Malware analysis https://netmirror.gg/NetMirror.apk Malicious activity

Add for printing

URL:	https://netmirror.gg/NetMirror.apk
Full analysis:	https://app.any.run/tasks/f513d095-d160-4d05-a045-9923e8996f7e
Verdict:	Malicious activity
Analysis date:	February 07, 2026, 18:01:16
OS:	Android 14
Tags:	phishing
Indicators:
MD5:	F0DE6D3262A5C736A3B4D032759A2538
SHA1:	ED7E75752B45AB7DDE7B9AA0A61B293D15E284BA
SHA256:	C622F6B533FF36A892BDC0C83B1D6BD20E927E42633C967B43030A15AC1E5E23
SSDEEP:	3:N8DMXX8w2KXLfn:2CZf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - app_process64 (PID: 2778)
SUSPICIOUS
- Accesses memory information
  - app_process64 (PID: 3255)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 3255)
  - app_process64 (PID: 3359)
- Accesses system-level resources
  - app_process64 (PID: 3255)
- Sets file permissions, owner, and group for a specified path
  - app_process64 (PID: 3359)
INFO
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 3119)
  - app_process64 (PID: 3255)
  - app_process64 (PID: 3359)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 3255)
- Returns elapsed time since boot
  - app_process64 (PID: 3359)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

144

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2778	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2839	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2857	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
2882	<pre-initialized>	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2899	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2947	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
3105	/apex/com.android.art/bin/artd	/apex/com.android.art/bin/artd	—	init
User: artd Integrity Level: UNKNOWN Exit code: 0
3108	/apex/com.android.art/bin/dex2oat32 --zip-fd=6 --zip-location=/data/app/~~lLAIuOmCFCICNtnKRO98Bg==/app.netmirror.netmirrornew-6wRPKImRIIuJpB7L26J07Q==/base.apk --oat-fd=7 --oat-location=/data/app/~~lLAIuOmCFCICNtnKRO98Bg==/app.netmirror.netmirrornew-6wRPKImRIIuJpB7L26J07Q==/oat/arm64/base.odex --output-vdex-fd=8 --swap-fd=9 --class-loader-context=PCL[] --classpath-dir=/data/app/~~lLAIuOmCFCICNtnKRO98Bg==/app.netmirror.netmirrornew-6wRPKImRIIuJpB7L26J07Q== --instruction-set=arm64 --instruction-set-features=default --instruction-set-variant=cortex-a53 --compiler-filter=verify --compilation-reason=install --compact-dex-level=none --max-image-block-size=524288 --resolve-startup-const-strings=true --generate-mini-debug-info --runtime-arg -Xtarget-sdk-version:35 --runtime-arg -Xhidden-api-policy:enabled --runtime-arg -Xms64m --runtime-arg -Xmx512m --comments=app-version-name:3.0,app-version-code:1,art-version:340090000	/apex/com.android.art/bin/dex2oat32	—	artd
User: artd Integrity Level: UNKNOWN Exit code: 0
3119	<pre-initialized>	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 9
3193	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

162

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3255	app_process64	/data/data/app.netmirror.netmirrornew/shared_prefs/WebViewChromiumPrefs.xml		xml
		MD5:—	SHA256:—
3255	app_process64	/data/data/app.netmirror.netmirrornew/cache/http-cache/journal.tmp		text
		MD5:—	SHA256:—
3255	app_process64	/data/data/app.netmirror.netmirrornew/cache/http-cache/c357b8c48d7622e5b83c8ad4e4574a5d.0.tmp		text
		MD5:—	SHA256:—
3255	app_process64	/data/data/app.netmirror.netmirrornew/cache/http-cache/c357b8c48d7622e5b83c8ad4e4574a5d.1.tmp		compressed
		MD5:—	SHA256:—
3255	app_process64	/data/data/app.netmirror.netmirrornew/cache/oat_primary/arm64/base.3255.tmp		binary
		MD5:—	SHA256:—
3359	app_process64	/data/data/app.netmirror.netmirrornew/cache/oat_primary/arm64/base.art		binary
		MD5:—	SHA256:—
3359	app_process64	/data/data/app.netmirror.netmirrornew/shared_prefs/WebViewChromiumPrefs.xml		xml
		MD5:—	SHA256:—
3359	app_process64	/data/data/app.netmirror.netmirrornew/cache/http-cache/journal		text
		MD5:—	SHA256:—
3359	app_process64	/data/data/app.netmirror.netmirrornew/cache/http-cache/c357b8c48d7622e5b83c8ad4e4574a5d.0		text
		MD5:—	SHA256:—
3359	app_process64	/data/data/app.netmirror.netmirrornew/cache/http-cache/c357b8c48d7622e5b83c8ad4e4574a5d.1		compressed
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

252

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2778	app_process64	OPTIONS	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=0nby%2BeSf8ws7M7aYdXrUfb2ih%2FVTwnUokAf5ORRg23rhqqOIwsJli%2FnjSEX%2BeEoLHaJzC6HdghwogGqNb1zLE6kowiGnVoGKPKU%3D	US	—	—	unknown
822	app_process64	GET	204	142.251.141.68:443	https://www.google.com/generate_204	US	—	—	whitelisted
2778	app_process64	OPTIONS	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=0nby%2BeSf8ws7M7aYdXrUfb2ih%2FVTwnUokAf5ORRg23rhqqOIwsJli%2FnjSEX%2BeEoLHaJzC6HdghwogGqNb1zLE6kowiGnVoGKPKU%3D	US	—	—	unknown
822	app_process64	GET	204	142.251.141.68:80	http://www.google.com/gen_204	US	—	—	whitelisted
2778	app_process64	POST	200	142.251.127.84:443	https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&laf=b64bin&json=standard	US	—	—	whitelisted
2778	app_process64	GET	200	216.58.206.46:80	http://clients2.google.com/time/1/current?cup2key=9:qykG3WysQcpyQISLVs4fDz9p-Jxnp2Br9lyLE8-duwM&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	105 b	whitelisted
822	app_process64	GET	204	172.217.16.163:80	http://connectivitycheck.gstatic.com/generate_204	US	—	—	whitelisted
2778	app_process64	POST	400	142.251.141.138:443	https://androidchromeprotect.pa.googleapis.com/v1/download	US	text	586 b	whitelisted
2778	app_process64	POST	—	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=0nby%2BeSf8ws7M7aYdXrUfb2ih%2FVTwnUokAf5ORRg23rhqqOIwsJli%2FnjSEX%2BeEoLHaJzC6HdghwogGqNb1zLE6kowiGnVoGKPKU%3D	US	—	—	unknown
1756	app_process64	POST	200	64.233.167.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain	US	binary	778 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
443	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.251.141.68:443	www.google.com	GOOGLE	US	whitelisted
—	—	172.217.16.163:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
822	app_process64	142.251.141.68:80	www.google.com	GOOGLE	US	whitelisted
2778	app_process64	216.58.206.46:80	clients2.google.com	GOOGLE	US	whitelisted
2778	app_process64	172.67.155.16:443	netmirror.gg	CLOUDFLARENET	US	whitelisted
2778	app_process64	142.251.127.84:443	accounts.google.com	GOOGLE	US	whitelisted
2778	app_process64	142.251.141.68:443	www.google.com	GOOGLE	US	whitelisted
2778	app_process64	35.190.80.1:443	a.nel.cloudflare.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
2778	app_process64	142.251.141.138:443	androidchromeprotect.pa.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
connectivitycheck.gstatic.com	172.217.16.163	whitelisted
www.google.com	142.251.141.68	whitelisted
google.com	142.251.141.110	whitelisted
clients2.google.com	216.58.206.46	whitelisted
netmirror.gg	172.67.155.16 104.21.80.229	whitelisted
accounts.google.com	142.251.127.84	whitelisted
a.nel.cloudflare.com	35.190.80.1	whitelisted
androidchromeprotect.pa.googleapis.com	142.251.141.138	whitelisted
time.android.com	216.239.35.8 216.239.35.0 216.239.35.4 216.239.35.12	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	64.233.167.81	whitelisted

Threats

PID	Process	Class	Message
2778	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2778	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
822	app_process64	Misc activity	ET INFO Android Device Connectivity Check
339	netd	Misc activity	INFO [ANY.RUN] .cc TLD domain request
339	netd	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2778	app_process64	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Domain (ey43 .com)
2778	app_process64	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Domain (ey43 .com)
339	netd	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
339	netd	Misc activity	ET TA_ABUSED_SERVICES Observed DNS Query to Real-time Web Stats Domain (whos .amung .us)

Add for printing

No debug info

General Info

https://netmirror.gg/NetMirror.apk

F0DE6D3262A5C736A3B4D032759A2538

ED7E75752B45AB7DDE7B9AA0A61B293D15E284BA

C622F6B533FF36A892BDC0C83B1D6BD20E927E42633C967B43030A15AC1E5E23

3:N8DMXX8w2KXLfn:2CZf

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

SUSPICIOUS

Accesses memory information

Collects data about the device's environment (JVM version)

Accesses system-level resources

Sets file permissions, owner, and group for a specified path

INFO

Dynamically inspects or modifies classes, methods, and fields at runtime

Verifies whether the device is connected to the internet

Returns elapsed time since boot

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings