tgtoxic | 520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660

Resubmissions

13/01/2025, 14:36 UTC

250113-rytr9svqgy 10

20/11/2024, 14:41 UTC

241120-r2pbysyeqn 10

Analysis

max time kernel
149s
max time network
157s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
20/11/2024, 14:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660.apk
Size

3.3MB
MD5

2f5c4325f77280b2b58be981f9051f04
SHA1

9730491a85455b4fc005582751e554ba1dac7a6e
SHA256

520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660
SHA512

e8eead2284b244c9a11cad49cb699a80d1d487ab6c2a07f07d43d4fd806c5eedd6be74cb936b9a9ab864a27f88d5a40eba10c1b61c3aba1e9385ffdcd30628ce
SSDEEP

98304:myd2ofrE2KqIrLT9wsm3L4qffBS5ymTEpb5+wkBc:cqIrvc9HBSUbr+pc

Score

10^/10

tgtoxic banker collection credential_access discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

tgtoxic

AES_key

1
303632335532354b545433594f385039

Signatures

TgToxic
TgToxic is an Android banking trojan first seen in July 2022.
infostealer trojan banker tgtoxic
Tgtoxic family
tgtoxic

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.example.mysoul
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.example.mysoul
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.example.mysoul

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.example.mysoul

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.example.mysoul

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.example.mysoul

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.example.mysoul

Performs UI accessibility actions on behalf of the user 1 TTPs 13 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.example.mysoul

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.example.mysoul

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.example.mysoul

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.example.mysoul

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.example.mysoul

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.example.mysoul

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.example.mysoul

com.example.mysoul
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4615

Network

DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.206
DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A

Response

ssl.google-analytics.com

IN A

142.250.200.8
DNS

ctrl.dksu.top

Remote address:

1.1.1.1:53

Request

ctrl.dksu.top

IN A

Response

ctrl.dksu.top

IN A

38.60.198.218
GET

https://ctrl.dksu.top/adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30e

Remote address:

38.60.198.218:443

Request

GET /adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30e HTTP/2.0
host: ctrl.dksu.top
user-agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3
accept-encoding: gzip

Response

HTTP/2.0 200

server: nginx
date: Wed, 20 Nov 2024 14:41:53 GMT
content-type: text/html;charset=utf-8
vary: Accept-Encoding
set-cookie: PHPSESSID=eosjjaej3hgirm2io7t8h4g9jq; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-encoding: gzip
strict-transport-security: max-age=31536000
DNS

eu.dksu.top

Remote address:

1.1.1.1:53

Request

eu.dksu.top

IN A

Response

eu.dksu.top

IN A

38.60.198.218
GET

https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

Remote address:

38.60.198.218:443

Request

GET /io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776 HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: rVCZtE2TaLuKE95uiVdMjA==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: eu.dksu.top
Accept-Encoding: gzip
User-Agent: okhttp/4.9.3

Response

HTTP/1.1 503 Service Temporarily Unavailable

Server: nginx
Date: Wed, 20 Nov 2024 14:41:55 GMT
Content-Type: text/html
Content-Length: 190
Connection: keep-alive
GET

https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

Remote address:

38.60.198.218:443

Request

GET /io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776 HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: x4yj/Ktf+XWKyc/qV7Zzgg==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: eu.dksu.top
Accept-Encoding: gzip
User-Agent: okhttp/4.9.3

Response

HTTP/1.1 503 Service Temporarily Unavailable

Server: nginx
Date: Wed, 20 Nov 2024 14:42:05 GMT
Content-Type: text/html
Content-Length: 190
Connection: keep-alive
GET

https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

Remote address:

38.60.198.218:443

Request

GET /io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776 HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: LIE5JmAcbExJH0r6HSLchw==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: eu.dksu.top
Accept-Encoding: gzip
User-Agent: okhttp/4.9.3

Response

HTTP/1.1 101 Switching Protocols

Server: nginx
Date: Wed, 20 Nov 2024 14:42:31 GMT
Content-Length: 0
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Accept: vixVmXnjEhfIPowfGtQEGE/B01E=

142.250.187.238:443

tls, https

695 B
40 B
1
1
142.250.187.238:443

tls, https

695 B
40 B
1
1
142.250.187.238:443

android.apis.google.com

tls

1.1kB
4.5kB
9
7
142.250.187.206:443

android.apis.google.com

tls

6.3kB
9.4kB
26
26
142.250.200.8:443

ssl.google-analytics.com

tls

1.4kB
6.3kB
10
9
38.60.198.218:443

https://ctrl.dksu.top/adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30e

tls, http2

1.7kB
5.1kB
15
16

HTTP Request

GET https://ctrl.dksu.top/adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30e

HTTP Response

200
38.60.198.218:443

https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

tls, http

8.7kB
6.0kB
23
22

HTTP Request

GET https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

HTTP Response

503

HTTP Request

GET https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

HTTP Response

503

HTTP Request

GET https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

HTTP Response

101
142.250.200.36:443

tls, https

850 B
40 B
2
1
142.250.200.36:443

www.google.com

tls

11.0kB
10.4kB
28
32
38.60.198.218:443

eu.dksu.top

300 B
5
38.60.198.218:443

eu.dksu.top

300 B
5
38.60.198.218:443

eu.dksu.top

300 B
5
38.60.198.218:443

eu.dksu.top

300 B
5
38.60.198.218:443

eu.dksu.top

300 B
5
38.60.198.218:443

eu.dksu.top

180 B
3

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.187.206
1.1.1.1:53

ssl.google-analytics.com

dns

70 B
86 B
1
1

DNS Request

ssl.google-analytics.com

DNS Response

142.250.200.8
1.1.1.1:53

ctrl.dksu.top

dns

59 B
75 B
1
1

DNS Request

ctrl.dksu.top

DNS Response

38.60.198.218
1.1.1.1:53

eu.dksu.top

dns

57 B
73 B
1
1

DNS Request

eu.dksu.top

DNS Response

38.60.198.218

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.example.mysoul/cache/sb11997683485809607075.mp3

Filesize
940B

MD5
fd42b38a64ffb153df0fc0d1cedf780f

SHA1
21ab32c80465f7f1a760bedf4782a6292220f31a

SHA256
b5d7217edaf72ae337e805c1cf70cf5d4697e2c62a1c7d2ec51e78b5399927ba

SHA512
916026ce46e5b40bc5bf9b6705c4160d87a432e533ee8490d8f2013c114d85eab3bfa4f0f621c2e658c20fe377cd12f470ee0162ee64831322c237de6d1bd7f9

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.