trickmo | 90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495

Analysis

max time kernel
140s
max time network
153s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
21/03/2025, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495.apk
Size

9.2MB
MD5

8a58d7aa7729a84e4ee0ef963caa5be3
SHA1

87e933bec88b736f1de6f70cec42a81e9e36e9a1
SHA256

90cb5d17c0ce8cc794bdc4a6b03382dd56e7ec9b831a290764035b794c7a7495
SHA512

589cb13f9cbd044f14f910ffce806d8c8df05ed54fdbd6062ab0705162df4863cfce187db6ddfa757e6eef365e3c4459f218de65932431dd85ad63d497d6960d
SSDEEP

196608:OBO3phigDUUVdYknQNPLJTlbE/ZdYwr0PMCx0jv5LtE:OI5YEJnYVTlbQZdYURLtE

Score

10^/10

trickmo banker collection credential_access defense_evasion evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-fulltime.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/efja.fast805.touchs/app_yard/IJ.json	4785	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes2.dex	4785	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes3.dex	4785	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes4.dex	4785	efja.fast805.touchs

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	efja.fast805.touchs

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	efja.fast805.touchs

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	efja.fast805.touchs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	efja.fast805.touchs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	efja.fast805.touchs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	efja.fast805.touchs

efja.fast805.touchs
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4785

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/efja.fast805.touchs/app_yard/IJ.json

Filesize
4.9MB

MD5
45039e907203a7f1bfd2a46c495d678d

SHA1
0a946711f6738db293680968bd05ee77d9c9c7b8

SHA256
70ca8442c5c04c35f4c341e4d91492356a70a9e435233ad955e9374b9e2945da

SHA512
f3aa051af7bf4e77f6a62eb0acd2a68fc79d12b61f2f2e98a1cea6c1e700b9dafc9287d9c37957653298c3ec29a88c2ba7dc56aa2e05a379cd87010f98181523

Download Submit
/data/data/efja.fast805.touchs/app_yard/IJ.json

Filesize
4.9MB

MD5
569de88fc6ba465b63b734683daa8af7

SHA1
ae8b7054ed78707c8eeb295889b102c02689f985

SHA256
abd9619c98bcf1ef70811daf2f1eeed2f8f7291b685dcaa4e09dc1008207d38c

SHA512
d09c3f136c512089569867146e634d1126d039bd319ebbe160b547736994cea3ff372abf411b6c5cd7afae9a97c043b0d98bca5ad254041d6be2c61ee0a5312f

Download Submit
/data/data/efja.fast805.touchs/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
57baf3e42a94e8dd82e267b2f0619330

SHA1
76512dd29fbaf3cfd2efeae0ac2ab5108b81af19

SHA256
49a98902c1ffb97354f0e8f0f9208b84dfabaa826635f6ade1fc782169a3ec7c

SHA512
227f9d10a39fb0d8ae0a562e3b983fde44de62b3dbcd577172451e0e1f669e5721ba653c324af7c4d022032edd951cc417805a4eeafd5e84f28d378b9126a690

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
512B

MD5
d4fdaa72d067c7f56ff54895e9ffcd6e

SHA1
382b7b52b9cdb0eb132e884730273f3b6c2d7dd1

SHA256
724593b9e06bff643fb5cf4be16958df6d4f77e5f4620291118ed4b9848aae50

SHA512
9671bf56c3878f464be32fa1a5b61a766e88e6ec969ea6a30947863085e2cfdc10e7fd1880a1b4dca5b8337513ba17516d567b54a96f9f838d91bfd83bfac40d

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
ed8b72ce50c38c8ec7780838b380539a

SHA1
da861bd6d48af22baee722de317dab86828ab432

SHA256
a2c24883114f796fb67be65d330e3b81ce7d744b815a895809ebeebdcddfd830

SHA512
8f4ce1b89f847c6923bd857cde6e2f7510d6d9f71a4ef91a00c25f434bef44b6015cb411ea0af0639cf1ef1f8d991d9ca0a28213af6c5707d4e0d88f5437e85e

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
3996c0d781b235638e8a2ec6d095f0ed

SHA1
29cbc5fb9ad3d8ed11920601e8053607328aea09

SHA256
ce0dac8b52119c127b90c325cc78196ead14faa0e50207e7bab8d3914591d744

SHA512
d8de058841f762fffb024ab8b4d48a7ef3c299342458cb3bd757c9de1367b3c49c5646513c660ae9e7d323dc556bdbb5196250682ecf53a541d0960af498ed4b

Download Submit
/data/data/efja.fast805.touchs/files/efja.fast805.touchs

Filesize
256B

MD5
b7648be00acddf9c063a5ebd8049b39a

SHA1
fe577f726b43db4e71cc47b75c5457e6a1c946a3

SHA256
658f3c0e06fcbc8138684e04c657bf2f55b6f57bfeffe9c116f6e3c605b22cb1

SHA512
eacac8734c0904bdc0cd5182587abfa144764888126f5408469c9e075b7dd830b9ffa2500976793cdaa910c22006aa2d59187b1f3a978d1a6fa39265ac92fba9

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
4dfc4aa9af0f81ac43507f9e9de12631

SHA1
62e161a2af428192fcf460dee0b2582ca352e994

SHA256
4c2aa50d7f0d080abd7bfddf658b06e4fa039f795578de09a206bc03eca55776

SHA512
7f599a7ff01b02235d80718fb781ef378977e4bb6ba3df7fd6bb3b6ab4b1cbc6187fd20c6ba69b7119e5ca08c0e7bd534543f2b67dfd08759af8b6b990698f67

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
0e0722273a92988174d1d09622d40130

SHA1
6b6f2764802f2516d48d9e2f5027ef4131db3167

SHA256
d3fe4db3b0440725cf263bf1a2ed39fd614323dd04bddce3ecf30f01e3fc42e1

SHA512
d3f64fa7231e4d651476742784f9979ac81f3c078f24bfe8230fba4d6b9a950958366dc9ede2b48d8fc24fcf032f7af8f8a6949b6ee4af98f7bf729d3baadd97

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
564e33a257c31c4c59039ccb50fddae0

SHA1
98bb409bbd3e607719ccafc8e55a16ec7d26d07f

SHA256
84068f105bcfce065ff7881a3ddbab174314876cf18075c7f7f0650a91b6378d

SHA512
3d53447a3a344b35768586fb67b5a2dad72e25b5b28b05d52676b938f3444d712cfe060d34d2c40e927a8b8d1d42bd597f41320090c8dd010e6eec0072ad43de

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
970b0325dc026e82d43207190efab57d

SHA1
16b9eb7a5167902542c866abf345d9ed3273068f

SHA256
b6223de2df335523109eb7d5eeed6165dfa22a836b0577e29938481611107fa6

SHA512
505bb1153bebcf525df45d2ac8fa82515c36375632085de54b51e7c0c65d3eb3941e8db7b5b477c19d2d725c793f14fba6caf50ac2fdd41b2ac382eea32ff7fd

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes2.dex

Filesize
308KB

MD5
af76bf112a1486f959993ab101d1dfb3

SHA1
d38bd79b0d58135807b7e9038f35e099bc8b18ac

SHA256
9a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326

SHA512
de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes3.dex

Filesize
266KB

MD5
0c7e31c4fa49c111285906ca8c2e0672

SHA1
b1b42dfa3d36dbc0a1a0f1cb69616022ff635891

SHA256
a9381cbba32fbad21246ea5f933317f0577abbc1c1d0451ea80b079763f77389

SHA512
6d3fa945dc48f48d322161d17771f459f8e80b2ef5760b460bd1ee70b5b339e8981421bd50983ef6d810983a4381be3c7a0227cabb9f74241a32b3f7f284e2ab

Download Submit
/data/user/0/efja.fast805.touchs/app_yard/IJ.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/efja.fast805.touchs/cache/logs/log.txt

Filesize
83B

MD5
c210254e66e53faa3581a676e264ae30

SHA1
d28058b61cd25e35ec710cb6c167de538ff3a291

SHA256
705c451ea13f95bfcf1d3d814c219773f3fd405ca5cadc2189e040aa312c172d

SHA512
c6ce34858e1c5a6b8e20ab45fea8c3b70ca1f7d2cb6b090cbf3fe58fc41405c8ae2d7c5ac86da4133d90b6e4fe800efbe4e6ad4e61d7d73a3881e9411cd25b56

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads