7c75278cde374bd26e36a893db24ecdfec8320145d94df56a93e5cd535422395 | Triage

Analysis

max time kernel
4022172s
max time network
157s
platform
android_x86_64
resource
android-x86_64_arm64
submitted
20-04-2021 14:41

Sharing

Report Analysis Logs

General

Target

7c75278cde374bd26e36a893db24ecdfec8320145d94df56a93e5cd535422395.apk
Size

3.3MB
MD5

41314ab620474f7b26e21a406fb37844
SHA1

462f4e0bb338a869536f244aab58c26cce5880af
SHA256

7c75278cde374bd26e36a893db24ecdfec8320145d94df56a93e5cd535422395
SHA512

642893067364d16b3906fdd166d86b879026f6e5af991cac93442df394caa92e8b4dea9dbf73116039b1c98598c8f219af16c4269728f1016673295f6a3d4130

Score

10^/10

obfuscation stealth trojan

Malware Config

Extracted

ARC4_key

Signatures

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.ledinstaandroidpost.android.ledanti

pid process

4129 com.ledinstaandroidpost.android.ledanti

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.ledinstaandroidpost.android.ledanti

ioc	pid	process
/data/user/0/com.ledinstaandroidpost.android.ledanti/cache/of87oaufaldjawdjkw.dex	4129	com.ledinstaandroidpost.android.ledanti
/data/user/0/com.ledinstaandroidpost.android.ledanti/cache/of87oaufaldjawdjkw.dex	4129	com.ledinstaandroidpost.android.ledanti

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.ledinstaandroidpost.android.ledanti

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.ledinstaandroidpost.android.ledanti

Uses reflection 10 IoCs

Processes:

com.ledinstaandroidpost.android.ledanti

description	pid	process
Invokes method dalvik.system.CloseGuard.get	4129	com.ledinstaandroidpost.android.ledanti
Invokes method dalvik.system.CloseGuard.open	4129	com.ledinstaandroidpost.android.ledanti
Invokes method com.android.org.conscrypt.ConscryptEngineSocket.setUseSessionTickets	4129	com.ledinstaandroidpost.android.ledanti
Invokes method com.android.org.conscrypt.ConscryptEngineSocket.setHostname	4129	com.ledinstaandroidpost.android.ledanti
Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols	4129	com.ledinstaandroidpost.android.ledanti
Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol	4129	com.ledinstaandroidpost.android.ledanti
Invokes method dalvik.system.CloseGuard.get	4129	com.ledinstaandroidpost.android.ledanti
Invokes method dalvik.system.CloseGuard.open	4129	com.ledinstaandroidpost.android.ledanti
Invokes method dalvik.system.CloseGuard.get	4129	com.ledinstaandroidpost.android.ledanti
Invokes method dalvik.system.CloseGuard.open	4129	com.ledinstaandroidpost.android.ledanti

com.ledinstaandroidpost.android.ledanti
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses reflection
PID:4129

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...