File name: fcm-ayuGram-universal-20250101.apk

Full analysis: https://app.any.run/tasks/6a34082e-ad32-47a4-9092-354f791af33a
Verdict: Malicious activity
Analysis date: July 07, 2025, 07:28:57
OS: Android 14
Indicators:
MIME: application/vnd.android.package-archive
File info: Android package (APK), with gradle app-metadata.properties
MD5: 33A3B30490F63EB9F0573F1D512F6702
SHA1: 30AF42802488B4BAC65EE611FADD0FEB747F6726
SHA256: D1EDA16535C07006AD20D07B831A9A44E087789C7949BE0016851C036C5CA2E0
SSDEEP: 393216:rFhCIvXNuEXwFU4UH/o27BE1dL0EdmrfFG1iINOzR8a/41NzZs74rHFz0U73Pvl0:LJfBAFU4Mx7YxHdm0Y2zZzDfJkh3laL0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Checks whether the screen is currently on

      • app_process64 (PID: 2265)
  • SUSPICIOUS

    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 2265)
    • Scans for popular installed apps

      • app_process64 (PID: 2265)
    • Acquires a wake lock to keep the device awake

      • app_process64 (PID: 2265)
    • Accesses system-level resources

      • app_process64 (PID: 2265)
    • Detects presence of QEMU emulator

      • app_process64 (PID: 2265)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • app_process64 (PID: 2265)
    • Retrieves installed applications on device

      • app_process64 (PID: 2265)
    • Connects to unusual port

      • app_process64 (PID: 2265)
    • Creates a WakeLock to manage power state

      • app_process64 (PID: 2265)
    • Establishing a connection

      • app_process64 (PID: 2265)
    • Accesses external device storage files

      • app_process64 (PID: 2265)
    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2265)
    • Detects when screen powers off

      • app_process64 (PID: 2265)
    • Gets data of saved accounts

      • app_process64 (PID: 2265)
  • INFO

    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 2265)
    • Returns elapsed time since boot

      • app_process64 (PID: 2265)
    • Stores data using SQLite database

      • app_process64 (PID: 2265)
    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2265)
    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 2265)
    • Detects if debugger is connected

      • app_process64 (PID: 2265)
    • Creates and writes local files

      • app_process64 (PID: 2265)
    • Retrieves CPU core information

      • app_process64 (PID: 2265)
    • Gets the display metrics associated with the device's screen

      • app_process64 (PID: 2265)
    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 2265)
    • Loads a native library into the application

      • app_process64 (PID: 2265)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion: -
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 1981:01:01 01:01:02
ZipCRC: 0x20a6d9aa
ZipCompressedSize: 52
ZipUncompressedSize: 56
ZipFileName: META-INF/com/android/build/gradle/app-metadata.properties
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph


Process information

PID | CMD | Path | Indicators | Parent process
2265 | org.telegram.messenger | /system/bin/app_process64 | - | app_process64
User: root
Integrity Level: UNKNOWN
Exit code: 0
2474 | org.chromium.chrome | /system/bin/app_process64 | - | app_process64
User: root
Integrity Level: UNKNOWN
Exit code: 0
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 87
Text files: 58
Unknown types: 20

Dropped files

PID | Process | Filename | Type
2265 | app_process64 | /data/data/org.telegram.messenger/files/PersistedInstallation2060377087250247041tmp | binary
2265 | app_process64 | /data/data/org.telegram.messenger/files/PersistedInstallation.W0RFRkFVTFRd+MToyNDExODg1MDYyNzE6YW5kcm9pZDpiNDNjMzY2MDRkZGQwMjdhN2ZiMGFh.json | binary
2265 | app_process64 | /data/data/org.telegram.messenger/shared_prefs/com.google.firebase.crashlytics.xml | xml
2265 | app_process64 | /data/data/org.telegram.messenger/files/.com.google.firebase.crashlytics.files.v2:org.telegram.messenger/open-sessions/686B775F0086000108D9564DA1B1C43D/report | binary
2265 | app_process64 | /data/data/org.telegram.messenger/shared_prefs/com.google.firebase.messaging.xml | xml
2265 | app_process64 | /data/data/org.telegram.messenger/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MToyNDExODg1MDYyNzE6YW5kcm9pZDpiNDNjMzY2MDRkZGQwMjdhN2ZiMGFh.xml | xml
2265 | app_process64 | /data/data/org.telegram.messenger/shared_prefs/com.google.android.gms.measurement.prefs.xml | xml
2265 | app_process64 | /data/data/org.telegram.messenger/databases/google_app_measurement_local.db | sqlite
2265 | app_process64 | /data/data/org.telegram.messenger/files/cache4.db-journal | binary
2265 | app_process64 | /data/data/org.telegram.messenger/files/tgnet.dat | binary
MD5 and SHA256 of the dropped files are not given in this extract.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 145
DNS requests: 11
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 204 | 142.250.74.196:80 | http://www.google.com/gen_204 | US | - | - | whitelisted
- | - | GET | 204 | 142.250.185.131:80 | http://connectivitycheck.gstatic.com/generate_204 | US | - | - | whitelisted
- | - | GET | 204 | 142.250.186.164:443 | https://www.google.com/generate_204 | US | - | - | unknown
- | - | GET | 204 | 142.250.185.131:80 | http://connectivitycheck.gstatic.com/generate_204 | US | - | - | whitelisted
- | - | POST | 200 | 142.250.27.81:443 | https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain | US | binary | 699 b | whitelisted
- | - | GET | 200 | 216.58.206.35:443 | https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1:241188506271:android:b43c36604ddd027a7fb0aa/settings?instance=f21a58d87e2a8d49f7593b64c26ff13e997235ed&build_version=55119&display_version=11.5.3&source=1 | US | binary | 748 b | whitelisted
- | - | GET | 200 | 104.21.23.24:443 | https://cdn.jsdelivr.net/npm/@fawazahmed0/currency-api@2025-07-07/v1/currencies/usd.json | US | binary | 7.30 Kb | whitelisted
- | - | POST | 200 | 142.250.185.74:443 | https://firebaseinstallations.googleapis.com/v1/projects/ayugram-c6a31/installations | US | binary | 630 b | whitelisted
- | - | GET | 200 | 8.8.4.4:443 | https://dns.google.com/resolve?name=apv3.stel.com&type=ANY&random_padding=tIFJUIFBH5QWmnwFCYEIEQ42H6UIbegXGBL9PvcLl7xVS8MGZTspPkRbF43cVujuPf7cu7GNguq0OGmSU4yUF5uAkJPxd1icwxRG | US | binary | 580 b | whitelisted
- | - | GET | 200 | 172.217.18.14:443 | https://app-measurement.com/config/app/1%3A241188506271%3Aandroid%3Ab43c36604ddd027a7fb0aa?platform=android&gmp_version=79000&runtime_version=0 | US | binary | 875 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
446 | mdnsd | 224.0.0.251:5353 | - | - | - | unknown
- | - | 142.250.185.131:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
- | - | 142.250.74.196:443 | www.google.com | GOOGLE | US | whitelisted
- | - | 142.250.74.196:80 | www.google.com | GOOGLE | US | whitelisted
- | - | 216.239.35.4:123 | time.android.com | - | - | whitelisted
- | - | 108.177.15.81:443 | staging-remoteprovisioning.sandbox.googleapis.com | GOOGLE | US | whitelisted
- | - | 216.239.35.8:123 | time.android.com | - | - | whitelisted
573 | app_process64 | 216.239.35.0:123 | time.android.com | - | - | whitelisted
573 | app_process64 | 216.239.35.12:123 | time.android.com | - | - | whitelisted
2265 | app_process64 | 142.250.186.35:443 | firebase-settings.crashlytics.com | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
www.google.com
  • 142.250.74.196
whitelisted
connectivitycheck.gstatic.com
  • 142.250.185.131
whitelisted
google.com
  • 142.250.181.238
whitelisted
time.android.com
  • 216.239.35.4
  • 216.239.35.8
  • 216.239.35.0
  • 216.239.35.12
whitelisted
staging-remoteprovisioning.sandbox.googleapis.com
  • 108.177.15.81
whitelisted
firebase-settings.crashlytics.com
  • 142.250.186.35
whitelisted
firebaseinstallations.googleapis.com
  • 172.217.16.138
  • 142.250.181.234
  • 142.250.184.234
  • 142.250.185.234
  • 142.250.186.42
  • 142.250.186.170
  • 172.217.16.202
  • 142.250.186.106
  • 142.250.186.74
  • 142.250.186.138
  • 142.250.184.202
  • 216.58.206.42
  • 216.58.206.74
  • 142.250.74.202
  • 216.58.212.170
  • 172.217.18.10
whitelisted
cdn.jsdelivr.net
  • 104.16.175.226
  • 104.16.174.226
whitelisted
dns.google.com
  • 8.8.8.8
  • 8.8.4.4
whitelisted
app-measurement.com
  • 142.250.184.206
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Android Device Connectivity Check
- | - | Misc activity | ET INFO Android Device Connectivity Check
342 | netd | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2265 | app_process64 | Misc activity | ET INFO Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI)
No debug info