trickmo | 26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb

Analysis

max time kernel
142s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
22/03/2025, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

7.9MB
MD5

f525baeadeacf35b7ad1a678704ddad6
SHA1

6126abb50a4842799ac33e4a39434e43475a6a0d
SHA256

8773345e94b7f8ec7ed5515e507f72ad7358ecf7efca360a719ac7a39d18456c
SHA512

daa597e2f6d2eefc9fb8f7c349b6a51a9e059a3a7d90ceed9f6c7ed71776ebf4a2b7c8aeabd984f800420cf3cdef0f3526dcf0685a94db7380bf0df2bb4cab7e
SSDEEP

98304:wNDTv2Eq7sH83EhsrdbQ6r9dFb2LhqtVTKMiXPGYMKNG0rz4fqW7HCfGsG+x6zZV:ubc+8bQmO0XTg/GY5NGxlJPzZvjv5Lt1

Score

10^/10

trickmo banker collection credential_access defense_evasion evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-always-free.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json	4600	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex	4600	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex	4600	efja.fast805.touchs
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex	4600	efja.fast805.touchs

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	efja.fast805.touchs

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	efja.fast805.touchs

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	efja.fast805.touchs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	efja.fast805.touchs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	efja.fast805.touchs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	efja.fast805.touchs

efja.fast805.touchs
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4600

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
21c32f1c942e4042d945422612bc878b

SHA1
33abf93c234aead3770df1ece78bf0802da9f667

SHA256
f8076c7bd8963ea1d98939e6b047fc5f11d43c5119533b2136789531d498f347

SHA512
9c6860f3e9bb4d523704cae8604627016bb06e1ff2593ff475a3c2a141cac1be22624ef67808582d5ee15f7055152fc399d966df613f89b1be2e84d64dc9f79f

Download Submit
/data/data/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
4.9MB

MD5
534f0d2a0aa52111ec0ccd561f57c578

SHA1
b06fdb7079904e2b0a8f56693159678424c474aa

SHA256
6aafa7a8cf9dd18d1a768073d12e1996cd1ba055bc4c8a00a162a455d692e0c1

SHA512
4f46211fffe9953311adea27b2a0a7781903f90bb280488458814943def9bdc7c4e2a89cb647797d0c3fe2ed600c2de4ced84aab2df2319138742690f54d5c72

Download Submit
/data/data/efja.fast805.touchs/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/efja.fast805.touchs/databases/a

Filesize
20KB

MD5
57baf3e42a94e8dd82e267b2f0619330

SHA1
76512dd29fbaf3cfd2efeae0ac2ab5108b81af19

SHA256
49a98902c1ffb97354f0e8f0f9208b84dfabaa826635f6ade1fc782169a3ec7c

SHA512
227f9d10a39fb0d8ae0a562e3b983fde44de62b3dbcd577172451e0e1f669e5721ba653c324af7c4d022032edd951cc417805a4eeafd5e84f28d378b9126a690

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
512B

MD5
3ed13a081dd04b0faa8be9d9b26e40ac

SHA1
be6e8369ad68e1093502ca58115b50c7f56d402e

SHA256
473851fb0e377515ad403cca549966b682db832c739b8322cf4d2de6217e0812

SHA512
829a9942c43542b13f04c7b754d33dd603124566dc9f948df863b17c3cf3fdf222a893ca3614a59707b794240c242d32ece291ac4182dd2552bb3f19ebb7a1b5

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
9e4fae05f944e9c4724299543304e754

SHA1
e26cacf16c3365f27f2a0a8a1e386d69935c56fb

SHA256
9f037f32fca79cc17f4c5202b22e8c017fb8a0cc3d55373772afd2fab40b1faa

SHA512
53530d9e06dae4bf1da69e51ea156418f4b82204ee0a4de24d257435fcc41d2b69473e853d233478ca53abed37f7766241b4bf23a2b709c5a846924331f8b2b3

Download Submit
/data/data/efja.fast805.touchs/databases/a-journal

Filesize
8KB

MD5
6643ce6c9c1b9b6b95a2d09a30201606

SHA1
d4ecaeb4f01291af74bb05f0629bf082fe15b1e1

SHA256
497d2e0fcc4e6a2f44e1f2642469fc20f6685ab1d794b1be306e7fd2493dbe7e

SHA512
8e32eda1e36844966f17d4d3d840a6a5784b866e0a116533452bc215e95459056cfa09a6c7b0fb7a98e5e8454056bb02a1bd1e869e4efa372c75991b486f0b61

Download Submit
/data/data/efja.fast805.touchs/files/efja.fast805.touchs

Filesize
256B

MD5
fdb4f43ea6c3c0c449271e0c74462030

SHA1
b16c142724c3d464493838b6af065d6c9013bca3

SHA256
8a2df30b71e52ec5806637985e198d97f9732edbfe11f0b5f2974c8437dd47ff

SHA512
d2db7e8a742b928f0334d2c1241994a1f6d8f5721002bbb201fce84a01a7fcbd889bc13a5d0a9a3deacd84eebc9ca6cdb5d9bfd017299e470ac6a8f112c31050

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
d0b1b5db89ff6bc9dc2fbf5c09e60ee8

SHA1
5eafcc1bc3d3bb418d6cf65f7187e7ff24acfc6f

SHA256
7022910391d8baf4229cc2a5e5c1e0dfb380060979afb2a913d37911b6ad367e

SHA512
d02fc7374a58dca61d11b1c7026b661cbccdfd5ef8ab61b6e1b31d7c1421fa2cbad8106659bd39affb047ab5d674906972cbb4ae3e4adef32c452e137d503b64

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
686bb7eef6fe75e544ada0264b8f4687

SHA1
b5fc6502ea8c7b505db5b16294be4419151d8b17

SHA256
935418acc0ed857efec8faeb04407ae8ffac68e2b0a64aa799ed4e78bd744f47

SHA512
eccb83b6a664ac18924c9d00a9d14b7a5de6f9c10663ef2d3d9f7a5fd3d4eea80af2d8e87fe801b9c07209e2a07d78f609c3da35daa7a455f6aeaf56b2ab1ce3

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
842a0d051a627e900570594e6ef8c0a8

SHA1
67571a8ab170073a2c0978e176d050835f858b98

SHA256
16dbe0e4be931f088c3a8210fb41993c4c9e9166cadd0ab84c2f5cdc0af4eacd

SHA512
ac6383df9ee16b932ca5143823056b79f9995ebe1ec0f6040c0b87cfab5e65199eee0721b25ceb2231e273feada13838f67f9cc943b164284baead0a177f8e1e

Download Submit
/data/data/efja.fast805.touchs/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
ceaf03eb9bb10e7fa313b1b053b853fa

SHA1
4cd5c8b306624337d33e814efcce5e858c7a2bb4

SHA256
816776772478a7db7a643e62f23aca98c6c006c83dc0136a3604351109bff38f

SHA512
8088ad96e73b76535802c6a9ad750025f9e62d0d0248798fa56fcb76d17bc836efb43bd53730052119e17f82186ecc4cd6e1e17b25cb4517285cc4e46026e394

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes2.dex

Filesize
308KB

MD5
af76bf112a1486f959993ab101d1dfb3

SHA1
d38bd79b0d58135807b7e9038f35e099bc8b18ac

SHA256
9a149d4662611b4d051f7b4c53b4581f840ee6494eca90cc29bef8bef4b8c326

SHA512
de3a977a5167c361a46516739e8e18ea064749e51a72eedaa0470064c8577c8d7b72d5a5bb7fc83208c1f6a6d462aaf2014d4ca46a3c2ba95063f25afa337825

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes3.dex

Filesize
266KB

MD5
1c44e8e0e2db37651e10a075ffdcfa22

SHA1
533915cbeb1f912075f5cdb7f77d0310d875d40f

SHA256
ec90a6c423e42ba5fce0e72dd68e623c388870eba3a3c98358d6a749985ed192

SHA512
7541ede26f7dbcaa2cdd92ca05a4415340901354c422fbafa4aac3424e0a365f2087656c0b873a8934976d4f63c35fbf9923babcab39a1cafc20baba4720d391

Download Submit
/data/user/0/efja.fast805.touchs/app_idea/OXkJrO.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/efja.fast805.touchs/cache/logs/log.txt

Filesize
83B

MD5
ebaa3044d81aaf39219b61b5009330c5

SHA1
01564e96a4f0cc13f9fc8027326c7cc294730e12

SHA256
a75e88b2a30d2e324236b716f6ddf3e5a2c3967ad8af4050e07b6343e86d2d3e

SHA512
ac571ef5698d5c999e9d023515b1eca5213d5f2aaab50d664aa55eac054733fac2b00d4f564efb67e7a48cdb822f771d68c24eae4248e23a1ccdb66d1bc52517

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads