Analysis

Max time kernel: 301s
Max time network: 312s
Platform: android_x64
Resource: android-x64-arm64-20240221-en
Resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
Submitted: 08-03-2024 06:59
Static task: static1

Behavioral task: behavioral1
  Sample: GossApp.apk
  Resource: android-x64-20240221-en

Behavioral task: behavioral2
  Sample: GossApp.apk
  Resource: android-x64-arm64-20240221-en

Behavioral task: behavioral3
  Sample: GossApp.apk
  Resource: android-33-x64-arm64-20240229-en

Behavioral task: behavioral4
  Sample: GossApp.apk
  Resource: android-x86-arm-20240221-en
General

Target: GossApp.apk
Size: 4.7MB
MD5: 5cee458cb64d9c7a76783b571053adca
SHA1: b89773087c9796b8088cfc4271829dffa156b4bc
SHA256: bcbabb9b07b4d8e4b592dfaf3c8e261b66896134121b576b17f069eaeaeaa01f
SHA512: 8ea6bff4e67afc35a52ea5dfdb58cdb2e7dc26073d4ddfd2cc4e9757b1e769e9dca0fc5b43c56325aa54b98655d3dfa4a302e883bc9ffd33135894c8c30647a6
SSDEEP: 98304:Gwpw2RmWRq8ePkCcbBfowwD+6Qw+zJgT/gh002GD:G72Rb1eMCc4DiFdKa
Malware Config

Extracted family: sova
  http://85.217.144.114
  http://85.217.144.115
Signatures

SOVA_v5 payload (1 IoC)
  resource: behavioral2/memory/4462-0.dex, yara_rule: family_sova_v5

Sova
  Android banker first seen in July 2021.

Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: com.pulp.high)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (process: com.pulp.high)

Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.pulp.high/app_DynamicOptDex/SjP.json (pid: 4462, process: com.pulp.high)

Reads the contacts stored on the device. (1 TTP, 1 IoC)
  URI accessed for read: content://com.android.contacts/contacts (process: com.pulp.high)

Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock (process: com.pulp.high)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 29: ip-api.com

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 IoC)
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (process: com.pulp.high)
Downloads