Resubmissions
08-04-2024 12:28  240408-pnlb2acd6t  10
08-03-2024 09:07  240308-k3bc6abc69  10
23-03-2023 01:50  230323-b89y8scg82  10

Analysis
max time kernel: 64s
max time network: 139s
platform: android_x64
resource: android-33-x64-arm64-20240229-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240229-en, locale:en-us, os:android-13-x64, system
submitted: 08-03-2024 09:07
Static task: static1

Behavioral task: behavioral1
Sample: 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Resource: android-x64-20240221-en

Behavioral task: behavioral2
Sample: 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Resource: android-x64-arm64-20240221-en

Behavioral task: behavioral3
Sample: 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Resource: android-33-x64-arm64-20240229-en

Behavioral task: behavioral4
Sample: 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Resource: android-x86-arm-20240221-en
General
Target: 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Size: 4.6MB
MD5: d4c6871dbd078685cb138a499113d280
SHA1: 60b64c8481f9de5b92634efc70a9ff42f451c78f
SHA256: 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4
SHA512: e8823b7c73140af88ad6fd8c52a6619d245281170ddb31feb9d4e726ee47a8f34575f687048947272fabfb13dbed2c24f50d6fbd6117d40c1db577305955af59
SSDEEP: 98304:M0C+HR25SOeU0lhoBenZFOw2QxW74PNTcG/bZ7vf0sc:jCmtO/07oEOw2QU74PNT9/t7nc
Malware Config
Extracted: sova
C2: http://193.42.32.84/
C2: http://193.42.32.87/
Signatures

SOVA_v5 payload (1 IoC)
resource: behavioral3/memory/4288-0.dex
yara_rule: family_sova_v5

Sova
Android banker first seen in July 2021.

Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
process: com.help.marine
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
process: com.help.marine

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.help.marine/app_DynamicOptDex/nx.json
pid: 4288
process: com.help.marine

Reads the contacts stored on the device (1 TTP, 1 IoC)
description: URI accessed for read
ioc: content://com.android.contacts/contacts
process: com.help.marine

Acquires the wake lock (1 IoC)
description: Framework service call
ioc: android.os.IPowerManager.acquireWakeLock
process: com.help.marine

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 23
ioc: ip-api.com

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 IoC)
description: Intent action
ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
process: com.help.marine
Downloads