Malware analysis https://fawt.xvmobdes.com/download Malicious activity

Add for printing

URL:	https://fawt.xvmobdes.com/download
Full analysis:	https://app.any.run/tasks/5cd504eb-a61d-40c3-9ec4-a8ef520035b2
Verdict:	Malicious activity
Analysis date:	March 27, 2026, 00:34:43
OS:	Android 14
Indicators:
MD5:	4E8F778FCD82DFAC19BB36AFE91AF7B7
SHA1:	953465D35EFD35F993A83875582AE6B625DB240C
SHA256:	A43DBB3FFC06F967824FA3A4C33396E2C6320A6B35CD0DC372DFF864A02B99C6
SSDEEP:	3:N8b93HBGWKM:2p3BKM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- Hides app icon from display
  - app_process64 (PID: 3148)
- Executes system commands or scripts
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
SUSPICIOUS
- Accesses external device storage files
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Accesses system-level resources
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Uses encryption API functions
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Establishing a connection
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4215)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Retrieves Android OS build information
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Retrieves a list of running services
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Launches a new activity
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Reads device MAC address fingerprint
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Retrieves the MCC and MNC of the SIM card operator
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4215)
INFO
- Loads a native library into the application
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Returns elapsed time since boot
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Stores data using SQLite database
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Detects device power status
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Creates and writes local files
  - app_process64 (PID: 3148)
- Detects if debugger is connected
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)
- Normally terminates current Java virtual machine
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
- Listens for connection changes
  - app_process64 (PID: 3148)
  - app_process64 (PID: 4025)
  - app_process64 (PID: 4215)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

214

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2797	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2850	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2868	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
2894	zygote64	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2896	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2966	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
3130	/apex/com.android.art/bin/artd	/apex/com.android.art/bin/artd	—	init
User: artd Integrity Level: UNKNOWN Exit code: 0
3133	/apex/com.android.art/bin/dex2oat32 --zip-fd=6 --zip-location=/data/app/~~rTR2qBIDzQ8BMJpFLShnfQ==/com.android.mgstv-P67PBsU5ue4r3WHRhozVIg==/base.apk --oat-fd=7 --oat-location=/data/app/~~rTR2qBIDzQ8BMJpFLShnfQ==/com.android.mgstv-P67PBsU5ue4r3WHRhozVIg==/oat/arm64/base.odex --output-vdex-fd=8 --swap-fd=9 --class-loader-context-fds=10 --class-loader-context=PCL[]{PCL[/system/framework/org.apache.http.legacy.jar]} --classpath-dir=/data/app/~~rTR2qBIDzQ8BMJpFLShnfQ==/com.android.mgstv-P67PBsU5ue4r3WHRhozVIg== --instruction-set=arm64 --instruction-set-features=default --instruction-set-variant=cortex-a53 --compiler-filter=verify --compilation-reason=install --compact-dex-level=none --max-image-block-size=524288 --resolve-startup-const-strings=true --generate-mini-debug-info --runtime-arg -Xtarget-sdk-version:33 --runtime-arg -Xhidden-api-policy:enabled --runtime-arg -Xms64m --runtime-arg -Xmx512m --comments=app-version-name:4.34.5,app-version-code:43405,art-version:340090000	/apex/com.android.art/bin/dex2oat32	—	artd
User: artd Integrity Level: UNKNOWN Exit code: 0
3148	zygote64	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
3276	cat proc/cpuinfo	/system/bin/toybox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

463

Text files

299

Unknown types

Dropped files

PID	Process	Filename		Type
3148	app_process64	/data/data/com.android.mgstv/files/libexec.so		binary
		MD5:—	SHA256:—
3148	app_process64	/data/data/com.android.mgstv/files/libexecmain.so		binary
		MD5:—	SHA256:—
3148	app_process64	/data/data/com.android.mgstv/no_backup/appmetrica/analytics/db/client.db		binary
		MD5:—	SHA256:—
3148	app_process64	/data/data/com.android.mgstv/no_backup/appmetrica/analytics/uuid.dat		text
		MD5:—	SHA256:—
3148	app_process64	/data/data/com.android.mgstv/shared_prefs/log.xml		xml
		MD5:—	SHA256:—
3148	app_process64	/data/data/com.android.mgstv/shared_prefs/umeng_common_config.xml		xml
		MD5:—	SHA256:—
3148	app_process64	/data/data/com.android.mgstv/app_luna/block_cache/test.txt		binary
		MD5:—	SHA256:—
3148	app_process64	/data/data/com.android.mgstv/app_luna/.ntp_cache		binary
		MD5:—	SHA256:—
3148	app_process64	/data/data/com.android.mgstv/databases/ua.db		binary
		MD5:—	SHA256:—
3148	app_process64	/data/data/com.android.mgstv/shared_prefs/umeng_general_config.xml		xml
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2797	app_process64	OPTIONS	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=%2FMOubJCEZblFizVyL%2FNuAfynF4er6odvumCQs0Py3Z%2Bu3knd7P%2Bb7PFd00zbg%2FogAl73BTwh5S60jE29TcqZUWPNPni7LAbpY%2B1%2FtegiwfrDHul1MSUqmiVPgmGB6FRzf9hv4Q%3D%3D	unknown	—	—	unknown
822	app_process64	GET	204	142.251.154.119:443	https://www.google.com/generate_204	unknown	—	—	whitelisted
3148	app_process64	GET	200	213.180.204.244:443	https://startup.mobile.yandex.net/analytics/startup?deviceid=0a1e44a473544df7813d12fe69a47e08&adv_id=&oaid=&yandex_adv_id=&app_set_id=0a1e44a4-7354-4df7-813d-12fe69a47e08&app_set_id_scope=app&app_platform=android&protocol_version=2&analytics_sdk_version_name=7.14.0&model=P30_Pro&manufacturer=huawei&os_version=14&screen_width=1024&screen_height=576&screen_dpi=160&scalefactor=1.0&locale=en_US&device_type=tablet&queries=1&query_hosts=2&features=scr%2Cis%2Cpc%2Cfc%2Cg%2Ch%2Csi%2Csp&app_id=com.android.mgstv&app_debuggable=0&detect_locale=1&uuid=cc04f291939b4a868b03935bde1f5b21&time=1&stat_sending=1&rp=1&cc=1&pc=1&app_system_flag=0&at=1&su=1&exta=1&permissions=1&scr=1&aic=1&is=1	unknown	—	—	unknown
2797	app_process64	POST	200	142.251.127.84:443	https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&laf=b64bin&json=standard	unknown	—	—	whitelisted
822	app_process64	GET	204	142.250.186.35:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
2797	app_process64	GET	200	142.250.154.102:80	http://clients2.google.com/time/1/current?cup2key=9:cWCNVhc8m7JeOMC-JXvX8sgvQE9C_0TJnNH8uCsrMl4&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	unknown	—	—	whitelisted
2797	app_process64	POST	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=%2FMOubJCEZblFizVyL%2FNuAfynF4er6odvumCQs0Py3Z%2Bu3knd7P%2Bb7PFd00zbg%2FogAl73BTwh5S60jE29TcqZUWPNPni7LAbpY%2B1%2FtegiwfrDHul1MSUqmiVPgmGB6FRzf9hv4Q%3D%3D	unknown	—	—	unknown
1756	app_process64	POST	200	142.251.127.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain	unknown	binary	778 b	whitelisted
2797	app_process64	POST	400	142.251.20.95:443	https://androidchromeprotect.pa.googleapis.com/v1/download	unknown	text	586 b	whitelisted
1756	app_process64	POST	200	142.251.127.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:signCertificates?challenge=AAABnSy3RakBILStY-3Eycq_iePYoiRoNAChDc0=&request_id=36593f6c-b745-4eb3-a8c6-84f20a0404c1	unknown	binary	11.7 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
443	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.251.152.119:80	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.153.119:443	www.google.com	GOOGLE	US	whitelisted
—	—	172.217.20.131:80	—	GOOGLE	US	whitelisted
2797	app_process64	142.250.154.102:80	clients2.google.com	GOOGLE	US	whitelisted
2797	app_process64	188.114.97.3:443	fawt.xvmobdes.com	CLOUDFLARENET	US	whitelisted
2797	app_process64	142.251.127.84:443	accounts.google.com	GOOGLE	US	whitelisted
2797	app_process64	142.251.154.119:443	www.google.com	GOOGLE	US	whitelisted
2797	app_process64	35.190.80.1:443	a.nel.cloudflare.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
822	app_process64	142.250.186.35:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.201.174	whitelisted
clients2.google.com	142.250.154.102 142.250.154.101 142.250.154.139 142.250.154.113 142.250.154.100 142.250.154.138	whitelisted
fawt.xvmobdes.com	188.114.97.3 188.114.96.3	unknown
www.google.com	142.251.154.119 142.251.152.119 142.251.151.119 142.251.156.119 142.251.150.119 142.251.153.119 142.251.157.119 142.251.155.119	whitelisted
accounts.google.com	142.251.127.84	whitelisted
a.nel.cloudflare.com	35.190.80.1	whitelisted
connectivitycheck.gstatic.com	142.250.186.35	whitelisted
time.android.com	216.239.35.4 216.239.35.8 216.239.35.12 216.239.35.0	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	142.251.127.81	whitelisted
androidchromeprotect.pa.googleapis.com	142.251.20.95	whitelisted

Threats

PID	Process	Class	Message
2797	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2797	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
822	app_process64	Misc activity	ET INFO Android Device Connectivity Check
3148	app_process64	Misc activity	ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
3148	app_process64	Misc activity	ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
3148	app_process64	Misc activity	ET INFO Cloudflare DNS Over HTTPS Certificate Inbound
3148	app_process64	Misc activity	ET INFO Google DNS Over HTTPS Certificate Inbound
3148	app_process64	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4025	app_process64	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4215	app_process64	Misc activity	ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)

Add for printing

No debug info

General Info

https://fawt.xvmobdes.com/download

4E8F778FCD82DFAC19BB36AFE91AF7B7

953465D35EFD35F993A83875582AE6B625DB240C

A43DBB3FFC06F967824FA3A4C33396E2C6320A6B35CD0DC372DFF864A02B99C6

3:N8b93HBGWKM:2p3BKM

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Hides app icon from display

Executes system commands or scripts

SUSPICIOUS

Accesses external device storage files

Accesses system-level resources

Uses encryption API functions

Updates data in the storage of application settings (SharedPreferences)

Establishing a connection

Collects data about the device's environment (JVM version)

Retrieves Android OS build information

Retrieves a list of running services

Launches a new activity

Reads device MAC address fingerprint

Retrieves the MCC and MNC of the SIM card operator

INFO

Loads a native library into the application

Dynamically inspects or modifies classes, methods, and fields at runtime

Returns elapsed time since boot

Gets the display metrics associated with the device's screen

Retrieves data from storage of application settings (SharedPreferences)

Dynamically registers broadcast event listeners

Stores data using SQLite database

Verifies whether the device is connected to the internet

Detects device power status

Creates and writes local files

Detects if debugger is connected

Normally terminates current Java virtual machine

Listens for connection changes

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings