File name:

HappyMod-Download-3-1-9.apk

Full analysis: https://app.any.run/tasks/a0a08242-5d31-4464-92a2-875c4611069d
Verdict: Malicious activity
Analysis date: July 19, 2025, 13:08:52
OS: Android 14
Tags:
arch-scr
arch-html
MIME: application/vnd.android.package-archive
File info: Android package (APK), with AndroidManifest.xml
MD5:

17303618BA959EBBCF1D4DF71E884063

SHA1:

9FA309FBE23E081B8FCFDD21E8EE43BFE4008EF4

SHA256:

5E322F8EA93850C32DDDCF4859CF097D7C774189F3E5C61633DACD57B755AB6C

SSDEEP:

98304:zvuUEzz7gDt498i7H/UQrPPN3l+BHTdN79dXxZa5I6YRDnN5BmvYSxNBR/sqlLJl:zwUnflsa/vyV1aptza2qrpJLtL8yDS6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Checks whether the screen is currently on

      • app_process64 (PID: 2288)

  • SUSPICIOUS

    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 2288)

    • Accesses system-level resources

      • app_process64 (PID: 2288)

    • Retrieves a list of running application processes

      • app_process64 (PID: 2288)

    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2288)

    • Establishing a connection

      • app_process64 (PID: 2288)

    • Connects to unusual port

      • app_process64 (PID: 2288)

    • Accesses external device storage files

      • app_process64 (PID: 2288)

    • Abuses foreground service for persistence

      • app_process64 (PID: 2288)

    • Launches a new activity

      • app_process64 (PID: 2288)

  • INFO

    • Returns elapsed time since boot

      • app_process64 (PID: 2288)

    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 2288)

    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2288)

    • Loads a native library into the application

      • app_process64 (PID: 2288)

    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 2288)

    • Dynamically loads a class in Java

      • app_process64 (PID: 2288)

    • Gets file name without full path

      • app_process64 (PID: 2288)

    • Gets the display metrics associated with the device's screen

      • app_process64 (PID: 2288)

    • Detects if debugger is connected

      • app_process64 (PID: 2288)

    • Creates and writes local files

      • app_process64 (PID: 2288)

    • Stores data using SQLite database

      • app_process64 (PID: 2288)

    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 2288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.apk | Android Package (66.4)
.jar | Java Archive (18.3)
.xpi | Mozilla Firefox browser extension (10.1)
.zip | ZIP compressed archive (5)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:07:07 10:38:20
ZipCRC: 0x1b92625f
ZipCompressedSize: 8899
ZipUncompressedSize: 55928
ZipFileName: AndroidManifest.xml
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start app_process64 toybox no specs app_process64 app_process64 no specs app_process64 no specs app_process64 dmesgd no specs toybox no specs toolbox no specs

Process information

PID
CMD
Path
Indicators
Parent process
2288com.happymod.apk /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2320cat /proc/self/status/system/bin/toyboxapp_process64
User:
u0_a108
Integrity Level:
UNKNOWN
Exit code:
0
2370com.android.webview:webview_service /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2385webview_zygote /system/bin/app_process64app_process64
User:
webview_zygote
Integrity Level:
UNKNOWN
Exit code:
0
2423com.android.adservices.api /system/bin/app_process64app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2443com.android.webview:webview_apk /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2695/system/bin/dmesgd/system/bin/dmesgdinit
User:
dmesgd
Integrity Level:
UNKNOWN
Exit code:
0
2696dmesg/system/bin/toyboxdmesgd
User:
dmesgd
Integrity Level:
UNKNOWN
Exit code:
0
2715getprop/system/bin/toolboxapp_process64
User:
u0_a108
Integrity Level:
UNKNOWN
Exit code:
0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
161
Text files
149
Unknown types
0

Dropped files

PID
Process
Filename
Type
2288app_process64/data/data/com.happymod.apk/.jiagu/libjiagu.sobinary
MD5:
SHA256:
2288app_process64/data/data/com.happymod.apk/.jiagu/libjiagu_64.sobinary
MD5:
SHA256:
2288app_process64/data/data/com.happymod.apk/files/jgobfpppppbinary
MD5:
SHA256:
2288app_process64/data/data/com.happymod.apk/files/.jglogs/.jg.ribinary
MD5:
SHA256:
2288app_process64/data/data/com.happymod.apk/files/.jglogs/.jg.store.report_pidtext
MD5:
SHA256:
2288app_process64/data/data/com.happymod.apk/.oabugaij/.fsgkeabinary
MD5:
SHA256:
2288app_process64/data/data/com.happymod.apk/files/PersistedInstallation4111069034502088480tmpbinary
MD5:
SHA256:
2288app_process64/data/data/com.happymod.apk/files/PersistedInstallation.W0RFRkFVTFRd+MTozNzk2MTMzODkxMTk6YW5kcm9pZDpkYTliN2UxMWRmODhhZTc2NzA3Mzhh.jsonbinary
MD5:
SHA256:
2288app_process64/data/data/com.happymod.apk/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MTozNzk2MTMzODkxMTk6YW5kcm9pZDpkYTliN2UxMWRmODhhZTc2NzA3Mzhh.xmlxml
MD5:
SHA256:
2288app_process64/data/data/com.happymod.apk/shared_prefs/com.google.firebase.crashlytics.xmlxml
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
106
TCP/UDP connections
101
DNS requests
49
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
216.58.206.68:80
http://www.google.com/gen_204
unknown
whitelisted
GET
204
216.58.206.68:443
https://www.google.com/generate_204
unknown
865
app_process64
GET
204
216.58.206.67:80
http://connectivitycheck.gstatic.com/generate_204
unknown
whitelisted
GET
204
216.58.206.67:80
http://connectivitycheck.gstatic.com/generate_204
unknown
whitelisted
POST
200
66.102.1.81:443
https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain
unknown
binary
699 b
whitelisted
GET
200
142.250.186.99:443
https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1:379613389119:android:da9b7e11df88ae7670738a/settings?instance=5c7d5987a31c67e39bab4727220022518ee720c1&build_version=263&display_version=3.1.9&source=1
unknown
binary
742 b
whitelisted
GET
200
142.250.186.99:443
https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1%3A379613389119%3Aandroid%3Ada9b7e11df88ae7670738a/settings?build_version=263&display_version=3.1.9
unknown
binary
742 b
whitelisted
POST
204
34.117.255.242:443
https://analytics.rayjump.com/
unknown
GET
200
18.245.86.115:443
https://configure.rayjump.com/setting?app_id=107909&sign=144dd95958835a2925357b1decc09114&vtag=&open=0&channel=&band_width=0&platform=1&os_version=14&package_name=com.happymod.apk&app_version_name=3.1.9&app_version_code=263&orientation=2&model=Galaxy_S10&brand=samsung&gaid=&gaid2=&network_type=0&network_str=&language=en-US&timezone=UTC&useragent=Mozilla%2F5.0+%28Linux%3B+Android+14%3B+Galaxy_S10+Build%2FUP1A.231105.001.4a827109%3B+wv%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Chrome%2F137.0.7122.0+Mobile+Safari%2F537.36&sdk_version=MAL_16.5.91&screen_size=1024x576&withGP=0&has_wx=0&integrated_wx=0&opensdk_ver=0&wx_api_ver=0&mnc=012&mcc=310&adid_limit=0&adid_limit_dev=1&f=V%2F6EWElJb7PDLEegLjNDBjgphNdqXWvnrTk8knYHDr0bZ25gnUNKg002n0UfBzmkslh%2B%2BSdK71vn%0AbntAStsK0RFGU0sRCS1FCJ1ZZ5fPgNU%3D%0A&ts=1752930552453&st=a699ad3220ce7997d7598c926c7c3586
unknown
binary
6.69 Kb
POST
200
142.250.184.234:443
https://firebaseinstallations.googleapis.com/v1/projects/android-firebase-progect/installations
unknown
binary
630 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
445
mdnsd
224.0.0.251:5353
unknown
216.58.206.67:80
connectivitycheck.gstatic.com
GOOGLE
US
whitelisted
216.58.206.68:443
www.google.com
GOOGLE
US
whitelisted
216.58.206.68:80
www.google.com
GOOGLE
US
whitelisted
865
app_process64
216.58.206.68:443
www.google.com
GOOGLE
US
whitelisted
865
app_process64
216.58.206.67:80
connectivitycheck.gstatic.com
GOOGLE
US
whitelisted
574
app_process64
216.239.35.4:123
time.android.com
whitelisted
1760
app_process64
66.102.1.81:443
staging-remoteprovisioning.sandbox.googleapis.com
GOOGLE
US
whitelisted
2288
app_process64
142.250.185.99:443
firebase-settings.crashlytics.com
GOOGLE
US
whitelisted
2288
app_process64
216.58.212.138:443
firebaseinstallations.googleapis.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
www.google.com
  • 216.58.206.68
whitelisted
connectivitycheck.gstatic.com
  • 216.58.206.67
whitelisted
google.com
  • 216.58.206.78
whitelisted
staging-remoteprovisioning.sandbox.googleapis.com
  • 66.102.1.81
whitelisted
time.android.com
  • 216.239.35.4
  • 216.239.35.0
  • 216.239.35.12
  • 216.239.35.8
whitelisted
firebase-settings.crashlytics.com
  • 142.250.185.99
whitelisted
firebaseinstallations.googleapis.com
  • 216.58.212.138
  • 216.58.206.42
  • 142.250.185.202
  • 142.250.185.74
  • 142.250.185.170
  • 172.217.18.106
  • 142.250.186.170
  • 172.217.16.138
  • 142.250.184.234
  • 142.250.185.138
  • 172.217.18.10
  • 142.250.185.106
  • 142.250.184.202
  • 172.217.23.106
  • 142.250.186.106
  • 142.250.186.138
whitelisted
configure.rayjump.com
  • 18.245.86.74
  • 18.245.86.115
  • 18.245.86.97
  • 18.245.86.121
unknown
analytics.rayjump.com
  • 34.117.255.242
unknown
update.googleapis.com
  • 172.217.18.99
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Android Device Connectivity Check
865
app_process64
Misc activity
ET INFO Android Device Connectivity Check
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
HappyMod-Download-3-1-9.apk