trickmo | 4df101836ec39711255b56a4fa3d2843b3ab6aab675e510953122e4bf6372fe6

Analysis

max time kernel
25s
max time network
30s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
22/03/2025, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

8.1MB
MD5

2240488b9d8e26e7a7c5d76a915b08d0
SHA1

9484cc97cbd0538fe759e8d6f500b94df0c15ba5
SHA256

882a8aad8dcb9ec62e374a03553c5a7f2f0cc6db66050ca444e8d47d3d1838db
SHA512

5fd447c6a1584c9155366e806423caf37412ceedaaf5f84ae122d76c81fc8801a1fec86990554fe2ddbb33c0a7e76c89c2f48f83013e2de1d6a9ea4f60352bad
SSDEEP

196608:cpOsHIcaddwITP6wUAfm122Jl/aPkJ7wspYVoMW/:cpOA25SwUAuMZP87BquH

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json	4218	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes2.dex	4218	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes3.dex	4218	kegvi.nfec906.cyc
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes4.dex	4218	kegvi.nfec906.cyc

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kegvi.nfec906.cyc

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	kegvi.nfec906.cyc

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	kegvi.nfec906.cyc

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	kegvi.nfec906.cyc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kegvi.nfec906.cyc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kegvi.nfec906.cyc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kegvi.nfec906.cyc

kegvi.nfec906.cyc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4218

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kegvi.nfec906.cyc/app_humor/IyxDaJM.json

Filesize
4.9MB

MD5
dc5e64e81f6c94ea3309f8b4b295762a

SHA1
e5fae8b8752ebc5a19c1c80d3dfaf0016e34588f

SHA256
3ab4a086e362bc3167b70df96b2e58f925464484668b8125d5452f816c021ed2

SHA512
090196b47bbaed67f0bf35a085d053c55c74383c49fed25d7fe716c5420b91247d762083c3cac926365b264de289d326c7b5e9a87b5a2d73f857c2041a9d22b8

Download Submit
/data/data/kegvi.nfec906.cyc/app_humor/IyxDaJM.json

Filesize
4.9MB

MD5
acf53beb76bdf09e622f959c2883788d

SHA1
8326e8dc4ed0201ea2f2419b2926b1247fea81f3

SHA256
fc045b73ff077d2f4548ddd57619ff8681e229e7ad8dfb0179f79dd931a8f187

SHA512
0bfc3baac38049bc1d7f34b2a34202670c3e6b8a8e116f26bb894b5cf1f3cf8892b5b832cdf1218e0afdb0f6cb3410ed126b003dcbbbdc88c52926b2cc86613a

Download Submit
/data/data/kegvi.nfec906.cyc/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-journal

Filesize
512B

MD5
9908bb4c1cb4df56095f198bd07da121

SHA1
794dd4eba3c993dd6957e153446a51a2c0255b15

SHA256
b41908c4dee64c586b8a559d140b95b973d1cff9aaeb4b5c3dc6617a25aa2f64

SHA512
6a8849006d30ffe0c9fa29a00ecdf26d537c7f822dadcaeca81c6aff3fb42d49f5077870a64f30ee7d2ebcb3f8508a645b91c2d0abea7c3439508808f65a1d61

Download Submit
/data/data/kegvi.nfec906.cyc/databases/a-wal

Filesize
32KB

MD5
3bbd3a27f6d8c8b453b81e83a2f76985

SHA1
04db035cca2fffd3a34c088c2ed7a0725cc1792d

SHA256
63c09615bd5a83fc0a739385284d59fcc88ecd3c20da59af2f372b432289b2fb

SHA512
c6fd0cfa58501eb22e459631a99f8d7b63d005ef59e06420fd6ecb2d1468e5bbbfb7d2c81f1cebd765d05fff0ab84676bd62e598b7b13742ef1cef78f276a224

Download Submit
/data/data/kegvi.nfec906.cyc/files/kegvi.nfec906.cyc

Filesize
256B

MD5
3826a4048fc670981780611f6c47c077

SHA1
57d99eb142813b18fb88255904069fbb0da01040

SHA256
b9b216b6b5305ea4463a945d8a9a9922d3a8901713047697da239206cf0b7442

SHA512
67ceaf676fc7b5dd6b50e8f2e331437d1492e49a543a5a9c1462766ed8f44ed496f2c4c13826b6b582d8a9d14cb0d51a0af738f01a9729aed41c46c4d3a2d57d

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
6518b7b25360b66c6c4535d68d1476ab

SHA1
5aa2ade41279c9397b74a874332ee1ebbdefa8d7

SHA256
d067dcae542b53c62ae5f87ca44b30418bd1572595e89e867c0b42a8de897d34

SHA512
d679a3d7f770f71d934dfbd682674f3f8dc3ded8b16e6ab969d3a796ffe0b41936b1364f89c3254605730e757743f3fa79cb5c07426f4efde8beb79259a18c3f

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
fefb1f6392ac0c224f1c372c9a3e5d9d

SHA1
e98bd1b8f02dfd36734114315325af78a27003e0

SHA256
51090852571e32da0c3bd4f328e81b1d167736d701abc0ef78f3a181635ab542

SHA512
644eb3331dee78f1892d8dd8c90451d55f6c887eff9f9881009ccef376240dc4fe7d86bc75966b550ee1ca98e2607fed1d224b8601b0a7bfe1ecf9358c56da64

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
ce43cbf1b126e8411843a989904914d0

SHA1
4c909c2da0567f79aa2c208af05c17a9b1a8bd2f

SHA256
69daf5b791f61860a17dd3dbfa47772edccd721a8ec8cff942b5a77760f94d70

SHA512
47a8c083d2d5e690c986f217571eaa94b2d615306616ebc266db0a1fbb2c520815c7d39d377a10dbeacd0a5e18b18594598b281e8868e4e9756b2708cd9effc6

Download Submit
/data/data/kegvi.nfec906.cyc/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
f0aa6dd8d7baa1dae7d38c07763b7e68

SHA1
c4bee1475a8c8972044763baf12e7997bf2a3430

SHA256
bbbfa0c2a55fe4220050798623e8888b0295dd57df41297780bac04a20a69c0d

SHA512
8a0fdb97104c8eedc18f5d7272b7c01dce8dbe58b05b45fe8d8d52ef8548979e6164c2e9fefdd77b324aa65d0152d6ddb61f83ac6f375ab2a7babbf30ed0032d

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes2.dex

Filesize
308KB

MD5
c4f1bf1c779a21a25c3dbf5a15efedc5

SHA1
e525c2e12234f6eca7690f2bf0e29ae48f958e33

SHA256
410e18df84f39a134073269b355ae5e6473f689ed9bf3f9903a6eb38af2fcadd

SHA512
ab612b7ef8de98b3943600cc39c26149e520ede008366a2efcf9d1e76e17ca53068c9f4699e6b5e40aa8f99b5339bc8e35091fb264bcf3ec640fbf68c465476a

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes3.dex

Filesize
265KB

MD5
c6abf8a6dbc7699cb23c034ae965fb05

SHA1
1a420d700e47d712acc84641fad51a4b40041cfe

SHA256
c3cd0d23cf49de955c9bcd893cafb62ef3396c0e2d52b631eaf78726913bf958

SHA512
9061fda1a71959cbfbf9effc673213c0678ef91b4958a4674c11e1ababcd433541f0298852b785cc66cff1c945816230309111127923ea21795ed2ad31ddb287

Download Submit
/data/user/0/kegvi.nfec906.cyc/app_humor/IyxDaJM.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/kegvi.nfec906.cyc/cache/logs/log.txt

Filesize
83B

MD5
d5732b4db0a3749d7cc49422db72cb6a

SHA1
d9c26c3fcda21d6db5c7283145b6d6672fa29cc1

SHA256
e6d1713a27f9f13b1af6f30e809fb0e0d13500116368c1a633268eaf19951333

SHA512
91a6160c799a60837c870ae100f1a1d7abd62017549aee30dfbbce70286f96cd39e05eb412db8fb3a4144c4d3a09138a3eb22100a562c4b14b00f974f9f60890

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads