sova | 7c805f51ee3b2994e742d73954e51d7c2c24c76455b0b9a1b44d61cb4e280502

Analysis

max time kernel
3676898s
max time network
34s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
05/01/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sova.apk
Size

4.0MB
MD5

74b8956dc35fd8a5eb2f7a5d313e60ca
SHA1

322bfcfc2f2cfcfb759bc61b021a498c1955937b
SHA256

7c805f51ee3b2994e742d73954e51d7c2c24c76455b0b9a1b44d61cb4e280502
SHA512

772e0ae703b9cb3bb62c490366023026845aa80d793211dbc95606795659f88fa58e510ab1fdb129ee01159560ae071312c9de98cbcdbf574b015a791a0960ac
SSDEEP

98304:zQEneeg1QRd7c43GVDssvvO9h9CwfLyEefawrQ:zQEnzg2RD2Vjgfzyzawk

Score

10^/10

sova banker infostealer trojan

Malware Config

Signatures

SOVA_v5 payload 2 IoCs

resource	yara_rule
behavioral1/memory/4448-0.dex	family_sova_v5
behavioral1/memory/4404-0.dex	family_sova_v5

Sova
Android banker first seen in July 2021.
banker trojan infostealer sova

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json	4448	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bean.cousin/app_DynamicOptDex/oat/x86/CtaDwII.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json	4404	com.bean.cousin

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bean.cousin

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ip-api.com
51	ip-api.com
53	ip-api.com
54	ip-api.com
38	ip-api.com
46	ip-api.com
49	ip-api.com
50	ip-api.com
52	ip-api.com
45	ip-api.com
47	ip-api.com

com.bean.cousin
1⤵
- Loads dropped Dex/Jar
- Acquires the wake lock
PID:4404
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bean.cousin/app_DynamicOptDex/oat/x86/CtaDwII.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bean.cousin/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.bean.cousin/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
13aa8fbf672bcdf5cff938279106d883

SHA1
a4fdcbeb8b3261cf6282cbe6922a1177c26ac864

SHA256
c5fa64575f83e80b39c8fab902aedbb6cb1460e56b682795c816f4c38e77556f

SHA512
ce0b5c68870a8b5a0feaa7e406649c60c77e96f250b6fcfe04d6afe5cf682cbdf8e19fe5ee98ef8e2aa66bafebde8ff315a36bee76cb9e7eca5df93260b1db04

Download Submit
/data/data/com.bean.cousin/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
409760295016be11f6fff33a1d518a92

SHA1
5121507d163faa36f24148a1d14339e091c6439f

SHA256
66de365be265e7d3204832300d91e66d818c27df67613db6923b03f407e07fc6

SHA512
a1a4cc53173fbe4eccd1ba8107cf093b997efa92ced24070fa8f26fe4e16d819f646c2f0a6ba26005d5024d7ee5be87ce91991a0081dc1c5f6ecd6a348e975f8

Download Submit
/data/data/com.bean.cousin/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
da38a7ef23c565cabe2c2ea0675895d1

SHA1
d7323a2a8bc2d1cb393d804c5af9807c5b8f3990

SHA256
f4e6ac3da1a16783a14cf5fb26f99f0dbf7742c2cf426f04f4c463ece28c9f78

SHA512
1cc8f273071c5940cec69855eaf04bc93ad7718fdd6d1d5cd3df288766552bad4138a81cf8af820cb3443e9874b50348efefa6369dd746821531772fd3f2df8a

Download Submit
/data/data/com.bean.cousin/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
497cd374f7715afdaf2d23b4a7d35117

SHA1
a23cc4a29bad9d9430a8fd7c08894a4ae2d0305b

SHA256
34a768714995148e17921c4fbe326853d34730f24e585aaa951b8881facbc9ec

SHA512
e8729ae498fdc8de149d028f7e658c753e89cdaa62200d7ed272269374bbad26db5f8fe2c6375734bd6be3e8b53f9c6b6674b928cf8932eadac896e831b048af

Download Submit
/data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json

Filesize
6.0MB

MD5
7650b4c1c441ffaa06c64c9ea181597d

SHA1
02b3192f88802366e32b02db6b491853f0474143

SHA256
6ca21973ebc73fb856040fd1be00603287494bed8fc7849e656ae5ec84689bff

SHA512
df47092217b7c6fe04f49db05d1983990b06f2b441e08895eda86b5ec2319d1eb631f3f2c8518d1f75e68fb344dc2f513e48d51caa59792d23b02e99c10674ea

Download Submit
/data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json

Filesize
6.0MB

MD5
cb83525904c2bff0cb586d662c5fe2b9

SHA1
2d63ff2e85b34006a5517f85deb470ff48734df5

SHA256
acd7234022738f4e8499749de805c474879fea06de0d7ca066483d03e7ef02f5

SHA512
33eced5d3bead49bb238f08bac960044c7359262fdd58ab559cb38c47528859e24f8578e32743ba6a1630ce7e45497c9f99edb0b96c5c8fa6c0a4ca7fb15fd3e

Download Submit