URL:

https://links.magis-tv.tv/down.mgssm

Full analysis: https://app.any.run/tasks/b5d7a14c-cc14-4547-8420-ab3e54287e03
Verdict: Malicious activity
Analysis date: June 04, 2025, 20:00:50
OS: Android 14
Tags:
qrcode
websocket
Indicators:
MD5:

D79C81A9709CD8FEEE78443C786E6734

SHA1:

13AE4A083E49ED8F10FECC9A0918F2D82DD138AB

SHA256:

DD2A0FED0C632E5EEC953FF317D0B5820CE5404D0C30442AE610C5E1FA311721

SSDEEP:

3:N8MLPP1LRN48Zn:2MjN4Kn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes system commands or scripts

      • app_process64 (PID: 2545)

  • SUSPICIOUS

    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2545)

    • Accesses system-level resources

      • app_process64 (PID: 2545)

    • Detects Xposed framework for modifications

      • app_process64 (PID: 2545)

    • Retrieves a list of running application processes

      • app_process64 (PID: 2545)

    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 2545)

    • Uses encryption API functions

      • app_process64 (PID: 2545)

    • Accesses memory information

      • app_process64 (PID: 2545)

    • Establishing a connection

      • app_process64 (PID: 2545)

    • Accesses external device storage files

      • app_process64 (PID: 2545)

    • Returns the name of the current network operator

      • app_process64 (PID: 2545)

    • Detects when screen powers off

      • app_process64 (PID: 2545)

    • Starts a service

      • app_process64 (PID: 2545)

    • Launches a new activity

      • app_process64 (PID: 2545)

  • INFO

    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 2545)

    • Loads a native library into the application

      • app_process64 (PID: 2545)

    • Stores data using SQLite database

      • app_process64 (PID: 2545)

    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2545)

    • Dynamically loads a class in Java

      • app_process64 (PID: 2545)

    • Returns elapsed time since boot

      • app_process64 (PID: 2545)

    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 2545)

    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 2545)

    • Listens for connection changes

      • app_process64 (PID: 2545)

    • Gets file name without full path

      • app_process64 (PID: 2545)

    • Gets the display metrics associated with the device's screen

      • app_process64 (PID: 2545)

    • Attempting to connect via WebSocket

      • app_process64 (PID: 2545)

    • Detects device power status

      • app_process64 (PID: 2545)

    • Retrieves the value of a secure system setting

      • app_process64 (PID: 2545)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
151
Monitored processes
28
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start app_process64 app_process64 no specs app_process64 no specs app_process64 no specs app_process64 no specs app_process64 no specs artd no specs dex2oat32 no specs app_process64 toolbox no specs toolbox no specs toolbox no specs toybox no specs app_process64 no specs app_process64 no specs toybox no specs toybox no specs toybox no specs toybox no specs toolbox no specs toolbox no specs toolbox no specs toolbox no specs toybox no specs toybox no specs toybox no specs toybox no specs app_process64 no specs

Process information

PID
CMD
Path
Indicators
Parent process
2213<pre-initialized> /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2258org.chromium.chrome_zygote /system/bin/app_process64app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2274org.chromium.chrome_zygote /system/bin/app_process64app_process64
User:
u0_a73
Integrity Level:
UNKNOWN
Exit code:
0
2310org.chromium.chrome:privileged_process0 /system/bin/app_process64app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2331<pre-initialized> /system/bin/app_process64app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2400org.chromium.chrome_zygote /system/bin/app_process64app_process64
User:
u0_a73
Integrity Level:
UNKNOWN
Exit code:
0
2529/apex/com.android.art/bin/artd/apex/com.android.art/bin/artdinit
User:
artd
Integrity Level:
UNKNOWN
Exit code:
0
2532/apex/com.android.art/bin/dex2oat32 --zip-fd=6 --zip-location=/data/app/~~lCClePvHZ8nrUEuS2-lZRA==/com.msandroid.mobile-QNr8SIqyNL9042AR2635Mg==/base.apk --oat-fd=7 --oat-location=/data/app/~~lCClePvHZ8nrUEuS2-lZRA==/com.msandroid.mobile-QNr8SIqyNL9042AR2635Mg==/oat/arm64/base.odex --output-vdex-fd=8 --swap-fd=9 --class-loader-context=PCL[] --classpath-dir=/data/app/~~lCClePvHZ8nrUEuS2-lZRA==/com.msandroid.mobile-QNr8SIqyNL9042AR2635Mg== --instruction-set=arm64 --instruction-set-features=default --instruction-set-variant=cortex-a53 --compiler-filter=verify --compilation-reason=install --compact-dex-level=none --max-image-block-size=524288 --resolve-startup-const-strings=true --generate-mini-debug-info --runtime-arg -Xtarget-sdk-version:33 --runtime-arg -Xhidden-api-policy:enabled --runtime-arg -Xms64m --runtime-arg -Xmx512m --comments=app-version-name:5.13.6,app-version-code:51306,art-version:340090000/apex/com.android.art/bin/dex2oat32artd
User:
artd
Integrity Level:
UNKNOWN
Exit code:
0
2545com.msandroid.mobile /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2597getprop debug.dns.enable/system/bin/toolboxapp_process64
User:
u0_a109
Integrity Level:
UNKNOWN
Exit code:
15
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
78
Text files
172
Unknown types
75

Dropped files

PID
Process
Filename
Type
2545app_process64/data/data/com.msandroid.mobile/files/PersistedInstallation1588987864910930046tmpbinary
MD5:
SHA256:
2545app_process64/data/data/com.msandroid.mobile/files/PersistedInstallation.W0RFRkFVTFRd+MToxODc2NzUyNDY3NTphbmRyb2lkOmM3NGYwM2Y4YTg2ODE1YzUzNWY1ZjY.jsonbinary
MD5:
SHA256:
2545app_process64/data/data/com.msandroid.mobile/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MToxODc2NzUyNDY3NTphbmRyb2lkOmM3NGYwM2Y4YTg2ODE1YzUzNWY1ZjY.xmlxml
MD5:
SHA256:
2545app_process64/data/data/com.msandroid.mobile/shared_prefs/com.google.firebase.crashlytics.xmlxml
MD5:
SHA256:
2545app_process64/data/data/com.msandroid.mobile/shared_prefs/com.google.firebase.messaging.xmlxml
MD5:
SHA256:
2545app_process64/data/data/com.msandroid.mobile/no_backup/androidx.work.workdb-journalbinary
MD5:
SHA256:
2545app_process64/data/data/com.msandroid.mobile/no_backup/androidx.work.workdb-walbinary
MD5:
SHA256:
2597toolbox/data/data/com.msandroid.mobile/no_backup/androidx.work.workdb-walbinary
MD5:
SHA256:
2597toolbox/data/data/com.msandroid.mobile/databases/com.google.android.datatransport.eventssqlite
MD5:
SHA256:
2597toolbox/data/data/com.msandroid.mobile/no_backup/androidx.work.workdb-shmbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
54
DNS requests
54
Threats
28

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/02b070c2-a37b-40ca-966e-c2a1fceead4c.png
unknown
unknown
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/5546b26c-0405-46bb-adde-ef02d8937311.jpg
unknown
unknown
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/cee8fe1d-1f20-45ab-a089-46f49e333d9e.jpg
unknown
unknown
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/2ca52e36-0e53-4bf8-84dc-d5a1cb62c963.jpg
unknown
unknown
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/c725ebdd-c681-4f8a-9ed7-8a7262d50f34.jpg
unknown
unknown
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/55fc3fe0-7633-4878-b798-03da14a06a44.png
unknown
unknown
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/3f0e8bf8-6679-44e8-b421-25ea3524b8ee.png
unknown
unknown
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/f0b69ed6-ec06-4830-bfcb-cca50c3e31d8.gif
unknown
unknown
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/2326f299-b839-4a20-9b00-3c8f6c4dc019.png
unknown
unknown
2545
app_process64
GET
200
188.114.97.3:80
http://pwel.sdxpkgyaq.com/media/adsys/4d78ff8c-fc5c-406d-b2f6-403aa128ed86.jpg
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
446
mdnsd
224.0.0.251:5353
unknown
216.239.35.12:123
time.android.com
whitelisted
216.58.206.36:443
www.google.com
GOOGLE
US
whitelisted
142.250.186.67:80
connectivitycheck.gstatic.com
GOOGLE
US
whitelisted
74.125.133.81:443
staging-remoteprovisioning.sandbox.googleapis.com
GOOGLE
US
whitelisted
2213
app_process64
142.250.186.142:80
clients2.google.com
GOOGLE
US
whitelisted
2213
app_process64
104.21.48.1:443
links.magis-tv.tv
unknown
2213
app_process64
216.58.206.36:443
www.google.com
whitelisted
2213
app_process64
74.125.71.84:443
accounts.google.com
GOOGLE
US
whitelisted
2213
app_process64
104.21.5.210:443
app.magistvcl.com
unknown

DNS requests

Domain
IP
Reputation
www.google.com
  • 216.58.206.36
whitelisted
connectivitycheck.gstatic.com
  • 142.250.186.67
whitelisted
time.android.com
  • 216.239.35.12
  • 216.239.35.8
  • 216.239.35.4
  • 216.239.35.0
whitelisted
staging-remoteprovisioning.sandbox.googleapis.com
  • 74.125.133.81
whitelisted
google.com
  • 142.250.184.238
whitelisted
clients2.google.com
  • 142.250.186.142
whitelisted
links.magis-tv.tv
  • 104.21.48.1
  • 104.21.112.1
  • 104.21.16.1
  • 104.21.96.1
  • 104.21.64.1
  • 104.21.32.1
  • 104.21.80.1
unknown
accounts.google.com
  • 74.125.71.84
whitelisted
app.magistvcl.com
  • 104.21.5.210
  • 172.67.133.217
unknown
androidchromeprotect.pa.googleapis.com
  • 216.58.206.42
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Android Device Connectivity Check
2213
app_process64
Generic Protocol Command Decode
SURICATA Applayer Wrong direction first Data
2213
app_process64
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2213
app_process64
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2213
app_process64
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2213
app_process64
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2213
app_process64
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2213
app_process64
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2213
app_process64
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2213
app_process64
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://links.magis-tv.tv/down.mgssm