File name: xupertv-para-celular.apk
Full analysis: https://app.any.run/tasks/d999fb9b-7453-4921-8cbc-9e495ce18ac9
Verdict: Malicious activity
Analysis date: November 03, 2025, 07:25:42
OS: Android 14
Tags: websocket
MIME: application/vnd.android.package-archive
File info: Android package (APK), with gradle app-metadata.properties
MD5: 882F3E70652FC6D91AF60F79A1C7549E
SHA1: B9B253C431E5A804900C7B6B9EEAEEA4F651B967
SHA256: 4F902D5960B26E5875C9C554052F834F3755A52D585E1B941B2907D63B2CB3B9
SSDEEP: 196608:75rfhBrV5W/uLrDAlv9wsQCaTldnFye8Pz66IQlRplKftP1zkf:ZjrjDDAlXQxfn026IQbpaTzkf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
All of the signatures below were triggered by app_process64 (PID: 4047):

  • MALICIOUS
    • Executes system commands or scripts
  • SUSPICIOUS
    • Accesses system-level resources
    • Updates data in the storage of application settings (SharedPreferences)
    • Accesses external device storage files
    • Uses encryption API functions
    • Establishing a connection
    • Collects data about the device's environment (JVM version)
    • Retrieves Android OS build information
    • Accesses memory information
    • Reads device MAC address fingerprint
    • Returns the name of the current network operator
    • Launches a new activity
  • INFO
    • Dynamically inspects or modifies classes, methods, and fields at runtime
    • Detects if debugger is connected
    • Returns elapsed time since boot
    • Retrieves data from storage of application settings (SharedPreferences)
    • Loads a native library into the application
    • Creates and writes local files
    • Gets the display metrics associated with the device's screen
    • Dynamically registers broadcast event listeners
    • Stores data using SQLite database
    • Verifies whether the device is connected to the internet
    • Gets file name without full path
    • Detects device power status
    • Listens for connection changes
    • Retrieves the value of a secure system setting
    • Attempting to connect via WebSocket
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.apk | Android Package (73.9)
.jar | Java Archive (20.4)
.zip | ZIP compressed archive (5.6)

EXIF

ZIP

ZipRequiredVersion: -
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 1981:01:01 01:01:02
ZipCRC: 0x254e4b1a
ZipCompressedSize: 52
ZipUncompressedSize: 56
ZipFileName: META-INF/com/android/build/gradle/app-metadata.properties
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 25
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Process graph image not reproduced here: app_process64 with toybox and toolbox child processes, most of which triggered no signatures; see the full report.)

Process information

PID | CMD | Path | Parent process | User | Integrity Level | Exit code
4047 | com.android.mgstv | /system/bin/app_process64 | app_process64 | root | UNKNOWN | 0
4195 | cat proc/cpuinfo | /system/bin/toybox | app_process64 | u0_a108 | UNKNOWN | 0
4197 | cat /sys/class/sunxi_info/sys_info | /system/bin/toybox | app_process64 | u0_a108 | UNKNOWN | 256
4198 | cat /proc/cpu_chipid | /system/bin/toybox | app_process64 | u0_a108 | UNKNOWN | 256
4222 | cat /proc/version | /system/bin/toybox | app_process64 | u0_a108 | UNKNOWN | 256
4227 | com.android.mgstv | /system/bin/app_process64 | app_process64 | u0_a108 | UNKNOWN | 65280
4236 | getprop debug.dns.filter | /system/bin/toolbox | app_process64 | u0_a108 | UNKNOWN | 0
4258 | cat /sys/block/mmcblk0/device/type | /system/bin/toybox | app_process64 | u0_a108 | UNKNOWN | 256
4259 | cat /sys/block/mmcblk0/device/name | /system/bin/toybox | app_process64 | u0_a108 | UNKNOWN | 256
4260 | cat /sys/block/mmcblk0/device/cid | /system/bin/toybox | app_process64 | u0_a108 | UNKNOWN | 256
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 169
Text files: 201
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4047 | app_process64 | /data/data/com.android.mgstv/files/PersistedInstallation2356655270814476461tmp | binary
4047 | app_process64 | /data/data/com.android.mgstv/files/PersistedInstallation.W0RFRkFVTFRd+MTo2NDg1Njg3Njg1Mzg6YW5kcm9pZDoxMDJjNjljMWY4ZDU5MGExZjcyOWEz.json | binary
4047 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/open-sessions/69085909038A00010FCFDE010C077BC4/native/session.json | binary
4047 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/open-sessions/69085909038A00010FCFDE010C077BC4/native/app.json | binary
4047 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/open-sessions/69085909038A00010FCFDE010C077BC4/native/os.json | binary
4047 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/open-sessions/69085909038A00010FCFDE010C077BC4/native/device.json | binary
4047 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/open-sessions/69085909038A00010FCFDE010C077BC4/report | binary
4047 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/com.crashlytics.settings.json | binary
4195 | toybox | /data/data/com.android.mgstv/app_luna/block_cache/test.txt | binary
4195 | toybox | /data/data/com.android.mgstv/shared_prefs/umeng_common_config.xml | -

(MD5 and SHA256 values for the dropped files are not included in this summary; see the full report.)
Download PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests: 11
TCP/UDP connections: 62
DNS requests: 54
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 204 | 142.250.186.132:80 | http://www.google.com/gen_204 | US | - | - | whitelisted
1961 | app_process64 | GET | 204 | 142.251.140.163:80 | http://connectivitycheck.gstatic.com/generate_204 | US | - | - | whitelisted
4047 | app_process64 | GET | 101 | 104.18.53.6:80 | http://sgyc.bfj1k2g4v.com:80/v1/stargazer | unknown | - | - | unknown
4047 | app_process64 | POST | 200 | 188.114.96.3:80 | http://yvhcn.hxjebagrv.com/api/adserver/v2/get_content | NL | binary | 362 b | whitelisted
4047 | app_process64 | GET | 200 | 172.67.168.132:80 | http://iyut.xgw3sdzoac.com/MarketServer/update?action=checkUpdate&packagenamesAndVersioncodes=com.android.mgstv%2C43403&language=en&sn=Oy4fMI540nhin%2FKjawgGjwvazKx2XJLqybVr9pu55l28N52OeFPYgA%3D%3D&userId=821202538 | US | xml | 532 b | unknown
4047 | app_process64 | GET | 200 | 172.67.148.192:80 | http://zxiws.tcgwhnvym.com/notice/api/get_notice?pkg=com.android.mgstv&v=43403&sn=e10cd4b0fee2f420e9a70e018470d9a2&userId=821202538&language=en | US | binary | 114 b | unknown
4047 | app_process64 | GET | 200 | 172.67.148.192:80 | http://zxiws.tcgwhnvym.com/notice/api/get_notice?pkg=com.android.mgstv&v=43403&sn=e10cd4b0fee2f420e9a70e018470d9a2&userId=821202538&language=en | US | binary | 114 b | unknown
4047 | app_process64 | POST | 200 | 104.21.16.208:80 | http://eajmnp.hcgv1dt8.com/api/portalCore/checkForceBind | unknown | binary | 124 b | unknown
1961 | app_process64 | GET | 204 | 216.239.36.223:80 | http://play.googleapis.com/generate_204 | US | - | - | whitelisted
4047 | app_process64 | GET | - | 188.114.96.3:80 | http://miqe.sdxpkgyaq.com/media/adsys/6be41ab3-5414-4cf6-b786-57c628ebfcaa.jpg | NL | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
453 | mdnsd | 224.0.0.251:5353 | - | - | - | whitelisted
- | - | 142.250.186.132:80 | www.google.com | GOOGLE | US | whitelisted
- | - | 142.250.186.132:443 | www.google.com | GOOGLE | US | whitelisted
- | - | 142.251.140.163:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
1961 | app_process64 | 142.250.186.132:443 | www.google.com | GOOGLE | US | whitelisted
1961 | app_process64 | 142.251.140.163:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
1961 | app_process64 | 216.239.36.223:80 | play.googleapis.com | GOOGLE | US | whitelisted
583 | app_process64 | 216.239.35.0:123 | time.android.com | - | - | whitelisted
4047 | app_process64 | 142.250.185.227:443 | firebase-settings.crashlytics.com | GOOGLE | US | whitelisted
4047 | app_process64 | 8.8.8.8:443 | - | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.251.140.174 | whitelisted
www.google.com | 142.250.186.132 | whitelisted
connectivitycheck.gstatic.com | 142.251.140.163 | whitelisted
play.googleapis.com | 216.239.38.223, 216.239.34.223, 216.239.32.223, 216.239.36.223 | whitelisted
time.android.com | 216.239.35.0, 216.239.35.4, 216.239.35.12, 216.239.35.8 | whitelisted
firebase-settings.crashlytics.com | 142.250.185.227 | whitelisted
time.google.com | 216.239.35.0, 216.239.35.4, 216.239.35.12, 216.239.35.8 | whitelisted
time.cloudflare.com | 162.159.200.123, 162.159.200.1 | whitelisted
time.windows.com | 104.40.149.189 | whitelisted
staging-remoteprovisioning.sandbox.googleapis.com | 108.177.15.81 | whitelisted

Threats

PID | Process | Class | Message
1961 | app_process64 | Misc activity | ET INFO Android Device Connectivity Check
4047 | app_process64 | Misc activity | ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
4047 | app_process64 | Misc activity | ET INFO Google DNS Over HTTPS Certificate Inbound
4047 | app_process64 | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
4047 | app_process64 | Generic Protocol Command Decode | SURICATA HTTP request field missing colon
No debug info