trickmo | 4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b

Resubmissions

18/02/2025, 20:08

250218-ywn8bsxrc1 10

24/01/2025, 04:44

250124-fcwh7azqas 10

24/01/2025, 04:37

250124-e8zp2sznay 10

Analysis

max time kernel
37s
max time network
154s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
18/02/2025, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

6.8MB
MD5

2d34dbb4167ebb371e33f3ce700fdbc8
SHA1

4a20849866f90262f9a0b2793f84cc7d5e057656
SHA256

c00419b21d10a236b47b43bb1eed3dbc5298e471cf9616848a84da5baae8e611
SHA512

20365af814427670ea62987e750657a04d03c509382abe655f87952d6794981e7811c0b7aa9dede998263c2e2a98c5c008848324c4e653eba77517fc6c7c034b
SSDEEP

196608:Lh1ZR29n2MKoRk+bB5fKnQgO5SS4xx3Dajo:9BgnzRL5fKnQgkSl3Dajo

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://traktortany.org/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json	5058	lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json!classes2.dex	5058	lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json!classes3.dex	5058	lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json!classes4.dex	5058	lansa.sis722.sers

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	lansa.sis722.sers

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	lansa.sis722.sers

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	lansa.sis722.sers

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	lansa.sis722.sers

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	lansa.sis722.sers

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	lansa.sis722.sers

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	lansa.sis722.sers

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	lansa.sis722.sers

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	lansa.sis722.sers

lansa.sis722.sers
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5058

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/lansa.sis722.sers/app_cigar/dZxFW.json

Filesize
4.9MB

MD5
9f765bbbb28171e35f6f17ee95ebdb90

SHA1
7bfb941907bea2a41e20f38e31c07566d8d3f7ef

SHA256
c552d3c465661b4bf87bac3eeb7a9000569a5b19cdc05094713076b89a776c83

SHA512
144b72da338daa9b520d181934fc63f65165e8415085efeb1fbe32aee33ac1b35305d7040829c725300ce54342ddc62bbb601bfa2ad383da3b4007bb8760c4c5

Download Submit
/data/data/lansa.sis722.sers/app_cigar/dZxFW.json

Filesize
4.9MB

MD5
cd652200aa24e4da945fcca01cf402ce

SHA1
ec15238d8fa5f5906b1725965bb5eaef3f977172

SHA256
6296249f78b601b6d29c26e49f59a99ba4074358d82e4229d1b0eb137bd03408

SHA512
7d4aa9255ba25ffe1b07cefdc0ca05daa13c12d22974c050b17ef83f07f49eebe62fd125e3f9ef96524c345e4882d6eade3220a4b2243ebeddfe63a5366aad9d

Download Submit
/data/data/lansa.sis722.sers/cache/clicker.json

Filesize
20KB

MD5
e48ae2e98ea5b39dd12819b5cceb7dc3

SHA1
219af8ebe9bb26b76eaa53356a613e5fbb806dea

SHA256
6e954b8f3df47f2444f1877d8b714e7baa19a1fa4eeca749943eadee1661eac9

SHA512
443960bd2d2d0c9a57fd5d2bd75d7efe78071ece69f020260065ae0fffae70e5559c31476156fff62b7f24f4e72b953885a0ea1a858d9205d658e9738bb181a1

Download Submit
/data/data/lansa.sis722.sers/databases/a

Filesize
20KB

MD5
44ed3cc60039b2552ae11a53458cdfe6

SHA1
9808a7657e37c8324900430809efdf2a07688b38

SHA256
d4509574a4f7ffb8f1e35b36ecf526731426610d258a5aa726f465cbc4d5e3fb

SHA512
3a51f089d9875e1a2274b3a53702811ca40f8e509082ef891d16c45db4e526bc21089a27ee74771e777d5a6c68fb39b5865780b3370d3f2c94a594ee8691d196

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
512B

MD5
740af4177f7cbe3de8e881594a84fe3e

SHA1
a0868f5e51f98436c0412671a7ef5f4470f53e67

SHA256
570c8647049021a5ba1fcf94f2c5649fb2ddedcc237d3d4f20466fb1aa53c5e0

SHA512
3bbde19c00c285442cd0c55184de909a1be1b157a8e1a5ad5eaebeb543d54f647cbe415c940a5d3e3cb3ecf7c60feaab3f8199cc553135d4d2d4fdf9b3680408

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
8KB

MD5
47df991c2aee1e4473e2752a714b150f

SHA1
7328a82be8e1e2dd5404cd9dfc2736e29c4caffb

SHA256
56411f285774b3cd13bfc99177c298989979600a373fd1ee151df4e82056115f

SHA512
67190d225aff6bbf921c6f7147f7164725973270c021b04d2a1361f4ffc39bc7cf47f3a11b86d9b58adeb5ac3a7a46bbd610ce8132bc7507d00b9ae1b50926cb

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
8KB

MD5
29b24aba19e5260b5f8f6153cfbe5576

SHA1
6fdc18bcde671d99e6edce7aa034a3bf3c2a92b8

SHA256
4d758f687d1205fe44ee67dae574443904604d94042f0265af549082cafcc070

SHA512
064db9752a959bb4e6f572c5337523e3a1edb68101b59380f9b2c5a2106f7d48803feff11cea46512e89f850895f2de0a5ccc3a81850e28733d341c682de571d

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
12KB

MD5
e1a93234119629863da27c382671a62e

SHA1
59b845faf3daa621cc2215b03262a90344bb2052

SHA256
61554bb02f439975b133df45a7a18e966ad4fc4dd22a821377bd95c828b1ace3

SHA512
89f2aabca24ddb56a8df75598fc6081ac89348fc6033cfd9473728eb6f7856b516ef9980c4a9e0350c655132df76412386e32f0550f7446e1755228c81f15cf0

Download Submit
/data/data/lansa.sis722.sers/files/lansa.sis722.sers

Filesize
256B

MD5
1eb22d63d38b2173f775f978d6218b4f

SHA1
9a19141626a6db9b30cf5a7c676a4338f83cee00

SHA256
fc020062f9fb9fcc0830a48bc25e0566f9ab2361a6cfd7063e9a2b00bf5c022b

SHA512
e24658d76fe9bf203854e3e158f4b86167ccbde1b53878e17c7579699e1d8d3ecc011ad1c826ae5c6d54d9be68b9f749d95fa408b2f097d18dab4e6aa710ce5a

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
aa35bd051f93b02eff95eae83cfc10dc

SHA1
d12825b9fd00cd1079c94beaed09f1918f229252

SHA256
584eb50c937c6d19e4ed1d067462227ae96d266ec5fa66a3783de28fdb094765

SHA512
924dd344cb7b392621c146edac18729661e5125fcccd2f1a1046abdd1115c1797ee1911ef8be265307dae68c80d99fbc56a116fe30982bd7ff5786d95bca7a1e

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
0c1697c3be0d3d9fd14c1da9462256d7

SHA1
878ac4ba63a8417fe57a39e2f18d7fef5343af54

SHA256
13579bbb010f38f3b03c3066e877eba0fd798fc33aa7ba27dfb2596dbbcfdd96

SHA512
759f1fd0c2c10eeade7a43b3c1d7e07c5f68c8807a3a41fbdb4f632da59097de1320a1333d31cf7395648c039390bb9bda796915b439d3902ebccc1e0fce088d

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
1637616533b7dabdb2b513c9ddf8d664

SHA1
6a821a6d3bd83ae79bc456baa5b14c95ad71f58a

SHA256
85c76cd3b7ab09c05994d31483663a65f820ee0510abef6d8190db87fb590dc8

SHA512
36fd122c5fc98a58ea3bf4e3fa1ee45bc25f82ac9c284858fa97214ac254c8be8732e0b3e152784ed09d1042848ebc8b6df191544d7a3edc7581378da16c54a1

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
13587cb59b5666bc5b80b43482c7da5d

SHA1
3bcef29e1aff84e02656bc73d523264f3f7db7dd

SHA256
3515bf84e16be37f21abef44a38a2c58f1e894be81b3b9c87af1cfaea68c9f54

SHA512
ebf57ddb2e870e8c6ea9b8d08974f94ab51d1993c63fcffd479ce636932115dbce7bd520140d26f7cf3176e05c3243812faf2219f36b962f725ce75820069b46

Download Submit
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json!classes2.dex

Filesize
308KB

MD5
5e58845043089ee3b37392fec0f23992

SHA1
5e8290a1e9b734ae423aaa5f49bef8041545ebbc

SHA256
ad60aece05f500cada31b766831e2fa87aaf6fba58b9dca20c9152f16605faba

SHA512
84387a9add5b7ea6220ecfab5773b62d9d0db6ebce799f5a090817a04d0862158e1acafccabbe99bc2dc7abb30b5ade111bd6b4769ef929f3d57e962bcb656a3

Download Submit
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json!classes3.dex

Filesize
265KB

MD5
cc92d248d0c568e5351842d103bce7a9

SHA1
1d4950fe500f0789ca77fa4858ab8ebc3cb2441f

SHA256
0201c5566b578cf5ec8237dc7970a5a3b63afd2e035d8e94ee82230c8a2a691d

SHA512
a49aa848d7544e20d33de320faf7169c82669438394d861814fb832d8984fafe86c955484654d55cff7d5ff45e0c60d09b7b6e7c4602ef8ef312c0cafbacdfa7

Download Submit
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/lansa.sis722.sers/cache/logs/log.txt

Filesize
83B

MD5
d8ea8aeb98f6ad9d6178cbf1945a1bd7

SHA1
ac8ba1238034c6ee7a507816df5afa8e8cefe7a6

SHA256
f4910a95b641a1278fee5b34a50ecf2c4140c7290c93045d3fdcca607f1b88c6

SHA512
fd149f11a30a4369a660750912f9616b9d31fbfdd6e5d2ad11131aa894e0e17f4e3c004067d770bea57316a2fe4b2c59e71dff8c9005d2c7446fecc9ee15165a

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads