Malware Analysis Report

2024-12-07 03:19

Sample ID 241012-1yh57stdrg
Target 59a60aa90fbc7fb8dd6b4f2b9b60c6c70fd57cda68c584d045813d2e6b1414a1.bin
SHA256 59a60aa90fbc7fb8dd6b4f2b9b60c6c70fd57cda68c584d045813d2e6b1414a1
Tags
ajina banker collection credential_access evasion infostealer rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

59a60aa90fbc7fb8dd6b4f2b9b60c6c70fd57cda68c584d045813d2e6b1414a1

Threat Level: Known bad

The file 59a60aa90fbc7fb8dd6b4f2b9b60c6c70fd57cda68c584d045813d2e6b1414a1.bin was found to be: Known bad.

Malicious Activity Summary

ajina banker collection credential_access evasion infostealer rat trojan

Ajina family

Ajina

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Analysis: static1

Detonation Overview

Reported

2024-10-12 22:03

Signatures

Ajina family

ajina

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 22:03

Reported

2024-10-12 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

131s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
SE | 77.221.136.21:8080 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 823d51b198f663453291d3f30bc4b175
SHA1 1eff274dd30ca18597c375f38edc50b8cb4bc5c6
SHA256 3688c05b04398eb3316a32163868f4070d7cfff641a2563372b58062dea8cd70
SHA512 838edc238acf051d97f40d3311aba017c00e4693ab8b1cea5c89c932b19204e53184b44b4ac8a2f00410a3070e27121079ac7ec897af2b8fdabf452b1639b804

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 5dc8c4215216b962589d3f007ca3f658
SHA1 aa9411709bd3450be130e0bd08b717d480db317c
SHA256 57de2250df20c0205517730fd018212181bc0a644bfad9220f93f093a7021d62
SHA512 ff903fdd20211841fb80019d6917d225cc9e6066482103cd332155e17338d06e5740bf9180e3141820e3b81517ee19b2b95b093835dedf02475e52696a737762

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 2670fc4947b7a7ec2119891b3864d84c
SHA1 f27f7dc9c9c6d4c55a5cd580b2138f15d763cb28
SHA256 a52b7ff7a49d6621850c43504c8773903cf8308d7f7ab797d6970f591bdd3610
SHA512 7d7f1fa8c386124afe2f33b1872b414c0fdaee5b6815040fc6d23f6f4b20e7e3b51632f8cb7e143cee160b1c3c4742b4445766cdf8582f5877800d570ebba5bf

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 6adbff2138750f656628ed05b6154702
SHA1 9fab6fa174bfafd70d642acd280a08d6762988dd
SHA256 0dd9b76c63450913dc75bf30b8071e711fcbd4a0ac6d85f7e74bb66a7fbcd266
SHA512 da0770983a29a1bee621aa526d096d067a925aba6dcaad7ccfe1db0e6b59d4cd60b1168788f331eff77a761989c85bdf38bc3799697d8faa34bb6c1832126d45

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 22:03

Reported

2024-10-12 22:06

Platform

android-x64-20240910-en

Max time kernel

97s

Max time network

150s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.234:443 | | tcp
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
SE | 77.221.136.21:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 823d51b198f663453291d3f30bc4b175
SHA1 1eff274dd30ca18597c375f38edc50b8cb4bc5c6
SHA256 3688c05b04398eb3316a32163868f4070d7cfff641a2563372b58062dea8cd70
SHA512 838edc238acf051d97f40d3311aba017c00e4693ab8b1cea5c89c932b19204e53184b44b4ac8a2f00410a3070e27121079ac7ec897af2b8fdabf452b1639b804

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 df3e7c0e6d7c6a25f4ef60badd62b914
SHA1 7a24404ecf49fb8c224c85fcb27008cfd1cf052f
SHA256 048e0e846599edd4225fb091d725f3d58c8ae904cbb840c9672483813fad5bb5
SHA512 a4397645432a5f3a25ea4781ad945af0cef11a45ae40bc602f782e1dc65c9da3f2776fff2404946e6325d86dc371d00367ea10c5b972098dc4da56d269139ee0

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 bd9026be937c73011e4d42b1d930c682
SHA1 e38b2f222f1546687d70afe3ba00c04db7986a34
SHA256 ecdbc1fdad24ae19302172ff7828f24baffd6f286048bb60cf548b1c7251509d
SHA512 b4895ed93158e9674ce98d71de54db6eeeb8e9c055d18302e5a1bde3d5781a990455b20320e149284acb0dcc35dfcc3d98a5cbef15c2156e0c4d0b21846347e4

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 95dcfe6457b51757d03572b62e02f9fa
SHA1 5732f066a7ec78b01021e7156f423149e7bea199
SHA256 4f6d3206e27bf2c27038889948cb918f570d434545e91692b6f8d475015986a1
SHA512 d4e908531d721ad4ae3eff0b58dd620df90464c1d51e3164c084eaf462a1684a333cd867cf358319f4141596a67bdaadb739b39cb5320b21c87797b2033af4e9

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-12 22:03

Reported

2024-10-12 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

147s

Max time network

132s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
SE | 77.221.136.21:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 823d51b198f663453291d3f30bc4b175
SHA1 1eff274dd30ca18597c375f38edc50b8cb4bc5c6
SHA256 3688c05b04398eb3316a32163868f4070d7cfff641a2563372b58062dea8cd70
SHA512 838edc238acf051d97f40d3311aba017c00e4693ab8b1cea5c89c932b19204e53184b44b4ac8a2f00410a3070e27121079ac7ec897af2b8fdabf452b1639b804

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 4fe9fbc920c67714664d412077cd881d
SHA1 1d9404c0e601f74ef92478d742a63fea85532231
SHA256 7eafec6f586c8d827c4bbd7ac9bd4aa2b7e58ef3c94bb756c518cc62f93941ef
SHA512 cbdfd5669a76f5120df71e3520e42b08c7e4d6d1058d4235b23e17a57dc5b6f4efa9002dad0c0a40809873252afa81db65f98081dd00978dedba49d39bbdbe98

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 f7f207887b3f55f2bf58dc56bebe8c8c
SHA1 f66571026da82b146f5efa2ed5520ba25ec53242
SHA256 b21cf48e2df1de0d3420167ee523d3ceac8f0612d045fa8fd726c56f7d7a6d2b
SHA512 da40fda0842c4b98e61967cbeaaf6d6e2fd5a64bf9dde6906049d229a1b440afdb72f020a2753043932139513bcea1ce83a80f54cbade94ba5dea38a265b124f