Malware Analysis Report

2025-01-19 06:55

Sample ID 240523-n87v4aga5x
Target ss--universal-4.8.4.apk
SHA256 a95aedbbf0d56aaa57d158bade705fd7cfe1913a21242a9b5a49fae8cc475e11
Tags discovery evasion impact persistence collection credential_access
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file ss--universal-4.8.4.apk was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Checks CPU information

Obtains sensitive information copied to the device clipboard

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Queries information about running processes on the device

Acquires the wake lock

Requests dangerous framework permissions

Checks if the internet connection is available

Declares services with permission to bind to the system

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-05-23 12:05

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by quick settings tile services to bind with the system. Allows apps to add custom tiles to the quick settings menu. | android.permission.BIND_QUICK_SETTINGS_TILE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 12:05

Reported

2024-05-23 12:33

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

182s

Command Line

com.github.shadowsocks

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.github.shadowsocks/cache/1582435991586.jar | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.github.shadowsocks

com.github.shadowsocks:bg

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
GB | 216.58.204.67:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
US | 1.1.1.1:53 | www.googletagservices.com | udp
GB | 142.250.187.194:443 | www.googletagservices.com | tcp
GB | 142.250.187.194:443 | www.googletagservices.com | tcp
US | 1.1.1.1:53 | tpc.googlesyndication.com | udp
GB | 142.250.200.33:443 | tpc.googlesyndication.com | tcp

Files

/data/user_de/0/com.github.shadowsocks/databases/config.db-journal
/data/user_de/0/com.github.shadowsocks/databases/config.db
/data/user_de/0/com.github.shadowsocks/databases/androidx.work.workdb-journal
/data/user_de/0/com.github.shadowsocks/databases/androidx.work.workdb-shm
/data/user_de/0/com.github.shadowsocks/databases/config.db-shm
/data/user_de/0/com.github.shadowsocks/databases/androidx.work.workdb-wal
/data/user_de/0/com.github.shadowsocks/databases/config.db-wal
/data/user_de/0/com.github.shadowsocks/no_backup/bypass-china.acl
/data/user_de/0/com.github.shadowsocks/no_backup/bypass-lan-china.acl
/data/user_de/0/com.github.shadowsocks/no_backup/bypass-lan.acl
/data/user_de/0/com.github.shadowsocks/no_backup/china-list.acl
/data/user_de/0/com.github.shadowsocks/no_backup/gfwlist.acl
/data/data/com.github.shadowsocks/databases/profile.db-journal
/data/data/com.github.shadowsocks/databases/profile.db
/data/data/com.github.shadowsocks/databases/profile.db-shm
/data/data/com.github.shadowsocks/databases/profile.db-wal
/data/user_de/0/com.github.shadowsocks/no_backup/com.google.InstanceId.properties
/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db-journal
/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db
/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db-shm
/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db-wal
/data/data/com.github.shadowsocks/cache/1582435991586.jar
/data/user/0/com.github.shadowsocks/cache/1582435991586.jar
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F36CA011D-0001-10B9-A8A84431E6E5BeginSession.cls_temp
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_94446bd1-f515-4cf6-9ab6-91aef7982aa8_1716467413813.tap
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F36CA011D-0001-10B9-A8A84431E6E5BeginSession.json
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F36CA011D-0001-10B9-A8A84431E6E5SessionApp.cls_temp
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F36CA011D-0001-10B9-A8A84431E6E5SessionApp.json
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F36CA011D-0001-10B9-A8A84431E6E5SessionOS.cls_temp
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F36CA011D-0001-10B9-A8A84431E6E5SessionOS.json
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F36CA011D-0001-10B9-A8A84431E6E5SessionDevice.cls_temp
/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F36CA011D-0001-10B9-A8A84431E6E5SessionDevice.json

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 12:05

Reported

2024-05-23 12:14

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

178s

Command Line

com.github.shadowsocks

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.github.shadowsocks/cache/1582435991586.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.github.shadowsocks

com.github.shadowsocks:bg

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | www.googletagservices.com | udp
GB | 172.217.169.2:443 | www.googletagservices.com | tcp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.178.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp

Files

/data/user_de/0/com.github.shadowsocks/databases/config.db-journal

MD5 705ada454b7869759d5eac4ec03a5504
SHA1 b1cba5bc27716ac711c6a0ce59f9f727bbf48c77
SHA256 cae2164e07e78865378ec570487ab269d8036136ef5892f046142351a8729574
SHA512 3d151898423efa292f0b3e595176ca4c8d60be515f18b1eac4d6fb6ed4272a87afe4cfbe417a9fc529844f374f86e48d0416e174c3e629077f5b20b36f316ad7

/data/user_de/0/com.github.shadowsocks/databases/config.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/user_de/0/com.github.shadowsocks/databases/config.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user_de/0/com.github.shadowsocks/databases/config.db-wal

MD5 abb1458944d4dde46fa7ad6383796786
SHA1 c580347ed5c26d56899fb6ad741d214ba73dcc5a
SHA256 4ba206ce9d5b732887d6d72447958b36da4fd11254c3e63109b0f8817acf9aff
SHA512 4cdafdd06af5c7ea2edf1c35f09807575b7657b2491c2b2c381080799775e5ad692ffad67aaca820b8d6d21a25d351311a4cbeb05d87eb5a931b266e03bdbb38

/data/user_de/0/com.github.shadowsocks/databases/androidx.work.workdb-journal

MD5 f7fa6cd22c765fc275dd41890700329a
SHA1 92bca15b390477258c132c5174f7c70e7b8e5504
SHA256 5c9b2e5cbd13cd658b2450862f1d49991d3990c7b889efde205028e4e8c9e820
SHA512 a7b16c357e5023ab36d1b0525bcfc7959ac9f65c2403bb101e4a571856b3ef8cc8dff9446bbbf79d5d94595d066f5c65b1780462088d4f69a0b86a3d1cbd9c61

/data/user_de/0/com.github.shadowsocks/databases/config.db-wal

MD5 bb892517ed5fe569cdf7b066830d7a54
SHA1 e55cd5cec7eedf162eca80342533648b13c72cc8
SHA256 7b143253fa6d9087e7c9cac32a0012afebe10d843235d37d53a37a8a4a4a0627
SHA512 594798cb4680758a20aedf33f32ced6fbff1d5cc72a4500fa401fff55bc8440dfe908e10b9cad72b1afdaaed868976d4b4192d87dbdc60fc6cbc66b0726fe8d5

/data/user_de/0/com.github.shadowsocks/databases/androidx.work.workdb-shm

MD5 f2c130c61815ba03667cbaf740e51b01
SHA1 2b907e52eed40868398db3a91fbde379f1541d12
SHA256 4762bc07fc8b92351c14d38e4e965cd2254e1808dfc68e04c3fb618d70453e5c
SHA512 3bd216e7b3ad8721ca56f08d884b21ff1668d89f6b1edc93db3bd2e46ec8102ec9de9951b9d5dd39b3d8868fd4f39b1dec83aacc60acceac5b3b082a466af7cc

/data/user_de/0/com.github.shadowsocks/databases/androidx.work.workdb-wal

/data/user_de/0/com.github.shadowsocks/no_backup/bypass-china.acl

/data/user_de/0/com.github.shadowsocks/databases/androidx.work.workdb-wal

/data/user_de/0/com.github.shadowsocks/no_backup/bypass-lan-china.acl

/data/user_de/0/com.github.shadowsocks/no_backup/bypass-lan.acl

/data/user_de/0/com.github.shadowsocks/no_backup/china-list.acl

/data/user_de/0/com.github.shadowsocks/no_backup/gfwlist.acl

/data/user_de/0/com.github.shadowsocks/databases/config.db-wal

/data/data/com.github.shadowsocks/databases/profile.db-journal

/data/data/com.github.shadowsocks/databases/profile.db

/data/data/com.github.shadowsocks/databases/profile.db-shm

/data/data/com.github.shadowsocks/databases/profile.db-wal

/data/data/com.github.shadowsocks/databases/profile.db-wal

/data/user_de/0/com.github.shadowsocks/no_backup/com.google.InstanceId.properties

/data/data/com.github.shadowsocks/databases/profile.db-wal

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db-journal

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db-journal

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db-journal

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db-journal

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db-journal

/data/data/com.github.shadowsocks/cache/1582435991586.jar

/data/user/0/com.github.shadowsocks/cache/1582435991586.jar

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F327800F8-0001-146F-9765F223D88CBeginSession.cls_temp

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F327800F8-0001-146F-9765F223D88CBeginSession.json

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_8f2aa72d-43f7-4c61-9eac-aa6d0b40c95e_1716466307739.tap

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F327800F8-0001-146F-9765F223D88CSessionApp.cls_temp

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F327800F8-0001-146F-9765F223D88CSessionApp.json

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F327800F8-0001-146F-9765F223D88CSessionOS.cls_temp

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F327800F8-0001-146F-9765F223D88CSessionOS.json

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F327800F8-0001-146F-9765F223D88CSessionDevice.cls_temp

/data/user_de/0/com.github.shadowsocks/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664F327800F8-0001-146F-9765F223D88CSessionDevice.json

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db-journal

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db

/data/user_de/0/com.github.shadowsocks/databases/google_app_measurement_local.db
