Malware Analysis Report

2024-12-07 03:19

Sample ID 241017-1zb4aayhme
Target 9c41d8d8e4c221466a99e6f2d2dc0981d68fd57108f9e4d6d75bfa672177420e.bin
SHA256 9c41d8d8e4c221466a99e6f2d2dc0981d68fd57108f9e4d6d75bfa672177420e
Tags
ajina banker collection credential_access evasion infostealer rat trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file 9c41d8d8e4c221466a99e6f2d2dc0981d68fd57108f9e4d6d75bfa672177420e.bin was found to be: Known bad.

Malicious Activity Summary

ajina banker collection credential_access evasion infostealer rat trojan

Ajina

Ajina family

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Analysis: static1

Detonation Overview

Reported

2024-10-17 22:04

Signatures

Ajina family

ajina

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 22:04

Reported

2024-10-17 22:09

Platform

android-x86-arm-20240910-en

Max time kernel

126s

Max time network

145s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
SE | 5.42.73.196:8080 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 172.217.169.74:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 069225e52043393363bdff4d14bfddf1
SHA1 f9b612c6b20ba21a9bbb185bd3d6e1b4c632beee
SHA256 695c20cedd6c3032b9d3a3c365f350b83e7a33eba154b6e6f682baf08be1fdaa
SHA512 5d7dc54233dd9f8b337b97334c5513e313eb45a77cacea575d90e34d4e63b28099a4b2eeaebd79571e12b6d19ece55e8a4e2f97319f8252d73943cd8977732d7

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 a8529482677c0927de517f0d55a48953
SHA1 9b4cfa584d11bae5550cb11c5350c38823a6fa03
SHA256 b0d42bedff91dd3be943d90439d313fc7cbc65e4560b1e8fc7401f941ff0bfd3
SHA512 e733e39ed768ebe185be2b0285289019f0c4cabc7af01f58a04d50da2f61ab141ed26e8298018f04faef748eac8628626805a6f4269e2f89b1aea0b8a6191a18

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 2f6b8b58f3259e4d0154a61159c72f7f
SHA1 d6941879d8b7ed5917f7aac92a947c4ab3e6c06f
SHA256 22095e414495c5f6a82fba4ecc86baf419e0d09403d56317a2c55bb14e9a7e65
SHA512 5a6a9a8dee18632d25d609e74310486a69528e624a89e2fe036f924634f34f7fddf0182c23ca06f568a835aaca7990a58320241a5edbab56c843fc9bfb97224f

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 40a083474f9b4017c722c7ed7925897c
SHA1 2835a9e849c68eeb52104cd0ca69c49169ac6c0f
SHA256 ed471b026b2f6a3a51ffe6935572c3352e3b113b69ecde32d509e68e4722473e
SHA512 cb154b170b7a865376908050b34de244c3b53e8d72161031d0020ee76701b2393d28d0266073c27f0a97828e0dfaecb7c5d0b48cec1afada9299267ca4358cc1

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 22:04

Reported

2024-10-17 22:08

Platform

android-x64-20240910-en

Max time kernel

142s

Max time network

150s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
GB | 216.58.212.238:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 216.58.212.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
SE | 5.42.73.196:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 069225e52043393363bdff4d14bfddf1
SHA1 f9b612c6b20ba21a9bbb185bd3d6e1b4c632beee
SHA256 695c20cedd6c3032b9d3a3c365f350b83e7a33eba154b6e6f682baf08be1fdaa
SHA512 5d7dc54233dd9f8b337b97334c5513e313eb45a77cacea575d90e34d4e63b28099a4b2eeaebd79571e12b6d19ece55e8a4e2f97319f8252d73943cd8977732d7

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e296cd4678077d5bdc2a8365323f9865
SHA1 fc9ce21cf6851449429f95cd56145cb9ee58a530
SHA256 f069f54ab958c86bb408482d31e924ba32709f93d4df1c7b49723b1524637e03
SHA512 2b77000446ce95e4049d4c6b007f8bae1a85d337d839fade523ab3012ef9999ae6969b3d81f860013daf49ded1e56757c26ff30814d1147d640228dad1ef4bf3

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 0e0ddb6894fd4a29e86d01fe0537c0eb
SHA1 4e10c602bbd9bd412beb20fc4cd60d2192b8c396
SHA256 34642a07608c20b9b62a3bac35ffa9f4acc8787d139662022cef1e4d0b8b0b38
SHA512 071c7ac2fb01c4e76930f3055030f9875c08942fe880c534ad8210bd381d7c677d559cd8f60e0f3d883c7e579ad7cfe7487e353541ba7aee91ee79577608a030

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 ac3ef4db97e596289efdec87c4c9c89b
SHA1 bf3ca5d426f47ef6a2507073a8b2c4b87d497029
SHA256 989ade2955694640cff861f7739c99ee770be05cb44aa34d952b6f692f0bb286
SHA512 4b547d6e62b845bd9f588a68d3406d5948e1bf70c1313b71be1180c53e369714e5a1f6132b46ab9b222493d1f302655736178f52dc4120a6d93d493feb37ce2d

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-17 22:04

Reported

2024-10-17 22:08

Platform

android-x64-arm64-20240910-en

Max time kernel

146s

Max time network

152s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.200.14:443 | www.youtube.com | udp
GB | 142.250.200.14:443 | www.youtube.com | tcp
GB | 142.250.179.238:443 | www.youtube.com | tcp
GB | 142.250.179.238:443 | www.youtube.com | tcp
US | 216.239.32.223:443 | | tcp
SE | 5.42.73.196:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 | www.youtube.com | tcp
GB | 142.250.187.225:443 | | tcp
US | 216.239.32.223:443 | | tcp
GB | 142.250.178.1:443 | | tcp
US | 216.239.32.223:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 069225e52043393363bdff4d14bfddf1
SHA1 f9b612c6b20ba21a9bbb185bd3d6e1b4c632beee
SHA256 695c20cedd6c3032b9d3a3c365f350b83e7a33eba154b6e6f682baf08be1fdaa
SHA512 5d7dc54233dd9f8b337b97334c5513e313eb45a77cacea575d90e34d4e63b28099a4b2eeaebd79571e12b6d19ece55e8a4e2f97319f8252d73943cd8977732d7

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 d467c83e17ba26d3eaa5afd9851f56a2
SHA1 d6d1486e096b75d52529fa3f789c99d77c9237c4
SHA256 bcaade619c4c6a8f966f4cf76079ad45e30f10fc207d858a500d4ecab4b1d8e8
SHA512 613e7dc4df908551a14b695c856a91cc8f5c9e3791119ff52bfed34f317a2f0d18752093217884835c6c0c368d3e62a4966ceb30150f3b1c466c6279b0c14ecf

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 0566962b3be93c121ae2c7fb4b4ec1be
SHA1 97f4787a0d7044e945afd14814b4446a5e1d439c
SHA256 3c668da193fff293ace3646305916f911c85722682ce529fd3b1b1c9ebec78af
SHA512 e60931eeb027b4cb561c10a6a68c5b605c07d5ef2bfc0774a66abd8cb9423da349e9402333024b873cd55889585886cec975245dfc5c6c1a764eecfaf14a5746