trickmo | 637c727cd4f78d893569dc713ee427b90394cfe0f56f0f6f480b076b7713f275

Analysis

max time kernel
29s
max time network
31s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

637c727cd4f78d893569dc713ee427b90394cfe0f56f0f6f480b076b7713f275.apk
Size

7.1MB
MD5

e250e6668454a72b896cca90e49b486b
SHA1

e377280b6633e4e9ae2e75f9fe4d1dbb9c78f094
SHA256

637c727cd4f78d893569dc713ee427b90394cfe0f56f0f6f480b076b7713f275
SHA512

1277ac42858b558f8605866a4b186f70bf1c7fdf64f0006a0b1fe8a8ff981add8a2aa9d4b927ce09b33e4f2789492c71aed68a443b2266032613b9a033170011
SSDEEP

196608:G4tTU24z1siG6V5tIzbMzcWrAq5EbOvqYRjv5LEs:jU2W1siXVAAzcyEbOiWRL1

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-fulltime.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/heartdisk.sen673.in/app_desert/BDNq.json	4506	heartdisk.sen673.in
/data/user/0/heartdisk.sen673.in/app_desert/BDNq.json!classes2.dex	4506	heartdisk.sen673.in
/data/user/0/heartdisk.sen673.in/app_desert/BDNq.json!classes3.dex	4506	heartdisk.sen673.in
/data/user/0/heartdisk.sen673.in/app_desert/BDNq.json!classes4.dex	4506	heartdisk.sen673.in

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	heartdisk.sen673.in

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	heartdisk.sen673.in

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	heartdisk.sen673.in

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	heartdisk.sen673.in

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	heartdisk.sen673.in

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	heartdisk.sen673.in

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	heartdisk.sen673.in

heartdisk.sen673.in
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4506

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/heartdisk.sen673.in/app_desert/BDNq.json

Filesize
4.9MB

MD5
b219d34306690731a8a20ee5cf3fd07d

SHA1
44f6f0921bcc66667b2b68ef714d5e71cb2198a8

SHA256
c2a2e2c6fc70338b6a806ec5145ea981b0d4ae69b30152f6da0860133ecd21c5

SHA512
4f381bd7c95b3e7c13a0eee8e79fdfeab3428f5c60fd4c6ebae3e52b8a3eed15720b4d4e798c7d8c303156797d84de55c033c7a5cb33c38e8cfc9947625efb0c

Download Submit
/data/data/heartdisk.sen673.in/app_desert/BDNq.json

Filesize
4.9MB

MD5
dd78f0b8f81dc72635350133350c0768

SHA1
12c91fba4bc0bbce73fb6c66baa56b73cd1716bd

SHA256
a11a2cffee640b27856052bf70f1fabcd1278f224bf7569b1b53821aadf3c1c7

SHA512
bc1a166b886d005619853837750062f1e71dd71b39df57f5fdd365aa867499965b635f3b5fe87e57305f2ad71725eeffb079861aa9daca98f8c5b91a4ec01618

Download Submit
/data/data/heartdisk.sen673.in/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/heartdisk.sen673.in/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/heartdisk.sen673.in/databases/a

Filesize
20KB

MD5
ca446fd90fa5dc90e0a71e9f56c56dfa

SHA1
eb27f958507008851222a11b42d19804d77e958c

SHA256
90ee6a55210ea46847fdc3e6eff0c56984abe99ce0876df8eb4af519fc4a8b7a

SHA512
85306c3b845c1db5b1fe7bbf5e92ed89d28cbf4cbc4fe752bfd1ad21e495cefc35890c661bf75e21a92d9087d56aae2611562cbc45c7662f70cc8b3410e35b98

Download Submit
/data/data/heartdisk.sen673.in/databases/a-journal

Filesize
512B

MD5
03135a5b0df1de03b05bcb66a1a36a99

SHA1
0b9046d89c1ae49ab7171b1d26c4b2004462f198

SHA256
61c4eaca2a69556c9b3a789b2ac546dee84096609bbb4482a498494f9d5fc6b9

SHA512
10d16e29113a942bec8921155043bade0f609969818080872d1080f56ead8ff6935a280947fa32ef5fdb45282c663a1ee93982462903f3c2a5ba39b8a750479c

Download Submit
/data/data/heartdisk.sen673.in/databases/a-journal

Filesize
8KB

MD5
1fb94203ac9cb4c9b47ce0622ea50745

SHA1
050ac4383acfd02e772ff995c276949965dfbf7c

SHA256
f9f61aa5261dd697a0fb044352358f31c03535f10368f8acab6289d531334639

SHA512
92d1dbab9dbdf5cda948e6e4ec19392ef45ad2542db50b4040c9670ff6ec9682b10bbf345e62cfd2e2223680074e1ba01cb64497819427e5d766eb46a391399c

Download Submit
/data/data/heartdisk.sen673.in/databases/a-journal

Filesize
8KB

MD5
f21d596d89c5a65de795f621636f0354

SHA1
1c8d4b7e0d24734e26e595b178b5df87a62612ad

SHA256
b642b375a59b4eb009082201ce2a6c1492b4088df94d793c25b81c8f0a02905a

SHA512
396577f9c4a3bd5570e941d697611b8690d8112071b6e23a7cc74323c242c6359fe8f86988dbacbb316baf9ef8719c87cba8ab626679143e08a3e36a2ac07d43

Download Submit
/data/data/heartdisk.sen673.in/databases/a-journal

Filesize
12KB

MD5
0bf63acf5cf9c2a1e7a3515ef8781506

SHA1
aacf833d3eeb0b517f9f9e451b20dbb16f0271af

SHA256
552fedc650869ceac0225479fd511cc87a28f2dc9ce96b05222f490277690f4e

SHA512
b64867199075bbeb7d3a7acb0fed689cb2b41725a14a1a5dea23c6a365a6a298619368e7544cd47d2e3bfb0d98b89f781d9425d603cd0009f9775ac1485f9a05

Download Submit
/data/data/heartdisk.sen673.in/files/heartdisk.sen673.in

Filesize
256B

MD5
1b7b8ccc5dd1f0fa88749946b3cfd2f0

SHA1
d8819cf32236c25aadcf15807088d58ec1629732

SHA256
307fa5e37eb630a02e21202afa879673f0d69354c46de0c272a09595a35f84fd

SHA512
9ab508a8bded2c8889ca39f1e1d80d291326092216991a40161394fe2444398458fd3a312a4815188957096f055127952d5b812659086e7e4e8af38889535a68

Download Submit
/data/data/heartdisk.sen673.in/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/heartdisk.sen673.in/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
f697d2efb3d6b39eacb025c8a7aad6b1

SHA1
9efbf1fb611e408033c78a5bda9dbc4cb9126ec2

SHA256
51884a84288226cb6e41f92477ee06f52a2d10ed6e4f13f277fdde5e8fd4919d

SHA512
5222c2d6ce9792886d76a98bf6e33715de87df6601d9146c2ef0ac799acb5fd4aa75b5140d24f1349ae2bce924694286250646a7cecafefad8d2b53e5e281834

Download Submit
/data/data/heartdisk.sen673.in/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/heartdisk.sen673.in/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
4ec64bc39509d78c0bbb5d51a18c12be

SHA1
b65765cbafa24555dbbf6c6b7f04e8ff4146da9f

SHA256
ae5bbe403268c3c60b5e6c3114f5aece02ecd39da5d8b298cb21d54d9176f94a

SHA512
b85774152eb52b528cd0a24b25bb5bb960ecd08765ce083c758b28728b6fcadf3db2683fd1cfa7fdc42a516a9dbdc094b04198556d3236c057dbcdd0ce3b4c58

Download Submit
/data/data/heartdisk.sen673.in/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
63bfc2c30621512be67965c629ba08e9

SHA1
33a61b50867f3ce56d6225a40ba642cdf4b56f2c

SHA256
7284d2ad1b63522d346b47f122efe095685751209b484ab2204b80ae50d89f6a

SHA512
e0a96f8916a7e52b7b2dc5854678dc97e1458e5a3fb8d994bdd9d05a58ed4e5555cd3ee2646019b2796fa17e98778608bffdf07ec0dac778a50acb477c167492

Download Submit
/data/data/heartdisk.sen673.in/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
78ccac858921118c9901e65e02870f8b

SHA1
bbf1b79fb14484fde9a8ac280fb06b77271131cc

SHA256
5b6d51b60bde6985ac489035b47d6e820d7dcae9712524ff7999c7c2ac5e6233

SHA512
a5c6ff06fce179979b3766905780f9c826aae000a87c0896f5d3473f5525369b965338b2cb20fd83c8c7d1834c4d0ec89962275bca812377f6c913e6c41ef369

Download Submit
/data/user/0/heartdisk.sen673.in/app_desert/BDNq.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/heartdisk.sen673.in/app_desert/BDNq.json!classes2.dex

Filesize
308KB

MD5
939ee1b8b1f134b84d9b366c3ea059d6

SHA1
604b4bef2e0788ff17a49d38f8fe7a67cb07a635

SHA256
8b37b8ae99c99e69da5b845d5005ed90a0f455ab4edb15a08982b59b4cacc6d9

SHA512
92f3a25085319cd46cdbae19be60e6310f97817e6db72379db3693200b36a835290fe46d96c76ab997d874cbf6dbc3b38ade80bb5d17c6001e89d6b806c6b4c1

Download Submit
/data/user/0/heartdisk.sen673.in/app_desert/BDNq.json!classes3.dex

Filesize
266KB

MD5
8ba6c9e0bd4de67aa98cecddbe071264

SHA1
d4fe31afcc3e06a9c9fd986818c97d8333c4a716

SHA256
ef358b4c6fdfd4bc1ec1fba4747174e2deb4c969f292ab9992129e2c74c366c8

SHA512
4c87d11fa7b2cdc8a3b3572dae2329be2cebe28fb1a0821085861e650ea65464edd86542ea6326a93c2a68a46198ff4852c50bff6e5316db4487d919da021136

Download Submit
/data/user/0/heartdisk.sen673.in/app_desert/BDNq.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/heartdisk.sen673.in/cache/logs/log.txt

Filesize
83B

MD5
d61b599c40ab04524ae14be49dfa8147

SHA1
c609fb36551df7a0a5078386c9c9671ea182688c

SHA256
7ecc517739f98e5f07e7d3ae18fc5d97ee0d5df79f65fbf89c74702b65a960d7

SHA512
24d6862f412a1f47a3c9cbc0b78ab8122e2130ef7d53e049abdefe4beb6b5659102e0037740bea7a8f3ad99bcfe104da7571764be7071d0526d0029c862b622a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads