Analysis Overview
SHA256
974033aa204a786efb5c3ad11ab7a18b8de6e86fc68dd9b2afbf2c40198ec0ab
Threat Level: Shows suspicious behavior
The file 974033aa204a786efb5c3ad11ab7a18b8de6e86fc68dd9b2afbf2c40198ec0ab.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-12 19:07
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 19:07
Reported
2024-06-12 19:10
Platform
android-x86-arm-20240611.1-en
Max time kernel
131s
Max time network
139s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.178.10:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 46.226.160.19:8080 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
| --- | --- |
| MD5 | d63d58965296acfe683bec8b6f478168 |
| SHA1 | d18feddd10f7837e3b6d1a0540f8db96f8116592 |
| SHA256 | 54d463f55a7a8e836c33c84f4c807877dae3de2e803fcaab8ae00914e2e05ed6 |
| SHA512 | e35e93b186cb215e9b735422197e8905d9d44eb26b71fc2dd7f2de3517e354e4c364762105e179eff30f89c1ccfe58bd6a2f5760864583b9aeb656f4a6022747 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
| --- | --- |
| MD5 | c7e60af582ec9361c24aa2dae27cb845 |
| SHA1 | cfd3168218c38e0d503d9ba17323a8469633f90e |
| SHA256 | 24a432be912ea1d85eaef7d863ef96dd9ea62e3d0334ce748941051ffdcc0928 |
| SHA512 | 0b9ac994e9c019c9b009d78545b89c7a13cd2567da91c3eeeacb41b771371e08ea245b569b46e5d3d3088c6290e3c89ee1b30c6ee93ee6b00e60d22f3959b6cc |
/data/data/org.zzzz.aaa/files/profileInstalled
| Hash | Value |
| --- | --- |
| MD5 | 69ceac646fd96983e3d4b424340e18ed |
| SHA1 | 607fcc28ea12719722684fe289881145e2568641 |
| SHA256 | c8dd0c3af4fcee5b2e584a1d66dc2662571e54cefd213b864e32257415b0a8e6 |
| SHA512 | 35edf322b98bfef7f1c93d4728598af7158af90b267d177df8ec9f04df4697922359b7b9bf1218da7b8b24a730c8389764b41945f20724d499a66ee9f67ff0d3 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
| --- | --- |
| MD5 | 90c979cd94ad7666982ee7cffad3ee29 |
| SHA1 | d289836f825f8b03be9fba03236bd342e774a70c |
| SHA256 | c7d1979c869d712462751812680678e5cc467d7ea3e54852a817cdf29e8d13c2 |
| SHA512 | 4fcc81da4625830fd5275dbb1f32fb135e01c06926b7fec7d91c1cf4eb48385f3a0136aa414708560f5ccac9576cd64e4f27e03dcb9e12b28e14844d8614a5f6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 19:07
Reported
2024-06-12 19:10
Platform
android-x64-20240611.1-en
Max time kernel
132s
Max time network
151s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 46.226.160.19:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.10:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 142.250.200.2:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
| --- | --- |
| MD5 | d63d58965296acfe683bec8b6f478168 |
| SHA1 | d18feddd10f7837e3b6d1a0540f8db96f8116592 |
| SHA256 | 54d463f55a7a8e836c33c84f4c807877dae3de2e803fcaab8ae00914e2e05ed6 |
| SHA512 | e35e93b186cb215e9b735422197e8905d9d44eb26b71fc2dd7f2de3517e354e4c364762105e179eff30f89c1ccfe58bd6a2f5760864583b9aeb656f4a6022747 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
| --- | --- |
| MD5 | 2351f5120256d2164297b013b5cfe940 |
| SHA1 | 1d7c2db29c74fb1d71cc4747c5b5c12200b49cc6 |
| SHA256 | ca948611fabee202951faa49e5a90864882d678b218844f4aa71ef2dfe108b26 |
| SHA512 | 311d3cddd38529a35e001153d6d1bc9dc7d7eb2820b3f599e3e0dedcfd9f7f1edc9dc95f748d94777abac9bb68a351d691fd86e8122645ab6cfdef8ace5c71e5 |
/data/data/org.zzzz.aaa/files/profileInstalled
| Hash | Value |
| --- | --- |
| MD5 | 4a4abab57a9acf6297bb28df45ee36f4 |
| SHA1 | f5f4425ed10d601c012f9e29f4096754c0c3e627 |
| SHA256 | 4e99928c67fd58519eabe0fc5e71ca2aa4f4adfd3a5c2254ebcacd4292103a39 |
| SHA512 | 6a56b498a304cdc410019019ceeb663a11709803f9b5292646ffa7aebb02e58f3b817c241ef3c86bdb11da5f4c308e1d4db248507ca5cc34efd1189247218503 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
| --- | --- |
| MD5 | 084e0edace3b6933fd5b706723b90e19 |
| SHA1 | 113c0b66859ca8275f206a9eeec5e22fd18ae624 |
| SHA256 | 5f64365268507aa0ba14e96395f4ce225421181277f9311fa9c825890f1bb18a |
| SHA512 | dab2dd0d5dd481b51695c7ce3000c85e2411029fe46f9c55174a04701d86735e8b76ab84a638d4f87ebb8ac4aead7fcb47539031f06358b20304d19f8839ef37 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 19:07
Reported
2024-06-12 19:10
Platform
android-x64-arm64-20240611.1-en
Max time kernel
131s
Max time network
132s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.78:443 | | tcp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| RU | 46.226.160.19:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
| --- | --- |
| MD5 | d63d58965296acfe683bec8b6f478168 |
| SHA1 | d18feddd10f7837e3b6d1a0540f8db96f8116592 |
| SHA256 | 54d463f55a7a8e836c33c84f4c807877dae3de2e803fcaab8ae00914e2e05ed6 |
| SHA512 | e35e93b186cb215e9b735422197e8905d9d44eb26b71fc2dd7f2de3517e354e4c364762105e179eff30f89c1ccfe58bd6a2f5760864583b9aeb656f4a6022747 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
| --- | --- |
| MD5 | fd3df302d740708dbf39292120dc0b17 |
| SHA1 | 9b316affff74f3cf30bcb5f654f8d51499c6a7c5 |
| SHA256 | 82def913b797e55fd2ca48667ac5a77f5b78d2dfd66ad9896901a3c57a77035b |
| SHA512 | 267181e625ec2e3775d7ff915f510ad4876d7d83f769718b2b610d4a408f8afa9e67358f8adf006c8fc033ffc33b4f4e04b3c8def5754ddf3e1a52e12131d266 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
| --- | --- |
| MD5 | a44911d7dc1b927c5cc8848b98aa85c8 |
| SHA1 | d32bf18823f1cbb3fd11a099ad7510fbceb76a79 |
| SHA256 | 33133494199f6d72f523a63119674f43f9c14730d0de47aa4cfbc359ab6c5e31 |
| SHA512 | 6e8fa9c0cb2a920abecd7eb513451ec6ee8535c1fe82e75cbe4dded40a508165b8bded2caa1cde0990322eaf2aa4b979d9320a9ce7428ce567a242555be97b04 |