8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57

Resubmissions

24-04-2024 11:50

240424-nzl72ahe3w 10

12-04-2024 13:59

28-02-2024 13:25

28-02-2024 12:56

19-02-2024 08:01

03-01-2024 08:46

Analysis

max time kernel
274s
max time network
307s
platform
android_x64
resource
android-33-x64-arm64-20240229-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240229-enlocale:en-usos:android-13-x64system
submitted
12-04-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sova.apk
Size

569KB
MD5

01b6f0220794476fe19a54c049600ab3
SHA1

eb9dfde47a393bca666e947f285f16c20baf6c32
SHA256

8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57
SHA512

ac3031a6dbc5bb0d1e609979336487f14efe58f8e87480e5ef7f79c2abae56977ca444bbb5bbc7970d9c416f9c754b9fedf2bdef3b7b311c2e95e07350f9c892
SSDEEP

12288:C89uYjYV1jiNQ7l5DFQo2d8GmEFDipRdWp8+iZiZ5t:9jYniCF6d8iiXg825t

Score

8^/10

banker collection discovery evasion

Malware Config

Signatures

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

T1516

T1513

Processes:

com.adobe.flashplayer

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.adobe.flashplayer
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.adobe.flashplayer

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.adobe.flashplayer

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.adobe.flashplayer
Acquires the wake lock 1 IoCs

Processes:

com.adobe.flashplayer

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.adobe.flashplayer
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.ipify.org
40 api.ipify.org
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

com.adobe.flashplayer

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.adobe.flashplayer

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.adobe.flashplayer

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.adobe.flashplayer

flow	ioc
26	api.ipify.org
40	api.ipify.org

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.adobe.flashplayer

com.adobe.flashplayer
1⤵
- Makes use of the framework's Accessibility service
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4301

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads