Malware Analysis Report

2024-12-07 03:19

Sample ID 241114-13x5xstkf1
Target 91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86.bin
SHA256 91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86
Tags
ajina banker collection credential_access evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86

Threat Level: Known bad

The file 91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86.bin was found to be: Known bad.

Malicious Activity Summary

ajina banker collection credential_access evasion infostealer rat trojan

Ajina

Ajina family

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Declares services with permission to bind to the system

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 22:11

Signatures

Ajina family

ajina

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-14 22:11

Reported

2024-11-14 22:14

Platform

android-x64-arm64-20240910-en

Max time kernel

108s

Max time network

158s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Ajina family

ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.200.46:443 | www.youtube.com | udp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 216.58.201.110:443 | www.youtube.com | tcp
US | 216.239.38.223:443 | | tcp
SE | 46.226.160.5:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | www.youtube.com | tcp
GB | 216.58.212.193:443 | | tcp
GB | 142.250.187.225:443 | | tcp
US | 216.239.38.223:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 5276a38e2c2eb135639987d2a0486e84
SHA1 38a08350c707b7f77fd1bb370e83954096c684de
SHA256 6eefcbb1574779d599607010d03118f29488ac7797d100defd82246d556325df
SHA512 4358486e00a9cd395d0d27971569660203ae8cef66afccaef95a42cfa3e4abf767799312a7cec6c636bb65f29c338cddd64181845e20e5cf4afafd4bdce9de1b

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 9e1247988da017c944335999d71c02cc
SHA1 a36821eead9015705557d61886cd8d729d905da9
SHA256 e5cac8ea3b4c2ca4cbb1e4b620ed3080a134cec02fc7e18a90791e32d596c041
SHA512 f838ead21e8d0dccb4f04b4eefa9997bf6a605577dddfed3817fe3073c6bb43be8274082d09d5c99aeb34cb7ecf670e7316111e23aa9a5ccfc050cbaf4cf13a5

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 107835400bfa835a7eaaf9b5d6cb5918
SHA1 114068bdb6cc9d4a5bfbb051910b3e55a6430a41
SHA256 c28429118f40a400da5beadff5bbf89f72b5c90d5ddfbb3374e72ae2b4fceae4
SHA512 1d0d914dd3536e164a28e86e14acf08534baa40ec7021837f3c3e23e103d01d00b3b7e345cd228405590ada121717fe2b0291d39a6f54ff90bbbc490421314c4

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 22:11

Reported

2024-11-14 22:14

Platform

android-x86-arm-20240624-en

Max time kernel

92s

Max time network

137s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Ajina family

ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
SE | 46.226.160.5:8080 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 5276a38e2c2eb135639987d2a0486e84
SHA1 38a08350c707b7f77fd1bb370e83954096c684de
SHA256 6eefcbb1574779d599607010d03118f29488ac7797d100defd82246d556325df
SHA512 4358486e00a9cd395d0d27971569660203ae8cef66afccaef95a42cfa3e4abf767799312a7cec6c636bb65f29c338cddd64181845e20e5cf4afafd4bdce9de1b

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 42676295800682a6429a455b2cf56188
SHA1 d3a45dd1c920c0f481be2a6c2d34ff0a32cdccf5
SHA256 fb42a139b96ceb95b264d0e572271ff244525e9ca587d4444feb2497ade617a5
SHA512 63ab9defd052e8244d968a23f39ad941998c22f0e862fd6378790a552783753d1332898e72ed6bd5eb10da823d027d896a97e285a15ff03a39a62665b47c5e63

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 01a63051e0867d700b1c8ecd0a6782e5
SHA1 a9c6d52ddb03d72f730f23050d0c0e659ba0cde1
SHA256 9d04567dd0de1ba521eaa6754821b20c22a4b377ffe80394039da228a44279b6
SHA512 9bd1fc511069a978390df10fb45863484a45f3fc0d2c5cd3950db04a9d6c3eb26a9b00cd80721e133b123130bd05bf4422ca9edcef8365a54874286ebba25da2

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 1aba5395edd2493af4e3a788ae2dc80c
SHA1 4c7066c09f04e34b03eee302de15d093da2508f2
SHA256 065405a11130d4108057046b5aa1d71abdb01030a07d89f678109823f0341d2c
SHA512 a98cd4ee55e703c71b079cd6fb3ab7011a1206e980988f8d69696c10dfa8860ce69e7a67de384660a971cc7833e536719bd8d3a19c864b6b938a3b3514dafafe

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 22:11

Reported

2024-11-14 22:13

Platform

android-x64-20240624-en

Max time kernel

97s

Max time network

137s

Command Line

org.zzzz.aaa

Signatures

Ajina

banker trojan infostealer rat ajina

Ajina family

ajina

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
SE | 46.226.160.5:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 5276a38e2c2eb135639987d2a0486e84
SHA1 38a08350c707b7f77fd1bb370e83954096c684de
SHA256 6eefcbb1574779d599607010d03118f29488ac7797d100defd82246d556325df
SHA512 4358486e00a9cd395d0d27971569660203ae8cef66afccaef95a42cfa3e4abf767799312a7cec6c636bb65f29c338cddd64181845e20e5cf4afafd4bdce9de1b

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 42948d44cb19300f90d1139956f0d4e0
SHA1 bdabfa439657c41ceb11874804bd65e1dbb64726
SHA256 99c01de9016a4944d456598b20dd427f0b9e70fa3661c338ef6299f4907c0ba7
SHA512 e0f0755077487774f31de61417ba572e8d6b51d68ca967457d56493d9eff6c1f3063a514da27aa5f22390cc02288621beb5431c6dae1da7417e1af6aaaecc202

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 ea6f3a12ca79e624387b55d25ce30fc6
SHA1 a6bf52672aa53747579538083869db82a4e220f6
SHA256 8f2429ba920618bdcb8fb43e4d7ad43ee93f9e8a73aa48fca7f422709c514e50
SHA512 ee4461e36323e63344b00f366f2fa2738f98c85bfe1110d710440eb737fb4fb80503f82435b2f7b0ffadafdb676b2c683049a0298d69bfc6bf71314663b3959d

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 39083359cd0329a762f44b361d854468
SHA1 6a47e52e0b4eafcc62778d4ef341e9ca2c810660
SHA256 fffb8e3eac2454630ec54905e9df4fc723ddec575a4c168947c023ef7113b113
SHA512 a73bb02d61473c2042c336af596f8e1f46d16dc69902f22bc5c83f8d74412635f16d0dab6ce2b71a717be8ac0bc901c947071235ab8bdb6197d3ce9dabb7e65a