Analysis Overview
SHA256: 9ad84e0064d9b478c23ac530fb1d182c02525b99f6c41ca52bddd4bb704661f4
Threat Level: Known bad
The file 9ad84e0064d9b478c23ac530fb1d182c02525b99f6c41ca52bddd4bb704661f4.bin was found to be: Known bad.
Malicious Activity Summary
Ajina family
Ajina
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK: Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-05 22:06
Signatures
Ajina family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-05 22:06
Reported: 2024-10-05 22:09
Platform: android-x86-arm-20240624-en
Max time kernel: 116s
Max time network: 143s
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.74:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| SE | 5.42.75.200:8080 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 9bf7e2169b64fcfb6247e9713dc14b15 |
| SHA1 | f7bb6ff94246db17a264fbde7a96d70eba885dd9 |
| SHA256 | fed76045c99550d64f0237d82228f5d564e1a50f629215fb5d41de6e44c1a15c |
| SHA512 | d8213f8a94e784f42bdd571c2ef9a4e7fee02cf0628f0e1fac85f44275e24cac10a375059512cbf2bcac5fc8dd65dbc4956f41f274f62f2ff437010208b90865 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
|---|---|
| MD5 | 5b5305f0379616d965431ba09bef0ca6 |
| SHA1 | 92c5b1b8f7f95572a17e789919e6fa4ddf1bf644 |
| SHA256 | c9ad493fe46da6c4cc92efaadf24aa5af231c0cba41b1d5f70c794aa4b72b7e0 |
| SHA512 | 61022530686ec588f84135349dff0b109b016a207c36f0e5e5b8e72cb7c826a3c8ef28b5b656cf4592623f202e951ca0a855469eef3c71c9eb2cc5d41ed8badd |
/data/data/org.zzzz.aaa/files/profileInstalled
| Hash | Value |
|---|---|
| MD5 | 0119ed8ed3796da9c833d3551ae5ceae |
| SHA1 | 0951b2131ca3bf2c0bbdd5e102bddb7b8598bf50 |
| SHA256 | b3d5082eca166ce4e4ced7ea3cffe077f86f21d55ea6301fe94795780c47dbf2 |
| SHA512 | 59cb6dfc11e069d1282bf1931c40f5646a98bbfc9b2697f9a3d2847d77c37419546f8553d0b90b3944520330735d2307190ec35f8d69ea36d2129335fd2b7b73 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 11a20f8a0472f542a37c3267c27e65a4 |
| SHA1 | c3bda3b0673b50bd0c981d1125ea15e2161dadb7 |
| SHA256 | d94740bc3b99c8ad0f1984c4acdb59f023991b0b2478709a98f5fc34b1328886 |
| SHA512 | b8f223c64197f8fa261bdc05ec97d1cbf4c54a0cc9157e686d9ed546f0d6dfb0e3e1d1a6ec8b60f27dfc569fa009af693c9edd6b9f91564c019974cf25506768 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-05 22:06
Reported: 2024-10-05 22:09
Platform: android-x64-20240624-en
Max time kernel: 117s
Max time network: 146s
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| SE | 5.42.75.200:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.213.14:443 | android.apis.google.com | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 216.58.213.10:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 9bf7e2169b64fcfb6247e9713dc14b15 |
| SHA1 | f7bb6ff94246db17a264fbde7a96d70eba885dd9 |
| SHA256 | fed76045c99550d64f0237d82228f5d564e1a50f629215fb5d41de6e44c1a15c |
| SHA512 | d8213f8a94e784f42bdd571c2ef9a4e7fee02cf0628f0e1fac85f44275e24cac10a375059512cbf2bcac5fc8dd65dbc4956f41f274f62f2ff437010208b90865 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
|---|---|
| MD5 | 389fa807e1b54e0706bd4780eed494b2 |
| SHA1 | e6dcf9d20aaf6a6bea15d4e3d0a4f4b0b3fca674 |
| SHA256 | e1f56efcffb68bf0e3a97f45b5326484d308fe42c79166b97f7e6daca79ddfba |
| SHA512 | c3b7be94fb4c87443ca5be20fb713148211ec56ad118bd9e38a71ba878f7df20da971b1dda1ecf576290802d1472fe489df706ef5029c2d6ba946236188f2a94 |
/data/data/org.zzzz.aaa/files/profileInstalled
| Hash | Value |
|---|---|
| MD5 | 8e3f133b6a7241fc8348c8a77010e59d |
| SHA1 | 49fcfe4384f01d4c60bf2d83c7813fc0b9034655 |
| SHA256 | 5a5e6bcbce3d0f34d598228856ba39f9e1b640cc22d016a3cc2a8bf17e9bec4d |
| SHA512 | 334bf30f0441b92b2801d984b51307c3fda37be40887ddcda80be56e5c945d2e104d2d0866a8ed26cea731501fa336bdfff18ada7f55b8cac5b88a24d34941b2 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | c27e7019a8eb8b4b190ee3e8b950316d |
| SHA1 | d34eb2c4ea1a4c6141d4165239271af159cd69e7 |
| SHA256 | 4a777c8b75d03fd4c30eb7e99277fa6c678fad8b4d62c9ed768db1a8aa602e5b |
| SHA512 | c890876d93dd813d03486003b24f63f794be14ce8e71ef26064dad46557740023f82c8389cf0bcbcc59c68d335204b8868a2499802fabf54e812418346464daf |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-10-05 22:06
Reported: 2024-10-05 22:09
Platform: android-x64-arm64-20240910-en
Max time kernel: 119s
Max time network: 151s
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| GB | 172.217.16.238:443 | www.youtube.com | udp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| US | 216.239.38.223:443 | | tcp |
| SE | 5.42.75.200:8080 | | tcp |
| US | 216.239.38.223:443 | | tcp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| GB | 172.217.169.33:443 | | tcp |
| GB | 216.58.201.97:443 | | tcp |
| US | 216.239.38.223:443 | | tcp |
| US | 216.239.38.223:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 9bf7e2169b64fcfb6247e9713dc14b15 |
| SHA1 | f7bb6ff94246db17a264fbde7a96d70eba885dd9 |
| SHA256 | fed76045c99550d64f0237d82228f5d564e1a50f629215fb5d41de6e44c1a15c |
| SHA512 | d8213f8a94e784f42bdd571c2ef9a4e7fee02cf0628f0e1fac85f44275e24cac10a375059512cbf2bcac5fc8dd65dbc4956f41f274f62f2ff437010208b90865 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
|---|---|
| MD5 | 1d1f5add9440cc361a67914abc0ee3c6 |
| SHA1 | 4d04e7655ac747e0ef378790a2d92e69edfab774 |
| SHA256 | 3f7b8f3b5f25e2a1623b532c91b475a1c4d22d35ec54c94519fb7a339bda5606 |
| SHA512 | 6a8bbca993787ee3224fddb7f75b4efb1ea81cd5e759dd029d2ea58ec23cd692038883ff246aba0da9b9908da124ea5374bfb3750f995b7ada2a3f015f05e637 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| Hash | Value |
|---|---|
| MD5 | 1a6d4da42d247ad20fc31945231a02c9 |
| SHA1 | 8bc892b763355377a01238ec94abbbdde3f09a39 |
| SHA256 | f42d531a33185f70739dacdab401657f806b463dc68e7a68300feed254c92765 |
| SHA512 | 5872152d5e0c249e64c9a60b665ab9957c4d0a03926f592b89c0ceef2cfa0e2959d28384b594611582b2870e2ec07de3bdbc06b24e4ee70efb31ddc26bd3336d |