Malware analysis Unknown-8663.apk Malicious activity | ANY.RUN

Add for printing

File name:	Unknown-8663.apk
Full analysis:	https://app.any.run/tasks/14b772f1-b7d6-4682-a401-eebb70571717
Verdict:	Malicious activity
Analysis date:	December 26, 2025, 19:01:19
OS:	Android 14
Indicators:
MIME:	application/vnd.android.package-archive
File info:	Android package (APK), with AndroidManifest.xml, with APK Signing Block
MD5:	F38BD03970EF1CC319254D0343CDF129
SHA1:	5C012FD543CE3437B67975E9E40C73CE04BF3C20
SHA256:	5E3D77E81A5457A437F4E14DFD11D393C42871EE364D5570FB84C931BC57261D
SSDEEP:	98304:ThIMVmbZAPt0AdjGso1SVNHpmXc0LTxwfGmEBaVvwCODf/iCtwmlU8jC5tl7uhJj:8rbnH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- Hides app icon from display
  - app_process64 (PID: 2832)
SUSPICIOUS
- Accesses system-level resources
  - app_process64 (PID: 2832)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 2832)
- Retrieves a list of running application processes
  - app_process64 (PID: 2832)
- Establishing a connection
  - app_process64 (PID: 2832)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 2832)
- Creates a WakeLock to manage power state
  - app_process64 (PID: 2832)
- Acquires a wake lock to keep the device awake
  - app_process64 (PID: 2832)
- Retrieves Android OS build information
  - app_process64 (PID: 2832)
- Abuses foreground service for persistence
  - app_process64 (PID: 2832)
- Retrieves installed applications on device
  - app_process64 (PID: 2832)
- Launches a new activity
  - app_process64 (PID: 2832)
- Retrieves the MCC and MNC of the SIM card operator
  - app_process64 (PID: 2832)
- Starts a service
  - app_process64 (PID: 2832)
- Checks exemption from battery optimization
  - app_process64 (PID: 2832)
- Reads messages from SMS inbox
  - app_process64 (PID: 2832)
- Uses encryption API functions
  - app_process64 (PID: 2832)
INFO
- Returns elapsed time since boot
  - app_process64 (PID: 2832)
- Loads a native library into the application
  - app_process64 (PID: 2832)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 2832)
- Detects if debugger is connected
  - app_process64 (PID: 2832)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 2832)
- Handles throwable exceptions in the app
  - app_process64 (PID: 2832)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 2832)
- Gets file name without full path
  - app_process64 (PID: 2832)
- Creates and writes local files
  - app_process64 (PID: 2832)
- Dynamically loads a class in Java
  - app_process64 (PID: 2832)
- Stores data using SQLite database
  - app_process64 (PID: 2832)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 2832)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 2832)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.apk	\|	Android Package (62.8)
.jar	\|	Java Archive (17.3)
.vym	\|	VYM Mind Map (14.9)
.zip	\|	ZIP compressed archive (4.7)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0801
ZipCompression:	Deflated
ZipModifyDate:	2025:12:21 10:43:48
ZipCRC:	0xd0567dae
ZipCompressedSize:	4460
ZipUncompressedSize:	19096
ZipFileName:	AndroidManifest.xml

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

131

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2832	com.chvi.pool	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2860	com.chvi.pool	/system/bin/app_process64	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 0
3005	<pre-initialized>	/system/bin/app_process32		app_process32
User: root Integrity Level: UNKNOWN Exit code: 0
3006	webview_zygote	/system/bin/app_process32	—	app_process32
User: webview_zygote Integrity Level: UNKNOWN Exit code: 9
3038	com.android.webview:webview_apk	/system/bin/app_process32		app_process32
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2832	app_process64	/data/data/com.chvi.pool/files/datastore/firebaseSessions/sessionConfigsDataStore.data.version		binary
		MD5:—	SHA256:—
2832	app_process64	/data/data/com.chvi.pool/files/PersistedInstallation8226548393452936306tmp		text
		MD5:—	SHA256:—
2832	app_process64	/data/data/com.chvi.pool/files/PersistedInstallation.W0RFRkFVTFRd+MToxMDUyODIxMDY0ODczOmFuZHJvaWQ6ZTViZTBhMDE3ZmM1YzQ4YWQyNmRiOA.json		text
		MD5:—	SHA256:—
2832	app_process64	/data/data/com.chvi.pool/files/datastore/firebaseSessions/sessionDataStore.data.version		binary
		MD5:—	SHA256:—
2832	app_process64	/data/data/com.chvi.pool/shared_prefs/com.google.firebase.crashlytics.xml		xml
		MD5:—	SHA256:—
2832	app_process64	/data/data/com.chvi.pool/files/.crashlytics.v3/com.chvi.pool/open-sessions/694EDB8701F200010B103F16F5AB6432/report		text
		MD5:—	SHA256:—
2832	app_process64	/data/data/com.chvi.pool/no_backup/androidx.work.workdb-journal		binary
		MD5:—	SHA256:—
2832	app_process64	/data/data/com.chvi.pool/shared_prefs/com.google.firebase.messaging.xml		xml
		MD5:—	SHA256:—
2832	app_process64	/data/data/com.chvi.pool/no_backup/androidx.work.workdb-wal		binary
		MD5:—	SHA256:—
2832	app_process64	/data/data/com.chvi.pool/files/.crashlytics.v3/com.chvi.pool/com.crashlytics.settings.json		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
822	app_process64	GET	204	142.250.184.228:443	https://www.google.com/generate_204	US	—	—	whitelisted
822	app_process64	GET	204	142.250.186.131:80	http://connectivitycheck.gstatic.com/generate_204	US	—	—	whitelisted
2832	app_process64	GET	200	172.217.18.3:443	https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1:1052821064873:android:e5be0a017fc5c48ad26db8/settings?instance=4b40235ec5847ca4cd9a7fff997432ca267a9b2f&build_version=322&display_version=3.2.2&source=1	US	text	739 b	unknown
2832	app_process64	GET	200	172.217.18.3:443	https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1%3A1052821064873%3Aandroid%3Ae5be0a017fc5c48ad26db8/settings?build_version=322&display_version=3.2.2	US	text	739 b	unknown
2832	app_process64	POST	200	188.114.97.3:443	https://c978e75f17.adislran.info/SendData	US	binary	2 b	unknown
2832	app_process64	POST	200	142.251.141.74:443	https://firebaseinstallations.googleapis.com/v1/projects/vnisi-feec9/installations	US	text	633 b	whitelisted
1756	app_process64	POST	200	66.102.1.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:signCertificates?challenge=AAABm1wJpRwBILStYx4ukhlmnG6sJGALVYU4iYA=&request_id=ad4e5718-5db8-423a-bad5-fec4a2be58ca	US	binary	11.8 Kb	whitelisted
1756	app_process64	POST	200	66.102.1.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain	US	binary	778 b	whitelisted
3038	app_process32	POST	200	142.250.185.99:443	https://update.googleapis.com/service/update2/json?cup2key=15:LwXzBi4BZkxqIS5C-lar_f5_ISLzFCjLeHkGMu62cJs&cup2hreq=6b52981f6b9e609394e786fbd8c1dbc84661f43374607c80207828e0fd43c53f	US	text	482 b	whitelisted
2832	app_process64	POST	200	188.114.97.3:443	https://c978e75f17.adislran.info/GetSettings	US	binary	312 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
443	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.250.184.228:443	www.google.com	GOOGLE	US	whitelisted
—	—	142.250.186.131:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.250.184.228:80	www.google.com	GOOGLE	US	whitelisted
2832	app_process64	172.217.18.3:443	firebase-settings.crashlytics.com	GOOGLE	US	whitelisted
2832	app_process64	142.251.141.74:443	firebaseinstallations.googleapis.com	GOOGLE	US	whitelisted
822	app_process64	142.250.184.228:443	www.google.com	GOOGLE	US	whitelisted
571	app_process64	216.239.35.4:123	time.android.com	GOOGLE	US	whitelisted
822	app_process64	142.250.186.131:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
1756	app_process64	66.102.1.81:443	staging-remoteprovisioning.sandbox.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.206	whitelisted
www.google.com	142.250.184.228	whitelisted
firebase-settings.crashlytics.com	172.217.18.3	whitelisted
firebaseinstallations.googleapis.com	142.251.141.74 172.217.23.106 142.251.140.170 142.251.141.106 142.251.208.10 216.58.206.74 216.58.206.42 216.58.212.138 142.250.186.170 142.250.185.202 172.217.18.10 142.250.184.202 142.250.185.138 142.250.186.138 142.250.74.202 142.250.186.106	whitelisted
connectivitycheck.gstatic.com	142.250.186.131	whitelisted
time.android.com	216.239.35.4 216.239.35.12 216.239.35.8 216.239.35.0	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	66.102.1.81	whitelisted
update.googleapis.com	142.250.185.99	whitelisted
clientservices.googleapis.com	216.58.212.131	whitelisted
c978e75f17.adislran.info	188.114.97.3 188.114.96.3	whitelisted

Threats

PID	Process	Class	Message
822	app_process64	Misc activity	ET INFO Android Device Connectivity Check
339	netd	Misc activity	ET INFO Observed DNS Query to .cfd TLD

Add for printing

No debug info

General Info

Unknown-8663.apk

F38BD03970EF1CC319254D0343CDF129

5C012FD543CE3437B67975E9E40C73CE04BF3C20

5E3D77E81A5457A437F4E14DFD11D393C42871EE364D5570FB84C931BC57261D

98304:ThIMVmbZAPt0AdjGso1SVNHpmXc0LTxwfGmEBaVvwCODf/iCtwmlU8jC5tl7uhJj:8rbnH

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Hides app icon from display

SUSPICIOUS

Accesses system-level resources

Collects data about the device's environment (JVM version)

Retrieves a list of running application processes

Establishing a connection

Updates data in the storage of application settings (SharedPreferences)

Creates a WakeLock to manage power state

Acquires a wake lock to keep the device awake

Retrieves Android OS build information

Abuses foreground service for persistence

Retrieves installed applications on device

Launches a new activity

Retrieves the MCC and MNC of the SIM card operator

Starts a service

Checks exemption from battery optimization

Reads messages from SMS inbox

Uses encryption API functions

INFO

Returns elapsed time since boot

Loads a native library into the application

Dynamically inspects or modifies classes, methods, and fields at runtime

Detects if debugger is connected

Retrieves data from storage of application settings (SharedPreferences)

Handles throwable exceptions in the app

Retrieves the value of a secure system setting

Gets file name without full path

Creates and writes local files

Dynamically loads a class in Java

Stores data using SQLite database

Gets the display metrics associated with the device's screen

Verifies whether the device is connected to the internet

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings