trickmo | 11af0da9a7c5f65bb098ed52973e814b12eba492fb3615a5fada5d4cc390928d

Analysis

max time kernel
299s
max time network
300s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
20/02/2025, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11af0da9a7c5f65bb098ed52973e814b12eba492fb3615a5fada5d4cc390928d.apk
Size

8.5MB
MD5

4ac484f345acdf8890166cbfeaa83768
SHA1

dc2e2796fabb883ca0c78248bb9c04ed1011f3a9
SHA256

11af0da9a7c5f65bb098ed52973e814b12eba492fb3615a5fada5d4cc390928d
SHA512

98baff804466a3b02a9e1b333f58018664369f054cd5ae21869527ba63e0527e1b40e4b4edadd41abb2a34a244f6d49b0b6d827f29fdd6d9b89c63009ae1dd34
SSDEEP

196608:nHEhsSiVt8gibdDYcAIUGVwrAWH5PVc78KSg:nHc/irIDYAUGVgAWH9O78K9

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://starnow.cn.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 8 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/consnews.matt960.can/app_erase/MAtN.json	4329	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes2.dex	4329	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes3.dex	4329	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes4.dex	4329	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/consnews.matt960.can/app_erase/MAtN.json	4270	consnews.matt960.can
/data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes2.dex	4270	consnews.matt960.can
/data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes3.dex	4270	consnews.matt960.can
/data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes4.dex	4270	consnews.matt960.can

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	consnews.matt960.can

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	consnews.matt960.can

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	consnews.matt960.can

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	consnews.matt960.can

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	consnews.matt960.can

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	consnews.matt960.can

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	consnews.matt960.can

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	consnews.matt960.can

consnews.matt960.can
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4270
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4329

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/consnews.matt960.can/app_erase/MAtN.json

Filesize
5.1MB

MD5
45bd2884cc0cf2d05b1b78cff9ae11b4

SHA1
e8e29baabf5b0aad58475d9681abb49a05bdbd9d

SHA256
5e3feb133a56c075ce9cb3f8dbe3ab445fd9541884a6712418c5d007e73a3aaa

SHA512
4d3f33d46adf49ea5ead847f392a1436e9ec5b14f47f1d90f86b0c8b25fce20b0d35ab0724c884e9a9c11c4c49ee043961bff817b70270d7beb250c9702ff640

Download Submit
/data/data/consnews.matt960.can/app_erase/MAtN.json

Filesize
5.1MB

MD5
9550548fdae0a7b2c03acfc776431f5c

SHA1
ee10833e07a7384e4c656aefffa29799473b94f7

SHA256
06a282bfd0d0b8e6f3e236650faa1bd13b54cb112f7748d0763b8031d2ae6621

SHA512
ea3d500689888e39d8fb1b6697b8c601f3cdacd304b12db176418b38ab95b04235337e0da734f12a6724d655d23edd437de3efa822df98712be308b9a6382b0e

Download Submit
/data/data/consnews.matt960.can/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/consnews.matt960.can/databases/a-journal

Filesize
512B

MD5
6fb6ac5d87bd9e55716d52d89dc49fcd

SHA1
0545916fe8028202d03e48c6225ac33c51402f7d

SHA256
37ab49b90832e9c6747d3b52c1d74748f59c51b25994e049415314b3eb2253d7

SHA512
0890780cbf19dd35a090d567b0e7f69f7a9846f1e375fcff0c419d5898e633c08849616c561bd3de54fcbae404535fe62a309d3818c7da1e45d305b8c63d65cb

Download Submit
/data/data/consnews.matt960.can/databases/a-wal

Filesize
32KB

MD5
066529ec5602c9f71fd4ea1838a28d2c

SHA1
2b0a10386c22066769041dcb684e8ebc397168ad

SHA256
4f513c9921c0364e1e56074e9697cc4af6c731de8908351767d667cf02c9ae9c

SHA512
2d8e6d90e847845555d4debd4bfeb7bda757bf2e7a1ddd35add763c2d309a1b3b481503b32a8b30647fbf51d25116ea2ddc7fcfe297a98fb2ecfc2f1accb760f

Download Submit
/data/data/consnews.matt960.can/files/consnews.matt960.can

Filesize
256B

MD5
afa0fdfa69b5db6418be42a0001ade4e

SHA1
c1a56aa916944b6a161bc4af601f0ba13a2b3067

SHA256
2ac78fb8e56b66a8227abcac739333d87e5639677ac8fb080585fd54bdb45a1d

SHA512
bcb17fd6536767f46a88efa137fbe760522e3ee6186d7be80a149b44607d8617bc1f8c7b4ec965bd6f5c4a926e2b345d690290b5354b9480e685e4773fd2f645

Download Submit
/data/data/consnews.matt960.can/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/consnews.matt960.can/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
2613180ba28845cab3f085236a7addf8

SHA1
8189644e1203a09da464eebd2809c5c3138240c3

SHA256
7de213e2bc3c84a48a8f7927e988b1d643b17c6680c21f020948a03a5cc13c36

SHA512
a0f1b62dff87408fbed5ac96ac7aeb9a39bf8a5ccb14640179c15b962dcbe16ae24ea2b4902618d75d2490096d091f753a6657d1c491d61dac8d40c2ca7e9c18

Download Submit
/data/data/consnews.matt960.can/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/consnews.matt960.can/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
a5f3c09b7417b06f9b13d5ceb882ee2c

SHA1
cfc7489b8e19ea99e7fde11931d06e6cff576645

SHA256
75091ba78f064eef136aca29eb5ef3cad552cbe33c231710656dab0d81865d59

SHA512
6af2c2c72eebb635aedce57d6aaa25bd785cbc0beff411547b896daa8ca3dd66cc4f9fa8f84d977c6570530ab7aed8ca4741dad16e9edbeaadc85b26f04292bb

Download Submit
/data/data/consnews.matt960.can/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
80baffa346691e74e2de0bc6189e39ba

SHA1
3b0375eb4cac8e4c6c717fece3dd1e712ee955f4

SHA256
2778169ab39200c6c6b039321e548f6147646fd7cb2867b9e62cb6815c2ae74b

SHA512
e531248bbe1e7bc98850401a1eefff7759bf8b191f9c11c62159c350915ab0fcf5f432434a0dab0cae0f15bb2ecb7a16ea7d2e7e32b802104d3b4a0d55a588f4

Download Submit
/data/data/consnews.matt960.can/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
559e012a243eb05233773e6febeae4e1

SHA1
968b4667819941b3a54b1675fbe237f256b66d02

SHA256
c0198eccca722823fcb5229ec559c115224dc5042691a008ac1cdce0061f97c5

SHA512
4e69d570778ef802bb1376264f25f6351d52fc6d9b5165a61950873af64a51821c71942d2edf6ab2de2165d1668bfdda18b60743bbb4f7d2300623c1c5e04cbf

Download Submit
/data/user/0/consnews.matt960.can/app_erase/MAtN.json

Filesize
11.1MB

MD5
b2dd75b19e82fd1b6f8c1bbd80b00d43

SHA1
fbcc0c095a6951f1c268c3534e80182275cf56dd

SHA256
57b7c8e0879f6b3cd3bb169533f8069072322b178dd2efb8cedf5d77761e32e0

SHA512
078089605d533d1d8dddae498383e79eb37275bb034666cfc5d2b2df13883f9fa417374f1461d091fe0d5d37d09a5d18a2f9c42228e72b68ac8dff01de380395

Download Submit
/data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes2.dex

Filesize
354KB

MD5
81f38c51436583b57b99da62a839ad7f

SHA1
3719a8aa29af2656ffb554863f3f4ff36039acce

SHA256
d69d7a5de42fd2219b81e57d5f4cd328e54f9efb9c98dc7977ecca30fea50abd

SHA512
6d673091df3b7d2538fbe1da035847c88cdfd85eaf4243fd00917ed7335ebced008a24a9bf3c0ba2b71543998e23ea550dd9846d8ed78996d1c9420374630669

Download Submit
/data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes3.dex

Filesize
254KB

MD5
e43a2e60e043ee737a1705cf8c36278a

SHA1
66a82c6d614798c5dde92788e974239765d9c366

SHA256
c23054ed69284e961a6d6af8cf762cead12f720031fa527c6f28fe3168c01f81

SHA512
103d93ef3273f08cc8b94ea05fb79af5cf2ec51d6201722f44c2b3285f3f29dda1b251e818e65148f13833b627604f4f55a8a1ec1528da70ddf0a204893f0d76

Download Submit
/data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes4.dex

Filesize
1.9MB

MD5
32579b28ea9ce1c5fa1f35bd4f9818bd

SHA1
8a262963232c8e2e43d755281f46ad7565e62a9f

SHA256
217bb9f5b5728b6373d10962cffa93c3b263049601ce4bfdc30f1b89c0e69c53

SHA512
dfb21bbe5a06aa760e412d05e9a91dc14b44928b8f88e6e01f96bfbd3d9a6637c33e8cf5d02dddb038cbd8dba5dd0cc382debb31c66f8f7d6ce3f176b2a6873e

Download Submit
/storage/emulated/0/Android/data/consnews.matt960.can/cache/logs/log.txt

Filesize
223B

MD5
1b6458c1aec02b4deb2718917e05e0ef

SHA1
7143c0c141334b7b35d891d5845211c3dfd5a4fe

SHA256
1419429991250e32740955ead0e9b82a2e658783eb898b095e80fb59e26e6c86

SHA512
241d548bc53d34cac297a6ada85c9ccae013c95cc8923dfae90135423fa51da50d0d0952daf8b98b6548874ecc5411566ee7a97775e9d041ffe5abf02899c268

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads