File name: a25bee53a407f77d0972eefedc325cb99fd5abfdf638d543cd04963ea0238c3emgs_4.32.2_5661a259_20250225_42_beta_jiagu.apk

Full analysis: https://app.any.run/tasks/a0d5d87c-228a-40b3-9ba3-ef34a8dae652
Verdict: Malicious activity
Analysis date: June 21, 2025, 03:48:15
OS: Android 14
Indicators:
MIME: application/vnd.android.package-archive
File info: Android package (APK), with gradle app-metadata.properties
MD5: 5F70C3C57A9E35C00842812ABBDCB289
SHA1: 9385AAA6C31A715C7F12BB01026D9346224DAB2E
SHA256: A25BEE53A407F77D0972EEFEDC325CB99FD5ABFDF638D543CD04963EA0238C3E
SSDEEP: 393216:ZpIg2VZ2W4SYRbUGp1NZ/+lV1j1AZJBXoPSBV+OVyRx:ZpIgMZYRbUGpyV1jkPX5CICx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes system commands or scripts

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
  • SUSPICIOUS

    • Retrieves a list of running application processes

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Establishing a connection

      • app_process64 (PID: 2272)
    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Accesses system-level resources

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Retrieves installed applications on device

      • app_process64 (PID: 2272)
    • Accesses memory information

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Accesses external device storage files

      • app_process64 (PID: 2272)
    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Uses encryption API functions

      • app_process64 (PID: 2272)
    • Detects Xposed framework for modifications

      • app_process64 (PID: 2272)
    • Reads device MAC address fingerprint

      • app_process64 (PID: 2272)
    • Detects Cydia Substrate modification platform

      • app_process64 (PID: 2272)
    • Abuses foreground service for persistence

      • app_process64 (PID: 2621)
      • app_process64 (PID: 2272)
    • Returns the name of the current network operator

      • app_process64 (PID: 2272)
    • Launches a new activity

      • app_process64 (PID: 2272)
  • INFO

    • Returns elapsed time since boot

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Detects if debugger is connected

      • app_process64 (PID: 2272)
    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Creates and writes local files

      • app_process64 (PID: 2272)
    • Listens for connection changes

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Stores data using SQLite database

      • app_process64 (PID: 2272)
    • Loads a native library into the application

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Gets the display metrics associated with the device's screen

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 2272)
      • app_process64 (PID: 2621)
    • Dynamically loads a class in Java

      • app_process64 (PID: 2272)
    • Gets file name without full path

      • app_process64 (PID: 2272)
    • Detects device power status

      • app_process64 (PID: 2272)
    • Handles throwable exceptions in the app

      • app_process64 (PID: 2272)
    • Retrieves the value of a secure system setting

      • app_process64 (PID: 2272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion: -
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 1981:01:01 01:01:02
ZipCRC: 0x254e4b1a
ZipCompressedSize: 52
ZipUncompressedSize: 56
ZipFileName: META-INF/com/android/build/gradle/app-metadata.properties
No data.
All screenshots are available in the full report
Total processes: 157
Monitored processes: 32
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (starting from app_process64): app_process64, toybox, toolbox, dmesgd. The interactive graph with per-process details is available in the full report.

Process information

PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Exit code
2272 | com.android.mgstv | /system/bin/app_process64 | - | app_process64 | root | UNKNOWN | 0
2367 | ps | /system/bin/toybox | - | app_process64 | u0_a109 | UNKNOWN | 0
2372 | getprop debug.dns.enable | /system/bin/toolbox | - | app_process64 | u0_a109 | UNKNOWN | 0
2380 | getprop debug.dns.filter | /system/bin/toolbox | - | app_process64 | u0_a109 | UNKNOWN | 0
2388 | cat /proc/version | /system/bin/toybox | - | app_process64 | u0_a109 | UNKNOWN | 256
2395 | /system/bin/dmesgd | /system/bin/dmesgd | - | init | dmesgd | UNKNOWN | 0
2397 | dmesg | /system/bin/toybox | - | dmesgd | dmesgd | UNKNOWN | 0
2400 | com.android.mgstv | /system/bin/app_process64 | - | app_process64 | u0_a109 | UNKNOWN | 65280
2459 | cat proc/cpuinfo | /system/bin/toybox | - | app_process64 | u0_a109 | UNKNOWN | 0
2460 | cat /sys/class/sunxi_info/sys_info | /system/bin/toybox | - | app_process64 | u0_a109 | UNKNOWN | 256
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 186
Text files: 188
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2272 | app_process64 | /data/data/com.android.mgstv/files/PersistedInstallation4036233046827794990tmp | binary | - | -
2272 | app_process64 | /data/data/com.android.mgstv/files/PersistedInstallation.W0RFRkFVTFRd+MTo2NDg1Njg3Njg1Mzg6YW5kcm9pZDoxMDJjNjljMWY4ZDU5MGExZjcyOWEz.json | binary | - | -
2272 | app_process64 | /data/data/com.android.mgstv/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MTo2NDg1Njg3Njg1Mzg6YW5kcm9pZDoxMDJjNjljMWY4ZDU5MGExZjcyOWEz.xml | xml | - | -
2272 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/open-sessions/68562BA30285000108E0B49D308C7D9D/native/session.json | binary | - | -
2272 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/open-sessions/68562BA30285000108E0B49D308C7D9D/native/app.json | binary | - | -
2272 | app_process64 | /data/data/com.android.mgstv/shared_prefs/com.google.firebase.crashlytics.xml | xml | - | -
2272 | app_process64 | /data/data/com.android.mgstv/shared_prefs/com.google.android.gms.measurement.prefs.xml | xml | - | -
2272 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/open-sessions/68562BA30285000108E0B49D308C7D9D/native/os.json | binary | - | -
2272 | app_process64 | /data/data/com.android.mgstv/files/.com.google.firebase.crashlytics.files.v2:com.android.mgstv/open-sessions/68562BA30285000108E0B49D308C7D9D/native/device.json | binary | - | -
2272 | app_process64 | /data/data/com.android.mgstv/shared_prefs/com.google.android.gms.appid.xml | xml | - | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 55
TCP/UDP connections: 239
DNS requests: 319
Threats: 61

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | - | 142.250.185.164:443 | https://www.google.com/generate_204 | unknown | - | - | -
- | - | GET | 204 | 142.250.185.164:80 | http://www.google.com/gen_204 | unknown | - | - | whitelisted
- | - | GET | 204 | 142.250.181.227:80 | http://connectivitycheck.gstatic.com/generate_204 | unknown | - | - | whitelisted
- | - | GET | 204 | 142.250.185.164:443 | https://www.google.com/generate_204 | unknown | - | - | -
- | - | GET | 204 | 142.250.181.227:80 | http://connectivitycheck.gstatic.com/generate_204 | unknown | - | - | whitelisted
- | - | POST | 200 | 108.177.15.81:443 | https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain | unknown | binary | 699 b | whitelisted
- | - | GET | 200 | 142.250.186.67:443 | https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1:648568768538:android:102c69c1f8d590a1f729a3/settings?instance=c16e41bc3b1c02ea3365ed59310c86e7bc83050b&build_version=43202&display_version=4.32.2&source=1 | unknown | binary | 743 b | whitelisted
- | - | POST | 200 | 142.250.186.138:443 | https://firebaseinstallations.googleapis.com/v1/projects/mgs-free-e6046/installations | unknown | binary | 629 b | whitelisted
- | - | POST | 200 | 104.21.64.1:443 | https://fuxok.nguvmqhpk.com/v1/googleadmob/zip%3Fg=true | unknown | binary | 1.10 Kb | -
2272 | app_process64 | GET | - | 104.21.29.101:80 | http://zxiws.tcgwhnvym.com/notice/api/get_notice?pkg=com.android.mgstv&v=43202&sn=085345a26dabb44809cca71514451ad6&userId=&language=en | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
451 | mdnsd | 224.0.0.251:5353 | - | - | - | unknown
- | - | 142.250.185.164:443 | www.google.com | GOOGLE | US | whitelisted
- | - | 142.250.181.227:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
- | - | 142.250.185.164:80 | www.google.com | GOOGLE | US | whitelisted
- | - | 108.177.15.81:443 | staging-remoteprovisioning.sandbox.googleapis.com | GOOGLE | US | whitelisted
- | - | 216.239.35.12:123 | time.android.com | - | - | whitelisted
574 | app_process64 | 216.239.35.4:123 | time.android.com | - | - | whitelisted
574 | app_process64 | 216.239.35.8:123 | time.android.com | - | - | whitelisted
2272 | app_process64 | 239.255.255.250:1900 | - | - | - | whitelisted
2272 | app_process64 | 142.250.185.227:443 | firebase-settings.crashlytics.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
connectivitycheck.gstatic.com | 142.250.181.227 | whitelisted
www.google.com | 142.250.185.164 | whitelisted
google.com | 142.250.185.174 | whitelisted
time.android.com | 216.239.35.12, 216.239.35.4, 216.239.35.8, 216.239.35.0 | whitelisted
staging-remoteprovisioning.sandbox.googleapis.com | 108.177.15.81 | whitelisted
firebase-settings.crashlytics.com | 142.250.185.227 | whitelisted
firebaseinstallations.googleapis.com | - | whitelisted
time.google.com | - | whitelisted
time.cloudflare.com | - | whitelisted
time.windows.com | - | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Android Device Connectivity Check
- | - | Misc activity | ET INFO Android Device Connectivity Check
2272 | app_process64 | Misc activity | ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
2272 | app_process64 | Misc activity | ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
2272 | app_process64 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .quad9 .net in TLS SNI)
2272 | app_process64 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .quad9 .net in TLS SNI)
2272 | app_process64 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .quad9 .net in TLS SNI)
- | - | Generic Protocol Command Decode | SURICATA HTTP gzip decompression failed
2272 | app_process64 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .quad9 .net in TLS SNI)
2272 | app_process64 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .quad9 .net in TLS SNI)
No debug info