Analysis
-
max time kernel
599s -
max time network
607s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
16-11-2024 16:58
Static task
static1
Behavioral task
behavioral1
Sample
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15.apk
-
Size
4.5MB
-
MD5
4295dfdd9d9fad74ee08d48d13e2b856
-
SHA1
526d4db2c11f33d24ca4ec727ac119c677e46b52
-
SHA256
11d926b4e7068914d27200e1aebcbc5e255088ae588a50a1f8f0520771bb6b15
-
SHA512
07b80e9e1db7f811fb2c97dc1b1df9cceb8c3f752ad1d39f4aaa41df01123170b5deacb28902c3ebfa66804ab8782dd8a3ce8e8ab129c4d907deced43698581e
-
SSDEEP
98304:cjQ2sNAKHdW7C7LMD4747C56myn92vuXCNBPZqnAejSyB4Lb20B:cjj7C7LH74+56hn9FyNgSyr0B
Malware Config
Extracted
tgtoxic
https://ctrl.dksu.top
-
uri
/adv.php?apk=
Extracted
tgtoxic
https://d.aykn.top/loading2.html
Signatures
-
TgToxic
TgToxic is an Android banking trojan first seen in July 2022.
-
TgToxic payload 1 IoCs
resource yara_rule behavioral3/memory/4514-0.dex family_tgtoxic -
TgToxic_v2 payload 1 IoCs
resource yara_rule behavioral3/memory/4514-0.dex family_tgtoxic_v2 -
Tgtoxic family
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.example.mysoul/app_judge/pyai.json 4514 com.example.mysoul -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.example.mysoul Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.example.mysoul Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.example.mysoul -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.example.mysoul -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.example.mysoul -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.example.mysoul -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.example.mysoul -
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.example.mysoul -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.example.mysoul -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.example.mysoul -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.example.mysoul -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.example.mysoul -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.example.mysoul
Processes
-
com.example.mysoul1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4514
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1System Information Discovery
2System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD54264325070d7f21b11eff78f3b168465
SHA1a848ebc8150caab12b2b229781aef05a6bb30057
SHA256ee129600b0da127afffd8795d318751d345301d3a4d2475b594f50bbe07c1666
SHA512f77c99af9a95498026ecc2f8b1f2925e8699370c48cbe88d3576d95c99d7689fc7f2109f99c15f33a6c38c6c7db339ff8eb10032e169f016b87227bb07364e8e
-
Filesize
1.5MB
MD546b58e24a61a7a5b759c0989b8580e98
SHA157f3a2f49f6b240af643d59b27fbea498b460a43
SHA2566ceaf8a1dadaf56801eef8aba7c50941099b7abf9f34dac1d7f844b7a03d2dc2
SHA5123a2f2ecc4672827da8f3e7af1ceec06fe3bba5dbdf6b0cf5c7f48c44da83b962f0bd54b9888774322326776c61ff42463cbe43c292d507200841206a9f7e2f17
-
Filesize
940B
MD5fd42b38a64ffb153df0fc0d1cedf780f
SHA121ab32c80465f7f1a760bedf4782a6292220f31a
SHA256b5d7217edaf72ae337e805c1cf70cf5d4697e2c62a1c7d2ec51e78b5399927ba
SHA512916026ce46e5b40bc5bf9b6705c4160d87a432e533ee8490d8f2013c114d85eab3bfa4f0f621c2e658c20fe377cd12f470ee0162ee64831322c237de6d1bd7f9
-
Filesize
3.4MB
MD51ef35068c2219a60eaf997eb30fc80a3
SHA14b93bb6b12d1fcf8aff67df3269e280438ce0588
SHA25642a8314562b8e32ad4aff7a65d6eedec79b599d767f731cc4947678f8cffaad2
SHA5129ff5ff4fd5489ad5862428a39f92bfd27e8b852a70c45ff06d506fabd95b081420bcf60ba158ad44d439d2f7e78e6e1ccad2f63f26edc99f62fa4566654f8b46