Malware Analysis Report

2024-12-07 03:19

Sample ID: 241119-rwbtnsxbpe
Target: 91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86.bin
SHA256: 91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86
Tags: collection credential_access evasion ajina
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86

Threat Level: Known bad

The file 91135fdeeab900ad00302f025096741e3fbfe3e5ba2aee57c7d513564ff24d86.bin was found to be: Known bad.

Malicious Activity Summary

collection credential_access evasion ajina

Ajina family

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Analysis: static1

Detonation Overview

Reported: 2024-11-19 14:32

Signatures

Ajina family

Tags: ajina

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-19 14:32
Reported: 2024-11-19 14:35
Platform: android-x64-20240624-en
Max time kernel: 93s
Max time network: 155s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
SE 46.226.160.5:8080 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-19 14:32
Reported: 2024-11-19 14:35
Platform: android-x64-arm64-20240624-en
Max time kernel: 93s
Max time network: 133s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
SE 46.226.160.5:8080 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-19 14:32
Reported: 2024-11-19 14:35
Platform: android-33-x64-arm64-20240624-en
Max time kernel: 130s
Max time network: 133s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
N/A 224.0.0.251:5353 udp
SE 46.226.160.5:8080 tcp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 142.250.178.3:443 tcp
US 172.64.41.3:443 udp
GB 142.250.178.3:443 udp
GB 216.58.201.100:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
GB 216.58.201.100:443 udp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-19 14:32
Reported: 2024-11-19 14:35
Platform: android-x86-arm-20240624-en
Max time kernel: 93s
Max time network: 132s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
SE 46.226.160.5:8080 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
