trickmo | de2f904d65eba7777a07c589376da441bbfa08ea3b42f66f558f17ef25e52198

Analysis

max time kernel
29s
max time network
30s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de2f904d65eba7777a07c589376da441bbfa08ea3b42f66f558f17ef25e52198.apk
Size

8.7MB
MD5

9b231942e29f923ef4fb97282f0f2f45
SHA1

e5a47a7adf82646459dcb07022ff7f8416e90afc
SHA256

de2f904d65eba7777a07c589376da441bbfa08ea3b42f66f558f17ef25e52198
SHA512

5e9f5319b2efdf65ce5b76858445c910cd6b787694fb6cb5e43f5ea4103f0bb57d9f8f6246fcd99e885e9355773fd54e642253a410b40049ce9b6d0b7223fb15
SSDEEP

196608:tZgnrCYktUe6gLshD/xDdhhVKGcME6JI6ynpqOLjv5Ldh:Lgn2d6FD/RXhVL3E4UPHRLD

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://monster-truck-mx.info/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json	4459	orkei.ti981.pay
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes2.dex	4459	orkei.ti981.pay
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes3.dex	4459	orkei.ti981.pay
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes4.dex	4459	orkei.ti981.pay

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	orkei.ti981.pay

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	orkei.ti981.pay

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	orkei.ti981.pay

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	orkei.ti981.pay

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	orkei.ti981.pay

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	orkei.ti981.pay

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	orkei.ti981.pay

orkei.ti981.pay
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4459

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/orkei.ti981.pay/app_ordinary/UsU.json

Filesize
5.2MB

MD5
b4122e39c8294ee9d31d50d449d63f3b

SHA1
45b43b7a92109ac0dc68f408c721c324ca083038

SHA256
f2ac7eca10fa7bbebc5baeae00dd962326265f56b7a45f346d0731a8b173d8f9

SHA512
3d825fbcb80086711030b8f2cc21c9b0b78e9e5c45bb10c9631220e77c1cc41d6c2eff1beac87c12053b92b8175edbc81c1b6c56d96c85293e313bf293f09e22

Download Submit
/data/data/orkei.ti981.pay/app_ordinary/UsU.json

Filesize
5.2MB

MD5
d930f180f1870368fbf3ba540d294141

SHA1
bc00472d426503389dc544f35c5a319f57d3f638

SHA256
e36d07269561bdc7175c07e690d2785c3940bc1627f8ba0e811e32f794575343

SHA512
8d9758c1f86cc89d43e0585ed053edd21a2c523d5801f75d7f99cbd503963e418cb9e1eb6cb05de91a7ccd5252405ac17c793406247f575a44d076d1dbed0722

Download Submit
/data/data/orkei.ti981.pay/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/orkei.ti981.pay/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/orkei.ti981.pay/databases/a

Filesize
20KB

MD5
89aad2bae5e1c010d88d18d4f54ff473

SHA1
fe269d1228fab8318f5289394e97279d80a25176

SHA256
9407d058eb2920ec1de9365f79ad252c27d36c0abca5c6dca2ac4618dbec92e2

SHA512
1f9375287205d15fd31fa7a7393e56d31d11f232941994ef7b424399cdf14ce2f3b553647e9c5a04e443332a78691b1142a3b2cf6297bb298229f13f1aa44999

Download Submit
/data/data/orkei.ti981.pay/databases/a-journal

Filesize
512B

MD5
f82bd46cd38cf31540216ffb3647284b

SHA1
20d275458eed469bb750305dd737cab722ee2fd1

SHA256
02fff499197bd6dc01553cda93e928d28f64650cef40b8c60b8fbd48e4f70bb9

SHA512
efc5b046083016626e244c7ff53ff69f8b4025ecf1e1826f37a6f53d7684529ec43453ea4f2f05f18f93424a17a5bb8d1156810134bddbbfdbe1f6da8c9605eb

Download Submit
/data/data/orkei.ti981.pay/databases/a-journal

Filesize
8KB

MD5
4d3e55286bd61b4a90b88ed9f15095d7

SHA1
0a729771e12530385083fce77506d4b0dc89dd72

SHA256
63355f1603e8702d57a88dae1fcbca9f65afc2009500fb2e00068b6fe200a948

SHA512
6800054f41c1893bae7b9f5693b23d70dd9146556c489d84a8241d47c00b075c8c267cc0855af75b6e22ebddae06bd86e1c17ec70e2981e72cb5c124fbf1d819

Download Submit
/data/data/orkei.ti981.pay/databases/a-journal

Filesize
8KB

MD5
bbceb4dbf65042029ced7e874190947a

SHA1
949c24691d087345752bafb14ced5c0d2b2430e5

SHA256
778814f17d958e0fb6fac3a484554f90f2f48626c03416fb421864dc4ed6f54a

SHA512
1b338a55626564a6a29fcd5d1a60c1fd75750f8c35888cb7df2de55796cc2c34def1c0ad6ddf28a230f4c25563ebe600a72795c8b50afb48e4430b82defb0e70

Download Submit
/data/data/orkei.ti981.pay/databases/a-journal

Filesize
12KB

MD5
19793d0abe9910b7700a9944811c3f16

SHA1
a469aea0e7aa43cb310d17a2a7cdae954a62ad6a

SHA256
d8922edbc13a2ce7608c32898d626bb399f0235163acf97ff8da544621e8bfbb

SHA512
b42ab0952941922c8086dae2ac52709542afb5c75f0dc3a4831147b67fadbdcc5478a8886118068b58bf28fb77b92e59323c8fbea3002764a906be9896fbfa56

Download Submit
/data/data/orkei.ti981.pay/files/orkei.ti981.pay

Filesize
256B

MD5
bad9dc70be4d3d3c688fb942ccc81889

SHA1
c82399a4a4c6bf02b13e6a62a7648e8282048faa

SHA256
e63dda1d4c7e140c4a24f5c17e9e74b594c70a7f94e3916ceed1aa594037840a

SHA512
63392603b516b838ef19fdc132fd3536ba82ab978170755bf93bb466f9518a2d0ad65ed841cf299cbb2d96f49ae6ea967d3f73479df7372ce82c50b6b8e96f08

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
d9328d7910083dbc35941ebf45dd59e6

SHA1
e57cefe2fed941efae0e404c6561ee1a624915da

SHA256
46cd474ff3ab1038a97a96899bba58ff56c6e44865b84c8ed7852dec78522f94

SHA512
c249c023679530f1c9c4134d6a5a0194318030aa62c4a8120a4ec40d2dd669f2a332b95e9d0df62dbdc360d6616542591d0cb9aeb636e1807a00e089429772f6

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
9a1e376d34c054d7605594016d1032df

SHA1
c47093e95f2f8688d7ac264d4a61f3e510500393

SHA256
5654e142ecbab8c7945ac0832f6b4101f5e24b13fc813cc9d4182289643c453c

SHA512
d432778393b4fb369dd8ffde1f4e4c6ffeee915647030b66d74af84d0309af3316d40c028cedbbb202f9c9c7b5efef5cf83dca7d0488cef16f65afdbc6963aff

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
8d3aa0576780f5f7b03604804767e8e9

SHA1
ba169b4a5d1f86cb681038349993e7b1fbe2998c

SHA256
ad0c79e124630ed04962d24198a96c1d1366d5fe6b2e69c66d78b1a87e84205f

SHA512
723b62776c1c867010c94d2c0b1e199a4b23d434e020f26dd1be4f5af34518fbd3abbdbb8ada30b0868d0b84df3c4b29570b7fb2b264ae7b44d4067c384edb77

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
1e21037363695d784c5475e2739bbc82

SHA1
43ba381a5ea2235c08d91b2bf18da529ce835765

SHA256
7199fd59c62fd48803ee8d21d4c6577c7116d76577ee5e3e8432516835e5fdcb

SHA512
c519e06a88a9d520ab9b428c496b33e214818558a0da038d55ea9b18579b621a8cff90b00d16c3e14dfef26011201e96f2fe2f89aae01c2da1aa098d878c7c33

Download Submit
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json

Filesize
11.1MB

MD5
28041432b0c51e3e887643272629c83e

SHA1
fbea5dfc62f03e1ff784b410ec0d547de0e8156b

SHA256
85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902

SHA512
7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f

Download Submit
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes2.dex

Filesize
351KB

MD5
09ca76eaccf11fb9b5769ba60ab9c278

SHA1
7f0e71a691459dabfac24cf1efcf0e6d04ee2d7b

SHA256
e9b22b9dffc776ab692b527cd7a4b0d2cbbdc74ac73e8f40adbdbab6b8e12115

SHA512
dd4fef6aecd6330ae1d9926e0549e383758361a05338d0520a29ad69ef4b8c69a1e6142d99adb70d4f8d8341aefb10ee989e83d00d894ddfcff071958450c13b

Download Submit
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes3.dex

Filesize
265KB

MD5
0807e30b8ae3f6dc61c13bd56d2c9a03

SHA1
44f859d7c1d180d658e829d04126a39c48269ee6

SHA256
2df538d987437436baf41fadef8a4e17a1ef19f96a002372d001ff7d4ea227ce

SHA512
0dc29f85ce95d2eb3e8e9718f01f5b624458c42cca80ea55edc5d9e09410e01491e2f98603e86468fb3a2706bd6b9b100766d78cfc0f968cf4504860db016fd2

Download Submit
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes4.dex

Filesize
1.9MB

MD5
2d73c5997273e3910c1ac1d8db7ba145

SHA1
25737e75ed15863e69d02a14efa781370dfec798

SHA256
411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965

SHA512
7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a

Download Submit
/storage/emulated/0/Android/data/orkei.ti981.pay/cache/logs/log.txt

Filesize
4KB

MD5
8eb54ada9a394f20ff68f21cad1afb61

SHA1
95909d17a4f0ebae8cab0fab4ddc738427a72d51

SHA256
b6d7a158a2fef94703436dc95054be3d701b9f4b5de3a3f140ac325fd6394e97

SHA512
10b5b52f1341f27cf909dd5afb9bca0ba1b850982fcb819ec412a56afe3207ba95cd6c9f5d4a5ce72eb2116a3f6690f0d78d3a6dcdabdddf682d06574f641c6e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads