Analysis Overview
SHA256
f70b50fd873fcf6ad84ac9dbb405eae7a905ef0c14917a561504cb07f34a7e96
Threat Level: Shows suspicious behavior
The file f70b50fd873fcf6ad84ac9dbb405eae7a905ef0c14917a561504cb07f34a7e96.bin was classified as: Shows suspicious behavior.
Malicious Activity Summary
Makes use of the framework's Accessibility service
Requests dangerous framework permissions
Declares services with permission to bind to the system
Analysis: static1
Detonation Overview
Reported
2024-06-15 00:31
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 00:31
Reported
2024-06-15 00:35
Platform
android-x86-arm-20240611.1-en
Max time kernel
177s
Max time network
131s
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 172.217.169.74:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 109.120.135.42:8080 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/org.zzzz.aaa/files/profileInstalled
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 00:31
Reported
2024-06-15 00:35
Platform
android-x64-20240611.1-en
Max time kernel
176s
Max time network
131s
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| RU | 109.120.135.42:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 142.250.187.226:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 216.58.204.78:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/org.zzzz.aaa/files/profileInstalled
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 00:31
Reported
2024-06-15 00:35
Platform
android-x64-arm64-20240611.1-en
Max time kernel
177s
Max time network
132s
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 109.120.135.42:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof