Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
157s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
20/11/2024, 14:41 UTC
Behavioral task
behavioral1
Sample
520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660.apk
-
Size
3.3MB
-
MD5
2f5c4325f77280b2b58be981f9051f04
-
SHA1
9730491a85455b4fc005582751e554ba1dac7a6e
-
SHA256
520d7902587dfc26a058e1ef5a7e6b9946bb668d03a41ee153ea54492e77f660
-
SHA512
e8eead2284b244c9a11cad49cb699a80d1d487ab6c2a07f07d43d4fd806c5eedd6be74cb936b9a9ab864a27f88d5a40eba10c1b61c3aba1e9385ffdcd30628ce
-
SSDEEP
98304:myd2ofrE2KqIrLT9wsm3L4qffBS5ymTEpb5+wkBc:cqIrvc9HBSUbr+pc
Malware Config
Extracted
tgtoxic
Signatures
-
TgToxic
TgToxic is an Android banking trojan first seen in July 2022.
-
Tgtoxic family
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.example.mysoul Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.example.mysoul Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.example.mysoul -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.example.mysoul -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.example.mysoul -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.example.mysoul -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.example.mysoul -
Performs UI accessibility actions on behalf of the user 1 TTPs 13 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.example.mysoul -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.example.mysoul -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.example.mysoul -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.example.mysoul -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.example.mysoul -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.example.mysoul -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.example.mysoul
Processes
-
com.example.mysoul1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4615
Network
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A142.250.187.206
-
Remote address:1.1.1.1:53Requestssl.google-analytics.comIN AResponsessl.google-analytics.comIN A142.250.200.8
-
Remote address:1.1.1.1:53Requestctrl.dksu.topIN AResponsectrl.dksu.topIN A38.60.198.218
-
Remote address:38.60.198.218:443RequestGET /adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30e HTTP/2.0
host: ctrl.dksu.top
user-agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3
accept-encoding: gzip
ResponseHTTP/2.0 200
date: Wed, 20 Nov 2024 14:41:53 GMT
content-type: text/html;charset=utf-8
vary: Accept-Encoding
set-cookie: PHPSESSID=eosjjaej3hgirm2io7t8h4g9jq; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-encoding: gzip
strict-transport-security: max-age=31536000
-
Remote address:1.1.1.1:53Requesteu.dksu.topIN AResponseeu.dksu.topIN A38.60.198.218
-
GEThttps://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776Remote address:38.60.198.218:443RequestGET /io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776 HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: rVCZtE2TaLuKE95uiVdMjA==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: eu.dksu.top
Accept-Encoding: gzip
User-Agent: okhttp/4.9.3
ResponseHTTP/1.1 503 Service Temporarily Unavailable
Date: Wed, 20 Nov 2024 14:41:55 GMT
Content-Type: text/html
Content-Length: 190
Connection: keep-alive
-
GEThttps://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776Remote address:38.60.198.218:443RequestGET /io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776 HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: x4yj/Ktf+XWKyc/qV7Zzgg==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: eu.dksu.top
Accept-Encoding: gzip
User-Agent: okhttp/4.9.3
ResponseHTTP/1.1 503 Service Temporarily Unavailable
Date: Wed, 20 Nov 2024 14:42:05 GMT
Content-Type: text/html
Content-Length: 190
Connection: keep-alive
-
GEThttps://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776Remote address:38.60.198.218:443RequestGET /io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776 HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: LIE5JmAcbExJH0r6HSLchw==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: eu.dksu.top
Accept-Encoding: gzip
User-Agent: okhttp/4.9.3
ResponseHTTP/1.1 101 Switching Protocols
Date: Wed, 20 Nov 2024 14:42:31 GMT
Content-Length: 0
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Accept: vixVmXnjEhfIPowfGtQEGE/B01E=
-
695 B 40 B 1 1
-
695 B 40 B 1 1
-
1.1kB 4.5kB 9 7
-
6.3kB 9.4kB 26 26
-
1.4kB 6.3kB 10 9
-
38.60.198.218:443https://ctrl.dksu.top/adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30etls, http21.7kB 5.1kB 15 16
HTTP Request
GET https://ctrl.dksu.top/adv.php?apk=10803&cmode=test&device=3ef6fc141f8016bc1423f339c87db30eHTTP Response
200 -
38.60.198.218:443https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776tls, http8.7kB 6.0kB 23 22
HTTP Request
GET https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776HTTP Response
503HTTP Request
GET https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776HTTP Response
503HTTP Request
GET https://eu.dksu.top/io1776/?cmode=test&EIO=3&transport=websocket&apkid=10803&device=3ef6fc141f8016bc1423f339c87db30e&line=1776HTTP Response
101 -
850 B 40 B 2 1
-
11.0kB 10.4kB 28 32
-
300 B 5
-
300 B 5
-
300 B 5
-
300 B 5
-
300 B 5
-
180 B 3
-
3.7kB 11
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
142.250.187.206
-
70 B 86 B 1 1
DNS Request
ssl.google-analytics.com
DNS Response
142.250.200.8
-
59 B 75 B 1 1
DNS Request
ctrl.dksu.top
DNS Response
38.60.198.218
-
57 B 73 B 1 1
DNS Request
eu.dksu.top
DNS Response
38.60.198.218
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1System Information Discovery
2System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
940B
MD5fd42b38a64ffb153df0fc0d1cedf780f
SHA121ab32c80465f7f1a760bedf4782a6292220f31a
SHA256b5d7217edaf72ae337e805c1cf70cf5d4697e2c62a1c7d2ec51e78b5399927ba
SHA512916026ce46e5b40bc5bf9b6705c4160d87a432e533ee8490d8f2013c114d85eab3bfa4f0f621c2e658c20fe377cd12f470ee0162ee64831322c237de6d1bd7f9