trickmo | 90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495

Analysis

max time kernel
29s
max time network
30s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495.apk
Size

9.2MB
MD5

8a58d7aa7729a84e4ee0ef963caa5be3
SHA1

87e933bec88b736f1de6f70cec42a81e9e36e9a1
SHA256

90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495
SHA512

589cb13f9cbd044f14f910ffce806d8c8df05ed54fdbd6062ab0705162df4863cfce187db6ddfa757e6eef365e3c4459f218de65932431dd85ad63d497d6960d
SSDEEP

196608:OBO3phigDUUVdYknQNPLJTlbE/ZdYwr0PMCx0jv5LtE:OI5YEJnYVTlbQZdYURLtE

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-fulltime.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/efja.fast805.touchs/app_yard/IJ.json	4462	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes2.dex	4462	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes3.dex	4462	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes4.dex	4462	efja.fast805.touchs

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	efja.fast805.touchs

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	efja.fast805.touchs

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	efja.fast805.touchs

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	efja.fast805.touchs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	efja.fast805.touchs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	efja.fast805.touchs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	efja.fast805.touchs

efja.fast805.touchs
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4462

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/efja.fast805.touchs/app_yard/IJ.json

Filesize
4.9MB

MD5
45039e907203a7f1bfd2a46c495d678d

SHA1
0a946711f6738db293680968bd05ee77d9c9c7b8

SHA256
70ca8442c5c04c35f4c341e4d91492356a70a9e435233ad955e9374b9e2945da

SHA512
f3aa051af7bf4e77f6a62eb0acd2a68fc79d12b61f2f2e98a1cea6c1e700b9dafc9287d9c37957653298c3ec29a88c2ba7dc56aa2e05a379cd87010f98181523

Download Submit
/data/data/efja.fast805.touchs/app_yard/IJ.json

Filesize
4.9MB

MD5
569de88fc6ba465b63b734683daa8af7

SHA1
ae8b7054ed78707c8eeb295889b102c02689f985

SHA256
abd9619c98bcf1ef70811daf2f1eeed2f8f7291b685dcaa4e09dc1008207d38c

SHA512
d09c3f136c512089569867146e634d1126d039bd319ebbe160b547736994cea3ff372abf411b6c5cd7afae9a97c043b0d98bca5ad254041d6be2c61ee0a5312f

Download Submit
/data/data/efja.fast805.touchs/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
df0ee2a2fba4b3f0d7f36ecefa5d6b93

SHA1
29aaedb4dc5cad6e79389ad3a77d707e871e0f23

SHA256
1bd13c0592c4bcb13173eda3d28d28d711366017ea1ee23d9c31dd935b6736d6

SHA512
566f4d871e0804fb2b7d8a0598a037893bdd440bd1865bf43ca20f44853c1bc5920ad12b2a9449ae59ad840423d014b54e3eca4343d05239d2396c3dbde5f4eb

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
512B

MD5
273f6b76d5cbaf2df6409051f420511e

SHA1
2b7ecd7538cb77ce7905246a206150a244bd3896

SHA256
189fad39d5ba684508c6c22bf12e68a86a08b06c4961709a8caf92090ff956d7

SHA512
c7269a987a060a68bbd7751190fd994649cb3e50a11c02702a5754e74e7e6684d99ad7499d5cfdd174b7a017ed0bf318dd8b06ef9c4a7a19775c526e1b16cc95

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
659b4e6feb2893aab433bc2e7ba9a5eb

SHA1
4aae05847b374329fbb47d81f68bf47cca99d2f4

SHA256
b1ecdd74d1a791cd24025bb79eb742bec3ce882785b56933439817fd79efd728

SHA512
482ab87ae153bac92f8d3a6d093248c01a1f4b4c9819c037279e3cf4bc2597b267312dbfd3c6e2e68290e4c262fa8aad4cb2bdd9f3f6aee03d6ad8c34dd21f41

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
d03626ab42bd5c39c01877b2c48f7a04

SHA1
2f630794b057476fda7724e770e91d5db8349d8e

SHA256
c45a028790855a97c8c6196564b2e78fde73f7a6fdc0c27e4fd1b22e55b44bfa

SHA512
9cf5346e954ab769ac2a5d319e779180631e9778d7622faff5a177821539c151dca72624555913d82eb843be8e8062de0afbe5e5d91f5e49908d5866a00a4633

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
12KB

MD5
02d9f2b21734ce45f855194e64015f6b

SHA1
622e207feea056905e567184d43a089723866237

SHA256
74a868d954d75cc4938039c2d49a71447c633b039dac9c5f2aef84249823dc9b

SHA512
b83a524521fc515730f193d6fcd059e8f8f0251f64bb2c8dd7bc3c4e2f84f4cbefe5164dd5b77e16fa04fdf5d503c55b5f92af9212ad1977a95bf8c0a70cfa49

Download Submit
/data/data/efja.fast805.touchs/files/efja.fast805.touchs

Filesize
256B

MD5
baccab6b23b7a475ae8efb58f7889453

SHA1
532b401f601262009422b2402293da0b807ecceb

SHA256
8ea67c20e58cbde9a3eae399925bec0fa7f78cca8f147d052600cffe7dd8ef82

SHA512
c7b575b377c8afbc0bd03944489575889b89c70f1caf315e37bf11f1002310fa6431b80a254584da5f07964c358d8d495974384714d8c927161f3c9b962c3a46

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
1188e5df19aa49e447b3c2bb39b9b415

SHA1
c325bcf1c5be204c96fab3563102fbbc2ae9da84

SHA256
abe5a9c6aaa45ee098be98f2d62dc95ed6e6e6f4ee942fe014ebde3862a3fb64

SHA512
c64b8d70dfffc67225d705a8be59587dc5ad7f89e14f65dfda9499e2ebebef7deadde6079d00efc0dd2a127bf68736e33a4b212445f8a0b21e47cb8f98bc4392

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
447a3f4ce4b06ff620816866a8a8d918

SHA1
aafc40d7a01122433b217aeb958a713b6b13f71c

SHA256
2faf7d9f0469c0dc3115cf46e8bc4cc60fa08d16d523e1d29e43a99710685773

SHA512
19eef1af2873533a32c5962b10e4b9f40acf9868d2027f409776c17f9e7a11ec50b697755a78a6670747c5d04e61ec8607b2697b533fb0b150b50cd794f0b99a

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
7121f758683f94303ecd7a53815f0424

SHA1
aa125320fbdf9bfe746543633f39072d4c4fe4d2

SHA256
d2a04339a7a1d31a5de2aa51d9b321483d888005e8b133218e29631ab608d2fd

SHA512
f58edb531a7e552595ffe17449a0d1eec0456f83aa6c20bb4f2439bedecff9838a757c6d0266edf56121b6dab5a4d442c99998066546418fe62f2446bbad11ab

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
c1aec9d14f5d1c52a1d65ed65bdeb26b

SHA1
187dc310c16ac519c329a9b6a2c23d702b8f3193

SHA256
1a2ab1ff9498be042e2a04c08146ef05e0dfb75001e3a54940691b6d7892d868

SHA512
7ffaf2d6c1d65b531e92367905dabdad3bbacdfac72f99f03be4e13ea42355935a4a29a656c112ae404b6e6114f94c1e30b32aeff1272a7c47b0fbb57e1b07cb

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes2.dex

Filesize
308KB

MD5
af76bf112a1486f959993ab101d1dfb3

SHA1
d38bd79b0d58135807b7e9038f35e099bc8b18ac

SHA256
9a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326

SHA512
de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes3.dex

Filesize
266KB

MD5
0c7e31c4fa49c111285906ca8c2e0672

SHA1
b1b42dfa3d36dbc0a1a0f1cb69616022ff635891

SHA256
a9381cbba32fbad21246ea5f933317f0577abbc1c1d0451ea80b079763f77389

SHA512
6d3fa945dc48f48d322161d17771f459f8e80b2ef5760b460bd1ee70b5b339e8981421bd50983ef6d810983a4381be3c7a0227cabb9f74241a32b3f7f284e2ab

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/efja.fast805.touchs/cache/logs/log.txt

Filesize
83B

MD5
e3dea80181292c373e97a6fb843c123c

SHA1
57996273dfc584d2f94d4bb4a0d9076052675897

SHA256
d3f1c36e1775cb6d7a17e238d765cdb43687231fe042fae06475822ccc0aab65

SHA512
9f6ec47bff0446fce638b87cc8b995572616b9d157aaa24f9e44dd49f3b2de886824e0a0b4f760776de5d7a5fa8a0a1d8b49c780f0082393ae71a11504ef7fe1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads