Malware Analysis Report

2024-12-07 03:19

Sample ID 241017-124ajszbjf
Target c1b4d4e3543dea727bc4c39f3b4de3f504e0aba64a7520a4173bf39671abf022.bin
SHA256 c1b4d4e3543dea727bc4c39f3b4de3f504e0aba64a7520a4173bf39671abf022
Tags
ajina banker collection credential_access evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1b4d4e3543dea727bc4c39f3b4de3f504e0aba64a7520a4173bf39671abf022

Threat Level: Known bad

The file c1b4d4e3543dea727bc4c39f3b4de3f504e0aba64a7520a4173bf39671abf022.bin was found to be: Known bad.

Malicious Activity Summary

ajina banker collection credential_access evasion infostealer rat trojan

Ajina family

Ajina

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 22:09

Signatures

Ajina family

ajina

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 22:09

Reported

2024-10-17 22:12

Platform

android-x86-arm-20240910-en

Max time kernel

122s

Max time network

151s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |

Processes

org.zzzz.aaa

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 109.120.135.42:8080 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| GB | 172.217.16.228:80 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 142.250.200.35:80 | | tcp |
| GB | 216.58.212.234:443 | | tcp |

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 46f274ffc44d0212ffe642dc85e65994
SHA1 5596be6621434077849abcdafd4170e4b536c8eb
SHA256 84f04ac3ef2fe1ad9a86ac62141cec3a2df1b37b734fba2277eb4d5f27e157ab
SHA512 0bf88289e269d1a421764804c100b5efb36b2cd959f47c9291d9881e5cc856ba81b92fa94e44a105c9d1c55e4fbf6f7a6482274a23fe5f0cc0f7f5c4e5a217fa

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 7fc453b0f1648d62b5ca65408c5fd600
SHA1 b172745fef3557f359d1edc648ba99311a9ba6cf
SHA256 66c6a1a4e4bd869d8b523d66fb510e436bd108eca73ffd1a092fe832bf1dad39
SHA512 9224e8f692b8094bb7dc35b7058624c810921433875c1380eb01a097ebd3b81404d9926e3c638cb09a88e2ae491b41f1ce32a65d7e742cb4f348d59382fb1f4d

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 e58f86ef896a6206e05547b65fe66031
SHA1 57fe84f00207fd118a171f01e8d5c2db9eef00bc
SHA256 3f480c00d2dd3a0c885105a5a6bfea54f6ea8678a2d79919874dd4dcd3ad8a2f
SHA512 8654333039a6bf781a56499979c761b991dffa31a8725271a7f8c08796923e2f95ebcf5e28c08285ec034e7ab6ed55c11ab81209d590ac3fb285123f6b8220ef

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 2aa60792574f6309e7aeb368d13514fa
SHA1 3a91e3c93b620fc6f6d49cfc9dfd566a4317ffc3
SHA256 83ae704d2eeae930b36690ba3732fa235b7db16499c4839d0b05441576769999
SHA512 77040ffa8088d87f6f7b58adf0fc2d9d12428be6545795e05b081c4d490aa97dfdfed101a0d3725442fecddbbe5b90df72eabf932186ceec4c78261562eef0b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 22:09

Reported

2024-10-17 22:12

Platform

android-x64-20240910-en

Max time kernel

121s

Max time network

151s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |

Processes

org.zzzz.aaa

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.10:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 216.58.212.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 109.120.135.42:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 46f274ffc44d0212ffe642dc85e65994
SHA1 5596be6621434077849abcdafd4170e4b536c8eb
SHA256 84f04ac3ef2fe1ad9a86ac62141cec3a2df1b37b734fba2277eb4d5f27e157ab
SHA512 0bf88289e269d1a421764804c100b5efb36b2cd959f47c9291d9881e5cc856ba81b92fa94e44a105c9d1c55e4fbf6f7a6482274a23fe5f0cc0f7f5c4e5a217fa

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e13db8f88647b31c4f29498555fe5e23
SHA1 7eb6f1378966a3286e305a6ccbbe4c0aeac67871
SHA256 1b6493aed43d601f8ab483f667f37e20272b82fed612e4701ae70ed8c5ddf187
SHA512 6e3515f0651ed2b62258f54c7ded32bc9f17cee57bec7b8b91bd02ab238ff529603d06ff27a78e70b7792b246ed4fe62b725b23766d78f0a2c1651037ce68d51

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 94152002d6fb47a5b729dd1b65a3e81e
SHA1 041b7f054870c1432891c56f868653a74119612b
SHA256 b526464a15c1f541a97a9d133798a90b62709f107b90adaf8af70c9d31b7ddf0
SHA512 da456b685c57845c6bd7ca7e2ae725dd2592b618835f07beaabafde1abd60dbee64c3177ccdc2f0a83bf5267fe2f3e3d32aca466f17c560cfc2cc0f4160389f5

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 45e48f8b83e8ced7dd22121624916d34
SHA1 aa2b09c8389a681396f66a2a6ce7a31a97d7a490
SHA256 5476e12b7899528abf634e96059590d7b0e49e3ace04b6b201973ba3f52252fc
SHA512 d2ce24ac8a417764e048422ef2d460620a787bd1b4211ed7c490d59f9bd223600d998117d6615101f2c74ab17e54f013d4ecfcc54ac009352b82e0b7a162ae79

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-17 22:09

Reported

2024-10-17 22:12

Platform

android-x64-arm64-20240910-en

Max time kernel

132s

Max time network

150s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |

Processes

org.zzzz.aaa

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 142.250.187.238:443 | www.youtube.com | udp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 216.239.32.223:443 | | tcp |
| GB | 109.120.135.42:8080 | | tcp |
| GB | 142.250.187.193:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |
| GB | 216.58.204.65:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 46f274ffc44d0212ffe642dc85e65994
SHA1 5596be6621434077849abcdafd4170e4b536c8eb
SHA256 84f04ac3ef2fe1ad9a86ac62141cec3a2df1b37b734fba2277eb4d5f27e157ab
SHA512 0bf88289e269d1a421764804c100b5efb36b2cd959f47c9291d9881e5cc856ba81b92fa94e44a105c9d1c55e4fbf6f7a6482274a23fe5f0cc0f7f5c4e5a217fa

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 6939bc214ee4c56bf953d452d9414be1
SHA1 547e3c2a1eebe30637a3d34f6b5c18d7c0e17ea0
SHA256 e45563c2c040adcf1df5eefa57e3b8e511f4961f3da8c5b98d9b10bd16321ce9
SHA512 6e987902ce5d73c8e58375bb1134d18daa07c93cf048e60cea12a17bdc631a77ba3db0e44951e30a861d1f835984bfde937be54a3168e609e11bcea97c2f4ca7

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 27720f0ff064c733dca79ec79ea964df
SHA1 8ded0a780bd7f8ae89dce465e9169b9cfa1426d7
SHA256 f33c8aefb13b8c728238e366986e97ed7537d165ea8cf67f6eb1d931b824402b
SHA512 bf2aa22617dd38b696eb5701880fc23ef64fd4c9e05a8005284808275eaa877ba837ea4eff2aec1931368667b4a6eb1a1c5948adfe41cecd5832b15750ff85ee