trickmo | 779d85d15301a42e8d84312322730cbae0557dd8e509cf80fbb7d77d70212fd2

Analysis

max time kernel
29s
max time network
30s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779d85d15301a42e8d84312322730cbae0557dd8e509cf80fbb7d77d70212fd2.apk
Size

7.4MB
MD5

8bfb509f30d63ed32bb6e11a75e46816
SHA1

7e3291c26b7fd90d5df27eab5405b9a0937d517d
SHA256

779d85d15301a42e8d84312322730cbae0557dd8e509cf80fbb7d77d70212fd2
SHA512

96713d07bb0140dfad82059ec3410bd4ccc19352a4f2fa20a8e6a03dca857fbca8cff4aec353b91d54480ac0f5fdbb3f752d25c42dfc0f369200a52232517aa5
SSDEEP

196608:4oSq14iAuaZ7FFGduvx90YnLpyglv2HjiIHpCxIQjv5Ll:h4iRaZ7FFV7pn8QwjiIJCxPRLl

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-fulltime.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/inwet.con500.na/app_relax/ot.json	4461	inwet.con500.na
/data/user/0/inwet.con500.na/app_relax/ot.json!classes2.dex	4461	inwet.con500.na
/data/user/0/inwet.con500.na/app_relax/ot.json!classes3.dex	4461	inwet.con500.na
/data/user/0/inwet.con500.na/app_relax/ot.json!classes4.dex	4461	inwet.con500.na

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	inwet.con500.na

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	inwet.con500.na

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	inwet.con500.na

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	inwet.con500.na

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	inwet.con500.na

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	inwet.con500.na

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	inwet.con500.na

inwet.con500.na
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4461

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/inwet.con500.na/app_relax/ot.json

Filesize
4.9MB

MD5
89b3ef5d581853dd635f3c3cdacdfe08

SHA1
8df04f195c28a0ecde4b8c425e3920dc0d7af6f7

SHA256
9b6b8acab9c9062338a516e7ae343758ad11c05f376411fe08a7f51552e572bc

SHA512
3d8fe4983d1bd021747536472973d0fbf1b1983cbb325b5d7a8c05a6fd85476766345ab5ff6ab6b4786e96f68f7a3c62bda72d8286ae9da3bcfdb7714aa1c1eb

Download Submit
/data/data/inwet.con500.na/app_relax/ot.json

Filesize
4.9MB

MD5
8054396083d548b3655ce5a73f2e60bf

SHA1
9242b6268f0023a9fc50bf5c1f8919b37642ac57

SHA256
b8813335a3693f85144474a518ff039d5b08e5853a9016f07e7226b602444e98

SHA512
f4aae3cd86a3143a7992335e1eb837e1fbf5b4ccd2518c9e44850bb40facc608981b8e952bb850ad8a425a711d44feafb1c232dc48a8f738dca1e793a22fefe5

Download Submit
/data/data/inwet.con500.na/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/inwet.con500.na/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/inwet.con500.na/databases/a

Filesize
20KB

MD5
9eb550d7ce23ac75cf094f97751513ee

SHA1
7d52d13d6488c5a04af30af43aa0e5f5086ce2bf

SHA256
eb88ea5c4a3389d5c552ef558ce0317857bdf91f657c44b03078ece16dda0127

SHA512
6b61110ce199db46ecc967b3f5fc68c8f0b56d6716c83c3bafac595399549cf07897d396c7f85780bfabe8996efe76b11fcecd73db5d4e3f956e822f30da1fae

Download Submit
/data/data/inwet.con500.na/databases/a-journal

Filesize
512B

MD5
022307d9bd2c699b2d5251ca91f5a56a

SHA1
9cee84a90d77d7dc96cea3ad0328d7af053fcb1a

SHA256
7f4b6e7c90414265f46824cb6b5876cb40c4989019af64c264b3c1be63769396

SHA512
83b728342d269b704148841d0a941551198bb29125e360a0b51cd5f6f4b5bfb5329021c29a85662b100c63a1e46f1aee1ab14bef0817626825c5db8fab7956b3

Download Submit
/data/data/inwet.con500.na/databases/a-journal

Filesize
8KB

MD5
ba59a5537d317231336a52651757b5c3

SHA1
57b7189358bdc4135666fea43ef00e9b38dc6273

SHA256
364ad11c7dfbf48db5fed4de4c29f5b8aa9236237b50bef854b51ea724c38492

SHA512
45d63d1a660239a74ffcb023632a452f2f1ae65e7df0a9e1287aa6d1d5245000a197e02accd640d677d9781dc553099de3d6caee77e17094f92208de6501809a

Download Submit
/data/data/inwet.con500.na/databases/a-journal

Filesize
8KB

MD5
fe36c71b7139add9418860ceda566c36

SHA1
fc72c96660327b5028d80e4df2636b619eabd563

SHA256
f63e6ccc4179a135ae050be868dbdcf5f7e3e489a014454087e7b5f8c99f1402

SHA512
e659df1e83ced234e7066e2fdb68bb1cd504f0919f2df1fa5e7155f35205155b9c3471c485cafdf7ae655e64a62380c33bb477b0e6e391e237af3053c6d2c5e6

Download Submit
/data/data/inwet.con500.na/databases/a-journal

Filesize
12KB

MD5
5b3478fc5e19df370449a7374517c866

SHA1
b18e8ce60c433a09983e8b9caadce66126020676

SHA256
83f568084484ec47ac198a0616174fd868f7c23e325bdbf1f6c8dc13653cbd13

SHA512
cdd95f7314cdfde37af8efed50a2bde3564e48116583800bb0f377b883caf939870a909703168970e3f9bdb828d2598b3cef99ad16cc1b9a35b39c41586afd88

Download Submit
/data/data/inwet.con500.na/files/inwet.con500.na

Filesize
256B

MD5
af9015f066c69aacdea4720f8029f61b

SHA1
bb35b3a81de3767b07d2a0ef507836facd357729

SHA256
e18f81655f837de9ff21203539d91c44d80e1a2ed048523edff57c910aea598f

SHA512
4eb49818d7b941cd0d6d051cd966a1894df6fcee44cbc2bd1ae78679fa503f61147a00326738248603a4c20b109479bbfe04489da5fde33419a9b8b59677ca39

Download Submit
/data/data/inwet.con500.na/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/inwet.con500.na/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
0816c2cf96b24dc3871807d410e7322a

SHA1
9b128b5b11828d5ca4585e3f2cae43c887ede92c

SHA256
90ab68174810eda5794894efa3303e8490a670abe3b697baee2a4484ec2becd8

SHA512
e96b75d7a87c328ad0f025fdaaf663448084e45128ab3161b66ee6bb0063b6e0a53788a10dbb0aa621395bcf37879eca36432ebfb08727460561e0217cb59799

Download Submit
/data/data/inwet.con500.na/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/inwet.con500.na/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
df60e39c929de6f359af68b09d4c9581

SHA1
21395f0ea49597ae9f22bd6403e9db8162cd3d05

SHA256
d301b87f9918bbf4d2640694e955929abf79f8458b1378d89bc78f703a061941

SHA512
dd052e42bfeb5d3225c7e135f9a19f33112d2b568fc02cc7622150d79e5422418d7048307cdfd9ba3044bfa4c40e36c28bf17f3cd631181add19aa4ad0d2f20e

Download Submit
/data/data/inwet.con500.na/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
6e022457459c5fef5c2b1239466ed103

SHA1
d270171391588236ab396acef8f25498bbe85d68

SHA256
5de3869488651b91d534a6febc7699658a7320e991ec5a8bbe5c53c30dd1a478

SHA512
c59222fcf75dc4243bd8244833be4eb926be971e7b4209face052eada648b7946882c83ae77fe6e13d8cb5a2ecc21154420af2d12333a1f737cbb1755c183c51

Download Submit
/data/data/inwet.con500.na/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
fe1b99ab03800ac3d88bf923d28ac4bb

SHA1
9796dd7d08c87f6b703efba1aa496c755665d385

SHA256
1aece973655837e238d49559e3f814805a9a7d59863aa3ef9d7826d7b6263c9b

SHA512
1c62a1c3860af06e33f1756d4dc83d96d1702ca472f98fc91d2d564ca55318f2e33e9ad0fe4552f8918632b8c27015a2f4cc6c4a23bed36a9fc5c1374498d71e

Download Submit
/data/user/0/inwet.con500.na/app_relax/ot.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/inwet.con500.na/app_relax/ot.json!classes2.dex

Filesize
308KB

MD5
7723068245261ada3212130aa8372459

SHA1
5ba84c7eab28559750cc0c820ac7ab5c79c9c383

SHA256
dbe0a10d12cd4b76d99a3a6881eae6b90f37611739b0baf44ca70287be976a60

SHA512
445000c9636dadce32054acf13693eee210e600de8311fdd8398f7becd10c789322912312b259a6f1537d5f0df36204754a10d886c8f0c9acbd962b0ca236a6f

Download Submit
/data/user/0/inwet.con500.na/app_relax/ot.json!classes3.dex

Filesize
265KB

MD5
cdb734ac42d5cc86fb4c3477148fd40a

SHA1
1440abc288d35324384138e103a5c3b1d24e3d71

SHA256
63a0fe737e67c644a1115d76cdd068c8e93046da8fd81eb3036eca10a9dee9e0

SHA512
ed280eeb3e2c36be74936745b2a13dec6d196d7d3ef1d80f3341a18887cd865785776de6d67e3c8caab49298cfc068121a3e9165beccf5af8b9e6f423cc9713f

Download Submit
/data/user/0/inwet.con500.na/app_relax/ot.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/inwet.con500.na/cache/logs/log.txt

Filesize
83B

MD5
91b58d77b1760f4c487b5101d8f3321a

SHA1
718632b08331cb41660a6907a70dcf5aef441e08

SHA256
9fcb764cac08b85e66b1f8a8a256e20851af80f304375c6471b3cfc2ffb5381e

SHA512
335e7653ce6ca49a24f6cf10e2b3acc93fbf9e021725dfc1b2d5e0560ade381782b84a93b4ef8df8fd9137d5e46466ae260db782504310766a26622c8efe339f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads