trickmo | 26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb

Analysis

max time kernel
143s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
22/03/2025, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

7.9MB
MD5

f525baeadeacf35b7ad1a678704ddad6
SHA1

6126abb50a4842799ac33e4a39434e43475a6a0d
SHA256

8773345e94b7f8ec7ed5515e507f72ad7358ecf7efca360a719ac7a39d18456c
SHA512

daa597e2f6d2eefc9fb8f7c349b6a51a9e059a3a7d90ceed9f6c7ed71776ebf4a2b7c8aeabd984f800420cf3cdef0f3526dcf0685a94db7380bf0df2bb4cab7e
SSDEEP

98304:wNDTv2Eq7sH83EhsrdbQ6r9dFb2LhqtVTKMiXPGYMKNG0rz4fqW7HCfGsG+x6zZV:ubc+8bQmO0XTg/GY5NGxlJPzZvjv5Lt1

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-always-free.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 8 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json	4435	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex	4435	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex	4435	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex	4435	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json	4361	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex	4361	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex	4361	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex	4361	efja.fast805.touchs

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	efja.fast805.touchs

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	efja.fast805.touchs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	efja.fast805.touchs

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	efja.fast805.touchs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	efja.fast805.touchs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	efja.fast805.touchs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	efja.fast805.touchs

efja.fast805.touchs
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4361
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/efja.fast805.touchs/app_idea/oat/x86/OXkJrO.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4435

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
21c32f1c942e4042d945422612bc878b

SHA1
33abf93c234aead3770df1ece78bf0802da9f667

SHA256
f8076c7bd8963ea1d98939e6b047fc5f11d43c5119533b2136789531d498f347

SHA512
9c6860f3e9bb4d523704cae8604627016bb06e1ff2593ff475a3c2a141cac1be22624ef67808582d5ee15f7055152fc399d966df613f89b1be2e84d64dc9f79f

Download Submit
/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
534f0d2a0aa52111ec0ccd561f57c578

SHA1
b06fdb7079904e2b0a8f56693159678424c474aa

SHA256
6aafa7a8cf9dd18d1a768073d12e1996cd1ba055bc4c8a00a162a455d692e0c1

SHA512
4f46211fffe9953311adea27b2a0a7781903f90bb280488458814943def9bdc7c4e2a89cb647797d0c3fe2ed600c2de4ced84aab2df2319138742690f54d5c72

Download Submit
/data/data/efja.fast805.touchs/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
512B

MD5
83104e31ac9c7f24023f55d21a9760ee

SHA1
c754ac91745c8c5529644e617900f4ca11712068

SHA256
95e2f44a01c1d8dfc73e596495e4359bcf784d6ce4df5926cb46b5ec93f4832e

SHA512
02689b456cf78a34accb9c42051f8a0eefcb735b004a887021bb759896f9dbfcf99c5743f9cd36110f4ebbaf83bcd5eec6f46478fc568f941980c5ccfd8f95f2

Download Submit
/data/data/efja.fast805.touchs/databases/a-wal

Filesize
32KB

MD5
805eb5a453c041fe38e89ed33feebe46

SHA1
eea3fc7ce196ee513404f70f70f04cf65e5bf802

SHA256
61332ef158f183e8e1cdbec391bf3db3119cec71b5687da5d652a0c1fc58633b

SHA512
ff060c88b975eddc87fcea53ec18ce1d628f466cc8eee53f4ac57c9579b1a88b5daa0eaec528ad015cd2d97d8be8a116c2735e3e1b7b504665f76a1992ffe821

Download Submit
/data/data/efja.fast805.touchs/files/efja.fast805.touchs

Filesize
256B

MD5
552adb3d3216b0bf7e93b623d43c3356

SHA1
c5cd333e4c220574632114e58cc882183837b09c

SHA256
985b409d884a662225649b713278a3887bc2932cde50f9f92b82419594d39979

SHA512
27ad265858f1a1a1c1246afb67c0967d26b20ffe7ab98b857c6efc400e90d6cffe695f5f8e4cf5e93502197ac95c04ebd1ca47a6651d411be822addd74ba5c05

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
dda54b828b3338a8bd75a5cce39161db

SHA1
4634f9c2904f324e283a0832e745e1f60f8e6b30

SHA256
7e654f3d94bf77c0698e44f465921139c8ed37c29934bac9f16b9617ec9a150e

SHA512
d904002f65a38a837138c27c8bb706e3c5757f8c4c2ae4a6a4856c2fbd80983c9c34e24cadf91b487aa34db10aea6f0940106b8cc868c9d0de4a40514f3a635e

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
d08ecd8e3c33439e4ec08946cb016cc3

SHA1
d94edf04b0f810d086b6c56bb576f2de1c123cd4

SHA256
978d683aafc06e26496d70ced247368577acd9da65cfe162a0d0abc81d33298c

SHA512
a1a74fb9cc1ba8ff97f7cc73f9ecbc73d951a053b0c6073be35186fe989665795e2561d6d120cd4f8ca92517bdf29d808ad567e75aea0e2285437bac4ebb036a

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
67463d1f6dbafd5680dc7d692a0f8a3c

SHA1
54ba35f280a65f1b67a40e89e7992ecf3c40b9c7

SHA256
ad7f0b918f70bb124ee1fdb7de2d657dffd0d5350c2c9ea545c573731df7d531

SHA512
f2e7f017998711e2da1fe79fdc898b20f38795041f04f43228896d0206d9edd73515c57e3b44f33f3f9c50e3f1ffe83f8f905b042b72b5e713bc7b1b6d61ca67

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
25b5fbe4bb082e3c453a8d528456a53c

SHA1
6689d716d5114496445111bda5f3d180310aa81c

SHA256
61437000c1a62c80e804d8bc42aade5c664d50375b418e03f7d0ec56d9ab2ef9

SHA512
05656ea8a6c09a63d5feb47750340091f79e8b3f87eed78653a74ea9c372e65f492861cd15b9cd1292e6d5807a964435ed75a6af9657df4cee777b6e8658842a

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex

Filesize
308KB

MD5
af76bf112a1486f959993ab101d1dfb3

SHA1
d38bd79b0d58135807b7e9038f35e099bc8b18ac

SHA256
9a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326

SHA512
de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex

Filesize
266KB

MD5
1c44e8e0e2db37651e10a075ffdcfa22

SHA1
533915cbeb1f912075f5cdb7f77d0310d875d40f

SHA256
ec90a6c423e42ba5fce0e72dd68e623c388870eba3a3c98358d6a749985ed192

SHA512
7541ede26f7dbcaa2cdd92ca05a4415340901354c422fbafa4aac3424e0a365f2087656c0b873a8934976d4f63c35fbf9923babcab39a1cafc20baba4720d391

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/efja.fast805.touchs/cache/logs/log.txt

Filesize
83B

MD5
f69771020fa1af0685f24da95c833e0e

SHA1
3fd62bf4d384854160859b86896d8d5994e647f8

SHA256
53ded5c9ce648b5f76de94949f8b0002e53a7e6a4039bf8faa618615d9db9d07

SHA512
6b08db6b66f4dad8e248aae8473cda32b64e5340e755dd3a1131c6771bb49fe84aab46a52f0acaa124adfdee2be6e4f0e1950b33287e1144d00cf0bba3339de8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads