Analysis
-
max time kernel
300s -
max time network
310s -
platform
android_x64 -
resource
android-33-x64-arm64-20240229-en -
resource tags
-
submitted
08-03-2024 06:59
General
-
Target
GossApp.apk
-
Size
4.7MB
-
MD5
5cee458cb64d9c7a76783b571053adca
-
SHA1
b89773087c9796b8088cfc4271829dffa156b4bc
-
SHA256
bcbabb9b07b4d8e4b592dfaf3c8e261b66896134121b576b17f069eaeaeaa01f
-
SHA512
8ea6bff4e67afc35a52ea5dfdb58cdb2e7dc26073d4ddfd2cc4e9757b1e769e9dca0fc5b43c56325aa54b98655d3dfa4a302e883bc9ffd33135894c8c30647a6
-
SSDEEP
98304:Gwpw2RmWRq8ePkCcbBfowwD+6Qw+zJgT/gh002GD:G72Rb1eMCc4DiFdKa
Malware Config
Extracted
sova
http://85.217.144.114
http://85.217.144.115
Signatures
-
SOVA_v5 payload 1 IoCs
-
Sova
Android banker first seen in July 2021.
-
Makes use of the framework's Accessibility service 2 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
Processes
-
com.pulp.high1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Reads the contacts stored on the device.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.pulp.high/app_DynamicOptDex/SjP.jsonFilesize
1.9MB
MD5fa38f343e0e1accbbae962536353d7ab
SHA1c3ae14aa9ce3fd637e22d326e3126313d7f383ab
SHA2565a39f979d2f10622139e271908f474fc750a5ca548b1ecc50a020c27ff6dc4c2
SHA51240253b5f640de3df595d085bf59cedc61eca13b3532d595c48f1bc8cf92beab6471c301e2d8ecd5e7282dff887dfdd6d7facaddcce1f2c11af7f380bc918b066
-
/data/data/com.pulp.high/app_DynamicOptDex/SjP.jsonFilesize
2.2MB
MD517f313ce36446626bdc5ac9d7d12f2c5
SHA1e04f6236b2888dd711f00e2f2a92bce50098e428
SHA2566137ead111797d23124ee7088015d0961c07cb0f15c05b2008fbb417bc522635
SHA512ff7e878391587aab6472ad0b6d239f8716a1f9d20e58301695417aef8752fd77dda5598d57fa1810174fe150eee733d26ff44a121b93bda5e3894263eb536230
-
/data/data/com.pulp.high/app_DynamicOptDex/oat/SjP.json.cur.profFilesize
4KB
MD5dd14bffa9f76541e268205835f958528
SHA1d8e72608779ee9df4439ef7c93fdc308f31b55b7
SHA256ef3e75002e55f9e96f0ea692a8c789f26ad75a407fed60f737a8bdc63bc7136f
SHA5123028dc59aaabf67793fe457186ba431c2efb357211966a481b442d49bb770ee77e5ea0495c7063d747bc3f8ecc271801eeb4b65920719a166e637dc7200bd798
-
/data/data/com.pulp.high/app_DynamicOptDex/oat/x86_64/SjP.vdexFilesize
113KB
MD580924678d4e2b170af20d1e3600d074b
SHA185c116fce36ac73cd8034b3889f504dcff44f876
SHA256a28c4d459271d70240a85dbf22ab58b89dec753ab3605fc7d1cbfa66b7ac11f0
SHA5128a88c5875a7cad9a2cd534206b9a25f3476dba9edb1f418697c6c68c7b33ecff84527a9bada254a2c0f4b85b32d03fba0a51e49dc3eae2b7ccd2fe120fa696da
-
/data/data/com.pulp.high/no_backup/androidx.work.workdbFilesize
4KB
MD50eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1fee434f784e73cc7916322e949f727caf8363102
SHA256b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8
-
/data/data/com.pulp.high/no_backup/androidx.work.workdb-journalFilesize
512B
MD57beb62c70b8573b9a8092e17da5f4485
SHA1aac68f757afafd5b88b792f8a4b16d0eb1afa417
SHA25603b5c6a8e9e6c160538c5cd703139e8ce43ef7b5c1c10ef6e670f4a95f7eae82
SHA512644ecec8ce7621d1c57534177344db18ffeb569336e4621ec08e56f46066b92879205c90123caa059473768e6f59c2c6d5ad652b3724ba1727389cb1cf75d51c
-
/data/data/com.pulp.high/no_backup/androidx.work.workdb-shmFilesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/data/com.pulp.high/no_backup/androidx.work.workdb-walFilesize
16KB
MD56262f5d94047d62cd7e7fd99c2968ee6
SHA16488ccbccabda657bb68627032542cd640abeab8
SHA2562cfc3f772065ad36d6d93edcb6c7f49835fa0f6b4d760130539384bf992f7144
SHA512e8d3e970e6b14ce09f797c2bfa16dd0fa49b37a01f55d8c30e7fbce2246f0370c7622a85a7de2638821149e00f8a02818c9a28621efae4da45c704cca8c958cb
-
/data/user/0/com.pulp.high/app_DynamicOptDex/SjP.jsonFilesize
6.1MB
MD5282078461929bd3e1a32d5d7b822c737
SHA161b8e90dec9e53b195de009ee21a3fef29b2ed64
SHA2566832e8722db811e07879b8bba0d608017745d67a0174be5fd8506b030efc1a07
SHA512c973cd5127a29f5dfae57d58180c7391031487870d16be4f772e5489edb5c5dff2a9e13247b59bbc2b2c9d1a749dbee470db300c8d6b01791ecef1a6ed8114c3