Analysis
-
max time kernel
149s -
max time network
154s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
31/01/2025, 22:00
General
-
Target
e4cfd6fc03feee2e8b6e687068cc8430f2c2d3f055f4e69a91c6f83605da128e.apk
-
Size
2.2MB
-
MD5
dcbb515f5cb46f88305c943bed265fba
-
SHA1
b65450ef390d23ca3796962da1e2f6c8441395d3
-
SHA256
e4cfd6fc03feee2e8b6e687068cc8430f2c2d3f055f4e69a91c6f83605da128e
-
SHA512
57560f2b96e706efc46ffbec4deb552cc8b5df6755de91d2d465196e18e16f6058603efaa8c563f7b64338b703ad1c272e5da73fcfc87afbaf47aac1d497e8d9
-
SSDEEP
49152:88SFlgBMebdvOy+CSlNaFloWNmY3NNKvGvb8A5R9:88SMBMI2yRSlIFloWN93fz8AF
Malware Config
Signatures
-
TeaBot
TeaBot is an android banker first seen in January 2021.
-
TeaBot payload 2 IoCs
-
Teabot family
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Acquires the wake lock 1 IoCs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
purple.haze.outs1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/purple.haze.outs/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/purple.haze.outs/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
716KB
MD520b48fc67169ed72dfb374a5362e98a8
SHA168a79ef09a19ce7814c0773ff0f987aeb435ab4b
SHA25615db7567c747708f3aec8bd08bfec5cda211fdc29c69650a542ee3d211395e5b
SHA512426dc5dc827931604573056bd6736dd06a3470aea96772a5a13e926168d80807e1fd16a67adb29c839a43e2dc5fd487b0f484c69c4dd9e48c0b05c084ee98d59
-
Filesize
716KB
MD5b31bc81440c4fe6c074f46851efe159e
SHA145312c9cc74ee8d43461cbb5ce0ab9a473f43abe
SHA256b94a7511473af6ecf9cd547984385fab429d43241c79602724406ef9d9a9d51a
SHA5128486649edf4e738a656398358283057ca8da12496a8610273a2d6b47ac4ca2b454694df415e56280a6851f7820cb1e84b632957ff1224fab678d2457d416286c