General
-
Target
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15
-
Size
4.5MB
-
Sample
241116-ve652atpaq
-
MD5
4295dfdd9d9fad74ee08d48d13e2b856
-
SHA1
526d4db2c11f33d24ca4ec727ac119c677e46b52
-
SHA256
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15
-
SHA512
07b80e9e1db7f811fb2c97dc1b1df9cceb8c3f752ad1d39f4aaa41df01123170b5deacb28902c3ebfa66804ab8782dd8a3ce8e8ab129c4d907deced43698581e
-
SSDEEP
98304:cjQ2sNAKHdW7C7LMD4747C56myn92vuXCNBPZqnAejSyB4Lb20B:cjj7C7LH74+56hn9FyNgSyr0B
Static task
static1
Behavioral task
behavioral1
Sample
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
Resource
android-x64-arm64-20240624-en
Malware Config
Extracted
tgtoxic
https://ctrl.dksu.top
-
uri
/adv.php?apk=
Extracted
tgtoxic
https://d.aykn.top/loading2.html
Targets
-
-
Target
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15
-
Size
4.5MB
-
MD5
4295dfdd9d9fad74ee08d48d13e2b856
-
SHA1
526d4db2c11f33d24ca4ec727ac119c677e46b52
-
SHA256
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15
-
SHA512
07b80e9e1db7f811fb2c97dc1b1df9cceb8c3f752ad1d39f4aaa41df01123170b5deacb28902c3ebfa66804ab8782dd8a3ce8e8ab129c4d907deced43698581e
-
SSDEEP
98304:cjQ2sNAKHdW7C7LMD4747C56myn92vuXCNBPZqnAejSyB4Lb20B:cjj7C7LH74+56hn9FyNgSyr0B
-
TgToxic payload
-
TgToxic_v2 payload
-
Tgtoxic family
-
Makes use of the framework's Accessibility service
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries information about running processes on the device
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Acquires the wake lock
-
Makes use of the framework's foreground persistence service
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user
Application may abuse the accessibility service to prevent their removal.
-
Queries information about active data network
-
Queries the mobile country code (MCC)
-
Requests disabling of battery optimizations (often used to enable hiding in the background).
-
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1System Information Discovery
2System Network Configuration Discovery
1System Network Connections Discovery
1