trickmo | 353e47a046b3af6212f98844b18a2ae79963cb8d2b98eb6bd5184296299ec372

Analysis

max time kernel
149s
max time network
148s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
21/03/2025, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

8.1MB
MD5

720c616bd3e4f7fadde344194a5cd7a4
SHA1

001fea85badda450146082038c6a5ce8b9878fd2
SHA256

42009a836376a2ca77ca8fc1dad73eca3634df7b6c5ac2091ee0ea53661dd725
SHA512

282e2a9256318201caeeff668f4fcd1e93bae0b63d708ac99fb267369299b4b128338b727d55f2d7ef3460295b75e3be0dbd0710beca4c3d5bfdc9bc166ffd3e
SSDEEP

196608:lyiCDijCX0oAES/KCmxU7UBnBsXmpF56Wf2GGUTx:q6dE8KRgUFBs2pF5bYUTx

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://mikejprdanorg.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json	5255	landtual.pomf70.ta
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes2.dex	5255	landtual.pomf70.ta
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes3.dex	5255	landtual.pomf70.ta
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes4.dex	5255	landtual.pomf70.ta

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	landtual.pomf70.ta

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	landtual.pomf70.ta

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	landtual.pomf70.ta

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	landtual.pomf70.ta

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	landtual.pomf70.ta

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	landtual.pomf70.ta

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	landtual.pomf70.ta

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	landtual.pomf70.ta

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	landtual.pomf70.ta

landtual.pomf70.ta
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5255

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/landtual.pomf70.ta/app_suggest/EdZ.json

Filesize
4.9MB

MD5
7eda39fb990a24bac58f5d6e955ee667

SHA1
e90608e181ac701ddf0b7898a588a4788d62a2f3

SHA256
e1ac88df0be2b14ff34eab4e9150fcb075987e47cc3bc8b4660d5c7e43f5b328

SHA512
ce741115cc895767eba73712ca5bc82416cd16226a666611a623f1b4c876d19472c01289842ecaf74528763b8d8a61149fcca67da138b31cf42cf99b1ae5dee4

Download Submit
/data/data/landtual.pomf70.ta/app_suggest/EdZ.json

Filesize
4.9MB

MD5
73b51fb51a7c1838642325dd9aa03732

SHA1
f1963286c4e4fae80593fa5555613bfce95c9f51

SHA256
a612724a99d62d5bce2470e91cb7d114ff90dea5c722fad0559eb3ab310b80cb

SHA512
c0d2201da10c0817b608c881263557432c88864fb97c5ce67d2d7ab7a257f3f7ca979555eaac33322c96e09f08ea1ed002c0ada0f624864ae01c7dd37f5141cf

Download Submit
/data/data/landtual.pomf70.ta/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/landtual.pomf70.ta/databases/a

Filesize
20KB

MD5
93e7f88ba7fd4f0152e8e5dc56f1acc0

SHA1
f29883585567a32fe4d487e5df14173c39c09e65

SHA256
dc6bc98e7f294d8994b3120cb87c0ed1d998e559daab810a68323a8968c60c2c

SHA512
be40cb85f75181627e2e4f7fb01e371ad4ce5051416d7e931ae45479a1357526e89a017aa461de03076c0b650eb5c851c239e88556677e859bb9b7c28e48d745

Download Submit
/data/data/landtual.pomf70.ta/databases/a

Filesize
20KB

MD5
92c196e7e2a0eddc8dbb1d9c6f4f659a

SHA1
c628b541483fdbd51c4a655cb527c3aae795697f

SHA256
60bd9038c145fd5f2f6cf2fee4977c035c621a423e9000ef671d34785af2af72

SHA512
006e240e9c3a711b6705e7d0e9a87b931e23963244b6c6d8494692a21d5faafcd37b155d1eda9f4664abc10351d84fa564e64ccc2d808d1cb6a73ad8b8e7ba7d

Download Submit
/data/data/landtual.pomf70.ta/databases/a-journal

Filesize
512B

MD5
bd6e68f9aeb1c7a025aa14a3184204c0

SHA1
0a3ba1c221082dc5e1b60d9f4919021ff2750916

SHA256
c8dcec77313b3b8afa90de090f87600eda9151b6accb91388d2937d8d14edc4f

SHA512
63f8ced50cd35c1467bdf729b9be90efd44347c96b3f9fec9b829e7a7587da0ba22d2556ae30ef18064a450d33c7fe6df61dab9c8cb743e0919f4cdd7b3f40a8

Download Submit
/data/data/landtual.pomf70.ta/databases/a-journal

Filesize
8KB

MD5
9b0846e26b680ddaaeaab6fdf8317a5b

SHA1
00c1fee6cee57a4be94690174d8f325bae175ed2

SHA256
05594dee1ce88cc012c84449503b4902eddf3ce6f56496009ff70058d3628e97

SHA512
10a1c771b770670114b36bcf9c75f178d25c306fd7ac33146a487328cf75a821d5f96cf4aec6d133ac8aa8d618d77494cf40a01e1e538b2959aef708fbce77b5

Download Submit
/data/data/landtual.pomf70.ta/databases/a-journal

Filesize
8KB

MD5
bba8ec9116bd2836ae8fd4b9f524775e

SHA1
3b3872bccfc626000ae903eb344619d483ba6ee0

SHA256
254d74d6d4e263e0d208f4ca6306f364a245515b9dbd87f21f33c4fbfd46b1c0

SHA512
966c72a6dd10e658921d7b272e68347c93bf5c3e60e2110126e7a0254f781da074e2501263ea7bf2d7490e94ac65258082c7393a7d1ec783118cd6be31647a35

Download Submit
/data/data/landtual.pomf70.ta/databases/a-journal

Filesize
12KB

MD5
c4fd4d69b478136038a27e6cf3188f6b

SHA1
67857fd22486a13756ffffe3ffe5ae756d391191

SHA256
ec0c9790f35489f4387edad4e7f6527fae2ebfbf2640d15eb1bbe3a84b3428aa

SHA512
1d9e68c7c6fb4a1ca6069907b63d0bdc09273345447628b2a9ddb3c055c44215a145132e3aa73a0509082a9d29312a7efe9856c1aa70983666bc7d7d7c057e5d

Download Submit
/data/data/landtual.pomf70.ta/files/landtual.pomf70.ta

Filesize
256B

MD5
0afa94a41c25ea2abbfd1aa0bb6c1529

SHA1
18be2b5326fcd69201d7cd7269d60e14ed2c639a

SHA256
9a4539652ac960278b04f1502cc5d6c1675c6803f74b96155e7a26725d91bf2f

SHA512
2d3cede32104ad5cc1d942e03fb15900295de7bb92dafb290eb1a39fc0471e83c2495abe6c8cf666333144786023faa38bc2e4915167654e23a172dba904d69a

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
a9c44cad8cadf535b654a943a406c1b6

SHA1
25d678e79501cf4f1451bf25fcdf1b6a3b35dbbd

SHA256
cfa313033fb936ed07ee791535765b5bfb2de9e67b4a595179366cf44c5d0713

SHA512
4d9204103e0a8694637ba3cb373bea508f3e69db6d0152ffe058b0cd086088a1a159bbfee23ba0e2e4fcc791123d48c0185c13c2c82310dc5864b2854e36bbd2

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
598a0e48b695ff03c52fff85c9120c7c

SHA1
9b1d9e39965a30c10c465eec437f0fe323f16a00

SHA256
b91788e994fff4af2b10ce913fbb384860f0fb7c3f2525ff379fa00837c7312e

SHA512
391cd050047ff9c2ccf2cc6cd7c5bc6426f7c8b541c94cd154c497211850563d80218786d34e5d813861fc742cc9777e396a5b0395a9e9aae9f83e62a917a647

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
ffd27fe067554088063f9261de0ea46c

SHA1
984c98e97930315ff355c3eca71bd9cacbb5f7d5

SHA256
032ca717727fad891ce936d433fd27f3da561346460d4876a77af4a17d2a545c

SHA512
4c8e4affdc467fc8bc698704eef371850a8babed6757f1ad98a3419b15fd194f4bf5b40f08b3d5e41e8c2b947279f92e9a220dc17a1ed5ff7e6f6f484b9a75e1

Download Submit
/data/data/landtual.pomf70.ta/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
231234ea9330f534b3a28d002de9cbe0

SHA1
0ec8aa91f492d5ae0062859e24f86e10afe7ec4e

SHA256
ecc3fc4af350b94304cc76af119d4fb752e00411afcbf208ad8556822751df8f

SHA512
ef8c6ecd9cadf1ad8abd4ea878a69eaecbfa4293786bdce2ff2029a26a74b543233888be7f0d503144cd009b46b6959a9d7bbb58fa5353bc395284b82b44d279

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes2.dex

Filesize
308KB

MD5
7f553f50925945c7d7138227ae983377

SHA1
d7d3afcd10dd4e03daefa0e8e242c1a7b77a7162

SHA256
10d07387bd954b877c1d1205814d36bf526108b16f8fc55fe48398d350166637

SHA512
2202dad0a09b8359f4b07f2f5da2777f4d3a70931825440da3d4bb13639b981917616f6fe394dc093aab044bd6ec7e47e363d2665b47aea21a0540008083ec1b

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes3.dex

Filesize
265KB

MD5
9be81be1b34d2c5b45f8ca690fbcdfb6

SHA1
10300ac02fd9b57f4de8edda3f68ccc1bfab9e6f

SHA256
a9081622945a79c3a4209e8d84c8cdeeb30a6b4ac5e8c4c80703d04fd1841b04

SHA512
6969fd501aedfce16d2f1d3c2381765687f8f978072a7fa81ead3e1d9e5dec3cf98bcf6403fec47772fd01d137232fd645deddf8c7d640af887f896c2087658d

Download Submit
/data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/landtual.pomf70.ta/cache/logs/log.txt

Filesize
83B

MD5
dda1b06f8f9981cb7ae21ee8a239f3e3

SHA1
e10f4d4e40ba8618336c70526edcbcc3922e703c

SHA256
86c76a087ecd9fe50afdec0db7b16709bce83843fe078626a15899793fdc9f39

SHA512
4b08d043257349bd9a451c9e8e4525a0bb4c64a0a1c40ed2f1db530f47c3b04d21e4b1795c9c7cb9fa01aa63bd4d543eb64f1ec2d6806ed15d2da07cafaf6643

Download Submit
/storage/emulated/0/Android/data/landtual.pomf70.ta/cache/records/com.android.settings_2025-03-21-23-52-39.txt

Filesize
1001B

MD5
1c56b419f043be564ccf85c040ba4758

SHA1
28c97c81599d098b2034aa18abfc72c6c26ea956

SHA256
e37f82553044557524cb0b7d2de8623384e03ba01d61cf1de79b2335577c00e5

SHA512
ccdc36a1535485c1b62c64ed3ab1f1ae630494e4590506147468bbf0cddd5f5aad538a576a124da28637cd6e138c25ef91433d048ae8422b0d40772d6ae6fd24

Download Submit
/storage/emulated/0/Android/data/landtual.pomf70.ta/cache/records/com.android.settings_2025-03-21-23-52-39.txt

Filesize
51KB

MD5
1a3f7b01d2564add921aa060cf450881

SHA1
a8958aa45a6f896874b8cce373287ad17bf51f39

SHA256
37dab1bfaac6f240c762ff348d355bb17bb59d7aa8b98255f75a85297e9dca5c

SHA512
1d7b2da8ee8a45a49dcfc2f99148353554ba43113d5c4b0a3c0bedecaefac95c6b35c96d8a87d1a6189878ba80afcf99fdfef222a9cee8ad945fc946ef9744c9

Download Submit
/storage/emulated/0/Android/data/landtual.pomf70.ta/cache/records/com.android.settings_2025-03-21-23-52-39.txt

Filesize
102KB

MD5
9dfc9c9cc28cd5dbdd90b02eeb4a050c

SHA1
2720e028e69cda7087320d287c18c001be211f9c

SHA256
72dc70eb716f2f51ddca1b7eecc82074cad2c7b67623c78f0e4315e2ee5c397d

SHA512
2a0b1a7f09769212027d59d9e1561455f851d87ea21cf527bed3c3a1e8054772a8e8a4258b417180f97974c8c3768e73a0c0e80cb4ca87890b0f4c842deae710

Download Submit
/storage/emulated/0/Android/data/landtual.pomf70.ta/cache/records/com.android.settings_2025-03-21-23-52-39.txt.zip

Filesize
3KB

MD5
6704d622f9112e088a9b16b10b00e07f

SHA1
6d93b2e270a73c982970c95355ab1dffe01d8fbc

SHA256
e153041000a2e4192a375268ee2effa4d1ccc344a8b851998d53a08b470b87a1

SHA512
d32493edff28ebc0475c23f65934af4579ac540b6d61a6e2a3aa981bac1800c81beab31cf3489934893a12c2e4d4e720ab8629162e3e50ba24fe91b2af1a5717

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads