Malware Analysis Report

2024-09-09 13:45

Sample ID 240503-geq7xsaf22
Target 271fd489f0dc6eb0c888acbd9adbffdd0eb86fab8de213e50560b0ab749b6a9a.bin
SHA256 271fd489f0dc6eb0c888acbd9adbffdd0eb86fab8de213e50560b0ab749b6a9a
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 271fd489f0dc6eb0c888acbd9adbffdd0eb86fab8de213e50560b0ab749b6a9a.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Prevents application removal

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Declares services with permission to bind to the system

Reads information about phone network operator.

Acquires the wake lock

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-03 05:43

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-03 05:43
Reported: 2024-05-03 05:47
Platform: android-x64-20240221-en
Max time kernel: 152s
Max time network: 153s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-03 05:43
Reported: 2024-05-03 05:47
Platform: android-x64-arm64-20240221-en
Max time kernel: 150s
Max time network: 159s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Files

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/.qcom.nameown12

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-03 05:43
Reported: 2024-05-03 05:47
Platform: android-x86-arm-20240221-en
Max time kernel: 69s
Max time network: 136s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12
