trickmo | 9e5da5bf917acd4132c8b3d4b63af9b23d7bc16e71e51bffcd4a82162e598394

Analysis

max time kernel
29s
max time network
32s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

7.6MB
MD5

3be791e432b3ef50c0c947968afb41b1
SHA1

6aecf3056085a44d709879f726b36447ee9f5610
SHA256

6c968e052fdb59730897cc37a0e61e69a8c5a20f04400c0276534ae0604c430d
SHA512

9def8ad356092a24e936c735b9fb3122a7dfa559c5b2ba2ac8e92428accf4bfadff77c51e893acb917fc6b758de99986c66bd90d8135d5ac89e99e1dd5d952b6
SSDEEP

196608:xtK7pfMaBf8C4GfJCtMJCp1Uawqy+DbufUVjv5Lpb:/u1MokCdfEwfqypkRLZ

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://monster-truck-mx.info/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json	4484	flotin.freeh272.cy
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json!classes2.dex	4484	flotin.freeh272.cy
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json!classes3.dex	4484	flotin.freeh272.cy
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json!classes4.dex	4484	flotin.freeh272.cy

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	flotin.freeh272.cy

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	flotin.freeh272.cy

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	flotin.freeh272.cy

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	flotin.freeh272.cy

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	flotin.freeh272.cy

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	flotin.freeh272.cy

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	flotin.freeh272.cy

flotin.freeh272.cy
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4484

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/flotin.freeh272.cy/app_avoid/QjGX.json

Filesize
5.2MB

MD5
1d5f03498c4dbe7b67ac3b5f7389bb5f

SHA1
70ed7fbe0a7c1f0d60494b53cec06373b7d2d535

SHA256
d404331794ae327b16b249517d953e1fc79a3fb711e08a7c6fca15e968f26893

SHA512
6f09e7ce0b358eb7dbe433411754c32279d2a0a77eb1dde436063bc636724c5a3540c32c8e65fcc822acbb9e30bf7c978d689cfcf09a46f44334fabafba7e031

Download Submit
/data/data/flotin.freeh272.cy/app_avoid/QjGX.json

Filesize
5.2MB

MD5
e3356e851fa19b309543ae4ecae7bf08

SHA1
942787957c6a8fd19ebf6239b2d890585acabc47

SHA256
1ee7551d82349f97d636d868e63db5bf9b802e13a9892f58c38359c15d86a1be

SHA512
278bb1705fd0b6d3d1e4a65f4503f038d8152b5b5fa7a300a519cbe2ce152c8fd898e9b410ee422b96aa763ce5729e05da1e00b9b6c2700be93f34cd11db9c7e

Download Submit
/data/data/flotin.freeh272.cy/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/flotin.freeh272.cy/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/flotin.freeh272.cy/databases/a

Filesize
20KB

MD5
ba67515fb9d300409c3efa5181e993d8

SHA1
8f605c5dbfb5d49062000a33c23ae6fcce41b6d3

SHA256
c2cdea19f3fda1503cef17a347184f820f34aafe1f397df15cc510b52cde7526

SHA512
a725a781d90a5750b46b975a68eb7768892cdcdff4933bc4c8d243e9509cbcdc97b08267cf957f15dc130090eec49a8379f13298c6e8ca92a20f2636bc09808f

Download Submit
/data/data/flotin.freeh272.cy/databases/a-journal

Filesize
512B

MD5
384a6c1ade43f69fec2cd3003cc5a549

SHA1
d4dbf692856f9cfcf3dc1386501bde8b28c2b331

SHA256
2a61ba254cfd7892657ffea7be09a5134e5abd4028ba71ef7f1d187330df77f3

SHA512
6a2f4e31cd33bf54a58cec39ea8fa43adce9b8ef29e0e0dd80a8db5814dfc898eb33bbb5e0511331c92fca705f17d1dca5ee7681742731e4648bfa2e880adad8

Download Submit
/data/data/flotin.freeh272.cy/databases/a-journal

Filesize
8KB

MD5
e5d79100c5c6465ed69191d6957a78d6

SHA1
6311505bf39bbf1288d8bb095c8c8a067e3d805b

SHA256
8d196355e96e4b64b3a268c2d5b67a78218703a438fe8b35dc7c77f9efabc799

SHA512
722101068d9ec1f98e13b4b172ca6ee064a51369659d361aa98ec58b4b1c71d9042d7e29eeb432167b07819f76b608acc1427d06e6aba8e18f7558bf5aadfe1d

Download Submit
/data/data/flotin.freeh272.cy/databases/a-journal

Filesize
8KB

MD5
c947e2471bb53de2d514ca269ca2048f

SHA1
6933ab857c93cdcf645b1859627f581f3a34881c

SHA256
2ac3d4ef5c1a56f23b3ee22053bf02680d7e26bcd40120b3c4f1c4136f8f0419

SHA512
7ffe9e21dfc9bb63d9e01e612a78bb0d48fd332782ae74de3a5de1a3b16933dcd751663f20d51600cda23db717b7a3e97736bdf6d768df412ef631b59ab9e784

Download Submit
/data/data/flotin.freeh272.cy/databases/a-journal

Filesize
12KB

MD5
6c464b4cb526ddcea5ac87ba30076890

SHA1
7a3ca4c6a3546d4cef396a5fd8f990e99335356c

SHA256
2b80521632d9853d09c7ee762cf798f2059dba17c3aa9916323e7a6a98f9b0ba

SHA512
e751424bd6b3c2408e26287b7a847138be78baeabcf71357385d26972bf401a2e2172be9f555dfd426e265e3e6dd2705a9ebfedbb8cd9633e8e288326f8726a6

Download Submit
/data/data/flotin.freeh272.cy/files/flotin.freeh272.cy

Filesize
256B

MD5
1fc61ae04a241021cdabf34c356e69e7

SHA1
f8b7b2a98ac117435877d81185464b40d3eea26d

SHA256
772c101bb83d20efdbc81083ef67484355bc888ec0d95cc840067513151d8fae

SHA512
9a5ecf0607e1b99a99fefdcdde2d415c9fd556fbe4960d7b9b23a156ec285c1c2ebf97abac45f0b939f60542c307bd7db1088474ecdbae17f0c83bb9a24ff3fb

Download Submit
/data/data/flotin.freeh272.cy/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/flotin.freeh272.cy/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
bbf8aac87c1b5c014a8f36034cbc68d0

SHA1
311bb32007541496f4d30486ffc14b968a6e0f30

SHA256
31ea64f783cbcb8ed5302ec61fb1fb6148dff5577b8d97e5222b282d4cb31754

SHA512
53f3dedaba01fdf5e5bc37b33055f1ac0245d3947dc4fab93ccc16adb21ed2f44f520975980ebb5ee3986a12c29edf3a25ca5dbcf6144359a073e74caaac5c71

Download Submit
/data/data/flotin.freeh272.cy/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/flotin.freeh272.cy/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
598c42ef2ab7210e603d5b7a7d995bbe

SHA1
1e7cbfafc834e970828d475494d3e6a23ef7a407

SHA256
f508bb7b1c5cd5fc82e8107f9945b75b551fa28dbfed9693c58ba24336767205

SHA512
8873ad2e5e2df9cdaf56a7fd99bacc0ccd559a7a720ffd7e9201cedf25d8d64bcb8c5d03ca8400087fa98f381239b9a5be54af0cb73c67ba84ff6613ca066609

Download Submit
/data/data/flotin.freeh272.cy/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
470f4744fdde67a34cbe749a61f180b9

SHA1
f7f977fa92a4d4d6d15f20af4c6b97760a74467f

SHA256
eb2fba84e29e6ace7ad3067c3cf346d4bdf82c982a004f6dc3860034518d8074

SHA512
90e11131e8820529be79db5007a2dbc0ef6189c7404d9094fc8bac9d7f0b9ea6d91c088a62571ac0f3b5eefc4c24a7e14c86a49ca74593ca9148ef23a09cf817

Download Submit
/data/data/flotin.freeh272.cy/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
b3c3c451e9103186bb93dc5f88fd383e

SHA1
b7a82a23ac873b565ae145e7d2979bf686231e9c

SHA256
772f97b743a432350036bb81df1726ebc4d27e942cef8a7bbbdf3729403cfa70

SHA512
3527dba132bb9db6b697c1f1775370bbede227de9418d6089c4cbf74755e0b7c8bb7c51301ea96342e539c08cdb22e536b6dd0c6c31db46af5983b692fe50a3c

Download Submit
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json

Filesize
11.1MB

MD5
28041432b0c51e3e887643272629c83e

SHA1
fbea5dfc62f03e1ff784b410ec0d547de0e8156b

SHA256
85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902

SHA512
7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f

Download Submit
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json!classes2.dex

Filesize
351KB

MD5
57c3cd19fb542f41b9baaa891246e974

SHA1
4ba134e46f80fa0d0c6d34e50a149161b5cfd1d8

SHA256
9c74cd67633b9470e270c32a04ee6c4ff4f30bc60643804dcfc18d2362bbea78

SHA512
6cd77be465ecbaaf011fcd60b94aff79c59af163981eda1e4a77fba14527d18f69c8782e374be21724b88ff74b207fbb108659085634efe84a7ebcb2af339d14

Download Submit
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json!classes3.dex

Filesize
267KB

MD5
39f261833dc209edb38e8bb09c57f22f

SHA1
8146eb5a3202052cb1b97f98620dbb35a2b887e1

SHA256
cb64c9dc99105911c6b6fada0fe718d9fd1110158a6f1d4a3db947243b797f4a

SHA512
8e5dda11ddefe15273a9dbe0ca2b648b0a6ef34011f88e21ae1cacfacc2ef7aa704c64151598cc556468c488cbb069b8db28ab79100f4fa66fe0425d5360097a

Download Submit
/data/user/0/flotin.freeh272.cy/app_avoid/QjGX.json!classes4.dex

Filesize
1.9MB

MD5
2d73c5997273e3910c1ac1d8db7ba145

SHA1
25737e75ed15863e69d02a14efa781370dfec798

SHA256
411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965

SHA512
7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a

Download Submit
/storage/emulated/0/Android/data/flotin.freeh272.cy/cache/logs/log.txt

Filesize
4KB

MD5
04fbdf428cafd414a5c7db1aad144f5b

SHA1
79d998ccca9200144ad2d30443a4ad8be71ce88d

SHA256
c356e46101fdeebaebb602fe3ecfeacb2f608e026b588575d7c07fb6fbc6709b

SHA512
0870be1b839138a4609a66a3d1483fb9543af293045b3627065b1464d8723c837c92e01a8d1aa07d57ec92ecea703ecfd15b1bc74a79954e91140bde34cec0d8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads