trickmo | 26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb

Analysis

max time kernel
143s
max time network
151s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
22/03/2025, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

7.9MB
MD5

f525baeadeacf35b7ad1a678704ddad6
SHA1

6126abb50a4842799ac33e4a39434e43475a6a0d
SHA256

8773345e94b7f8ec7ed5515e507f72ad7358ecf7efca360a719ac7a39d18456c
SHA512

daa597e2f6d2eefc9fb8f7c349b6a51a9e059a3a7d90ceed9f6c7ed71776ebf4a2b7c8aeabd984f800420cf3cdef0f3526dcf0685a94db7380bf0df2bb4cab7e
SSDEEP

98304:wNDTv2Eq7sH83EhsrdbQ6r9dFb2LhqtVTKMiXPGYMKNG0rz4fqW7HCfGsG+x6zZV:ubc+8bQmO0XTg/GY5NGxlJPzZvjv5Lt1

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-always-free.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json	5164	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex	5164	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex	5164	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex	5164	efja.fast805.touchs

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	efja.fast805.touchs

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	efja.fast805.touchs

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	efja.fast805.touchs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	efja.fast805.touchs

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	efja.fast805.touchs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	efja.fast805.touchs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	efja.fast805.touchs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	efja.fast805.touchs

efja.fast805.touchs
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5164

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
21c32f1c942e4042d945422612bc878b

SHA1
33abf93c234aead3770df1ece78bf0802da9f667

SHA256
f8076c7bd8963ea1d98939e6b047fc5f11d43c5119533b2136789531d498f347

SHA512
9c6860f3e9bb4d523704cae8604627016bb06e1ff2593ff475a3c2a141cac1be22624ef67808582d5ee15f7055152fc399d966df613f89b1be2e84d64dc9f79f

Download Submit
/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
534f0d2a0aa52111ec0ccd561f57c578

SHA1
b06fdb7079904e2b0a8f56693159678424c474aa

SHA256
6aafa7a8cf9dd18d1a768073d12e1996cd1ba055bc4c8a00a162a455d692e0c1

SHA512
4f46211fffe9953311adea27b2a0a7781903f90bb280488458814943def9bdc7c4e2a89cb647797d0c3fe2ed600c2de4ced84aab2df2319138742690f54d5c72

Download Submit
/data/data/efja.fast805.touchs/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
93e7f88ba7fd4f0152e8e5dc56f1acc0

SHA1
f29883585567a32fe4d487e5df14173c39c09e65

SHA256
dc6bc98e7f294d8994b3120cb87c0ed1d998e559daab810a68323a8968c60c2c

SHA512
be40cb85f75181627e2e4f7fb01e371ad4ce5051416d7e931ae45479a1357526e89a017aa461de03076c0b650eb5c851c239e88556677e859bb9b7c28e48d745

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
512B

MD5
bb2dd70a27930234c7ba942d90f79b5d

SHA1
d25f327780aa229101f68540c63c40c038a9adcf

SHA256
8f1e5907296523991136bbda1d69e4e4fff76bb99e20720888a0c15c8f8ff062

SHA512
a96e0168f32651d5df5323ebfb5242e7ec1bf195b0c7a8eaae4172e58d985eb217730d2da7d27af6c82421554f51b7c85efad25fd31615e4410860d13c39c7d2

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
9a6467585141a0e0dd79aee04e342515

SHA1
d374a3d0ed64b79bcdbcc49ea1fb89a783ab2ce9

SHA256
6756bbc2684935de1f9c0e0c978aaa7e5d5b51dc77f6a47cfcdbe50d0f90e118

SHA512
e6693cd71d5f922b7a41d857d57bacf46046f768bd41c20616e67ac20c7e0a5d6613b990c7556a0d125ed978ef672a283025133f580ba2d9a5655dbf9fac91c7

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
91bf8e0f193d3264bc62b6f69d9fc097

SHA1
9bcb2d9a93b727769017275dfa31b40ee687c590

SHA256
2adef5b843a6b1947ee8085c68574b5f8090c537c00a4cf4889acc85f39ad1f1

SHA512
6abd1525922ba5e6139d0a0a5cead1c730b809dded1cb73a9d4b576154c406ace48dd60794c66bf697a1390c7780902ea4a934b51e95cdcff295623716190497

Download Submit
/data/data/efja.fast805.touchs/files/efja.fast805.touchs

Filesize
256B

MD5
148d435b8fabc855fceabd4f08b41214

SHA1
e98a7a940106c0856807a071792ab12870511dd0

SHA256
3e610da173fa8af18aabce97ce8e4437290218d1a2cc94fb9af6fe8794bede93

SHA512
4c44096b07bda17ffceec8b4953172e736e6390717ba873f12c0b3137c5593bbc37d7f977113dc098d45472a251058805836320f6b8b8200348919cefe384caa

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
c0d093474965bb77d2c415ce0f2f413e

SHA1
0970c7c0a96d5a8c41e30b09bc5012e80963c3f4

SHA256
4ed532218abae27e7f971f0452369b2882e14543f526edbe13c74b475071871b

SHA512
cea91dcbc99746dcba834a7bdf96da1b285dbd5e79a5fec3bf0040716690ed299289de76b54201f529373f27fc16e674587e765f8ab2f4c95180aa81ec424bd5

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
1578b2be56b06d2a962a5a8a8ef64c34

SHA1
442a8c513c8ad0a020eac88c25333746effabb0b

SHA256
de91d75725491fa909508c24ab4cc7d75e6fc3a2fe3d680bd5cd1ae5f0842519

SHA512
9bfee34ec4f4aa23994c9ace9e16a120d96f279159d1bb1b08e4319ddcb2c012c7f6ff1cae8f9f2d87058f1df4cd00d7876909e980e89eb04ba462240272f4b8

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
16436f80fd79bb5cfe0568879c3fe4f0

SHA1
3f9b187bbd894d1c34d40dad62e062201f465763

SHA256
c65497d66df3c098ce0c172b9e944f985f052ce57916f31f5f445d40583df4ce

SHA512
70fb08e311a3fd5f6b2c5c3fa4ba1ea5e80aa040bab38d4eaf76e7b07b912c29075603f4a7f63679af37b7e7320fd7cc1da06f4bbe293e4e5dbb80d7b965c8c0

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
e37b6f8b59d889464016f8dbb3fd81b0

SHA1
cf6d97fc57253af877e3152020167e94e9868726

SHA256
d7a9ad563f4be1cf6d0bdcb302ce6ed4f000e39bec5e5edf2c793cd9c54adc6c

SHA512
a50136f1f312edd27b3ba75902ce28b58c96f6e132b55263d6e93c08b1f9da8dead9ba56b5a0ce43839db97d965f8030ca8b3e4b59ad71fb689c5dab8e5e5cd4

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex

Filesize
308KB

MD5
af76bf112a1486f959993ab101d1dfb3

SHA1
d38bd79b0d58135807b7e9038f35e099bc8b18ac

SHA256
9a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326

SHA512
de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex

Filesize
266KB

MD5
1c44e8e0e2db37651e10a075ffdcfa22

SHA1
533915cbeb1f912075f5cdb7f77d0310d875d40f

SHA256
ec90a6c423e42ba5fce0e72dd68e623c388870eba3a3c98358d6a749985ed192

SHA512
7541ede26f7dbcaa2cdd92ca05a4415340901354c422fbafa4aac3424e0a365f2087656c0b873a8934976d4f63c35fbf9923babcab39a1cafc20baba4720d391

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/efja.fast805.touchs/cache/logs/log.txt

Filesize
83B

MD5
f69771020fa1af0685f24da95c833e0e

SHA1
3fd62bf4d384854160859b86896d8d5994e647f8

SHA256
53ded5c9ce648b5f76de94949f8b0002e53a7e6a4039bf8faa618615d9db9d07

SHA512
6b08db6b66f4dad8e248aae8473cda32b64e5340e755dd3a1131c6771bb49fe84aab46a52f0acaa124adfdee2be6e4f0e1950b33287e1144d00cf0bba3339de8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads