Malware Analysis Report

2024-10-19 11:47

Sample ID 240503-c4678ada6v
Target WiFiService.apk
SHA256 77d63aa7346717d838a57b438978d2ad4a60ad51131a69a5d2225ead03c0c1ae
Tags tispy banker collection credential_access discovery evasion impact infostealer persistence spyware trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file WiFiService.apk was found to be: Known bad.

Malicious Activity Summary

TiSpy

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Makes use of the framework's Accessibility service

Reads the content of the browser bookmarks.

Registers a broadcast receiver at runtime (usually for listening for system events)

Reads the content of the call log.

Queries information about the current nearby Wi-Fi networks

Reads the contacts stored on the device.

Obtains sensitive information copied to the device clipboard

Queries information about the current Wi-Fi connection

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Reads the content of photos stored on the user's device.

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-05-03 02:38

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 02:38

Reported

2024-05-03 02:52

Platform

android-x86-arm-20240221-en

Max time kernel

600s

Max time network

605s

Command Line

com.fzwtqivs.djtdwezs

Signatures

TiSpy

trojan infostealer spyware tispy

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.fzwtqivs.djtdwezs/code_cache/1714704134669.dex | N/A | N/A
N/A | /data/user/0/com.fzwtqivs.djtdwezs/files/dex/xajoYTImFwxdYUoFa.zip | N/A | N/A
N/A | /data/data/com.fzwtqivs.djtdwezs/code_cache/1714704140195.dex | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of photos stored on the user's device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://media/external/images/media | N/A | N/A

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Reads the content of the call log.

collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.fzwtqivs.djtdwezs

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.fzwtqivs.djtdwezs/code_cache/1714704134669.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/com.fzwtqivs.djtdwezs/code_cache/oat/x86/1714704134669.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fzwtqivs.djtdwezs/files/dex/xajoYTImFwxdYUoFa.zip --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.fzwtqivs.djtdwezs/files/dex/oat/x86/xajoYTImFwxdYUoFa.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.fzwtqivs.djtdwezs/code_cache/1714704140195.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/com.fzwtqivs.djtdwezs/code_cache/oat/x86/1714704140195.odex --compiler-filter=quicken --class-loader-context=&

getprop ro.miui.ui.version.code

getprop ro.miui.ui.version.name

/system/bin/sh

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | ua.tispy.me | udp
US | 104.21.35.223:443 | ua.tispy.me | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.180.3:80 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 142.250.200.3:443 | | tcp
US | 1.1.1.1:53 | tispy.net | udp
US | 172.67.72.31:443 | tispy.net | tcp
US | 1.1.1.1:53 | ur.tispy.me | udp
US | 104.21.35.223:443 | ur.tispy.me | tcp
US | 1.1.1.1:53 | ue.tispy.me | udp
US | 172.67.180.62:443 | ue.tispy.me | tcp
US | 104.21.35.223:443 | ue.tispy.me | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.213.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | laizdrqctho | udp
US | 1.1.1.1:53 | gutzwcjgsxmzzjs | udp
US | 1.1.1.1:53 | teqbgtc | udp

Files

/data/data/com.fzwtqivs.djtdwezs/code_cache/1714704134669.dex
/data/data/com.fzwtqivs.djtdwezs/files/dex/xajoYTImFwxdYUoFa.zip
/data/user/0/com.fzwtqivs.djtdwezs/files/dex/xajoYTImFwxdYUoFa.zip
/data/data/com.fzwtqivs.djtdwezs/files/476304.so
/data/data/com.fzwtqivs.djtdwezs/logs/Sistema1714704142821.log
/data/data/com.fzwtqivs.djtdwezs/databases/privatesms.db-journal
/data/data/com.fzwtqivs.djtdwezs/databases/privatesms.db
/data/data/com.fzwtqivs.djtdwezs/databases/privatesms.db-shm
/data/data/com.fzwtqivs.djtdwezs/databases/privatesms.db-wal
/data/data/com.fzwtqivs.djtdwezs/files/battery_optimization.jpg
/data/data/com.fzwtqivs.djtdwezs/files/enable_restricted_settings.gif
/data/data/com.fzwtqivs.djtdwezs/files/notification_channel.gif
/data/data/com.fzwtqivs.djtdwezs/files/allow_restricted_settings_xiaomi.gif
/data/data/com.fzwtqivs.djtdwezs/files/auto_start.gif
/data/data/com.fzwtqivs.djtdwezs/files/notifications_access.gif
/data/data/com.fzwtqivs.djtdwezs/files/accessibility.gif
/data/data/com.fzwtqivs.djtdwezs/files/screen_capture.jpg
/data/data/com.fzwtqivs.djtdwezs/files/google_verifier.gif
/data/data/com.fzwtqivs.djtdwezs/files/overlays.gif
/data/data/com.fzwtqivs.djtdwezs/files/display_popup.gif
/data/data/com.fzwtqivs.djtdwezs/files/device_admin.gif
/data/data/com.fzwtqivs.djtdwezs/files/auto_start_oppo.gif
/data/data/com.fzwtqivs.djtdwezs/files/sm_allow_in_background.gif
/data/data/com.fzwtqivs.djtdwezs/files/allow_restricted_settings.gif
/data/data/com.fzwtqivs.djtdwezs/files/app_usage.gif
/data/data/com.fzwtqivs.djtdwezs/files/allow_in_background_xiomi.gif
/data/data/com.fzwtqivs.djtdwezs/files/allow_in_background.gif
/storage/emulated/0/Android/.ANDROID.PROFILE.PuvX027hvo7mHfUgIo+k
/data/data/com.fzwtqivs.djtdwezs/files/476304
/data/data/com.fzwtqivs.djtdwezs/files/476305
/data/data/com.fzwtqivs.djtdwezs/files/img_0.png
/data/data/com.fzwtqivs.djtdwezs/files/paper_5.jpg
/data/data/com.fzwtqivs.djtdwezs/files/xajoYTImFwxdYUoFa
/data/data/com.fzwtqivs.djtdwezs/files/own_acc.dex