Analysis Overview
SHA256
1138cdd5b3f8b317726aca14fc30a8b1f7f59bd454132ed08c653e5372796b43
Threat Level: Shows suspicious behavior
The file 1138cdd5b3f8b317726aca14fc30a8b1f7f59bd454132ed08c653e5372796b43.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-12 19:36
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 19:36
Reported
2024-06-12 19:39
Platform
android-x86-arm-20240611.1-en
Max time kernel
149s
Max time network
131s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 77.221.137.252:8080 | tcp | |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.206:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 6951f329d521baa8f9e5b65f166f1ee8 |
| SHA1 | 9917af1f527f9caac157cdd1f27e68265598ead0 |
| SHA256 | 0102b5ac0adfbaa2b77cc6b0cb8f7fe8fcb5588d4e4a990c56f85e4f9afbd698 |
| SHA512 | 48bfd38097c3cdd4f2ea2b445cc5283fc62deed67e19df001334d552cb579bbead8b1cacf86b3b335d37a6d15e6301cc8a74d69904acdca55bdabe73b900bda1 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 4f79ab7bace8f3c2485b5fb742376e8f |
| SHA1 | 916c57245f3c755f56bd8387068f776db0210835 |
| SHA256 | ff12fae5d91be958f6f360ad6aab217929fc67804dea2a878513e82457a9be43 |
| SHA512 | e62211981218cc6e7dc523022e1b62e25797ebb35e60701158d2b9e143b24d8ce757eec1d30a2f260ca277f10393fff250c5a63073cf898198a527d0bf2dd931 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | c863d64ab6c2f528e109534391ab08cd |
| SHA1 | ad60d184bc069b309066d29d173c6cad096993af |
| SHA256 | bc0c4f0a2bc88871029368d1fe743ebb7887015887a9535c06cb416a9d86fbc7 |
| SHA512 | 8ce7bcac01c22c3179803d9052ecc6294cb6e64685d4a287e9abae65c1a3b14bdeab1a07cf1e069c38b29192183e01f1fd4b670b984bc7fa79503da959342ee7 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | d927cca3e732608937a92790781f0954 |
| SHA1 | 197d01d34a3d98419af18c865d8f3ddc439f8e3c |
| SHA256 | 098669333ad6f307b7624265522deb99ad18278538dd28b745a513bba3d94476 |
| SHA512 | e27c42009027b9f2f382bcb38a52806536124bdca9be5ad6a036ea68b639a2c2fec399b0aca5972266ab93c047fe56dcfaffc08e9af8abc9091f663d0ab72e49 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 19:36
Reported
2024-06-12 19:39
Platform
android-x64-20240611.1-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 77.221.137.252:8080 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.68:443 | tcp | |
| GB | 172.217.169.68:443 | tcp | |
| GB | 142.250.200.46:443 | tcp | |
| GB | 216.58.212.238:443 | tcp | |
| GB | 142.250.200.2:443 | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 6951f329d521baa8f9e5b65f166f1ee8 |
| SHA1 | 9917af1f527f9caac157cdd1f27e68265598ead0 |
| SHA256 | 0102b5ac0adfbaa2b77cc6b0cb8f7fe8fcb5588d4e4a990c56f85e4f9afbd698 |
| SHA512 | 48bfd38097c3cdd4f2ea2b445cc5283fc62deed67e19df001334d552cb579bbead8b1cacf86b3b335d37a6d15e6301cc8a74d69904acdca55bdabe73b900bda1 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | f29a33c93b868d844360f6b3defa6719 |
| SHA1 | ec8283b89c481476ca5ea8f1590cbd65d261491c |
| SHA256 | cf23bcb1f7aa8e5153fbfa297740e0df7c0725b3f34bbe650c137ad84ef527de |
| SHA512 | b154bdfd63d5a268dbe3d9b2ca11da4d62862d02d20d74ac5bd50f8c4f843e51eb45ae6af625ce2e50da033a0f24e729b1b391596d6722eedf8d67c6070a90e1 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | 28717a57157f0907725f5077d42aa5a1 |
| SHA1 | acb757443eb74479e5533cb054ac1095cda0b07d |
| SHA256 | f366de6b9f73b3b5f29e20a33dec944922e1e95a7704e5ab319495a185178faa |
| SHA512 | 63a52a3e4d4059494eee5bcfa5f2285e24a28eafafd91cafe1a82ebf5367f2197f258f74ace8c856e69e48d30167fcdd663f6aba5ea1c9c8eac1426918e698c8 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | d6da3ad59e9803d97f0891dcf08b2020 |
| SHA1 | eb3dbab167e49632282066181b50c0116ce15d42 |
| SHA256 | 690bd79768c48b5bbcf7de7bafcc86413526a86dc54858927b434797e60548c2 |
| SHA512 | a7512b41f0054354ef599678c6124cca0beb898b0ce73fb33431d763859d75e6c03010adfe4e90585fec99b538d824676a8fa475730d94b0eb066ff58cdcb12f |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 19:36
Reported
2024-06-12 19:39
Platform
android-x64-arm64-20240611.1-en
Max time kernel
147s
Max time network
132s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 77.221.137.252:8080 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 142.250.179.228:443 | tcp | |
| GB | 142.250.179.228:443 | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 6951f329d521baa8f9e5b65f166f1ee8 |
| SHA1 | 9917af1f527f9caac157cdd1f27e68265598ead0 |
| SHA256 | 0102b5ac0adfbaa2b77cc6b0cb8f7fe8fcb5588d4e4a990c56f85e4f9afbd698 |
| SHA512 | 48bfd38097c3cdd4f2ea2b445cc5283fc62deed67e19df001334d552cb579bbead8b1cacf86b3b335d37a6d15e6301cc8a74d69904acdca55bdabe73b900bda1 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 421997629af1d0d62dcce8409c261961 |
| SHA1 | acf6989432e890e9a2f3985b4742112818258f7d |
| SHA256 | 3717cedccc9fa766636488d2bb92717a0b6acf4fcc7376dc85d3701f8feed662 |
| SHA512 | 4c2004a8ee5de5b8039e53e8632f3d7ebb73077eda5a7feca058e776a61793d0029cd5c3a88cba6bd380114279dfe8d947696167d78c67cdf40d6c595bddffd1 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | f6844cb1261f0ad06bc722f5e9d6ac60 |
| SHA1 | ecea342a0169d9ff168521c8904698519131a0f9 |
| SHA256 | 8b650efacba49af408b9ac5d104c61d07e1daf498e9489df960d10fa794ba223 |
| SHA512 | 2b6c79ae2131971ad6244f16febe8c2bdfe1ff5508b6016f894f139657244bead2ad1f6b200176524df7367765bbbd835fd799fde24b72d498b7192a2c8dcb6a |