trickmo | d4f5730188d3e9bb6ccd428ca36c934e6a83fffb45afd717d9f1d7a2aa866235

Analysis

max time kernel
125s
max time network
153s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
21/03/2025, 19:02 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

7.0MB
MD5

36293c4041b160762326ca6a4cb1ac67
SHA1

9caf849114740c2020ba95367cfc7e9588521dff
SHA256

a1729baa1a8e959d01453ab87906b9d6711886a48f04a2d48320320361ef1d95
SHA512

73f8f959f81a37d143f4d889add7c5676e267de93e709b965deb14666c366e39549de9c9d42f6414414a025cf5a5ea36e02737816e72cd291858147f2575478c
SSDEEP

196608:XvCojoIc9v96Dv85B6gkQQ9ceP14W8xf9D:FUIc19cv8j6gkXcIq9D

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json	5227	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes2.dex	5227	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes3.dex	5227	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes4.dex	5227	kegvi.nfec906.cyc

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kegvi.nfec906.cyc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	kegvi.nfec906.cyc

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	kegvi.nfec906.cyc

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	kegvi.nfec906.cyc

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	kegvi.nfec906.cyc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kegvi.nfec906.cyc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kegvi.nfec906.cyc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kegvi.nfec906.cyc

kegvi.nfec906.cyc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5227

Network

DNS

appassets.androidplatform.net

Remote address:

1.1.1.1:53

Request

appassets.androidplatform.net

IN A

Response
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.180.14

216.58.201.110:443

tls, https

914 B
40 B
1
1
216.58.201.110:443

tls, https

914 B
40 B
1
1
142.250.180.14:443

android.apis.google.com

tls

2.9kB
6.8kB
15
15
142.250.180.14:443

android.apis.google.com

52 B
1
142.250.180.14:443

android.apis.google.com

364 B
7
216.58.213.2:443

520 B
10

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

appassets.androidplatform.net

dns

75 B
135 B
1
1

DNS Request

appassets.androidplatform.net
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.180.14

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kegvi.nfec906.cyc/app_venue/EEj.json

Filesize
4.9MB

MD5
9777db128498ba58dac28af4896a7199

SHA1
00005a4ba363e9a7e36f3bcb20c1e388853fcdbc

SHA256
27330fe29e29b779cfcc585713c4921ae55bdec6ce77a1d4e04f340de1dfc2d1

SHA512
fb7c077b36f69f6195e6e14d60d1a100e283589f119bfb627dc7417d62982b5b240299f365699ec250af3f3440bc44411f559659502ecf9dfd4d2aed07aad94e

Download Submit
/data/data/kegvi.nfec906.cyc/app_venue/EEj.json

Filesize
4.9MB

MD5
b2b3075bcdbadfb4908010604f7ad84d

SHA1
73955041895296de3ecae14ed0613e8ddcee5abe

SHA256
46ff52f6360c0325af20f94126ffc1c3d8d72d8965f51b203d8f41541a655568

SHA512
a42a506292899578dda6bb27e8ef50a66519a93b4338312107bfd6f633636935f9414aa7446a9a538dfb1192bad24706cf33f71684827f21a9790803c919a630

Download Submit
/data/data/kegvi.nfec906.cyc/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
93e7f88ba7fd4f0152e8e5dc56f1acc0

SHA1
f29883585567a32fe4d487e5df14173c39c09e65

SHA256
dc6bc98e7f294d8994b3120cb87c0ed1d998e559daab810a68323a8968c60c2c

SHA512
be40cb85f75181627e2e4f7fb01e371ad4ce5051416d7e931ae45479a1357526e89a017aa461de03076c0b650eb5c851c239e88556677e859bb9b7c28e48d745

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
512B

MD5
d09a18d3b157b74811a7b24760d71b69

SHA1
5c96b537e52bb0ac041a897c8ddb745e07996607

SHA256
219bfa12fc1333e890d854dbb1666623e8d5e997130ec2ac80b1b9402fbe51c6

SHA512
cb4d0cbe42716dcff57207ded9f349fd802fb488718014937789e46f8a66b3f562791593b4b8c7ef52bca5402082aed0a551873b0a8d194050030e3188e5f6fe

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
b1898027dd40dfd50852cbf7847507ec

SHA1
b006d7909dc96afb45c04c01f22d33db82582fc3

SHA256
abb12155a832ce0fd949c36eb6d5554b6c1934a56c92176ac75de35b8ab897b7

SHA512
96c3fd40ea589051bc7518066f669ab2d088a69a2686ae75e41d8b17e9eb79c03907b7cd355f4a00a9782f51b0ae15a2bc581e4065c5b75d16db286ef4a17362

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
ef935f15fadb49c07352389f2e9b0e7d

SHA1
d62e6c79257b833e58bd4e3c6848026731852d51

SHA256
43498676e550efe1af583241cf15fd8f2a66e3733e48d3532177a4ac12debf0e

SHA512
c2e0c9f0832ba96207b377ea5f63a9b350f6633c005b1718110963677a71e8e0b388c4ece7ec33ec93516f05694c3b7407184966519a03c1fba0a452dbcb7af5

Download Submit
/data/data/kegvi.nfec906.cyc/files/kegvi.nfec906.cyc

Filesize
256B

MD5
9774c3e0912fdfd445e2ee039c7eae0f

SHA1
d46447d173b80a6a7ef6e46e227c7d0672d2cad5

SHA256
668b07358178d874f18fb3f2b517c8fce41cebd4239715d329b40bafa587217d

SHA512
ded240db57031975823b645993452b4af011622405d1295c0d5de859ad5ba19039992a0d5adec900371f2d8af9f3093eee7781c4759adbeb0d3f9244e68b9d0b

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
7021429083315cf02c3bf5b6f565a2ed

SHA1
4d97b4e41643f6a02eddc26313990df335237123

SHA256
ae157318b7fb3ecd604795f4286b4f9dc5c2b08392e06d73a2f2c333e37b045c

SHA512
ec720e2ba4a459c26578d7f189975dc5a05742f0fac42fb4986f8232dcaabe428f6d144475daae9cbedd55b7fe5def57b5f9c2ef9932f10fc4de0142978ac85b

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
cf67a399d00e0b76b39a410c54e3586e

SHA1
9b4edb602df6adcf5b67640b05c12cde5f702d52

SHA256
3b8ee3d125703fb9b2d5c42807441c2b66b89ec44cf8bb42873f040f8e109a52

SHA512
c471ea734c322653ede45c44af0d5d6040e63454f7226b0b4fd7c815272319474c10354500e33385fa76e0687d67ee545921332d29e2be214b5c36c1c5da48f1

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
379aea46ead9a7ca2135e70e26e3d2f9

SHA1
b2ddcdcdba061d8f2e50087e8f5d98bafb4aa777

SHA256
7f5169c0ab2dd274be2ede233a2f25c9fde9b855ebedc27b272a54f28697b983

SHA512
b8e067534bce6a69cc846e7ac0293db17c818a3b40f7edafc0abc2e9a9d00f8ba3c7604aabf2c51058886691cbeca46547589bc24ddccfb70693fb3d91eedbc6

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
625301e432cce25a70f676301474e81b

SHA1
a473fd16454cb0628ca5991aac5544c6602fd795

SHA256
96cf54dde9b1c66e1ae5b9c1f2f8083b6e49ea3499e0983336c2c6f649e388bb

SHA512
2fc75bd749a40eeee59bb4c5e679f35ec9908a1247a9ea2dc166e05c8036204cd6084ce1c668f8bbfd5c83d24fe602220129dddb9db55fb945cd8c20a3497ad2

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes2.dex

Filesize
308KB

MD5
c4f1bf1c779a21a25c3dbf5a15efedc5

SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33

SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd

SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes3.dex

Filesize
265KB

MD5
c6abf8a6dbc7699cb23c034ae965fb05

SHA1
1a420d700e47d712acc84641fad51a4b40041cfe

SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958

SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_venue/EEj.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/kegvi.nfec906.cyc/cache/logs/log.txt

Filesize
83B

MD5
c6ab9434db769061b44229db566ac6a8

SHA1
2833598372e484ccdbeb7f1a8ad80d6b0f2a5754

SHA256
b688af1954a205a7389eeba8b763d183c9357ab3fcfb95d98520abe77ec74c06

SHA512
c9920a8eb38c5800abeb1dba88e3f22ae8764d25bcacfcd9b89a855cc9b9db1336c7aeab4fb661808c7906579a349d32760a4c179a3c6e3ea5193d0e21ec4d75

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.