trickmo | 07b114daff3e1edd5e7f1a2f813cd7dda6f3902cda03f1a8f4ecf230efa52ef9

Analysis

max time kernel
29s
max time network
32s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

6.8MB
MD5

fb036e22c765cf7dfa625b25ed43b520
SHA1

bf36e7998e76f1b6d64b833fce4e2fbd2df67621
SHA256

0f0f6a50d4d96be437251a0029aebb34b53fdf4b3adb838dcffd217bd657e6d3
SHA512

aad2051941c707d8cbd2f2e26000d1835f11cc5ae503776213ca4e81c8d96c9fb0acbee0d46ddd3a687ef2ab8cd37df062500d29270519d27a4f60ad51c5d135
SSDEEP

196608:84NS+koOTZwleubHrPlCDruIexT2FDuxgey:5NpOissrlCvuIexiqxgey

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://traktortany.org/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json	4458	lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes2.dex	4458	lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes3.dex	4458	lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes4.dex	4458	lansa.sis722.sers

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	lansa.sis722.sers

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	lansa.sis722.sers

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	lansa.sis722.sers

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	lansa.sis722.sers

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	lansa.sis722.sers

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	lansa.sis722.sers

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	lansa.sis722.sers

lansa.sis722.sers
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4458

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/lansa.sis722.sers/app_dawn/ZldSO.json

Filesize
4.9MB

MD5
c061bae620d91be24cb526c28bd172f0

SHA1
5b7d9ca0978aa2ecbddac34adbc1366d346298fb

SHA256
8677bdce1bfa345d8d393ffd9b4495d0f11916c3e8b78e3c3a0e869fb1f50b26

SHA512
7cabc200ca22bc0285a424ff8ba7a974ddcc86e0d7049e02b0f0819f141f4b31f6eabcfc55725c493c511caeace038bda82c3f271fae068020bdd5797525efe4

Download Submit
/data/data/lansa.sis722.sers/app_dawn/ZldSO.json

Filesize
4.9MB

MD5
7de90707f33dcd6b4c16c5030a7cb478

SHA1
007c067a2a164d68b2a82eeb19fcaaa3633e0c1b

SHA256
7d4b7850eba8e805a62f8de97fd8bf60e61d2da62425c34ae80adc635a3053f6

SHA512
8370bba49ca500788beeacf0e895a103b9010db3b4de3098993853c70f2726a9615ec9f560ab8cc5eac01f7e196f834d04da31eb64029b552b590fcc59f5f5b1

Download Submit
/data/data/lansa.sis722.sers/cache/clicker.json

Filesize
20KB

MD5
e48ae2e98ea5b39dd12819b5cceb7dc3

SHA1
219af8ebe9bb26b76eaa53356a613e5fbb806dea

SHA256
6e954b8f3df47f2444f1877d8b714e7baa19a1fa4eeca749943eadee1661eac9

SHA512
443960bd2d2d0c9a57fd5d2bd75d7efe78071ece69f020260065ae0fffae70e5559c31476156fff62b7f24f4e72b953885a0ea1a858d9205d658e9738bb181a1

Download Submit
/data/data/lansa.sis722.sers/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/lansa.sis722.sers/databases/a

Filesize
20KB

MD5
c1df6daa801ef0309e9be64164839a82

SHA1
985b2ec6c5863dcd8817f98a7ee587dde6c44c86

SHA256
e35aa76c50cac9543e74e5cd209998dd4750ff89fcb9b86a387efafef96d1640

SHA512
c15fcd11fa2e0e11c8eb6888d1a8cccb62f8596ad7f68c26388c285439f868632bc2494206681942f57fea3f565bf20b2447ac4ad393b4f2a4f003ef28a4bf6a

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
512B

MD5
cbfefdcb1c3473df509912fdb0224141

SHA1
8dc7c250d8471166f56bd45d3721df7c512cf2b3

SHA256
ad3b66e3e513b3301d544dc9e6ba0c7a7169a250ef7880e69b24b702539083f9

SHA512
4720157f2ae6c11cb07cdc6552547cafab1ac0779ab49e1ce1857b8a5973664aa25e1997cce1b6e69ac366492448dce98fd33b26638bc1ca3696eb63c1faee53

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
8KB

MD5
fbce4aaf37f87c0207539cae5a0cff0a

SHA1
e662547bd64f05f78d9a549e7238d48fca5304e4

SHA256
bd0ddd989776887353815a5092d1bbb78ddb890a0d4431f95c2192bec7842b8c

SHA512
4585c400afbb4f03aba2ef5003558ac8ed41ee7533efb1db7ab29013a1ebf2d106449c0a86367a4c33ee8f9763d27ad008dfb6bab865aac319cb72f5e712b5e2

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
8KB

MD5
c3110279fd946f9f3513f796a5df1887

SHA1
470f2ed4905f95eacd566480f2a8698e8b26d1c1

SHA256
5748b8a9cbf290aafa854bdac13bb4a7d216ad20bff4a9eac2c5237344207793

SHA512
61d42a278075946befcebcaf107f6d67170f880dc754a8a07b14d9c2082a41eb9dbc69e9cdb94dda81d5a23e1c8e6d9418d625063455929d81bca86011925af1

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
12KB

MD5
daffee2b34e1805375f6988c33561579

SHA1
277e05c734b68d100108bc5d0dc4b9630c60b8b6

SHA256
67987869ef6ed34d4b0996d807cde16c7d95fcf3e6de252b2d231349c703f2c7

SHA512
3932a53486d9fd5c033285832e3db31f4532a474e0ec9987129e5920824bb5fe8dc3fbd785ba4459f2c75a3c583ea06f21157e0e370674107ef2cfcb25b0a0c5

Download Submit
/data/data/lansa.sis722.sers/files/lansa.sis722.sers

Filesize
256B

MD5
6184fa9a97443fbc55532b1e14c8a9a1

SHA1
6527d6c0bbdac74c4dde60611636001e34bba364

SHA256
0c77100f394383414963aa61b7a45243f277513022ea74afa7ec24d214717d55

SHA512
8804c542f5a4e1902d839e116eeb82c6c357caf9275a14e8e2dc967627221ec25b2c6491e65ec0f4dc33450e4de77832b63222361babf29cb16ae76a6de36c52

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
54029dee2d8f32bea5f7fe17f37694f5

SHA1
b86dadfdc7e32e9087f461caf864503594494dd2

SHA256
fd073caf5fe516dc049f73d668bb6400bd325a1e0edd48f075795af0f745813d

SHA512
bf38368346f41f0da5d1fd03d2a004c1335d68e306b6bbff7f8f76cb8eab69cac4fb6e87770b11c32321f3e1acd777ef1e86b070e8597ec59f0af8ea6cc145c4

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
e1776dc78fe2277cf7a079c7f752ff3c

SHA1
c710157acbd1920f852906bc72f3aaca2c01611f

SHA256
758aba0718d29167790fc1442ae22180bc1baf7246e02f14999062ae579cd8d2

SHA512
0ff13145985146772ad702cba44790bda4f590fb2325f8e39380643760ba7df0e660d47061ef8a1be9e915ccdf44afa639e2565118e80dd5eec5e5057aa8bd39

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
650992ce93900cd5de1b24aeddff0e46

SHA1
6dd98d211f42b6d585f4a3841dc465768ed20613

SHA256
30cc03f1a5d50a2697923fbe52cade9653dfdeabcc492246baa09f117780c19b

SHA512
329f5fd74a793ac2781e3c65e5f38cb775b5328ad65fa21e2a83433f1e7bc27d275e7fa7bfa3675cc2a23431b1d55c4923ed7ee82f2d8a4764f94c00749c0ba8

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
44884c7195f1dad995acef3c07f5174b

SHA1
b7bdaa97ca4254e5d7f932d9c37c92e5f787e72c

SHA256
8be2134318885f98b2a9db71afa87d4b3774022f38ee7ae14e624bfbeb49e374

SHA512
dabc0e07764eb67a2e7e7085c297e7b7849e59388bc87bcad67426340ad828bdd0b0711b16d0d984b2bc90a8e81002e346f83ba3e6aef4b1fcfd76e74e3df56c

Download Submit
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes2.dex

Filesize
308KB

MD5
5e58845043089ee3b37392fec0f23992

SHA1
5e8290a1e9b734ae423aaa5f49bef8041545ebbc

SHA256
ad60aece05f500cada31b766831e2fa87aaf6fba58b9dca20c9152f16605faba

SHA512
84387a9add5b7ea6220ecfab5773b62d9d0db6ebce799f5a090817a04d0862158e1acafccabbe99bc2dc7abb30b5ade111bd6b4769ef929f3d57e962bcb656a3

Download Submit
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes3.dex

Filesize
265KB

MD5
cc92d248d0c568e5351842d103bce7a9

SHA1
1d4950fe500f0789ca77fa4858ab8ebc3cb2441f

SHA256
0201c5566b578cf5ec8237dc7970a5a3b63afd2e035d8e94ee82230c8a2a691d

SHA512
a49aa848d7544e20d33de320faf7169c82669438394d861814fb832d8984fafe86c955484654d55cff7d5ff45e0c60d09b7b6e7c4602ef8ef312c0cafbacdfa7

Download Submit
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/lansa.sis722.sers/cache/logs/log.txt

Filesize
83B

MD5
d9acd9c18bbb91b28199e86c0ed381fc

SHA1
eb5666a071f2abad9ed69a5ab330930b5bd6aa5e

SHA256
29cadc86f0f4a39d46cdae3d3dcf41872bf909aee7e0bb44de9ebfb179aca677

SHA512
4fe98e4c3303c848e9e14ad6b764630cacbca5e1983d563383e71dda3d730672041861d4041342a0b8462dbdc3a1111afc2889030c547e84be9716bb5036ddca

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads