Malware Analysis Report

2024-09-09 13:44

Sample ID 240503-gez5tsaf34
Target 87d22ab5648bb020ea373d493488839c9e5440525bb1f2f2075b89ce99ae703d.bin
SHA256 87d22ab5648bb020ea373d493488839c9e5440525bb1f2f2075b89ce99ae703d
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
score
10/10

Analysis Overview

Threat Level: Known bad

The file 87d22ab5648bb020ea373d493488839c9e5440525bb1f2f2075b89ce99ae703d.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Prevents application removal

Requests modifying system settings.

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Declares services with permission to bind to the system

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-03 05:43

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-03 05:43

Reported

2024-05-03 05:49

Platform

android-x64-arm64-20240221-en

Max time kernel

150s

Max time network

139s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Files

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/.qcom.nameown12

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 05:43

Reported

2024-05-03 05:49

Platform

android-x86-arm-20240221-en

Max time kernel

141s

Max time network

135s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 05:43

Reported

2024-05-03 05:49

Platform

android-x64-20240221-en

Max time kernel

161s

Max time network

152s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12
