Analysis Overview
SHA256
5e8021a72a74124cf95e5417594d2c813c701a82e1ad92bc7200c0b6e4473ed6
Threat Level: Shows suspicious behavior
The file 5e8021a72a74124cf95e5417594d2c813c701a82e1ad92bc7200c0b6e4473ed6.bin (an Android package, process name org.zzzz.aaa) was classified as: shows suspicious behavior.
Malicious Activity Summary
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 23:14
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Must be declared on an AccessibilityService so that only the system can bind to it. Once the user enables the service in Settings, it can read on-screen content and perform UI actions on the user's behalf. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
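The two static signatures above (an accessibility service guarded by BIND_ACCESSIBILITY_SERVICE, plus SMS and telephony permissions) are what a manifest triage pass checks for. The Python below is an added example, not code from the report or from the sandbox vendor: it parses a decoded AndroidManifest.xml and raises the same two findings. SAMPLE_MANIFEST is a constructed manifest that reproduces the declarations the report lists, not the sample's real manifest, and triage_manifest is a name chosen here. The DANGEROUS set is the subset of runtime permissions the report flags, not the full platform list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Runtime ("dangerous") permissions flagged in the static1 signatures above.
# Illustrative subset, not the full platform list.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS",
}

# Constructed manifest reproducing the declarations the report describes;
# it is not the sample's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.zzzz.aaa">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="app">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the findings a static signature pass would raise for one manifest."""
    root = ET.fromstring(xml_text)
    name = f"{{{ANDROID_NS}}}name"
    perm = f"{{{ANDROID_NS}}}permission"

    requested = {e.get(name) for e in root.iter("uses-permission")}
    dangerous = sorted(requested & DANGEROUS)

    # The framework only treats a <service> as an accessibility service when it
    # is guarded by BIND_ACCESSIBILITY_SERVICE and filters the AccessibilityService
    # action; checking both avoids counting a decoy service.
    a11y_services = []
    for svc in root.iter("service"):
        actions = {a.get(name) for a in svc.iter("action")}
        if svc.get(perm) == BIND_A11Y and A11Y_ACTION in actions:
            a11y_services.append(svc.get(name))

    # Verdict mirrors the report's label: accessibility access combined with
    # SMS/telephony permissions is the classic overlay/banking-trojan profile.
    telephony = {p for p in dangerous if "SMS" in p or "PHONE" in p or "CALL" in p}
    verdict = "suspicious" if a11y_services and telephony else "no finding"
    return {
        "package": root.get("package"),
        "dangerous": dangerous,
        "accessibility_services": a11y_services,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The function expects plain XML, so run the APK through `apktool d sample.apk` first and feed it the decoded AndroidManifest.xml; the binary manifest inside the APK is not parseable by xml.etree directly.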
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 23:14
Reported
2024-06-13 23:17
Platform
android-x86-arm-20240611.1-en
Max time kernel
163s
Max time network
140s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| RU | 46.226.160.19:8080 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 30e8f9f0d065da376c5f929b00d66d99 |
| SHA1 | 30e1cf6db1af33a5179c7c2bd00ee5f3e1176433 |
| SHA256 | 6f1a126d9dc2045a00e1b20c233ca64d1d86bea7c005f01392d9cd8ad9aa53ce |
| SHA512 | d5c0489bb984bc30ff90fc2455d2cb39b7c202d9f2c615ab2acc8198225b3339e117310f417a5830a363087b63b1c84515a7148ff94b0e5136bd61014ed3ee52 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | da6af4bc2c7ffaa68b56f2bd7cd0c3b8 |
| SHA1 | b7e7eab07ba42f766b0cbf42c4b4eed5689bad93 |
| SHA256 | 09159f695d6fcf9a98db06c8b2bb5721f3653fd0f2da25b1844f5f226098b61d |
| SHA512 | 09b7e87d46964818bf1a658193a9265620810e65163622d2dcaa668a40b4769a784015d3db1850a816b5de2bf0e8679f517c7bd290b7efb5bc5baa3344bcc134 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | 58daf6de9569fa76e9d07817c9629362 |
| SHA1 | edb87de1efba79670095cbb174c2227bb67487be |
| SHA256 | fc0909477ec710a0f75e67ccdc560f448b02bfdfee1863422083a45f18e17cce |
| SHA512 | 6a1e87973d025c8df9b24902e0c176fe3dd449d1501bbc7e1a4b553bbaa64281dce3aa7f75591b0b9a69cc5dae55a076dc5cdc75d93eca742831a59968d67593 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | ba386cefe1037aec5539aeed04b25e9a |
| SHA1 | f6b75e3fd088065c2f0c993bde05a646dd8a1b1b |
| SHA256 | dd76c8ded9e96c01a6a8851a7a79399a9fd4580495bc1ec5a1d7cc73eabe65e7 |
| SHA512 | cda2ab106bf98f9bda240dd3d2f7e2e3987390d11b276483e6a1cecb9a183ef7c7ef5497fec8d427e7d03c51ba5691d4ebc426fc401e259ae70925a7e7e1f2a6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 23:14
Reported
2024-06-13 23:17
Platform
android-x64-20240611.1-en
Max time kernel
163s
Max time network
151s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| RU | 46.226.160.19:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.10:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 142.250.200.2:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 30e8f9f0d065da376c5f929b00d66d99 |
| SHA1 | 30e1cf6db1af33a5179c7c2bd00ee5f3e1176433 |
| SHA256 | 6f1a126d9dc2045a00e1b20c233ca64d1d86bea7c005f01392d9cd8ad9aa53ce |
| SHA512 | d5c0489bb984bc30ff90fc2455d2cb39b7c202d9f2c615ab2acc8198225b3339e117310f417a5830a363087b63b1c84515a7148ff94b0e5136bd61014ed3ee52 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | d302751aa59572dcda14ebdf3ef2a9c7 |
| SHA1 | 370becec9575d573b04129dcd80a58a6d532b2d5 |
| SHA256 | 871ecc80aecda646b2f7790bc15fdefdb50e5cfe745b69318b19e379a5be58d2 |
| SHA512 | bbada194f65e41fb4dd9dd670f6c3a70218554a6ee2a1d1284f8669b8455a3f89122a1f0f63fef2f4486c7356d1071d39110811091b84cea3f4b149585f77285 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | a84896b32d56c8a1514ed62c58930aa7 |
| SHA1 | 561264f35db0ee09f05acc819b9859194487d523 |
| SHA256 | bca1f09a73d8a14aeccd0df518f87c1e202ba9f239bfb2b0e493f92e4611f2cc |
| SHA512 | ea37af03edf3c802165257d2855999c24826fe47063fb42bba9d801a2b6718ad9bfcc0b4440d8b7a81ed27da0af9f27a2ccc5ba8f870cc5f662166a1978f3114 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | e4b7b12d877a730f22e9becbcf826333 |
| SHA1 | 8d379f5766be1ff1c530602869339e48de71837b |
| SHA256 | 72729c51dc67be769450eeb615eac165ae6c9e695c53b32765b0552e59acf80b |
| SHA512 | d976bcd5668d10da7e4296e4ac1a2640c9fba93de9b5728ffcb7ccbe24cd77b902ec9e467eff5b76b694e464955494d81fe3bd3bb898cb3747f9ca61f6e60fc1 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 23:14
Reported
2024-06-13 23:17
Platform
android-x64-arm64-20240611.1-en
Max time kernel
165s
Max time network
132s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.10:443 | | tcp |
| RU | 46.226.160.19:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
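Across behavioral1, behavioral2 and behavioral3 the Google endpoints vary from run to run, while 46.226.160.19:8080 (RU, tcp, no domain ever resolved for it) appears in every detonation. The Python below is an added example, not part of the report, that makes that correlation mechanical: it parses the three connection tables, drops sandbox background traffic (mDNS multicast and resolver lookups), keeps the endpoints seen in every run, and marks the ones worth pivoting on first. RUN1, RUN2 and RUN3 are the three tables copied as the report exports them (rows with no resolved domain can carry the protocol in the Domain column, which parse_rows tolerates); parse_rows, is_noise, stable_destinations and candidate_c2 are names chosen here.

```python
import ipaddress
from collections import Counter

# Connection tables from the three detonations, copied in the report's
# "| Country | Destination | Domain | Proto |" layout as exported.
RUN1 = """
| N/A | 224.0.0.251:5353 | udp | |
| RU | 46.226.160.19:8080 | tcp | |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
"""
RUN2 = """
| N/A | 224.0.0.251:5353 | udp | |
| RU | 46.226.160.19:8080 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.10:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 172.217.169.68:443 | tcp | |
| GB | 172.217.169.68:443 | tcp | |
| GB | 142.250.200.46:443 | tcp | |
| GB | 216.58.212.238:443 | tcp | |
| GB | 142.250.200.2:443 | tcp |
"""
RUN3 = """
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.178.10:443 | tcp | |
| RU | 46.226.160.19:8080 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.201.100:443 | tcp |
"""


def parse_rows(table):
    """Parse one report table into dicts, tolerating rows whose Domain cell holds the proto."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells += [""] * (4 - len(cells))
        country, dest, domain, proto = cells[:4]
        if domain in ("tcp", "udp") and not proto:   # shifted no-domain row
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    """Local multicast (mDNS) and resolver lookups are sandbox background traffic."""
    ip = ipaddress.ip_address(row["host"])
    return ip.is_multicast or ip.is_link_local or ip.is_loopback or row["port"] == 53


def stable_destinations(tables, min_runs=None):
    """Endpoints contacted in at least min_runs detonations (default: all of them)."""
    min_runs = min_runs or len(tables)
    hits = Counter()
    domains = {}
    for table in tables:
        rows = [r for r in parse_rows(table) if not is_noise(r)]
        hits.update({(r["host"], r["port"], r["proto"]) for r in rows})  # one vote per run
        for r in rows:
            if r["domain"]:
                domains.setdefault((r["host"], r["port"], r["proto"]), r["domain"])
    return [
        {"endpoint": f"{host}:{port}/{proto}", "port": port, "runs": n,
         "domain": domains.get((host, port, proto), "")}
        for (host, port, proto), n in sorted(hits.items()) if n >= min_runs
    ]


def candidate_c2(stable):
    """Stable endpoints on a non-web port with no domain resolved for them.

    A triage heuristic for where to pivot first, not an attribution."""
    return [s for s in stable if s["port"] not in (80, 443) and not s["domain"]]


if __name__ == "__main__":
    stable = stable_destinations([RUN1, RUN2, RUN3])
    for s in stable:
        print(f"{s['endpoint']:28} runs={s['runs']} domain={s['domain'] or '-'}")
    print("candidate C2:", [c["endpoint"] for c in candidate_c2(stable)])
```

Lowering min_runs to 2 also surfaces 142.250.179.238:443 (android.apis.google.com in behavioral1 and behavioral3), which is why the domain column is carried along: a stable endpoint with a resolved first-party domain is infrastructure noise, a stable one without a domain on an unusual port is the one to block and pivot on.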
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 30e8f9f0d065da376c5f929b00d66d99 |
| SHA1 | 30e1cf6db1af33a5179c7c2bd00ee5f3e1176433 |
| SHA256 | 6f1a126d9dc2045a00e1b20c233ca64d1d86bea7c005f01392d9cd8ad9aa53ce |
| SHA512 | d5c0489bb984bc30ff90fc2455d2cb39b7c202d9f2c615ab2acc8198225b3339e117310f417a5830a363087b63b1c84515a7148ff94b0e5136bd61014ed3ee52 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 23d987f506cc8ef98f8ccd84dad40dfe |
| SHA1 | f2851eb92ad8b8ff7f9e4cddbeb7bd70786793ea |
| SHA256 | 3ff45d37129b1f18e04dfd9085d48816703dc462d88c0c0a30ff49872cf3a984 |
| SHA512 | 8c93407a2cd31eac1a0fb5e1af008d28858a04413a7fe2a4dc684d463cb65e4a7d3d031a50af797fa87d19fd21cbe99ba48cab184e4ebca78cd14e95367cec18 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | ebbce72790ffd338e8fc8e7da024ace8 |
| SHA1 | 2fafdc6eb75f097f2e3706903a6214d0d831fce9 |
| SHA256 | 5bfc9ed9663217a9779d5ada9ff2410c77b70ad55bf424931b5d9303840a4fa7 |
| SHA512 | 21816f7f4c95398b9583377f80445fcb4ffcec28633c9cd125f0223d6a46f85737071528741677a16cc6ad8580009135c639df1f12983dbf5d123265d5945a05 |