trickmo | 26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb

Analysis

max time kernel
23s
max time network
29s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
22/03/2025, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

7.9MB
MD5

f525baeadeacf35b7ad1a678704ddad6
SHA1

6126abb50a4842799ac33e4a39434e43475a6a0d
SHA256

8773345e94b7f8ec7ed5515e507f72ad7358ecf7efca360a719ac7a39d18456c
SHA512

daa597e2f6d2eefc9fb8f7c349b6a51a9e059a3a7d90ceed9f6c7ed71776ebf4a2b7c8aeabd984f800420cf3cdef0f3526dcf0685a94db7380bf0df2bb4cab7e
SSDEEP

98304:wNDTv2Eq7sH83EhsrdbQ6r9dFb2LhqtVTKMiXPGYMKNG0rz4fqW7HCfGsG+x6zZV:ubc+8bQmO0XTg/GY5NGxlJPzZvjv5Lt1

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-always-free.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 8 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json	4368	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex	4368	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex	4368	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex	4368	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json	4341	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex	4341	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex	4341	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex	4341	efja.fast805.touchs

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	efja.fast805.touchs

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	efja.fast805.touchs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	efja.fast805.touchs

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	efja.fast805.touchs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	efja.fast805.touchs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	efja.fast805.touchs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	efja.fast805.touchs

efja.fast805.touchs
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4341
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4368

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
21c32f1c942e4042d945422612bc878b

SHA1
33abf93c234aead3770df1ece78bf0802da9f667

SHA256
f8076c7bd8963ea1d98939e6b047fc5f11d43c5119533b2136789531d498f347

SHA512
9c6860f3e9bb4d523704cae8604627016bb06e1ff2593ff475a3c2a141cac1be22624ef67808582d5ee15f7055152fc399d966df613f89b1be2e84d64dc9f79f

Download Submit
/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
534f0d2a0aa52111ec0ccd561f57c578

SHA1
b06fdb7079904e2b0a8f56693159678424c474aa

SHA256
6aafa7a8cf9dd18d1a768073d12e1996cd1ba055bc4c8a00a162a455d692e0c1

SHA512
4f46211fffe9953311adea27b2a0a7781903f90bb280488458814943def9bdc7c4e2a89cb647797d0c3fe2ed600c2de4ced84aab2df2319138742690f54d5c72

Download Submit
/data/data/efja.fast805.touchs/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
512B

MD5
ca79a4b6b0b63dae2011b25ebc49aaf0

SHA1
6f59365f807aa0397c7128b9bb15d285d8583350

SHA256
f2f14faf26e97f439896a793a0a9f684063481d4d07414cc6db806857338eb9a

SHA512
7731e48090adb0ba71224564d0ab4a76e9d24f13d271ebdc8068a08f20882e1418b0cc387e3828118a191c73327a8d0c21286375becc8f49dcc76b6ff7d31d64

Download Submit
/data/data/efja.fast805.touchs/databases/a-wal

Filesize
32KB

MD5
844e9bb2e6d2c54fd3ba61f90ff4503a

SHA1
52f001891341c3c0ff55e13f254e74138c0fe072

SHA256
6aa465bc1cec96db369e550e75b4c7db35da7dbea47682e273050cd062a8d7ab

SHA512
39ef0f49cc73b103c6d715cca80891854fb4cb1592e5da77fa1048a2c8dc471a65a8a2e8ba6067d397e0e3c69cbc256acd2fed30622f664a4303048fc4b03720

Download Submit
/data/data/efja.fast805.touchs/files/efja.fast805.touchs

Filesize
256B

MD5
c91c328789d44e7f0d9b8cb3f47aa7dd

SHA1
4bdd76cf9c98e009e9a9320c75351a6f7be6e273

SHA256
d47cda04428c6181f3b827e364b24244aeb4c68a1d40dd7ee26b51076ff93341

SHA512
0dea4cd27a83469af18b9885531579865af304d7afd73cc9d6061781a9ec5b07932525bb7c4c79b7bd0b53e6cdaa349ef6f1d32429e88742d2879d8271e53a75

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
4c8c76a41e052ca90f4d1286c430802e

SHA1
c5d0a6e8d628a5abb9de49d4dc0b47f1006b101a

SHA256
ae22162330640feac1da6a0c5e9ba2ddb92b2d37c56fe81abaa3189103dbcc36

SHA512
2c86106c7e11951066818bf1559dbc84cb67ee2054122656792d95003b356bfc9f9718fbf881ec6b681f460e77c34fbd1eb8ce1b9fd34c73415c063102c7e50f

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
084e8904b9d4cfcafd2e17f180742ef9

SHA1
615e14094e10ba4f831f7497cea26334a659377d

SHA256
0ba1b4c6e16eee77daceb5da22e2e8587034aeec5771a82bb9e964eefd7ef4a1

SHA512
dedd50dac7ca79452aaeaeb07b295c532ab468a27d53bd9b92dc873de343b83ef114b526984a881e5c39b940ae3ef06d8d706ada8ae6c75abd9df73275760ed8

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
a576432a1b6af68c865c4ffcb877e7f7

SHA1
7b7123dd3d0e3b4e644ab49d789c80e8f6635bea

SHA256
b290ca45e5191c8c7b5943b7035314672ee1567d82178d2ef9510214fb576d36

SHA512
9e7086f1fd9fb3828d85808fa2adef52c041c4439e483f4054b7a6a23df99acee81c3a22445f604286a6412623fd6f18a9a0079dafced7eb2cd9394872af6634

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
3d67698f4485342f97d94ac2b51563a4

SHA1
371410ebb43e62daf51b67347a2346f727b50443

SHA256
a2b47dfb89ae4ae09952da2db0aa906842190886177faa5dac166e45f578b58d

SHA512
49c96c1144e841ffa5386701ca12bb663d40c018d8142df4707824150043154de687588a7f210d4604d3ea072adc22ef7f708e16a34879495c3e267c87e5ce79

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex

Filesize
308KB

MD5
af76bf112a1486f959993ab101d1dfb3

SHA1
d38bd79b0d58135807b7e9038f35e099bc8b18ac

SHA256
9a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326

SHA512
de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex

Filesize
266KB

MD5
1c44e8e0e2db37651e10a075ffdcfa22

SHA1
533915cbeb1f912075f5cdb7f77d0310d875d40f

SHA256
ec90a6c423e42ba5fce0e72dd68e623c388870eba3a3c98358d6a749985ed192

SHA512
7541ede26f7dbcaa2cdd92ca05a4415340901354c422fbafa4aac3424e0a365f2087656c0b873a8934976d4f63c35fbf9923babcab39a1cafc20baba4720d391

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/efja.fast805.touchs/cache/logs/log.txt

Filesize
83B

MD5
7f342fb9602b792495544a0ee74b6054

SHA1
408016a2311d69fa636db306ec073922de6c250b

SHA256
f41e4f245283b360c891066f91c4d16be7a039b334a6d7abed1ff2c3a4a2e5ae

SHA512
dc7c1d7afe85a2e0e75278163cf16a42f9839baaa3e5df6d3fb90863e571d9c0085e4c5218527bdae8743cb559ed45caeaa08713ece2fae8366ee6bbaadd52ed

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads