trickmo | d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f

Analysis

max time kernel
92s
max time network
151s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
22/03/2025, 00:02 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f.apk
Size

8.8MB
MD5

b8749ed305053ea52cb866fd6dd7444c
SHA1

cd9931622abdaca64ee70021965606a199c2bc12
SHA256

d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f
SHA512

6d2dc1cde0dd94ed4ce4abef7334f5e703559a6d2749bbed2cfa264c4b6a5cad45716fcad47f506777f3e73c6dfd23c9d538e607b4012e46227d29362935e5bc
SSDEEP

196608:JbUoY2S7vhEYoQRl90WGQ647qfsrLgbO6JL1gf408gBArrX/s0WbhJ:JbUoYvhN90LH47qUaL1g5tAXPFWbP

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json	5164	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes2.dex	5164	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes3.dex	5164	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes4.dex	5164	kegvi.nfec906.cyc

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kegvi.nfec906.cyc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	kegvi.nfec906.cyc

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	kegvi.nfec906.cyc

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	kegvi.nfec906.cyc

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	kegvi.nfec906.cyc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kegvi.nfec906.cyc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kegvi.nfec906.cyc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kegvi.nfec906.cyc

kegvi.nfec906.cyc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5164

Network

DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

216.58.213.14
DNS

appassets.androidplatform.net

Remote address:

1.1.1.1:53

Request

appassets.androidplatform.net

IN A

Response
DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A

Response

ssl.google-analytics.com

IN A

216.58.212.200

216.58.201.110:443

tls, https

914 B
40 B
1
1
216.58.201.110:443

tls, https

914 B
40 B
1
1
216.58.201.110:443

tls, https

914 B
40 B
1
1
216.58.201.110:443

tls, https

914 B
40 B
1
1
216.58.213.14:443

android.apis.google.com

tls

3.6kB
7.6kB
14
18
216.58.212.200:443

ssl.google-analytics.com

tls

1.3kB
6.3kB
9
9

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

216.58.213.14
1.1.1.1:53

appassets.androidplatform.net

dns

75 B
135 B
1
1

DNS Request

appassets.androidplatform.net
1.1.1.1:53

ssl.google-analytics.com

dns

70 B
86 B
1
1

DNS Request

ssl.google-analytics.com

DNS Response

216.58.212.200

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kegvi.nfec906.cyc/app_issue/uOtWWFa.json

Filesize
4.9MB

MD5
3e8400a08084ec943082a6246f7dd421

SHA1
690fdfbceacf7fcdb56d16ec6af727d98460518e

SHA256
f12d935dee605f160e2b1df9686b55d651b0ef8f86aaf4ae61e3907768ec0556

SHA512
05fe6ca0c0f7f7f9bcb1bda5668e19a522e5415098a337b2d3d1de400a90eaadf036c827d085f62b74a03a8fa5c907ddf2ec922589ac72bb6d5469bc0ecd24b4

Download Submit
/data/data/kegvi.nfec906.cyc/app_issue/uOtWWFa.json

Filesize
4.9MB

MD5
f0b0515dc0a5a55f5cd9bc40cf195ac5

SHA1
27e15c3fefd383c14d390c800c56dd749960f8c3

SHA256
53b58627764de1e0acb24cf5b377b66903aabc04cdbe1485c9ca66b319439b37

SHA512
db36b180f24d421894ac9bf250d97ed56d2105e97ade8eff9892a8f35ee7fab0ff010699eac579717a82ce23899fc119ed5a25c11f9d328061fcaca223ef11a6

Download Submit
/data/data/kegvi.nfec906.cyc/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
93e7f88ba7fd4f0152e8e5dc56f1acc0

SHA1
f29883585567a32fe4d487e5df14173c39c09e65

SHA256
dc6bc98e7f294d8994b3120cb87c0ed1d998e559daab810a68323a8968c60c2c

SHA512
be40cb85f75181627e2e4f7fb01e371ad4ce5051416d7e931ae45479a1357526e89a017aa461de03076c0b650eb5c851c239e88556677e859bb9b7c28e48d745

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
512B

MD5
9aeafaea5c4330cedd42bf7892d12062

SHA1
6104fe072f1ae45ea0acba9d319624374f52c735

SHA256
4ea263d4dcb25fc205ba5ab51404ee5920bce8a15e4d49e8b1be9decdf1d95c0

SHA512
0a88623005bcb8b5bd380ce3e413d0a0135c97ed62e673a3e8b9576fdbe1f9516b03274f4fb5c496cde3976281836bec80daca7e22ac60b0e1213f6317f00152

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
87982d388287bd535565528a098b3c69

SHA1
a79c928ef76fd1624f26b1946887b5308324a8dd

SHA256
7400ad76cfd41f1f1eae3b08c02ecb5141ac1f34551f0b52d6d626f5af2a57c2

SHA512
85f7adff00e11b7e51613e9a1cf4d068a8b5068846ef06ade8f2f0dffac30f286baa04487985ebcf28a0b79d6b215a73c3a1e2734f454b0a66ddc7043947bdfc

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
baf00cd77eb961e2c7b23d6f582acbb3

SHA1
f80ae188e02da82550060444ee05b03ceac32f83

SHA256
a4b536a3458de045420a7708e089e0f3d88d4c3ce5385bee83ffb6f910707c27

SHA512
91bc6f7ab931a041c9008450f0f396f86d84b527e687d42d510bfef49880d6aea45121eb9d07004d06d667e5544f5c6af6207601011ba7064bbe3c12850fcc9b

Download Submit
/data/data/kegvi.nfec906.cyc/files/kegvi.nfec906.cyc

Filesize
256B

MD5
6860e2814c8769b3d456b04599e2bea2

SHA1
d52f5c97cde094980a39273b24e79bfc7f805d68

SHA256
3e558571c9cf109ec87cd854852d88a908fca5b7b1444ba41336fb71c3cdc989

SHA512
e8bfb280cde579f7110851d5fe50d59ecd1aad0d7ec4af8b223d1010e87c93d8c0ae8478719c12e88d79c12aa564f1f61993342421a0cd0699cc087c9383b8c3

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
4b87acbdd92afef0c77392809e69353a

SHA1
49a7b24905f422dea77ab42f57a931af78ea0746

SHA256
fc11a4ba27b4be6561879677c35c9726af83061243f92717a4d5eeeb9fa7d6eb

SHA512
4f71ac03cbe643fab6d946c6a757fd633724ad3683cdbd16b92207d3e02fbfd56efea2b447f38b7a0632a25c3ff6b4c1444a091407ddee3913e7cf14052daeb1

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
8132a558c6cc250c4822300bd6be1994

SHA1
cbfe62baa22c61465b4272137e7ad466d491472c

SHA256
cfea50a35abf3e67664a10c8a588cbaa11334158fb2bb46b86c7408f993b2a72

SHA512
f1f38aa5767151d823db433d3603cc05ecacad28f5cc942d5c04736fc324667d74b6483919150ddbeaa639e42a19dc80b0e597699726a94a8589e63ae6b25daf

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
816836daaec27644a538498aed09714f

SHA1
4a1904ada85e8ad2fe778f83c63a3a856983c098

SHA256
f96d0beec13c9fa13119e4af2ab9fd5ff3838074dbc95cd6a608617eda2474e4

SHA512
0268e310cede22d26d55cc6ef15460dbd66da2b64bb872a4598e1213b8ddcb3b41452d3c8fa9aac85dcd4862b81edbb8a206c10cee6b9f18bf802f6882beb14c

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
07b6eeaa25d47ebb4dff8f718eb0e17b

SHA1
d973cd997d25c02ed0cce6a7e7aa3bf4e4b443ba

SHA256
f80ca3bea09af629f0228c0ef2ffa879bc419edf2c14ef9345a7331812a93976

SHA512
bb09fa1a8fb1e7907d05aa9384ee2139f4ee8189e31c6a299575851325b579a9437335b24deaa78969829ac8b578561d649054f371088beb7ce567548897b844

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes2.dex

Filesize
308KB

MD5
c4f1bf1c779a21a25c3dbf5a15efedc5

SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33

SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd

SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes3.dex

Filesize
265KB

MD5
c6abf8a6dbc7699cb23c034ae965fb05

SHA1
1a420d700e47d712acc84641fad51a4b40041cfe

SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958

SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/kegvi.nfec906.cyc/cache/logs/log.txt

Filesize
83B

MD5
d3c955fc77ded4275b9bf14d5cb9b899

SHA1
40a1231ef383b174e7eff163ad7dba4de401acb0

SHA256
546988f7cb96c46a6dd27df2cdcd5f1f6349445145215f300a39182671c4612c

SHA512
f9ec4f163c6c8ef89a9600e93c4ec53c75277f6ed426ed189430053225ff52b974b13f73f69e12e535b273b539345b5eafdc30bcc29474a36caa58f6ad9f93c9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.