Analysis

  • max time kernel
    149s
  • max time network
    170s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    01/04/2025, 22:02

General

  • Target

    7861f533612ed5bc7d098075ad1f2fef1648ff02ae12fd8b41fd49b6ac73c15b.apk

  • Size

    4.0MB

  • MD5

    76d27f47fb0131c470eb637c201db4ca

  • SHA1

    1ef9d327534df860865273109070bd420780b739

  • SHA256

    7861f533612ed5bc7d098075ad1f2fef1648ff02ae12fd8b41fd49b6ac73c15b

  • SHA512

    845d2a2856c975adfd6c032e9738b87f11d5b75e3996fdcf3941b450e9b5811341e6506525e49c0efba6da6c60c8d279e0a343af8e582566ae76e4b73d61b798

  • SSDEEP

    98304:arWdNHQOiAjPWpgl1oUVifo5b60jaMdZ6NqIfs5D:aSb3jepg3oUVao5bjlZ6N7fsN

Malware Config

Signatures

  • TeaBot

    TeaBot is an android banker first seen in January 2021.

  • TeaBot payload 1 IoCs
  • Teabot family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Acquires the wake lock 1 IoCs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • usage.just.shock
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:5092

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/usage.just.shock/app_DynamicOptDex/nQAqKMR.json

    Filesize

    1.2MB

    MD5

    7b3f4df9f119dd6d984552b3ba3d734b

    SHA1

    c191313833252cf3e472fffc8b54448e4f6a4192

    SHA256

    f9fb1598df72c799c7539b94bd4d130c0428a597da6623743796d603e60a1ce8

    SHA512

    34d3c5a01b8287bfd0c52b4320528f908629dace69387aee297b3b1b930ff1d5098db6c18a11ecabf73f2e0a5cda35a4a8738b5d3d81025b006642ca5ea49a1e

  • /data/data/usage.just.shock/app_DynamicOptDex/nQAqKMR.json

    Filesize

    1.2MB

    MD5

    4c3aa4a48283e0f0e8a9c15fa14bce41

    SHA1

    f7c098941b001cca43fc25f1e8f3e0d9142cdd7f

    SHA256

    624a0a7c78214065db178215ce8248cfd630648c0f036a018b083788393bbf1e

    SHA512

    b7eb01f6925a33e168aaf10d9f9ad48543c2a2512fecad5672c428ad46cd994978029aa0b56a231515dcc7fb7c9b2cc905a4d6891e3a22cf00788f5d500a74ab

  • /data/data/usage.just.shock/app_DynamicOptDex/oat/nQAqKMR.json.cur.prof

    Filesize

    1KB

    MD5

    781dad0db881590d91e8c51f95609953

    SHA1

    af3714d309b0d96ff6f8ec6cf7d716601f151f78

    SHA256

    edb2f0920c9288d02b82c83ff21a22e6d3b75009e5b56896a878429ce31a8ffd

    SHA512

    885beb2939ec0558e4049f17e7b58eb9cae0f71bb9429d90af37ce2e4a08549cd26dc7c5f967e3422c02ea17633aa119d5afbeb514e75c60bdfe6b997f91701a