trickmo | 345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0

Analysis

max time kernel
149s
max time network
149s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
22/03/2025, 00:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0.apk
Size

8.9MB
MD5

80d89d1f2000ec6e41ec686e6c2499b7
SHA1

97517bde058bbd3d1a785edc1a55a76573bd8925
SHA256

345e172356ee2b29eb4d9a0f7b6ee7dd726e8795e1dbd245b4be5e2b7796b0f0
SHA512

eafae525d54ca46be783c8398848651c43bd5136f62eb54f50996d149ee1274f6aa6c33b74627733a0af76370b4bf75e8041268c47c9070d090d60c4a07c7e71
SSDEEP

196608:Sjcvj4HDaHNva2kIbcHJcUyOJNy6Uo5Zkajv5LQy:zr4Hutvazc8J9zT5ZnRLQy

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-fulltime.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 8 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json	4370	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/bakeph.dist292.blog/app_traffic/oat/x86/MctgTq.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes2.dex	4370	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/bakeph.dist292.blog/app_traffic/oat/x86/MctgTq.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes3.dex	4370	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/bakeph.dist292.blog/app_traffic/oat/x86/MctgTq.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes4.dex	4370	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/bakeph.dist292.blog/app_traffic/oat/x86/MctgTq.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json	4345	bakeph.dist292.blog
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes2.dex	4345	bakeph.dist292.blog
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes3.dex	4345	bakeph.dist292.blog
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes4.dex	4345	bakeph.dist292.blog

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	bakeph.dist292.blog

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	bakeph.dist292.blog

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	bakeph.dist292.blog

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	bakeph.dist292.blog

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	bakeph.dist292.blog

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	bakeph.dist292.blog

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	bakeph.dist292.blog

bakeph.dist292.blog
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4345
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/bakeph.dist292.blog/app_traffic/oat/x86/MctgTq.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4370

Network

DNS

appassets.androidplatform.net

Remote address:

1.1.1.1:53

Request

appassets.androidplatform.net

IN A

Response
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.200.46

216.58.201.110:443

tls, https

915 B
40 B
1
1
216.58.201.110:443

tls, https

915 B
40 B
1
1
216.58.201.110:443

tls, https

915 B
40 B
1
1
142.250.200.46:443

android.apis.google.com

tls

4.3kB
8.4kB
15
22
142.250.179.227:80

260 B
5
142.250.179.228:80

260 B
5
142.250.179.228:443

tls

135 B
40 B
2
1

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

appassets.androidplatform.net

dns

75 B
135 B
1
1

DNS Request

appassets.androidplatform.net
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.200.46

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/bakeph.dist292.blog/app_traffic/MctgTq.json

Filesize
4.9MB

MD5
956ec6d809a6e35ddd3155b0a2a93bac

SHA1
560a650bb0055c4d11f008d2aa8c6abde9146987

SHA256
e24376abaa5c9c55a63480ab7c274b9d678abf4a08b9ab83106d43dad05d0d11

SHA512
2ab03b754c3595c537f06268d5043a7311ba2cb272de2533410a5e53c9d234b9316fb2c8ac012ac1e217457bf714dfbcd43ab70d7c88dbf107210a8f5bcf1c42

Download Submit
/data/data/bakeph.dist292.blog/app_traffic/MctgTq.json

Filesize
4.9MB

MD5
73102177b62492c2a7935c4417376461

SHA1
fa32afcfae2593c05099b15876b567477ee91d7e

SHA256
914f1fc352b3b866fe36e776775484208ff7eef2a20a63e171e82c3c80c68c45

SHA512
a1ecba1e72774fb153e60a5fbf24b86e82c7567256da412d517ac11963c874d9b88f355843d1ac774dc8edad2bdcc9000134244708101b5399edfde52ac25b59

Download Submit
/data/data/bakeph.dist292.blog/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/bakeph.dist292.blog/databases/a-journal

Filesize
512B

MD5
dba7511e5f2b5961eb6834307840ae0a

SHA1
0483f59d6fb9cbd7ce901851b731be292f759847

SHA256
9787112fecf5f1e6fe28d58ab23859c23bd712b9ee72e47990ad30f2faf9c98c

SHA512
01f78e55a2ad4ae286342fbee73b3ff8ca2440aa067175aca2e569500b4a7166f1c5c58d50905d44729b36531e152f3a99c13a391b07e3a25b2af848a1e1173d

Download Submit
/data/data/bakeph.dist292.blog/databases/a-wal

Filesize
32KB

MD5
e7b301e4977f7a87950508be9392ed4d

SHA1
7709a1b1fdc6a4a126c44fc2abe73e603f48e18e

SHA256
6b86be1adff1fe7e58c83cb4ff1bceebb33ba601c505878df685c01188fd2b48

SHA512
f81919b6685b8294face8b1d6af7869d8f38a502e8f17802639483390e61f601c5542977d5932a21e76fba29be151ae42e064135528aa2b491b6be11d82137bb

Download Submit
/data/data/bakeph.dist292.blog/files/bakeph.dist292.blog

Filesize
256B

MD5
27a0abea07e7046613a932fed9671f08

SHA1
d60f0abc61b5a7586bc5b48d1f6cdd69581c8478

SHA256
817ef92540b21f14b0601ddbf094e478d4174d75f7720ceb369698e5d57aba9f

SHA512
c0b561d4103eb5f8025e1e5de5ba93644bb509e9354d07736b40f5809b7e5cf8bc6e294c53c5e24267953826259a7c4880ca255d76b9e0e9d16acba77e5d0009

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
e8bdd7a74546f4c6600af734d50c1f86

SHA1
ac3a9a2d02d6abf9fe4e7193f32a09fdc780aeba

SHA256
c1c4c4980b1a61d2dc91831b7a5871532f7ff31a27aa8892d706d571cec547d9

SHA512
fdb2ad9093ca14d01ba1eff4bfdaee870319f2c66b92129bfa70e69e590c2404c38cd9d00dacfd6d93422a8faa32a8a864edd94d20bf3b41ebbb82066cfc31b4

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
663e34d3223955777715a0a76a4d5d0a

SHA1
a8c9729b434985f7ee14762c9c7035beb4bfd981

SHA256
baf53a45401bdc4b3b93129c797e9b6f85278fe8091768f36f1b41b57522c9ce

SHA512
32fd435130844d9b995b908d02f6e310c56d03c6060a5c02602c7b11aaf0f9113ce46b11b166bc28031a7e3c2f6f7dbef7382930292d11ce007fe0b071b03b94

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
38ed262ba11aae6ca3747caeb149597f

SHA1
c69fabbfd8e8c27a2d08c341e56bcbc59318b23a

SHA256
685631b66a2cb29da417bf68c08debd776743c36139da50b99d9b8f5e30a2170

SHA512
27b3e60c6b6cdb0abfe6a66a824b4a24ff93e2cc90bfb7c0d4ae90eb1e8bbf6af55b16ae4ba5b26c075db7ee74f7597f771554c3c4186c49055244333f6a2302

Download Submit
/data/data/bakeph.dist292.blog/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
b14d398377ff8482f9c5a66ced97e65b

SHA1
49c935d002031757b1592cec3e0dedb262857c77

SHA256
7f54fe6daf0f7707a9f95eb92d449f9541dc371e6dd8d38c3518c68e65c4a53b

SHA512
cc5e3f3e045c02bd9bd53c27794898dc91991e7e1ced4ba94b56f543298012c1542038151dfb18a372c7c8f96d036549864f1bba451c52e6a734e6646615a73f

Download Submit
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes2.dex

Filesize
308KB

MD5
f6b89acc1728c7d64be4b042fb787711

SHA1
a1839b0bbfe36db9e1de750895093a41872dee58

SHA256
e38f1a99e3b77b0d416161420651ed11a069de45e9cfae7e41585a3c9ddde806

SHA512
ad74d6dcbea2ee263d451353b773701165d6334dafde8b4254fad369eb544996bbf64d5db2b2423932751fbfd9d7e42faec67dd552384e1d6a00a89c0ecdd7e2

Download Submit
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes3.dex

Filesize
266KB

MD5
53410124d4dbd239d7962deabcce6d8a

SHA1
85f8e02449fdb7eb7a4a7d6f95603c0c381bd135

SHA256
1b5a77a13977c67a4bfe73584e22103aa7656a5750abdb3c7bcc302269b72073

SHA512
59b2796a1d1b7ccc6f7887e4d674d9bfd0cc4c4b851265e7fed0839d754a0058008cd622062c610471e5ff7eab0f269da16a9e0d5d75c19dbbfb16c05bbb4d7b

Download Submit
/data/user/0/bakeph.dist292.blog/app_traffic/MctgTq.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/bakeph.dist292.blog/cache/logs/log.txt

Filesize
83B

MD5
6b2aa403760e2a8b763d897af4952170

SHA1
3c64c8ef747a90ec41be41317f257fbb893b7b49

SHA256
91edfc3e0ed71d5e78265fe8eb19c9530eef808b58247d790cd958cfcde08753

SHA512
d1c37527b15e72d2525649cfde92dc31dfb966163b4d25a7ac9bbb9b35e3c92aa67c6c66008675ad81b1c5ff0141de3d66e895a89df4432ba057cc7a552012cf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.