Analysis Overview
SHA256
f8240798cc84e86aa0095502314ae89896c3f5e8b473f05f1d994680e65428dd
Threat Level: Known bad
The file f8240798cc84e86aa0095502314ae89896c3f5e8b473f05f1d994680e65428dd.bin was found to be: Known bad.
Malicious Activity Summary
Ajina family
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-03 22:21
Signatures
Ajina family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 22:21
Reported
2024-10-03 22:24
Platform
android-x86-arm-20240910-en
Max time kernel
110s
Max time network
150s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| FI | 5.42.66.38:8080 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 172.217.169.10:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 570f01b618dd59913f636a1cfc14e70f |
| SHA1 | c68ce7f358b3ea0e3341cce228a4bf0ff58e66d1 |
| SHA256 | 8e8dc3cfa573bb3dde6f5b4aeab61056085f0f889465a59251bd3e3a99710574 |
| SHA512 | 29bec398b450f4fbd17cdbb21a8b493e38f3276c07234c6ceb90d614a99c9c95b1424d94b5fd2e8747c4782338e5338835ca239727013471b9ce9ec099fd36c1 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
|---|---|
| MD5 | 0e6c907bc69d885841f92b913672498f |
| SHA1 | e4548a9bbce9b2322030aef7cef463dabc0ca68b |
| SHA256 | b01ed339ebcfe7962ed2ccb298e4ce80e118aabb40d7f8bd1816a41f6068da41 |
| SHA512 | 1eb3671d751c2fbde0b36fe3c0b32adeb2538effa06e0a4af136b44f27a6b00586291fa6800dd5dca2b22f7bd5b8a9775b427d2b2b976109de19ebd5d926bcc1 |
/data/data/org.zzzz.aaa/files/profileInstalled
| Hash | Value |
|---|---|
| MD5 | b8d07d248a28aa821efc093f4743b96b |
| SHA1 | bfe89548bfecfdd7f70bdc6d8d289566bf6db259 |
| SHA256 | 5a67cca75c05deb9afffab3503404ca48751e8fe4a95fedabf342c0f1b93d55b |
| SHA512 | 1bd635ecd7e372f7abad5ca120efc4fbace9ab90be10eebf4e19bd545e517d2e08049964459cd1bf8bdd652eb0500f82a36d860b5441614d51a12c7200d20b38 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 9366b632a9b857781a9bdadd83970b10 |
| SHA1 | f9ea6e14cfddf93fdaf59905d157e9eeacfad674 |
| SHA256 | 29e788d5456b98aae04b84f7716097c392af8ba1d28b5010a6c283cfe55c221e |
| SHA512 | e86f3249f4c6d0d3bfcdabe4999b49c6ab9f8d38928add504ae986eac3548550fe3b076e0fbb7170b362bbdc998d442c2b99d1ae7733b11dacd23b8008445a7c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 22:21
Reported
2024-10-03 22:24
Platform
android-x64-20240624-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| FI | 5.42.66.38:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.179.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 216.58.201.98:443 | | tcp |
| GB | 172.217.169.46:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 570f01b618dd59913f636a1cfc14e70f |
| SHA1 | c68ce7f358b3ea0e3341cce228a4bf0ff58e66d1 |
| SHA256 | 8e8dc3cfa573bb3dde6f5b4aeab61056085f0f889465a59251bd3e3a99710574 |
| SHA512 | 29bec398b450f4fbd17cdbb21a8b493e38f3276c07234c6ceb90d614a99c9c95b1424d94b5fd2e8747c4782338e5338835ca239727013471b9ce9ec099fd36c1 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
|---|---|
| MD5 | 6eeb1093b177b5cc1b40d4360a293668 |
| SHA1 | 8c6b714b433ecb04c9b4d42b29cac62330351567 |
| SHA256 | 9fa17644800af4f33d24c74ae289d45ba793a696946e2bac662457f00db4cc49 |
| SHA512 | fb8c7ea63c545d02239628f5bdd86ad0f306f7c3a12b4a7c95f3bae9d20a9c8032d3e0c08d601410c37ee3312d694f90c9f415ade60b7e8b2dac63b9eec18553 |
/data/data/org.zzzz.aaa/files/profileInstalled
| Hash | Value |
|---|---|
| MD5 | f8f2fd2a7791379691017da099036a4a |
| SHA1 | b9e19500711aecd5836f529349295fdeb0eb683e |
| SHA256 | 583af6841560d5c9b5f184d8ab080589f6a9cd1961a9fd78210811d0a0ab48c4 |
| SHA512 | 67dfb0d9609f8e3b3c04adf104b254250f711411e4cf4aa8b68612bfd06c44ecb932fad882aae41a5b444647bc36016975ecea310fe34d53c10108daac55c210 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 1964682134d852d7901cd141e03188e5 |
| SHA1 | b96e870ddf1e0401909cc9070d2608cf656f3432 |
| SHA256 | 55b68a70c27ea7742c6e1522041750ff5de43cd91cece240a7783490107f0978 |
| SHA512 | 989553333b724f8f11c2c4c6134544a68a4c98caa161082286000c5a2b5774034c9e0ee8b561f86e3ef84e98def2011ac767b605cffa0ba9d53f8240d0cdc0ca |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-03 22:21
Reported
2024-10-03 22:23
Platform
android-x64-arm64-20240910-en
Max time kernel
99s
Max time network
150s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| US | 216.239.32.223:443 | | tcp |
| FI | 5.42.66.38:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.193:443 | | tcp |
| GB | 142.250.187.225:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 570f01b618dd59913f636a1cfc14e70f |
| SHA1 | c68ce7f358b3ea0e3341cce228a4bf0ff58e66d1 |
| SHA256 | 8e8dc3cfa573bb3dde6f5b4aeab61056085f0f889465a59251bd3e3a99710574 |
| SHA512 | 29bec398b450f4fbd17cdbb21a8b493e38f3276c07234c6ceb90d614a99c9c95b1424d94b5fd2e8747c4782338e5338835ca239727013471b9ce9ec099fd36c1 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
|---|---|
| MD5 | cb8b605304e9e90d3d83fb9ad60592ba |
| SHA1 | 04bb162aa9a319a9f70527c10837a838fe2b62d1 |
| SHA256 | 62f9665565bfd6ac85669b72e94f0b49f2416d068aac0a69b7829eb10d7fac9a |
| SHA512 | e9d496a20aed6e437729cab5a3ba34107d2612a8895153d5c1c3982686fa47ddb7a51b2caa1c88f1c7242be4da9862022e4f62e06497bc23556744be3568dec5 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 096ce2027f4abd8c19ab4533201beeca |
| SHA1 | 0b5e88fba1fcc332bfeffaab9ab92083ec8c0be5 |
| SHA256 | efa7f4fff8b2167de2d11965ebbf3c3524742962165753024f91b44383001dcf |
| SHA512 | 83efbd516896b2a171adad137ca26f011821121690fc230b7eafbfc958c9ebe209dae438da28539d4efbdddb0899e62a884abcc3520e37b2217c2a51523554aa |