trickmo | 56a74028bfc73c08da282de29a19d26d0539ea5cee846d6364671fe59e6d99d5

Analysis

max time kernel
30s
max time network
31s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

8.4MB
MD5

6fd72f1bcccd204a9e0f99a72b423657
SHA1

06e4d4fd5d84371150bdc541136c873c081f8559
SHA256

c2925e1433a7f8667540b473c1b7cab2ecce965cf2e8400db81bc740d48f6982
SHA512

4826b304f119b97d7531d35e32efb59af3675b30c093884827d0b8a58f55cdbe14a77c4068a8cca0c8f499d3c3c09c63c519141ab8422fae774c0666daeae286
SSDEEP

196608:iBj5dbmzbVdw7Dteuo8cLlqfhGRN9ibn0CyNJn:0qpdw77LslyGsbTcV

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json	4509	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json!classes2.dex	4509	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json!classes3.dex	4509	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json!classes4.dex	4509	kegvi.nfec906.cyc

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kegvi.nfec906.cyc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	kegvi.nfec906.cyc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	kegvi.nfec906.cyc

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	kegvi.nfec906.cyc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kegvi.nfec906.cyc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kegvi.nfec906.cyc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kegvi.nfec906.cyc

kegvi.nfec906.cyc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4509

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kegvi.nfec906.cyc/app_candy/bofs.json

Filesize
4.9MB

MD5
897919be20d4c434b795378516bc7141

SHA1
30e0205c068150d8e33fd979a80e40c5958badea

SHA256
ac516ae78e961941f3d77731589db90a5ad60a77bb2a589f033eea4e2a2a723c

SHA512
1dc39dc9e86aac180b420b83084d078b6ebcb541b5958ccbea97fa10a5a40af8c41bb49b36633493c9c13372ace0d0ac36d0db8b8a7b92925aa29e7af4e20ac2

Download Submit
/data/data/kegvi.nfec906.cyc/app_candy/bofs.json

Filesize
4.9MB

MD5
44df4ebbf927174833e43c712252f4b3

SHA1
2a8b7cc64b6ef8303c2edb7666b3eabf816f83a3

SHA256
9d98d41bf0c3bc1ad00bfde87d31d81654859436754a531328e7b718dcd2f396

SHA512
139e8ef82d16d15e2cc63b76969c16e387c67be8b3808c301e64059da3fe6cb2f8dbe897bfbe1578d83194848289c017ceff86985e2945bf4f41c34c345057d8

Download Submit
/data/data/kegvi.nfec906.cyc/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
4d8409217c63b23fa78a0692eca368d7

SHA1
59e6406628b5410806617bb80c59f8b9b909b91a

SHA256
5478da9601ae5a7f0d0b0a7c9cc9497bc77f369fbaba8db99a9e03211ae6714c

SHA512
e19b145c2d5adb2cc9dc1c515b1146755621e2d10fe204db86dd17afe76996bfbe3b94a81caabfcab3100ffd57573da5d1f419a2e6f7df78403a85689d088dd5

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
512B

MD5
99272416d649db62d9ba66bdbfebc42b

SHA1
e2a44e99cc59699ea29787fceab1b5fc66181972

SHA256
3c240f4586fac910f59d22c9f60efc1cff0cfdbc3681a353035e93b15668603d

SHA512
db830402b77c16bde3ae7d54fe2e4e508c04abdbe7b154ef24c4437325be8b001c3286aaa67b7ceababe8d85940e80b1fc293c25c0123a9ecf1a5c2a3980edc4

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
744e2c7767ecdff25c16395f92e6e969

SHA1
eebd957dfc3c31eba45b5b5449daf13e13d40da1

SHA256
08ca2cc5f984f58f9eba7a852b762bf8e5f72c760beafe9ff865bef6236b4b12

SHA512
81e099ac978693adadc51d3d5d740a40aebeadb299e71d98c6d925b4bc2734bee0ec9b8f027ffd2fc303bd138b07d16f7c187916c0a4c88a906e57b945b77294

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
ed6657b9dc7da69e0c55eafacf64c8ad

SHA1
9c6ad9557776cd48964f19c05ed6b9cb7b89f6f2

SHA256
9965e7a8862cdab6104953507e6838e0ba1efbd7190caf199323ead33b8e2cea

SHA512
fd51df76525c0481204280814f87e547793355d1d7e0dd3f652ab513b0c4afb0398ec5a450467e76fffef387e9d126816c53f15553b129f6be54c5f4d1898d24

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
12KB

MD5
e344e3102ff4059d4457db850dfc9954

SHA1
3db63881e106b28c7421e8cc5a3c3f4e07eb2054

SHA256
700a6eaac3b0feaa3bee8735278300056650173d87d51167c50f2f6a1428605b

SHA512
abe526385c4eab7ee4c89451d0ba977790298cfa80bebc479e9d8aa59aa044d049eb8336f72f2bfaba3d75dac6c36461298066276fae51117a9b88cf01ff897a

Download Submit
/data/data/kegvi.nfec906.cyc/files/kegvi.nfec906.cyc

Filesize
256B

MD5
59fcbcf10a8faebe6bc462b0a9a6e100

SHA1
f178ce0264fdc9ce55ee868031f2279bc2f49a1a

SHA256
c3a2f3e147182b81d5537471c8fd11d45fbc6601eb30bdba0594aec4bcd81980

SHA512
4095097474de97333c78462cd05f89c27c7180495fcb0039c6aab200e2e7bb82dd269a6d3f3463cf962ff1c9108a4b88484f2b5083645a801f386cca6f3c0e7d

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
7506e355b31d4de2533a72156aa50fa7

SHA1
33766b873a85bc9fc8aee9b19c39aea9229a7f0d

SHA256
fbc379c21d002b4c241add92527ccbfc39448bde767561c3bfbaea9f7f9ac1d2

SHA512
6c0aaf4fac2ee2bf0115c1c8d237e36218f51d37a293f4eaac4e3598347b0927f68ebfca174755d56085633c8caacc9e82f41362a6456e1294069a8841572e15

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
b0050ad916ef11e5b2f17be744897bfc

SHA1
b9ad3a344076be0bd0cc6488309b804d2e6edbb9

SHA256
12d799747366a117cdfb1ec753f44ea4dc9abdece074c1ecbb7e94daab6f2cfa

SHA512
51da64db1023ad44199e0ced3ed222d2e580a78504fcfe44bb29924205879e560920ece2b7d97956f23071aaf2fc096f56eb60f80d6b66cb5d0a5a09ec97a73a

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
aa08ccba835dc1753bf42782aaa7c5fd

SHA1
2b67bed9ebb4e14b5eb62d3af6c35aa3fcc1acc9

SHA256
fda81d3be263ec42d643150e23c52ad73f5f90b0e3b591b964b1954dc742e5db

SHA512
4cd41634381e84d56f09c7ed1c21d63b2f225345243820aaf805bcece073773059aa1d3123823f4b79e90044c8136d215e9f336aaee5fbf689dfb0084ff7b285

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
b82f5b422fccd99267016f952e108806

SHA1
7f79ca61ab54d246ae69ba595e4b62541e30da6c

SHA256
3a455285c4d01c5ee4b63c02cda36f96e573d68e4f6c8edd793dc70419a95add

SHA512
05dc31765ff75ab5d65e208d0082f7e86fe9b37e7f763df75c2844c13b26777087908533ecda5849c1a3faaa5494fd27b421a538c7b08b620d6601dfa2212111

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json!classes2.dex

Filesize
308KB

MD5
c4f1bf1c779a21a25c3dbf5a15efedc5

SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33

SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd

SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json!classes3.dex

Filesize
265KB

MD5
c6abf8a6dbc7699cb23c034ae965fb05

SHA1
1a420d700e47d712acc84641fad51a4b40041cfe

SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958

SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_candy/bofs.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/kegvi.nfec906.cyc/cache/logs/log.txt

Filesize
83B

MD5
c47e8cf5c28a606dbb448ef0a85f0663

SHA1
d8145716f133f1155b1ed96734e11becdc216c15

SHA256
ae9b7be896b0af77b46c3e5fcf34de998db6544af3b26b3379f7e6feb706ee3a

SHA512
53bed7a79edefd454cac141c9a290322a7bb34a4c73a8f4357dd12131150181d942c3c16a8f9ea4a734639746c5d4e5b579ae8d0fc722b7394c301e9c12ed5f6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads