File name:

xFree.apk

Full analysis: https://app.any.run/tasks/e8863fea-9844-469f-b0c6-fa6e81652a9c
Verdict: Malicious activity
Analysis date: February 19, 2026, 20:56:35
OS: Android 14
MIME: application/vnd.android.package-archive
File info: Android package (APK), with AndroidManifest.xml, with APK Signing Block
MD5:

8101C6043B4133F470CA724318C9260B

SHA1:

3A888711E4D5E563C5311A02B2C54BC80A6222B3

SHA256:

339BEB17C2C4F75AA8A611AA298AE1BC57EFE1B5310D2C2CA2A542A091F125CB

SSDEEP:

98304:9zT0PMja/Z+Rre1ko6Z/mHaOURWMFY+rP2gCCJXRiV7CLN426gh1S6TNm6EOAZPG:4g0HPpA0D5Ut3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Launches a new activity

      • app_process64 (PID: 4244)

    • Starts a service

      • app_process64 (PID: 3997)
      • app_process64 (PID: 4416)

    • Abuses foreground service for persistence

      • app_process64 (PID: 3997)
      • app_process64 (PID: 4244)

    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 3997)
      • app_process64 (PID: 4244)
      • app_process64 (PID: 4416)

    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 4416)

    • Establishing a connection

      • app_process64 (PID: 4416)

    • Creates a WakeLock to manage power state

      • app_process64 (PID: 4416)

    • Acquires a wake lock to keep the device awake

      • app_process64 (PID: 4416)

    • Monitors changes in clipboard content

      • app_process64 (PID: 4416)

    • Retrieves a list of running application processes

      • app_process64 (PID: 4416)

    • Accesses system-level resources

      • app_process64 (PID: 4416)

    • Retrieves Android OS build information

      • app_process64 (PID: 4416)

    • Retrieves the MCC and MNC of the SIM card operator

      • app_process64 (PID: 4416)

  • INFO

    • Loads a native library into the application

      • app_process64 (PID: 3997)
      • app_process64 (PID: 4416)

    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 3997)
      • app_process64 (PID: 4244)
      • app_process64 (PID: 4416)

    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 4416)

    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 4416)

    • Returns elapsed time since boot

      • app_process64 (PID: 4416)

    • Dynamically loads a class in Java

      • app_process64 (PID: 4416)

    • Gets file name without full path

      • app_process64 (PID: 4416)

    • Stores data using SQLite database

      • app_process64 (PID: 4416)

    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 4416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0x640cb794
ZipCompressedSize: 2113
ZipUncompressedSize: 7820
ZipFileName: AndroidManifest.xml
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
12
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start app_process64 app_process64 no specs app_process32 app_process32 no specs app_process32 app_process64 app_process32 no specs artd no specs dex2oat32 no specs app_process64 app_process64 no specs app_process32 no specs

Process information

PID
CMD
Path
Indicators
Parent process
3997ru.gl5mrp9i1f.tupdo.rroti6p46 /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
9
4022com.android.traceur /system/bin/app_process64app_process64
User:
u0_a54
Integrity Level:
UNKNOWN
Exit code:
512
4033com.android.webview:webview_service /system/bin/app_process32
app_process32
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
4038webview_zygote /system/bin/app_process32app_process32
User:
webview_zygote
Integrity Level:
UNKNOWN
Exit code:
0
4151com.android.webview:webview_apk /system/bin/app_process32
app_process32
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
4244ru.gl5mrp9i1f.tupdo.rroti6p46 /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
9
4275webview_zygote /system/bin/app_process32app_process32
User:
webview_zygote
Integrity Level:
UNKNOWN
Exit code:
9
4403/apex/com.android.art/bin/artd/apex/com.android.art/bin/artdinit
User:
artd
Integrity Level:
UNKNOWN
Exit code:
0
4407/apex/com.android.art/bin/dex2oat32 --zip-fd=6 --zip-location=/data/app/~~SI7d8x5H2QGXykxTDPaSVg==/ru.xd47l04n6m3h.a2rjk4p6-gQgyUZ3pnrs9UyJuLCQ1ww==/base.apk --oat-fd=7 --oat-location=/data/app/~~SI7d8x5H2QGXykxTDPaSVg==/ru.xd47l04n6m3h.a2rjk4p6-gQgyUZ3pnrs9UyJuLCQ1ww==/oat/arm64/base.odex --output-vdex-fd=8 --swap-fd=9 --class-loader-context=PCL[] --classpath-dir=/data/app/~~SI7d8x5H2QGXykxTDPaSVg==/ru.xd47l04n6m3h.a2rjk4p6-gQgyUZ3pnrs9UyJuLCQ1ww== --instruction-set=arm64 --instruction-set-features=default --instruction-set-variant=cortex-a53 --compiler-filter=verify --compilation-reason=install --compact-dex-level=none --max-image-block-size=524288 --resolve-startup-const-strings=true --generate-mini-debug-info --runtime-arg -Xtarget-sdk-version:35 --runtime-arg -Xhidden-api-policy:enabled --runtime-arg -Xms64m --runtime-arg -Xmx512m --comments=app-version-name:2.7.6,app-version-code:36,art-version:340090000/apex/com.android.art/bin/dex2oat32artd
User:
artd
Integrity Level:
UNKNOWN
Exit code:
0
4416ru.xd47l04n6m3h.a2rjk4p6 /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
60
Text files
84
Unknown types
10

Dropped files

PID
Process
Filename
Type
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/app_webview/last-exit-infotext
MD5:
SHA256:
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/shared_prefs/WebViewChromiumPrefs.xmlxml
MD5:
SHA256:
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/app_webview/Default/Web Data-journalbinary
MD5:
SHA256:
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/cache/WebView/Default/HTTP Cache/Code Cache/js/indexbinary
MD5:
SHA256:
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/cache/WebView/Default/HTTP Cache/Code Cache/wasm/indexbinary
MD5:
SHA256:
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-indexbinary
MD5:
SHA256:
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-indexbinary
MD5:
SHA256:
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/app_webview/Default/Shared Dictionary/cache/indexbinary
MD5:
SHA256:
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/app_webview/Default/DIPS-journalbinary
MD5:
SHA256:
3997app_process64/data/data/ru.gl5mrp9i1f.tupdo.rroti6p46/app_webview/Default/Shared Dictionary/cache/index-dir/temp-indexbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
27
DNS requests
15
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1921
app_process64
GET
204
142.251.154.119:443
https://www.google.com/generate_204
US
whitelisted
1921
app_process64
GET
204
172.217.16.195:80
http://connectivitycheck.gstatic.com/generate_204
US
whitelisted
4033
app_process32
GET
200
142.251.208.3:443
https://clientservices.googleapis.com/chrome-variations/seed?osname=android_webview&milestone=137
US
compressed
13.6 Kb
whitelisted
2931
app_process64
POST
200
108.177.15.81:443
https://staging-remoteprovisioning.sandbox.googleapis.com/v1:signCertificates?challenge=AAABnHew6mYBILStY4tobmBM5hDua3CsTN6YBW0=&request_id=9979ae0f-2104-468b-a180-ba6e2d146a3f
US
binary
11.7 Kb
whitelisted
4151
app_process32
POST
200
142.250.187.195:443
https://update.googleapis.com/service/update2/json?cup2key=15:pe9TH5WxFgiINQqvUV50102CUfhMuveJtHu5Mp3WEAU&cup2hreq=43f13e905084ce7d2cd2739e779bc1093881d2270e7165911226aad4391824ca
US
text
1.92 Kb
whitelisted
4151
app_process32
GET
200
34.104.35.123:443
https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acmmwq7dser4xm5sepzjv74g65vq_2023.7.28.10/cffplpkejcbdpfnfabnjikeicbedmifn_2023.07.28.10_all_acgbwixmcanakp2bkoppyszsbkrq.crx3
US
binary
6.71 Kb
whitelisted
2931
app_process64
POST
200
108.177.15.81:443
https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain
US
binary
778 b
whitelisted
4151
app_process32
POST
200
142.250.187.195:443
https://update.googleapis.com/service/update2/json
US
text
252 b
whitelisted
GET
204
142.251.152.119:80
http://www.google.com/gen_204
US
whitelisted
4416
app_process64
GET
200
142.251.141.131:443
https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1:622390180260:android:1465efc9503d407b422931/settings?instance=a068a7ac7f8caf2a229c423256bc9e9d96bba434&build_version=36&display_version=2.7.6&source=4
US
text
750 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
452
mdnsd
224.0.0.251:5353
whitelisted
142.251.152.119:80
www.google.com
GOOGLE
US
whitelisted
172.217.16.195:80
connectivitycheck.gstatic.com
GOOGLE
US
whitelisted
142.251.152.119:443
www.google.com
GOOGLE
US
whitelisted
3997
app_process64
62.76.228.138:443
majorextandec.com
MTFINANCE-AS
RU
unknown
580
app_process64
216.239.35.8:123
time.android.com
GOOGLE
US
whitelisted
1921
app_process64
142.251.154.119:443
www.google.com
GOOGLE
US
whitelisted
1921
app_process64
172.217.16.195:80
connectivitycheck.gstatic.com
GOOGLE
US
whitelisted
2931
app_process64
108.177.15.81:443
staging-remoteprovisioning.sandbox.googleapis.com
GOOGLE
US
whitelisted
4033
app_process32
142.251.208.3:443
clientservices.googleapis.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
www.google.com
  • 142.251.151.119
  • 142.251.153.119
  • 142.251.152.119
  • 142.251.155.119
  • 142.251.154.119
  • 142.251.156.119
  • 142.251.150.119
  • 142.251.157.119
whitelisted
majorextandec.com
  • 62.76.228.138
unknown
connectivitycheck.gstatic.com
  • 172.217.16.195
whitelisted
time.android.com
  • 216.239.35.8
  • 216.239.35.4
  • 216.239.35.0
  • 216.239.35.12
whitelisted
staging-remoteprovisioning.sandbox.googleapis.com
  • 108.177.15.81
whitelisted
clientservices.googleapis.com
  • 142.251.208.3
whitelisted
update.googleapis.com
  • 142.250.187.195
whitelisted
edgedl.me.gvt1.com
  • 34.104.35.123
whitelisted
firebase-settings.crashlytics.com
  • 142.251.141.131
whitelisted
firebaseinstallations.googleapis.com
  • 216.58.206.42
  • 172.217.20.138
  • 142.251.141.106
  • 142.250.201.74
  • 142.251.208.170
  • 216.58.206.74
  • 142.251.140.170
  • 142.250.201.170
  • 172.217.16.170
  • 142.251.141.74
  • 142.251.36.106
  • 142.251.37.10
  • 172.217.168.74
  • 142.250.186.74
  • 142.251.127.95
  • 142.251.141.138
whitelisted

Threats

PID
Process
Class
Message
1921
app_process64
Misc activity
ET INFO Android Device Connectivity Check
347
netd
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
347
netd
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
xFree.apk