trickmo | 345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0

Analysis

max time kernel
29s
max time network
29s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0.apk
Size

8.9MB
MD5

80d89d1f2000ec6e41ec686e6c2499b7
SHA1

97517bde058bbd3d1a785edc1a55a76573bd8925
SHA256

345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0
SHA512

eafae525d54ca46be783c8398848651c43bd5136f62eb54f50996d149ee1274f6aa6c33b74627733a0af76370b4bf75e8041268c47c9070d090d60c4a07c7e71
SSDEEP

196608:Sjcvj4HDaHNva2kIbcHJcUyOJNy6Uo5Zkajv5LQy:zr4Hutvazc8J9zT5ZnRLQy

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-fulltime.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json	4501	bakeph.dist292.blog
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes2.dex	4501	bakeph.dist292.blog
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes3.dex	4501	bakeph.dist292.blog
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes4.dex	4501	bakeph.dist292.blog

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	bakeph.dist292.blog

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	bakeph.dist292.blog

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	bakeph.dist292.blog

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	bakeph.dist292.blog

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	bakeph.dist292.blog

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	bakeph.dist292.blog

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	bakeph.dist292.blog

bakeph.dist292.blog
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4501

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/bakeph.dist292.blog/app_traffic/MctgTq.json

Filesize
4.9MB

MD5
956ec6d809a6e35ddd3155b0a2a93bac

SHA1
560a650bb0055c4d11f008d2aa8c6abde9146987

SHA256
e24376abaa5c9c55a63480ab7c274b9d678abf4a08b9ab83106d43dad05d0d11

SHA512
2ab03b754c3595c537f06268d5043a7311ba2cb272de2533410a5e53c9d234b9316fb2c8ac012ac1e217457bf714dfbcd43ab70d7c88dbf107210a8f5bcf1c42

Download Submit
/data/data/bakeph.dist292.blog/app_traffic/MctgTq.json

Filesize
4.9MB

MD5
73102177b62492c2a7935c4417376461

SHA1
fa32afcfae2593c05099b15876b567477ee91d7e

SHA256
914f1fc352b3b866fe36e776775484208ff7eef2a20a63e171e82c3c80c68c45

SHA512
a1ecba1e72774fb153e60a5fbf24b86e82c7567256da412d517ac11963c874d9b88f355843d1ac774dc8edad2bdcc9000134244708101b5399edfde52ac25b59

Download Submit
/data/data/bakeph.dist292.blog/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/bakeph.dist292.blog/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/bakeph.dist292.blog/databases/a

Filesize
20KB

MD5
571a8c2a8b2f9b562c8dc2024b2225d0

SHA1
a834b100ece9a18f99855c02c2d6238960f07aa7

SHA256
5101243ce1c17439b14da0b8dc7886994c6b9f0bb21e9357f0d722a975e85ac5

SHA512
65f715bc47efc49dbac824c1a24c25eec29eb51668f14eba5e5b749054199d1058d88815b42807f16c39f974a19dc6803812dd934cd1885cf13748f9bd30affb

Download Submit
/data/data/bakeph.dist292.blog/databases/a-journal

Filesize
512B

MD5
02c22e03eb7fae406d3a373a9d52833b

SHA1
862dae0c0fc0ee8e70441f66cc45e97bedcd7313

SHA256
a6244b931b7faa277cdc540cbbb43f220de01bf0139ea8b8357b33a390c9bfb5

SHA512
7b15448c1479e0a8864e0516e6bbd2e1135ac6236e9948b6b66a6d5b29069f67a4397360da6b15dabf55cbb114d5efdeb7b0d462b0af80f64ff23592b761e947

Download Submit
/data/data/bakeph.dist292.blog/databases/a-journal

Filesize
8KB

MD5
582e7e37147d8492b01dd8dd55c3610e

SHA1
1cb49d6dfad845b04821e51705e86eead6ca30b1

SHA256
bebdd6a7171fcffa4590222c26718e0e3b412892f3eee54903591aca09eabaa6

SHA512
3528887c5499d435ebeecc0ddee6de80414180a31b33dd07843dca94ef66c27834c425e37d51dbab00af41d87a8104d15676f52e6a70078953f047bc07a7ada9

Download Submit
/data/data/bakeph.dist292.blog/databases/a-journal

Filesize
8KB

MD5
0f141caddecbeac5eb3c46985fc2db66

SHA1
b9ece3ce7b55d3201d2747ce9df2735a7d4759fc

SHA256
a1e876385052f7631b004d27211151b720026796c33627e73f739dfb1c741fbe

SHA512
19a39c451e6884ba6017b98b3b54b145fcbf3c4bdae9d443ea2cb5e8b5819fe36b10abb32d0c54074b065bb18ceb532e80c1bfc00aaa3d33fa4bb2f66c934568

Download Submit
/data/data/bakeph.dist292.blog/databases/a-journal

Filesize
12KB

MD5
68210b6a4897f05e0a7a0bb5600a7c33

SHA1
65e521f9fb68a853f1264ee6f07c13087c2d017a

SHA256
20019a0c115f4f61afa5cf1f62292982161f02f113862e7867aa1182363ea4f8

SHA512
b6e47ab54203944e85ff207a10de288f3a7a3768fcea06964194641ecee256c70bd9b51abd28663beb3ecd92645da85f406ba58802e10124e40cb2ff0bc02b81

Download Submit
/data/data/bakeph.dist292.blog/files/bakeph.dist292.blog

Filesize
256B

MD5
5457b24e59b41b1469679771ea2337aa

SHA1
0b9d309f6a00ce8f02d64d60b22e8cf833e0831a

SHA256
3293e98dce4f62d4321d791e906a9ec15129155cfa9beb15f0b836a1f5b29f6e

SHA512
470a04fdc3376403a0a74cd72c2cf92813f2575d209c28af579524c49ba0680c540d3a4d2e3733bb7573f46d2c78e051c76a3addf2c655702032fd2807f2307e

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
abf9dc440f96b31a44c02f538e73bc87

SHA1
0b77d3c0ec872075c0c24666dd09d5f001d413cc

SHA256
3d7fd1b0eadac5b455e7202bd9b007717127f6af532312486f372eccc3e8efc2

SHA512
dd164cdd6c797f237bf3c2a0fe0a9a24584cffd69ff46414fb2f339fa21d1cc04bba2bd3fabf5789bf46888bd0d70d1339ce87efec939055daefad6f352859da

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
b1d721e31e3aa436241024de10fb8d14

SHA1
b11d43a13ce4d999de40f2448218deb041af235a

SHA256
91474d3d9f98a69a846ca21a26971e36ce79f8fbb835c56330c5f924a482f3b8

SHA512
434f55b551729e955f8d8b183becc044a43639e2e553bc27ec0527f60193f36fe09c4dd40a6bb60974210b027414bd910eb3b7aa1a762c5e700d6fbbd7ce9392

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
9f3f18384c24bcfca2087d2bec657fc5

SHA1
152a0f9a079b98110b48445bd148b2506a409de3

SHA256
26f2afd320b87262ec3bfb228a914e9bd514a41dc250746a23526d161e7b3f7b

SHA512
e76102f7796305386fc2a993aaba6bfbc75864c7dea3dc76e38d647af00e6ac2eac17d0373a10380a0a2ff474c5cd21e09b87e837be9deef08b405de2cdd3493

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
a73312fa4c526812fb81a9e0dbf154bd

SHA1
ad0402aa6eb99e38d9b0cc2ecbb64c7b0644738a

SHA256
4a945f1ae35ecc98482e484425356f231bc7f352df8a60b0e27f2a9da59d7492

SHA512
01d3108488a645305d24f90caed18a71d518f6fb88be809bdd122d126bf6dfaa5653dfa6a2b682baf68c997ba11470ed1a2d77906388d151498230360a3af610

Download Submit
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes2.dex

Filesize
308KB

MD5
f6b89acc1728c7d64be4b042fb787711

SHA1
a1839b0bbfe36db9e1de750895093a41872dee58

SHA256
e38f1a99e3b77b0d416161420651ed11a069de45e9cfae7e41585a3c9ddde806

SHA512
ad74d6dcbea2ee263d451353b773701165d6334dafde8b4254fad369eb544996bbf64d5db2b2423932751fbfd9d7e42faec67dd552384e1d6a00a89c0ecdd7e2

Download Submit
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes3.dex

Filesize
266KB

MD5
53410124d4dbd239d7962deabcce6d8a

SHA1
85f8e02449fdb7eb7a4a7d6f95603c0c381bd135

SHA256
1b5a77a13977c67a4bfe73584e22103aa7656a5750abdb3c7bcc302269b72073

SHA512
59b2796a1d1b7ccc6f7887e4d674d9bfd0cc4c4b851265e7fed0839d754a0058008cd622062c610471e5ff7eab0f269da16a9e0d5d75c19dbbfb16c05bbb4d7b

Download Submit
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/bakeph.dist292.blog/cache/logs/log.txt

Filesize
83B

MD5
d6f80fa7d64eb37bf76717d95e2e7306

SHA1
d34d821b268cd68f6b67dcdc93b9310b8797715d

SHA256
8d3a4f732f8bda9a33680f93e90852b758debe3b6846c804b1080d835de8d7f6

SHA512
bd623f79c06d4f402e501ba4376b1e7e20cf868eddadfac5fcc51af6b3171041f29fc496055a72d7692085ed54b5c2a47729de915dad10d57d38ff1be6d27d29

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads