sova | 923f9740c518cee69d82f77c19944a1976c4d4516b859f519369bff120ff47cd

General

Target

376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Size

4.6MB
MD5

d4c6871dbd078685cb138a499113d280
SHA1

60b64c8481f9de5b92634efc70a9ff42f451c78f
SHA256

376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4
SHA512

e8823b7c73140af88ad6fd8c52a6619d245281170ddb31feb9d4e726ee47a8f34575f687048947272fabfb13dbed2c24f50d6fbd6117d40c1db577305955af59
SSDEEP

98304:M0C+HR25SOeU0lhoBenZFOw2QxW74PNTcG/bZ7vf0sc:jCmtO/07oEOw2QU74PNT9/t7nc

Score

10^/10

sova banker infostealer trojan

Malware Config

Extracted

Family

sova

C2

http://193.42.32.84/

http://193.42.32.87/

Signatures

SOVA_v5 payload 2 IoCs

resource	yara_rule
behavioral1/memory/4177-0.dex	family_sova_v5
behavioral1/memory/4124-0.dex	family_sova_v5

Sova
Android banker first seen in July 2021.
banker trojan infostealer sova

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.help.marine
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.help.marine

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.help.marine

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.help.marine/app_DynamicOptDex/nx.json	4177	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.help.marine/app_DynamicOptDex/nx.json --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/com.help.marine/app_DynamicOptDex/oat/x86/nx.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.help.marine/app_DynamicOptDex/nx.json	4124	com.help.marine

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

com.help.marine
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:4124
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.help.marine/app_DynamicOptDex/nx.json --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/com.help.marine/app_DynamicOptDex/oat/x86/nx.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4177

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.help.marine/app_DynamicOptDex/nx.json

Filesize
2.2MB

MD5
cf9772416a747ac509ec2970cb9c9e74

SHA1
128bcf36307203dbb198d45c3560f30cd63bbd8d

SHA256
6e9478358dbfbefe00e28c9bf85255a8706873479cf8f0746a2246bbbab03c04

SHA512
9f0789d68ba6143d289a066db215a06b64adafa7967bd6915516f12ee416a02cb70bb52dc6cef945ed8965640e8d969093b33c2ce0fc35c480b9cfc57c8da014

Download Submit
/data/user/0/com.help.marine/app_DynamicOptDex/nx.json

Filesize
6.1MB

MD5
6ba5d8b283cb3d7df00d355c9d6cb055

SHA1
4f1a98fc354850f0093f74e0e9a642bcfb259b6e

SHA256
051b52ef6e08ee095ee9f6b3a9de041fb653ab51d9ec9fa638202d1939443c56

SHA512
ba71c02f9b087a0ebed42d4ceb0f01af45a4e1c9a737f5e391ca2958038879df1e732f6c6b55161905514d231942dd5589c32835d1ca7eff38a8385594c467c2

Download Submit
/data/user/0/com.help.marine/app_DynamicOptDex/nx.json

Filesize
6.1MB

MD5
781a5fd150ae010085b1e7ff4501a0f4

SHA1
bfbe600cec76f9f00f02a6f0eca5f4bbd5eb1e71

SHA256
9ae5523ea2a7080ac97ef5443bf4b781f775c67fefaec687e58b5b983caf3146

SHA512
d5dafba7a47802f4312d03557c428e4834d1ca02f0e49f60bb59873ca674deb7be340cb6d0a714295c29894746512869d480da21ab3862eeb27fee9265a98bde

Download Submit
/data/user/0/com.help.marine/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/user/0/com.help.marine/no_backup/androidx.work.workdb-journal

Filesize
524B

MD5
52b1a33506f9db09df5585a6d4bf3774

SHA1
7783afffb29a410b1d0d12d3d778e52636465d6d

SHA256
4a94b4853e2b9188d76af3c613c3ad978d0310abe34881748d792a66d919c245

SHA512
9fd814fb25013af050a0621dafe0d4493d7062972fd52dd6aba246413d95ae312de5b675abcacfb5d800657af4435ae4dbac26e728101e26958c71533ed48f0d

Download Submit
/data/user/0/com.help.marine/no_backup/androidx.work.workdb-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.help.marine/no_backup/androidx.work.workdb-wal

Filesize
197KB

MD5
835dcdd2475f863491329ba907d744a9

SHA1
9cecac1112b49f98f598755672836be8f2142b33

SHA256
bf63d2cdee971dd258068598f3ce264eac7f0f74a76566c08b693f876e2412c6

SHA512
26a51294b72bee6243e0552723f4a1b16754e20721fc8d8bdd8dd20fdc81d330963682696afd0e01c119fd57930c0bc2772b8a43a42074a576f6b9e5c0cd0821

Download Submit
/data/user/0/com.help.marine/shared_prefs/prefs.xml

Filesize
135B

MD5
7736f4ed63020ad4ffc2f5359a7c9d64

SHA1
58116665dafceb7ae0aaee3bc59717a9a5c00cee

SHA256
6fd2c6ee0cc04113fdff44195a45da423aa4643da5653e9220be0fe531c410b8

SHA512
10e555b9ff4baa4dbf8ad8fef7563e4756b194595b7794845ea54856e01745bb8eaeef9a5c67da76174fe1832025c9c0d220b49f839b3702d24f5372716a700c

Download Submit

Analysis

Sharing