trickmo | 353e47a046b3af6212f98844b18a2ae79963cb8d2b98eb6bd5184296299ec372

Analysis

max time kernel
126s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
21/03/2025, 23:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

8.1MB
MD5

720c616bd3e4f7fadde344194a5cd7a4
SHA1

001fea85badda450146082038c6a5ce8b9878fd2
SHA256

42009a836376a2ca77ca8fc1dad73eca3634df7b6c5ac2091ee0ea53661dd725
SHA512

282e2a9256318201caeeff668f4fcd1e93bae0b63d708ac99fb267369299b4b128338b727d55f2d7ef3460295b75e3be0dbd0710beca4c3d5bfdc9bc166ffd3e
SSDEEP

196608:lyiCDijCX0oAES/KCmxU7UBnBsXmpF56Wf2GGUTx:q6dE8KRgUFBs2pF5bYUTx

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://mikejprdanorg.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json	4280	landtual.pomf70.ta
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes2.dex	4280	landtual.pomf70.ta
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes3.dex	4280	landtual.pomf70.ta
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes4.dex	4280	landtual.pomf70.ta

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	landtual.pomf70.ta

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	landtual.pomf70.ta

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	landtual.pomf70.ta

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	landtual.pomf70.ta

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	landtual.pomf70.ta

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	landtual.pomf70.ta

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	landtual.pomf70.ta

landtual.pomf70.ta
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4280

Network

DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

216.58.204.78
DNS

appassets.androidplatform.net

Remote address:

1.1.1.1:53

Request

appassets.androidplatform.net

IN A

Response
DNS

xxxtik.com

Remote address:

1.1.1.1:53

Request

xxxtik.com

IN A

Response

xxxtik.com

IN A

164.92.225.151
DNS

a.pemsrv.com

Remote address:

1.1.1.1:53

Request

a.pemsrv.com

IN A

Response

a.pemsrv.com

IN CNAME

1108595013.rsc.cdn77.org

1108595013.rsc.cdn77.org

IN A

84.17.50.9

1108595013.rsc.cdn77.org

IN A

89.187.167.39

1108595013.rsc.cdn77.org

IN A

89.187.167.42
DNS

turbulent-divide.com

Remote address:

1.1.1.1:53

Request

turbulent-divide.com

IN A

Response

turbulent-divide.com

IN A

188.72.219.35
DNS

s.pemsrv.com

Remote address:

1.1.1.1:53

Request

s.pemsrv.com

IN A

Response

s.pemsrv.com

IN CNAME

tk6if76q.ab1n.net

tk6if76q.ab1n.net

IN A

95.211.229.246

tk6if76q.ab1n.net

IN A

95.211.229.245
DNS

s3t3d2y8.afcdn.net

Remote address:

1.1.1.1:53

Request

s3t3d2y8.afcdn.net

IN A

Response

s3t3d2y8.afcdn.net

IN CNAME

1208818836.rsc.cdn77.org

1208818836.rsc.cdn77.org

IN A

89.187.167.42

1208818836.rsc.cdn77.org

IN A

84.17.50.8

1208818836.rsc.cdn77.org

IN A

89.187.167.39

172.217.169.74:443

tls, https

1.2kB
40 B
1
1
142.250.187.238:443

tls, https

915 B
40 B
1
1
142.250.187.238:443

tls, https

915 B
40 B
1
1
216.58.204.78:443

android.apis.google.com

tls

2.8kB
6.9kB
10
15
164.92.225.151:443

xxxtik.com

tls

2.3kB
13.6kB
24
26
164.92.225.151:443

xxxtik.com

tls

10.0kB
404.8kB
171
253
84.17.50.9:443

a.pemsrv.com

tls

2.2kB
54.5kB
28
47
188.72.219.35:443

turbulent-divide.com

tls

1.3kB
3.8kB
12
11
95.211.229.246:443

s.pemsrv.com

tls

1.8kB
5.5kB
10
10
89.187.167.42:443

s3t3d2y8.afcdn.net

tls

742 B
3.4kB
9
8
89.187.167.42:443

s3t3d2y8.afcdn.net

tls

4.1kB
80.5kB
59
66
142.250.200.2:443

tls

135 B
40 B
2
1

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

216.58.204.78
1.1.1.1:53

appassets.androidplatform.net

dns

75 B
135 B
1
1

DNS Request

appassets.androidplatform.net
1.1.1.1:53

xxxtik.com

dns

56 B
72 B
1
1

DNS Request

xxxtik.com

DNS Response

164.92.225.151
1.1.1.1:53

a.pemsrv.com

dns

58 B
144 B
1
1

DNS Request

a.pemsrv.com

DNS Response

84.17.50.9

89.187.167.39

89.187.167.42
1.1.1.1:53

turbulent-divide.com

dns

66 B
82 B
1
1

DNS Request

turbulent-divide.com

DNS Response

188.72.219.35
1.1.1.1:53

s.pemsrv.com

dns

58 B
121 B
1
1

DNS Request

s.pemsrv.com

DNS Response

95.211.229.246

95.211.229.245
1.1.1.1:53

s3t3d2y8.afcdn.net

dns

64 B
150 B
1
1

DNS Request

s3t3d2y8.afcdn.net

DNS Response

89.187.167.42

84.17.50.8

89.187.167.39

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/landtual.pomf70.ta/app_suggest/EdZ.json

Filesize
4.9MB

MD5
7eda39fb990a24bac58f5d6e955ee667

SHA1
e90608e181ac701ddf0b7898a588a4788d62a2f3

SHA256
e1ac88df0be2b14ff34eab4e9150fcb075987e47cc3bc8b4660d5c7e43f5b328

SHA512
ce741115cc895767eba73712ca5bc82416cd16226a666611a623f1b4c876d19472c01289842ecaf74528763b8d8a61149fcca67da138b31cf42cf99b1ae5dee4

Download Submit
/data/data/landtual.pomf70.ta/app_suggest/EdZ.json

Filesize
4.9MB

MD5
73b51fb51a7c1838642325dd9aa03732

SHA1
f1963286c4e4fae80593fa5555613bfce95c9f51

SHA256
a612724a99d62d5bce2470e91cb7d114ff90dea5c722fad0559eb3ab310b80cb

SHA512
c0d2201da10c0817b608c881263557432c88864fb97c5ce67d2d7ab7a257f3f7ca979555eaac33322c96e09f08ea1ed002c0ada0f624864ae01c7dd37f5141cf

Download Submit
/data/data/landtual.pomf70.ta/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/landtual.pomf70.ta/databases/a-journal

Filesize
512B

MD5
86af8bd75a8764f5bfa7d6e962736350

SHA1
c5cee7e7a34bfff13c1cc3bfdf1f90c7625ff961

SHA256
fbb439687233039608451e8a0345a10d7d57d8f98f94024b0ee13b3957964d1d

SHA512
1a46f34767472cbc4abab222af0e792c3f8583daaef3b142a6accee47bb2c1eeb8d0b2240dea94d0f14c561dd50181abf665dec8c6e10720d851ae72bc8a2511

Download Submit
/data/data/landtual.pomf70.ta/databases/a-wal

Filesize
32KB

MD5
49fafb4b0e3793665084d75f443e9dbc

SHA1
9b45cd681a26b93574051666537b2b467b464726

SHA256
5a2bdad0a9994b9076593b33c10b70f1f1526322254ea5648511365ea9408bea

SHA512
3c88626ade34496725e72980195860b73934fe7a89d5b263613d93fff9ab3306a6c16d00e34eb2610eeb8e4af8c66a944f475d546d30e88aa39e8e8d35e2084a

Download Submit
/data/data/landtual.pomf70.ta/files/landtual.pomf70.ta

Filesize
256B

MD5
cb89e02c15c3c9a4962c649f9254260d

SHA1
b5e6afb060b85db85b1a92eb1c19aa49ef533d8c

SHA256
128a7a806dd7e5c7129c2df0711c6cc16a92ee17474e54987050689618b70b5f

SHA512
b4ea4521421c229c2407d1cb8895a0e0d0a1c30cd4a07bb88069272329b7d4e61cf43850b8252983eec99f630f377824f7459db049150421bcb8b70821190cb0

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
9bc01c389612f2863f1dd37619b56a53

SHA1
3aea4bdc3c0998a640effc46e44bab7e46e04e4d

SHA256
8f739a8b5e84c2754d9a206ca50b63edaa8c002e6080c85644d337c97791f64a

SHA512
1c0109ac388768f7e0297521f818fa51587f21e9ea20f2d7fe167839f2dfc4dc475fcf1d64523d8e1ec17c6b1a24a9a1b51a3bf7f45a226352c88d82076b7aef

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
e0fd99fd072bd6abebd3aeac7e5c8291

SHA1
b5764ccf524627d88d64cc9fb2eee10a39a9d455

SHA256
74ef27179164e6f3d64b9829f234bad75cb456b0309e90c4158b154b31cf1d65

SHA512
c51311fce49dbd2e0bd004820e1ff94e78149cd6a7bc345f93c220fa749dde9d03fe77738b9120d16434904d5ffb5d170e383824108663e77833abd76b1b146b

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
161e3e99308b188e5f9c1001271963fd

SHA1
cf863920a6cbf8328ec774a8e3bac5af8116b76b

SHA256
18d81f2e7e3c64c9b28889fcfa5c65576f35fcbfbeb8b4f3fa96fdc4285e1931

SHA512
f6f36304ae52d8ab8a02d5bde49c1a872599bda0f4998cf872b51e30041abd66e8a3a21ec9464c894c647c3373d0b180774878d412e73b26af9a2818cc2f8553

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
456315767136f469c3a512f23cde80a5

SHA1
8e549896c0bc1825d24a37f31c34a0bce2d34566

SHA256
52746978bc82844f0b3d87f275c768d5364767725a580bea5bc107aeead5df7c

SHA512
61448a52b258e331589b6f30bd49b69943141f93e92a4eb3f0c9e3ed9bf9b520696b12a254cee42172cebaa44a81e090fb046975235cbe5a968b391848ce8113

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes2.dex

Filesize
308KB

MD5
7f553f50925945c7d7138227ae983377

SHA1
d7d3afcd10dd4e03daefa0e8e242c1a7b77a7162

SHA256
10d07387bd954b877c1d1205814d36bf526108b16f8fc55fe48398d350166637

SHA512
2202dad0a09b8359f4b07f2f5da2777f4d3a70931825440da3d4bb13639b981917616f6fe394dc093aab044bd6ec7e47e363d2665b47aea21a0540008083ec1b

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes3.dex

Filesize
265KB

MD5
9be81be1b34d2c5b45f8ca690fbcdfb6

SHA1
10300ac02fd9b57f4de8edda3f68ccc1bfab9e6f

SHA256
a9081622945a79c3a4209e8d84c8cdeeb30a6b4ac5e8c4c80703d04fd1841b04

SHA512
6969fd501aedfce16d2f1d3c2381765687f8f978072a7fa81ead3e1d9e5dec3cf98bcf6403fec47772fd01d137232fd645deddf8c7d640af887f896c2087658d

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/landtual.pomf70.ta/cache/logs/log.txt

Filesize
83B

MD5
9c740bf6046ba8d47e81f1e04bc51b69

SHA1
f88e203641888eda1dc8e1e0b5a3fb30485faf4f

SHA256
5d21fa74e63146ca48e5ea3b1394112ee4dec6d0dff10adc1de8f0a2593b0964

SHA512
5847559811787f17a64751652828b6b886db6486c3a3b70c0e5d5fb5c8e8ecb29cbbf2f9c7a0b203fa6874fdfe7e6add4bc3b2a4fbba4de0a620fc6e0c0dc8a3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.