Malware Analysis Report

2024-12-07 03:19

Sample ID 241002-1z37rsshpe
Target f824655a2c2dc26cb021bd246abec9d99fe753b5980261c7e24be0f73f264762.bin
SHA256 f824655a2c2dc26cb021bd246abec9d99fe753b5980261c7e24be0f73f264762
Tags: ajina banker collection credential_access evasion infostealer rat trojan

Score: 10/10

Analysis Overview

SHA256

f824655a2c2dc26cb021bd246abec9d99fe753b5980261c7e24be0f73f264762

Threat Level: Known bad

The file f824655a2c2dc26cb021bd246abec9d99fe753b5980261c7e24be0f73f264762.bin was found to be: Known bad.

Malicious Activity Summary

Ajina

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-02 22:06

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-02 22:06

Reported: 2024-10-02 22:09

Platform: android-x86-arm-20240910-en

Max time kernel: 92s

Max time network: 154s

Command Line

org.zzzz.aaa

Signatures

Ajina

Tags: banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
FR | 77.105.166.215:8080 | | tcp
US | 1.1.1.1:53 | www.zoplay.com | udp
US | 172.67.166.102:443 | www.zoplay.com | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/org.zzzz.aaa/cache/image_manager_disk_cache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/org.zzzz.aaa/cache/image_manager_disk_cache/journal

MD5 4fddcf79f41c74090652408caf261ca5
SHA1 91759364e8e7fb63676a061b60466934fd61ae15
SHA256 5fa9fc9d6b559776729fa7deb286432b87dfcebb80739b87e39166df193bbe78
SHA512 e2b59878077ebcdfc1d9c8a686a2c96e2aef08f73977fd4b1fdcccbe3010c313725c30fe8df87c14380d0c8dcd981200b42d406361e7c177fa3937d900581aa3

/data/data/org.zzzz.aaa/cache/image_manager_disk_cache/746c0412cdc0b104efafc74f829fa9fa77f5549b034decd2882460e60cbc768f.0.tmp

MD5 9629d97a50bb1adb24d1b558132b3e20
SHA1 f8e095f7f3b119d350ee7e5888bde15d38c15b2b
SHA256 a2c80460147cdd5d255f405c4968bc96099dd5a4325103035965989590d2bc03
SHA512 2a4160b22e9d93ca00de67ab651cc30e771c05eb7f8b6a1ab5ac539f28c7d6eaa7d30558f3646802f55a1433a820497221cbc2036828a0d54cdb3f5d10c0e705

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 a0291463bc7d124f09c0e226226ebc6c
SHA1 8cc15bafbbee0aaf89411c76137650a6313a8712
SHA256 04ff6955aca4a51b48828c4963f1f3a5f59cca944fe819439e0dddebb187acd9
SHA512 503d625fc93d623d426f98523e11a0b3890963a7a4856c96d48b5cd227d5dee842bba0255cd383d3189138c4cd511703103d2396ffc77ff5b1d135993f6d0617

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 78ac25dab1732d420c78c38049ed7f11
SHA1 5a0afd5bf8bcf6db451adfb403453c3bc0480ad0
SHA256 a0b5f69d8684d27ff24de88384e7c17642a7cb95eebd3aa720609a25b0de90b3
SHA512 5786d86fee1508b8568df9ed25564b8a31dc62abce4f10fa75880afae6f114e157a5406de80deae4eee056a4ede4ca58224752532190f47c4cfcc88aff3297f8

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 b7d6213c68757fbc87dc77f8d03df8c2
SHA1 080d3a92bbc899ff6fc0ff3d79a35b9c4c2b3888
SHA256 0f1c9db731f777a3a2f48842ccae7b3ad21e969be6ce3964c71a70649f29e7e4
SHA512 a93f49802fce3c00c4a8e82cba72d69bef8a0c0c5dba690f059ce2e2ad620cd9456a6299f416eef37d510b3f79555609554f51a10009bc181aa0ea94579876f5

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 e4e79ec6cd60cc2a1f78d0561ee74554
SHA1 667b46f267467cb36603208c77331cb0705255e7
SHA256 54e88975cb8defefac7150560e20d221ebe3e7a72a5687d3954ea5349db41a7b
SHA512 a167920a0f2d081a13d79f01ceacc51dcc013df1733f4740606083f3aea51000b705b984005b0dcca73b14dea65bf753fbc811344baf1aba41e7580f9684f6e7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-02 22:06

Reported: 2024-10-02 22:08

Platform: android-x64-20240910-en

Max time kernel: 108s

Max time network: 151s

Command Line

org.zzzz.aaa

Signatures

Ajina

Tags: banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
FR | 77.105.166.215:8080 | | tcp
US | 1.1.1.1:53 | www.zoplay.com | udp
US | 104.21.16.49:443 | www.zoplay.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/org.zzzz.aaa/cache/image_manager_disk_cache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/org.zzzz.aaa/cache/image_manager_disk_cache/journal

MD5 4fddcf79f41c74090652408caf261ca5
SHA1 91759364e8e7fb63676a061b60466934fd61ae15
SHA256 5fa9fc9d6b559776729fa7deb286432b87dfcebb80739b87e39166df193bbe78
SHA512 e2b59878077ebcdfc1d9c8a686a2c96e2aef08f73977fd4b1fdcccbe3010c313725c30fe8df87c14380d0c8dcd981200b42d406361e7c177fa3937d900581aa3

/data/data/org.zzzz.aaa/cache/image_manager_disk_cache/746c0412cdc0b104efafc74f829fa9fa77f5549b034decd2882460e60cbc768f.0.tmp

MD5 9629d97a50bb1adb24d1b558132b3e20
SHA1 f8e095f7f3b119d350ee7e5888bde15d38c15b2b
SHA256 a2c80460147cdd5d255f405c4968bc96099dd5a4325103035965989590d2bc03
SHA512 2a4160b22e9d93ca00de67ab651cc30e771c05eb7f8b6a1ab5ac539f28c7d6eaa7d30558f3646802f55a1433a820497221cbc2036828a0d54cdb3f5d10c0e705

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 a0291463bc7d124f09c0e226226ebc6c
SHA1 8cc15bafbbee0aaf89411c76137650a6313a8712
SHA256 04ff6955aca4a51b48828c4963f1f3a5f59cca944fe819439e0dddebb187acd9
SHA512 503d625fc93d623d426f98523e11a0b3890963a7a4856c96d48b5cd227d5dee842bba0255cd383d3189138c4cd511703103d2396ffc77ff5b1d135993f6d0617

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 f150bebb45f96eaba17f90e5a7b3cf19
SHA1 db687d1cb428e32d7b7e643968bef0386db53419
SHA256 6bf81e4b2fcc6207cc71656eadbba62e197ee2febda2a14ac38925840b0d6b55
SHA512 133bff3f327021f71df3a3ed356e2b25d60b1c1f54d7c165d84f8292cf2eb7105f70e5952f056cd55ce961b711e385ca4dcef6f74a5636e2245bb1a2555e6ffd

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 8cf8226ff8056bcf3012286a4e305940
SHA1 e32133910f0b229d3da6226979bd8c1f679014e2
SHA256 056f915046fb8db7fb2791397f77193eb62dd94ca87a76a8016d26e9ec80c98c
SHA512 d299741f05e93fc6f0428eb517226619dd4698880978cbc61351d5fd8b112c2fe94d3fed2d950d520645cd7a0ecedf3388beb4d6c4a4137b68d2e7dffa1e0cbf

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 bc2719509feaf64cbd7db0220b245529
SHA1 e67fac0b1eb82c1de7a8c7ce6839f8ae07427e89
SHA256 24816ffa0f033dd889e7b27c7c495a1d73c406d79e7446e749aa4cd728661261
SHA512 ea809e1f43e3ebfe230ad44b3003e554be56600583b3d381b4535cd76aa94bfffb767c47961c1debcd8cb1d74d86eb3db6daa2bb3c8795538eb385ef8007e254

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-02 22:06

Reported: 2024-10-02 22:08

Platform: android-x64-arm64-20240624-en

Max time kernel: 103s

Max time network: 131s

Command Line

org.zzzz.aaa

Signatures

Ajina

Tags: banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | | tcp
GB | 216.58.213.10:443 | | tcp
FR | 77.105.166.215:8080 | | tcp
US | 1.1.1.1:53 | www.zoplay.com | udp
US | 172.67.166.102:443 | www.zoplay.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/org.zzzz.aaa/cache/image_manager_disk_cache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/org.zzzz.aaa/cache/image_manager_disk_cache/journal

MD5 4fddcf79f41c74090652408caf261ca5
SHA1 91759364e8e7fb63676a061b60466934fd61ae15
SHA256 5fa9fc9d6b559776729fa7deb286432b87dfcebb80739b87e39166df193bbe78
SHA512 e2b59878077ebcdfc1d9c8a686a2c96e2aef08f73977fd4b1fdcccbe3010c313725c30fe8df87c14380d0c8dcd981200b42d406361e7c177fa3937d900581aa3

/data/data/org.zzzz.aaa/cache/image_manager_disk_cache/746c0412cdc0b104efafc74f829fa9fa77f5549b034decd2882460e60cbc768f.0.tmp

MD5 9629d97a50bb1adb24d1b558132b3e20
SHA1 f8e095f7f3b119d350ee7e5888bde15d38c15b2b
SHA256 a2c80460147cdd5d255f405c4968bc96099dd5a4325103035965989590d2bc03
SHA512 2a4160b22e9d93ca00de67ab651cc30e771c05eb7f8b6a1ab5ac539f28c7d6eaa7d30558f3646802f55a1433a820497221cbc2036828a0d54cdb3f5d10c0e705

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 a0291463bc7d124f09c0e226226ebc6c
SHA1 8cc15bafbbee0aaf89411c76137650a6313a8712
SHA256 04ff6955aca4a51b48828c4963f1f3a5f59cca944fe819439e0dddebb187acd9
SHA512 503d625fc93d623d426f98523e11a0b3890963a7a4856c96d48b5cd227d5dee842bba0255cd383d3189138c4cd511703103d2396ffc77ff5b1d135993f6d0617

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 f3ed390f47c53a17c357f40986fc2916
SHA1 62cba95d2274997d8343416bd682a7785803f531
SHA256 f5894245dac611ec8866d94426fdc4eba7afe55e069e2cc1cfd4a65db2cfb2d8
SHA512 fa755c5f66a160d2628c5d6be958987571840a5876156e5a522c0a741e63d95f38ae72d1cf199b1215c860d732d51df7a57e03d3de90212be4ee32ab27c40208