Malware Analysis Report

2024-12-07 03:19

Sample ID 241005-11kf2sthnm
Target 9ad84e0064d9b478c23ac530fb1d182c02525b99f6c41ca52bddd4bb704661f4.bin
SHA256 9ad84e0064d9b478c23ac530fb1d182c02525b99f6c41ca52bddd4bb704661f4
Tags
ajina banker collection credential_access evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

9ad84e0064d9b478c23ac530fb1d182c02525b99f6c41ca52bddd4bb704661f4

Threat Level: Known bad

The file 9ad84e0064d9b478c23ac530fb1d182c02525b99f6c41ca52bddd4bb704661f4.bin was found to be: Known bad.

Malicious Activity Summary

ajina banker collection credential_access evasion infostealer rat trojan

Ajina family

Ajina

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 22:06

Signatures

Ajina family

ajina

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 22:06

Reported

2024-10-05 22:09

Platform

android-x86-arm-20240624-en

Max time kernel

116s

Max time network

143s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
SE | 5.42.75.200:8080 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 9bf7e2169b64fcfb6247e9713dc14b15
SHA1 f7bb6ff94246db17a264fbde7a96d70eba885dd9
SHA256 fed76045c99550d64f0237d82228f5d564e1a50f629215fb5d41de6e44c1a15c
SHA512 d8213f8a94e784f42bdd571c2ef9a4e7fee02cf0628f0e1fac85f44275e24cac10a375059512cbf2bcac5fc8dd65dbc4956f41f274f62f2ff437010208b90865

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 5b5305f0379616d965431ba09bef0ca6
SHA1 92c5b1b8f7f95572a17e789919e6fa4ddf1bf644
SHA256 c9ad493fe46da6c4cc92efaadf24aa5af231c0cba41b1d5f70c794aa4b72b7e0
SHA512 61022530686ec588f84135349dff0b109b016a207c36f0e5e5b8e72cb7c826a3c8ef28b5b656cf4592623f202e951ca0a855469eef3c71c9eb2cc5d41ed8badd

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 0119ed8ed3796da9c833d3551ae5ceae
SHA1 0951b2131ca3bf2c0bbdd5e102bddb7b8598bf50
SHA256 b3d5082eca166ce4e4ced7ea3cffe077f86f21d55ea6301fe94795780c47dbf2
SHA512 59cb6dfc11e069d1282bf1931c40f5646a98bbfc9b2697f9a3d2847d77c37419546f8553d0b90b3944520330735d2307190ec35f8d69ea36d2129335fd2b7b73

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 11a20f8a0472f542a37c3267c27e65a4
SHA1 c3bda3b0673b50bd0c981d1125ea15e2161dadb7
SHA256 d94740bc3b99c8ad0f1984c4acdb59f023991b0b2478709a98f5fc34b1328886
SHA512 b8f223c64197f8fa261bdc05ec97d1cbf4c54a0cc9157e686d9ed546f0d6dfb0e3e1d1a6ec8b60f27dfc569fa009af693c9edd6b9f91564c019974cf25506768

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 22:06

Reported

2024-10-05 22:09

Platform

android-x64-20240624-en

Max time kernel

117s

Max time network

146s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
SE | 5.42.75.200:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 216.58.213.10:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 9bf7e2169b64fcfb6247e9713dc14b15
SHA1 f7bb6ff94246db17a264fbde7a96d70eba885dd9
SHA256 fed76045c99550d64f0237d82228f5d564e1a50f629215fb5d41de6e44c1a15c
SHA512 d8213f8a94e784f42bdd571c2ef9a4e7fee02cf0628f0e1fac85f44275e24cac10a375059512cbf2bcac5fc8dd65dbc4956f41f274f62f2ff437010208b90865

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 389fa807e1b54e0706bd4780eed494b2
SHA1 e6dcf9d20aaf6a6bea15d4e3d0a4f4b0b3fca674
SHA256 e1f56efcffb68bf0e3a97f45b5326484d308fe42c79166b97f7e6daca79ddfba
SHA512 c3b7be94fb4c87443ca5be20fb713148211ec56ad118bd9e38a71ba878f7df20da971b1dda1ecf576290802d1472fe489df706ef5029c2d6ba946236188f2a94

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 8e3f133b6a7241fc8348c8a77010e59d
SHA1 49fcfe4384f01d4c60bf2d83c7813fc0b9034655
SHA256 5a5e6bcbce3d0f34d598228856ba39f9e1b640cc22d016a3cc2a8bf17e9bec4d
SHA512 334bf30f0441b92b2801d984b51307c3fda37be40887ddcda80be56e5c945d2e104d2d0866a8ed26cea731501fa336bdfff18ada7f55b8cac5b88a24d34941b2

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 c27e7019a8eb8b4b190ee3e8b950316d
SHA1 d34eb2c4ea1a4c6141d4165239271af159cd69e7
SHA256 4a777c8b75d03fd4c30eb7e99277fa6c678fad8b4d62c9ed768db1a8aa602e5b
SHA512 c890876d93dd813d03486003b24f63f794be14ce8e71ef26064dad46557740023f82c8389cf0bcbcc59c68d335204b8868a2499802fabf54e812418346464daf

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-05 22:06

Reported

2024-10-05 22:09

Platform

android-x64-arm64-20240910-en

Max time kernel

119s

Max time network

151s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.178.14:443 | www.youtube.com | tcp
GB | 172.217.16.238:443 | www.youtube.com | udp
GB | 172.217.16.238:443 | www.youtube.com | tcp
GB | 142.250.178.14:443 | www.youtube.com | tcp
US | 216.239.38.223:443 | | tcp
SE | 5.42.75.200:8080 | | tcp
US | 216.239.38.223:443 | | tcp
GB | 142.250.200.14:443 | www.youtube.com | tcp
GB | 172.217.169.33:443 | | tcp
GB | 216.58.201.97:443 | | tcp
US | 216.239.38.223:443 | | tcp
US | 216.239.38.223:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 9bf7e2169b64fcfb6247e9713dc14b15
SHA1 f7bb6ff94246db17a264fbde7a96d70eba885dd9
SHA256 fed76045c99550d64f0237d82228f5d564e1a50f629215fb5d41de6e44c1a15c
SHA512 d8213f8a94e784f42bdd571c2ef9a4e7fee02cf0628f0e1fac85f44275e24cac10a375059512cbf2bcac5fc8dd65dbc4956f41f274f62f2ff437010208b90865

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 1d1f5add9440cc361a67914abc0ee3c6
SHA1 4d04e7655ac747e0ef378790a2d92e69edfab774
SHA256 3f7b8f3b5f25e2a1623b532c91b475a1c4d22d35ec54c94519fb7a339bda5606
SHA512 6a8bbca993787ee3224fddb7f75b4efb1ea81cd5e759dd029d2ea58ec23cd692038883ff246aba0da9b9908da124ea5374bfb3750f995b7ada2a3f015f05e637

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 1a6d4da42d247ad20fc31945231a02c9
SHA1 8bc892b763355377a01238ec94abbbdde3f09a39
SHA256 f42d531a33185f70739dacdab401657f806b463dc68e7a68300feed254c92765
SHA512 5872152d5e0c249e64c9a60b665ab9957c4d0a03926f592b89c0ceef2cfa0e2959d28384b594611582b2870e2ec07de3bdbc06b24e4ee70efb31ddc26bd3336d