Malware Analysis Report

2024-12-07 03:19

Sample ID: 241003-19nj3atbqh
Target: f8240798cc84e86aa0095502314ae89896c3f5e8b473f05f1d994680e65428dd.bin
SHA256: f8240798cc84e86aa0095502314ae89896c3f5e8b473f05f1d994680e65428dd
Tags: ajina collection credential_access evasion
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: f8240798cc84e86aa0095502314ae89896c3f5e8b473f05f1d994680e65428dd

Threat Level: Known bad

The file f8240798cc84e86aa0095502314ae89896c3f5e8b473f05f1d994680e65428dd.bin was found to be: Known bad.

Malicious Activity Summary

ajina collection credential_access evasion

Ajina family

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Analysis: static1

Detonation Overview

Reported: 2024-10-03 22:21

Signatures

Ajina family

ajina

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-03 22:21
Reported: 2024-10-03 22:24
Platform: android-x86-arm-20240910-en
Max time kernel: 110s
Max time network: 150s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |

Processes

org.zzzz.aaa

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| FI | 5.42.66.38:8080 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 172.217.169.10:443 | | tcp |

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-03 22:21
Reported: 2024-10-03 22:24
Platform: android-x64-20240624-en
Max time kernel: 143s
Max time network: 154s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |

Processes

org.zzzz.aaa

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| FI | 5.42.66.38:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.179.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 216.58.201.98:443 | | tcp |
| GB | 172.217.169.46:443 | | tcp |

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-03 22:21
Reported: 2024-10-03 22:23
Platform: android-x64-arm64-20240910-en
Max time kernel: 99s
Max time network: 150s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |

Processes

org.zzzz.aaa

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| US | 216.239.32.223:443 | | tcp |
| FI | 5.42.66.38:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.193:443 | | tcp |
| GB | 142.250.187.225:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof