trickmo | 26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb

Analysis

max time kernel
29s
max time network
30s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

7.9MB
MD5

f525baeadeacf35b7ad1a678704ddad6
SHA1

6126abb50a4842799ac33e4a39434e43475a6a0d
SHA256

8773345e94b7f8ec7ed5515e507f72ad7358ecf7efca360a719ac7a39d18456c
SHA512

daa597e2f6d2eefc9fb8f7c349b6a51a9e059a3a7d90ceed9f6c7ed71776ebf4a2b7c8aeabd984f800420cf3cdef0f3526dcf0685a94db7380bf0df2bb4cab7e
SSDEEP

98304:wNDTv2Eq7sH83EhsrdbQ6r9dFb2LhqtVTKMiXPGYMKNG0rz4fqW7HCfGsG+x6zZV:ubc+8bQmO0XTg/GY5NGxlJPzZvjv5Lt1

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-always-free.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json	4506	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex	4506	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex	4506	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex	4506	efja.fast805.touchs

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	efja.fast805.touchs

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	efja.fast805.touchs

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	efja.fast805.touchs

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	efja.fast805.touchs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	efja.fast805.touchs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	efja.fast805.touchs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	efja.fast805.touchs

efja.fast805.touchs
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4506

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
21c32f1c942e4042d945422612bc878b

SHA1
33abf93c234aead3770df1ece78bf0802da9f667

SHA256
f8076c7bd8963ea1d98939e6b047fc5f11d43c5119533b2136789531d498f347

SHA512
9c6860f3e9bb4d523704cae8604627016bb06e1ff2593ff475a3c2a141cac1be22624ef67808582d5ee15f7055152fc399d966df613f89b1be2e84d64dc9f79f

Download Submit
/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
534f0d2a0aa52111ec0ccd561f57c578

SHA1
b06fdb7079904e2b0a8f56693159678424c474aa

SHA256
6aafa7a8cf9dd18d1a768073d12e1996cd1ba055bc4c8a00a162a455d692e0c1

SHA512
4f46211fffe9953311adea27b2a0a7781903f90bb280488458814943def9bdc7c4e2a89cb647797d0c3fe2ed600c2de4ced84aab2df2319138742690f54d5c72

Download Submit
/data/data/efja.fast805.touchs/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
12a2c171d259fe711d846fc7f28b48bc

SHA1
0e6fff0a61523307e6d19271bd508d3fae0816f7

SHA256
aee5b2c22ed6a8ade11a20ffbeccffc70c4e962ceabeb525c808a8b7c2bff854

SHA512
7c4f333363bbd609d3264c84ad7e0275876da9f3736920705e5509da0dcf3dd4d99258640122980e4468ca38be635f5ba402eccdd8f0b19399858789fe78cde2

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
512B

MD5
2804df42d83f5da2e124f310f55c41c3

SHA1
ba5dcd85d763a03ab365ac0acd8301494a071510

SHA256
f39a23eb58233a854229f9d9f2284c5766a8de3d70174fe0e6698cb478a3852c

SHA512
d85bb456d96bb8fd96d14151eb96b2b945310abdb97e8203b513ca43916cb1317e4f6dbe2d19d90e46750972986febfb869f4ac45be053b394322788974ac61e

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
7c653255feed65530a28137389b24a10

SHA1
f00be7f14104aa3d3834ed6a94ea1beee6cd46b4

SHA256
8f4bda8c8f27948b4bbfc75fd65c1f21307fb2bee8b1d7c36781b901e163e236

SHA512
fbddb4eccbe3daf149a0b66d64d4577227e89a042cde0760170edc7e1330dc5c3b91f3dcd2df795cc42670a08892a7f7aa3a53fcef6ed8ad347692ed26f6b667

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
e2b3ec2afc383ea588aff1a6a0d3234b

SHA1
c41137175d88f5f27d5bf242b7242ffb8a2dbbc8

SHA256
ab3a7987ef5d54f6ea2abcc748b0dc9f6aee3f82ffdeacad879eed57f7e74602

SHA512
f59d77806015c68fd8f8afa738da90e6cf2ca1eab805bcfbb4ff22e611810ac6a1c280cd0bdbffff701c4eaac7a020347796443a273618fb5c3cb63d70f9f14b

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
12KB

MD5
6a3e5a10109f085322fc11a5d7e72f72

SHA1
28a1981b99d15f5ea0fde6e98a95db9616efadda

SHA256
a4127e463f12a887e45b94ebe75b2b71a08f469f1839d5e56cb034bdc94e9d18

SHA512
d3f085ced9a22af291ee3ebd224364f3282e916ddded1e75c341b70753aef89a613d5edcc3338ced1c3b0a482835f8099ff7b02b0698e1ff1ab0bf005e288da0

Download Submit
/data/data/efja.fast805.touchs/files/efja.fast805.touchs

Filesize
256B

MD5
7c225ebfcb29dfa26c4a6fa95377c393

SHA1
ac8d09df008b9ddacd3544de36b4ee972a957fcb

SHA256
a90b62d1e3e94daa17bd685781e3044c68011680a9f45194d9021d864e7723b0

SHA512
aa65f3656ce5bfdd6920333ac3762a9bf9733c6ce52ac5f762c85ec1a84e050ff009085b1e1e250969c2b1c3c7b4899ba8034790df7feb6bb685075ad3d89ef8

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
bfc68c9f5620e9d4cb3776ed42280a22

SHA1
14610791336630c0e9348470ebb65e39efb32b91

SHA256
f0910bc463933694de13b45b062ba4f11f057fd17bd2d5d2dc3c1e1b33fb7c85

SHA512
e3c9e2ca4f0b5af6cbf70741fcda72ac192002211c01b111ea7e84030f36ff134269779cffa8c404b038b6480a10d16cf790b5b877e00b7425453d96965d4638

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
e6a11b49539feec88f3095df9c9eb306

SHA1
e679d5b39bfb6e3a0f8e1625dac00931d3e77b5d

SHA256
57a4fee025f9feb869ced148aa35effc8859ffe8c1bca5779f85f0f063e02ba9

SHA512
e1807341c72b7b09b1d3b64388d0aacbcd8bd842f1c741f0e320d3a7cd846c52c7f0b96c23ad4ea44a99549f5901cbc75ebba7cda027047093a9afc79118eee1

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
80ea267abf1869e7f9f05aa4520c68f2

SHA1
0c31bc56e53086ad0cc021132bf75bd916de663d

SHA256
0cc49e5852557d4596bcba49e6fd9db7fa8a9fa75d9aced789f3152be36988af

SHA512
f5968ea2e3b9bb3f71ddc2d0436312c08ef41e272baafaafb09712285137000283e615353b1d47e0d861c6e0ad06bf460409b69ea723c83a947a5e1ca2397970

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
de515341b29eb3f73d62de1b771c4cb4

SHA1
0291004354ed2aaeaaae96cbd07a7f908590335b

SHA256
10b7225407d29573d3f724a20d1e95d06aeb5ff42611e963620bbdf11d68643b

SHA512
f27f95f6d6a4b3f9e755aefa3a36a974af0de3363d6f984dc8083ccffe56c0daad10c4716fcb815ea67d345fdf514a6b3897ef379a8cd31476ece7688f021bc9

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex

Filesize
308KB

MD5
af76bf112a1486f959993ab101d1dfb3

SHA1
d38bd79b0d58135807b7e9038f35e099bc8b18ac

SHA256
9a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326

SHA512
de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex

Filesize
266KB

MD5
1c44e8e0e2db37651e10a075ffdcfa22

SHA1
533915cbeb1f912075f5cdb7f77d0310d875d40f

SHA256
ec90a6c423e42ba5fce0e72dd68e623c388870eba3a3c98358d6a749985ed192

SHA512
7541ede26f7dbcaa2cdd92ca05a4415340901354c422fbafa4aac3424e0a365f2087656c0b873a8934976d4f63c35fbf9923babcab39a1cafc20baba4720d391

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/efja.fast805.touchs/cache/logs/log.txt

Filesize
83B

MD5
fa4a5f57b6c437308988ffef42a453e5

SHA1
3a8547ba7c4c084d13037a3cd1093d39b1f8636c

SHA256
ec2db24319e6afc2a65df4d3e47630711c20b04be7360c5b955a3335ab77b0d6

SHA512
4fe9763311cb0430b25dcdb510a8941a156a0cac873371738c16a4b81cd9a2178379d9cbbf53524018f38530facfd56ff1277f01ef013a347dd1281ba851aee3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads