Analysis
- max time kernel: 29s
- max time network: 30s
- platform: android-13_x64
- resource: android-33-x64-arm64-20240910-en
- resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
- submitted: 22/03/2025, 00:36
Static task
- static1
Behavioral tasks
- behavioral1: sample 4df101836ec39711255b56a4fa3d2843b3ab6aab675e510953122e4bf6372fe6.apk, resource android-33-x64-arm64-20240910-en
- behavioral2: sample 4df101836ec39711255b56a4fa3d2843b3ab6aab675e510953122e4bf6372fe6.apk, resource android-x86-arm-20240910-en
- behavioral3: sample deper.apk, resource android-33-x64-arm64-20240910-en
- behavioral4: sample deper.apk, resource android-x86-arm-20240910-en
General
- Target: deper.apk
- Size: 8.1MB
- MD5: 2240488b9d8e26e7a7c5d76a915b08d0
- SHA1: 9484cc97cbd0538fe759e8d6f500b94df0c15ba5
- SHA256: 882a8aad8dcb9ec62e374a03553c5a7f2f0cc6db66050ca444e8d47d3d1838db
- SHA512: 5fd447c6a1584c9155366e806423caf37412ceedaaf5f84ae122d76c81fc8801a1fec86990554fe2ddbb33c0a7e76c89c2f48f83013e2de1d6a9ea4f60352bad
- SSDEEP: 196608:cpOsHIcaddwITP6wUAfm122Jl/aPkJ7wspYVoMW/:cpOA25SwUAuMZP87BquH
Malware Config
Extracted
- trickmo
- http://somakeawish.com/hpuex9yu0lfad7pjoxcl
Signatures
- TrickMo
  TrickMo is an Android banking trojan, first seen in September 2019, with the capability to intercept 2FA codes.
- Trickmo family
- Loads dropped Dex/Jar (1 TTP, 4 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc                                                                    pid   Process
  /data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json                  4440  kegvi.nfec906.cyc
  /data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes2.dex     4440  kegvi.nfec906.cyc
  /data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes3.dex     4440  kegvi.nfec906.cyc
  /data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes4.dex     4440  kegvi.nfec906.cyc
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description             ioc                                                                                          Process
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  kegvi.nfec906.cyc
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description             ioc                                                          Process
  Framework service call  android.content.IClipboard.addPrimaryClipChangedListener     kegvi.nfec906.cyc
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  description             ioc                                                  Process
  Framework API call      android.hardware.SensorManager.registerListener      kegvi.nfec906.cyc
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description             ioc                                                  Process
  Framework service call  android.app.job.IJobScheduler.schedule               kegvi.nfec906.cyc
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description             ioc                                                  Process
  Framework API call      javax.crypto.Cipher.doFinal                          kegvi.nfec906.cyc
- Checks CPU information (2 TTPs, 1 IoC)
  description             ioc                                                  Process
  File opened for read    /proc/cpuinfo                                        kegvi.nfec906.cyc
- Checks memory information (2 TTPs, 1 IoC)
  description             ioc                                                  Process
  File opened for read    /proc/meminfo                                        kegvi.nfec906.cyc
Processes
- kegvi.nfec906.cyc (PID: 4440)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (1)
- User Evasion (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (1)
Downloads