trickmo | 702d8ae90b3535bf923522cdce541922065fd31c23356474d04c29245ef153ab

Analysis

max time kernel
29s
max time network
31s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

702d8ae90b3535bf923522cdce541922065fd31c23356474d04c29245ef153ab.apk
Size

8.6MB
MD5

1e601badb689ec4328e7206483f7fc8f
SHA1

d103db4da641e5dad66226087c45a92f5a35ec3d
SHA256

702d8ae90b3535bf923522cdce541922065fd31c23356474d04c29245ef153ab
SHA512

91b042429caf3ec6709f816d80f95930fdf4bd81965ea7e4232b7d3bdf4560aba64e0e181d5186896dff49137644915381f166835863be2627928882bd77298b
SSDEEP

196608:oOsWNIJ8HMmitHQfX1BSNlit0XvuYznJcTZBzhBfCR:/Ps01gNlit0Xv7zGLzh8R

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kegvi.nfec906.cyc/app_rice/ldWtltI.json	4514	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_rice/ldWtltI.json!classes2.dex	4514	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_rice/ldWtltI.json!classes3.dex	4514	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_rice/ldWtltI.json!classes4.dex	4514	kegvi.nfec906.cyc

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kegvi.nfec906.cyc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	kegvi.nfec906.cyc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	kegvi.nfec906.cyc

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	kegvi.nfec906.cyc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kegvi.nfec906.cyc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kegvi.nfec906.cyc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kegvi.nfec906.cyc

kegvi.nfec906.cyc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4514

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kegvi.nfec906.cyc/app_rice/ldWtltI.json

Filesize
4.9MB

MD5
6062a6cdd52269b087ea01359d8ffadb

SHA1
1234ab4afe8f84db845705885caa1ae47060872a

SHA256
f675c72b6fc408c95fd6c71e13fd3b650ba3dccc25482eb6514a84401ad0b4b0

SHA512
4fa560e886e567e8137ddc99d30426672aad6acec89c7fbd4be2068984483624611662968dee8feb23b6062ff2631de86f961ba921cdd3ba6f7510d528a3842e

Download Submit
/data/data/kegvi.nfec906.cyc/app_rice/ldWtltI.json

Filesize
4.9MB

MD5
44df4ebbf927174833e43c712252f4b3

SHA1
2a8b7cc64b6ef8303c2edb7666b3eabf816f83a3

SHA256
9d98d41bf0c3bc1ad00bfde87d31d81654859436754a531328e7b718dcd2f396

SHA512
139e8ef82d16d15e2cc63b76969c16e387c67be8b3808c301e64059da3fe6cb2f8dbe897bfbe1578d83194848289c017ceff86985e2945bf4f41c34c345057d8

Download Submit
/data/data/kegvi.nfec906.cyc/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
587536254284485a802b0ee6302caed0

SHA1
dac82e0fdcef8da222f702b8157310cf7ac1ec91

SHA256
5d093adbe5abcd7c6e945437b7f5a7a5440964e08d9929f4fe6412cc3a3968f3

SHA512
cddbe89f8b43af66e40c912be833bbf72311d3bc82d7882e51660393714f2c862e46a76765374601d7e0663c7ee4d02287c9e4e386b94040475f37c2b2c821c9

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
512B

MD5
1bc8e749a671a3a8a7c0b338369c32a4

SHA1
5d134c8884278e4450ab840f92fd62acf827dd79

SHA256
f87458f396f2404b65934e6d521b92c7c5b057863b1f4f802568c501cf53d730

SHA512
aeab07c2c359d6bb74a31612fe915ff37c6c4abe55ed0847204c57013e1aa39795f286ca023143f97f0b3620eac4d81051170841c4a908df32e7175c371b41ad

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
1dcf2aed8138e4b7fc8658e3eb6159f8

SHA1
a1b2dcfbfc5475b820e43249fec59263dab5409c

SHA256
477e8579cbecdff335e793a7246c93e9ea566d7cb2930e0195737c433c52de63

SHA512
0ce8c600b4a9da13b8ea87a6b64848195a705502e481b5374e346b5d8540db2fea3ec74e5f4425270fc5ce27c8e12ca4f1c2b0a38f7be101a033e5caaa26d30e

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
0f96ae6c094e8790ea6226cc6ab82c67

SHA1
127ee2575f2bfc9f6d3deb23d9961780907d655a

SHA256
c1f717c94d21916fb50763ea89d6dbc9b4d3916ee991b714444c2a332b92eef6

SHA512
c591c1f8e4a2c169766d6015afd220d3b7f77f344a73f8046012182a6a659d2bc4da4ffde600c83c1e3a07a8cdcd025f63e82d9f8e737fe5b2fa968a4a0a3384

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
12KB

MD5
2a5ff8caaba8864a00af87d4e079800f

SHA1
5da6bc3404d9e1049b0947383693e302cd146776

SHA256
ecde696411a25f984c033fd2d1dad7345082617b21016e55296d6e9365097db7

SHA512
870630e8ec696abcdadb7b880e35500fe16d090da263cdb2d01490a17d61f379419d25245a22bccb18cb089777d5924cb7678827836786c215968f3096616409

Download Submit
/data/data/kegvi.nfec906.cyc/files/kegvi.nfec906.cyc

Filesize
256B

MD5
8cd3edf929e583c12100c1c041d2b6fa

SHA1
5b56d6bda1dde17b3bfb11fc51a99e71b21725a7

SHA256
6a7bac0043aa23657a014624917a3abe57479cac3cee947a1161c3c2c2e61acc

SHA512
a701718205cd549d3238e2ec1b9495134611d080aede9e76bf4ecbed746e1ff7af51885572b92747a63ce0ca6d0365cd3fdaee6b485cc11bec7a47c69ede9bd4

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
b4f274c41a265d82c4de2343ba10c647

SHA1
c200b55e8e7fb3b512335ffad11efe34e8042165

SHA256
d330e7d2ed83120865283536c7a7ebb9bc53cc4fc49564d6cb6e18cd4c5213fb

SHA512
f1259d94a2da109732d18933009e05f04c974ff41a3ec0b2175db83dd8a19db91b141634e71e4a9eaee7d073f5cc7c56cf0a58cd7de0d3e3a55badf94430f04f

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
4715b61dacfcb7719e4254e0613f195c

SHA1
d6da45ebc4bf01d5dad7446fc1feb42b865d6410

SHA256
02140834088e8e8edaff2551aa710b7b4b04f2e59a95885e3f07f3a58d473103

SHA512
7fb2fedc331606a122b8c958459f913be54af25fe0f4a67f93dffb474cdc1fc0ef3dc69a1bca048a4851c4fd9aa4711ac77173e0f96d47d850ece4c7b3484b6e

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
256b8426598f45f15794ee6d88d9190c

SHA1
6f87d55fcf5842f320e1b08ca17eccc6319c4467

SHA256
499b617f4e025771fef8175a562bab6487f435f025d65c915d1c925917e4ec9d

SHA512
9ab8af488317ae49facf6ee2d8cad6b6f866d4af35555df7e27e4dff718bea1fb3d7bcf4d9958cc2d96fc9a07ce176d0bf358c8320c6546620a03df4930e1841

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
909f3db2b08c6bf07ef02702421e0c69

SHA1
ceaf353978ed415f313cd4d2b6a4e3f26c839c8c

SHA256
55156810487f0530071be88a6b85b8d6b661fade15dbb6e7271560c152094736

SHA512
e92de3cdf978a9725a0fde915187c6c1db8f3b8337ed5371c7a80d58769b954d954b6741f80f0a17056ffacb83e9bbbfb59e46b66725d1d6c943db303e6d74da

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_rice/ldWtltI.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_rice/ldWtltI.json!classes2.dex

Filesize
308KB

MD5
c4f1bf1c779a21a25c3dbf5a15efedc5

SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33

SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd

SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_rice/ldWtltI.json!classes3.dex

Filesize
265KB

MD5
c6abf8a6dbc7699cb23c034ae965fb05

SHA1
1a420d700e47d712acc84641fad51a4b40041cfe

SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958

SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_rice/ldWtltI.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/kegvi.nfec906.cyc/cache/logs/log.txt

Filesize
83B

MD5
2af29a228fb060a4151488316fd84ee5

SHA1
529182dc70cd88ac11ec4e1fa5e60c6bf7e4d9bb

SHA256
8913abb2574fb47886e27b6b45bdfcd2a9518cc32758f07d27130fda23b00f8b

SHA512
c91ff5303a0c3d30b5376c1058108a4e23a1410b94ce57093a45b222b0561d3511cd9e3e3bae152c3cc85b06d9177dd81696f3f8eced2638056042474b04ac57

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads