Analysis Overview
SHA256
3a84ca08bce61750bcbac1d1d899d96da3ab150d1d03982c0ea84f55a2c819d2
Threat Level: Shows suspicious behavior
The file 3a84ca08bce61750bcbac1d1d899d96da3ab150d1d03982c0ea84f55a2c819d2.bin was found to show suspicious behavior.
Malicious Activity Summary
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-15 00:24
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 00:24
Reported
2024-06-15 00:27
Platform
android-x86-arm-20240611.1-en
Max time kernel
136s
Max time network
140s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.178.10:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 109.120.134.161:8080 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

| Hash | Value |
|---|---|
| MD5 | 350c811c04f8a17d65d24ff8dc9ddab6 |
| SHA1 | 68b473c16db5d0976ed2f9db106abb3edb3bd254 |
| SHA256 | c1fdbaf61209609b6b5d1ac43d9a02512747c5632f2fb773915b920d60c9d131 |
| SHA512 | 34a844abdd348387454dca002b46951400ce83872ad242cf659e34546ed63e106ffebee318f39a572f7b9208fced8bbf6eb46985ba769d6699b54bc8d747ef17 |

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

| Hash | Value |
|---|---|
| MD5 | e3e92561168cacc91135a1fae20ff219 |
| SHA1 | 5e7fe6604a9e548cf39595148c570fc2bdaf0726 |
| SHA256 | 8ea714b5a9ed2a019d84e03417ff17ba340881b84d6467b0437924e37d712338 |
| SHA512 | 737cecc94d1cfbc3a3d205dc64fd2d4bafe875be97c73f58a9974d6e5f7ac91ff35916cf54a0d859e5fac37572fc5eb376c9a6a0680289d5317952a082c7df69 |

/data/data/org.zzzz.aaa/files/profileInstalled

| Hash | Value |
|---|---|
| MD5 | 931eda86af5ee95a365bcc39e1be658f |
| SHA1 | 1fd074781faf126601ba4a76a373d508092b6577 |
| SHA256 | d30c3278f4277cabeff3bca98e3c37c468193af6a9a95d91de880047eefd971e |
| SHA512 | ee4a9506351d243be6135e7af9b76a4885e4f3f1008c0e0defa535d6b79462e619910f1533c0d4bdb8fd753e3ba0ba5609af0539cdfeb55d91dd310eb89c876c |

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

| Hash | Value |
|---|---|
| MD5 | e876d9288f963e005535e6808698dc09 |
| SHA1 | 9bf9a251ab53acbd5143bf33bc39e9964bd162d3 |
| SHA256 | 4379e51b01572c3a2e4091ed5e29acac06355226514dfea85a259b7d4cbd9693 |
| SHA512 | ced8befe9bfddcd51e2610de9ff32924aeffff3c71d74b0b18868ad282ef8b403ab109795e74362788f549783e9741f19b9c4c99b008062fd2470d3a072ace2d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 00:24
Reported
2024-06-15 00:27
Platform
android-x64-20240611.1-en
Max time kernel
136s
Max time network
154s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| RU | 109.120.134.161:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.234:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 172.217.169.46:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 172.217.16.226:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

| Hash | Value |
|---|---|
| MD5 | 350c811c04f8a17d65d24ff8dc9ddab6 |
| SHA1 | 68b473c16db5d0976ed2f9db106abb3edb3bd254 |
| SHA256 | c1fdbaf61209609b6b5d1ac43d9a02512747c5632f2fb773915b920d60c9d131 |
| SHA512 | 34a844abdd348387454dca002b46951400ce83872ad242cf659e34546ed63e106ffebee318f39a572f7b9208fced8bbf6eb46985ba769d6699b54bc8d747ef17 |

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

| Hash | Value |
|---|---|
| MD5 | 3b9efe99bd6f7bd0f1bc95a2c35ac10e |
| SHA1 | 42064411c64030fd96d04a560025d3aa11e6f59e |
| SHA256 | b6b72d27d28015de4c5fa50e75866e303f05df790910203cd5df8cbefce23610 |
| SHA512 | 7f19abd60e98c7a48e08a9db0e643db3b56e9913e1f23091527201dad461ebffde7f38bebd7e166f3489da8ff056bc4ee9bdc33c5e58ad0f3d027707fefb0ceb |

/data/data/org.zzzz.aaa/files/profileInstalled

| Hash | Value |
|---|---|
| MD5 | 6aff557a82a347ab35160afad246cba4 |
| SHA1 | 5a1e4e83915f30b24c10f74f0ecb20e2ed3dd10d |
| SHA256 | f522eb72000da8e7b02b87f1352692ef7552c78e1693dd4adaf0b65fd343f1ab |
| SHA512 | ce604c1847fa380ed443b0c4e1341dba8a9eda2da06755002a3fd22a6361ca96f41e3bc1c076203ef3a28b44d6855917f54631b740ac696d85c1816b7b02b3f5 |

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

| Hash | Value |
|---|---|
| MD5 | c4f01481ff6245ec3661ac2bf22134fe |
| SHA1 | 4a68618a41cf05924be8f0c4f2b1ee9b6562bca2 |
| SHA256 | 6238ddb4262463d1e200808061446fdb4aa96c3f1032203791e9d96d18186d8b |
| SHA512 | 9b74df34a6f410a56009a3417eceb16c26de8cefec8dc33965c14a5c6d731bd3f1f56c7c48023fced03c3cd9635cd0fadaf178e265a914af36561de0f810881a |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 00:24
Reported
2024-06-15 00:27
Platform
android-x64-arm64-20240611.1-en
Max time kernel
136s
Max time network
132s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.10:443 | | tcp |
| GB | 142.250.178.10:443 | | tcp |
| RU | 109.120.134.161:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

| Hash | Value |
|---|---|
| MD5 | 350c811c04f8a17d65d24ff8dc9ddab6 |
| SHA1 | 68b473c16db5d0976ed2f9db106abb3edb3bd254 |
| SHA256 | c1fdbaf61209609b6b5d1ac43d9a02512747c5632f2fb773915b920d60c9d131 |
| SHA512 | 34a844abdd348387454dca002b46951400ce83872ad242cf659e34546ed63e106ffebee318f39a572f7b9208fced8bbf6eb46985ba769d6699b54bc8d747ef17 |

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

| Hash | Value |
|---|---|
| MD5 | 36cc73d77475820cc86004bf6667f2b3 |
| SHA1 | afbb93e3c57bce78485c6a2479b7c9829fbb2a5b |
| SHA256 | 60ff3745cc5c9d4ce4c699607bbc559b9ee4ec4c796cd9bfd71e938234d91174 |
| SHA512 | c69121b2da253d232babed6727cb52a34fa62c75c8cc74ac7b7549fd40f4909b96645c60c129fc13fd971d6687b9785ae5305bec2dd667f7e2ee770ac4630a84 |

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

| Hash | Value |
|---|---|
| MD5 | 7bbf7901e3f06431bc44d34c73c1d26b |
| SHA1 | d2fdfab95204c888b88658b3d55c38461fe7ddf0 |
| SHA256 | a3e7309edaf6bed981fb8015f5d7bfe0c5ef6c5ac51619872ffea30f5f56e2f4 |
| SHA512 | 2aaca9a1e2569bb2898c9eac1f2a6e15fea00e235c7420525f0700d3fc5d687a051d70cd9ab8ceb6ee467d9e733c05153d165617face849915ddd4a9d9737ef3 |