Analysis Overview
SHA256
91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86
Threat Level: Known bad
The file 91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86.bin was found to be: Known bad.
Malicious Activity Summary
Ajina
Ajina family
Makes use of the framework's Accessibility service
Requests dangerous framework permissions
Declares services with permission to bind to the system
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 22:11
Signatures
Ajina family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-14 22:11
Reported
2024-11-14 22:14
Platform
android-x64-arm64-20240910-en
Max time kernel
108s
Max time network
158s
Command Line
Signatures
Ajina
Ajina family
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 142.250.200.46:443 | www.youtube.com | udp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| GB | 216.58.201.110:443 | www.youtube.com | tcp |
| US | 216.239.38.223:443 | tcp | |
| SE | 46.226.160.5:8080 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| GB | 216.58.212.193:443 | tcp | |
| GB | 142.250.187.225:443 | tcp | |
| US | 216.239.38.223:443 | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 5276a38e2c2eb135639987d2a0486e84 |
| SHA1 | 38a08350c707b7f77fd1bb370e83954096c684de |
| SHA256 | 6eefcbb1574779d599607010d03118f29488ac7797d100defd82246d556325df |
| SHA512 | 4358486e00a9cd395d0d27971569660203ae8cef66afccaef95a42cfa3e4abf767799312a7cec6c636bb65f29c338cddd64181845e20e5cf4afafd4bdce9de1b |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 9e1247988da017c944335999d71c02cc |
| SHA1 | a36821eead9015705557d61886cd8d729d905da9 |
| SHA256 | e5cac8ea3b4c2ca4cbb1e4b620ed3080a134cec02fc7e18a90791e32d596c041 |
| SHA512 | f838ead21e8d0dccb4f04b4eefa9997bf6a605577dddfed3817fe3073c6bb43be8274082d09d5c99aeb34cb7ecf670e7316111e23aa9a5ccfc050cbaf4cf13a5 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 107835400bfa835a7eaaf9b5d6cb5918 |
| SHA1 | 114068bdb6cc9d4a5bfbb051910b3e55a6430a41 |
| SHA256 | c28429118f40a400da5beadff5bbf89f72b5c90d5ddfbb3374e72ae2b4fceae4 |
| SHA512 | 1d0d914dd3536e164a28e86e14acf08534baa40ec7021837f3c3e23e103d01d00b3b7e345cd228405590ada121717fe2b0291d39a6f54ff90bbbc490421314c4 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 22:11
Reported
2024-11-14 22:14
Platform
android-x86-arm-20240624-en
Max time kernel
92s
Max time network
137s
Command Line
Signatures
Ajina
Ajina family
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| SE | 46.226.160.5:8080 | tcp | |
| GB | 142.250.200.46:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 5276a38e2c2eb135639987d2a0486e84 |
| SHA1 | 38a08350c707b7f77fd1bb370e83954096c684de |
| SHA256 | 6eefcbb1574779d599607010d03118f29488ac7797d100defd82246d556325df |
| SHA512 | 4358486e00a9cd395d0d27971569660203ae8cef66afccaef95a42cfa3e4abf767799312a7cec6c636bb65f29c338cddd64181845e20e5cf4afafd4bdce9de1b |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 42676295800682a6429a455b2cf56188 |
| SHA1 | d3a45dd1c920c0f481be2a6c2d34ff0a32cdccf5 |
| SHA256 | fb42a139b96ceb95b264d0e572271ff244525e9ca587d4444feb2497ade617a5 |
| SHA512 | 63ab9defd052e8244d968a23f39ad941998c22f0e862fd6378790a552783753d1332898e72ed6bd5eb10da823d027d896a97e285a15ff03a39a62665b47c5e63 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | 01a63051e0867d700b1c8ecd0a6782e5 |
| SHA1 | a9c6d52ddb03d72f730f23050d0c0e659ba0cde1 |
| SHA256 | 9d04567dd0de1ba521eaa6754821b20c22a4b377ffe80394039da228a44279b6 |
| SHA512 | 9bd1fc511069a978390df10fb45863484a45f3fc0d2c5cd3950db04a9d6c3eb26a9b00cd80721e133b123130bd05bf4422ca9edcef8365a54874286ebba25da2 |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 1aba5395edd2493af4e3a788ae2dc80c |
| SHA1 | 4c7066c09f04e34b03eee302de15d093da2508f2 |
| SHA256 | 065405a11130d4108057046b5aa1d71abdb01030a07d89f678109823f0341d2c |
| SHA512 | a98cd4ee55e703c71b079cd6fb3ab7011a1206e980988f8d69696c10dfa8860ce69e7a67de384660a971cc7833e536719bd8d3a19c864b6b938a3b3514dafafe |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 22:11
Reported
2024-11-14 22:13
Platform
android-x64-20240624-en
Max time kernel
97s
Max time network
137s
Command Line
Signatures
Ajina
Ajina family
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Processes
org.zzzz.aaa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| SE | 46.226.160.5:8080 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.201.100:443 | tcp |
Files
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 5276a38e2c2eb135639987d2a0486e84 |
| SHA1 | 38a08350c707b7f77fd1bb370e83954096c684de |
| SHA256 | 6eefcbb1574779d599607010d03118f29488ac7797d100defd82246d556325df |
| SHA512 | 4358486e00a9cd395d0d27971569660203ae8cef66afccaef95a42cfa3e4abf767799312a7cec6c636bb65f29c338cddd64181845e20e5cf4afafd4bdce9de1b |
/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 42948d44cb19300f90d1139956f0d4e0 |
| SHA1 | bdabfa439657c41ceb11874804bd65e1dbb64726 |
| SHA256 | 99c01de9016a4944d456598b20dd427f0b9e70fa3661c338ef6299f4907c0ba7 |
| SHA512 | e0f0755077487774f31de61417ba572e8d6b51d68ca967457d56493d9eff6c1f3063a514da27aa5f22390cc02288621beb5431c6dae1da7417e1af6aaaecc202 |
/data/data/org.zzzz.aaa/files/profileInstalled
| MD5 | ea6f3a12ca79e624387b55d25ce30fc6 |
| SHA1 | a6bf52672aa53747579538083869db82a4e220f6 |
| SHA256 | 8f2429ba920618bdcb8fb43e4d7ad43ee93f9e8a73aa48fca7f422709c514e50 |
| SHA512 | ee4461e36323e63344b00f366f2fa2738f98c85bfe1110d710440eb737fb4fb80503f82435b2f7b0ffadafdb676b2c683049a0298d69bfc6bf71314663b3959d |
/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
| MD5 | 39083359cd0329a762f44b361d854468 |
| SHA1 | 6a47e52e0b4eafcc62778d4ef341e9ca2c810660 |
| SHA256 | fffb8e3eac2454630ec54905e9df4fc723ddec575a4c168947c023ef7113b113 |
| SHA512 | a73bb02d61473c2042c336af596f8e1f46d16dc69902f22bc5c83f8d74412635f16d0dab6ce2b71a717be8ac0bc901c947071235ab8bdb6197d3ce9dabb7e65a |