebffc8398cfde6ef99bb2183bb31f254555b064cf1457bda114977766d8ddce189ec997df908e5519bcae48d0106afb9beb9b0c03

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-54.txt (deleted)

Filesize
30KB

MD5
da4045480642a414233a5cf8b4daac2b

SHA1
21751fb075dfd6396c2dd341da0fd51d0ddc066a

SHA256
1346e760efd99af770d706f879154814ae6ce15213d29dc4ad3c14e36ae0fe2f

SHA512
146255b982cedae0094aa029fe63daadfc374734f9c5ce4cc98fe214dc25dd7f1443962984b3e5d80b4d5fd91b151bc2c500b8e17840aea4ea02eedf63e9d34e

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-54.txt.zip (deleted)

Filesize
12KB

MD5
6a62625a30bd1960353c6c70c01eea0a

SHA1
0b5ea02909f1deb8a65a858e1421aae77d85d93b

SHA256
5d984d636c72a740b97f9149b1a8172ef5baacbcfd8a83c01d6dc2ac2756958a

SHA512
e001c82042397a48518ab7e1cffe003f3394301a470cfd076a5154c27c95d4db3e2777bb65e9c531014a3c423399fd48dac985a796bf79cebf1e957692dc944f

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads