trickmo | 90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495

Analysis

max time kernel
22s
max time network
153s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
21/03/2025, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495.apk
Size

9.2MB
MD5

8a58d7aa7729a84e4ee0ef963caa5be3
SHA1

87e933bec88b736f1de6f70cec42a81e9e36e9a1
SHA256

90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495
SHA512

589cb13f9cbd044f14f910ffce806d8c8df05ed54fdbd6062ab0705162df4863cfce187db6ddfa757e6eef365e3c4459f218de65932431dd85ad63d497d6960d
SSDEEP

196608:OBO3phigDUUVdYknQNPLJTlbE/ZdYwr0PMCx0jv5LtE:OI5YEJnYVTlbQZdYURLtE

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-fulltime.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/efja.fast805.touchs/app_yard/IJ.json	5077	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes2.dex	5077	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes3.dex	5077	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes4.dex	5077	efja.fast805.touchs

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	efja.fast805.touchs

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	efja.fast805.touchs

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	efja.fast805.touchs

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	efja.fast805.touchs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	efja.fast805.touchs

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	efja.fast805.touchs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	efja.fast805.touchs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	efja.fast805.touchs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	efja.fast805.touchs

efja.fast805.touchs
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5077

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/efja.fast805.touchs/app_yard/IJ.json

Filesize
4.9MB

MD5
45039e907203a7f1bfd2a46c495d678d

SHA1
0a946711f6738db293680968bd05ee77d9c9c7b8

SHA256
70ca8442c5c04c35f4c341e4d91492356a70a9e435233ad955e9374b9e2945da

SHA512
f3aa051af7bf4e77f6a62eb0acd2a68fc79d12b61f2f2e98a1cea6c1e700b9dafc9287d9c37957653298c3ec29a88c2ba7dc56aa2e05a379cd87010f98181523

Download Submit
/data/data/efja.fast805.touchs/app_yard/IJ.json

Filesize
4.9MB

MD5
569de88fc6ba465b63b734683daa8af7

SHA1
ae8b7054ed78707c8eeb295889b102c02689f985

SHA256
abd9619c98bcf1ef70811daf2f1eeed2f8f7291b685dcaa4e09dc1008207d38c

SHA512
d09c3f136c512089569867146e634d1126d039bd319ebbe160b547736994cea3ff372abf411b6c5cd7afae9a97c043b0d98bca5ad254041d6be2c61ee0a5312f

Download Submit
/data/data/efja.fast805.touchs/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
66404fcf9a414e14785b9086f876a186

SHA1
f2a96ad8704a7229e96884f392819d970a075605

SHA256
409e7a3443559e3a18d8a10936a71de7f816177dd1fd0b1fd15fe705eda377e0

SHA512
0f7e42d3f166c39d9bc01575b495cb3e0763fcb5ce09e4bbd5eb35ac29b8b038f4df8ca71226ac1f5c6afe476c3c68dcf30c89698c697c3b30633d799b23f083

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
8dff65a16670640b071b3dd5e40b7801

SHA1
21033796356ebe2679a389e08c8d952c70aba38d

SHA256
614f006904cc59ef2a827d67eb9caaa68d9ff13adf9f3a843ae3a8d7be375aff

SHA512
681d22b3a6fca5e9ee18cb4c111ff35e2379425fb440a91ae1eb3d9a648adcf6e27302cc18fbbd43ff77a9880c18a4a1199787944102b6a7d25c4ec11d47a86a

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
1e30d2af7ff19f51134adb3e47d7fcc9

SHA1
5a6a9fc5495c8ea7b7ed9b2a2e785d3e0eb1af24

SHA256
6e219b796fbd816f78cf9cf2781c68e191d1f31dacc2a47f4f948756780451da

SHA512
6ec92c9da1e1d176a8448b92ab08031afdd641073251d5e8ac06791998e906256aaec7d1b2c10aed567147402ba980156454d6c23fdc9e68f35cdb6254d85217

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
512B

MD5
48c5841384abab16193e36318acc690a

SHA1
408119bb59eb5aa844bc8c26517b42e1ec4704c7

SHA256
335669f65a848019d6e1d9dd64e3590f45b106582eec8306e215e12e2b9c0907

SHA512
353d07c046654ae8fe4ef8a3f2dfab2cf6272a2257470ddc4b71be7ed396aa88f3e9e224fb251c38d460b305d78c46e56ec473d36009dca4963896f8d4cbad97

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
48e82b590d373df8bb37736a778ab7df

SHA1
4d884eb825c8d98d2ef36d5322dfffbf72a7604c

SHA256
d953f24414bf9d060f61c42435f46a701494708207396d727ca37a2ded78914d

SHA512
3d1c84f06dc90755f8bdac270b55637e082446f0485543a443392ea333d05e31862b0e122b789b35cc36e7b1f265b3682b46810ccbc27fb7267c5f48ded03740

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
d5bf96879dcab837c1288ecbcc250b34

SHA1
d563edcf0b50c5ae7f5d584520a1101683b11b76

SHA256
e29ad3bad868ddb64c7d0ee1e8328741bff2debd3aec96218fe870f1bd6f692a

SHA512
98c4eef620b4500b9ab0ece12466e7f5e05d2b13b84726b0c12d0b97c1aad64e9e9372ba611413bb734f85131bbcf33a641fc282c84d182139b1451961b1fd5c

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
12KB

MD5
d0adba18501b09032c41472f20aed172

SHA1
d1ab769b066954ff28de42e0796e83c3e7d7ae4f

SHA256
9f4ef68cd0bbfca9388f6aaac0ea0967a3e8fdc0c08631d7a850fad351839865

SHA512
69ce241df1e720167ecc16d469d9bda0d5c884328d531caa568b66b65a3166b8c72cea9de88990009fed1ec952d278dcdb4f0b29acc91ebc9d415089a75af699

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
12KB

MD5
2af6f70d29b9cbfda8fd24445b0fa539

SHA1
5237f308077abbd84423998368bf54d3747cd849

SHA256
c47142df632476eae0036c1a1310e196a0180fa84adf838bafa5a7e7e924b31b

SHA512
a57ebe0c50db3c7ae757680277e41d3d158274c830aeedc51e963d9f97c575ff4679cd56feeb8898912b16e40205c21b4d6a9298a08b15e2ea0830177be40030

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
12KB

MD5
072cb8a49d622ce23cce4c079361cc88

SHA1
fe4a793564ea600e19ea84372fd2a268f33e76b1

SHA256
13dcab72b48e12e4a660419b4801316c367c3f7fe9ee4656b6a4e6420228d617

SHA512
bc7438bcf3cff3850813d5d9772a67a3edc3bbae4a8e0724ebef342503004cfca6a9ea147cfab5f0ca9240443172393a1d74a645ffb5861ac6308a16856b9c4e

Download Submit
/data/data/efja.fast805.touchs/files/efja.fast805.touchs

Filesize
256B

MD5
5d618c1ba48cb3ac1b67838926691b4e

SHA1
e758aa6d7a64e7cbe876fe9c0d32fab82c9c5d14

SHA256
4ebf5ff43d7f0d8f0f74e53fb3ca98088f54fa7b3590dae94a5a4d0aae574434

SHA512
94bdbbe4c85b1869504fecd4f36a205f3ea4c1b80cf245b4a06bbe8541f791528cd17ce0c10acab271c48e55e466235b4f3161bddd7126692e49d85dd8b523f4

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
70962c14729571ed7a65859f8c7bae8a

SHA1
d8383115a7e544895325501e1857ffe740a856f4

SHA256
f0d72bc0a8eb6374a1e6fc32a73fed9150eeaff0d34ba2d65a3fca1c6e264824

SHA512
fd2d3fc838f0650f3f42313dae4e12ae52a6d07c04bf6ced22ef9ab424d3f5c3de99da5c54c405e6d89fe69496b520a476338783cc7fc8682fabc8e75b11d564

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
a77048050d4c8125336e275f9ae8926b

SHA1
ec2ae564a1f3e82e1706ed25ad64b3637e617300

SHA256
c4471b8a26e74f9382b562b361c99f8a02c888209e5510bbd53637b196a6a2af

SHA512
0a8dabd18d97e7ff89c05c489f8f249560dae50e2499dc000d2ee2dfd481482a63bbea434457eaecc1e101f6a61ecbeb464d8af0d4c34ba4b262889ba16b83b4

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
8f33fb86f36e660a57e76ba96e7dd4ab

SHA1
ba2a07b938eaedde08a3503e42673cf68d0bedbe

SHA256
d5b1d92a829406f7374c18f2dc1ff6d55bbf85c548a425bce2a9a2c55b85ffd5

SHA512
43ef84f82b0661eccb3b373b45530b51ce2a76f6de9922a3898d39f82a029f502a86faa18c021231b2e64fc060d1cfffbd6472fa9e7615f48c51fcecaec1ecfd

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
3563489b3581bde078c157b43f736877

SHA1
846625fb1d1f6be0188e006b3bcc3cb92e77e592

SHA256
538e0fc8e2a6430521705dc0c6e8907d71b97f0a779e8cb81ab193d5ff0a9739

SHA512
026dd1787fb70a02e92f9d5749f03f666b587247438a42e548021b040f5eba50c73f2ec79d518e8d4a30c309db18ecbbfc72158e2fff2ca9d28f5f650ec710bc

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes2.dex

Filesize
308KB

MD5
af76bf112a1486f959993ab101d1dfb3

SHA1
d38bd79b0d58135807b7e9038f35e099bc8b18ac

SHA256
9a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326

SHA512
de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes3.dex

Filesize
266KB

MD5
0c7e31c4fa49c111285906ca8c2e0672

SHA1
b1b42dfa3d36dbc0a1a0f1cb69616022ff635891

SHA256
a9381cbba32fbad21246ea5f933317f0577abbc1c1d0451ea80b079763f77389

SHA512
6d3fa945dc48f48d322161d17771f459f8e80b2ef5760b460bd1ee70b5b339e8981421bd50983ef6d810983a4381be3c7a0227cabb9f74241a32b3f7f284e2ab

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/efja.fast805.touchs/cache/logs/log.txt

Filesize
83B

MD5
6855c3e8e39e57cc35ae738a3a593025

SHA1
a1d1d7e049984b79dfbb4450d0dcc1854cbd32ad

SHA256
4bcf7e34e78c40f2ad4dae7ab0d2373a00779fa39154e58f3c28eddb25a2a750

SHA512
791e7a3264697f568898073a7992d6b81b87c9ab4b30a6988f4d27e20ccb0c3f6a415b829b6ed25d1dd8bc017c0f1fb21e747534f90b416b17366b19765337de

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads