trickmo | 4df101836ec39711255b56a4fa3d2843b3ab6aab675e510953122e4bf6372fe6

Analysis

max time kernel
29s
max time network
30s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

8.1MB
MD5

2240488b9d8e26e7a7c5d76a915b08d0
SHA1

9484cc97cbd0538fe759e8d6f500b94df0c15ba5
SHA256

882a8aad8dcb9ec62e374a03553c5a7f2f0cc6db66050ca444e8d47d3d1838db
SHA512

5fd447c6a1584c9155366e806423caf37412ceedaaf5f84ae122d76c81fc8801a1fec86990554fe2ddbb33c0a7e76c89c2f48f83013e2de1d6a9ea4f60352bad
SSDEEP

196608:cpOsHIcaddwITP6wUAfm122Jl/aPkJ7wspYVoMW/:cpOA25SwUAuMZP87BquH

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json	4440	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes2.dex	4440	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes3.dex	4440	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes4.dex	4440	kegvi.nfec906.cyc

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kegvi.nfec906.cyc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	kegvi.nfec906.cyc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	kegvi.nfec906.cyc

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	kegvi.nfec906.cyc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kegvi.nfec906.cyc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kegvi.nfec906.cyc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kegvi.nfec906.cyc

kegvi.nfec906.cyc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4440

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kegvi.nfec906.cyc/app_humor/IyxDaJM.json

Filesize
4.9MB

MD5
dc5e64e81f6c94ea3309f8b4b295762a

SHA1
e5fae8b8752ebc5a19c1c80d3dfaf0016e34588f

SHA256
3ab4a086e362bc3167b70df96b2e58f925464484668b8125d5452f816c021ed2

SHA512
090196b47bbaed67f0bf35a085d053c55c74383c49fed25d7fe716c5420b91247d762083c3cac926365b264de289d326c7b5e9a87b5a2d73f857c2041a9d22b8

Download Submit
/data/data/kegvi.nfec906.cyc/app_humor/IyxDaJM.json

Filesize
4.9MB

MD5
acf53beb76bdf09e622f959c2883788d

SHA1
8326e8dc4ed0201ea2f2419b2926b1247fea81f3

SHA256
fc045b73ff077d2f4548ddd57619ff8681e229e7ad8dfb0179f79dd931a8f187

SHA512
0bfc3baac38049bc1d7f34b2a34202670c3e6b8a8e116f26bb894b5cf1f3cf8892b5b832cdf1218e0afdb0f6cb3410ed126b003dcbbbdc88c52926b2cc86613a

Download Submit
/data/data/kegvi.nfec906.cyc/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a

Filesize
20KB

MD5
1132b01ff2d566763fc8a82d7412c6dc

SHA1
7190c159d502496c12ab0f387560faa44b379703

SHA256
0f164a7677545c6f4f768b7589c8629c40c22fb478a15ce2ac7603c9a7d708db

SHA512
d6dec94b6b70b3922ce2ab6ef843e887270aa1996e2b4d41e2216841bf35cf5cc4a2c7aca361ea2713de498fdcfbd2d3ee78e07e41b1c2d7e12a8d8cf9dd6ccb

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
512B

MD5
569112495180a703717cb2f5e66ec3d2

SHA1
4d148645f59a5cb01e5e8cfd8c4bdd4665de690c

SHA256
76c7dac0b1232bd8f9396cf9009e1fa1d03446d2ccd3ae3f19a9d0ad2d2c0bb3

SHA512
7b8d3f641c26ecde5bbde9a6ef60b16ecc603b6cc3440f757448c0314282536f366fbb0acb94fa958099fda0905ea7c3c9fc1751104dcffca63929adc295ac63

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
6299ca083b615ad7a8c6540e84cbb68b

SHA1
971a9ceb7d4cffbe51d2256e41d43135885e7285

SHA256
4467e6c12c1cbcad72ef22942542a5a1f81521306b8df5af070c384ee6cfab34

SHA512
afeeee1530926929dc89ea0e8b7e1eff9fde3b6180ba95398ce36410d518a7cd1e6aa48557ecf7ee8a0d6e244ec88440d9e17df978ddac21b65288774858d5ee

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
8KB

MD5
3448e3e0c32201c2d97647e246e732d3

SHA1
e5c50cca0ac8058077feb5634a44958f631d3ad4

SHA256
7ae41218b29d1ff7329f4c942a2c6fc2085021469b6d11da315d4b14dbad8b07

SHA512
a74d8cf0ac060f05214d3f5e1cbe6e9506c974cc12c08439de9a114db2042cd27c71aed9979bb2928eea679c362752099770d49e27283eba55c36d20e5eb29cb

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
12KB

MD5
d131cd0d1c11251efe34dc4ff308318a

SHA1
e765859e22b7dcd07bfec54f9c7421e7e6046718

SHA256
072860fe159ec87d3165559fb2564e16b345e4dbcf72d160df5e04f346013779

SHA512
7c886e82db23e8541d9e1337a4544dd79019a75e7e59ef7abcbf4376ec6d7183f52a4902ca026fe16f6ecf8bcf72f1413aba57bdebe1061875f54bcdad896679

Download Submit
/data/data/kegvi.nfec906.cyc/files/kegvi.nfec906.cyc

Filesize
256B

MD5
137dcfddce6bd80f883952d8c137996c

SHA1
e043070c112dd6577bff040c0f91d543a225609a

SHA256
b78cc5beeb4a8c39fe5dbaf905d6b8311a37c984d08db7589f55a3001ec2565c

SHA512
6eac3f73d0093f40ba4b3f4d16b03b739b6285ed8cb74a5e3c861bd38f18e1d232b5549a799f69d3b45971ba4789bcc2e864ba6d241c7a654c913e3860213cee

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
3dce50aceee872bcf0beee8e8d2916ad

SHA1
3e7e3d24e3e85ed15cbaf83a357c810faea774d6

SHA256
865dabae64fede133846171fdea38ee1cd0b3d53959c4542a7e9cb6867f39e90

SHA512
8983838537f131cb1c59cdf5004247686458aeabffa25a887b8c5c9c4b708c09e6a6f50e29ee8dd6a4d360a822fcaef294b01cac557abe184af76f88e6f8dda2

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
449fa680f71e51c6c3b5ef5acae8e915

SHA1
6a8a20b993c27514996e446dc56e4178d012339d

SHA256
e987208c6e75a81d5553bf1b29c9ab0e837d0a906bbbacdc8147b243215e8260

SHA512
96b9ec5318f8a45c04616ce16627c25720303333815dcbc5a2b574abd5e50b40983084c52ab054b16931907caf7a79e7a7d679681c67c621a917da88b0c9ab4d

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
e8c7973e413e65d8dc881f434d28e932

SHA1
3bffd069d7d1a724a158f77a0b879120a3e7824f

SHA256
1c9aa032f986392f75516870177fc8bc1c88a130cb49489009b13e20028ee0aa

SHA512
f1d4b604e66ed533399e17fc03a68c9bab745e1128017c6b124fd51a90d2a915ba6268cd91c73e73f22983353e4b196618182bac99e45c39331b40eca37dbe90

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
9364fe1b3f84fdd00f5f8e1918123107

SHA1
9c606a06b73707f4fb46a00558a8a7f1ad2000c5

SHA256
12b2002cd06392d885156501f76066dd48b6299b025b1ae3def6d8c4a78480c6

SHA512
ceeacdf01fc389e902fc36841fec5347bf907af1837c226703c6fa5dac29121e12d59140810d9cfe4dc012e78a9b6d55bfc5dd6509ece51f46bd16e376212d39

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes2.dex

Filesize
308KB

MD5
c4f1bf1c779a21a25c3dbf5a15efedc5

SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33

SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd

SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes3.dex

Filesize
265KB

MD5
c6abf8a6dbc7699cb23c034ae965fb05

SHA1
1a420d700e47d712acc84641fad51a4b40041cfe

SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958

SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/kegvi.nfec906.cyc/cache/logs/log.txt

Filesize
83B

MD5
d5732b4db0a3749d7cc49422db72cb6a

SHA1
d9c26c3fcda21d6db5c7283145b6d6672fa29cc1

SHA256
e6d1713a27f9f13b1af6f30e809fb0e0d13500116368c1a633268eaf19951333

SHA512
91a6160c799a60837c870ae100f1a1d7abd62017549aee30dfbbce70286f96cd39e05eb412db8fb3a4144c4d3a09138a3eb22100a562c4b14b00f974f9f60890

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads