Malware analysis LazyMedia+Deluxe+Pro+3.381-@EasyAPK.apk Malicious activity

Add for printing

File name:	LazyMedia+Deluxe+Pro+3.381-@EasyAPK.apk
Full analysis:	https://app.any.run/tasks/4e8376fd-6e45-4106-81ee-1e924d2ed89d
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 23, 2025, 19:24:36
OS:	Android 14
Tags:	evasion loader github pastebin
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	FFD7CDDB5673C4659BC91D2E0B4AC8B9
SHA1:	CB31EC736764045F824731631D2E98493BD7899A
SHA256:	58CE1C37CBCD0BBB2797953580DA56435654A2AA9C2E0480E1548270E2375095
SSDEEP:	98304:VS+AaZ2XnDBlbkJLczdCZNOkEuz9KqNPa9lGtvDEGwXAwpEg5C9pKThacfyLdwVu:t091XnDFqHevtkdN91

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- Hides app icon from display
  - app_process64 (PID: 2346)
SUSPICIOUS
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 2273)
  - app_process64 (PID: 2346)
- Launches a new activity
  - app_process64 (PID: 2346)
  - app_process64 (PID: 2273)
- Sets file permissions, owner, and group for a specified path
  - app_process64 (PID: 2346)
- Accesses system-level resources
  - app_process64 (PID: 2273)
  - app_process64 (PID: 2346)
- Checks for external IP
  - netd (PID: 341)
  - app_process64 (PID: 2273)
  - app_process64 (PID: 2346)
- Process requests binary or script from the Internet
  - app_process64 (PID: 2273)
  - app_process64 (PID: 2346)
- Connects to the server without a host name
  - app_process64 (PID: 2273)
  - app_process64 (PID: 2346)
INFO
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 2346)
- Stores data using SQLite database
  - app_process64 (PID: 2273)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 2273)
  - app_process64 (PID: 2346)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 2273)
- Retrieves the value of a global system setting
  - app_process64 (PID: 2346)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.apk	\|	Android Package (62.8)
.jar	\|	Java Archive (17.3)
.vym	\|	VYM Mind Map (14.9)
.zip	\|	ZIP compressed archive (4.7)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0800
ZipCompression:	Deflated
ZipModifyDate:	2025:04:20 10:28:44
ZipCRC:	0x4a754e02
ZipCompressedSize:	10380
ZipUncompressedSize:	58080
ZipFileName:	AndroidManifest.xml

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

127

Monitored processes

3

Malicious processes

2

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Parent process
341	/system/bin/netd	/system/bin/netd	init
User: root Integrity Level: UNKNOWN
2273	com.lazycatsoftware.lmd	/system/bin/app_process64	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2346	com.lazycatsoftware.lmd	/system/bin/app_process64	app_process64
User: root Integrity Level: UNKNOWN

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

6

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
2273	app_process64	/data/user/0/com.lazycatsoftware.lmd/no_backup/androidx.work.workdb-journal		binary
		MD5:—	SHA256:—
2273	app_process64	/data/user/0/com.lazycatsoftware.lmd/no_backup/androidx.work.workdb-wal		binary
		MD5:—	SHA256:—
2273	app_process64	/data/user/0/com.lazycatsoftware.lmd/cache/oat_primary/arm64/base.2273.tmp		binary
		MD5:—	SHA256:—
2346	app_process64	/data/user/0/com.lazycatsoftware.lmd/cache/oat_primary/arm64/base.art		binary
		MD5:—	SHA256:—
2346	app_process64	/data/user/0/com.lazycatsoftware.lmd/no_backup/androidx.work.workdb-wal		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

11

TCP/UDP connections

24

DNS requests

12

Threats

10

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2273	app_process64	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	whitelisted
—	—	GET	204	172.217.18.99:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
2273	app_process64	POST	200	5.61.56.18:80	http://5.61.56.18/partner_api/request-token	unknown	—	—	unknown
2346	app_process64	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	whitelisted
2346	app_process64	GET	200	81.171.24.23:80	http://lazycatsoftware.com/lazymediadeluxe/urls_lmd.json	unknown	—	—	unknown
2273	app_process64	GET	200	81.171.24.23:80	http://lazycatsoftware.com/lazymediadeluxe/urls_lmd.json	unknown	—	—	unknown
2346	app_process64	POST	200	5.61.56.18:80	http://5.61.56.18/partner_api/request-token	unknown	—	—	unknown
2273	app_process64	GET	200	5.61.56.18:80	http://5.61.56.18/partner_api/profile/login	unknown	—	—	unknown
2346	app_process64	GET	200	5.61.56.18:80	http://5.61.56.18/partner_api/profile/login	unknown	—	—	unknown
2346	app_process64	GET	200	81.171.24.23:80	http://lazycatsoftware.com/lazymediadeluxe/update_lmd.json	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
445	mdnsd	224.0.0.251:5353	—	—	—	unknown
—	—	172.217.18.99:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.250.185.132:443	www.google.com	GOOGLE	US	whitelisted
—	—	64.233.184.81:443	staging-remoteprovisioning.sandbox.googleapis.com	GOOGLE	US	whitelisted
—	—	216.239.35.4:123	time.android.com	—	—	whitelisted
2273	app_process64	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
2273	app_process64	81.171.24.23:80	lazycatsoftware.com	LeaseWeb Netherlands B.V.	NL	unknown
2273	app_process64	104.26.12.205:443	api.ipify.org	CLOUDFLARENET	US	shared
2273	app_process64	5.61.56.18:80	—	Scalaxy B.V.	NL	unknown
2273	app_process64	82.221.128.102:443	hdrzk.org	Advania Island ehf	IS	unknown

DNS requests

Domain	IP	Reputation
connectivitycheck.gstatic.com	172.217.18.99	whitelisted
www.google.com	142.250.185.132	whitelisted
google.com	142.250.181.238	whitelisted
time.android.com	216.239.35.4 216.239.35.12 216.239.35.0 216.239.35.8	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	64.233.184.81	whitelisted
ip-api.com	208.95.112.1	whitelisted
lazycatsoftware.com	81.171.24.23	unknown
api.ipify.org	104.26.12.205 172.67.74.152 104.26.13.205	shared
hdrzk.org	82.221.128.102	unknown
raw.githubusercontent.com	185.199.111.133 185.199.109.133 185.199.108.133 185.199.110.133	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Android Device Connectivity Check
341	netd	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
341	netd	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2273	app_process64	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
341	netd	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2273	app_process64	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
341	netd	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
2346	app_process64	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2346	app_process64	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
341	netd	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage

Add for printing

No debug info

General Info

LazyMedia+Deluxe+Pro+3.381-@EasyAPK.apk

FFD7CDDB5673C4659BC91D2E0B4AC8B9

CB31EC736764045F824731631D2E98493BD7899A

58CE1C37CBCD0BBB2797953580DA56435654A2AA9C2E0480E1548270E2375095

98304:VS+AaZ2XnDBlbkJLczdCZNOkEuz9KqNPa9lGtvDEGwXAwpEg5C9pKThacfyLdwVu:t091XnDFqHevtkdN91

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Hides app icon from display

SUSPICIOUS

Collects data about the device's environment (JVM version)

Launches a new activity

Sets file permissions, owner, and group for a specified path

Accesses system-level resources

Checks for external IP

Process requests binary or script from the Internet

Connects to the server without a host name

INFO

Gets the display metrics associated with the device's screen

Stores data using SQLite database

Dynamically inspects or modifies classes, methods, and fields at runtime

Dynamically registers broadcast event listeners

Retrieves the value of a global system setting

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings