Malware analysis https://apkcombo.com/d?u=aHR0cHM6Ly9kb3dubG9hZC5wdXJlYXBrLmNvbS9iL1hBUEsvWTI5dExtSmlZaTVpWlhSMFpYSXVZWEJ3WHpJMU1ESXhPREF4WDJOaU1XTmtOelkyP2FzMj05OGI5NzBlOTA3NDFhMjBkMjFkYjY2ODU5MjZkMTlhMDZhMzI5ODdkJms9YWZkYjQ4MDA1MWUyNzFkNmJkYzdjZjNhNjk0Y2QyOWU2YTMyOTg3ZCZfcD1ZMjl0TG1KaVlpNWlaWFIwWlhJdVlYQncmYz0xJTdDVE9PTFMlN0NiMmxrUFRrbVpHVjJQVVZoY25Sb0pUSXdVbWx6WlNVeU1FWmFRMDhtZEQxNFlYQnJKbk05TXprd01qVTNNemttZG00OU1DNHdMakExSm5aalBUSTFNREl4T0RBeCZfZm49UW1WMGRHVnlVMlZqZFhKcGRIa3JVMkZtWlhSNUswMWhibUZuWlhKZk1DNHdMakExWDJGd2EyTnZiV0p2TG1OdmJTNTRZWEJy&fp=5641ebff18a3faad592064017a2213ef&ip=102.220.15.38 Malicious activity

Add for printing

URL:	https://apkcombo.com/d?u=aHR0cHM6Ly9kb3dubG9hZC5wdXJlYXBrLmNvbS9iL1hBUEsvWTI5dExtSmlZaTVpWlhSMFpYSXVZWEJ3WHpJMU1ESXhPREF4WDJOaU1XTmtOelkyP2FzMj05OGI5NzBlOTA3NDFhMjBkMjFkYjY2ODU5MjZkMTlhMDZhMzI5ODdkJms9YWZkYjQ4MDA1MWUyNzFkNmJkYzdjZjNhNjk0Y2QyOWU2YTMyOTg3ZCZfcD1ZMjl0TG1KaVlpNWlaWFIwWlhJdVlYQncmYz0xJTdDVE9PTFMlN0NiMmxrUFRrbVpHVjJQVVZoY25Sb0pUSXdVbWx6WlNVeU1FWmFRMDhtZEQxNFlYQnJKbk05TXprd01qVTNNemttZG00OU1DNHdMakExSm5aalBUSTFNREl4T0RBeCZfZm49UW1WMGRHVnlVMlZqZFhKcGRIa3JVMkZtWlhSNUswMWhibUZuWlhKZk1DNHdMakExWDJGd2EyTnZiV0p2TG1OdmJTNTRZWEJy&fp=5641ebff18a3faad592064017a2213ef&ip=102.220.15.38
Full analysis:	https://app.any.run/tasks/3103352b-aa46-488e-9cc7-b547b5916166
Verdict:	Malicious activity
Analysis date:	June 22, 2025, 12:53:07
OS:	Android 14
Indicators:
MD5:	FF13C1EF8064FEC069665C46B5A8C737
SHA1:	4052C6D9908DF9276C1A4D6D62AF3F4E642858E3
SHA256:	4D10B1FB149B9C10F2053019A2828FD8D6E3E77F88681BF40FF4E823B4A87E49
SSDEEP:	12:2QNKRMXk7ED1Fg2iuYU9tWacJhfPhT4sSiUxRkyrtjiuiGS/hjXqGw8k3HQXCT:2QNOxG1Fgbb5JhfZMeERk2jivJbqx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- Initiates background APK installation
  - app_process64 (PID: 2603)
- Hides app icon from display
  - app_process64 (PID: 2932)
- Executes system commands or scripts
  - app_process64 (PID: 2603)
SUSPICIOUS
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 2603)
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Accesses external device storage files
  - app_process64 (PID: 2603)
- Retrieves installed applications on device
  - app_process64 (PID: 2603)
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Establishing a connection
  - app_process64 (PID: 2603)
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
- Launches a new activity
  - app_process64 (PID: 2603)
  - app_process64 (PID: 2838)
- Retrieves a list of running application processes
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Accesses system-level resources
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 2603)
  - app_process64 (PID: 3390)
- Uses encryption API functions
  - app_process64 (PID: 2932)
  - app_process64 (PID: 2838)
- Abuses foreground service for persistence
  - app_process64 (PID: 2838)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Sets file permissions, owner, and group for a specified path
  - app_process64 (PID: 3390)
  - app_process64 (PID: 3274)
- Retrieves the MCC and MNC of the SIM card operator
  - app_process64 (PID: 2932)
INFO
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 2603)
  - app_process64 (PID: 2838)
- Dynamically loads a class in Java
  - app_process64 (PID: 2603)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 2603)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
  - app_process64 (PID: 3274)
- Creates and writes local files
  - app_process64 (PID: 2603)
  - app_process64 (PID: 2715)
- Gets file name without full path
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 2603)
  - app_process64 (PID: 3390)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
  - app_process64 (PID: 2603)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Returns elapsed time since boot
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 2603)
  - app_process64 (PID: 3390)
- Loads a native library into the application
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
- Detects if debugger is connected
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Stores data using SQLite database
  - app_process64 (PID: 2715)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 2932)
  - app_process64 (PID: 2603)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Detects device power status
  - app_process64 (PID: 2932)
  - app_process64 (PID: 2838)
  - app_process64 (PID: 3274)
  - app_process64 (PID: 3390)
- Normally terminates current Java virtual machine
  - app_process64 (PID: 3274)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

193

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2226	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2266	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2276	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a73 Integrity Level: UNKNOWN Exit code: 0
2318	org.chromium.chrome:privileged_process0	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2339	<pre-initialized>	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2378	com.android.traceur	/system/bin/app_process64	—	app_process64
User: u0_a54 Integrity Level: UNKNOWN Exit code: 512
2410	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a73 Integrity Level: UNKNOWN Exit code: 0
2433	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a73 Integrity Level: UNKNOWN Exit code: 0
2480	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a73 Integrity Level: UNKNOWN Exit code: 0
2587	/apex/com.android.art/bin/artd	/apex/com.android.art/bin/artd	—	init
User: artd Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

319

Text files

238

Unknown types

Dropped files

PID	Process	Filename		Type
2603	app_process64	/data/user/0/com.apkpure.installer/shared_prefs/com.google.android.gms.analytics.prefs.xml		xml
		MD5:—	SHA256:—
2603	app_process64	/data/user/0/com.apkpure.installer/files/gaClientId		text
		MD5:—	SHA256:—
2647	toybox	/data/user/0/com.apkpure.installer/databases/google_analytics_v4.db		sqlite
		MD5:—	SHA256:—
2603	app_process64	/storage/emulated/0/Android/data/com.apkpure.installer/files/info_cache/fb93b37e4633c0ca57810fea4198d9f5.info		binary
		MD5:—	SHA256:—
2603	app_process64	/storage/emulated/0/Download/XAPK Installer_2.2.2_apkcombo.com.apk		compressed
		MD5:—	SHA256:—
2603	app_process64	/storage/emulated/0/Android/data/com.apkpure.installer/files/info_cache/ce9066f1a8ca1d6c82aa95cb697e7c06.info		binary
		MD5:—	SHA256:—
2603	app_process64	/data/user/0/com.apkpure.installer/cache/oat_primary/arm64/base.2603.tmp		binary
		MD5:—	SHA256:—
2603	app_process64	/storage/emulated/0/Android/data/com.apkpure.installer/files/info_cache/fb93b37e4633c0ca57810fea4198d9f5.icon		image
		MD5:—	SHA256:—
2603	app_process64	/storage/emulated/0/Android/data/com.apkpure.installer/files/info_cache/ce9066f1a8ca1d6c82aa95cb697e7c06.icon		image
		MD5:—	SHA256:—
2603	app_process64	/storage/emulated/0/Android/data/com.apkpure.installer/cache/temp_apk/com.bbb.better.app_split_apks/config.xxhdpi.apk		compressed
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	172.217.16.195:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
2226	app_process64	GET	200	172.217.16.206:80	http://clients2.google.com/time/1/current?cup2key=9:WbecfMPsIM75DwTfD-ZMzmkVtKe22KeXe8niK7q4Uto&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	unknown	—	—	whitelisted
2226	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acjd76thx2vzd6unmcparronttha_518/lmelglejhemejginpboagddgdfbepgmp_518_all_ZZ_jxk7o6f56kzj634p4qatav6urq.crx3	unknown	—	—	whitelisted
2226	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/aevtvjsxpcrwhjvp5w32fej6zq_9.56.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.56.0_all_acq3rupi4ymeq53so4pzqroatfea.crx3	unknown	—	—	whitelisted
2226	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/obedbbhbpmojnkanicioggnmelmoomoc/4add6d01f60003b23f83b4d88899b7c648d41ce3c061a88262671b53880a068c	unknown	—	—	whitelisted
2226	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acdvcifl2ztime6bsz3eijtcfeaq_2025.5.15.1/kiabhabjdbkjdpjbpigfodbdjmbglcoo_2025.05.15.01_all_ehum5zzx5qnqq3vyyhyi6ytrfq.crx3	unknown	—	—	whitelisted
2226	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ngifsy4k4mu7bcrdyhc4vjaocy_2025.4.2.0/gonpemdgkjcecdgbnaabipppbmgfggbe_2025.04.02.00_all_adnkhxd45xqajkfutwmwv6agl33q.crx3	unknown	—	—	whitelisted
2226	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acmmwq7dser4xm5sepzjv74g65vq_2023.7.28.10/cffplpkejcbdpfnfabnjikeicbedmifn_2023.07.28.10_all_acgbwixmcanakp2bkoppyszsbkrq.crx3	unknown	—	—	whitelisted
2226	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/kgdbnmlfakkebekbaceapiaenjgmlhan/e41131c999e82c36dd1a380288d4af2f5decfed1ab6077c8c0aece3d05e1d0ea	unknown	—	—	whitelisted
2226	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pcbw6tyw7x3rtjiemkmpb6yn2m_2025.6.9.0/kgdbnmlfakkebekbaceapiaenjgmlhan_2025.06.09.0_all_bvkcqje4h2s3xof6azs7f4xfba.crx3	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
451	mdnsd	224.0.0.251:5353	—	—	—	unknown
—	—	216.239.35.8:123	time.android.com	—	—	whitelisted
—	—	172.217.16.195:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	172.217.16.196:443	www.google.com	GOOGLE	US	whitelisted
—	—	108.177.15.81:443	staging-remoteprovisioning.sandbox.googleapis.com	GOOGLE	US	whitelisted
2226	app_process64	172.217.16.206:80	clients2.google.com	GOOGLE	US	whitelisted
2226	app_process64	172.67.37.254:443	apkcombo.com	CLOUDFLARENET	US	whitelisted
2226	app_process64	74.125.133.84:443	accounts.google.com	GOOGLE	US	whitelisted
2226	app_process64	172.217.16.196:443	www.google.com	GOOGLE	US	whitelisted
2226	app_process64	192.99.62.165:443	d-01.winudf.com	OVH SAS	CA	whitelisted

DNS requests

Domain	IP	Reputation
connectivitycheck.gstatic.com	172.217.16.195	whitelisted
www.google.com	172.217.16.196	whitelisted
time.android.com	216.239.35.8 216.239.35.4 216.239.35.12 216.239.35.0	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	108.177.15.81	whitelisted
google.com	216.58.206.46	whitelisted
clients2.google.com	172.217.16.206	whitelisted
apkcombo.com	172.67.37.254 104.22.10.70 104.22.11.70	whitelisted
accounts.google.com	74.125.133.84	whitelisted
download.pureapk.com	172.67.20.93 104.22.9.141 104.22.8.141	unknown
d-01.winudf.com	192.99.62.165	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Android Device Connectivity Check
2226	app_process64	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2226	app_process64	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2226	app_process64	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2226	app_process64	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2226	app_process64	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2226	app_process64	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2226	app_process64	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2226	app_process64	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2226	app_process64	Generic Protocol Command Decode	SURICATA QUIC failed decrypt

Add for printing

No debug info

General Info

FF13C1EF8064FEC069665C46B5A8C737

4052C6D9908DF9276C1A4D6D62AF3F4E642858E3

4D10B1FB149B9C10F2053019A2828FD8D6E3E77F88681BF40FF4E823B4A87E49

12:2QNKRMXk7ED1Fg2iuYU9tWacJhfPhT4sSiUxRkyrtjiuiGS/hjXqGw8k3HQXCT:2QNOxG1Fgbb5JhfZMeERk2jivJbqx

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Initiates background APK installation

Hides app icon from display

Executes system commands or scripts

SUSPICIOUS

Collects data about the device's environment (JVM version)

Accesses external device storage files

Retrieves installed applications on device

Establishing a connection

Launches a new activity

Retrieves a list of running application processes

Updates data in the storage of application settings (SharedPreferences)

Accesses system-level resources

Uses encryption API functions

Abuses foreground service for persistence

Sets file permissions, owner, and group for a specified path

Retrieves the MCC and MNC of the SIM card operator

INFO

Gets the display metrics associated with the device's screen

Dynamically loads a class in Java

Verifies whether the device is connected to the internet

Creates and writes local files

Gets file name without full path

Dynamically inspects or modifies classes, methods, and fields at runtime

Retrieves data from storage of application settings (SharedPreferences)

Returns elapsed time since boot

Dynamically registers broadcast event listeners

Loads a native library into the application

Detects if debugger is connected

Stores data using SQLite database

Detects device power status

Normally terminates current Java virtual machine

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings