Analysis Overview
SHA256
c1b4d4e3543dea727bc4c39f3b4de3f504e0aba64a7520a4173bf39671abf022
Threat Level: Known bad
The file c1b4d4e3543dea727bc4c39f3b4de3f504e0aba64a7520a4173bf39671abf022.bin was found to be: Known bad.
Malicious Activity Summary
Ajina family
Ajina
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 22:09
Signatures
Ajina family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Must be declared on an AccessibilityService so that only the system can bind to it; once the user enables such a service it receives accessibility events and can read on-screen content and perform actions on the user's behalf. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
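A static check an analyst would run over the decoded manifest before detonation, as an added example (not part of this report or of the sample): it lists which of the dangerous permissions from the table above are requested and flags any `<service>` guarded by `android.permission.BIND_ACCESSIBILITY_SERVICE`, which is the combination the two static signatures describe. The manifest below is constructed to mirror the static1 indicators; the package name comes from the Processes section, while the service class name `.A11yService` is a placeholder.

```python
"""Static triage of a decoded AndroidManifest.xml (as produced by apktool or
androguard). Added example; the manifest is constructed, not extracted from the sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions listed in the report under "Requests dangerous framework permissions".
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS",
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest. ".A11yService" is a placeholder class name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.zzzz.aaa">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".A11yService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def attr(elem, name):
    """Read a namespaced android:<name> attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return the package name, the dangerous permissions requested, the services
    that only the system may bind to as accessibility services, and a combined
    verdict: accessibility service plus SMS/telephony permissions is the pattern
    the report's static signatures describe."""
    root = ET.fromstring(xml_text)
    requested = {attr(p, "name") for p in root.iter("uses-permission")}
    a11y_services = [
        attr(s, "name") for s in root.iter("service")
        if attr(s, "permission") == BIND_A11Y
    ]
    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "accessibility_services": a11y_services,
        "suspicious": bool(a11y_services) and bool(requested & DANGEROUS),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a real manifest with `triage_manifest(open("AndroidManifest.xml").read())`. A hit on `suspicious` is a reason to inspect the service class, not proof of malice: legitimate accessibility and banking apps declare the same service shape, so the verdict should be read together with the behavioral signatures below.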
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 22:09
Reported
2024-10-17 22:12
Platform
android-x86-arm-20240910-en
Max time kernel
122s
Max time network
151s
Command Line
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 109.120.135.42:8080 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| GB | 172.217.16.228:80 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 142.250.200.35:80 | | tcp |
| GB | 216.58.212.234:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 46f274ffc44d0212ffe642dc85e65994 |
| SHA1 | 5596be6621434077849abcdafd4170e4b536c8eb |
| SHA256 | 84f04ac3ef2fe1ad9a86ac62141cec3a2df1b37b734fba2277eb4d5f27e157ab |
| SHA512 | 0bf88289e269d1a421764804c100b5efb36b2cd959f47c9291d9881e5cc856ba81b92fa94e44a105c9d1c55e4fbf6f7a6482274a23fe5f0cc0f7f5c4e5a217fa |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 7fc453b0f1648d62b5ca65408c5fd600 |
| SHA1 | b172745fef3557f359d1edc648ba99311a9ba6cf |
| SHA256 | 66c6a1a4e4bd869d8b523d66fb510e436bd108eca73ffd1a092fe832bf1dad39 |
| SHA512 | 9224e8f692b8094bb7dc35b7058624c810921433875c1380eb01a097ebd3b81404d9926e3c638cb09a88e2ae491b41f1ce32a65d7e742cb4f348d59382fb1f4d |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | e58f86ef896a6206e05547b65fe66031 |
| SHA1 | 57fe84f00207fd118a171f01e8d5c2db9eef00bc |
| SHA256 | 3f480c00d2dd3a0c885105a5a6bfea54f6ea8678a2d79919874dd4dcd3ad8a2f |
| SHA512 | 8654333039a6bf781a56499979c761b991dffa31a8725271a7f8c08796923e2f95ebcf5e28c08285ec034e7ab6ed55c11ab81209d590ac3fb285123f6b8220ef |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 2aa60792574f6309e7aeb368d13514fa |
| SHA1 | 3a91e3c93b620fc6f6d49cfc9dfd566a4317ffc3 |
| SHA256 | 83ae704d2eeae930b36690ba3732fa235b7db16499c4839d0b05441576769999 |
| SHA512 | 77040ffa8088d87f6f7b58adf0fc2d9d12428be6545795e05b081c4d490aa97dfdfed101a0d3725442fecddbbe5b90df72eabf932186ceec4c78261562eef0b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-17 22:09
Reported
2024-10-17 22:12
Platform
android-x64-20240910-en
Max time kernel
121s
Max time network
151s
Command Line
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.10:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 216.58.212.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 109.120.135.42:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 46f274ffc44d0212ffe642dc85e65994 |
| SHA1 | 5596be6621434077849abcdafd4170e4b536c8eb |
| SHA256 | 84f04ac3ef2fe1ad9a86ac62141cec3a2df1b37b734fba2277eb4d5f27e157ab |
| SHA512 | 0bf88289e269d1a421764804c100b5efb36b2cd959f47c9291d9881e5cc856ba81b92fa94e44a105c9d1c55e4fbf6f7a6482274a23fe5f0cc0f7f5c4e5a217fa |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | e13db8f88647b31c4f29498555fe5e23 |
| SHA1 | 7eb6f1378966a3286e305a6ccbbe4c0aeac67871 |
| SHA256 | 1b6493aed43d601f8ab483f667f37e20272b82fed612e4701ae70ed8c5ddf187 |
| SHA512 | 6e3515f0651ed2b62258f54c7ded32bc9f17cee57bec7b8b91bd02ab238ff529603d06ff27a78e70b7792b246ed4fe62b725b23766d78f0a2c1651037ce68d51 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | 94152002d6fb47a5b729dd1b65a3e81e |
| SHA1 | 041b7f054870c1432891c56f868653a74119612b |
| SHA256 | b526464a15c1f541a97a9d133798a90b62709f107b90adaf8af70c9d31b7ddf0 |
| SHA512 | da456b685c57845c6bd7ca7e2ae725dd2592b618835f07beaabafde1abd60dbee64c3177ccdc2f0a83bf5267fe2f3e3d32aca466f17c560cfc2cc0f4160389f5 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 45e48f8b83e8ced7dd22121624916d34 |
| SHA1 | aa2b09c8389a681396f66a2a6ce7a31a97d7a490 |
| SHA256 | 5476e12b7899528abf634e96059590d7b0e49e3ace04b6b201973ba3f52252fc |
| SHA512 | d2ce24ac8a417764e048422ef2d460620a787bd1b4211ed7c490d59f9bd223600d998117d6615101f2c74ab17e54f013d4ecfcc54ac009352b82e0b7a162ae79 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-17 22:09
Reported
2024-10-17 22:12
Platform
android-x64-arm64-20240910-en
Max time kernel
132s
Max time network
150s
Command Line
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 142.250.187.238:443 | www.youtube.com | udp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 216.239.32.223:443 | | tcp |
| GB | 109.120.135.42:8080 | | tcp |
| GB | 142.250.187.193:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |
| GB | 216.58.204.65:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |
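The three behavioral runs above each produce a different set of Google front-end addresses, so reading any single network table in isolation gives little. The analyst's check, as an added example (not part of this report), is to intersect the runs: a destination that recurs in every detonation, was never reached through a DNS resolution the sandbox recorded, and is not emulator baseline traffic is the candidate worth pivoting on. The rows are transcribed from the behavioral1, behavioral2 and behavioral3 network tables; mDNS (224.0.0.251:5353) and the resolver (1.1.1.1:53) are treated as baseline. The output is a candidate for analyst confirmation, not an attribution the report makes.

```python
"""Cross-detonation network triage over the rows of a sandbox report.
Added example; the rows are transcribed from the three behavioral network tables."""
from collections import defaultdict

# (run, country, destination, domain, proto). Empty domain means the sandbox
# recorded no DNS name for that connection.
ROWS = [
    ("behavioral1", "N/A", "224.0.0.251:5353", "", "udp"),
    ("behavioral1", "GB", "109.120.135.42:8080", "", "tcp"),
    ("behavioral1", "GB", "216.58.212.238:443", "", "tcp"),
    ("behavioral1", "US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("behavioral1", "GB", "142.250.178.14:443", "android.apis.google.com", "tcp"),
    ("behavioral1", "GB", "172.217.16.228:80", "", "tcp"),
    ("behavioral1", "GB", "172.217.16.228:443", "", "tcp"),
    ("behavioral1", "GB", "142.250.200.35:80", "", "tcp"),
    ("behavioral1", "GB", "216.58.212.234:443", "", "tcp"),
    ("behavioral2", "N/A", "224.0.0.251:5353", "", "udp"),
    ("behavioral2", "GB", "142.250.200.10:443", "", "tcp"),
    ("behavioral2", "GB", "216.58.212.238:443", "", "tcp"),
    ("behavioral2", "GB", "142.250.180.14:443", "", "tcp"),
    ("behavioral2", "GB", "216.58.212.206:443", "", "tcp"),
    ("behavioral2", "US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("behavioral2", "GB", "142.250.200.14:443", "android.apis.google.com", "tcp"),
    ("behavioral2", "GB", "109.120.135.42:8080", "", "tcp"),
    ("behavioral2", "US", "1.1.1.1:53", "ssl.google-analytics.com", "udp"),
    ("behavioral2", "GB", "142.250.180.8:443", "ssl.google-analytics.com", "tcp"),
    ("behavioral3", "GB", "142.250.200.46:443", "", "tcp"),
    ("behavioral3", "N/A", "224.0.0.251:5353", "", "udp"),
    ("behavioral3", "US", "1.1.1.1:53", "www.youtube.com", "udp"),
    ("behavioral3", "GB", "142.250.187.238:443", "www.youtube.com", "udp"),
    ("behavioral3", "GB", "142.250.187.238:443", "www.youtube.com", "tcp"),
    ("behavioral3", "US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("behavioral3", "GB", "172.217.16.238:443", "android.apis.google.com", "tcp"),
    ("behavioral3", "US", "216.239.32.223:443", "", "tcp"),
    ("behavioral3", "GB", "109.120.135.42:8080", "", "tcp"),
    ("behavioral3", "GB", "142.250.187.193:443", "", "tcp"),
    ("behavioral3", "GB", "216.58.204.65:443", "", "tcp"),
]

# Traffic every Android emulator produces regardless of the sample under test.
BASELINE = {"224.0.0.251:5353", "1.1.1.1:53"}


def candidate_c2(rows, baseline=BASELINE):
    """Destinations contacted in every run, never via a recorded DNS name,
    and not part of the emulator baseline."""
    runs = {row[0] for row in rows}
    seen_in = defaultdict(set)
    resolved = set()
    for run, _country, dest, domain, _proto in rows:
        seen_in[dest].add(run)
        if domain:
            resolved.add(dest)
    return sorted(
        dest for dest, in_runs in seen_in.items()
        if in_runs == runs and dest not in resolved and dest not in baseline
    )


def non_standard_ports(rows, expected=(53, 80, 443, 5353)):
    """Destinations on ports outside DNS, HTTP, HTTPS and mDNS: a second,
    independent heuristic that should agree with candidate_c2 on a good hit."""
    hits = set()
    for _run, _country, dest, _domain, _proto in rows:
        port = int(dest.rsplit(":", 1)[1])
        if port not in expected:
            hits.add(dest)
    return sorted(hits)


if __name__ == "__main__":
    print("recurring, unresolved, non-baseline:", candidate_c2(ROWS))
    print("non-standard ports:", non_standard_ports(ROWS))
```

Both heuristics converge on a single destination, which is the one to check against passive DNS, the APK's strings and any configuration the accessibility service decrypts at runtime. The intersection rule also shows why single-run IOC lists are noisy: the Google addresses differ between runs because they are CDN front ends, and 216.58.212.238:443 appears in two of three runs without a domain yet is dropped because it is absent from behavioral3.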
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 46f274ffc44d0212ffe642dc85e65994 |
| SHA1 | 5596be6621434077849abcdafd4170e4b536c8eb |
| SHA256 | 84f04ac3ef2fe1ad9a86ac62141cec3a2df1b37b734fba2277eb4d5f27e157ab |
| SHA512 | 0bf88289e269d1a421764804c100b5efb36b2cd959f47c9291d9881e5cc856ba81b92fa94e44a105c9d1c55e4fbf6f7a6482274a23fe5f0cc0f7f5c4e5a217fa |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 6939bc214ee4c56bf953d452d9414be1 |
| SHA1 | 547e3c2a1eebe30637a3d34f6b5c18d7c0e17ea0 |
| SHA256 | e45563c2c040adcf1df5eefa57e3b8e511f4961f3da8c5b98d9b10bd16321ce9 |
| SHA512 | 6e987902ce5d73c8e58375bb1134d18daa07c93cf048e60cea12a17bdc631a77ba3db0e44951e30a861d1f835984bfde937be54a3168e609e11bcea97c2f4ca7 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 27720f0ff064c733dca79ec79ea964df |
| SHA1 | 8ded0a780bd7f8ae89dce465e9169b9cfa1426d7 |
| SHA256 | f33c8aefb13b8c728238e366986e97ed7537d165ea8cf67f6eb1d931b824402b |
| SHA512 | bf2aa22617dd38b696eb5701880fc23ef64fd4c9e05a8005284808275eaa877ba837ea4eff2aec1931368667b4a6eb1a1c5948adfe41cecd5832b15750ff85ee |