Overview

overview

10

Static

static

6

GossApp.apk

android-10-x64

10

GossApp.apk

android-11-x64

10

GossApp.apk

android-13-x64

10

GossApp.apk

android-9-x86

10

Resubmissions

08-03-2024 06:59

240308-hr38paaa23 10

27-03-2023 09:49

230327-lthxbacg65 10

Analysis

  • max time kernel
    300s
  • max time network
    309s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    08-03-2024 06:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GossApp.apk

  • Size

    4.7MB

  • MD5

    5cee458cb64d9c7a76783b571053adca

  • SHA1

    b89773087c9796b8088cfc4271829dffa156b4bc

  • SHA256

    bcbabb9b07b4d8e4b592dfaf3c8e261b66896134121b576b17f069eaeaeaa01f

  • SHA512

    8ea6bff4e67afc35a52ea5dfdb58cdb2e7dc26073d4ddfd2cc4e9757b1e769e9dca0fc5b43c56325aa54b98655d3dfa4a302e883bc9ffd33135894c8c30647a6

  • SSDEEP

    98304:Gwpw2RmWRq8ePkCcbBfowwD+6Qw+zJgT/gh002GD:G72Rb1eMCc4DiFdKa

Score
10/10
sovabankercollectionevasioninfostealerstealthtrojan

Malware Config

Extracted

Family

sova

C2

http://85.217.144.114

http://85.217.144.115

Signatures

  • SOVA_v5 payload 2 IoCs
  • Sova

    Android banker first seen in July 2021.

    bankertrojaninfostealersova
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • com.pulp.high
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4277
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pulp.high/app_DynamicOptDex/SjP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.pulp.high/app_DynamicOptDex/oat/x86/SjP.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4305

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.pulp.high/app_DynamicOptDex/SjP.json
    Filesize

    2.2MB

    MD5

    3b6bd6be37bf8b85ea8062cbdc5794de

    SHA1

    a1cdc1bfb25bd9b74e29000597f3c9eb5b6beb1f

    SHA256

    c2c885c6181e300e48b63da3087f6d1bf5031f39fc8f519147d25e5f829d5516

    SHA512

    b5b01094fb759c5fdc45737111dd112157a3d47e57974d56db43b134ffab43c175ceb2eb70a35b2dce787a503b06e224a34a5e0271e49d111399b5c345875af8

    Download Submit

  • /data/data/com.pulp.high/app_DynamicOptDex/SjP.json
    Filesize

    2.2MB

    MD5

    17f313ce36446626bdc5ac9d7d12f2c5

    SHA1

    e04f6236b2888dd711f00e2f2a92bce50098e428

    SHA256

    6137ead111797d23124ee7088015d0961c07cb0f15c05b2008fbb417bc522635

    SHA512

    ff7e878391587aab6472ad0b6d239f8716a1f9d20e58301695417aef8752fd77dda5598d57fa1810174fe150eee733d26ff44a121b93bda5e3894263eb536230

    Download Submit

  • /data/data/com.pulp.high/app_DynamicOptDex/oat/SjP.json.cur.prof
    Filesize

    2KB

    MD5

    8ac14dd52374163834cf746b414729a1

    SHA1

    f66af2d6223351617cfe5b390c05f92fd960ca52

    SHA256

    b917fd3674ea3c2cc88ca38d83434a44731132b808f448a524729171314414bc

    SHA512

    a58af52ac39552b18bf046ce3d9181463bf6dfd0750c3b9eed9da8c98e22fc9c154f6a66e004a8f4e526429898745a369d25179bc1bc6e68b35c1f55379a2eaf

    Download Submit

  • /data/data/com.pulp.high/app_DynamicOptDex/oat/SjP.json.cur.prof
    Filesize

    2KB

    MD5

    f1cd9c2b6d2895b5dcbf6cd41716666b

    SHA1

    810b9333d2a8f5da2fc601905359b3bef3af1a20

    SHA256

    908e3d3f3b042cdff12d25367ac81d39cea0f1aabf40fd9b739ecd8855559991

    SHA512

    9afe05f9c6d8bfa53fa4256ecca2f455b748c48e9dfaf76c464de78323691408930b5a32ed61a982c12f72896930110be29c33df6002c4b5f0dddaa5a97e27ca

    Download Submit

  • /data/data/com.pulp.high/app_DynamicOptDex/oat/SjP.json.cur.prof
    Filesize

    2KB

    MD5

    0727065f808bb0dbf7f189f4d998adf9

    SHA1

    c8daad8a517b3beb4f5649893b01abcbde9fb1cd

    SHA256

    814577a798314ca3a9ea338ba9f0571a1a53b22833db197a9c2f5ff297648446

    SHA512

    0e098b1362bfe2fa647dd4f0bcf551ebe530ec05fe541c1e79f814a03238577cc991206031e9fe792c98bd2f4d85e62d57666a328281739a6a458cd1ee718420

    Download Submit

  • /data/data/com.pulp.high/app_DynamicOptDex/oat/SjP.json.cur.prof
    Filesize

    2KB

    MD5

    c62b52204f642dfe65cbcb041ce06078

    SHA1

    3518d6a8649a1b9584ad5848aababb41974250bc

    SHA256

    cb699e099828802d598696e2f66a782a443aebbbc4c204dd8bf72e54474a3c44

    SHA512

    e0488e6207b8b49c2181fa03c9e47b7c33ccf309158f5e5281fe8d6a41912f03e20d897889cf1699b65fcf9132749a5fb99f0ab1bad98ea5371db9969c5ce070

    Download Submit

  • /data/data/com.pulp.high/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.pulp.high/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    c5d953e413eb65877b73768a06c5e38b

    SHA1

    d68c488aaf56573142a626ce95dc069fa9b87329

    SHA256

    7807160ae3ab2e5ecc19dafe4a6e4adc0d26734a701ebf4cb528434fb6781434

    SHA512

    556cb2846e87fa8ef040e43c8c9a5f89ae9b40f4dae46ebc6e8efb8aa7fd6dea5a995a1076c8c9886dffc5b31e2c260c75f1953f720d9c8796a604cb101f2c45

    Download Submit

  • /data/data/com.pulp.high/no_backup/androidx.work.workdb-shm
    Filesize

    28KB

    MD5

    cf845a781c107ec1346e849c9dd1b7e8

    SHA1

    b44ccc7f7d519352422e59ee8b0bdbac881768a7

    SHA256

    18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

    SHA512

    4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

    Download Submit

  • /data/data/com.pulp.high/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    bca9d32e534a928fb96bad932e692fa8

    SHA1

    316d53a8cdd2101ff0c608b9c59a13b915c66f46

    SHA256

    7eb3640af7f07ffb61067da674f8973ba187dd8a0c70aad5efa766e6181b3d23

    SHA512

    2405603d119e65cfa0b34e67af52aea4a303875c7fda3d966968602bc7e0e9dad38b89eb6f989d39e51c60b8a2d34eaed121c6d516c8e05bc169478f12677257

    Download Submit

  • /data/data/com.pulp.high/no_backup/androidx.work.workdb-wal
    Filesize

    156KB

    MD5

    2dd2b57991f5fad22cc52187085717c8

    SHA1

    e8d6a2432f22b94b0888ce417210eeb87c44c362

    SHA256

    c24e993197067c004f7686c70b039daef5083a2061b96df1ff9728c14a32827a

    SHA512

    cbbb9e20857b3420c2c403440739de3ae078168d2b06aa8d4099061c5da6a11ed9f90497ce3d6f66af3e4598c7a4debde3044a3b82df02dee9153d65b0d85d15

    Download Submit

  • /data/data/com.pulp.high/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    811717eb2e81d3c4431c872424e1830f

    SHA1

    b2126c7745e4de9300fad3d8ad96a1eeb080db1d

    SHA256

    bb6498eb7892400c84b0e2101a0c68e976bff66c667f0de6cda82fedd7584b12

    SHA512

    777132595d957d521e56fc1c7af8e925c8430b8d3956dc774cc19933f2c80cbb41efc31886b95a9d00e1f1369e681783cdb0e9ec0189313250d955217e84ec6f

    Download Submit

  • /data/user/0/com.pulp.high/app_DynamicOptDex/SjP.json
    Filesize

    6.1MB

    MD5

    7abdd291fd926bcfca1dbfbe9e6d2809

    SHA1

    776883386dde6515f84bae2a221a89c91b5ffc7e

    SHA256

    009e048ee999b81d70156045b122927ee4f78d2d408f60eaf0d43b674d026d2b

    SHA512

    340a19bb6ccc9b39df85663a483430d61ef904d6ff4b5790b7234c23a66b4695fdfbba3daf0d3895643cc72eb0af2f024f4d435020986b22ab65acf032a04e81

    Download Submit

  • /data/user/0/com.pulp.high/app_DynamicOptDex/SjP.json
    Filesize

    5.3MB

    MD5

    134396a8b1e9ecb3dfec1798ab6a3f44

    SHA1

    1c59c9d5a69ca01630bb34951b3875c37d86c789

    SHA256

    a2d1bdccde35c5bf837cd0ecd37e4b420934286ac8071d4c7c1d7086049ddb07

    SHA512

    8936845a4de6326bffbc777f00c4543ed344652f55a3522c57d3e180d51f0b69a1315ddaca72321c903910b07b6d8d538456eda014fa0fd9d0d64afe06d6de96

    Download Submit