Malware Analysis Report

2024-12-07 03:19

Sample ID 241017-1zgzjasdmj
Target 3a30f69f429724a5034e3304eb57cab41bb96b9f15d5d18daa5bea76de04d8fe.bin
SHA256 3a30f69f429724a5034e3304eb57cab41bb96b9f15d5d18daa5bea76de04d8fe
Tags
ajina banker collection credential_access evasion infostealer rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3a30f69f429724a5034e3304eb57cab41bb96b9f15d5d18daa5bea76de04d8fe

Threat Level: Known bad

The file 3a30f69f429724a5034e3304eb57cab41bb96b9f15d5d18daa5bea76de04d8fe.bin was found to be: Known bad.

Malicious Activity Summary

ajina banker collection credential_access evasion infostealer rat trojan

Ajina

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 22:05

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 22:05

Reported

2024-10-17 22:08

Platform

android-x86-arm-20240910-en

Max time kernel

126s

Max time network

151s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
FR 77.105.166.215:8080 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.200.2:443 tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 22:05

Reported

2024-10-17 22:08

Platform

android-x64-20240910-en

Max time kernel

117s

Max time network

155s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.234:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
FR 77.105.166.215:8080 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-17 22:05

Reported

2024-10-17 22:08

Platform

android-x64-arm64-20240910-en

Max time kernel

125s

Max time network

154s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
US 216.239.36.223:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.14:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 www.youtube.com tcp
GB 142.250.200.46:443 android.apis.google.com tcp
FR 77.105.166.215:8080 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
GB 142.250.187.225:443 tcp
GB 142.250.179.225:443 tcp
US 216.239.32.223:443 tcp
US 216.239.32.223:443 tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
