Malware analysis https://cloudfam.io/bd29821cc44e Malicious activity

Add for printing

URL:	https://cloudfam.io/bd29821cc44e
Full analysis:	https://app.any.run/tasks/08e616cc-1cef-496f-8c08-53197d0479f6
Verdict:	Malicious activity
Threats:	Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage. Malware Trends Tracker >>>
Analysis date:	March 20, 2026, 00:27:39
OS:	Android 14
Tags:	obfuscated-js promptspy spyware
Indicators:
MD5:	434EF96E2F80D29F2BCFEB18AC290395
SHA1:	070A99DCEE91D03D37206C0F66597EBEC8AF06A8
SHA256:	C99D09E0E4A44B8F1249F4555C684FAB1BC4E1C64A16C5C94CCEF9AE724DB524
SSDEEP:	3:N8ULBDl9v:2UrN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- PROMPTSPY has been detected
  - app_process64 (PID: 3394)
- Hides app icon from display
  - app_process64 (PID: 3394)
SUSPICIOUS
- Accesses system-level resources
  - app_process64 (PID: 3394)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 3394)
- Retrieves Android OS build information
  - app_process64 (PID: 3394)
- Retrieves a list of running application processes
  - app_process64 (PID: 3394)
- Returns the name of the current network operator
  - app_process64 (PID: 3394)
- Accesses external device storage files
  - app_process64 (PID: 3394)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 3394)
- Establishing a connection
  - app_process64 (PID: 3394)
- Uses encryption API functions
  - app_process64 (PID: 3394)
- Retrieves current clipboard content
  - app_process64 (PID: 3394)
- Retrieves the ISO country code of the current SIM card
  - app_process64 (PID: 3394)
- Launches a new activity
  - app_process64 (PID: 3394)
- Queries device location using GPS
  - app_process64 (PID: 3394)
- Monitors changes in clipboard content
  - app_process64 (PID: 3394)
- Alters device audio routing settings
  - app_process64 (PID: 3394)
- Retrieves additional components with DownloadManager
  - app_process64 (PID: 3394)
- Retrieves installed applications on device
  - app_process64 (PID: 3394)
- Abuses foreground service for persistence
  - app_process64 (PID: 3394)
INFO
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 3394)
- Stores data using SQLite database
  - app_process64 (PID: 3394)
- Loads a native library into the application
  - app_process64 (PID: 3394)
- Returns elapsed time since boot
  - app_process64 (PID: 3394)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 3394)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 3394)
- Gets file name without full path
  - app_process64 (PID: 3394)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 3394)
- Retrieves CPU core information
  - app_process64 (PID: 3394)
- Handles throwable exceptions in the app
  - app_process64 (PID: 3394)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 3394)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 3394)
- Detects if debugger is connected
  - app_process64 (PID: 3394)
- Creates and writes local files
  - app_process64 (PID: 3394)
- Dynamically loads a class in Java
  - app_process64 (PID: 3394)
- Listens for changes in sensors
  - app_process64 (PID: 3394)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2780	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2832	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2849	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
2882	org.chromium.chrome:privileged_process0	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2902	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2961	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
2982	com.android.providers.partnerbookmarks	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
3064	/system/bin/dmesgd	/system/bin/dmesgd	—	init
User: dmesgd Integrity Level: UNKNOWN Exit code: 0
3065	dmesg	/system/bin/toybox	—	dmesgd
User: dmesgd Integrity Level: UNKNOWN Exit code: 0
3066	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

246

Unknown types

Dropped files

PID	Process	Filename		Type
3147	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.gBsBgD/list.pb		binary
		MD5:—	SHA256:—
3147	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.gBsBgD/manifest.json		text
		MD5:—	SHA256:—
3147	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.gBsBgD/LICENSE		text
		MD5:—	SHA256:—
3147	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.gBsBgD/_metadata/verified_contents.json		text
		MD5:—	SHA256:—
3147	app_process64	/data/data/org.chromium.chrome/app_chrome/component_crx_cache/cab4d1f0a6a2a1afecae808a520f6690dd2b9d58bf54762877f2dc9715d55461		binary
		MD5:—	SHA256:—
3180	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.RKPJn5/privacy-sandbox-attestations.dat		binary
		MD5:—	SHA256:—
3180	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.RKPJn5/manifest.json		text
		MD5:—	SHA256:—
3180	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.RKPJn5/_metadata/verified_contents.json		text
		MD5:—	SHA256:—
3180	app_process64	/data/data/org.chromium.chrome/app_chrome/component_crx_cache/38c89b12bb20a8f2751c9c7cd2e31c173a47af08c115e1ecccc2f5151a2cf2c6		binary
		MD5:—	SHA256:—
3224	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.Q955tq/decoded_xz		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

249

TCP/UDP connections

208

DNS requests

109

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2780	app_process64	GET	302	31.171.131.211:443	https://cloudfam.io/bd29821cc44e	US	—	—	unknown
2780	app_process64	HEAD	200	31.171.131.211:443	https://cloudfam.io/redirection0.php?slug=bd29821cc44e&token=f99cb3c15604fe4cd34e1e2bce844fe5	US	—	—	unknown
2780	app_process64	GET	302	104.26.3.143:443	https://cdn.tailwindcss.com/	US	—	—	whitelisted
2780	app_process64	GET	200	31.171.131.211:443	https://cloudfam.io/redirection0.php?slug=bd29821cc44e&token=f99cb3c15604fe4cd34e1e2bce844fe5	US	html	652 Kb	unknown
822	app_process64	GET	204	142.251.127.106:443	https://www.google.com/generate_204	US	—	—	whitelisted
2780	app_process64	GET	200	142.251.127.101:80	http://clients2.google.com/time/1/current?cup2key=9:7bOOOLfb1gfp2RdYKpXZXJPnSGnv52_RlPd367EZF0k&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	105 b	whitelisted
—	—	GET	204	142.251.127.104:80	http://www.google.com/gen_204	US	—	—	whitelisted
2780	app_process64	HEAD	200	139.45.197.165:443	https://hwnsopghuafi.com/	GB	—	—	unknown
2780	app_process64	GET	200	31.171.131.211:443	https://cloudfam.io/assets/js/app-core.js	US	text	17.2 Kb	unknown
2780	app_process64	GET	200	104.26.3.143:443	https://cdn.tailwindcss.com/3.4.17	US	text	397 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	216.58.206.35:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
443	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.251.127.105:443	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.127.104:80	www.google.com	GOOGLE	US	whitelisted
2780	app_process64	142.251.127.101:80	google.com	GOOGLE	US	whitelisted
2780	app_process64	31.171.131.211:443	cloudfam.io	ULTAHOST-AS	US	unknown
2780	app_process64	142.251.127.84:443	accounts.google.com	GOOGLE	US	whitelisted
2780	app_process64	142.251.127.99:443	www.google.com	GOOGLE	US	whitelisted
2780	app_process64	216.58.206.42:443	fonts.googleapis.com	GOOGLE	US	whitelisted
2780	app_process64	142.251.141.67:443	fonts.gstatic.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.251.127.139 142.251.127.113 142.251.127.100 142.251.127.101 142.251.127.138 142.251.127.102	whitelisted
www.google.com	142.251.127.103 142.251.127.105 142.251.127.104 142.251.127.106 142.251.127.147 142.251.127.99	whitelisted
clients2.google.com	142.251.127.101 142.251.127.102 142.251.127.138 142.251.127.139 142.251.127.100 142.251.127.113	whitelisted
cloudfam.io	31.171.131.211	unknown
accounts.google.com	142.251.127.84	whitelisted
fonts.googleapis.com	216.58.206.42	whitelisted
cdn.tailwindcss.com	104.26.3.143 172.67.68.11 104.26.2.143	whitelisted
unpkg.com	104.18.1.22 104.18.0.22	whitelisted
www.paypal.com	151.101.65.21 151.101.129.21 151.101.1.21 151.101.193.21	whitelisted
fonts.gstatic.com	142.251.141.67	whitelisted

Threats

PID	Process	Class	Message
2780	app_process64	Misc activity	SUSPICIOUS [ANY.RUN] JavaScript Obfuscation (ParseInt)
2780	app_process64	Misc activity	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
2780	app_process64	Misc activity	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
2780	app_process64	Misc activity	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
822	app_process64	Misc activity	ET INFO Android Device Connectivity Check
2780	app_process64	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Possible Malicious CrossDomain (usrpubtrk .com)
2780	app_process64	Misc activity	SUSPICIOUS [ANY.RUN] JavaScript Obfuscation (ParseInt)
2780	app_process64	Misc activity	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
2780	app_process64	Misc activity	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
2780	app_process64	Misc activity	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3

Add for printing

No debug info

General Info

https://cloudfam.io/bd29821cc44e

434EF96E2F80D29F2BCFEB18AC290395

070A99DCEE91D03D37206C0F66597EBEC8AF06A8

C99D09E0E4A44B8F1249F4555C684FAB1BC4E1C64A16C5C94CCEF9AE724DB524

3:N8ULBDl9v:2UrN

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

PROMPTSPY has been detected

Hides app icon from display

SUSPICIOUS

Accesses system-level resources

Collects data about the device's environment (JVM version)

Retrieves Android OS build information

Retrieves a list of running application processes

Returns the name of the current network operator

Accesses external device storage files

Updates data in the storage of application settings (SharedPreferences)

Establishing a connection

Uses encryption API functions

Retrieves current clipboard content

Retrieves the ISO country code of the current SIM card

Launches a new activity

Queries device location using GPS

Monitors changes in clipboard content

Alters device audio routing settings

Retrieves additional components with DownloadManager

Retrieves installed applications on device

Abuses foreground service for persistence

INFO

Dynamically inspects or modifies classes, methods, and fields at runtime

Stores data using SQLite database

Loads a native library into the application

Returns elapsed time since boot

Retrieves data from storage of application settings (SharedPreferences)

Verifies whether the device is connected to the internet

Gets file name without full path

Dynamically registers broadcast event listeners

Retrieves CPU core information

Handles throwable exceptions in the app

Retrieves the value of a secure system setting

Gets the display metrics associated with the device's screen

Detects if debugger is connected

Creates and writes local files

Dynamically loads a class in Java

Listens for changes in sensors

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings