Malware Analysis Report

2024-10-19 13:03

Sample ID 231002-1w57ysgf92
Target facdbaa40525fd2622d88e201253cba273ea779669ea04287c65d5df87866219.bin
SHA256 facdbaa40525fd2622d88e201253cba273ea779669ea04287c65d5df87866219
Tags ermac hook banker evasion infostealer ransomware rat trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

facdbaa40525fd2622d88e201253cba273ea779669ea04287c65d5df87866219

Threat Level: Known bad

The file facdbaa40525fd2622d88e201253cba273ea779669ea04287c65d5df87866219.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker evasion infostealer ransomware rat trojan

Ermac

Ermac2 payload

Hook

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-10-02 22:01

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

win7-20230831-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

win10v2004-20230915-en

Max time kernel

91s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.208.253.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:04

Platform

android-x86-arm-20230831-en

Max time kernel

4067125s

Max time network

154s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json | N/A | N/A

Reads information about phone network operator.

Removes a system notification.

evasion

Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.bulosinehipibe.zusu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
NL | 142.250.179.202:443 | infinitedata-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
NL | 142.251.39.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.174:443 | android.apis.google.com | tcp
NL | 142.251.39.106:443 | infinitedata-pa.googleapis.com | tcp
US | 1.1.1.1:53 | perlmp.com | udp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp

Files

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/eoqPgaw.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

android-x64-20230831-en

Max time kernel

4066979s

Max time network

163s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json] | N/A | N/A

Reads information about phone network operator.

Removes a system notification.

evasion

Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.bulosinehipibe.zusu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.142:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.251.39.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
US | 1.1.1.1:53 | null | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
DE | 172.217.23.202:443 | infinitedata-pa.googleapis.com | tcp
NL | 142.251.36.42:443 | infinitedata-pa.googleapis.com | tcp
US | 1.1.1.1:53 | perlmp.com | udp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 142.250.179.142:443 | android.apis.google.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp

Files

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json]

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:05

Platform

android-x64-arm64-20230831-en

Max time kernel

4067119s

Max time network

154s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json] | N/A | N/A

Reads information about phone network operator.

Removes a system notification.

evasion

Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.bulosinehipibe.zusu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
NL | 142.250.179.142:443 | | tcp
NL | 142.250.179.142:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.142:443 | android.apis.google.com | tcp
NL | 142.250.179.142:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.250.179.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
NL | 172.217.168.202:80 | play.googleapis.com | tcp
US | 1.1.1.1:53 | perlmp.com | udp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp
NL | 194.169.175.243:3434 | perlmp.com | tcp

Files

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/eoqPgaw.json.cur.prof

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json]