Analysis Overview
SHA256
cc3584c5fe2224ee115db9b9f632bd3d590e1ee106afd678b7431012e8a9ba50
Threat Level: Known bad
The file cc3584c5fe2224ee115db9b9f632bd3d590e1ee106afd678b7431012e8a9ba50.bin was found to be: Known bad.
Malicious Activity Summary
Ajina
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 22:05
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 22:05
Reported
2024-10-17 22:08
Platform
android-x86-arm-20240910-en
Max time kernel
120s
Max time network
153s
Command Line
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| FR | 77.105.166.215:8080 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/org.zzzz.aaa/files/profileInstalled
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-17 22:05
Reported
2024-10-17 22:08
Platform
android-x64-20240910-en
Max time kernel
115s
Max time network
152s
Command Line
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.10:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| FR | 77.105.166.215:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.98:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/org.zzzz.aaa/files/profileInstalled
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-17 22:05
Reported
2024-10-17 22:08
Platform
android-x64-arm64-20240910-en
Max time kernel
113s
Max time network
154s
Command Line
Signatures
Ajina
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 216.58.204.78:443 | www.youtube.com | tcp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| US | 216.239.34.223:443 | | tcp |
| FR | 77.105.166.215:8080 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.193:443 | | tcp |
| GB | 216.58.204.65:443 | | tcp |
| US | 216.239.34.223:443 | | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof