Malware Analysis Report

2024-12-07 03:19

Sample ID: 241017-1zj4wssdml
Target: cc3584c5fe2224ee115db9b9f632bd3d590e1ee106afd678b7431012e8a9ba50.bin
SHA256: cc3584c5fe2224ee115db9b9f632bd3d590e1ee106afd678b7431012e8a9ba50
Tags: ajina banker collection credential_access evasion infostealer rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: cc3584c5fe2224ee115db9b9f632bd3d590e1ee106afd678b7431012e8a9ba50

Threat Level: Known bad

The file cc3584c5fe2224ee115db9b9f632bd3d590e1ee106afd678b7431012e8a9ba50.bin was found to be: Known bad.

Malicious Activity Summary

Tags: ajina banker collection credential_access evasion infostealer rat trojan

Ajina

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-17 22:05

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-17 22:05
Reported: 2024-10-17 22:08
Platform: android-x86-arm-20240910-en
Max time kernel: 120s
Max time network: 153s

Command Line

org.zzzz.aaa

Signatures

Ajina

Tags: banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
FR | 77.105.166.215:8080 | - | tcp
GB | 142.250.200.46:443 | - | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 704e449913aeeb9475823f2d3d94d3e4
SHA1 d994a30f597d846b235d7b1f651025c15115ed3d
SHA256 59ca077e825c0d23ebc48e281be6569e2d4818e0d3251e3d449dfccf22cde956
SHA512 a6615ffc775dd978ea81e5806828e97c7054dae024d8c8851975cd578d5fdc8fa6a6a832b99fdbf33e54075180039be93e9c907b9310bc50fffbf9d4fc2bf92d

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 9e4cb4198b8bd1d0e8c5668551e2a485
SHA1 ed45afab6ea619d3cffb311b53448fdb321ad01a
SHA256 cfe43d07f13bfe9ada971fc49526ff1027412ad073f1fa816738bd930465fede
SHA512 788620ba7d21f7a868d50c02405b878391658be0f67196429296df2d6fa1f0584200f710bf8b78f00740da7fdc3c478561872bf2cdd9a8e07af551f98bca7674

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 ccbf449e9de992cb3b5984e9db2a98c3
SHA1 5a6a3f72c7a39444186ca5b36295b24b8bb261bc
SHA256 42edd15b261da28b0fa022d7c732674e1ff961dbe2da6011f94965d4614b8962
SHA512 85857c5ec994f0b90a3ad74bde5a61c93de653d9bb820cba163a26997d0830c866de9d076b933f3e2faa2f835a11ddca275137e10b87f2a0af176d38108e5562

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 24f5cab31e8359500d94f41ac36609d0
SHA1 4b59a9f1b9feb12c8889550ea6fedf6148fc73ab
SHA256 08fe97b8e270a6db1bdd8f8967d1a0321bc8cd8183f2a0edb78d30cef1a6a0aa
SHA512 06e145cbe584f4f1fcf93c6b92c91ae47a56794ac65f827a5fabd5b6871f7b0857394887488da7f6bf3e2fb1ffc54bf4bd2f5c4eae82960905b02be8f11782a4

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-17 22:05
Reported: 2024-10-17 22:08
Platform: android-x64-20240910-en
Max time kernel: 115s
Max time network: 152s

Command Line

org.zzzz.aaa

Signatures

Ajina

Tags: banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.200.10:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
FR | 77.105.166.215:8080 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.98:443 | - | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 704e449913aeeb9475823f2d3d94d3e4
SHA1 d994a30f597d846b235d7b1f651025c15115ed3d
SHA256 59ca077e825c0d23ebc48e281be6569e2d4818e0d3251e3d449dfccf22cde956
SHA512 a6615ffc775dd978ea81e5806828e97c7054dae024d8c8851975cd578d5fdc8fa6a6a832b99fdbf33e54075180039be93e9c907b9310bc50fffbf9d4fc2bf92d

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 bf6f8966f35685b47034c0e2e9cbbe83
SHA1 c90d63a251200cf66160a8e4b84ed17e18eccabd
SHA256 4da9fa799cb8255355abf7c983bdb4aeaacf85d6beb14e4b7cee86eb83a1a546
SHA512 a0bb068a6b1ce3993462cde14ed91a25b032fb049f911162e9c725044d5b29dcb6a5924632c4b9d3f17970802aefddc599239d340ca28057e8a08878f87af4fa

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 904265412a272fc96a2c0ed1f6f3502a
SHA1 44d8a1b86ed59b420ff9fea1bb7cd853e069ac61
SHA256 eec1c4f45aaaed6c36432c6ae644f870f3c7c85c6e798065c580200fd5ff133b
SHA512 ba48efb2140f828708f7dfb57977ca0c79a0a2afb64e784a099b9436e3e06c58dfc99faca35dba3ada94b5739efbd09be91d21864ec73957969fc3be19e20e4a

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 f527f2a1db268cc798fdbe4e2bd67c1c
SHA1 e2536bf93049f8098830f8ecd66bbd90355b7652
SHA256 28d6387421a95ca04b83c8c6b2f414ecbfe90d47d81ee2f1d645e2d7a0834c70
SHA512 643b82c327798ba12c1754888318ef74956719d50f74b440899cf845261847ff321eff8a92a59b1fb9e8ee1da376fa8251b6bdd38d4118af74024d3768174bd4

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-17 22:05
Reported: 2024-10-17 22:08
Platform: android-x64-arm64-20240910-en
Max time kernel: 113s
Max time network: 154s

Command Line

org.zzzz.aaa

Signatures

Ajina

Tags: banker trojan infostealer rat ajina

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.204.78:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.204.78:443 | www.youtube.com | tcp
GB | 142.250.200.46:443 | www.youtube.com | tcp
US | 216.239.34.223:443 | - | tcp
FR | 77.105.166.215:8080 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.193:443 | - | tcp
GB | 216.58.204.65:443 | - | tcp
US | 216.239.34.223:443 | - | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 704e449913aeeb9475823f2d3d94d3e4
SHA1 d994a30f597d846b235d7b1f651025c15115ed3d
SHA256 59ca077e825c0d23ebc48e281be6569e2d4818e0d3251e3d449dfccf22cde956
SHA512 a6615ffc775dd978ea81e5806828e97c7054dae024d8c8851975cd578d5fdc8fa6a6a832b99fdbf33e54075180039be93e9c907b9310bc50fffbf9d4fc2bf92d

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e5b4c461ea31b9087272657493367b77
SHA1 aefec47ceb866ad560a0c5801e757cad0708af1f
SHA256 6142badd174ab8168df9d358a082fa45e8a80807304ccad991c4debf2a21f930
SHA512 20370c8a36d2490166794d580a8f1acca58bb89a961cde095c3c8ca300fa6fe10f8e709cd0a27ce1218ad5df4b6fee18fcff478a3f27ab2bad0c88500c83f84b

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 6ba01750b751685edda63f40a16d1a83
SHA1 0d3cf40fb01bfa0161e02478d756e672140d0141
SHA256 9d4fa67df6c52d78353565f6323108c39ab395fe1f96523676f1550931aeb5f8
SHA512 0bd35222ea58493525c0b484de69925cae7383de361636972af946e87f63f28682557dc35b18e70b5ecc749faf73a4b8dcf0496d5b9e3576de0cc75a498dbf0d