trickmo | de2f904d65eba7777a07c589376da441bbfa08ea3b42f66f558f17ef25e52198

Analysis

max time kernel
54s
max time network
150s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de2f904d65eba7777a07c589376da441bbfa08ea3b42f66f558f17ef25e52198.apk
Size

8.7MB
MD5

9b231942e29f923ef4fb97282f0f2f45
SHA1

e5a47a7adf82646459dcb07022ff7f8416e90afc
SHA256

de2f904d65eba7777a07c589376da441bbfa08ea3b42f66f558f17ef25e52198
SHA512

5e9f5319b2efdf65ce5b76858445c910cd6b787694fb6cb5e43f5ea4103f0bb57d9f8f6246fcd99e885e9355773fd54e642253a410b40049ce9b6d0b7223fb15
SSDEEP

196608:tZgnrCYktUe6gLshD/xDdhhVKGcME6JI6ynpqOLjv5Ldh:Lgn2d6FD/RXhVL3E4UPHRLD

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://monster-truck-mx.info/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json	4441	orkei.ti981.pay
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes2.dex	4441	orkei.ti981.pay
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes3.dex	4441	orkei.ti981.pay
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes4.dex	4441	orkei.ti981.pay

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	orkei.ti981.pay

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	orkei.ti981.pay

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	orkei.ti981.pay

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	orkei.ti981.pay

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	orkei.ti981.pay

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	orkei.ti981.pay

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	orkei.ti981.pay

orkei.ti981.pay
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4441

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/orkei.ti981.pay/app_ordinary/UsU.json

Filesize
5.2MB

MD5
b4122e39c8294ee9d31d50d449d63f3b

SHA1
45b43b7a92109ac0dc68f408c721c324ca083038

SHA256
f2ac7eca10fa7bbebc5baeae00dd962326265f56b7a45f346d0731a8b173d8f9

SHA512
3d825fbcb80086711030b8f2cc21c9b0b78e9e5c45bb10c9631220e77c1cc41d6c2eff1beac87c12053b92b8175edbc81c1b6c56d96c85293e313bf293f09e22

Download Submit
/data/data/orkei.ti981.pay/app_ordinary/UsU.json

Filesize
5.2MB

MD5
d930f180f1870368fbf3ba540d294141

SHA1
bc00472d426503389dc544f35c5a319f57d3f638

SHA256
e36d07269561bdc7175c07e690d2785c3940bc1627f8ba0e811e32f794575343

SHA512
8d9758c1f86cc89d43e0585ed053edd21a2c523d5801f75d7f99cbd503963e418cb9e1eb6cb05de91a7ccd5252405ac17c793406247f575a44d076d1dbed0722

Download Submit
/data/data/orkei.ti981.pay/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/orkei.ti981.pay/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/orkei.ti981.pay/databases/a

Filesize
20KB

MD5
279f42dc900f438a29f1f64d458ce18d

SHA1
fa7d7024c63bedcb15edbd2b99e5a143ae3881b3

SHA256
8e0292403a1001e60817961c9e758bc72267a83aa2cecd0a0fbd77bbee9220a6

SHA512
7f23b625cf1f52329d279befbf9abbb32342f835b320d0766ef0ad2fe6e16f570b064caeeb4bbcb867325f91652e3a403aa79cf7ec16a3f8196e9df70a3e1bfa

Download Submit
/data/data/orkei.ti981.pay/databases/a-journal

Filesize
512B

MD5
104cc8fe465ba386b5ef1fd76989815a

SHA1
089dbd397e812f32b3ee056a1658983f06ac6c2f

SHA256
2b4804a258220e91bc60ef910e451b5307fece02875670c87b5daee4dba6748b

SHA512
810ef65dcb0547425f39ff457b0f71f6251702250f7556f60146e2156a6edba8e6fcd0efa8a1efe9827e2b78f8d3a2801a61928da635dafce17193e8dd855acf

Download Submit
/data/data/orkei.ti981.pay/databases/a-journal

Filesize
8KB

MD5
0b87b91b4b4cb83fc40dcbd80e54ce34

SHA1
14c27a0d3f007425b8caee88cbb0687e20d3c630

SHA256
b1bd905504c4f6180d71bbb7cad3b23138c0de05973a6872a9c860661f99a9c8

SHA512
84f8a04f4ebbfc10dc81e9e4289f60b8715b2f93db6f339dd8ab91cdb8ce08d52c9c4a93724c20f30fa43f41653d475d4466d441025a2dc88932bae74848105d

Download Submit
/data/data/orkei.ti981.pay/databases/a-journal

Filesize
8KB

MD5
79dbe1f8fd1e267b0717988bb5884434

SHA1
6391ec2a8293cbbda2100c33d964b01b8118f5ce

SHA256
11b8ae063b9c7f581c83b6613419a739adb9510e2c04386740420eb2c0f03947

SHA512
72a2fcbfe68ede40986cd6ef055728287c31f96a17370fa9d491777da694ddb0ae49ebb33ba31c7e0b67c428e8750f4889a545c033aee044569488f133513c0b

Download Submit
/data/data/orkei.ti981.pay/databases/a-journal

Filesize
12KB

MD5
f477cc4226878e889062b72ec26ba951

SHA1
e1d98ca61dad3ebb8c8e3c8abe9a8cbaad7e2932

SHA256
3c13841891997bde22e14f8e1889809bfb0652ab002bc3b27ed67afd93a4cc6b

SHA512
4e5f2bd3b0b36c10234ccf995a6e9ff30d8502209418f4e201a8c13195c272236742840f1fb441352a7a55bb5f2dbb6bbcd6a8fa194f24d29e46650828a52cf9

Download Submit
/data/data/orkei.ti981.pay/files/orkei.ti981.pay

Filesize
256B

MD5
f6e1508c91cc9eec97c51e0ef996d905

SHA1
8d4c7482de5a0f5dc1d039aefae8f3db0e794898

SHA256
9458cc46639edd973eab5e49263080c2e417f708f662a102783f5f3550320447

SHA512
d16335a34ded44eeb903cb772a696fd640a0eb2371397b67f846f04c47c5f7e0044942e30925bdaa60b1e92760f279bee22d88b4a371a212545b2189de3cd14e

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
bfef01cfce2d48d682bcb367d4512e28

SHA1
c6930cdd4c21213af676eb8f5ec49d5e77c4d391

SHA256
b1ac4375055acc55c594794538f8e4720a386820383303643f9f0d5bd07ab1cd

SHA512
4f11abb609b97c88f71fb0164ef854defcd79e0fbff023150d477b309fc1046a2e202527f9785bc0d8c9bd4e9acd0972506d8227d716197446dd029b2b1abc31

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
914423229d73f383a72452bfa13ba76f

SHA1
5b469cfaa022c60b6e0fc56735a884406467ebbb

SHA256
5660124b9b79273ed6c7f1e6a87f80ef72ab9afe83339f53611bd03d51182e5b

SHA512
11b1deb8465cbf254b63f4d5c0538092259217e6382766e23b9f71826476db3cabe3347645a2bfecedee0e39b8f5d2ade1a6e13f81dc4a0d92096851b1131f9e

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
6b82e8cca66a8068873c71ee9ea5f994

SHA1
9c64d15b9a6317876b2af14de1963bf6836f9a63

SHA256
48ff7ceda5155b893c4dfcc6fb574b61220ef556658670776573c9ed005af05a

SHA512
dbb834e773ed704a5beecbffff621258a9faa2cf604f976c90adc36c8b3e994a78168975f9433e5deb9a090a6ede97af7ed06f17c1aa077c12973629405c497a

Download Submit
/data/data/orkei.ti981.pay/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
35bbbb82f6f4bfb0f03dd87e07a2c5aa

SHA1
61191a09afb22a7bffd4cc20e4444123e2bf88d7

SHA256
eb9267f8ec0fabf31788144898d732ba09c5a430863c1824b08f750755916bec

SHA512
44cf06dc120afa59b7374e3616a0df9adaffcbb1d3f4b704fcbd0549862a719847efae5a516a171dd668e8acaf92dc34b5cbe533380242e29189072d1160f72a

Download Submit
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json

Filesize
11.1MB

MD5
28041432b0c51e3e887643272629c83e

SHA1
fbea5dfc62f03e1ff784b410ec0d547de0e8156b

SHA256
85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902

SHA512
7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f

Download Submit
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes2.dex

Filesize
351KB

MD5
09ca76eaccf11fb9b5769ba60ab9c278

SHA1
7f0e71a691459dabfac24cf1efcf0e6d04ee2d7b

SHA256
e9b22b9dffc776ab692b527cd7a4b0d2cbbdc74ac73e8f40adbdbab6b8e12115

SHA512
dd4fef6aecd6330ae1d9926e0549e383758361a05338d0520a29ad69ef4b8c69a1e6142d99adb70d4f8d8341aefb10ee989e83d00d894ddfcff071958450c13b

Download Submit
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes3.dex

Filesize
265KB

MD5
0807e30b8ae3f6dc61c13bd56d2c9a03

SHA1
44f859d7c1d180d658e829d04126a39c48269ee6

SHA256
2df538d987437436baf41fadef8a4e17a1ef19f96a002372d001ff7d4ea227ce

SHA512
0dc29f85ce95d2eb3e8e9718f01f5b624458c42cca80ea55edc5d9e09410e01491e2f98603e86468fb3a2706bd6b9b100766d78cfc0f968cf4504860db016fd2

Download Submit
/data/user/0/orkei.ti981.pay/app_ordinary/UsU.json!classes4.dex

Filesize
1.9MB

MD5
2d73c5997273e3910c1ac1d8db7ba145

SHA1
25737e75ed15863e69d02a14efa781370dfec798

SHA256
411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965

SHA512
7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a

Download Submit
/storage/emulated/0/Android/data/orkei.ti981.pay/cache/logs/log.txt

Filesize
16KB

MD5
27ddacbbaee4888606f0ba69358b91e5

SHA1
45935c1ab885a8ba5c70a50abc9bf2bc185944dc

SHA256
d60d662276e62edc0c05fd852eaf77936057e1df0c122c21ce84e2aa3736554b

SHA512
cd815f899500de45fce0f237d24b4f049deda5da58351687698c2e93af50a2a997afb335bd0eec2fa26f991067a3be8aa6e899df1402040493046d99233085ad

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads