trickmo | d4f5730188d3e9bb6ccd428ca36c934e6a83fffb45afd717d9f1d7a2aa866235

Analysis

max time kernel
29s
max time network
31s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

7.0MB
MD5

36293c4041b160762326ca6a4cb1ac67
SHA1

9caf849114740c2020ba95367cfc7e9588521dff
SHA256

a1729baa1a8e959d01453ab87906b9d6711886a48f04a2d48320320361ef1d95
SHA512

73f8f959f81a37d143f4d889add7c5676e267de93e709b965deb14666c366e39549de9c9d42f6414414a025cf5a5ea36e02737816e72cd291858147f2575478c
SSDEEP

196608:XvCojoIc9v96Dv85B6gkQQ9ceP14W8xf9D:FUIc19cv8j6gkXcIq9D

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json	4498	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes2.dex	4498	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes3.dex	4498	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes4.dex	4498	kegvi.nfec906.cyc

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kegvi.nfec906.cyc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	kegvi.nfec906.cyc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	kegvi.nfec906.cyc

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	kegvi.nfec906.cyc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kegvi.nfec906.cyc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kegvi.nfec906.cyc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kegvi.nfec906.cyc

kegvi.nfec906.cyc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4498

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kegvi.nfec906.cyc/app_venue/EEj.json

Filesize
4.9MB

MD5
9777db128498ba58dac28af4896a7199

SHA1
00005a4ba363e9a7e36f3bcb20c1e388853fcdbc

SHA256
27330fe29e29b779cfcc585713c4921ae55bdec6ce77a1d4e04f340de1dfc2d1

SHA512
fb7c077b36f69f6195e6e14d60d1a100e283589f119bfb627dc7417d62982b5b240299f365699ec250af3f3440bc44411f559659502ecf9dfd4d2aed07aad94e

Download Submit
/data/data/kegvi.nfec906.cyc/app_venue/EEj.json

Filesize
4.9MB

MD5
b2b3075bcdbadfb4908010604f7ad84d

SHA1
73955041895296de3ecae14ed0613e8ddcee5abe

SHA256
46ff52f6360c0325af20f94126ffc1c3d8d72d8965f51b203d8f41541a655568

SHA512
a42a506292899578dda6bb27e8ef50a66519a93b4338312107bfd6f633636935f9414aa7446a9a538dfb1192bad24706cf33f71684827f21a9790803c919a630

Download Submit
/data/data/kegvi.nfec906.cyc/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
95d5d1c05031c34e2717abfa4a1029fa

SHA1
d53b20c3040061dbf1d5415f8f33f8395d9eaa0c

SHA256
b87d8fdb2d164c368b3b5d0978e5a0a8e21ba8062e1d1ceae56349015cd2df1d

SHA512
aa9c400b0a5002c6e8ad807e6e6c13ad4697766f25b5ad148b8fedce630b10c5d74289996986d779b84267913f8e13077747342eb65fbcfc83452fd6c035ac25

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
512B

MD5
632f7d4e8fd28bcb5db7604cdbc7f6f1

SHA1
bd42c12b9528155a4da4ca23379b9602e3adf26a

SHA256
098deb23a622d747e7bfcb9c0c28a23d8bd4b3f3866cbe8e999c049f2cd7b13f

SHA512
921ee725b0bd20caf002fffb473641c72421056d2ade848392a55b5f273053b0d505b0992af426054da3e063c8f895f04b627573cc5c990c43d3627c1a910fc1

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
d57f856ea541df2afb0ef87dd37b6c23

SHA1
fee6e179a05ffd368f2dd293df92dd7f218223b1

SHA256
b8179053bfec0ee6b64d423a9d919b3bffc04b5cbaacf8b6e890038371f07caa

SHA512
2bf27a4767cacabc2ae4999b0e713b936fd4f58c0ec367eaf4911634dbef73025ef39b74f4e615ea59206faaf382b3ba3ed88699199c4b4e3e88589587512b65

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
8c78f9d79c5047a51c0e26cf457f30f5

SHA1
ca443248f38d1b698e0edd89cf70750a3ff67da4

SHA256
58c3b068653678fe1771d761a10597906c9555e410b6de5a079d1986a5ee15f9

SHA512
d0e6fa71d53714f2d8e35787245a3793814f2697dcd84d7cb58592a2e364385e41aa8510815cb9d6269c7457d698311a094173360dd0be962e4a1adddc64c593

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
12KB

MD5
bb1b03d33232480217aea0cb3cdf8ff1

SHA1
0ab54b4b47ca021650ad163325a92029bbbaa555

SHA256
c04f3ee6642e98e14c51bab71c2f237bdb860a915ca5a4e2cd0bf0ec8a35f1cb

SHA512
2272683822159588eec7f6ac8ddba823f78a4da889a5badb8fda5c4f6db8f90d51426b48777dc81b6a8dc4e0f40f946ed9b86352b187d5654bf13cdec7f2656d

Download Submit
/data/data/kegvi.nfec906.cyc/files/kegvi.nfec906.cyc

Filesize
256B

MD5
0e74b89f91667928beafedcd945de27f

SHA1
f977bb708d49694a9e4c495904b6934e6c97bd47

SHA256
02af8d370a56ef6f4b07c9c23d7a54770482e7b171be7bb59417a23572cd917d

SHA512
ea9238f3c1a40ab2a9abc8bf2637fbb78d9d0526b8d0c311377d714196423162ba5e5ee9bb857ff7dcc71e5ef252d1b5fb84ae1d557773501afb92e5228a0641

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
3d799fb5ade2fcb71527df04ff1f5039

SHA1
84289d0588ee89bc3434009a02851b6d5a4cbe03

SHA256
c57a0b21bb5a7f5bcc28aa342e412607ca0b1b1e2861cd5518b19fdb23d4e192

SHA512
3e4da88fde2904c5c0e1f3de67a306a76e188144238fd073b40e61d85041df1442dab312c97cf4bdba43c079587d81364505d5f88e49f967470de8de8098cf93

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
22fba67db05e1ef90641c5d4785ba820

SHA1
a72a20eebf17c9210c829d6378a2a926e59de910

SHA256
5cf4eca21b2c8552a21da86091b6e0e3293bf30fa67f387e59b9c3aae3cb991c

SHA512
3a46fc6585a875177f2bc2a0b9ec772d9e7575b729de43e711c446c5a39f45a2056e83c06cb3b908775b35b1cb5baa8199f1d42bd7d10eb74ae6ce30e352ff68

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
dafb66f04726e8173f50d63e8a23c1bc

SHA1
7c5c0f302ae842976879122480edfaabadedd936

SHA256
4c3feeb68f440cfe3dbbb3007819d73506bb765f1cb301985bd24a9d8f2f833c

SHA512
0d363d3cbd6c483fcb505b5d39916b84342769851398b2efb44100f2371ff592b30685c85b02c841c70287e0e5c62216279a65a7a8ea28c4bf1dfd2e09b6302d

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
f12cb70805aa2486b612068f6d91b388

SHA1
291e573f35f100e5b72ce70975c31a325fb62fdc

SHA256
7cb57661c5d361ede790c1f9e4a8dbe5b4967f048199d2c809a932a7d09fd686

SHA512
3e65bc2433a34ff1a382a08ca64d87d25433cb8912aa7c70efb574c734e52acdf79d1c0532b78c44fa5f141f111dbec65447b98b6f9bc78c3e0df1b367972f48

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes2.dex

Filesize
308KB

MD5
c4f1bf1c779a21a25c3dbf5a15efedc5

SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33

SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd

SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes3.dex

Filesize
265KB

MD5
c6abf8a6dbc7699cb23c034ae965fb05

SHA1
1a420d700e47d712acc84641fad51a4b40041cfe

SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958

SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/kegvi.nfec906.cyc/cache/logs/log.txt

Filesize
83B

MD5
5ac83b6abfff0f5b318017a15f280ed6

SHA1
04e8357363ca6593d28ccd5357fb9f9a99d1a9b9

SHA256
c532f79105bcd026a58ca8004d50dbf4f26ac8d4e39fcb1131e723c603847119

SHA512
f8f99ed4797c766cc3759c52d6171aac25a4844cc89d593a34b2f006aec577ea26910007c3a4d4daf7430a81af6dbe8090598c64aa5ffb09210aec990a9eb3a2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads