trickmo | d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f

Analysis

max time kernel
92s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
22/03/2025, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f.apk
Size

8.8MB
MD5

b8749ed305053ea52cb866fd6dd7444c
SHA1

cd9931622abdaca64ee70021965606a199c2bc12
SHA256

d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f
SHA512

6d2dc1cde0dd94ed4ce4abef7334f5e703559a6d2749bbed2cfa264c4b6a5cad45716fcad47f506777f3e73c6dfd23c9d538e607b4012e46227d29362935e5bc
SSDEEP

196608:JbUoY2S7vhEYoQRl90WGQ647qfsrLgbO6JL1gf408gBArrX/s0WbhJ:JbUoYvhN90LH47qUaL1g5tAXPFWbP

Score

10^/10

trickmo banker collection credential_access defense_evasion evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json	4790	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes2.dex	4790	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes3.dex	4790	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes4.dex	4790	kegvi.nfec906.cyc

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kegvi.nfec906.cyc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	kegvi.nfec906.cyc

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	kegvi.nfec906.cyc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kegvi.nfec906.cyc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kegvi.nfec906.cyc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kegvi.nfec906.cyc

kegvi.nfec906.cyc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4790

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kegvi.nfec906.cyc/app_issue/uOtWWFa.json

Filesize
4.9MB

MD5
3e8400a08084ec943082a6246f7dd421

SHA1
690fdfbceacf7fcdb56d16ec6af727d98460518e

SHA256
f12d935dee605f160e2b1df9686b55d651b0ef8f86aaf4ae61e3907768ec0556

SHA512
05fe6ca0c0f7f7f9bcb1bda5668e19a522e5415098a337b2d3d1de400a90eaadf036c827d085f62b74a03a8fa5c907ddf2ec922589ac72bb6d5469bc0ecd24b4

Download Submit
/data/data/kegvi.nfec906.cyc/app_issue/uOtWWFa.json

Filesize
4.9MB

MD5
f0b0515dc0a5a55f5cd9bc40cf195ac5

SHA1
27e15c3fefd383c14d390c800c56dd749960f8c3

SHA256
53b58627764de1e0acb24cf5b377b66903aabc04cdbe1485c9ca66b319439b37

SHA512
db36b180f24d421894ac9bf250d97ed56d2105e97ade8eff9892a8f35ee7fab0ff010699eac579717a82ce23899fc119ed5a25c11f9d328061fcaca223ef11a6

Download Submit
/data/data/kegvi.nfec906.cyc/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
57baf3e42a94e8dd82e267b2f0619330

SHA1
76512dd29fbaf3cfd2efeae0ac2ab5108b81af19

SHA256
49a98902c1ffb97354f0e8f0f9208b84dfabaa826635f6ade1fc782169a3ec7c

SHA512
227f9d10a39fb0d8ae0a562e3b983fde44de62b3dbcd577172451e0e1f669e5721ba653c324af7c4d022032edd951cc417805a4eeafd5e84f28d378b9126a690

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
512B

MD5
6a4f14604a61e969bf5ad80182f72920

SHA1
f2b1829ac2c798f0e13934075c0e6fe5155f81e2

SHA256
8759b42364d376435436883d2063716fe1bc451c50607827a886acbb2c2ed65b

SHA512
d14ea92f537f2d7cd67df8a0531eec4b44ab393dbcba0aa9a2fb6ab2480a3898699d98789678131603ce78fc790fad2e34e89ba0a8b83e2d993ce1ac74f6b424

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
6f850682b4f614bf65c227163b9d571d

SHA1
e1e63af18466e4d658352d3752f85271a8b1277f

SHA256
169e9d9cb0527f2462d2b43c02766d8f2f3367409dccd1c447af6715e1a32846

SHA512
8b4096145507ca26f95450366d63d0cfac6b6f2b45320f8c24aefdd423bcccc5ee94670a34623abdbeb4582e50e0125f0c203bc666b92627e42b7465e5c2fef3

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
32c17dd27148d31743628bcb2ec634c8

SHA1
734ed36e1f4d3bec2ed6af76bdbc1478928dd808

SHA256
3b73116517562ced8ed83e9acc078378272929700dbcfe8fcefbae8ef8d2aef2

SHA512
942c5d76ee0b0d878d98900745a9ab5e42f9ea7458e4c5b0eaa45674bbd4d9e9f4918f05ebec0ba2a71ce3c09c23f28b48debb1091bb00ce64701745c2668a7c

Download Submit
/data/data/kegvi.nfec906.cyc/files/kegvi.nfec906.cyc

Filesize
256B

MD5
986c4429138e72999aa2c869996a31dc

SHA1
3986583ba312296ab6869339f234b4bfb7bfeef3

SHA256
3ef660d75dc87bd22bdf43f61761b7dd4d32dae679860220f88c766ca6a0b444

SHA512
2ed8fbd3bc08f01e302ff3b99e5ee0ae513ea7fdef3847589804bfbac1a35f10693136fd20deb433db056083914f5fc67855d3f1e190cc96fa37f2503e7a2446

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
8e7791e116a768cd7dfcad1a5f63e147

SHA1
f05b66deb4bebe16c498286cf68f87f9af45c340

SHA256
f81baeb7265c29498b60ecb9c7b042bb81095f516b627f1e557bf0607d853960

SHA512
66c2dada028404f93a6665d0a266110a5dd03ccebd80f4da0d03a1608d7e3cb1006ec5dc5323f6ffabb3d5d96c8891afcc2c5b839639e99897b42fe702ef728a

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
900200a81fcc41b2421274a1da33dc13

SHA1
fa9f6974d7471faae79cb93243500bc7276ebe51

SHA256
fdeef9a523fb9e05786ddaa0149d6ae9abc3741c21e5b27796f84a1310ce4766

SHA512
0da72f27140ffc93e844b5e3f1700a7abc56427f43991d495432435c2e4f58cf233cd2ddcab195ae9aee4c2d14a8b7cec055f2a75382a71cc1a63eecf7202cb4

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
579e123242bb699247b9ca1c0dfdc6c0

SHA1
2a36a80cb5d2ba2e77e7575a64c057ef0a723d37

SHA256
d6f4c6166399fd89654fd251a1ea16c96cf58f14a37309b7b6aeaa5cd86b6024

SHA512
85ae50cad85cd7136ec3635d2ec9e0e668a7252890cb4e10aca5df29dce2a5546a24199a62ebc38f6735bbd7f8b56a68a2fca10747dd48513c7a88cbef473f67

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
9e650ef1a800a9dc5fb6f487e1336c06

SHA1
3e9f013c1f4372049a03028141273f54d671bd52

SHA256
f0fb4b7ec54e8014e56ef89ff5379396bb39729abb4a4ebea327fd6808447416

SHA512
9390c4c31cc7d421e273f99d240897cc3b58c986b2bb86cea6aa27f8ebc45081c5efceeb55adee5d6030a66ceed505a20bff6c78fcda075825831da978cf1ea6

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes2.dex

Filesize
308KB

MD5
c4f1bf1c779a21a25c3dbf5a15efedc5

SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33

SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd

SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes3.dex

Filesize
265KB

MD5
c6abf8a6dbc7699cb23c034ae965fb05

SHA1
1a420d700e47d712acc84641fad51a4b40041cfe

SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958

SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_issue/uOtWWFa.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/kegvi.nfec906.cyc/cache/logs/log.txt

Filesize
83B

MD5
d3c955fc77ded4275b9bf14d5cb9b899

SHA1
40a1231ef383b174e7eff163ad7dba4de401acb0

SHA256
546988f7cb96c46a6dd27df2cdcd5f1f6349445145215f300a39182671c4612c

SHA512
f9ec4f163c6c8ef89a9600e93c4ec53c75277f6ed426ed189430053225ff52b974b13f73f69e12e535b273b539345b5eafdc30bcc29474a36caa58f6ad9f93c9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads