sova | b2e592c5cf8ccc944c06a11ff156efdfa4233fe46e2281bab3fd238f03b505e3

Resubmissions

06-10-2022 16:35

221006-t3rjtaabhq 10

29-09-2021 15:14

210929-smfa6sfbg7 8

29-09-2021 15:11

210929-sk47hsfbg5 8

Analysis

max time kernel
2921804s
max time network
32s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
06-10-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2e592c5cf8ccc944c06a11ff156efdfa4233fe46e2281bab3fd238f03b505e3 (1).apk
Size

6.8MB
MD5

b1101bb941285fc54a21c271ee7bf60e
SHA1

e883525faf27f91493f17a657577289be038cd64
SHA256

b2e592c5cf8ccc944c06a11ff156efdfa4233fe46e2281bab3fd238f03b505e3
SHA512

c6368129febea4c32145c3f941590afdea9370ceb4ea10d7920125da8807bd733cc27b70d248750afffad832012a5bc2131e08717af1e89a30d1a74539efe881
SSDEEP

196608:1afUNP3J+obzYV6zNRxxdXBoWu3FGw0IMweI5Q/Dt7Xo3Ub:gcNvJ+LwRPxdxoNAw0IMCU78Ub

Score

10^/10

sova banker evasion infostealer trojan

Malware Config

Signatures

SOVA_v3 payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4406-0.dex	family_sova_v3

Sova
Android banker first seen in July 2021.
banker trojan infostealer sova

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.faax.kcnbvlo.dtojtuo

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.faax.kcnbvlo.dtojtuo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.faax.kcnbvlo.dtojtuo

Acquires the wake lock. 1 IoCs

Processes:

com.faax.kcnbvlo.dtojtuo

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.faax.kcnbvlo.dtojtuo

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.faax.kcnbvlo.dtojtuo

ioc	pid	Process
/data/user/0/com.faax.kcnbvlo.dtojtuo/code_cache/secondary-dexes/base.apk.classes1.zip	4406	com.faax.kcnbvlo.dtojtuo
/data/user/0/com.faax.kcnbvlo.dtojtuo/code_cache/secondary-dexes/base.apk.classes2.zip	4406	com.faax.kcnbvlo.dtojtuo

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
56	ip-api.com

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

Processes:

com.faax.kcnbvlo.dtojtuo

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.faax.kcnbvlo.dtojtuo

com.faax.kcnbvlo.dtojtuo
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4406

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.faax.kcnbvlo.dtojtuo/code_cache/secondary-dexes/MultiDex.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.faax.kcnbvlo.dtojtuo/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
638KB

MD5
165f5a75a92503a0a5162be087516215

SHA1
bfbf5c54195b2b3689fd830904a53095f29601c3

SHA256
b768505db146d767d5bda612b571aae893f6be86935138216bea5c8dca2e6380

SHA512
90421eb1b6d91a6d4195bd52815fcb0b7e138e58f33aa142876570680b83eb1792965d8c9223808f52fe0b0c3e793fd64d4c92f3b9a45a3ec8bf9596bbb2a83e

Download Submit
/data/user/0/com.faax.kcnbvlo.dtojtuo/code_cache/secondary-dexes/base.apk.classes2.zip

Filesize
9.6MB

MD5
3b55d53283d52b2ac766a0fe0f660ba9

SHA1
a28298da0c0e4da3bc81a718878827329e8db167

SHA256
ac136409fc101cb64871eb78afd19c7b9e81e160c81d1f8ad818c7b50dc04c8c

SHA512
5e8e9f4fd7fe25e7562a99afe9b71fd8d610f35c46d87c9516409917cca227cec7281c0c629338595aac38eb5bad7bafad580049515dfb560bbf2207837c1a85

Download Submit
/data/user/0/com.faax.kcnbvlo.dtojtuo/code_cache/secondary-dexes/tmp-base.apk.classes1925436671186161862.zip

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.faax.kcnbvlo.dtojtuo/code_cache/secondary-dexes/tmp-base.apk.classes5989633002572480963.zip

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit