File name: rophim-android-mobile.apk

Full analysis: https://app.any.run/tasks/2c370de0-d21f-4480-a1ee-5b88c306faf9
Verdict: Malicious activity
Analysis date: April 23, 2025, 03:11:23
OS: Android 14
Indicators:
MIME: application/vnd.android.package-archive
File info: Android package (APK), with gradle app-metadata.properties
MD5: A96CFE2F8EE3755F25C60741E3C427D1
SHA1: 74C2E6247EC655BF5C21D7A7FB42B8271D18849A
SHA256: C1D86D5D4C97A83909A555B310B93B19E646C5F597EE52B8342B8497B9D28E5A
SSDEEP: 98304:wwdi2Zb6LZAb9/cL9IbNYBBXkhg3dflaIkp+OkVQYSiVT4s0vUAEiL9N4wrb2tow:xCt2Tq5UidHuojgrvL5HKn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates a WakeLock to manage power state

      • app_process64 (PID: 2273)
    • Retrieves the ISO country code of the current network

      • app_process64 (PID: 2273)
    • Acquires a wake lock to keep the device awake

      • app_process64 (PID: 2273)
    • Establishing a connection

      • app_process64 (PID: 2273)
    • Retrieves a list of running application processes

      • app_process64 (PID: 2273)
    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 2273)
    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2273)
    • Retrieves the MCC and MNC of the SIM card operator

      • app_process64 (PID: 2273)
    • Accesses system-level resources

      • app_process64 (PID: 2273)
  • INFO

    • Listens for connection changes

      • app_process64 (PID: 2273)
    • Handles throwable exceptions in the app

      • app_process64 (PID: 2273)
    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 2273)
    • Retrieves the value of a secure system setting

      • app_process64 (PID: 2273)
    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 2273)
    • Detects device power status

      • app_process64 (PID: 2273)
    • Gets file name without full path

      • app_process64 (PID: 2273)
    • Stores data using SQLite database

      • app_process64 (PID: 2273)
    • Gets the display metrics associated with the device's screen

      • app_process64 (PID: 2273)
    • Returns elapsed time since boot

      • app_process64 (PID: 2273)
    • Dynamically loads a class in Java

      • app_process64 (PID: 2273)
    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2273)
    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 2273)
    • Loads a native library into the application

      • app_process64 (PID: 2273)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.apk | Android Package (62.8)
.jar | Java Archive (17.3)
.vym | VYM Mind Map (14.9)
.zip | ZIP compressed archive (4.7)

EXIF

ZIP

ZipRequiredVersion: -
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 1981:01:01 01:01:02
ZipCRC: 0xf9e152b4
ZipCompressedSize: 51
ZipUncompressedSize: 56
ZipFileName: META-INF/com/android/build/gradle/app-metadata.properties
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> app_process64 -> app_process64 (no specs)

Process information

PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Exit code
2273 | com.rophim.android.mobile | /system/bin/app_process64 | see the signatures above (all are attributed to this PID) | app_process64 | root | UNKNOWN | 0
2328 | com.android.adservices.api | /system/bin/app_process64 | none listed | app_process64 | root | UNKNOWN | 0

Both processes are reported with user root. On an unmodified Android build, app processes forked from Zygote run under per-app UIDs, so the root user shown here reflects the sandbox's instrumented environment (the Google AdServices process is listed the same way) rather than a privilege escalation by the sample.
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 41
Text files: 102
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2273 | app_process64 | /data/data/com.rophim.android.mobile/files/PersistedInstallation3795033338711336550tmp | binary
2273 | app_process64 | /data/data/com.rophim.android.mobile/files/PersistedInstallation.W0RFRkFVTFRd+MTozMDEyNjA4NDU5MDQ6YW5kcm9pZDo5MjljMzUxZmNiN2VmNTNlOTg3MjU1.json | binary
2273 | app_process64 | /data/data/com.rophim.android.mobile/shared_prefs/com.google.android.gms.measurement.prefs.xml | xml
2273 | app_process64 | /data/data/com.rophim.android.mobile/shared_prefs/com.google.firebase.messaging.xml | xml
2273 | app_process64 | /data/data/com.rophim.android.mobile/shared_prefs/com.google.firebase.crashlytics.xml | xml
2273 | app_process64 | /data/data/com.rophim.android.mobile/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MTozMDEyNjA4NDU5MDQ6YW5kcm9pZDo5MjljMzUxZmNiN2VmNTNlOTg3MjU1.xml | xml
2273 | app_process64 | /data/data/com.rophim.android.mobile/files/.crashlytics.v3/com.rophim.android.mobile/open-sessions/68085A6B024A000108E14FE2EDB7ADB7/report | binary
2273 | app_process64 | /data/data/com.rophim.android.mobile/files/.crashlytics.v3/com.rophim.android.mobile/open-sessions/68085A6B024A000108E14FE2EDB7ADB7/internal-keys | binary
2273 | app_process64 | /data/data/com.rophim.android.mobile/files/.crashlytics.v3/com.rophim.android.mobile/com.crashlytics.settings.json | binary
2273 | app_process64 | /data/data/com.rophim.android.mobile/files/PersistedInstallation2465698368249027841tmp | binary

MD5 and SHA256 of the dropped files are not included in this summary.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
21
DNS requests
16
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 204 | 142.250.186.131:80 | http://connectivitycheck.gstatic.com/generate_204 | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
443 | mdnsd | 224.0.0.251:5353 | - | - | - | unknown
- | - | 142.250.186.131:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
- | - | 172.217.16.196:443 | www.google.com | GOOGLE | US | whitelisted
- | - | 216.239.35.12:123 | time.android.com | - | - | whitelisted
- | - | 108.177.119.81:443 | staging-remoteprovisioning.sandbox.googleapis.com | GOOGLE | US | whitelisted
2273 | app_process64 | 142.250.186.67:443 | firebase-settings.crashlytics.com | GOOGLE | US | whitelisted
2273 | app_process64 | 216.239.35.4:123 | time.android.com | - | - | whitelisted
2273 | app_process64 | 172.217.16.202:443 | firebaseinstallations.googleapis.com | GOOGLE | US | whitelisted
2273 | app_process64 | 188.114.96.3:443 | api.rofilm.net | CLOUDFLARENET | NL | unknown
2273 | app_process64 | 142.250.185.170:443 | firebaseinstallations.googleapis.com | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
connectivitycheck.gstatic.com
  • 142.250.186.131
whitelisted
www.google.com
  • 172.217.16.196
whitelisted
google.com
  • 142.250.184.238
whitelisted
time.android.com
  • 216.239.35.12
  • 216.239.35.8
  • 216.239.35.0
  • 216.239.35.4
whitelisted
staging-remoteprovisioning.sandbox.googleapis.com
  • 108.177.119.81
whitelisted
firebase-settings.crashlytics.com
  • 142.250.186.67
whitelisted
firebaseinstallations.googleapis.com
  • 172.217.16.202
  • 216.58.206.74
  • 142.250.185.74
  • 142.250.185.106
  • 142.250.185.202
  • 142.250.186.42
  • 172.217.18.10
  • 142.250.185.138
  • 142.250.185.170
  • 216.58.212.170
  • 172.217.23.106
  • 142.250.74.202
  • 172.217.16.138
  • 142.250.185.234
  • 216.58.206.42
  • 142.250.181.234
whitelisted
time.google.com
  • 2001:4860:4806::
  • 2001:4860:4806:8::
  • 2001:4860:4806:c::
  • 2001:4860:4806:4::
  • 216.239.35.4
  • 216.239.35.12
  • 216.239.35.8
  • 216.239.35.0
whitelisted
api.rofilm.net
  • 188.114.96.3
  • 188.114.97.3
unknown
firebaseremoteconfigrealtime.googleapis.com
  • 142.250.185.170
  • 172.217.18.10
  • 142.250.186.170
  • 142.250.185.234
  • 216.58.206.74
  • 142.250.184.202
  • 142.250.185.202
  • 142.250.185.138
  • 142.250.185.74
  • 216.58.206.42
  • 172.217.16.138
  • 142.250.181.234
  • 142.250.185.106
  • 216.58.212.138
  • 172.217.18.106
  • 142.250.184.234
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Android Device Connectivity Check
No debug info