Malware analysis Download.apk Malicious activity | ANY.RUN

Add for printing

File name:	Download.apk
Full analysis:	https://app.any.run/tasks/9a6c67b3-4c11-407a-9d55-5e2901604daa
Verdict:	Malicious activity
Analysis date:	April 18, 2025, 13:12:05
OS:	Android 14
MIME:	application/vnd.android.package-archive
File info:	Android package (APK), with gradle app-metadata.properties, with APK Signing Block
MD5:	8ADEA3B64B224F1010AD5C632BCB544E
SHA1:	D05933A0746D5B488320B55DBD3F1F13F486BD47
SHA256:	C30691D4220BBAAB78435E3F3807DC97E4DE48C59D6A2242838DF3B999425443
SSDEEP:	98304:kjAuxpJF1KgXg3MZ4e3tDRz80jfWuRjHHDmkUFh8FC+rD6x/ZLXlWYWRQb3+4Bzc:oVtfCRH7hHmX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Retrieves the ISO country code of the current SIM card
  - app_process64 (PID: 2227)
- Retrieves the ISO country code of the current network
  - app_process64 (PID: 2227)
- Launches a new activity
  - app_process64 (PID: 2227)
- Returns the name of the current network operator
  - app_process64 (PID: 2227)
- Retrieves the MCC and MNC of the SIM card operator
  - app_process64 (PID: 2227)
- Establishing a connection
  - app_process64 (PID: 2227)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 2227)
INFO
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 2227)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 2227)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 2227)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	-
ZipBitFlag:	0x0001
ZipCompression:	Deflated
ZipModifyDate:	1981:01:01 01:01:02
ZipCRC:	0x00000000
ZipCompressedSize:	2
ZipUncompressedSize:	-
ZipFileName:	META-INF/com/android/build/gradle/app-metadata.properties

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

132

Monitored processes

7

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2227	english.speaking.course.hindi	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2270	zygote	/system/bin/app_process32		app_process32
User: root Integrity Level: UNKNOWN Exit code: 0
2271	webview_zygote	/system/bin/app_process32	—	app_process32
User: webview_zygote Integrity Level: UNKNOWN Exit code: 0
2297	com.android.traceur	/system/bin/app_process64	—	app_process64
User: u0_a53 Integrity Level: UNKNOWN Exit code: 512
2324	zygote	/system/bin/app_process32		app_process32
User: root Integrity Level: UNKNOWN Exit code: 0
2392	org.chromium.webview_shell	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2435	webview_zygote	/system/bin/app_process32	—	app_process32
User: webview_zygote Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

26

Text files

11

Unknown types

0

Dropped files

PID	Process	Filename		Type
2227	app_process64	/data/data/english.speaking.course.hindi/files/ed43c7fb.dex		compressed
		MD5:—	SHA256:—
2227	app_process64	/data/data/english.speaking.course.hindi/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MTo4ODI1MDc2MzUyMjE6YW5kcm9pZDpjZDY3ZTJjNWU1MThmY2UxZTkwYzFj.xml		xml
		MD5:—	SHA256:—
2227	app_process64	/data/data/english.speaking.course.hindi/shared_prefs/com.google.firebase.messaging.xml		xml
		MD5:—	SHA256:—
2227	app_process64	/data/data/english.speaking.course.hindi/shared_prefs/WebViewChromiumPrefs.xml		xml
		MD5:—	SHA256:—
2227	app_process64	/data/data/english.speaking.course.hindi/app_webview/Default/Local Storage/leveldb/MANIFEST-000001		binary
		MD5:—	SHA256:—
2227	app_process64	/data/data/english.speaking.course.hindi/app_webview/Default/Local Storage/leveldb/000001.dbtmp		text
		MD5:—	SHA256:—
2227	app_process64	/data/data/english.speaking.course.hindi/app_webview/Default/Local Storage/leveldb/CURRENT		text
		MD5:—	SHA256:—
2227	app_process64	/data/data/english.speaking.course.hindi/cache/WebView/Default/HTTP Cache/Code Cache/webui_js/index		binary
		MD5:—	SHA256:—
2227	app_process64	/data/data/english.speaking.course.hindi/cache/WebView/Default/HTTP Cache/Code Cache/js/index		binary
		MD5:—	SHA256:—
2227	app_process64	/data/data/english.speaking.course.hindi/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

4

TCP/UDP connections

22

DNS requests

20

Threats

2

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2392	app_process64	GET	302	57.129.64.230:80	http://push.razkondronging.com/register?uid=71373830FC6AD2310FD072D6773CF87A-FCC5C27EFC0AAB5411BD0DFD176D3DBBA5CEBBAA	unknown	—	—	unknown
—	—	GET	204	216.58.206.67:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
2227	app_process64	GET	200	94.130.169.32:80	http://g2.feradolongricoka.com//client.config/?app=pndr2&format=json&advert_key=ZWMwMDBhMDY3ODAwNDBjZjAwMDA0MGUwMDA0MGUwMDA0MGUwZDExMzNkNmExNQ==&uid=71373830FC6AD2310FD072D6773CF87A-FCC5C27EFC0AAB5411BD0DFD176D3DBBA5CEBBAA&version=64.9&pckg=english.speaking.course.hindi&em=false&ia=14&im=google&id=Pixel_4&utm_source=6C4kMMjxwyqgDAiN6tRDuxHf5euekGeSTnHJsPBs8KWWESZyVQ5B5iYvfSTD13kN5bkdwTH72Qf85sMkNH3aqR6WVqzBtjayKKciYykFRQqTCGEfvd2CszgG1z8LZftGCNTrabqEnTCV2YUethfWuamBtJWR4kD1hbXkPcdcRNVgoiykNLjApoMm9oJwUCgKUjyyzsfWSdMbfJ8j5T1RNSLsQBF8ZJdaivJrf2wRxbGeyN3dHspQtkLts758U&sp_time=6&ne=1&network_operator=Verizon&phone_type=gsm&sim_operator=Verizon&network_vpn=&sim_iso=us&networks=dummy0;lo;buried_eth0&network_type=MOBILE&network_iso=us&gaid=none&pndr_install=1	unknown	—	—	unknown
2392	app_process64	GET	301	98.137.11.163:80	http://yahoo.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
449	mdnsd	224.0.0.251:5353	—	—	—	unknown
—	—	216.239.35.12:123	time.android.com	—	—	whitelisted
—	—	142.250.186.132:443	www.google.com	GOOGLE	US	whitelisted
—	—	216.58.206.67:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.251.18.81:443	staging-remoteprovisioning.sandbox.googleapis.com	GOOGLE	US	whitelisted
2270	app_process32	142.250.185.67:443	clientservices.googleapis.com	GOOGLE	US	whitelisted
2324	app_process32	142.250.185.163:443	update.googleapis.com	GOOGLE	US	whitelisted
2227	app_process64	142.250.186.74:443	firebaseinstallations.googleapis.com	GOOGLE	US	whitelisted
2324	app_process32	142.250.185.142:443	dl.google.com	GOOGLE	US	whitelisted
2392	app_process64	57.129.64.230:80	push.razkondronging.com	—	FR	unknown

DNS requests

Domain	IP	Reputation
connectivitycheck.gstatic.com	216.58.206.67	whitelisted
www.google.com	142.250.186.132	whitelisted
time.android.com	216.239.35.12 216.239.35.8 216.239.35.4 216.239.35.0	whitelisted
google.com	142.250.186.110	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	142.251.18.81	whitelisted
clientservices.googleapis.com	142.250.185.67	whitelisted
firebaseinstallations.googleapis.com	142.250.186.74 216.58.206.74 172.217.18.106 172.217.16.202 142.250.185.138 142.250.185.74 216.58.206.42 142.250.186.42 142.250.185.106 216.58.212.170 142.250.185.170 142.250.186.106 172.217.23.106 142.250.181.234 142.250.185.234 142.250.185.202	whitelisted
update.googleapis.com	142.250.185.163	whitelisted
dl.google.com	142.250.185.142	whitelisted
push.razkondronging.com	57.129.64.230	unknown

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Android Device Connectivity Check
2392	app_process64	Misc Attack	ET DROP Dshield Block Listed Source group 1

Add for printing

No debug info

General Info

Download.apk

8ADEA3B64B224F1010AD5C632BCB544E

D05933A0746D5B488320B55DBD3F1F13F486BD47

C30691D4220BBAAB78435E3F3807DC97E4DE48C59D6A2242838DF3B999425443

98304:kjAuxpJF1KgXg3MZ4e3tDRz80jfWuRjHHDmkUFh8FC+rD6x/ZLXlWYWRQb3+4Bzc:oVtfCRH7hHmX

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Retrieves the ISO country code of the current SIM card

Retrieves the ISO country code of the current network

Launches a new activity

Returns the name of the current network operator

Retrieves the MCC and MNC of the SIM card operator

Establishing a connection

Updates data in the storage of application settings (SharedPreferences)

INFO

Retrieves data from storage of application settings (SharedPreferences)

Dynamically inspects or modifies classes, methods, and fields at runtime

Verifies whether the device is connected to the internet

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings