trickmo | d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f

Analysis

max time kernel
29s
max time network
29s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f.apk
Size

8.8MB
MD5

b8749ed305053ea52cb866fd6dd7444c
SHA1

cd9931622abdaca64ee70021965606a199c2bc12
SHA256

d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f
SHA512

6d2dc1cde0dd94ed4ce4abef7334f5e703559a6d2749bbed2cfa264c4b6a5cad45716fcad47f506777f3e73c6dfd23c9d538e607b4012e46227d29362935e5bc
SSDEEP

196608:JbUoY2S7vhEYoQRl90WGQ647qfsrLgbO6JL1gf408gBArrX/s0WbhJ:JbUoYvhN90LH47qUaL1g5tAXPFWbP

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json	4469	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes2.dex	4469	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes3.dex	4469	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes4.dex	4469	kegvi.nfec906.cyc

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kegvi.nfec906.cyc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	kegvi.nfec906.cyc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	kegvi.nfec906.cyc

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	kegvi.nfec906.cyc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kegvi.nfec906.cyc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kegvi.nfec906.cyc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kegvi.nfec906.cyc

kegvi.nfec906.cyc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4469

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kegvi.nfec906.cyc/app_issue/uOtWWFa.json

Filesize
4.9MB

MD5
3e8400a08084ec943082a6246f7dd421

SHA1
690fdfbceacf7fcdb56d16ec6af727d98460518e

SHA256
f12d935dee605f160e2b1df9686b55d651b0ef8f86aaf4ae61e3907768ec0556

SHA512
05fe6ca0c0f7f7f9bcb1bda5668e19a522e5415098a337b2d3d1de400a90eaadf036c827d085f62b74a03a8fa5c907ddf2ec922589ac72bb6d5469bc0ecd24b4

Download Submit
/data/data/kegvi.nfec906.cyc/app_issue/uOtWWFa.json

Filesize
4.9MB

MD5
f0b0515dc0a5a55f5cd9bc40cf195ac5

SHA1
27e15c3fefd383c14d390c800c56dd749960f8c3

SHA256
53b58627764de1e0acb24cf5b377b66903aabc04cdbe1485c9ca66b319439b37

SHA512
db36b180f24d421894ac9bf250d97ed56d2105e97ade8eff9892a8f35ee7fab0ff010699eac579717a82ce23899fc119ed5a25c11f9d328061fcaca223ef11a6

Download Submit
/data/data/kegvi.nfec906.cyc/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
d776d480d57c5f014fccba6926b265a4

SHA1
07e510db91f6678a76f976570e646520a08020fa

SHA256
1f28236a41da91069497b7c6d829760c29eb8bb5916fb58120b421d73a027ea0

SHA512
816eb01e7959f207d16d43920c378199352733e8227ad7fb47e6a59c74242fdd290f6e8923f87b1aa84abe63b9d10e7c4cf8cd3ec31b9650c712761de7d01e22

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
512B

MD5
4b46076f00ac0352934b94593410252b

SHA1
a416ab21909f20772048f1cc0b5059dba8e7ed39

SHA256
1d671ce632996cd744e87e62b4ed1617eb9ccdb2ab55ca63166f4d699c5ebf93

SHA512
0ac07fd958756e33e4ae4602be412c26bbf28c0ebcc29e862f112ae167c121444511a924468ba9311163c9dd23b35023378e0fe8e0f0ff632a02d61ee6654412

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
112acf8f1406df03d6ad0dea18b60baa

SHA1
16d357339a762e5af210c57ce5e86b5332bbce7f

SHA256
b7c4af82de18559b875a59a2c5720c9f9e8602c9cc61287d8f5616ef3692ee8b

SHA512
dc0bd672b22ba105d08c7970ba704189165793481d299d93c6b8bd3af714dd43fde179656fbf4186087c8edc50fbc75b9ed01f7c5989d4acb017e6c4eac33855

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
38e5b021f916f6d602b305ba91023d30

SHA1
04f0d7b4640eefcfb1d5402f21d7772850798960

SHA256
72d8adc4cb9221c06576ecb028f86e224ca46d5fa014e4afd6265ea9486966af

SHA512
247f17a158591cd8c3da5a352f16c1d60fcaf43622c4d999bf989a67fd0c3e4a2f02f1b7e7fe9c060d3c007f5d955879dd77f079c34fd9ddfa4a927c18adff6b

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
12KB

MD5
a4374a5771000a68ca31e304b0b619d1

SHA1
1bd9bf08b2e157b31ae6441fe5300e08a8146e32

SHA256
89bb7d102faaa6364d13e2314c25ba67fed78ac7b8166b368e9725db55e07e00

SHA512
ce322b97d04c9e54e773405023bd6c7be22598a8554208850a783a69ef800f3f101b28cf7f51c27e6ad1eb996b03c4dae6a1d266eefaa832fc69eb4545bafa8f

Download Submit
/data/data/kegvi.nfec906.cyc/files/kegvi.nfec906.cyc

Filesize
256B

MD5
f1e3a16a27620cd154767872f19e22c1

SHA1
759d9e6f3c51cca8a3fbd300ade60fa2486f73b4

SHA256
efcc85994f9404b34a6290a42bb02b339cbbc0849b305d4ab8ff30b713595f35

SHA512
87ce431487ee2d8591755cc11b04318d764df53067936e5403960526671ff81552ca8b5e9e9eb0836d4b043006be5f317bce440813b3b2467f5730f5f61f816f

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
165a043c6bee001984a096bb94901332

SHA1
39765ce3d5153ee514f94fd2713fd3429695eff9

SHA256
32ee3c9634c64523f36c3f28b29b68fd498953dbb5b0c9e46223323f25576509

SHA512
fb1456dd427a27e43f0e2712a82b261cf674e046c757674dfcb008b9eadb3be26e2c8337f5bec5b48de78b524410cb067d2a48fd8492cf25695a50a4856e1663

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
42ddbba7fa7c42a94e52f21c0fb64d1e

SHA1
e59e7a2a72106f6e26bc59d6af367f51076dbfde

SHA256
1bf8c79c9def61a92148487db3ec126cb5039f7773418408331eee0822cfcb80

SHA512
5028154c18635e7f61bab3c1ab2ed49327221245649ad60076f0baace768790df16105cbf3e73f62b424acccd4b6fce1843ec8e1e3dbc685cb1128f9f460a2ef

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
ed85c86b3e886997ea959828fcc1d34f

SHA1
21f6feed209c0d30d98e59a9badac666e3a26bdb

SHA256
cdd2d22e73e5bb6fee260da2a6d7e36d44b42e8ebd8ec783e2f7aab3ff7cd3b6

SHA512
bebfef0020e3ea280578e4788a57e4caf9ce143e01ad635e5806a9216c13e03d8e8518a09dc35cf90c078c1ee53b8967da89050b49c51e02e762482b4a22d30b

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
50aa8f993ace9b2a577b365ac54a5d7a

SHA1
28a6971800813c45a92a5b4c06a3c3dfad41af10

SHA256
087fbdd5a8685f5bb4bae976c4d225eedd1f90130e0078803ebfba7d8e03acc0

SHA512
57f99f96df48205f8007fc93a91acb655805c25fc3bb62989eda6f9fb1452e56f229a77b951db9f2cc525f307c27b62a5f73c8eab4afc00f16c2aac567c8a563

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes2.dex

Filesize
308KB

MD5
c4f1bf1c779a21a25c3dbf5a15efedc5

SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33

SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd

SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes3.dex

Filesize
265KB

MD5
c6abf8a6dbc7699cb23c034ae965fb05

SHA1
1a420d700e47d712acc84641fad51a4b40041cfe

SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958

SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/kegvi.nfec906.cyc/cache/logs/log.txt

Filesize
83B

MD5
c32c02d61605a7f33d430aa1947da843

SHA1
82af47c997a8059ef9a0373a0cb0f1c872929052

SHA256
6c2b54a80d1fe8d7e12bd2158ca685d80a92f32e2ca9d969ea81345ddf78a280

SHA512
63100b574a5692461fa4d648f47415ddd7659b34462a7b5507dba12157f5cf6388b9d19c201396ce85d10f7e25f6240670ee1a2899711ccb0121ca593eaa122d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads