Analysis Overview
SHA256
9c41d8d8e4c221466a99e6f2d2dc0981d68fd57108f9e4d6d75bfa672177420e
Threat Level: Known bad
The file 9c41d8d8e4c221466a99e6f2d2dc0981d68fd57108f9e4d6d75bfa672177420e.bin was found to be: Known bad.
Malicious Activity Summary
Ajina
Ajina family
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 22:04
Signatures
Ajina family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 22:04
Reported
2024-10-17 22:09
Platform
android-x86-arm-20240910-en
Max time kernel
126s
Max time network
145s
Command Line
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| SE | 5.42.73.196:8080 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| GB | 172.217.169.74:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 069225e52043393363bdff4d14bfddf1 |
| SHA1 | f9b612c6b20ba21a9bbb185bd3d6e1b4c632beee |
| SHA256 | 695c20cedd6c3032b9d3a3c365f350b83e7a33eba154b6e6f682baf08be1fdaa |
| SHA512 | 5d7dc54233dd9f8b337b97334c5513e313eb45a77cacea575d90e34d4e63b28099a4b2eeaebd79571e12b6d19ece55e8a4e2f97319f8252d73943cd8977732d7 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | a8529482677c0927de517f0d55a48953 |
| SHA1 | 9b4cfa584d11bae5550cb11c5350c38823a6fa03 |
| SHA256 | b0d42bedff91dd3be943d90439d313fc7cbc65e4560b1e8fc7401f941ff0bfd3 |
| SHA512 | e733e39ed768ebe185be2b0285289019f0c4cabc7af01f58a04d50da2f61ab141ed26e8298018f04faef748eac8628626805a6f4269e2f89b1aea0b8a6191a18 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | 2f6b8b58f3259e4d0154a61159c72f7f |
| SHA1 | d6941879d8b7ed5917f7aac92a947c4ab3e6c06f |
| SHA256 | 22095e414495c5f6a82fba4ecc86baf419e0d09403d56317a2c55bb14e9a7e65 |
| SHA512 | 5a6a9a8dee18632d25d609e74310486a69528e624a89e2fe036f924634f34f7fddf0182c23ca06f568a835aaca7990a58320241a5edbab56c843fc9bfb97224f |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 40a083474f9b4017c722c7ed7925897c |
| SHA1 | 2835a9e849c68eeb52104cd0ca69c49169ac6c0f |
| SHA256 | ed471b026b2f6a3a51ffe6935572c3352e3b113b69ecde32d509e68e4722473e |
| SHA512 | cb154b170b7a865376908050b34de244c3b53e8d72161031d0020ee76701b2393d28d0266073c27f0a97828e0dfaecb7c5d0b48cec1afada9299267ca4358cc1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-17 22:04
Reported
2024-10-17 22:08
Platform
android-x64-20240910-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.10:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 216.58.212.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| SE | 5.42.73.196:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 069225e52043393363bdff4d14bfddf1 |
| SHA1 | f9b612c6b20ba21a9bbb185bd3d6e1b4c632beee |
| SHA256 | 695c20cedd6c3032b9d3a3c365f350b83e7a33eba154b6e6f682baf08be1fdaa |
| SHA512 | 5d7dc54233dd9f8b337b97334c5513e313eb45a77cacea575d90e34d4e63b28099a4b2eeaebd79571e12b6d19ece55e8a4e2f97319f8252d73943cd8977732d7 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | e296cd4678077d5bdc2a8365323f9865 |
| SHA1 | fc9ce21cf6851449429f95cd56145cb9ee58a530 |
| SHA256 | f069f54ab958c86bb408482d31e924ba32709f93d4df1c7b49723b1524637e03 |
| SHA512 | 2b77000446ce95e4049d4c6b007f8bae1a85d337d839fade523ab3012ef9999ae6969b3d81f860013daf49ded1e56757c26ff30814d1147d640228dad1ef4bf3 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | 0e0ddb6894fd4a29e86d01fe0537c0eb |
| SHA1 | 4e10c602bbd9bd412beb20fc4cd60d2192b8c396 |
| SHA256 | 34642a07608c20b9b62a3bac35ffa9f4acc8787d139662022cef1e4d0b8b0b38 |
| SHA512 | 071c7ac2fb01c4e76930f3055030f9875c08942fe880c534ad8210bd381d7c677d559cd8f60e0f3d883c7e579ad7cfe7487e353541ba7aee91ee79577608a030 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | ac3ef4db97e596289efdec87c4c9c89b |
| SHA1 | bf3ca5d426f47ef6a2507073a8b2c4b87d497029 |
| SHA256 | 989ade2955694640cff861f7739c99ee770be05cb44aa34d952b6f692f0bb286 |
| SHA512 | 4b547d6e62b845bd9f588a68d3406d5948e1bf70c1313b71be1180c53e369714e5a1f6132b46ab9b222493d1f302655736178f52dc4120a6d93d493feb37ce2d |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-17 22:04
Reported
2024-10-17 22:08
Platform
android-x64-arm64-20240910-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| US | 216.239.32.223:443 | | tcp |
| SE | 5.42.73.196:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| GB | 142.250.187.225:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |
| GB | 142.250.178.1:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 069225e52043393363bdff4d14bfddf1 |
| SHA1 | f9b612c6b20ba21a9bbb185bd3d6e1b4c632beee |
| SHA256 | 695c20cedd6c3032b9d3a3c365f350b83e7a33eba154b6e6f682baf08be1fdaa |
| SHA512 | 5d7dc54233dd9f8b337b97334c5513e313eb45a77cacea575d90e34d4e63b28099a4b2eeaebd79571e12b6d19ece55e8a4e2f97319f8252d73943cd8977732d7 |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | d467c83e17ba26d3eaa5afd9851f56a2 |
| SHA1 | d6d1486e096b75d52529fa3f789c99d77c9237c4 |
| SHA256 | bcaade619c4c6a8f966f4cf76079ad45e30f10fc207d858a500d4ecab4b1d8e8 |
| SHA512 | 613e7dc4df908551a14b695c856a91cc8f5c9e3791119ff52bfed34f317a2f0d18752093217884835c6c0c368d3e62a4966ceb30150f3b1c466c6279b0c14ecf |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 0566962b3be93c121ae2c7fb4b4ec1be |
| SHA1 | 97f4787a0d7044e945afd14814b4446a5e1d439c |
| SHA256 | 3c668da193fff293ace3646305916f911c85722682ce529fd3b1b1c9ebec78af |
| SHA512 | e60931eeb027b4cb561c10a6a68c5b605c07d5ef2bfc0774a66abd8cb9423da349e9402333024b873cd55889585886cec975245dfc5c6c1a764eecfaf14a5746 |