Analysis
-
max time kernel
30s -
max time network
31s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system -
submitted
21/03/2025, 18:05
Static task
static1
Behavioral task
behavioral1
Sample
56a74028bfc73c08da282de29a19d26d0539ea5cee846d6364671fe59e6d99d5.apk
Resource
android-33-x64-arm64-20240910-en
Behavioral task
behavioral2
Sample
56a74028bfc73c08da282de29a19d26d0539ea5cee846d6364671fe59e6d99d5.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral3
Sample
deper.apk
Resource
android-33-x64-arm64-20240910-en
Behavioral task
behavioral4
Sample
deper.apk
Resource
android-x86-arm-20240910-en
General
-
Target
deper.apk
-
Size
8.4MB
-
MD5
6fd72f1bcccd204a9e0f99a72b423657
-
SHA1
06e4d4fd5d84371150bdc541136c873c081f8559
-
SHA256
c2925e1433a7f8667540b473c1b7cab2ecce965cf2e8400db81bc740d48f6982
-
SHA512
4826b304f119b97d7531d35e32efb59af3675b30c093884827d0b8a58f55cdbe14a77c4068a8cca0c8f499d3c3c09c63c519141ab8422fae774c0666daeae286
-
SSDEEP
196608:iBj5dbmzbVdw7Dteuo8cLlqfhGRN9ibn0CyNJn:0qpdw77LslyGsbTcV
Malware Config
Extracted
trickmo
http://somakeawish.com/hpuex9yu0lfad7pjoxcl
Signatures
-
TrickMo
TrickMo is an Android banking trojan, first seen in September 2019, that can intercept 2FA codes.
-
Trickmo family
-
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json | 4509 | kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json!classes2.dex | 4509 | kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json!classes3.dex | 4509 | kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json!classes4.dex | 4509 | kegvi.nfec906.cyc
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | kegvi.nfec906.cyc
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | kegvi.nfec906.cyc
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | android.hardware.SensorManager.registerListener | kegvi.nfec906.cyc
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | kegvi.nfec906.cyc
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | kegvi.nfec906.cyc
-
Checks CPU information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/cpuinfo | kegvi.nfec906.cyc
-
Checks memory information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/meminfo | kegvi.nfec906.cyc
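The "Loads dropped Dex/Jar" IoCs above show the process loading classes2.dex through classes4.dex out of app_candy/bofs.json (the sandbox writes an archive member as path!member), that is, a multidex ZIP stored under a .json name. The script below is an added triage example, not code from the sample, the sandbox or this report: it classifies a dropped file by its magic bytes rather than its extension, lists the DEX members a ZIP carries, and flags executable code stored behind a non-code extension. All inputs are constructed inline: bofs.json is a minimal ZIP whose members carry only a DEX header (`dex\n035\0`), while config.json and plugin.jar are invented for contrast and do not appear in the report.

```python
"""Classify dropped files by content, not by name (added triage example)."""
import hashlib
import io
import os
import re
import zipfile
from dataclasses import dataclass, field

DEX_MAGIC = b"dex\n"            # every .dex starts with "dex\n" + version, e.g. "dex\n035\0"
ZIP_MAGIC = b"PK\x03\x04"       # local file header of a ZIP/JAR/APK
DEX_MEMBER = re.compile(r"^classes\d*\.dex$")   # classes.dex, classes2.dex, ...
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip"}


@dataclass
class Finding:
    path: str
    sha256: str
    kind: str                                   # "dex", "zip" or "other"
    dex_members: list[str] = field(default_factory=list)
    disguised: bool = False                     # DEX code behind a non-code extension


def classify(path: str, data: bytes) -> Finding:
    """Classify by magic bytes; the extension is only consulted to spot a mismatch."""
    f = Finding(path=path, sha256=hashlib.sha256(data).hexdigest(), kind="other")
    if data.startswith(DEX_MAGIC):
        f.kind = "dex"
    elif data.startswith(ZIP_MAGIC):
        f.kind = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    # require both the multidex name and the DEX header, so a
                    # stray text file called classes.dex is not counted
                    if DEX_MEMBER.match(name) and zf.read(name).startswith(DEX_MAGIC):
                        f.dex_members.append(name)
        except zipfile.BadZipFile:
            pass                                # truncated/corrupt archive: kind stays "zip", no members
    ext = os.path.splitext(path)[1].lower()
    carries_code = f.kind == "dex" or bool(f.dex_members)
    f.disguised = carries_code and ext not in CODE_EXTENSIONS
    return f


def build_fake_multidex(members: list[str]) -> bytes:
    """Constructed test payload: a ZIP whose members hold only a DEX header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, DEX_MAGIC + b"035\x00" + b"\x00" * 60)
    return buf.getvalue()


# Constructed inputs. bofs.json mirrors the report's IoC path; config.json and
# plugin.jar are invented for contrast and are not in the report.
PKG = "/data/user/0/kegvi.nfec906.cyc"
SAMPLES = {
    f"{PKG}/app_candy/bofs.json": build_fake_multidex(["classes2.dex", "classes3.dex", "classes4.dex"]),
    f"{PKG}/files/config.json": b'{"interval": 60}',
    f"{PKG}/app_candy/plugin.jar": build_fake_multidex(["classes.dex"]),
}


def triage(samples: dict[str, bytes] = SAMPLES) -> dict[str, Finding]:
    return {path: classify(path, data) for path, data in samples.items()}


if __name__ == "__main__":
    for f in triage().values():
        tag = "DISGUISED-DEX" if f.disguised else f.kind.upper()
        print(f"{tag:13} {f.path}  members={f.dex_members}  sha256={f.sha256[:16]}...")
```

On a real device image the same `classify` can be run over every file under the app's data directory; the disguised flag is the one worth alerting on, since an app that legitimately ships extra DEX does so in .jar or .apk containers, not in a file named like JSON.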
Processes
-
kegvi.nfec906.cyc
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4509
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (1)
Downloads
-
Filesize
4.9MB
MD5
897919be20d4c434b795378516bc7141
SHA1
30e0205c068150d8e33fd979a80e40c5958badea
SHA256
ac516ae78e961941f3d77731589db90a5ad60a77bb2a589f033eea4e2a2a723c
SHA512
1dc39dc9e86aac180b420b83084d078b6ebcb541b5958ccbea97fa10a5a40af8c41bb49b36633493c9c13372ace0d0ac36d0db8b8a7b92925aa29e7af4e20ac2
-
Filesize
4.9MB
MD5
44df4ebbf927174833e43c712252f4b3
SHA1
2a8b7cc64b6ef8303c2edb7666b3eabf816f83a3
SHA256
9d98d41bf0c3bc1ad00bfde87d31d81654859436754a531328e7b718dcd2f396
SHA512
139e8ef82d16d15e2cc63b76969c16e387c67be8b3808c301e64059da3fe6cb2f8dbe897bfbe1578d83194848289c017ceff86985e2945bf4f41c34c345057d8
-
Filesize
20KB
MD5
2a08aa3691d360c2ff0815d0b7812fde
SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f
SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c
SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89
-
Filesize
20KB
MD5
91af32c14839a2828ca58297e0861362
SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971
SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923
SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7
-
Filesize
20KB
MD5
4d8409217c63b23fa78a0692eca368d7
SHA1
59e6406628b5410806617bb80c59f8b9b909b91a
SHA256
5478da9601ae5a7f0d0b0a7c9cc9497bc77f369fbaba8db99a9e03211ae6714c
SHA512
e19b145c2d5adb2cc9dc1c515b1146755621e2d10fe204db86dd17afe76996bfbe3b94a81caabfcab3100ffd57573da5d1f419a2e6f7df78403a85689d088dd5
-
Filesize
512B
MD5
99272416d649db62d9ba66bdbfebc42b
SHA1
e2a44e99cc59699ea29787fceab1b5fc66181972
SHA256
3c240f4586fac910f59d22c9f60efc1cff0cfdbc3681a353035e93b15668603d
SHA512
db830402b77c16bde3ae7d54fe2e4e508c04abdbe7b154ef24c4437325be8b001c3286aaa67b7ceababe8d85940e80b1fc293c25c0123a9ecf1a5c2a3980edc4
-
Filesize
8KB
MD5
744e2c7767ecdff25c16395f92e6e969
SHA1
eebd957dfc3c31eba45b5b5449daf13e13d40da1
SHA256
08ca2cc5f984f58f9eba7a852b762bf8e5f72c760beafe9ff865bef6236b4b12
SHA512
81e099ac978693adadc51d3d5d740a40aebeadb299e71d98c6d925b4bc2734bee0ec9b8f027ffd2fc303bd138b07d16f7c187916c0a4c88a906e57b945b77294
-
Filesize
8KB
MD5
ed6657b9dc7da69e0c55eafacf64c8ad
SHA1
9c6ad9557776cd48964f19c05ed6b9cb7b89f6f2
SHA256
9965e7a8862cdab6104953507e6838e0ba1efbd7190caf199323ead33b8e2cea
SHA512
fd51df76525c0481204280814f87e547793355d1d7e0dd3f652ab513b0c4afb0398ec5a450467e76fffef387e9d126816c53f15553b129f6be54c5f4d1898d24
-
Filesize
12KB
MD5
e344e3102ff4059d4457db850dfc9954
SHA1
3db63881e106b28c7421e8cc5a3c3f4e07eb2054
SHA256
700a6eaac3b0feaa3bee8735278300056650173d87d51167c50f2f6a1428605b
SHA512
abe526385c4eab7ee4c89451d0ba977790298cfa80bebc479e9d8aa59aa044d049eb8336f72f2bfaba3d75dac6c36461298066276fae51117a9b88cf01ff897a
-
Filesize
256B
MD5
59fcbcf10a8faebe6bc462b0a9a6e100
SHA1
f178ce0264fdc9ce55ee868031f2279bc2f49a1a
SHA256
c3a2f3e147182b81d5537471c8fd11d45fbc6601eb30bdba0594aec4bcd81980
SHA512
4095097474de97333c78462cd05f89c27c7180495fcb0039c6aab200e2e7bb82dd269a6d3f3463cf962ff1c9108a4b88484f2b5083645a801f386cca6f3c0e7d
-
Filesize
4KB
MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1
fee434f784e73cc7916322e949f727caf8363102
SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8
-
Filesize
512B
MD5
7506e355b31d4de2533a72156aa50fa7
SHA1
33766b873a85bc9fc8aee9b19c39aea9229a7f0d
SHA256
fbc379c21d002b4c241add92527ccbfc39448bde767561c3bfbaea9f7f9ac1d2
SHA512
6c0aaf4fac2ee2bf0115c1c8d237e36218f51d37a293f4eaac4e3598347b0927f68ebfca174755d56085633c8caacc9e82f41362a6456e1294069a8841572e15
-
Filesize
32KB
MD5
bb7df04e1b0a2570657527a7e108ae23
SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
173KB
MD5
b0050ad916ef11e5b2f17be744897bfc
SHA1
b9ad3a344076be0bd0cc6488309b804d2e6edbb9
SHA256
12d799747366a117cdfb1ec753f44ea4dc9abdece074c1ecbb7e94daab6f2cfa
SHA512
51da64db1023ad44199e0ced3ed222d2e580a78504fcfe44bb29924205879e560920ece2b7d97956f23071aaf2fc096f56eb60f80d6b66cb5d0a5a09ec97a73a
-
Filesize
16KB
MD5
aa08ccba835dc1753bf42782aaa7c5fd
SHA1
2b67bed9ebb4e14b5eb62d3af6c35aa3fcc1acc9
SHA256
fda81d3be263ec42d643150e23c52ad73f5f90b0e3b591b964b1954dc742e5db
SHA512
4cd41634381e84d56f09c7ed1c21d63b2f225345243820aaf805bcece073773059aa1d3123823f4b79e90044c8136d215e9f336aaee5fbf689dfb0084ff7b285
-
Filesize
108KB
MD5
b82f5b422fccd99267016f952e108806
SHA1
7f79ca61ab54d246ae69ba595e4b62541e30da6c
SHA256
3a455285c4d01c5ee4b63c02cda36f96e573d68e4f6c8edd793dc70419a95add
SHA512
05dc31765ff75ab5d65e208d0082f7e86fe9b37e7f763df75c2844c13b26777087908533ecda5849c1a3faaa5494fd27b421a538c7b08b620d6601dfa2212111
-
Filesize
10.9MB
MD5
35d4cda95e19e9be467673c78e1e2fa2
SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e
SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746
SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7
-
Filesize
308KB
MD5
c4f1bf1c779a21a25c3dbf5a15efedc5
SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33
SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd
SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a
-
Filesize
265KB
MD5
c6abf8a6dbc7699cb23c034ae965fb05
SHA1
1a420d700e47d712acc84641fad51a4b40041cfe
SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958
SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287
-
Filesize
1.7MB
MD5
30465152db261852e3a226a666ec4304
SHA1
442a188e07db85653022734d0a8537d4312aef38
SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63
-
Filesize
83B
MD5
c47e8cf5c28a606dbb448ef0a85f0663
SHA1
d8145716f133f1155b1ed96734e11becdc216c15
SHA256
ae9b7be896b0af77b46c3e5fcf34de998db6544af3b26b3379f7e6feb706ee3a
SHA512
53bed7a79edefd454cac141c9a290322a7bb34a4c73a8f4357dd12131150181d942c3c16a8f9ea4a734639746c5d4e5b579ae8d0fc722b7394c301e9c12ed5f6