Analysis Overview
SHA256
f9dae07aeff67f820645ba1e34c350e5a9da61c8a8c8c1ed1df36f594051ea8e
Threat Level: Shows suspicious behavior
The file f9dae07aeff67f820645ba1e34c350e5a9da61c8a8c8c1ed1df36f594051ea8e.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-12 19:25
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 19:25
Reported
2024-06-12 19:28
Platform
android-x64-20240611.1-en
Max time kernel
136s
Max time network
131s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| SE | 77.232.143.164:8080 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 142.250.200.14:443 | tcp | |
| GB | 172.217.169.66:443 | tcp | |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.204.78:443 | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 8947966a1269c55fce50efd32f8109d7 |
| SHA1 | 27d317ac455d6ec8766067271a6ca9bd1fc3588b |
| SHA256 | debf14ce4103b553e255c10d8b6bb61ac7be6ae5715954a57163cbdbdca76818 |
| SHA512 | e3b72eaec87b65748e9a881d0cbd31f5b9cc7571d31e18c67568af11305739f27fb399ae4aabf576740ddf2816ac0be283c0114a0afc4fe9a6b9237d7fbd108b |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 5921ca9ceae806132190287d8220e36e |
| SHA1 | 31cb543b74a0be81bded30f96a3d7125e2ba6703 |
| SHA256 | 8ef8660039c0bd982e303ad56dd6d13fd1a1fd4e9de4849c87c7de50bf4f929a |
| SHA512 | b5e0ee86af8ff3086be822cc589343ecea69951c99e7398138f8c5d416bd1a0fc78ca4176b95d5654606125f272b7cf2f883e1aa0e914b1ea82d4b74592b7363 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | b5d829d44922ebdd51d41792991ed2cc |
| SHA1 | 6326fa6dac72156f8ed73135a475dc3f4d1da526 |
| SHA256 | a2777d519fe31657a1d203577b2039042603be3fcbcf84c72e36a17c7300e7af |
| SHA512 | 5e150a63d32070f23712270887d71b6227d5c2f962f63b77a485371dc46f7e86722a1631cd6bb969c803539793232c54479b2fcb301d55943805b320e6d3e14b |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 19a1557f917b25707b76fc3b38ad3977 |
| SHA1 | b1ad764bf477eb67bc2ef7ce32278ac24f0c6c9a |
| SHA256 | 634e09533fa37721b09b0122856842d03faf26881fcb7f5a02e84850f590281b |
| SHA512 | 3bfc536ba21be65d6a145679f4080e2f0852ffb207f06c06316faf06ac60f91b4f982261ddfec72938ff6795c0e798772384881def4cdd2ff7ba9d50a6adab8c |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 19:25
Reported
2024-06-12 19:28
Platform
android-x64-arm64-20240611.1-en
Max time kernel
137s
Max time network
132s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| SE | 77.232.143.164:8080 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.180.4:443 | tcp | |
| GB | 142.250.180.4:443 | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 8947966a1269c55fce50efd32f8109d7 |
| SHA1 | 27d317ac455d6ec8766067271a6ca9bd1fc3588b |
| SHA256 | debf14ce4103b553e255c10d8b6bb61ac7be6ae5715954a57163cbdbdca76818 |
| SHA512 | e3b72eaec87b65748e9a881d0cbd31f5b9cc7571d31e18c67568af11305739f27fb399ae4aabf576740ddf2816ac0be283c0114a0afc4fe9a6b9237d7fbd108b |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 3fe7eb767b5e057550a48c7433d29af9 |
| SHA1 | aabb24e918cdb4003d6f559a826ce44965360151 |
| SHA256 | 0cf3e78229e035a4038fd06d4dd5d2b75a1deedc8104fd432e0d300cea296cf2 |
| SHA512 | 904cb693038248f6666274a762567fee2ca54f651ad35fe76961ca52bf3085e205953797ce6f53ee4790dd6d1ed76f37c00debcd9e53cb6b0009e5b82ced4eee |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 032a53e02b42a8a4e9651c59a343314a |
| SHA1 | 75580bed7544fa00dd87518cabb446f4a7c73b26 |
| SHA256 | 0503f23809599d0b7ec2d6a3626210e8d599f8be7e76fe9be527dddb0daa0a0b |
| SHA512 | fedb886ded66252428bd0c7240ceefe93e1c9d98ee47c64019aa6153ce9f4e9485b3b76b8d25bfcbca0d564bebda36437ffb3770f5e17813509504c569f4c952 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 19:25
Reported
2024-06-12 19:28
Platform
android-x86-arm-20240611.1-en
Max time kernel
140s
Max time network
129s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| SE | 77.232.143.164:8080 | tcp | |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 8947966a1269c55fce50efd32f8109d7 |
| SHA1 | 27d317ac455d6ec8766067271a6ca9bd1fc3588b |
| SHA256 | debf14ce4103b553e255c10d8b6bb61ac7be6ae5715954a57163cbdbdca76818 |
| SHA512 | e3b72eaec87b65748e9a881d0cbd31f5b9cc7571d31e18c67568af11305739f27fb399ae4aabf576740ddf2816ac0be283c0114a0afc4fe9a6b9237d7fbd108b |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | eeff45607cf98aec851262531385f9f7 |
| SHA1 | cae3fecc984dc17a6531a7fd7390fb77503c39f8 |
| SHA256 | cd47c1e53a4d87749698e30eba4608a4ce653bebcb1ad08106a7d6e65c4ebb88 |
| SHA512 | e667f1965a27c16fde24d5e5f5a802568ad972c6f80f77673c9e961c03242c925437fb3cf9c1b94b575887bca70386dfaf52ab9e395d8ed59afd152b824119fa |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | 84b0ac93a5a984faf0398bb98f162701 |
| SHA1 | 5455dff06ca4dd77fed6fed8a3ad076fc70ac1a5 |
| SHA256 | e3776aa3e353b7075f48dde3974aa5f1a45d81d24251c5c33a0a18adcc8b13b3 |
| SHA512 | 22f2ad0f609bc95504d5b736adfb9985ec473e4b9e4def4486fa5bc5ca602fed80309c06c5197f5cfe13bc68fb41885284fb5645447e01d648acf5a8b82d6e1c |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 7ec785b086734a9a79759285fafaf054 |
| SHA1 | ea95d78233a374977923f4e3cd61e956354f9e6c |
| SHA256 | 6efd38e3fef3133f2da1df43988e8cd6e588bfb1f3d37ba8f294fb0840bcb665 |
| SHA512 | cf5503321069dae476cf5542c2cf0c13988268b791a0be0aaadfd29f4a348d29c74115b904bfeb71f3a857dcdc70e6639a834ccfd75a27ec0a92d9b03c1f0c84 |