Malware analysis https://www.mediafire.com/file/rjb5w355o8dsc0f/Delta-2.703.1353-02.apk/file Malicious activity

Add for printing

URL:	https://www.mediafire.com/file/rjb5w355o8dsc0f/Delta-2.703.1353-02.apk/file
Full analysis:	https://app.any.run/tasks/3d0da14c-5b64-4e56-8fd4-946437fc4ada
Verdict:	Malicious activity
Analysis date:	January 17, 2026, 14:32:09
OS:	Android 14
Tags:	obfuscated-js github discord
Indicators:
MD5:	1BB7908F349991DE9DABB792A224FF36
SHA1:	99BB6DE9B0FD21F48FED264A807E914920F85570
SHA256:	DA1B6FB899E23250C8B326BDF4587358434CACCA1F865ABE91BD1F9B2D5B45CA
SSDEEP:	3:N8DSLw3eGUoIKLjJR9SV3+cAn:2OLw3eGztbx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- Detects root access on device
  - app_process64 (PID: 3250)
- Executes system commands or scripts
  - app_process64 (PID: 3250)
SUSPICIOUS
- Accesses system-level resources
  - app_process64 (PID: 3250)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 3250)
- Reads device serial number identifier
  - app_process64 (PID: 3250)
- Establishing a connection
  - app_process64 (PID: 3250)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 3250)
- Accesses memory information
  - app_process64 (PID: 3250)
- Retrieves Android OS build information
  - app_process64 (PID: 3250)
- Retrieves a list of running application processes
  - app_process64 (PID: 3250)
- Launches a new activity
  - app_process64 (PID: 3250)
- Accesses external device storage files
  - app_process64 (PID: 3250)
- Connects to unusual port
  - app_process64 (PID: 3250)
- Checks Bluetooth audio routing status
  - app_process64 (PID: 3250)
INFO
- Retrieves the value of a secure system setting
  - app_process64 (PID: 3250)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 3250)
- Returns elapsed time since boot
  - app_process64 (PID: 3250)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 3250)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 3250)
- Gets file name without full path
  - app_process64 (PID: 3250)
- Loads a native library into the application
  - app_process64 (PID: 3250)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 3250)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 3250)
- Stores data using SQLite database
  - app_process64 (PID: 3250)
- Handles throwable exceptions in the app
  - app_process64 (PID: 3250)
- Dynamically loads a class in Java
  - app_process64 (PID: 3250)
- Detects if debugger is connected
  - app_process64 (PID: 3250)
- Attempting to use instant messaging service
  - app_process64 (PID: 2787)
- Detects device power status
  - app_process64 (PID: 3250)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

146

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2787	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2847	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2865	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
2877	org.chromium.chrome:privileged_process0	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2898	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2966	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
2988	com.android.providers.partnerbookmarks	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
3086	/system/bin/dmesgd	/system/bin/dmesgd	—	init
User: dmesgd Integrity Level: UNKNOWN Exit code: 0
3087	dmesg	/system/bin/toybox	—	dmesgd
User: dmesgd Integrity Level: UNKNOWN Exit code: 0
3088	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

478

Text files

197

Unknown types

Dropped files

PID	Process	Filename		Type
3250	app_process64	/data/data/com.roblox.client/shared_modules/50285346aa69312f47862ddc81a3edcd/gloopversioncache.txt		text
		MD5:—	SHA256:—
3250	app_process64	/data/data/com.roblox.client/shared_prefs/com.google.firebase.messaging.xml		xml
		MD5:—	SHA256:—
3250	app_process64	/data/data/com.roblox.client/shared_prefs/com.google.android.gms.measurement.prefs.xml		xml
		MD5:—	SHA256:—
3250	app_process64	/data/data/com.roblox.client/files/PersistedInstallation4605519451882698226tmp		text
		MD5:—	SHA256:—
3250	app_process64	/data/data/com.roblox.client/files/PersistedInstallation.W0RFRkFVTFRd+MToxMDAxNTUzMjA5MDk6YW5kcm9pZDphMmU0ODY1MDVhZDQzNGY1.json		text
		MD5:—	SHA256:—
3250	app_process64	/data/data/com.roblox.client/cache/journal.tmp		text
		MD5:—	SHA256:—
3250	app_process64	/data/data/com.roblox.client/databases/google_app_measurement_local.db		binary
		MD5:—	SHA256:—
3250	app_process64	/data/data/com.roblox.client/shared_prefs/prefs.xml		xml
		MD5:—	SHA256:—
3250	app_process64	/data/data/com.roblox.client/no_backup/androidx.work.workdb-journal		binary
		MD5:—	SHA256:—
3250	app_process64	/data/data/com.roblox.client/no_backup/androidx.work.workdb-wal		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

522

TCP/UDP connections

280

DNS requests

373

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2787	app_process64	GET	302	104.17.148.83:443	https://www.mediafire.com/cdn-cgi/challenge-platform/scripts/jsd/main.js	unknown	—	—	unknown
—	—	GET	204	216.58.206.68:80	http://www.google.com/gen_204	unknown	—	—	whitelisted
822	app_process64	GET	204	142.251.141.67:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
2787	app_process64	GET	200	104.17.148.83:443	https://www.mediafire.com/file/rjb5w355o8dsc0f/Delta-2.703.1353-02.apk/file	unknown	html	128 Kb	unknown
2787	app_process64	GET	200	104.17.148.83:443	https://static.mediafire.com/images/filetype/file-zip-v3.png	unknown	image	1.83 Kb	unknown
2787	app_process64	GET	200	142.250.186.174:80	http://clients2.google.com/time/1/current?cup2key=9:7Nq6rRIUSsGrc57BvUu4EyrleyySYuCVQUPFNYMN7Bc&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	unknown	—	—	whitelisted
2787	app_process64	GET	200	104.17.148.83:443	https://static.mediafire.com/images/backgrounds/header/mf_logo_full_color.svg	unknown	image	3.28 Kb	unknown
2787	app_process64	GET	200	104.17.148.83:443	https://www.mediafire.com/images/flags_svg/usa.svg	unknown	image	1.44 Kb	unknown
2787	app_process64	GET	200	104.17.148.83:443	https://static.mediafire.com/images/icons/svg_light/twitter.svg	unknown	image	949 b	unknown
2787	app_process64	GET	200	104.17.148.83:443	https://static.mediafire.com/images/icons/svg_light/facebook.svg	unknown	image	401 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
443	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	216.58.206.68:80	www.google.com	GOOGLE	US	whitelisted
—	—	216.58.206.68:443	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.141.67:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
2787	app_process64	142.250.186.174:80	clients2.google.com	GOOGLE	US	whitelisted
2787	app_process64	104.17.148.83:443	www.mediafire.com	CLOUDFLARENET	US	whitelisted
2787	app_process64	216.58.206.68:443	www.google.com	GOOGLE	US	whitelisted
2787	app_process64	64.233.184.84:443	accounts.google.com	GOOGLE	US	whitelisted
2787	app_process64	104.21.42.32:443	cmp.gatekeeperconsent.com	CLOUDFLARENET	US	whitelisted
2787	app_process64	172.67.199.186:443	cmp.gatekeeperconsent.com	CLOUDFLARENET	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.251.140.174	whitelisted
www.google.com	216.58.206.68 142.250.186.132	whitelisted
clients2.google.com	142.250.186.174	whitelisted
www.mediafire.com	104.17.148.83 104.17.147.83	whitelisted
accounts.google.com	64.233.184.84	whitelisted
cmp.gatekeeperconsent.com	104.21.42.32 172.67.199.186	whitelisted
the.gatekeeperconsent.com	104.21.42.32 172.67.199.186	whitelisted
www.googletagmanager.com	172.217.20.136	whitelisted
privacy.gatekeeperconsent.com	172.67.199.186 104.21.42.32	whitelisted
static.mediafire.com	104.17.148.83 104.17.147.83	whitelisted

Threats

PID	Process	Class	Message
2787	app_process64	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2787	app_process64	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2787	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2787	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
822	app_process64	Misc activity	ET INFO Android Device Connectivity Check
2787	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2787	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2787	app_process64	Potentially Bad Traffic	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2787	app_process64	Potentially Bad Traffic	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2787	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)

Add for printing

No debug info

General Info

https://www.mediafire.com/file/rjb5w355o8dsc0f/Delta-2.703.1353-02.apk/file

1BB7908F349991DE9DABB792A224FF36

99BB6DE9B0FD21F48FED264A807E914920F85570

DA1B6FB899E23250C8B326BDF4587358434CACCA1F865ABE91BD1F9B2D5B45CA

3:N8DSLw3eGUoIKLjJR9SV3+cAn:2OLw3eGztbx

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Detects root access on device

Executes system commands or scripts

SUSPICIOUS

Accesses system-level resources

Collects data about the device's environment (JVM version)

Reads device serial number identifier

Establishing a connection

Updates data in the storage of application settings (SharedPreferences)

Accesses memory information

Retrieves Android OS build information

Retrieves a list of running application processes

Launches a new activity

Accesses external device storage files

Connects to unusual port

Checks Bluetooth audio routing status

INFO

Retrieves the value of a secure system setting

Retrieves data from storage of application settings (SharedPreferences)

Returns elapsed time since boot

Dynamically inspects or modifies classes, methods, and fields at runtime

Dynamically registers broadcast event listeners

Gets file name without full path

Loads a native library into the application

Gets the display metrics associated with the device's screen

Verifies whether the device is connected to the internet

Stores data using SQLite database

Handles throwable exceptions in the app

Dynamically loads a class in Java

Detects if debugger is connected

Attempting to use instant messaging service

Detects device power status

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings