trickmo | bbefddee16638eedbea8c970dbf9f052aa4e42c5cc7cee59b8758788a27e98d2

Analysis

max time kernel
4s
max time network
31s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbefddee16638eedbea8c970dbf9f052aa4e42c5cc7cee59b8758788a27e98d2.apk
Size

7.4MB
MD5

b228cff097466d7a5077ef6ac94ac862
SHA1

3405bbe0c7703dbb6e5829b90e25d0efebe6b9d7
SHA256

bbefddee16638eedbea8c970dbf9f052aa4e42c5cc7cee59b8758788a27e98d2
SHA512

f807fadd8e450c7b2a53ed387211059046cdd4fa030a0f7c6525e983e4fa3d263ce86bb9e4c9804fa239a0e57e016d703761b055e3dc0efd68327d5ca4e8b4ba
SSDEEP

196608:8XBBT18xyoVgPdynjh9Z7qNK3zI7cS83nP4/nh7jTi72I+5FZzorwUWDV:+XT1Mcc9Z7wb7of4/h7jQ2jOrRM

Score

10^/10

trickmo banker evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://techpoint.cn.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/hinjohn.dad249.ta/app_love/By.json	4460	hinjohn.dad249.ta
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes2.dex	4460	hinjohn.dad249.ta
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes3.dex	4460	hinjohn.dad249.ta
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes4.dex	4460	hinjohn.dad249.ta

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	hinjohn.dad249.ta

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	hinjohn.dad249.ta

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	hinjohn.dad249.ta

hinjohn.dad249.ta
1⤵
- Loads dropped Dex/Jar
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4460

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/hinjohn.dad249.ta/app_love/By.json

Filesize
5.2MB

MD5
4fbb4028718532d32e22239261a76c29

SHA1
21291bfaab1fe037a003feaf8fd8ca01c800dd6a

SHA256
ad0581c6e1a840d93765648b854037e116402f247126ff01eaf6e37e6298c120

SHA512
92bde62f07d7953ed5f048acc0349ff6ffab105abf6dfcc1e4011873df7d649ddbbbd68bd0d6f47677f8ea08d6f1912e653ee274ba3895c07a70c9499c078979

Download Submit
/data/data/hinjohn.dad249.ta/app_love/By.json

Filesize
5.2MB

MD5
02bb31370c476d5d188123d472930ccd

SHA1
41423584d5c1cc00ee94541e7a42c7b75d215079

SHA256
daed2788794875c06c74734d96fa2ce8de613defa13b7355f3be5033f66a1055

SHA512
17b5dbb3fa3dbed0e9bfa2702ec7c25b43794b7b70bed37810d8b45f0e4d1a50951f2c350fde2d5ecd7b77d961c20cc70e39d24ac7492e965d6977dd7b4741d2

Download Submit
/data/data/hinjohn.dad249.ta/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
512B

MD5
9e8f377018477b2fa6676175cd4e91ac

SHA1
6884e689a23ca748066b5cfb0b80537bb9d40fae

SHA256
b8a38bc4e2b25106d948238a4e9905ec8b7d753a052b467965fda2af2e3add7e

SHA512
a7603d28167bdd00f0fd2d828cfd1094fa329c18b511ebf57e884d418130a64b2b1e2712c27a146387a42e027f5117e75050521dff7b698ff7afa4487b54890a

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
8KB

MD5
2fa71f2b1e6368bfbc186f1a248d0ba8

SHA1
3147463be3981a4b0d352a3f9d1bd0918499cfbf

SHA256
4403cdb2a711d1a20ec2cfe2ec1301b3ff4b952f554e8faa77a0cf27896649aa

SHA512
54248d7475ebc50d202bafc14b90349b68aede4e63b92f9742d13663a3bbfd8fb1e7e2d3ede45d1be7305ecdffafcafa4b4f458cea86099735c83d9bbd39856d

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
8KB

MD5
c35f3d5244d9dd65776175ec5489d868

SHA1
bf1d30364a69abbcde31c5ad4db258db0c4730e3

SHA256
de1f27294730dabe8e2ce998c36c8097bf582eb390b7b15ed217c50267174579

SHA512
560c8b10179027a3fa7c336da99ec41b90a2cf4559de34bb739f7ff98125957b953a9474ffabf5974203930c4a982abf0b1a6524111bf380dc102dda9f1f8866

Download Submit
/data/data/hinjohn.dad249.ta/files/hinjohn.dad249.ta

Filesize
256B

MD5
5a3d23de920b850e2fab19b15d36a567

SHA1
91fda64907627fc6026d1d2896c1ab09b1661d30

SHA256
4be50a49efe44b6fd4f2199c5776a2a2a93cdcfd72d3cbc0d5fe47e1873e93c2

SHA512
e8638d48a448812cada29d673eac3e07b2aa1e3bb4dff1ab8003d3cedcf3d0f647d5a0df8ba384536e3bbd42968f96411fb0092c22087f96195484911640fcdd

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
18f85a8999ffae7148d7c92a34c98e3f

SHA1
e1952733a378f406728e37d7e3a037a18cfffe0d

SHA256
d1c8a08e2dcbfc31cdec0c96bd1d6b958b762b0a5bd57e9fb6c1a39ed0f2be6c

SHA512
358694a553558c167b1369e86c9753418014743ab4764b9491f51639b4de1f3ac665674356bd5f38042ae1596a232de37535865d29bf77a2998e7d33c00b1c6d

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
ac3e7f2b62e94afdb90e41dc8aa9d83a

SHA1
b89bba99ff8ac7663dbf4423de495583bcb65cc5

SHA256
d7f342f15736e087d9987183343de3f28b0ffb875621c55dd8a99809aa481db2

SHA512
dda0d9a8b46c817350f51f25dfcbe2644a19676989ec060af5025fb2844ae0745e3e2efaab7a9d9f26af032897952b4cb3d95ab6826bdfb24a32b0ec5806b695

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
9a7145714b48c6d7da967ba789759280

SHA1
8b936551a06958bb2391785e0764655f8433e80e

SHA256
49a84f000f4ef95eb22319d438e1b6d6d8510cfc35e34b98f7966886e9ab56a6

SHA512
6ed48632c63df992faf6f2dc2949a384f5f98d1ac48d155c4a020ba7f653a4e5a4c6d1ca37305b1bb17cf110c2bdd9851682c4da9f4c88398c392b0caaeceff6

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
f915ad42a4e07aacfe1491396ffb74a0

SHA1
25ff723d3373cce65c276b44332576c3025526af

SHA256
1c214c7b30d9c28b6f207978adc6b8381e4421bc71ba69df223c0dc06246385a

SHA512
97cbee2bb37e1d6b294069699e51ce8e764b251c7e46978c0f981c1c46a203130b0d3dc18752fd7be7c5072b1e4f97655fe4c887b9ccfb80ce587cc3165110ae

Download Submit
/data/user/0/hinjohn.dad249.ta/app_love/By.json

Filesize
11.1MB

MD5
28041432b0c51e3e887643272629c83e

SHA1
fbea5dfc62f03e1ff784b410ec0d547de0e8156b

SHA256
85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902

SHA512
7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f

Download Submit
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes2.dex

Filesize
351KB

MD5
5a6c21c97564f9a1e87f8d7f10c4a768

SHA1
1e5f3c0425f58d762043761315dbe272245a6be6

SHA256
0560c1387efd41865f075e176b7d4875340db043d943c95f0ad11f0f684fc519

SHA512
e823cfa4c5dd345e9f68aeeac384d42797ed1419eb70ea99d122a6c20a066a97fb94ce7dd6037b743d82eaa21bab2974213027c5e3a03af95c6c8ec513b7ec6b

Download Submit
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes3.dex

Filesize
257KB

MD5
b9c73c4d9fcf118ac64a47bdfb8bb561

SHA1
f74dec2bb9dc1c5050ad66937ecb844b915a06b9

SHA256
31b28132c9fac2f1062b7eeb45e2c281d65d19dc03805a7e4e4122fa492ffb1c

SHA512
750c57fa2798de21de00d20cd86cab0c12e4e7d5d3c8978f6c674fec404b6aacfa9b3bdf03d0da0f0bb16fd62928dc625e3ccb135699757bd16ec3e7e379d375

Download Submit
/data/user/0/hinjohn.dad249.ta/app_love/By.json!classes4.dex

Filesize
1.9MB

MD5
2d73c5997273e3910c1ac1d8db7ba145

SHA1
25737e75ed15863e69d02a14efa781370dfec798

SHA256
411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965

SHA512
7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads