Malware Analysis Report

2024-09-09 14:26

Sample ID 240507-bw4lpafc63
Target 8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2.apk
SHA256 8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2
Tags
ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2.apk was found to be: Known bad.

Malicious Activity Summary

ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Ermac family

Ermac2 payload

Prevents application removal

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Requests enabling of the accessibility settings.

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Acquires the wake lock

Requests dangerous framework permissions

Reads information about phone network operator.

Declares services with permission to bind to the system

Schedules tasks to execute at a specified time

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-07 01:30

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 01:30

Reported

2024-05-07 01:33

Platform

android-x86-arm-20240506-en

Max time kernel

25s

Max time network

156s

Command Line

com.getecezegumetaco.gucepu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.getecezegumetaco.gucepu

Network

Files

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-journal

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-shm

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 01:30

Reported

2024-05-07 01:33

Platform

android-x64-20240506-en

Max time kernel

72s

Max time network

161s

Command Line

com.getecezegumetaco.gucepu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.getecezegumetaco.gucepu

Network

Files

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-journal

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-shm

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-07 01:30

Reported

2024-05-07 01:33

Platform

android-x64-arm64-20240506-en

Max time kernel

39s

Max time network

158s

Command Line

com.getecezegumetaco.gucepu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.getecezegumetaco.gucepu

Network

Files

/data/user/0/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-journal

/data/user/0/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb

/data/user/0/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-shm

/data/user/0/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal