File name:

3272f9ad58c0f5334fe39c1ccaeeef01d4602f8ef7f8f5fe2ab80e966e6c634e.apk

Full analysis: https://app.any.run/tasks/62d5e857-3139-4a72-bfc6-1e2fcc381b15
Verdict: Malicious activity
Analysis date: May 15, 2025, 12:34:33
OS: Android 14
Tags:
telegram
MIME: application/vnd.android.package-archive
File info: Android package (APK), with APK Signing Block
MD5:

3B66C0037E534D2201E9A562810CB659

SHA1:

969B166E52BEAF24B008594AACF92E8A73099442

SHA256:

3272F9AD58C0F5334FE39C1CCAEEEF01D4602F8EF7F8F5FE2AB80E966E6C634E

SSDEEP:

98304:X1x3Hl2djokzEzzAZ92TyCqPJzaD7qzQjlx7TompsZ630ZONaYXg+XnERLJ/qRA9:sg2mjzMZt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Hides app icon from display

      • app_process64 (PID: 2409)

  • SUSPICIOUS

    • Launches a new activity

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2409)

    • Establishing a connection

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2409)

    • Executes dynamic code using class loader

      • app_process64 (PID: 2409)

    • Abuses foreground service for persistence

      • app_process64 (PID: 2409)

    • Checks if the device's lock screen is showing

      • app_process64 (PID: 2409)

    • Retrieves a list of running services

      • app_process64 (PID: 2409)

    • Requests access to accessibility settings

      • app_process64 (PID: 2409)

    • Starts a service

      • app_process64 (PID: 2409)

    • Checks exemption from battery optimization

      • app_process64 (PID: 2409)

    • Triggers notification to user

      • app_process64 (PID: 2409)

    • Performs UI accessibility actions without user input

      • app_process64 (PID: 2409)

    • Scans for installed antivirus apps

      • app_process64 (PID: 2409)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • app_process64 (PID: 2409)
      • app_process64 (PID: 2272)

    • Intercepts events for accessibility services

      • app_process64 (PID: 2409)

    • Leverages accessibility to control apps

      • app_process64 (PID: 2409)

    • Returns the name of the current network operator

      • app_process64 (PID: 2409)

    • Prevents its uninstallation by user

      • app_process64 (PID: 2409)

    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2409)

  • INFO

    • Loads a native library into the application

      • app_process64 (PID: 2409)

    • Retrieves the value of a secure system setting

      • app_process64 (PID: 2409)

    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2409)

    • Attempting to use instant messaging service

      • app_process64 (PID: 2272)

    • Detects device power status

      • app_process64 (PID: 2409)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.apk | Android Package (73.9)
.jar | Java Archive (20.4)
.zip | ZIP compressed archive (5.6)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: 0x0800
ZipCompression: None
ZipModifyDate: 2024:10:04 17:31:08
ZipCRC: 0x257e3129
ZipCompressedSize: 690
ZipUncompressedSize: 690
ZipFileName: res/drawable-ldrtl-xhdpi/abc_ic_menu_cut_mtrl_alpha.png
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
12
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start app_process64 artd no specs dex2oat32 no specs app_process64 trigger_perfetto no specs app_process32 app_process32 no specs app_process32 app_process64 no specs trigger_perfetto no specs trigger_perfetto no specs app_process64 no specs

Process information

PID
CMD
Path
Indicators
Parent process
2272glimmer.makeshift.multiple /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2384/apex/com.android.art/bin/artd/apex/com.android.art/bin/artdinit
User:
artd
Integrity Level:
UNKNOWN
Exit code:
0
2388/apex/com.android.art/bin/dex2oat32 --zip-fd=6 --zip-location=/data/app/~~UZ0cIhgwuej911wWtd8vmg==/founding.wrecking.sandstorm-s9MgPnM50njpNm5DlYQb1Q==/base.apk --oat-fd=7 --oat-location=/data/app/~~UZ0cIhgwuej911wWtd8vmg==/founding.wrecking.sandstorm-s9MgPnM50njpNm5DlYQb1Q==/oat/arm64/base.odex --output-vdex-fd=8 --swap-fd=9 --class-loader-context=PCL[] --classpath-dir=/data/app/~~UZ0cIhgwuej911wWtd8vmg==/founding.wrecking.sandstorm-s9MgPnM50njpNm5DlYQb1Q== --instruction-set=arm64 --instruction-set-features=default --instruction-set-variant=cortex-a53 --compiler-filter=verify --compilation-reason=install --compact-dex-level=none --max-image-block-size=524288 --resolve-startup-const-strings=true --generate-mini-debug-info --runtime-arg -Xtarget-sdk-version:34 --runtime-arg -Xhidden-api-policy:enabled --runtime-arg -Xms64m --runtime-arg -Xmx512m --comments=app-version-name:1.0,app-version-code:1,art-version:340090000/apex/com.android.art/bin/dex2oat32artd
User:
artd
Integrity Level:
UNKNOWN
Exit code:
0
2409founding.wrecking.sandstorm /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2425/system/bin/trigger_perfetto com.android.telemetry.interaction-jank-monitor-7/system/bin/trigger_perfettoapp_process64
User:
u0_a81
Integrity Level:
UNKNOWN
Exit code:
0
2444zygote /system/bin/app_process32
app_process32
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2457webview_zygote /system/bin/app_process32app_process32
User:
webview_zygote
Integrity Level:
UNKNOWN
Exit code:
0
2495zygote /system/bin/app_process32
app_process32
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2578com.android.systemui.accessibility.accessibilitymenu /system/bin/app_process64app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2611/system/bin/trigger_perfetto com.android.telemetry.interaction-jank-monitor-9/system/bin/trigger_perfettoapp_process64
User:
u0_a81
Integrity Level:
UNKNOWN
Exit code:
0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
23
Text files
33
Unknown types
0

Dropped files

PID
Process
Filename
Type
2272app_process64/data/data/glimmer.makeshift.multiple/cache/final-signed.apkcompressed
MD5:
SHA256:
2272app_process64/data/data/glimmer.makeshift.multiple/cache/oat_primary/arm64/base.2272.tmpbinary
MD5:
SHA256:
2409app_process64/data/data/founding.wrecking.sandstorm/code_cache/decrypted.dexbinary
MD5:
SHA256:
2409app_process64/data/data/founding.wrecking.sandstorm/shared_prefs/SharedFiles.xmlxml
MD5:
SHA256:
2409app_process64/data/data/founding.wrecking.sandstorm/shared_prefs/WebViewChromiumPrefs.xmlxml
MD5:
SHA256:
2409app_process64/data/data/founding.wrecking.sandstorm/app_webview/Default/Local Storage/leveldb/MANIFEST-000001binary
MD5:
SHA256:
2409app_process64/data/data/founding.wrecking.sandstorm/app_webview/Default/Local Storage/leveldb/000001.dbtmptext
MD5:
SHA256:
2409app_process64/data/data/founding.wrecking.sandstorm/app_webview/Default/Local Storage/leveldb/CURRENTtext
MD5:
SHA256:
2409app_process64/data/data/founding.wrecking.sandstorm/cache/WebView/Default/HTTP Cache/Code Cache/webui_js/indexbinary
MD5:
SHA256:
2409app_process64/data/data/founding.wrecking.sandstorm/cache/WebView/Default/HTTP Cache/Code Cache/js/indexbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
31
DNS requests
16
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
142.250.186.35:80
http://connectivitycheck.gstatic.com/generate_204
unknown
whitelisted
2409
app_process64
POST
522
104.21.64.1:80
http://cmsspain.shop/RestApi
unknown
unknown
2409
app_process64
POST
522
104.21.64.1:80
http://cmsspain.shop/RestApi
unknown
unknown
2409
app_process64
POST
522
104.21.64.1:80
http://cmsspain.shop/RestApi
unknown
unknown
2409
app_process64
POST
522
104.21.64.1:80
http://cmsspain.shop/RestApi
unknown
unknown
2409
app_process64
POST
522
104.21.64.1:80
http://cmsspain.shop/RestApi
unknown
unknown
2409
app_process64
POST
522
104.21.64.1:80
http://cmsspain.shop/RestApi
unknown
unknown
2409
app_process64
POST
104.21.64.1:80
http://cmsspain.shop/RestApi
unknown
unknown
2409
app_process64
POST
522
104.21.64.1:80
http://cmsspain.shop/RestApi
unknown
unknown
2409
app_process64
POST
522
104.21.64.1:80
http://cmsspain.shop/RestApi
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
445
mdnsd
224.0.0.251:5353
unknown
216.239.35.4:123
time.android.com
whitelisted
142.250.184.228:443
www.google.com
GOOGLE
US
whitelisted
142.250.186.35:80
connectivitycheck.gstatic.com
GOOGLE
US
whitelisted
142.251.168.81:443
staging-remoteprovisioning.sandbox.googleapis.com
GOOGLE
US
whitelisted
2272
app_process64
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
2409
app_process64
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
2495
app_process32
142.250.185.67:443
update.googleapis.com
GOOGLE
US
whitelisted
2444
app_process32
142.250.185.131:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
2495
app_process32
142.250.181.238:443
dl.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
www.google.com
  • 142.250.184.228
whitelisted
connectivitycheck.gstatic.com
  • 142.250.186.35
whitelisted
google.com
  • 142.250.185.110
whitelisted
time.android.com
  • 216.239.35.4
  • 216.239.35.12
  • 216.239.35.0
  • 216.239.35.8
whitelisted
staging-remoteprovisioning.sandbox.googleapis.com
  • 142.251.168.81
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
update.googleapis.com
  • 142.250.185.67
whitelisted
clientservices.googleapis.com
  • 142.250.185.131
whitelisted
dl.google.com
  • 142.250.181.238
whitelisted
cmsspain.shop
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.80.1
  • 104.21.112.1
unknown

Threats

PID
Process
Class
Message
Misc activity
ET INFO Android Device Connectivity Check
341
netd
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
2272
app_process64
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2272
app_process64
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2272
app_process64
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
341
netd
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
2409
app_process64
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3272f9ad58c0f5334fe39c1ccaeeef01d4602f8ef7f8f5fe2ab80e966e6c634e.apk