Malware analysis PNB BANK E-KYC.apk Malicious activity

Add for printing

File name:	PNB BANK E-KYC.apk
Full analysis:	https://app.any.run/tasks/c81e6ab1-9352-4986-b6bb-3c9c69ce941d
Verdict:	Malicious activity
Analysis date:	May 16, 2025, 16:29:59
OS:	Android 14
MIME:	application/vnd.android.package-archive
File info:	Android package (APK), with AndroidManifest.xml, with APK Signing Block
MD5:	4E6829B150BF8B39B835EA38C8814E24
SHA1:	F038DB1AE13EE3982BC7C0DB66E0FCD5F4D4BB4B
SHA256:	878B17A7CADC8FA10BD7F1C8B33B654EB4AD6039608994EC18AD0BE817B332EB
SSDEEP:	98304:HDlMlnLS3EemjsJTAAlbZllnsD93fQkpJrmi3H/H9zdW1nlpIGk3GoqXdR7qfwtq:H4oVwI/KUg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 2284)
- Abuses foreground service for persistence
  - app_process64 (PID: 2284)
- Checks exemption from battery optimization
  - app_process64 (PID: 2284)
INFO
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 2284)
- Dynamically loads a class in Java
  - app_process64 (PID: 2284)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.apk	\|	Android Package (73.9)
.jar	\|	Java Archive (20.4)
.zip	\|	ZIP compressed archive (5.6)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	0x0800
ZipCompression:	Unknown (33889)
ZipModifyDate:	2025:01:03 21:20:48
ZipCRC:	0x77bd3d1d
ZipCompressedSize:	6706
ZipUncompressedSize:	19160
ZipFileName:	AndroidManifest.xml

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

127

Monitored processes

3

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2284	com.panelamcall.forwardpro	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2318	zygote	/system/bin/app_process32	—	app_process32
User: root Integrity Level: UNKNOWN Exit code: 0
2336	webview_zygote	/system/bin/app_process32	—	app_process32
User: webview_zygote Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

26

Text files

11

Unknown types

0

Dropped files

PID	Process	Filename		Type
2284	app_process64	/data/data/com.panelamcall.forwardpro/no_backup/androidx.work.workdb-journal		binary
		MD5:—	SHA256:—
2284	app_process64	/data/data/com.panelamcall.forwardpro/no_backup/androidx.work.workdb-wal		binary
		MD5:—	SHA256:—
2284	app_process64	/data/data/com.panelamcall.forwardpro/shared_prefs/WebViewChromiumPrefs.xml		xml
		MD5:—	SHA256:—
2284	app_process64	/data/data/com.panelamcall.forwardpro/app_webview/Default/Local Storage/leveldb/MANIFEST-000001		binary
		MD5:—	SHA256:—
2284	app_process64	/data/data/com.panelamcall.forwardpro/app_webview/Default/Local Storage/leveldb/000001.dbtmp		text
		MD5:—	SHA256:—
2284	app_process64	/data/data/com.panelamcall.forwardpro/app_webview/Default/Local Storage/leveldb/CURRENT		text
		MD5:—	SHA256:—
2284	app_process64	/data/data/com.panelamcall.forwardpro/cache/WebView/Default/HTTP Cache/Code Cache/js/index		binary
		MD5:—	SHA256:—
2284	app_process64	/data/data/com.panelamcall.forwardpro/cache/WebView/Default/HTTP Cache/Code Cache/webui_js/index		binary
		MD5:—	SHA256:—
2284	app_process64	/data/data/com.panelamcall.forwardpro/cache/WebView/Default/HTTP Cache/Code Cache/webui_js/index-dir/temp-index		binary
		MD5:—	SHA256:—
2284	app_process64	/data/data/com.panelamcall.forwardpro/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

14

TCP/UDP connections

28

DNS requests

6

Threats

7

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	404	142.250.186.68:80	http://www.google.com/gen_204	unknown	—	—	whitelisted
—	—	GET	404	142.250.186.67:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
—	—	GET	404	142.250.186.67:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
—	—	GET	404	216.239.38.223:80	http://play.googleapis.com/generate_204	unknown	—	—	whitelisted
—	—	GET	404	142.250.186.68:80	http://www.google.com/gen_204	unknown	—	—	whitelisted
804	app_process64	GET	404	142.250.186.67:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
804	app_process64	GET	404	216.239.34.223:80	http://play.googleapis.com/generate_204	unknown	—	—	whitelisted
—	—	GET	404	142.250.186.67:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
804	app_process64	GET	404	142.250.186.67:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
804	app_process64	GET	404	142.250.186.68:80	http://www.google.com/gen_204	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
449	mdnsd	224.0.0.251:5353	—	—	—	unknown
—	—	142.250.186.68:443	www.google.com	GOOGLE	US	whitelisted
—	—	142.250.186.67:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.250.186.68:80	www.google.com	GOOGLE	US	whitelisted
—	—	216.239.38.223:80	play.googleapis.com	GOOGLE	US	whitelisted
804	app_process64	142.250.186.67:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
804	app_process64	142.250.186.68:443	www.google.com	GOOGLE	US	whitelisted
804	app_process64	216.239.34.223:80	play.googleapis.com	GOOGLE	US	whitelisted
2284	app_process64	49.13.77.253:443	master-12num.alish.cloud	Hetzner Online GmbH	DE	unknown
804	app_process64	142.250.186.68:80	www.google.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
connectivitycheck.gstatic.com	142.250.186.67	whitelisted
www.google.com	142.250.186.68	whitelisted
google.com	142.250.186.142	whitelisted
play.googleapis.com	216.239.32.223 216.239.36.223 216.239.34.223 216.239.38.223	whitelisted
master-12num.alish.cloud	49.13.77.253	unknown
time.android.com	216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Android Device Connectivity Check
—	—	Misc activity	ET INFO Android Device Connectivity Check
—	—	Misc activity	ET INFO Android Device Connectivity Check
804	app_process64	Misc activity	ET INFO Android Device Connectivity Check
804	app_process64	Misc activity	ET INFO Android Device Connectivity Check
804	app_process64	Misc activity	ET INFO Android Device Connectivity Check
804	app_process64	Misc activity	ET INFO Android Device Connectivity Check

Add for printing

No debug info

General Info

PNB BANK E-KYC.apk

4E6829B150BF8B39B835EA38C8814E24

F038DB1AE13EE3982BC7C0DB66E0FCD5F4D4BB4B

878B17A7CADC8FA10BD7F1C8B33B654EB4AD6039608994EC18AD0BE817B332EB

98304:HDlMlnLS3EemjsJTAAlbZllnsD93fQkpJrmi3H/H9zdW1nlpIGk3GoqXdR7qfwtq:H4oVwI/KUg

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Collects data about the device's environment (JVM version)

Abuses foreground service for persistence

Checks exemption from battery optimization

INFO

Dynamically inspects or modifies classes, methods, and fields at runtime

Dynamically loads a class in Java

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings