trickmo | cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0

Resubmissions

27/03/2025, 13:56

250327-q86ddavmz5 10

27/03/2025, 13:16

250327-qjakeasvct 10

27/03/2025, 13:14

250327-qg4qgavjy4 10

07/03/2025, 10:37

250307-mntbjazlt8 10

Analysis

max time kernel
79s
max time network
83s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-de
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-delocale:de-deos:android-13-x64system
submitted
27/03/2025, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0_2025-01-31.apk
Size

8.1MB
MD5

c889e75eb26de5a53531ca1d799a777e
SHA1

4c9ae2c8bc9a2bc02926ee2a9a49730881907a69
SHA256

cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0
SHA512

cbe94441f6ea06b1c9c9de0933e9755d3ac7deb3197d795570cde4d0680c87f25c8c3e34c189a8b8d898b8afa9140093dfbf731852cbc6bf02cfc03c00bd5941
SSDEEP

196608:5erveQWOfAMidD+traG/iYVS9MEY2HWv7ecSb5xW:47eQqMidD+hjpVSe/2Uu2

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://mainworkapp.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/aner.fos540.ex/app_fragile/py.json	4512	aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes2.dex	4512	aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes3.dex	4512	aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes4.dex	4512	aner.fos540.ex

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	aner.fos540.ex

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	aner.fos540.ex

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	aner.fos540.ex

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	aner.fos540.ex

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	aner.fos540.ex

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	aner.fos540.ex

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	aner.fos540.ex

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	aner.fos540.ex

aner.fos540.ex
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Requests enabling of the accessibility settings.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4512

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/aner.fos540.ex/app_fragile/py.json

Filesize
4.9MB

MD5
aae2fff1e66e2ed7098e6a244c9fafc9

SHA1
cb45aa08a26f26d57e4ff2c38c87445baddd88bf

SHA256
1f4ecd2ff4e128f1ff3da8e59d77d3b64eda9ba8514d76abae1f786bbe65420b

SHA512
757310e3bb6855040b4b2a631f221e806721f5666257add6bf834c29b37a19fb953c42d3d04bbeedcd53d1ae1a2337bc61e36db046e46f1de18103e324fefb73

Download Submit
/data/data/aner.fos540.ex/app_fragile/py.json

Filesize
4.9MB

MD5
ad4a8dddb4b956662516a5353912f97c

SHA1
52b4eee991f8eac17572bc57f2b06dba9a6fddce

SHA256
19fd2538eb94df4e5713d9bca304527c08f27a84118ee583fc263cda1ef3b10d

SHA512
37ce05314e1e2a0edbe07f91208265e3c35a63142da54f60732736aa9cb8201dc78025682cb489e0e607826a21df38932ddbaa199fc86d246a91f42a614b2dd4

Download Submit
/data/data/aner.fos540.ex/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/aner.fos540.ex/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/aner.fos540.ex/databases/a

Filesize
20KB

MD5
6f04b83d573f63ed1ab257f14b30b5be

SHA1
78ac3d46d4ae006f62c1fa4bd0717e475e97bc09

SHA256
fc276f5f05c5992794e24ace5d372217119d1f559b5efbaaf097ba2af4232969

SHA512
68a4b59feb1b8c762524f827d79da63978e92cf9c2c67ec193104c2781dd98d29fbc8757971910ed0092f3c86da19e5d07d3121afe394229ab47e965167dee5e

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
512B

MD5
c719478050699d0f5b79199ae53a7220

SHA1
d12175707062cbbfda421ccd0088ac86029addd0

SHA256
e6c97bfa87d614b74f8caf058dfad3e2086ea8aa4888fcd65368d6aa26d7fea3

SHA512
29f61627923c6dab44538444c7f05fe3cf1802ba389c4c7f3cbca24c158160700c7b2c4898112283a5f4a63db5c677e581a34e0878b2f9a7af8e3a14baff3f00

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
8KB

MD5
d37db47f9b6822e8a26b8b540267ca8d

SHA1
9ea963a1e9715e2c3c0ecd947abaaf5c07e82a94

SHA256
06529a72411f6939bee7d8fc0410bdcb9f763a898267042e1bb6d383f87f5ff3

SHA512
7a703cb7735e8eac6c6ee82860ff51f334e7f72e2bd366f44c89f65a7934fe6c3900d8a1b2477b92a7ed8fc91a5e0c1fb63a211f19b16fa643221053509e4efb

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
8KB

MD5
e9dae7f47e5b250300e5b0a75addc1b3

SHA1
8c7a00deb9c35fe48d961500bcdc9ac08454eaaf

SHA256
ebbf62df82ce230885465b1751426635458c33dbcaaad1881dea0017e1f41abf

SHA512
50b76e55cd649fefa7783ddbab5b7c0835feac74053374b2dce63c52c797ce6e7bde186ee4f9ca0bb28a23714f124a652503f4e775f006edd8529f3fc4f38dd6

Download Submit
/data/data/aner.fos540.ex/databases/a-journal

Filesize
12KB

MD5
e004e1e46fa9b5f612f69059f5bae875

SHA1
e2f4a3fce27c726829009ba57c259aa205a6c4f0

SHA256
e70eaa50fb42bf8bcc3fb7c289c90a12b6f707dce14ef676216088cb4761fd44

SHA512
234b27516d4746632b56f55d7f8cffb8dfd32d7881ebc9fd267b1743ef01fd295385ce0d109c4209d08df59b5c2d5b1c3d473c5a3565691e7594b8166f971b89

Download Submit
/data/data/aner.fos540.ex/files/aner.fos540.ex

Filesize
256B

MD5
3b11ce08b093a10e81b15652dca9ff42

SHA1
1d26ed946fd59ab9865b80840a8301e9202fec11

SHA256
adbe5a2a83f6a51267bea59c9826c9f8bfc81fa384bb5a31935d7e6cd2f57c0f

SHA512
fbeed96ed51e17afcde6eca3a2e45f3b89fdac5cbec38515d84c9309a94daa2231c3cad8cfb23ce80ccbcd2099d8481914c0b0aa5bf9a62427e0edb47e273ade

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
777c29dd46eeeb56f8af56fb09540d0f

SHA1
d59b935e0b266fab63db73feb76f618c40d0cb26

SHA256
1b728bf6d29f0ac9f43c6420893ffaab98ed8aaf5bf5734bb3ecd363a4f721f2

SHA512
f47ffa097e3e3ac6c33e44014d6b6f8ef5e8bdaa867b89fecb68b6f7cc89c30eccd5bb4dd629ef2f53bc03f20575d6d0b59368f2ec490f9ffaaf2b362e660dc0

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
65b65bf4fa9df7bae1433c55807a95b9

SHA1
87545ccbc78a1401c6b82f90ccd4a6b2cb469d32

SHA256
993af23b8e178e9f197a758688d92c39352f13d5ac242c3242644cd996174364

SHA512
2747b08c05ee7861954d573083fdc36aef09ec7d71e469a84af0799e99a3ce44a96b73369db7797ea010e72cc40f54b77380a6f563d9f1ed08ab04b36b34655b

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
735aecd54ddb622f3abdea5d23df5544

SHA1
1ea6da6b8ba8c3fad2c030bbfe17d3cffc7f3deb

SHA256
aa3907b6422917d3c61a95f28957faf8b3789261d3e1c749afd64d9925f1e4db

SHA512
8b4c96e75894dc7fda3191a4fd4cb6b4fa733aa08c710414fd7dc104d7c1bd22c01ac7ff9c980b671a4aa5ca49376335fdfdabfc90e9890582db70b7a910773f

Download Submit
/data/data/aner.fos540.ex/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
e6ab37de80476449439da3b04caf3177

SHA1
11779e8d2f9c86c892e691b2a310e60eb8588310

SHA256
66546e23d28cb91d518684880d7223b29432dcc3935b2ff37428d1e75d5a8b04

SHA512
712070ef58ef42374948c95ee9946979572883756c4dca4b3d90f922374170bdca88758a58fe8fb9b91369f393b56b722ef7080694a94212c3fbca74c968d598

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes2.dex

Filesize
308KB

MD5
87fbf4277c7b1354b07ab66e7841e5fc

SHA1
f171167c1e22209bfe6f8e826763fbba7e2dd195

SHA256
d604f9e58075636656da343d9efe1c1af4f225def49e4d288fc8a7442cb07555

SHA512
c74f9f44d6b8d4b3c78b79a2710b66ebf851c6401b8e01926f910e44e4be7ce911286b385558797802eba7ae26b0d0ed06faee79e9e8bbe8ca798f7ce4e4f9fa

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes3.dex

Filesize
264KB

MD5
336b36c9bac9108ef167e46ecd780cf8

SHA1
2f2053b4858cbc16a7fd71634187b829e816e3ec

SHA256
f144ad2da806b72948617d8d35426c21fb682d58c20c5002b3d41eefd80a07b2

SHA512
faaee8913953353783666ec7917e9cbb6774c024369e069de530904a3664cd96ddf7bb0a4b261f7aa8458b33028b39c3af7d66fb62bd3885e7f7fde001c67401

Download Submit
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/logs/log.txt

Filesize
83B

MD5
7c0ee412af4ec38af8e63c5f16827604

SHA1
a32d3045f152e12ae9534b4a166f2467ee8cdbb2

SHA256
58f5d48f1861fd4fd45444142d3d831e4ecfe3354be96f7ff1f276ed174138d5

SHA512
d32b8b43f8c9c059f166bc52da7d728820d2ab150b0b9281cf59a0539f5e79e7a08253646640df144b1956c274f4ef0c91be6316dbabaa32cd73315498d4575a

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-03-27-13-16-05.txt

Filesize
63KB

MD5
956a5b9cbf99bbba53fc06bfb6ac8f50

SHA1
4b5b9eadb5b42dcbbc7a14539768de4335c01b3a

SHA256
f045ae118c9a964a0d9993d0b153f086869a00b6a1776f5d0e2fc7001d97c4db

SHA512
911ce8c11d451f6a7eb02fc3e2cac02fb48472f3a3cfd2b12e86282548c708d60af2e9383a06287a6bf61c8bcc4140a487c265da6f770998834e766f9aca5cd7

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-03-27-13-16-05.txt

Filesize
95KB

MD5
6670256c3b457c03030c676c349158b7

SHA1
859e8eae14aff73d351848b174bc3406e8768b37

SHA256
bdc9cd8e113eb1a30ee29a1f15f3b694cd470f824a26433ceac83a2118145fda

SHA512
c0b26a07d3811f6d6fbdaada6040ee8a6c864d9ec07891ad972344cbea3c7bee86899b2ece067a5e7fbd9fcc4d4cd969ad598d3b6383804082d7b8638c33993c

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-03-27-13-16-05.txt

Filesize
127KB

MD5
fde58843618eecde1caf46b13e2f5ee9

SHA1
0d89ce974f3f505d742983dac65bd97d49013035

SHA256
d1a20abfbe6d56101d4a7ce93278155815ebf080eafdff1396710f7d0af9bb6c

SHA512
d5b3711723373d1c844771d12a762651f1eb9ffb5a48019307f24b35e38e3f6fb96f3291c634ce5446a26f34e9a9ff5fcae064858a835ebcbb8d90bd22a279b4

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-03-27-13-16-05.txt

Filesize
159KB

MD5
2e8bb3164f3bb8cb0f27f39ce30e1138

SHA1
5460a8731b7d7c131962a43cdd12f06394aed598

SHA256
96198a9f049c874f471671129b179be82f9d80c8f94eddc7160d726b2f24521a

SHA512
df0316619ea07607dc5749a61c7f9f3d94dd28c2485658c4df837c2934a1720d810a182e5baf3a756f14d45e8e3509d90f2d49bacbff10fd13990e2766613b1c

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-03-27-13-16-05.txt

Filesize
191KB

MD5
b62ac7588e1f429dbe5232f6f32a17ec

SHA1
1222361010dc20fb5a632a3be6af8e5379b74c3d

SHA256
82854de5b2ce647a598be0b52cae30451bc1f89203f338c34edf4dcb0f0f4527

SHA512
51a6134b5435d1515ec9c499c7a644f0121b4c9b1c83ab42d45564998cf5d8545ee8251be52fadbdffcde9795c6fc7bbc6e040327a030ca582f0b706cdab4750

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-03-27-13-16-05.txt

Filesize
959KB

MD5
aaeee5230b2f494cb4043e2864a8bfe0

SHA1
38a3b299e83b0102fbc120028f358c2c69b09179

SHA256
97866b23837b02b918a3e05e1a73ffa9e0e533fca0d8f6ff99d6f902f5ef4eb1

SHA512
dd07f94ab1baf39abbb5968fb2890de45c10da5452951e66663f5a93dc41d0d3fadd876a5593717177cde240c17f2281ecff2fba3dda883bc5a8d0d8d1e229a4

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-03-27-13-16-05.txt (deleted)

Filesize
31KB

MD5
267700fca3af714174e2718a20155567

SHA1
a27bd19b76f8c66b05ab17b20b9ae10a4e8b4009

SHA256
591723da333d85347cf437527f2cb30d815dcbeaaf81093ea4ee3e5e627d49a8

SHA512
baf1ac86583f09a99e30d9f894c6cf0a70a8de2b1dd5c51bd4b05b137a66d3e126f4ed8ba3376e11eda6351aa7c0a3820b45e67e1a5418326fb8267a3edee50b

Download Submit
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-03-27-13-16-05.txt.zip (deleted)

Filesize
33KB

MD5
3e1a9e1bcd92ebe0cfe4cbff940a6196

SHA1
0390870a295f58a7801648b5ba4cb017c73317c6

SHA256
93ccd88ff3672911e0260f66a2a159b0477272c8110dae9150c2830fc2896684

SHA512
4bbf5c271993b80b215c4e7fba81230c3de665a796f6324ccaad75637d3890387d60740d3e8ba33604902128d568d5cc547b9f3d4e54d891dc89fa5f35ff71cd

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads