Resubmissions
Submitted          ID                 Score
24-04-2024 11:50   240424-nzl72ahe3w  10
12-04-2024 13:59   240412-ravpnaah86  10
28-02-2024 13:25   240228-qnw9zacf2t  8
28-02-2024 12:56   240228-p6fjhacb22  10
19-02-2024 08:01   240219-jw15kaba7y  10
03-01-2024 08:46   240103-kpajpscdcp  10
Analysis
max time kernel: 3464586s
max time network: 41s
platform: android_x86
resource: android-x86-arm-20231215-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
submitted: 03-01-2024 08:46
Static task: static1
Behavioral task: behavioral1 (Sample: sova.apk, Resource: android-x86-arm-20231215-en)
Behavioral task: behavioral2 (Sample: sova.apk, Resource: android-x64-20231215-en)
General
Target: sova.apk
Size: 569KB
MD5: 01b6f0220794476fe19a54c049600ab3
SHA1: eb9dfde47a393bca666e947f285f16c20baf6c32
SHA256: 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57
SHA512: ac3031a6dbc5bb0d1e609979336487f14efe58f8e87480e5ef7f79c2abae56977ca444bbb5bbc7970d9c416f9c754b9fedf2bdef3b7b311c2e95e07350f9c892
SSDEEP: 12288:C89uYjYV1jiNQ7l5DFQo2d8GmEFDipRdWp8+iZiZ5t:9jYniCF6d8iiXg825t
Malware Config
Signatures
Sova
Android banker first seen in July 2021.

Makes use of the framework's Accessibility service (2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
IoCs (process com.adobe.flashplayer):
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Processes:
- com.adobe.flashplayer (pid 4254)

Acquires the wake lock (1 IoC)
Holding a wake lock keeps the CPU awake so the process keeps running while the screen is off.
IoCs (process com.adobe.flashplayer):
- Framework service call android.os.IPowerManager.acquireWakeLock

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
IoCs:
- flow 6: api.ipify.org
- flow 7: api.ipify.org

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 IoC)
IoCs (process com.adobe.flashplayer):
- Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
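As an added example (not part of the sandbox report and not the sandbox's own signature engine), the Python below re-implements the four behavioural signatures above as prefix rules over a constructed stream of sandbox events, counts IoCs per process the way the report does, and flags a process when screen reading through AccessibilityService co-occurs with a persistence technique (wake lock or battery-optimisation exemption). It also checks a file's bytes against the report's MD5/SHA1/SHA256 so a sample on disk can be tied to this analysis. The event schema, rule names, sample events and the verdict logic are assumptions; the hash values and IoC strings are taken from the report.

```python
import hashlib
from collections import defaultdict

# Hashes copied from the General section of the report.
REPORT_HASHES = {
    "md5": "01b6f0220794476fe19a54c049600ab3",
    "sha1": "eb9dfde47a393bca666e947f285f16c20baf6c32",
    "sha256": "8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57",
}

# Assumed rule table: name -> (event kind, value prefix). Kinds and names are
# this example's own, not the sandbox's signature identifiers.
RULES = {
    "accessibility_screen_read": (
        "service_call",
        "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfo",
    ),
    "wake_lock": ("service_call", "android.os.IPowerManager.acquireWakeLock"),
    "external_ip_lookup": ("dns", "api.ipify.org"),
    "battery_optimisation_exemption": (
        "intent",
        "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    ),
}

# Constructed sample events modelled on the report's IoCs (not real sandbox output),
# plus one benign event from another app to show the rules do not over-match.
SAMPLE_EVENTS = [
    {"process": "com.adobe.flashplayer", "pid": 4254, "kind": "service_call",
     "value": "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText"},
    {"process": "com.adobe.flashplayer", "pid": 4254, "kind": "service_call",
     "value": "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId"},
    {"process": "com.adobe.flashplayer", "pid": 4254, "kind": "service_call",
     "value": "android.os.IPowerManager.acquireWakeLock"},
    {"process": "com.adobe.flashplayer", "pid": 4254, "kind": "dns", "flow": 6,
     "value": "api.ipify.org"},
    {"process": "com.adobe.flashplayer", "pid": 4254, "kind": "dns", "flow": 7,
     "value": "api.ipify.org"},
    {"process": "com.adobe.flashplayer", "pid": 4254, "kind": "intent",
     "value": "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    {"process": "com.android.chrome", "pid": 3001, "kind": "dns", "flow": 8,
     "value": "www.google.com"},
]


def check_hashes(data: bytes) -> dict:
    """Return {algorithm: bool} telling whether `data` hashes to the report's values."""
    return {algo: hashlib.new(algo, data).hexdigest() == expected
            for algo, expected in REPORT_HASHES.items()}


def match_events(events):
    """Map process -> rule name -> list of matching events (one entry per IoC)."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for rule, (kind, prefix) in RULES.items():
            if ev["kind"] == kind and ev["value"].startswith(prefix):
                hits[ev["process"]][rule].append(ev)
    # Convert nested defaultdicts to plain dicts so absent keys stay absent.
    return {proc: dict(rules) for proc, rules in hits.items()}


def suspicious_processes(events):
    """Flag processes that read the screen via AccessibilityService and also try to
    stay resident (wake lock or battery-optimisation exemption)."""
    persistence = {"wake_lock", "battery_optimisation_exemption"}
    flagged = []
    for proc, rules in match_events(events).items():
        if "accessibility_screen_read" in rules and persistence & rules.keys():
            flagged.append(proc)
    return flagged


if __name__ == "__main__":
    for proc, rules in match_events(SAMPLE_EVENTS).items():
        for rule, iocs in rules.items():
            print(f"{proc}: {rule} ({len(iocs)} IoCs)")
    print("flagged:", suspicious_processes(SAMPLE_EVENTS))
```

The prefix on the accessibility rule deliberately covers both findAccessibilityNodeInfosByText and findAccessibilityNodeInfoByAccessibilityId, which is why the report-style count comes out at 2 IoCs for that signature; the two api.ipify.org flows likewise count separately. Requiring a persistence hit alongside screen reading keeps a legitimate accessibility tool from being flagged on the accessibility rule alone.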