trickmo | 353e47a046b3af6212f98844b18a2ae79963cb8d2b98eb6bd5184296299ec372

Analysis

max time kernel
29s
max time network
30s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

8.1MB
MD5

720c616bd3e4f7fadde344194a5cd7a4
SHA1

001fea85badda450146082038c6a5ce8b9878fd2
SHA256

42009a836376a2ca77ca8fc1dad73eca3634df7b6c5ac2091ee0ea53661dd725
SHA512

282e2a9256318201caeeff668f4fcd1e93bae0b63d708ac99fb267369299b4b128338b727d55f2d7ef3460295b75e3be0dbd0710beca4c3d5bfdc9bc166ffd3e
SSDEEP

196608:lyiCDijCX0oAES/KCmxU7UBnBsXmpF56Wf2GGUTx:q6dE8KRgUFBs2pF5bYUTx

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://mikejprdanorg.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json	4447	landtual.pomf70.ta
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes2.dex	4447	landtual.pomf70.ta
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes3.dex	4447	landtual.pomf70.ta
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes4.dex	4447	landtual.pomf70.ta

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	landtual.pomf70.ta

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	landtual.pomf70.ta

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	landtual.pomf70.ta

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	landtual.pomf70.ta

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	landtual.pomf70.ta

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	landtual.pomf70.ta

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	landtual.pomf70.ta

landtual.pomf70.ta
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4447

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/landtual.pomf70.ta/app_suggest/EdZ.json

Filesize
4.9MB

MD5
7eda39fb990a24bac58f5d6e955ee667

SHA1
e90608e181ac701ddf0b7898a588a4788d62a2f3

SHA256
e1ac88df0be2b14ff34eab4e9150fcb075987e47cc3bc8b4660d5c7e43f5b328

SHA512
ce741115cc895767eba73712ca5bc82416cd16226a666611a623f1b4c876d19472c01289842ecaf74528763b8d8a61149fcca67da138b31cf42cf99b1ae5dee4

Download Submit
/data/data/landtual.pomf70.ta/app_suggest/EdZ.json

Filesize
4.9MB

MD5
73b51fb51a7c1838642325dd9aa03732

SHA1
f1963286c4e4fae80593fa5555613bfce95c9f51

SHA256
a612724a99d62d5bce2470e91cb7d114ff90dea5c722fad0559eb3ab310b80cb

SHA512
c0d2201da10c0817b608c881263557432c88864fb97c5ce67d2d7ab7a257f3f7ca979555eaac33322c96e09f08ea1ed002c0ada0f624864ae01c7dd37f5141cf

Download Submit
/data/data/landtual.pomf70.ta/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/landtual.pomf70.ta/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/landtual.pomf70.ta/databases/a

Filesize
20KB

MD5
551c1efc95e5c1584d4ba9b09906a724

SHA1
f96bd153481c607e4c33e127c0e61003a7ad6b55

SHA256
9d5c9d0653e5caac8ce7b54fa338e009744faae7b0f890321eb00c35dbcd7c07

SHA512
d21464400d3f9a969ccaa113839ca4973ed01b8ac21d20085f8fd32a7f9b42fbb9171f3de5f8d9f20788aafee495a30783b24fc462badef0dc89432766890f66

Download Submit
/data/data/landtual.pomf70.ta/databases/a-journal

Filesize
512B

MD5
88010b310fe0461f94384cbed9ce2ed5

SHA1
2ef718a63db4a7e94df95935de9f8fa4a30cc460

SHA256
755cd64a0f510153b651da9b04dca71617847be5a379ab901bf5fee9216eaad2

SHA512
f3bc93a823773c1758ef59ff56de1c63b1d6fe548bb60661549302d63f642aa207c6ddf5a51b72c430951223957eabf8a5044f49d1778997a50a2a6193e3072d

Download Submit
/data/data/landtual.pomf70.ta/databases/a-journal

Filesize
8KB

MD5
e7781138d8a762ece532aa8826a9de63

SHA1
1be44b95bdc889acf6a589306ea66b8d3790a45c

SHA256
dc0ec584984a07e208f5cb2aa7806cad7fd3ad2aad42dbce0d11f21397fd3dd7

SHA512
45ff8f3906de410ad062572753b5791d5e8e05a00a44ffddc85d68da79ec042f5143ee7998b701bf86728435c3908c78cdfc186ba248fed5cfa86c3f0fe26025

Download Submit
/data/data/landtual.pomf70.ta/databases/a-journal

Filesize
8KB

MD5
27073517cfd4787db88e48c4fd42ad4b

SHA1
fd07a971658eb9a66b9fa6606b7d32689397451f

SHA256
c6ac743b2e78444f2ddf504537fedd5027adf92f67cd8e4c789b8b9e3649c5bb

SHA512
364370f85b8dfb5ee9718a31d780d861d388516119c6bab6ebc405eb1d9e700dec63ac1fa4861d1902dc4ebefd704357e1267971ca6cab04fe146a9dd8f3bdc2

Download Submit
/data/data/landtual.pomf70.ta/databases/a-journal

Filesize
12KB

MD5
3d483de43baba93e9ca0754b1b3bd23b

SHA1
5ee8a8ca3d4ff7e19eb30d681651347c8b37ab7e

SHA256
2ce16b36d8c213fb596d79f29eb84b4d6343fb94be1b02a6849b63330650358f

SHA512
2b5bb545b1fd11feab4e56153d1812bfd773f06b8d3c4deb439554ff9115a9e9afa86fa7ca45ee3b64e2f768c604e803472b6ffaa56fd20a95eba255e2c79d67

Download Submit
/data/data/landtual.pomf70.ta/files/landtual.pomf70.ta

Filesize
256B

MD5
9f491424028a3681d168ef5e790612c2

SHA1
d681e20a7d5e82167fc2d09a93bc1de14efdb0b0

SHA256
f402d51bd6fe6e2d10dff74373e7a3a935cb9a95999e683234df6d01c3a2e871

SHA512
e157d35fec175692f2e5bafc6836be265629342126a5720496235915f978eeed0f66a3bd15371bccc00dd7eabfe57f949df701ed4a79aa598f7fe5c5cda5d816

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
9981db5dc2a3d69eb010c0c2d3c419de

SHA1
4cf5a16501c4a7fd107e49d639600d5e630ca227

SHA256
5313bb2303b883ca58bb9e44b927b9a8d4020821fd3e842afb86f957f3c8ef84

SHA512
4fc9d013e8d23206c78eb7cc8b0c1de95937767b76d428b9efc402045245bc851928a92572ff6a39e85700483bb57e073e06ec62ab557e39e7048bef9e6e9a23

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
5c4a43f547d9d62443884b0fa70e1036

SHA1
526373c25ebb0e94fe486d975181df0dce6bc98b

SHA256
a50886313852e3a8ed9938470fa8a797330a2e01977f8827add1939703853459

SHA512
86126891469bb01446a1c632a04b9554beee1f98dc510dbac9e93dba6c7f32101e85fbe49956049fba79af4dd5df01db79e49e94d7be39590db14e4b2e1b5e3e

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
a07690dbf38b4b445e169a58a4b2f9c9

SHA1
6f7de8e7cb7ca374cafb51393a90dacf6556dab3

SHA256
416218f66a24b4af01929124aede72213481aaaf29a3eb87fad36ae6f73902ae

SHA512
6e8b596cc402a57f075123b6680458496f8e800816af545048008bfb269351d626ad6efb01301c1a785a7e13ccd8802bbb17f5a809788a8215db1a5c603d4802

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
990d1dccd58340060d40c0f379cd0b36

SHA1
789e654960f7bcd974b7d0d821eeed71ca5424cd

SHA256
f151581ceeccc16dd3dd64eb71a5ccf1a552573b5e4f7aeba46b6656bd27a420

SHA512
b3bf7579cdc906977e7d4aa03dcef187dca10aec4457515b502ec74cc53f799231d5f839c190db9786a0aab2f5ec03be11482d146bec2681fbad10c0d93bbdeb

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes2.dex

Filesize
308KB

MD5
7f553f50925945c7d7138227ae983377

SHA1
d7d3afcd10dd4e03daefa0e8e242c1a7b77a7162

SHA256
10d07387bd954b877c1d1205814d36bf526108b16f8fc55fe48398d350166637

SHA512
2202dad0a09b8359f4b07f2f5da2777f4d3a70931825440da3d4bb13639b981917616f6fe394dc093aab044bd6ec7e47e363d2665b47aea21a0540008083ec1b

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes3.dex

Filesize
265KB

MD5
9be81be1b34d2c5b45f8ca690fbcdfb6

SHA1
10300ac02fd9b57f4de8edda3f68ccc1bfab9e6f

SHA256
a9081622945a79c3a4209e8d84c8cdeeb30a6b4ac5e8c4c80703d04fd1841b04

SHA512
6969fd501aedfce16d2f1d3c2381765687f8f978072a7fa81ead3e1d9e5dec3cf98bcf6403fec47772fd01d137232fd645deddf8c7d640af887f896c2087658d

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/landtual.pomf70.ta/cache/logs/log.txt

Filesize
83B

MD5
8d7a07d896e675e10efc37527453119b

SHA1
74bf7f4e10d0ecb8f249971a731ced03a90646db

SHA256
769a8bd5fd0583c0a16a983f086a9cab96ae6f59f08d4096b15ee3f21777d37b

SHA512
9615c3cd426fa1908c96b45ae93bc353c9f35fd2434ec83e503ada470e4835f7727595806341b5bb6a205a7b7293791c826bd3114dc95838dfcd5a14da82d04f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads