Analysis
-
max time kernel
197s -
max time network
198s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
16-11-2024 16:58
Static task
static1
Behavioral task
behavioral1
Sample
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
-
Size
4.5MB
-
MD5
4295dfdd9d9fad74ee08d48d13e2b856
-
SHA1
526d4db2c11f33d24ca4ec727ac119c677e46b52
-
SHA256
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15
-
SHA512
07b80e9e1db7f811fb2c97dc1b1df9cceb8c3f752ad1d39f4aaa41df01123170b5deacb28902c3ebfa66804ab8782dd8a3ce8e8ab129c4d907deced43698581e
-
SSDEEP
98304:cjQ2sNAKHdW7C7LMD4747C56myn92vuXCNBPZqnAejSyB4Lb20B:cjj7C7LH74+56hn9FyNgSyr0B
Malware Config
Extracted
tgtoxic
https://ctrl.dksu.top
-
uri
/adv.php?apk=
Extracted
tgtoxic
https://d.aykn.top/loading2.html
Signatures
-
TgToxic
TgToxic is an Android banking trojan first seen in July 2022.
-
TgToxic payload 1 IoCs
resource yara_rule behavioral2/memory/5064-0.dex family_tgtoxic -
TgToxic_v2 payload 1 IoCs
resource yara_rule behavioral2/memory/5064-0.dex family_tgtoxic_v2 -
Tgtoxic family
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.example.mysoul/app_judge/pyai.json 5064 com.example.mysoul -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.example.mysoul Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.example.mysoul -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.example.mysoul -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.example.mysoul -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.example.mysoul -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.example.mysoul -
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.example.mysoul -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.example.mysoul -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.example.mysoul -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.example.mysoul -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.example.mysoul -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.example.mysoul -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.example.mysoul
Processes
-
com.example.mysoul1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5064
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1System Information Discovery
2System Network Configuration Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD54264325070d7f21b11eff78f3b168465
SHA1a848ebc8150caab12b2b229781aef05a6bb30057
SHA256ee129600b0da127afffd8795d318751d345301d3a4d2475b594f50bbe07c1666
SHA512f77c99af9a95498026ecc2f8b1f2925e8699370c48cbe88d3576d95c99d7689fc7f2109f99c15f33a6c38c6c7db339ff8eb10032e169f016b87227bb07364e8e
-
Filesize
1.5MB
MD546b58e24a61a7a5b759c0989b8580e98
SHA157f3a2f49f6b240af643d59b27fbea498b460a43
SHA2566ceaf8a1dadaf56801eef8aba7c50941099b7abf9f34dac1d7f844b7a03d2dc2
SHA5123a2f2ecc4672827da8f3e7af1ceec06fe3bba5dbdf6b0cf5c7f48c44da83b962f0bd54b9888774322326776c61ff42463cbe43c292d507200841206a9f7e2f17
-
Filesize
940B
MD5fd42b38a64ffb153df0fc0d1cedf780f
SHA121ab32c80465f7f1a760bedf4782a6292220f31a
SHA256b5d7217edaf72ae337e805c1cf70cf5d4697e2c62a1c7d2ec51e78b5399927ba
SHA512916026ce46e5b40bc5bf9b6705c4160d87a432e533ee8490d8f2013c114d85eab3bfa4f0f621c2e658c20fe377cd12f470ee0162ee64831322c237de6d1bd7f9
-
Filesize
3.4MB
MD51ef35068c2219a60eaf997eb30fc80a3
SHA14b93bb6b12d1fcf8aff67df3269e280438ce0588
SHA25642a8314562b8e32ad4aff7a65d6eedec79b599d767f731cc4947678f8cffaad2
SHA5129ff5ff4fd5489ad5862428a39f92bfd27e8b852a70c45ff06d506fabd95b081420bcf60ba158ad44d439d2f7e78e6e1ccad2f63f26edc99f62fa4566654f8b46