File name: fcm-ayuGram-universal-20240520.apk
Full analysis: https://app.any.run/tasks/d8f5c7e1-6d74-405a-a1da-e55a4f81cf7b
Verdict: Malicious activity
Analysis date: July 07, 2025, 05:45:39
OS: Android 14
Indicators:
MIME: application/vnd.android.package-archive
File info: Android package (APK), with gradle app-metadata.properties
MD5: 37421C991EC87F6A66EF5CC6DB78DE53
SHA1: 90818DC54AF204E67AB15FB109FD66F750E3CB7F
SHA256: EA8F4B4F9D56481AC7AF88361CA6AEDB1DF40B52D07060FEF116DAC9CD254806
SSDEEP: 393216:EkPVaTOV5NReVAgS1xxUoXwuSdM2/Yy/5zVMHgtpk/qSvV+mcApN9:dPVaYsVNSjxMdT/p/5fz6nr9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Checks whether the screen is currently on

      • app_process64 (PID: 2262)
  • SUSPICIOUS

    • Scans for popular installed apps

      • app_process64 (PID: 2262)
    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 2262)
    • Creates a WakeLock to manage power state

      • app_process64 (PID: 2262)
    • Accesses system-level resources

      • app_process64 (PID: 2262)
    • Establishing a connection

      • app_process64 (PID: 2262)
    • Acquires a wake lock to keep the device awake

      • app_process64 (PID: 2262)
    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2262)
    • Detects when screen powers off

      • app_process64 (PID: 2262)
    • Accesses external device storage files

      • app_process64 (PID: 2262)
    • Detects presence of QEMU emulator

      • app_process64 (PID: 2262)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • app_process64 (PID: 2262)
    • Gets data of saved accounts

      • app_process64 (PID: 2262)
    • Retrieves installed applications on device

      • app_process64 (PID: 2262)
    • Connects to unusual port

      • app_process64 (PID: 2262)
  • INFO

    • Returns elapsed time since boot

      • app_process64 (PID: 2262)
    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 2262)
    • Retrieves CPU core information

      • app_process64 (PID: 2262)
    • Gets the display metrics associated with the device's screen

      • app_process64 (PID: 2262)
    • Detects if debugger is connected

      • app_process64 (PID: 2262)
    • Dynamically loads a class in Java

      • app_process64 (PID: 2262)
    • Stores data using SQLite database

      • app_process64 (PID: 2262)
    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 2262)
    • Creates and writes local files

      • app_process64 (PID: 2262)
    • Loads a native library into the application

      • app_process64 (PID: 2262)
    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 2262)
    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2262)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion: -
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 1981:01:01 01:01:02
ZipCRC: 0x05cd8676
ZipCompressedSize: 52
ZipUncompressedSize: 56
ZipFileName: META-INF/com/android/build/gradle/app-metadata.properties
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → app_process64 → app_process64; nine further app_process64 processes (no specs)

Process information

PID  | CMD                        | Path                      | Parent process | User   | Integrity Level | Exit code
2262 | org.telegram.messenger     | /system/bin/app_process64 | app_process64  | root   | UNKNOWN         | 0
2465 | org.chromium.chrome        | /system/bin/app_process64 | app_process64  | root   | UNKNOWN         | 0
2534 | <pre-initialized>          | /system/bin/app_process64 | app_process64  | root   | UNKNOWN         | 0
2560 | com.android.adservices.api | /system/bin/app_process64 | app_process64  | root   | UNKNOWN         | 0
2610 | org.chromium.chrome_zygote | /system/bin/app_process64 | app_process64  | root   | UNKNOWN         | 0
2622 | org.chromium.chrome_zygote | /system/bin/app_process64 | app_process64  | u0_a73 | UNKNOWN         | 0
2665 | org.chromium.chrome_zygote | /system/bin/app_process64 | app_process64  | u0_a73 | UNKNOWN         | 0
2685 | org.chromium.chrome_zygote | /system/bin/app_process64 | app_process64  | u0_a73 | UNKNOWN         | 0
2705 | org.chromium.chrome_zygote | /system/bin/app_process64 | app_process64  | u0_a73 | UNKNOWN         | 0
2726 | org.chromium.chrome_zygote | /system/bin/app_process64 | app_process64  | u0_a73 | UNKNOWN         | 0
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 103
Text files: 62
Unknown types: 16

Dropped files

PID  | Process       | Filename | Type
2262 | app_process64 | /data/data/org.telegram.messenger/files/PersistedInstallation6203006128686241729tmp | binary
2262 | app_process64 | /data/data/org.telegram.messenger/files/PersistedInstallation.W0RFRkFVTFRd+MToyNDExODg1MDYyNzE6YW5kcm9pZDpiNDNjMzY2MDRkZGQwMjdhN2ZiMGFh.json | binary
2262 | app_process64 | /data/data/org.telegram.messenger/shared_prefs/com.google.android.gms.measurement.prefs.xml | xml
2262 | app_process64 | /data/data/org.telegram.messenger/shared_prefs/com.google.firebase.messaging.xml | xml
2262 | app_process64 | /data/data/org.telegram.messenger/shared_prefs/com.google.firebase.crashlytics.xml | xml
2262 | app_process64 | /data/data/org.telegram.messenger/files/.com.google.firebase.crashlytics.files.v2:org.telegram.messenger/open-sessions/686B5F2D029A000108D61412B34AB26A/report | binary
2262 | app_process64 | /data/data/org.telegram.messenger/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MToyNDExODg1MDYyNzE6YW5kcm9pZDpiNDNjMzY2MDRkZGQwMjdhN2ZiMGFh.xml | xml
2262 | app_process64 | /data/data/org.telegram.messenger/databases/google_app_measurement_local.db | sqlite
2262 | app_process64 | /storage/emulated/0/Android/data/org.telegram.messenger/cache/000000000_999999_temp.fgmc | -
2262 | app_process64 | /data/data/org.telegram.messenger/files/cache4.db-journal | binary

(MD5 and SHA256 values for the dropped files are not included in this summary.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 33
TCP/UDP connections: 153
DNS requests: 18
Threats: 2

HTTP requests

PID  | Process       | Method | HTTP Code | IP                  | URL | CN      | Type   | Size  | Reputation
-    | -             | GET    | 204       | 142.250.185.164:80  | http://www.google.com/gen_204 | unknown | -      | -     | whitelisted
-    | -             | GET    | 204       | 172.217.16.195:80   | http://connectivitycheck.gstatic.com/generate_204 | unknown | -      | -     | whitelisted
-    | -             | GET    | 204       | 172.217.16.195:80   | http://connectivitycheck.gstatic.com/generate_204 | unknown | -      | -     | whitelisted
-    | -             | GET    | 204       | 142.250.185.164:443 | https://www.google.com/generate_204 | unknown | -      | -     | unknown
-    | -             | GET    | 200       | 142.250.185.227:443 | https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1:241188506271:android:b43c36604ddd027a7fb0aa/settings?instance=e9d3eeab5fe6e2d6ecb6d0801943b72ea03be59e&build_version=47109&display_version=10.12.0&source=1 | unknown | binary | 748 b | whitelisted
-    | -             | POST   | 200       | 142.250.27.81:443   | https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain | unknown | binary | 699 b | whitelisted
2262 | app_process64 | GET    | 301       | 104.21.51.156:80    | http://update.ayugram.one/android/info-fcm | unknown | -      | -     | unknown
-    | -             | POST   | 200       | 172.217.23.106:443  | https://firebaseinstallations.googleapis.com/v1/projects/ayugram-c6a31/installations | unknown | binary | 630 b | whitelisted
-    | -             | GET    | 404       | 172.67.182.25:443   | https://update.ayugram.one/android/info-fcm | unknown | -      | -     | unknown
-    | -             | GET    | 200       | 8.8.8.8:443         | https://dns.google.com/resolve?name=apv3.stel.com&type=ANY&random_padding=DFIb8YAtnRb2BhGRJl80t5DuBRtC5ZNnnsO7MVabrj3M1bHWGCwYQvFjrCMIvIt6Y3ZP63psKgHnxD67lq6nCkMVfnrgrQ8cwLlfOZWxxfwj65Adx1dlMPEyrsgjY8A | unknown | binary | 580 b | whitelisted

Connections

PID  | Process       | IP                  | Domain                                            | ASN    | CN | Reputation
446  | mdnsd         | 224.0.0.251:5353    | -                                                 | -      | -  | unknown
-    | -             | 172.217.16.195:80   | connectivitycheck.gstatic.com                     | GOOGLE | US | whitelisted
-    | -             | 142.250.185.164:443 | www.google.com                                    | GOOGLE | US | whitelisted
-    | -             | 142.250.185.164:80  | www.google.com                                    | GOOGLE | US | whitelisted
-    | -             | 108.177.15.81:443   | staging-remoteprovisioning.sandbox.googleapis.com | GOOGLE | US | whitelisted
-    | -             | 216.239.35.0:123    | time.android.com                                  | -      | -  | whitelisted
-    | -             | 216.239.35.12:123   | time.android.com                                  | -      | -  | whitelisted
-    | -             | 216.239.35.4:123    | time.android.com                                  | -      | -  | whitelisted
573  | app_process64 | 216.239.35.8:123    | time.android.com                                  | -      | -  | whitelisted
2262 | app_process64 | 142.250.184.195:443 | firebase-settings.crashlytics.com                 | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
connectivitycheck.gstatic.com
  • 172.217.16.195
whitelisted
www.google.com
  • 142.250.185.164
whitelisted
google.com
  • 142.250.181.238
whitelisted
time.android.com
  • 216.239.35.0
  • 216.239.35.12
  • 216.239.35.4
  • 216.239.35.8
whitelisted
staging-remoteprovisioning.sandbox.googleapis.com
  • 108.177.15.81
whitelisted
firebase-settings.crashlytics.com
  • 142.250.184.195
whitelisted
firebaseinstallations.googleapis.com
  • 142.250.186.138
  • 216.58.206.74
  • 142.250.184.202
  • 142.250.186.74
  • 142.250.185.74
  • 216.58.212.138
  • 172.217.18.10
  • 172.217.16.138
  • 142.250.186.170
  • 142.250.185.106
  • 172.217.18.106
  • 142.250.186.106
  • 142.250.185.202
  • 142.250.185.138
  • 142.250.185.170
  • 142.250.184.234
whitelisted
update.ayugram.one
  • 104.21.51.156
  • 172.67.182.25
unknown
clients2.google.com
  • 142.250.186.78
whitelisted
accounts.google.com
  • 64.233.184.84
whitelisted

Threats

PID | Process | Class         | Message
-   | -       | Misc activity | ET INFO Android Device Connectivity Check
-   | -       | Misc activity | ET INFO Android Device Connectivity Check
No debug info