Resubmissions

13/01/2025, 14:36 UTC

250113-rytr9svqgy 10

20/11/2024, 14:41 UTC

241120-r2pbysyeqn 10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    20/11/2024, 14:41 UTC

General

  • Target

    520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660.apk

  • Size

    3.3MB

  • MD5

    2f5c4325f77280b2b58be981f9051f04

  • SHA1

    9730491a85455b4fc005582751e554ba1dac7a6e

  • SHA256

    520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660

  • SHA512

    e8eead2284b244c9a11cad49cb699a80d1d487ab6c2a07f07d43d4fd806c5eedd6be74cb936b9a9ab864a27f88d5a40eba10c1b61c3aba1e9385ffdcd30628ce

  • SSDEEP

    98304:myd2ofrE2KqIrLT9wsm3L4qffBS5ymTEpb5+wkBc:cqIrvc9HBSUbr+pc

Malware Config

Extracted

Family

tgtoxic

AES_key
303632335532354b545433594f385039

Signatures

  • TgToxic

    TgToxic is an Android banking trojan first seen in July 2022.

  • Tgtoxic family
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 13 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.example.mysoul
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4615

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.187.206
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.200.8
  • flag-us
    DNS
    ctrl.dksu.top
    Remote address:
    1.1.1.1:53
    Request
    ctrl.dksu.top
    IN A
    Response
    ctrl.dksu.top
    IN A
    38.60.198.218
  • flag-sg
    GET
    https://ctrl.dksu.top/adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30e
    Remote address:
    38.60.198.218:443
    Request
    GET /adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30e HTTP/2.0
    host: ctrl.dksu.top
    user-agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3
    accept-encoding: gzip
    Response
    HTTP/2.0 200
    server: nginx
    date: Wed, 20 Nov 2024 14:41:53 GMT
    content-type: text/html;charset=utf-8
    vary: Accept-Encoding
    set-cookie: PHPSESSID=eosjjaej3hgirm2io7t8h4g9jq; path=/
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    content-encoding: gzip
    strict-transport-security: max-age=31536000
  • flag-us
    DNS
    eu.dksu.top
    Remote address:
    1.1.1.1:53
    Request
    eu.dksu.top
    IN A
    Response
    eu.dksu.top
    IN A
    38.60.198.218
  • flag-sg
    GET
    https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776
    Remote address:
    38.60.198.218:443
    Request
    GET /io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776 HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: rVCZtE2TaLuKE95uiVdMjA==
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Extensions: permessage-deflate
    Host: eu.dksu.top
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.3
    Response
    HTTP/1.1 503 Service Temporarily Unavailable
    Server: nginx
    Date: Wed, 20 Nov 2024 14:41:55 GMT
    Content-Type: text/html
    Content-Length: 190
    Connection: keep-alive
  • flag-sg
    GET
    https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776
    Remote address:
    38.60.198.218:443
    Request
    GET /io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776 HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: x4yj/Ktf+XWKyc/qV7Zzgg==
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Extensions: permessage-deflate
    Host: eu.dksu.top
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.3
    Response
    HTTP/1.1 503 Service Temporarily Unavailable
    Server: nginx
    Date: Wed, 20 Nov 2024 14:42:05 GMT
    Content-Type: text/html
    Content-Length: 190
    Connection: keep-alive
  • flag-sg
    GET
    https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776
    Remote address:
    38.60.198.218:443
    Request
    GET /io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776 HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: LIE5JmAcbExJH0r6HSLchw==
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Extensions: permessage-deflate
    Host: eu.dksu.top
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.3
    Response
    HTTP/1.1 101 Switching Protocols
    Server: nginx
    Date: Wed, 20 Nov 2024 14:42:31 GMT
    Content-Length: 0
    Connection: upgrade
    Upgrade: websocket
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Accept: vixVmXnjEhfIPowfGtQEGE/B01E=
  • 142.250.187.238:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.187.238:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.187.238:443
    android.apis.google.com
    tls
    1.1kB
    4.5kB
    9
    7
  • 142.250.187.206:443
    android.apis.google.com
    tls
    6.3kB
    9.4kB
    26
    26
  • 142.250.200.8:443
    ssl.google-analytics.com
    tls
    1.4kB
    6.3kB
    10
    9
  • 38.60.198.218:443
    https://ctrl.dksu.top/adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30e
    tls, http2
    1.7kB
    5.1kB
    15
    16

    HTTP Request

    GET https://ctrl.dksu.top/adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30e

    HTTP Response

    200
  • 38.60.198.218:443
    https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776
    tls, http
    8.7kB
    6.0kB
    23
    22

    HTTP Request

    GET https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

    HTTP Response

    503

    HTTP Request

    GET https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

    HTTP Response

    503

    HTTP Request

    GET https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776

    HTTP Response

    101
  • 142.250.200.36:443
    tls, https
    850 B
    40 B
    2
    1
  • 142.250.200.36:443
    www.google.com
    tls
    11.0kB
    10.4kB
    28
    32
  • 38.60.198.218:443
    eu.dksu.top
    300 B
    5
  • 38.60.198.218:443
    eu.dksu.top
    300 B
    5
  • 38.60.198.218:443
    eu.dksu.top
    300 B
    5
  • 38.60.198.218:443
    eu.dksu.top
    300 B
    5
  • 38.60.198.218:443
    eu.dksu.top
    300 B
    5
  • 38.60.198.218:443
    eu.dksu.top
    180 B
    3
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.187.206

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.200.8

  • 1.1.1.1:53
    ctrl.dksu.top
    dns
    59 B
    75 B
    1
    1

    DNS Request

    ctrl.dksu.top

    DNS Response

    38.60.198.218

  • 1.1.1.1:53
    eu.dksu.top
    dns
    57 B
    73 B
    1
    1

    DNS Request

    eu.dksu.top

    DNS Response

    38.60.198.218

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.example.mysoul/cache/sb11997683485809607075.mp3

    Filesize

    940B

    MD5

    fd42b38a64ffb153df0fc0d1cedf780f

    SHA1

    21ab32c80465f7f1a760bedf4782a6292220f31a

    SHA256

    b5d7217edaf72ae337e805c1cf70cf5d4697e2c62a1c7d2ec51e78b5399927ba

    SHA512

    916026ce46e5b40bc5bf9b6705c4160d87a432e533ee8490d8f2013c114d85eab3bfa4f0f621c2e658c20fe377cd12f470ee0162ee64831322c237de6d1bd7f9