trickmo | 16019bccb869e2c1db792b41955b14c6a0ffe4f3dda0d44c077c75e230040e07

Analysis

max time kernel
29s
max time network
31s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16019bccb869e2c1db792b41955b14c6a0ffe4f3dda0d44c077c75e230040e07.apk
Size

7.2MB
MD5

9426cc5ac88d93aa4453a4dad3a3e707
SHA1

54b24c5bd029e111635fee3030c8271e706709a3
SHA256

16019bccb869e2c1db792b41955b14c6a0ffe4f3dda0d44c077c75e230040e07
SHA512

15904ff60802ec1d88ca759b3bc21aa4ae2c18514992f9482d7fe321f5b66db05e36bd659255e76f42ac9ec2d20c6e853560d7f891aaa824554be4d7f08a431a
SSDEEP

196608:jWbdzLLW2X11knMvQbhLi3K+JvZCeJ5bjn/0+57L:SbZW2l1kMmT+TCeJ1Qq

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://techpoint.cn.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/hinjohn.dad249.ta/app_praise/AxpFCZ.json	4505	hinjohn.dad249.ta
/data/user/0/hinjohn.dad249.ta/app_praise/AxpFCZ.json!classes2.dex	4505	hinjohn.dad249.ta
/data/user/0/hinjohn.dad249.ta/app_praise/AxpFCZ.json!classes3.dex	4505	hinjohn.dad249.ta
/data/user/0/hinjohn.dad249.ta/app_praise/AxpFCZ.json!classes4.dex	4505	hinjohn.dad249.ta

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	hinjohn.dad249.ta

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	hinjohn.dad249.ta

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	hinjohn.dad249.ta

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	hinjohn.dad249.ta

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	hinjohn.dad249.ta

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	hinjohn.dad249.ta

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	hinjohn.dad249.ta

hinjohn.dad249.ta
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4505

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/hinjohn.dad249.ta/app_praise/AxpFCZ.json

Filesize
5.2MB

MD5
6d0994a4c2ae2198f5145013f0524f87

SHA1
a6660852b6899365e05494d5cdfbdeb608ab3a56

SHA256
b8b100ea092f4392a6f9bc8ee3a07b2d4dfd222c631bd7ba9562aeca3889e658

SHA512
45727771753312e65bc9d0218f0f09c78011cf92b46e1b4a676f32ddafa21f789286117d89d6c74aaa798931e609fb1efa8d884768c36d6b9cef1dd2d4738fd2

Download Submit
/data/data/hinjohn.dad249.ta/app_praise/AxpFCZ.json

Filesize
5.2MB

MD5
576e16d3d41210cd4307a252035dd9d8

SHA1
a409decace5e183c7e88ea0737f5fe9849c9e4ef

SHA256
37d8c8c9193e9449b69bfc0351ea71353bd16d532faf6862b0f51c2e3cd3f9aa

SHA512
a93afec97a9e3cd1a34267cced151092208ca2df6d07957403c82c8c17384e244a3f05759d16b203098939a6cda8515201eb67208dd6c8a38031166cc11c83b8

Download Submit
/data/data/hinjohn.dad249.ta/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/hinjohn.dad249.ta/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/hinjohn.dad249.ta/databases/a

Filesize
20KB

MD5
805d37eb9969326bf4da931c9808f995

SHA1
f2a2c521144505b89b2da029a9fe13d2c49cebf0

SHA256
6d19b4d654abd3f1d5b6f3a9a84935ec6f4ea8714f6853bcc518523ec74002f7

SHA512
30c5e9d6a73c15b68934112d92e10ab8e67b554aa42d441984ede23b0b1466f09682b006c5b97b13d3ecdc3d2daa379d5f954e79530c360dd2ae9bdd7794ada3

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
512B

MD5
299f8ab7be17dd2b55805354996cdd08

SHA1
321bd74eaf6e75ded471c08a374f4e21b5f1676b

SHA256
1248fa7c33c56650cf404c0b6bb4d47e7823b4529c659b889567c5324d246778

SHA512
2a892a6afef30bb052b546fc5d997001692cf25bea5b9992a04a27d541df779bb8db56a5c6e7852261aeb1ded81ac5234d6caca8843aaed3cf4096d6989cc3fd

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
8KB

MD5
35b3a4e4b61cb3999aa49057bf74065d

SHA1
0a6456b78de75954b8a435e976a7a142fc622d2a

SHA256
c4ccb9b1f0c3fd082af9572722946ca60611654985144ced26217e679bda4fe9

SHA512
1f7cd3e06a2bd5f9ad6576c605dd8b99975b275f0584613a9e66edd63dab6740c44344eac4d8d11a5ceed372a5fccc7f4c852b6b5f97a9de7167826da950d0c2

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
8KB

MD5
6199f745e393e704a1d394699fbfbf3e

SHA1
a4b80d580c49f7ac9455c3c002f1e51761c19efb

SHA256
058ca9f4d9698ead4dfd014f5288a3f1e3eec2b31c2079c0c244a6f0c215e617

SHA512
e3c1cd2a8a03732cfd7b8b9ffe8b80e64f901284b50d0c9c4093f2c18894afd835c12b9dd548126d22aae5f761ca157053c7f807881c963fbefe9aad0a3939a1

Download Submit
/data/data/hinjohn.dad249.ta/databases/a-journal

Filesize
12KB

MD5
0de05825bd9e52e411fc6fbe965f5110

SHA1
54def3d62902c6797b8ef3a0096ade6af299391a

SHA256
5556361135fa0fed4fa670cbe2e97b21104aaf6c133ac3bb1b243bcf77ff2e02

SHA512
f55055d7b338f5970964a0748f9b5d27fba879f5fe239c9e8a71fc8aed4138897befd858c93d13c33ee453e8e044f50149c6db1f6bf162dd7623f10f6354c677

Download Submit
/data/data/hinjohn.dad249.ta/files/hinjohn.dad249.ta

Filesize
256B

MD5
03a55c4bd35d2b5352f4e7f4bf31a430

SHA1
fddc842559ba9d4123afc23e58d9942e3bc41c60

SHA256
34a7e711f73013069a3f7d288918af26ae759946fed06e2b53466aebebe9b177

SHA512
a7e290ca88eae95622053d28d535fe5e1273f674998c4bb38da8228c53a6e43c92e8af29b3455da5791701773ed8085ccfb3c8e3330121e5fa9367f6c9d4d305

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
7b4f468e740d976fd5e4f02beb25081a

SHA1
fb4643d0469d805e53d134a8476f9f5a2ff3b05f

SHA256
811564fa4d0534384dc5a14d914e2a12ab83ca1c145a534f6b8c4351a03bbd09

SHA512
5553d88b57faa3e984ea46856416b3077fa03446df69ffd1a971911bf90bdbd1341ddf2191de7ac2c9b1cc12bf8c33bc53d99d0128a8799a980ce0ee589c8789

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
6db30b84c152ac700c40c86205cdfda1

SHA1
80f169d0af740e564bbe7999b284c9571fa914a6

SHA256
8ae37b8baa56e633c4bbb09b1145573586b434ddb5fecc4d6ab3bbeba4a0b128

SHA512
dcbb7343f21f8cb4650b43645dcbec71b5f3438da43827bad762ba7d8444b3eb89fff5c318ad825f2d938c42c1af928b5e2586a7f1e87e9020ff377f53aeb9d0

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
067cba2b596170a4c3b8fff77e865504

SHA1
bb776871d4baaf8c072c54f536753535f301162f

SHA256
a5122ea9a14ebade99476a2eb465c9e9b2f3ff535b330d02056f9de199a8c2ff

SHA512
5e01ee5aa7abcc7a729b664569b6f4a30c1213cadd0251213c76da361ccadae3203e183f535cce8894973c1006b245b9d010823fcdcce87461c84382268bd961

Download Submit
/data/data/hinjohn.dad249.ta/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
ef61db93addabf04b6f88cf01c96c135

SHA1
f4b37d54fff3282b6549481862a2b04a4edf7128

SHA256
d8d3844ba76892bdfccb582c64ed89dc5917645454215a1a8044e462634d2a5a

SHA512
30327dd57c46638441d6891d15606f89faa59ad4020d09bec73dbcab126292f1bfe6f7de090516b9d27f8e5f2ccdcf9118a08b557dd772a6fdc69c1f7334f987

Download Submit
/data/user/0/hinjohn.dad249.ta/app_praise/AxpFCZ.json

Filesize
11.1MB

MD5
28041432b0c51e3e887643272629c83e

SHA1
fbea5dfc62f03e1ff784b410ec0d547de0e8156b

SHA256
85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902

SHA512
7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f

Download Submit
/data/user/0/hinjohn.dad249.ta/app_praise/AxpFCZ.json!classes2.dex

Filesize
351KB

MD5
5a6c21c97564f9a1e87f8d7f10c4a768

SHA1
1e5f3c0425f58d762043761315dbe272245a6be6

SHA256
0560c1387efd41865f075e176b7d4875340db043d943c95f0ad11f0f684fc519

SHA512
e823cfa4c5dd345e9f68aeeac384d42797ed1419eb70ea99d122a6c20a066a97fb94ce7dd6037b743d82eaa21bab2974213027c5e3a03af95c6c8ec513b7ec6b

Download Submit
/data/user/0/hinjohn.dad249.ta/app_praise/AxpFCZ.json!classes3.dex

Filesize
257KB

MD5
b9c73c4d9fcf118ac64a47bdfb8bb561

SHA1
f74dec2bb9dc1c5050ad66937ecb844b915a06b9

SHA256
31b28132c9fac2f1062b7eeb45e2c281d65d19dc03805a7e4e4122fa492ffb1c

SHA512
750c57fa2798de21de00d20cd86cab0c12e4e7d5d3c8978f6c674fec404b6aacfa9b3bdf03d0da0f0bb16fd62928dc625e3ccb135699757bd16ec3e7e379d375

Download Submit
/data/user/0/hinjohn.dad249.ta/app_praise/AxpFCZ.json!classes4.dex

Filesize
1.9MB

MD5
2d73c5997273e3910c1ac1d8db7ba145

SHA1
25737e75ed15863e69d02a14efa781370dfec798

SHA256
411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965

SHA512
7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a

Download Submit
/storage/emulated/0/Android/data/hinjohn.dad249.ta/cache/logs/log.txt

Filesize
3KB

MD5
33b0c67d89a47514134c5c4ec5acfd5e

SHA1
cce68fb0e54909c8e0d61f279a060068bb54b7f9

SHA256
111e1559e2d0ed0d78ca34c6e132f5cf9734f9af5a729149583cbbeadb64f4e9

SHA512
21df08a19b9a34f60eafecaf1095f71488f859aec60639863dde7e6d6a964a2b3ac954285f5d6a84baef2f1dc8166303182beaf9fa3f087d919d0bec6da8077e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads