trickmo | 07b114daff3e1edd5e7f1a2f813cd7dda6f3902cda03f1a8f4ecf230efa52ef9

Analysis

max time kernel
12s
max time network
149s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
22/03/2025, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

6.8MB
MD5

fb036e22c765cf7dfa625b25ed43b520
SHA1

bf36e7998e76f1b6d64b833fce4e2fbd2df67621
SHA256

0f0f6a50d4d96be437251a0029aebb34b53fdf4b3adb838dcffd217bd657e6d3
SHA512

aad2051941c707d8cbd2f2e26000d1835f11cc5ae503776213ca4e81c8d96c9fb0acbee0d46ddd3a687ef2ab8cd37df062500d29270519d27a4f60ad51c5d135
SSDEEP

196608:84NS+koOTZwleubHrPlCDruIexT2FDuxgey:5NpOissrlCvuIexiqxgey

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://traktortany.org/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json	5069	lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes2.dex	5069	lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes3.dex	5069	lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes4.dex	5069	lansa.sis722.sers

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	lansa.sis722.sers

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	lansa.sis722.sers

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	lansa.sis722.sers

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	lansa.sis722.sers

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	lansa.sis722.sers

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	lansa.sis722.sers

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	lansa.sis722.sers

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	lansa.sis722.sers

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	lansa.sis722.sers

lansa.sis722.sers
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5069

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/lansa.sis722.sers/app_dawn/ZldSO.json

Filesize
4.9MB

MD5
c061bae620d91be24cb526c28bd172f0

SHA1
5b7d9ca0978aa2ecbddac34adbc1366d346298fb

SHA256
8677bdce1bfa345d8d393ffd9b4495d0f11916c3e8b78e3c3a0e869fb1f50b26

SHA512
7cabc200ca22bc0285a424ff8ba7a974ddcc86e0d7049e02b0f0819f141f4b31f6eabcfc55725c493c511caeace038bda82c3f271fae068020bdd5797525efe4

Download Submit
/data/data/lansa.sis722.sers/app_dawn/ZldSO.json

Filesize
4.9MB

MD5
7de90707f33dcd6b4c16c5030a7cb478

SHA1
007c067a2a164d68b2a82eeb19fcaaa3633e0c1b

SHA256
7d4b7850eba8e805a62f8de97fd8bf60e61d2da62425c34ae80adc635a3053f6

SHA512
8370bba49ca500788beeacf0e895a103b9010db3b4de3098993853c70f2726a9615ec9f560ab8cc5eac01f7e196f834d04da31eb64029b552b590fcc59f5f5b1

Download Submit
/data/data/lansa.sis722.sers/cache/clicker.json

Filesize
20KB

MD5
e48ae2e98ea5b39dd12819b5cceb7dc3

SHA1
219af8ebe9bb26b76eaa53356a613e5fbb806dea

SHA256
6e954b8f3df47f2444f1877d8b714e7baa19a1fa4eeca749943eadee1661eac9

SHA512
443960bd2d2d0c9a57fd5d2bd75d7efe78071ece69f020260065ae0fffae70e5559c31476156fff62b7f24f4e72b953885a0ea1a858d9205d658e9738bb181a1

Download Submit
/data/data/lansa.sis722.sers/databases/a

Filesize
20KB

MD5
4701fffdbed74694ddcfdec35563aedd

SHA1
a221c708b91968e58b4414cce3e0f77593a08de3

SHA256
90f0696b3fb17fc86b8bd7d7418f7e0632fedd4f9a4ce701830c73db392efd19

SHA512
5f237bdaf6cf7c9e217519e775c73e0aa5ca15ecc2007a7015722082b0ea5e1f8a4d45be94d3f30af0f311174e29befec4491ff8f106be78e76181322d5744cf

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
512B

MD5
d14e65634fcf9d63323aff67ff57eee9

SHA1
30cf67e351db7e306132bc59ce9ea0d1d3424974

SHA256
7e32d55f9026975190acf56e4d96d72380aa0878e8f7c29ec30dd865d6701a26

SHA512
ac4a85ec22eae7e5929c0772b283ab023bcc7db92638559f13dd69a910aca3716886e5e61ad1277ccb85d67d8c3356b610a9d51a08012d44470942cd7df9412d

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
8KB

MD5
fa25d4c20739ba32954ab614e5d06c1e

SHA1
9bd501d0910f368a4bf7f92dac9c5534af825ca8

SHA256
0316a01815bdfd0f64ebd0aa8ddf5dd35c040794d83aded0b089bf5d637841d9

SHA512
ea665179da99038bcc525dc22721d75848c049c585e32fcfdf0b97ecb9886a0775645b9217bbac44c71dcc12663188afc64c874325a767c8c157b1acf78c18f6

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
8KB

MD5
abe55bbef608487f8fe1a9b569d1367d

SHA1
a7842010adb8734cc759ef848ad1bfc9b402c37d

SHA256
a12e1d85fc908ff90d265bd226aa5a3f18cf7e451bea29bbd3bfa656084d9165

SHA512
8f8ba1b3941d047b970c2bcc96968fcdd70c7eeb6c1eed3773097b576e471251c190e597af85fb43da6a058f72d52dcc984ccfda869747c15f2e7cfdfd275aa2

Download Submit
/data/data/lansa.sis722.sers/databases/a-journal

Filesize
12KB

MD5
ac8a969d51f3b459330de3e30a8ae9a6

SHA1
edf7bb291cb9d80dfb4c3d788c6aef90c8ff777c

SHA256
c77cf62cbf461e339cb1fb697ab87fcfa3a683a240585a0feecf10ce1602221d

SHA512
b7fa3e2855f19f65516190a51b9b14e742a2647ab4ba9b27c666ffa74fbb2c4cb7ac31cf5b4ad09d375c3af04cad1924983cf18c61066180c38d13dd00253f1c

Download Submit
/data/data/lansa.sis722.sers/files/lansa.sis722.sers

Filesize
256B

MD5
f4ea6feb0a3aa40e7b9784e189f448d6

SHA1
b01841cf731fae612ac6bd79f32023192c7fe8b7

SHA256
1a79f03a7646cbc85227ecf3c03cf66fcf7f164ccbbd5e5e30c9f4a7e5106edd

SHA512
ebd1addc9ba20a538cc0a3f3e7a5bb810fd2fbcfbfd3364ac193bb0bea213702451039e6539119201c26c2b5e56c841e0f329860b502eb47aad5898a5a6dc801

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
90702f0c5f6bcd7380c228f63c0d7a53

SHA1
3ba5da585a52d7b78e2b29c894834a4149794615

SHA256
98acbf72a56280c9f7d137fde223e5926750ee84e7be50a67816aec4a7c85a5f

SHA512
7cc04fd6bacf0b0ef2fa0a29e842141573255b432e9481984c446350ca9ceb7cf2e970bb61f5b42399a6331847276846e1d120144a09cedaa4ec3def199fc793

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
b18bdd317aac3e1f7d9095edaa7b7a17

SHA1
09e4674811ab202b205faa433deaf5caa38ab973

SHA256
f59efa507bec1aad870625349d25fbc910bf8f60cc4e07e2ed9693e5dfa37075

SHA512
15e1661c0170f7bd73322d637ac3a770f5193a2fb925eb1b64b8bcc8f3d1940abde3d9bdc89ecdf4f100f2264662cb7bde44e3a04a7fe0a850b20712be5f03c2

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
f784b78e29689a5650fa141b2cc1d0de

SHA1
3ce2001f4a5be04fec495cf8cb44b6a6338094bb

SHA256
2fc5a0fe2a26a98068aed4f5717a47205ff52bc71feda7844ac170093520235e

SHA512
684539d49ab545807502d0b270e58c93c052ae8bd8dd9c1c4f48f063a23e006ecb3c51b405f54b1b040635cac4e981c6620093c1a38a6c2dff71926c6c317ad5

Download Submit
/data/data/lansa.sis722.sers/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
85ec3554f04959ef3cd5598f698b0e27

SHA1
e4c2b5dc330ea0e19b42256fa62d2b60aec0813c

SHA256
9ce3c7b59a3b427c1471a5e80f6b0dcaac0cda88c9afb1114d758db9eec20a4f

SHA512
325eaaa7e3ef2600d95791826a49229d613ee7532c3ed969e05b77cfee76de1a7d178cbfe7396338d1e1566c50abd29d8745319740a536312b5f84707dbb9fc8

Download Submit
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes2.dex

Filesize
308KB

MD5
5e58845043089ee3b37392fec0f23992

SHA1
5e8290a1e9b734ae423aaa5f49bef8041545ebbc

SHA256
ad60aece05f500cada31b766831e2fa87aaf6fba58b9dca20c9152f16605faba

SHA512
84387a9add5b7ea6220ecfab5773b62d9d0db6ebce799f5a090817a04d0862158e1acafccabbe99bc2dc7abb30b5ade111bd6b4769ef929f3d57e962bcb656a3

Download Submit
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes3.dex

Filesize
265KB

MD5
cc92d248d0c568e5351842d103bce7a9

SHA1
1d4950fe500f0789ca77fa4858ab8ebc3cb2441f

SHA256
0201c5566b578cf5ec8237dc7970a5a3b63afd2e035d8e94ee82230c8a2a691d

SHA512
a49aa848d7544e20d33de320faf7169c82669438394d861814fb832d8984fafe86c955484654d55cff7d5ff45e0c60d09b7b6e7c4602ef8ef312c0cafbacdfa7

Download Submit
/data/user/0/lansa.sis722.sers/app_dawn/ZldSO.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/lansa.sis722.sers/cache/logs/log.txt

Filesize
83B

MD5
d715aa3bf7b8a439611d752ad9e01d39

SHA1
b797fc912d74f6f7b2c7629f11af19056790851f

SHA256
64c80c9b71f5c1d9b6731436a3823a94dfefbfccc1e5b66157788b5f8443cdfe

SHA512
ba7cb0c892ed2b2ae9d8182709527a375aa733266470b0054916d05835cc9099a3f8301a65dfcf1d722b56154a02bec95fb157657501f40685775a135191372d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads