trickmo | bbefddee16638eedbea8c970dbf9f052aa4e42c5cc7cee59b8758788a27e98d2

Analysis

max time kernel
48s
max time network
151s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbefddee16638eedbea8c970dbf9f052aa4e42c5cc7cee59b8758788a27e98d2.apk
Size

7.4MB
MD5

b228cff097466d7a5077ef6ac94ac862
SHA1

3405bbe0c7703dbb6e5829b90e25d0efebe6b9d7
SHA256

bbefddee16638eedbea8c970dbf9f052aa4e42c5cc7cee59b8758788a27e98d2
SHA512

f807fadd8e450c7b2a53ed387211059046cdd4fa030a0f7c6525e983e4fa3d263ce86bb9e4c9804fa239a0e57e016d703761b055e3dc0efd68327d5ca4e8b4ba
SSDEEP

196608:8XBBT18xyoVgPdynjh9Z7qNK3zI7cS83nP4/nh7jTi72I+5FZzorwUWDV:+XT1Mcc9Z7wb7of4/h7jQ2jOrRM

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://techpoint.cn.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/hinjohn.dad249.ta/app_love/By.json	4515	hinjohn.dad249.ta
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes2.dex	4515	hinjohn.dad249.ta
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes3.dex	4515	hinjohn.dad249.ta
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes4.dex	4515	hinjohn.dad249.ta

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	hinjohn.dad249.ta

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	hinjohn.dad249.ta

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	hinjohn.dad249.ta

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	hinjohn.dad249.ta

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	hinjohn.dad249.ta

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	hinjohn.dad249.ta

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	hinjohn.dad249.ta

hinjohn.dad249.ta
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4515

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/hinjohn.dad249.ta/app_love/By.json

Filesize
5.2MB

MD5
4fbb4028718532d32e22239261a76c29

SHA1
21291bfaab1fe037a003feaf8fd8ca01c800dd6a

SHA256
ad0581c6e1a840d93765648b854037e116402f247126ff01eaf6e37e6298c120

SHA512
92bde62f07d7953ed5f048acc0349ff6ffab105abf6dfcc1e4011873df7d649ddbbbd68bd0d6f47677f8ea08d6f1912e653ee274ba3895c07a70c9499c078979

Download Submit
/data/data/hinjohn.dad249.ta/app_love/By.json

Filesize
5.2MB

MD5
02bb31370c476d5d188123d472930ccd

SHA1
41423584d5c1cc00ee94541e7a42c7b75d215079

SHA256
daed2788794875c06c74734d96fa2ce8de613defa13b7355f3be5033f66a1055

SHA512
17b5dbb3fa3dbed0e9bfa2702ec7c25b43794b7b70bed37810d8b45f0e4d1a50951f2c350fde2d5ecd7b77d961c20cc70e39d24ac7492e965d6977dd7b4741d2

Download Submit
/data/data/hinjohn.dad249.ta/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/hinjohn.dad249.ta/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/hinjohn.dad249.ta/databases/a

Filesize
20KB

MD5
48c3bad6b56f926c51b96f1b91a8bc7e

SHA1
78ad65e23894c9df4d3eef10b2541124d1287f7f

SHA256
aec71c74718bc0e71874ce71a6c2c9d9417665aa2c83debf0274169f4703092a

SHA512
5ac08497409c335b7bf0e8872577f476b3b6e5fa2b8661b95f021e14e3ec5a4584eafcb5b2da074e87888649bc80d2141bd8ceb6c9925fc7de0fd512605301fc

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
512B

MD5
0b5e84eb31e776acf088fd40e3cda7ff

SHA1
4f8887a11ab4755b8fb1f853b64f008719dca037

SHA256
c77f8aa910c2be64fa49c7801eed85a42178a5a49de38037362f613d5a5fd1e2

SHA512
7d00d55b7a7e7e0601880fd55b82d9c4e5318b015bc8e1bafb8e54378b040aec21ef42de787a60120c63eba3e07f9025d69018570a4d9f7dce078a73647bcd72

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
8KB

MD5
54f56882f6be5c959dbcea6344145b79

SHA1
b9ef11d7c4c284c9386633a34e801064218f5e1a

SHA256
550ee7c362c38735464f88acc815255d82d58325a804ed31a89b7b4fa471e694

SHA512
8e804170cc3212009daa001f408a9f953e6d00411deed838976efe6ed86bc5e91088606bba23952c5a13cbf8963dc90e6ff188d3124915a750f646f0568f8182

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
8KB

MD5
a58b376d0a0cfd38f8139e5d31dfa8c0

SHA1
f56c10b896d13334c20019140d6a6bc8868cc42e

SHA256
f34a0670a7f5f1410f0038a15d01215b95a94d1b81b8f6d486097872d8786f6b

SHA512
1174637abd5b936061fa5b264586339e00fc7564f04b6fe7d70a88c541587f04203106a2345674de304a1ef8e11a69ee507f7611c45f7ff5d6a8d28dab2c7ea1

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
12KB

MD5
eeeef3f73159f7b2470a336890fdfb47

SHA1
aa6d616b8e137041f2d413185d47f5dcf0531a9d

SHA256
02f88350942675c4576e4e012e733223196d475314df87269a732aa5ba3779a1

SHA512
d91263cf42a7dd2963a40114b8b5fa6254fad3c8eeabcd1bade55edb900bdd105b5555ad41ab46f27f50beaf3f1b8ff3fddbc3c81fc3c7744a2add22ec8f28b5

Download Submit
/data/data/hinjohn.dad249.ta/files/hinjohn.dad249.ta

Filesize
256B

MD5
ee81c01b3f77386853a76d9c5a9c8646

SHA1
0b276873eb1edf33f5c993fb90d661c530d126f2

SHA256
9b70e1ddc521a21ac8963a2a9dceb1deb86ecdcc56d372f57e27beb9dca9a362

SHA512
3120c0dea055a50ec550226911bc4dac018ef39be35645575f5d2c1b1ce7e430e0c65683efad93281540a97f927d3d2fcbae3fa4816d79befe5b743ad159cb63

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
1f1a90f72e701624333e6ea725b7b221

SHA1
e59e60968e7da4680116d3767363c4c9f1154a35

SHA256
1108b9af7a7fb70afe81c60356273e8d15ed1c24c43e2f0fdb69367557aeab45

SHA512
2f38f4fd5f4e4e20871ea327b80f37bee8ef8112f26c741be464e22b4c35bad608006ecdf2d8bf53e11f9b7c5a65ed099f6244ee76e235cb3d1cfd94a677a576

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
97f528deebf9f642cfd4b4acd7e1dd56

SHA1
ac3a1189d12074776b1c0853de879dbe6cc58a5b

SHA256
2b893ac2545b6259df8071b19487dfcc80d3d17ffa463659e778c442eb24872f

SHA512
95d0d1ddbf3000a237bcd1b6d504c6cbb6c6a76f5782a0ad9b8bfc85a842718901082e61749c858392c1d5aa039dbd279a359190afa796378919f381f0f687c9

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
480d6754703996ff0b7b5f63400165fa

SHA1
07dab5e2f66c7b8bfe7febb2ab55bd1c83165658

SHA256
58e73d531f8b84039664b5f78aeae1c11e650e39cfa7344c478f38251db398ae

SHA512
5e0322a87c0012eb4541c73434ce5654efbf083f2588193a006d2485dbb61781baeebb1d4740df8a76e00b1a99d448a8802c7dc93c85aad37ac3f77b2b9c187f

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
942c6e02ad71a6b085e4b6a928946381

SHA1
46adb81446facdf36f46308be3ecc6f3468a5b16

SHA256
f80790f0aa0de13e5e87bc4d4a4923c95587eaaf38f2a57aa925d3e19e87ec0f

SHA512
bcd031440c03b7420f636bcf22ec0582b6049c44115acd0303d879bf43afbe481de1c2cd38f4b1e4d5394718a9e9f20390a9505684cf59b4a8d704917cbeae3e

Download Submit
/data/user/0/hinjohn.dad249.ta/app_love/By.json

Filesize
11.1MB

MD5
28041432b0c51e3e887643272629c83e

SHA1
fbea5dfc62f03e1ff784b410ec0d547de0e8156b

SHA256
85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902

SHA512
7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f

Download Submit
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes2.dex

Filesize
351KB

MD5
5a6c21c97564f9a1e87f8d7f10c4a768

SHA1
1e5f3c0425f58d762043761315dbe272245a6be6

SHA256
0560c1387efd41865f075e176b7d4875340db043d943c95f0ad11f0f684fc519

SHA512
e823cfa4c5dd345e9f68aeeac384d42797ed1419eb70ea99d122a6c20a066a97fb94ce7dd6037b743d82eaa21bab2974213027c5e3a03af95c6c8ec513b7ec6b

Download Submit
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes3.dex

Filesize
257KB

MD5
b9c73c4d9fcf118ac64a47bdfb8bb561

SHA1
f74dec2bb9dc1c5050ad66937ecb844b915a06b9

SHA256
31b28132c9fac2f1062b7eeb45e2c281d65d19dc03805a7e4e4122fa492ffb1c

SHA512
750c57fa2798de21de00d20cd86cab0c12e4e7d5d3c8978f6c674fec404b6aacfa9b3bdf03d0da0f0bb16fd62928dc625e3ccb135699757bd16ec3e7e379d375

Download Submit
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes4.dex

Filesize
1.9MB

MD5
2d73c5997273e3910c1ac1d8db7ba145

SHA1
25737e75ed15863e69d02a14efa781370dfec798

SHA256
411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965

SHA512
7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a

Download Submit
/storage/emulated/0/Android/data/hinjohn.dad249.ta/cache/logs/log.txt

Filesize
14KB

MD5
82baaf43070cb060688dbda59714c0aa

SHA1
b275200c94af07d4fc52c63bba04eb054463d173

SHA256
30640f3a898c451517d6a40157d431751815693d4ad7935ab728eb79e717d964

SHA512
cfab56832b6650e964318797306bd96b2bdb0eb19d993326ab0d6d0d658d8e89c5639c9d241f9bd0ade64783ddf8fe620cc26fe7c5b8e59883e974e00101619f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads