File name: WOW EXP PLUS 2_v1.2.91.1_APKPure_Installer.apk

Full analysis: https://app.any.run/tasks/3b81fca1-9759-4ccd-9982-bc6fb3dca82a
Verdict: Malicious activity
Analysis date: August 01, 2025, 19:34:59
OS: Android 14
MIME: application/vnd.android.package-archive
File info: Android package (APK), with gradle app-metadata.properties, with APK Signing Block
MD5: 107A4AD454AAC6FED65C2A6D1C8227B3
SHA1: B4175E5905A7BF8FE7A5A272C86785941DB0F1F8
SHA256: C0AA9F0EBD236548FC21432829FE31AEEE971269A3BCED8846017AD16BBC34D4
SSDEEP: 98304:77S+EUkX92xoW2aowV8oXg6Ok+uGLd5r39mN7YV2JnDZVdU39rxq1xYtyr+b+yCU:zi4CiI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes system commands or scripts

      • app_process64 (PID: 2289)
  • SUSPICIOUS

    • Accesses system-level resources

      • app_process64 (PID: 2289)
    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2289)
      • app_process64 (PID: 2343)
    • Checks if the device's lock screen is showing

      • app_process64 (PID: 2289)
    • Retrieves a list of running application processes

      • app_process64 (PID: 2289)
    • Detects Xposed framework for modifications

      • app_process64 (PID: 2289)
    • Uses encryption API functions

      • app_process64 (PID: 2289)
    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 2343)
      • app_process64 (PID: 2289)
    • Establishing a connection

      • app_process64 (PID: 2343)
      • app_process64 (PID: 2289)
    • Accesses external device storage files

      • app_process64 (PID: 2289)
    • Retrieves the MCC and MNC of the SIM card operator

      • app_process64 (PID: 2289)
    • Scans for popular installed apps

      • app_process64 (PID: 2289)
    • Launches a new activity

      • app_process64 (PID: 2289)
  • INFO

    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 2289)
      • app_process64 (PID: 2343)
    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2289)
      • app_process64 (PID: 2343)
    • Detects if debugger is connected

      • app_process64 (PID: 2289)
    • Loads a native library into the application

      • app_process64 (PID: 2289)
      • app_process64 (PID: 2343)
    • Listens for connection changes

      • app_process64 (PID: 2289)
    • Creates and writes local files

      • app_process64 (PID: 2289)
      • app_process64 (PID: 2343)
    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 2289)
    • Gets the display metrics associated with the device's screen

      • app_process64 (PID: 2289)
    • Returns elapsed time since boot

      • app_process64 (PID: 2289)
    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 2289)
    • Checks system memory usage details

      • app_process64 (PID: 2289)
    • Dynamically loads a class in Java

      • app_process64 (PID: 2289)
    • Handles throwable exceptions in the app

      • app_process64 (PID: 2289)
    • Stores data using SQLite database

      • app_process64 (PID: 2289)
    • Retrieves the value of a secure system setting

      • app_process64 (PID: 2289)
    • Retrieves CPU core information

      • app_process64 (PID: 2289)
    • Gets file name without full path

      • app_process64 (PID: 2289)
No Malware configuration.

TRiD

.apk | Android Package (73.9)
.jar | Java Archive (20.4)
.zip | ZIP compressed archive (5.6)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2025:03:28 11:03:16
ZipCRC: 0xd1f06b7f
ZipCompressedSize: 52
ZipUncompressedSize: 56
ZipFileName: META-INF/com/android/build/gradle/app-metadata.properties
No data.
All screenshots are available in the full report
Total processes: 155
Monitored processes: 30
Malicious processes: 1
Suspicious processes: 1

Behavior graph

[Behavior graph: start -> app_process64 -> app_process64; the remaining nodes are app_process64, toybox and toolbox processes with no specs. Interactive graph available in the full report.]

Process information

PID | CMD | Path | Parent process | User | Integrity Level | Exit code
2289 | com.apkpure.aegon | /system/bin/app_process64 | app_process64 | root | UNKNOWN | 0
2343 | com.apkpure.aegon:beta | /system/bin/app_process64 | app_process64 | root | UNKNOWN | 0
2346 | chmod 700 /data/user/0/com.apkpure.aegon/app_proc/qdalive_2.1.5/daemon2.bin | /system/bin/toybox | app_process64 | u0_a108 | UNKNOWN | 0
2363 | com.apkpure.aegon | /system/bin/app_process64 | app_process64 | u0_a108 | UNKNOWN | 0
2413 | com.apkpure.aegon | /system/bin/app_process64 | app_process64 | u0_a108 | UNKNOWN | 256
2423 | getprop ro.build.fingerprint | /system/bin/toolbox | app_process64 | u0_a108 | UNKNOWN | 0
2433 | com.apkpure.aegon:beta | /system/bin/app_process64 | app_process64 | u0_a108 | UNKNOWN | 0
2434 | com.apkpure.aegon:beta | /system/bin/app_process64 | app_process64 | u0_a108 | UNKNOWN | 0
2435 | com.apkpure.aegon:beta | /system/bin/app_process64 | app_process64 | u0_a108 | UNKNOWN | 0
2436 | com.apkpure.aegon:beta | /system/bin/app_process64 | app_process64 | u0_a108 | UNKNOWN | 0
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 61
Text files: 358
Unknown types: 94

Dropped files

PID | Process | Filename | Type
2289 | app_process64 | /data/data/com.apkpure.aegon/files/log/2025-08-01 19.txt | text
2289 | app_process64 | /data/data/com.apkpure.aegon/shared_prefs/BuglySdkInfos.xml | xml
2289 | app_process64 | /data/data/com.apkpure.aegon/shared_prefs/raft_config.xml | 
2289 | app_process64 | /data/data/com.apkpure.aegon/shared_prefs/keepLiveFlag.xml | xml
2289 | app_process64 | /data/data/com.apkpure.aegon/app_proc/key_srver_config | gmc
2289 | app_process64 | /data/data/com.apkpure.aegon/app_proc/qdalive_2.1.5/daemon2.bin | o
2346 | toybox | /data/data/com.apkpure.aegon/app_proc/key_srver_config | gmc
2289 | app_process64 | /data/data/com.apkpure.aegon/app_proc/qdalive_2.1.5/dead_stamp | gmc
2289 | app_process64 | /data/data/com.apkpure.aegon/app_proc/qdalive_2.1.5/front_status | gmc
2289 | app_process64 | /data/data/com.apkpure.aegon/files/PersistedInstallation3102122806022531187tmp | binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 33
DNS requests: 18
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 204 | 142.250.184.195:80 | http://connectivitycheck.gstatic.com/generate_204 | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
445 | mdnsd | 224.0.0.251:5353 | - | - | - | unknown
- | - | 216.239.35.4:123 | time.android.com | - | - | whitelisted
- | - | 142.250.181.228:443 | www.google.com | GOOGLE | US | whitelisted
- | - | 142.250.184.195:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
- | - | 142.250.27.81:443 | staging-remoteprovisioning.sandbox.googleapis.com | GOOGLE | US | whitelisted
2289 | app_process64 | 129.226.102.234:443 | h.trace.qq.com | Tencent Building, Kejizhongyi Avenue | HK | whitelisted
2289 | app_process64 | 142.250.74.195:443 | firebase-settings.crashlytics.com | GOOGLE | US | whitelisted
2289 | app_process64 | 142.250.181.234:443 | firebaseinstallations.googleapis.com | GOOGLE | US | whitelisted
2289 | app_process64 | 43.152.186.108:443 | pv.sohu.com | - | SG | whitelisted
2343 | app_process64 | 129.226.102.234:443 | h.trace.qq.com | Tencent Building, Kejizhongyi Avenue | HK | whitelisted

DNS requests

Domain | IP | Reputation
www.google.com | 142.250.181.228 | whitelisted
connectivitycheck.gstatic.com | 142.250.184.195 | whitelisted
google.com | 216.58.206.78 | whitelisted
time.android.com | 216.239.35.4, 216.239.35.8, 216.239.35.0, 216.239.35.12 | whitelisted
staging-remoteprovisioning.sandbox.googleapis.com | 142.250.27.81 | whitelisted
h.trace.qq.com | 129.226.102.234, 129.226.106.225 | whitelisted
firebase-settings.crashlytics.com | 142.250.74.195 | whitelisted
firebaseinstallations.googleapis.com | 142.250.181.234, 172.217.16.202, 216.58.212.138, 142.250.185.106, 142.250.186.106, 142.250.186.74, 142.250.185.170, 172.217.23.106, 216.58.206.42, 172.217.18.10, 172.217.18.106, 142.250.185.202, 142.250.185.74, 142.250.185.234, 142.250.186.42, 142.250.185.138 | whitelisted
pv.sohu.com | 43.152.186.108, 43.132.64.203 | whitelisted
http://vibeaconstr.onezapp.com:8080/analytics/upload | - | unknown

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Android Device Connectivity Check
No debug info