Overview

overview

10

Static

static

6

376d13affc...a4.apk

android-10-x64

10

376d13affc...a4.apk

android-11-x64

10

376d13affc...a4.apk

android-13-x64

10

376d13affc...a4.apk

android-9-x86

10

Resubmissions

08-04-2024 12:28

240408-pnlb2acd6t 10

08-03-2024 09:07

240308-k3bc6abc69 10

23-03-2023 01:50

230323-b89y8scg82 10

Analysis

  • max time kernel
    100s
  • max time network
    128s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    08-03-2024 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk

  • Size

    4.6MB

  • MD5

    d4c6871dbd078685cb138a499113d280

  • SHA1

    60b64c8481f9de5b92634efc70a9ff42f451c78f

  • SHA256

    376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4

  • SHA512

    e8823b7c73140af88ad6fd8c52a6619d245281170ddb31feb9d4e726ee47a8f34575f687048947272fabfb13dbed2c24f50d6fbd6117d40c1db577305955af59

  • SSDEEP

    98304:M0C+HR25SOeU0lhoBenZFOw2QxW74PNTcG/bZ7vf0sc:jCmtO/07oEOw2QU74PNT9/t7nc

Score
10/10
sovabankercollectionevasioninfostealerstealthtrojan

Malware Config

Extracted

Family

sova

C2

http://193.42.32.84/

http://193.42.32.87/

Signatures

  • SOVA_v5 payload 2 IoCs
  • Sova

    Android banker first seen in July 2021.

    bankertrojaninfostealersova
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • com.help.marine
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4288
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.help.marine/app_DynamicOptDex/nx.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.help.marine/app_DynamicOptDex/oat/x86/nx.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4346

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.help.marine/app_DynamicOptDex/nx.json
    Filesize

    1.2MB

    MD5

    fb022f45fc63455ecc1d53ce277a1199

    SHA1

    f4373d0a637e280dcd5c220754b4d483e2fbeca9

    SHA256

    c3815866e0d21bcc90c03e26b374e8150c32b75b38ac8c5ccdec6a2fd808998d

    SHA512

    29bf2549a23313821b474e0f229ea17467b1144893065868550c6c30cee4a2c897a4db7a9a549da2ec1bbe6eac29d0bf79ce31cfa47a582388709aa0918e6327

    Download Submit

  • /data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof
    Filesize

    2KB

    MD5

    618e2b8623d9728899b5348b6d9e1817

    SHA1

    864e7ae0aa6128982e8aa94ec2e958a576551240

    SHA256

    159150fc8282c45cfd4a5187fc229d0c7ce614098815f2266ea47ca4c6fd62da

    SHA512

    49a23128b19f8558fbfcb4f155af35679f98199ace609d1f2a4f5558ea274ab784f99330cdb83d65936f80d99ec4e0e001c1eebd9cddf1c3c478dc664d803470

    Download Submit

  • /data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof
    Filesize

    2KB

    MD5

    a928a74235774cfdf3496eaeda6181a3

    SHA1

    76af2410da25c22ab9372ab8e6430d7acd9d2ac7

    SHA256

    1764f716ecd3f4c6ffcf34cde42074c7170b97fa186244f9331a42556c8bdba2

    SHA512

    d825d6d20b4660c1457bc6f565a41ffdd00946b4ea69652b951c3175d10fe8a5ced3a98bec492b88ed9975078be9f9919ef1ef6f1cbfec4db4a4378eab469ba6

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    e5ccf9bdd93f08818aad03b042f5af63

    SHA1

    0ae7b749f6a4f033f9984d5f96f71c65f30774ec

    SHA256

    8abb5b1a392d1489ae2c98b3fa4947ba7b143a9ac1cf49ebc498226923814c3e

    SHA512

    52419309d8c8928b70eacee91404fbf1ee2d46f0fcf9eb76a9e6842b70bba04ad6d2e37089db72528f1ddb8d782fef5184665fa4b1cb211c7f81277e63ef8f55

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    02e2b7c048da1719b6487116081ce062

    SHA1

    87a3484a019e1cbbc7aca7764ddba1196c4e5590

    SHA256

    6db37e2e770f81ddd17e7a41e79de3b8e17b219d67f18cd4280546ff77963f1f

    SHA512

    1fe983362928f98bc53cf143908b91414f0fc33bb786a956ccf5477f41c07f06c86d896a61c8b090f18393e268885f88551974e970ef9f27f837529cde0fdb31

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb-wal
    Filesize

    148KB

    MD5

    a327f1dfe66d001a20a93cb8409b28ec

    SHA1

    a1315c7c0a3b8338e2f69923d88c69ea3f7efb86

    SHA256

    f2ba226f16893ed010bdd232485b603f24e2c3397e968d7743e99615e06aca09

    SHA512

    269fa82c2c2b0653534a1710e524421797d737f53df413ca744beb69ed446da880c75eda2c0d3f5ef41ac994a74e61fe068960f3508a64be515e5e6747ceb3af

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    4bc164dae625baf0de8fec853c7c9177

    SHA1

    f0f890d9bee5d5bc670ee63716a411f6981533da

    SHA256

    6ce7d80d16a6ecbf4f3a05bc07c1b4d8873b2a8d4e9a6f8557fe9c70202af131

    SHA512

    312cc296ededde383ff9ea41236935e8a6bf39abba0c6e52cc7419ba8dc08c1c1355f49898f5c05829d14ae3aa66c3a26024d0cf3c0c46a03d2fedb2def1614c

    Download Submit

  • /data/user/0/com.help.marine/app_DynamicOptDex/nx.json
    Filesize

    6.1MB

    MD5

    6ba5d8b283cb3d7df00d355c9d6cb055

    SHA1

    4f1a98fc354850f0093f74e0e9a642bcfb259b6e

    SHA256

    051b52ef6e08ee095ee9f6b3a9de041fb653ab51d9ec9fa638202d1939443c56

    SHA512

    ba71c02f9b087a0ebed42d4ceb0f01af45a4e1c9a737f5e391ca2958038879df1e732f6c6b55161905514d231942dd5589c32835d1ca7eff38a8385594c467c2

    Download Submit

  • /data/user/0/com.help.marine/app_DynamicOptDex/nx.json
    Filesize

    4.5MB

    MD5

    748ad5765a6a3fc265ce3048037511a4

    SHA1

    a4ab9afb6cfa52683864771f3cfd7acde27f7cd4

    SHA256

    a1974a882bbaad3510746be4e3ea50710d096010940bab2c4eb99c42187aa7ec

    SHA512

    5599aaf61a85fd1cefba64a462cbe2bd210f62648affb8ef742325f1035ce0814bf2d0e03b70062db3ab3db624d3ef3fc87a075eeaf6fefb4f0e9e7ada3f755a

    Download Submit