Malware Analysis Report

2024-10-19 13:18

Sample ID 240602-zcxwssfb96
Target 8f569562061b82988b7172951ed8d559_JaffaCakes118
SHA256 2d15747ba2d474bcdcbd031dfd54e88ba69ca90404eb53a83db63a61764fa064
Tags banker collection discovery evasion impact persistence credential_access
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file 8f569562061b82988b7172951ed8d559_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence credential_access

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Checks memory information

Checks CPU information

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-06-02 20:35

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-02 20:34

Reported

2024-06-02 20:35

Platform

android-x86-arm-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-02 20:34

Reported

2024-06-02 20:35

Platform

android-x64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-02 20:34

Reported

2024-06-02 20:35

Platform

android-x64-arm64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-02 20:34

Reported

2024-06-02 20:35

Platform

android-x86-arm-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.169.42:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 20:34

Reported

2024-06-02 20:38

Platform

android-x86-arm-20240514-en

Max time kernel

168s

Max time network

186s

Command Line

com.mfyueduqi.bool

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.mfyueduqi.bool/.jiagu/classes.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/classes.dex!classes3.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/classes.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/classes.dex!classes3.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.mfyueduqi.bool/.jiagu/tmp.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.mfyueduqi.bool

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.mfyueduqi.bool/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.mfyueduqi.bool/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

com.mfyueduqi.bool:pushcore

sh -c id

id

getprop ro.build.version.emui

sh -c service call iphonesubinfo 1

getprop ro.build.version.emui

service call iphonesubinfo 1

Network

Files

/data/data/com.mfyueduqi.bool/.jiagu/libjiagu.so
/data/data/com.mfyueduqi.bool/.jiagu/classes.dex
/data/data/com.mfyueduqi.bool/.jiagu/classes.dex!classes2.dex
/data/data/com.mfyueduqi.bool/.jiagu/classes.dex!classes3.dex
/data/data/com.mfyueduqi.bool/.jiagu/tmp.dex
/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.ri
/data/data/com.mfyueduqi.bool/files/.jiagu.lock
/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.rd
/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.store
/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.ac
/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.ic
/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.di
/storage/emulated/0/360/.iddata
/storage/emulated/0/360/.deviceId

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 20:34

Reported

2024-06-02 20:38

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

188s

Command Line

com.mfyueduqi.bool

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /product/framework/com.google.android.maps.jar N/A N/A
N/A /product/framework/com.google.android.maps.jar N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected] N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected]!classes2.dex N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected]!classes3.dex N/A N/A
N/A /product/framework/com.google.android.maps.jar N/A N/A
N/A /product/framework/com.google.android.maps.jar N/A N/A
N/A /product/framework/com.google.android.maps.jar N/A N/A
N/A /product/framework/com.google.android.maps.jar N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected] N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected] N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected]!classes2.dex N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected]!classes2.dex N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected]!classes3.dex N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected]!classes3.dex N/A N/A
N/A /product/framework/com.google.android.maps.jar N/A N/A
N/A /product/framework/com.google.android.maps.jar N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected] N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected]!classes2.dex N/A N/A
N/A /data/user/0/com.mfyueduqi.bool/[email protected]!classes3.dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A s.appjiagu.com N/A N/A
N/A b.appjiagu.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.mfyueduqi.bool

com.mfyueduqi.bool:pushcore

com.mfyueduqi.bool:iwanvi_read_process

com.mfyueduqi.bool:pushcore

Network

Files

/product/framework/com.google.android.maps.jar

MD5 4899aca36d1ed747a447dcac0d101a62
SHA1 32e43edc0bf3e036683ea8639472e6cd31ab9929
SHA256 67a651acd867e046fb4463b31ea584c1468f7243a9d1e2efd34059e8ee2f130f
SHA512 50b23dd279a9efba566c6a6523c7537723c0cd6dd3e4871f1cbdb8d5bc355caa3ddea99452b1c8e5356802f812b3768066a9848b93d715bb8bdfa455b704285f

/data/data/com.mfyueduqi.bool/.jiagu/libjiagu.so

MD5 1da618896802fdb4b6f17c92703424f4
SHA1 b48aa81ac014a5a7f6e95e618e4f951ee12d34c3
SHA256 2cbf986b5e1357e00347d75d6f631539c0f368208079df36bb44603ac4e6973f
SHA512 620a06d8df24597467318582a12bce45e2e2cb66069ffbd6fa27ac5a164c58398ddb9c2348e6ef443272a22ca85fcfa03439d0f0f22109a93708d562e0737cb6

/data/user/0/com.mfyueduqi.bool/[email protected]

MD5 4a533836dbb1b277a498f237a625f5d2
SHA1 67d1231fb131605174bb55404d91f5d16e8ca128
SHA256 d3faa1dacb7fd48653575448cdb13ad45d552997b938718d98af1bbd9634f11d
SHA512 a930393c216a0555a7a6520dcc98b38fb27e0e17ee906db84afa4b40d71ee1450a219c35a80fb95bcb901b2fbda1e5c0b1f84d15efc95c79164b87e69bda4e69

/data/user/0/com.mfyueduqi.bool/[email protected]!classes2.dex

MD5 8bafe4f7d13731508fb5b06e135ca253
SHA1 ca6a1c5f3d22555fa11399697663f188e97b8dee
SHA256 bd6b750daa09572c5defc7816dae21e3fd6a129702021db7cf9e1516e16aedfc
SHA512 d85b7749c99d72cc0b6b9368cf9ba09024d42e1f547cd2b986c9153e2456d4145c59d7e5f6f993c7712a2432e607df6c6cd3ce15591f5c974ed291f5a34b05d5

/data/user/0/com.mfyueduqi.bool/[email protected]!classes3.dex

MD5 526fa4ac8bb444c3f27cfee48c619b79
SHA1 b6f9177c0cd8d6b439db928889d087f2865e2d47
SHA256 7af26ea89ced69d157b0136058832a3761078afefa3728efe56fae08bfb5d49d
SHA512 2760ff8f835315aa6e8131a52d6aa0962fb300670e78b169e8f66023d84dcb2537096a272c231aee885d3700946abf3799df6d4a66cf83e010e687c56246b6c9

/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.ri

MD5 7a68dbd2a250675b126ae72cf250679a
SHA1 5a075095c8873a11b14f8fdaf78144fb240f4024
SHA256 ccffba0743fce13e10795b9d7ac8d38931954eccb18eefe6b8efba99a82e12bc
SHA512 53f48ac253cd76f1e6bc8d9660983623c3b565fd8a7b6efcb2fc4f8443bb89d3cab11962b0666a2e7dd822e5695fc62ee4ec10c841dab5ce744ea2e7e2a64d35

/data/data/com.mfyueduqi.bool/files/.jiagu.lock

MD5 585ea116b71825bf7767883d5e237c2b
SHA1 356623fd1b630e517389a408f709b0fa0c2ef80b
SHA256 8c167346f2f7e96f1743a40fc2e331b3f1811f42fab39257f87d76dda86c0e8a
SHA512 0161dc3d649ad0c2cdb1fb2863ee9891e62b06d6614bd5a6d00e11da3f698465cadab7c327f70eb9776d685ab87ad378be2802bcb79a0c67b5500bc5c320bef1

/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.rd

MD5 72e90425fb96b187f01353ded4424901
SHA1 1a461aaac432284010f1e1626c408713a2c7f890
SHA256 acfde005f5a8510d5cc71e2668268f507d5fc19a208317a3319f7f9d75a14c32
SHA512 b307c98310fa14a633eb4ed4e54b4eb8b33acb4604101c747185600a09d4a5667a1728117c7b54f3cee2691b0e5957332b6ae215875c70d142968e6e1de3e044

/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.store

MD5 1a65b67ae3836c6378fa3b4d7fe41831
SHA1 4812a68dfb0147431438ef0f68125ad220b181c8
SHA256 d07cc0317e165b4edafb6a0fe1b9576193e7f3372a6eb575e21314cab660e0eb
SHA512 dc951a37de981ded0214843964a42256f7d05aa9eb3669dc6d678f46e2dd9ba040ef3f6a3e3712eb2cd48c49d51a5bd1b641e7ef57d4b2ccc23000bf02fb2726

/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.ac

MD5 38008f60048503fe3e10ce461bedf4cb
SHA1 51e201bb3b791cfe014d5e913f6a7ce4dd0ae63a
SHA256 77d710b8ef8ff62a89b6823bf2df4b54214381ae146fc9aea31e6c9a5af85a9c
SHA512 f414f8c8c1f7c09ded9d3641e506cb30ceca12fd499be97b41b31808e46dc77c5503cb3669a88ff401abf3543c3e33f5e3b2af9c23c4396dd74e56b8c895d19e

/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.ic

MD5 d032a42fa69aff51120f74ae3b2b0d62
SHA1 286d51e2556b2111e2c70d2feb05ceac81f50145
SHA256 66119b76341a2b8ab73187408c25ed86ee83b7d789f872eea594df05e2233df3
SHA512 d78a3d5871b4acda99250b07a9dd321462d722a33e5fdfa71295395041d778a127a6ac636a47d4e2ca2cb6564c578a47ce2e6fdcb406c36e84e6dfe52d8a1ae7

/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.di

/storage/emulated/0/360/.iddata

/storage/emulated/0/360/.deviceId

/data/data/com.mfyueduqi.bool/databases/ttopensdk.db-journal

/data/data/com.mfyueduqi.bool/databases/ttopensdk.db

/data/data/com.mfyueduqi.bool/databases/ttopensdk.db-journal

/data/data/com.mfyueduqi.bool/databases/ttopensdk.db-journal

/data/data/com.mfyueduqi.bool/databases/downloader.db-journal

/data/data/com.mfyueduqi.bool/databases/downloader.db

/data/data/com.mfyueduqi.bool/databases/downloader.db-journal

/data/data/com.mfyueduqi.bool/databases/downloader.db-journal

/storage/emulated/0/.hide_freebook/.ygzhang

/storage/emulated/0/data/.push_deviceid

/data/data/com.mfyueduqi.bool/files/jpush_stat_history/normal/nowrap/ada4eb65-de84-4177-a668-2a6a7d75fab4

/data/data/com.mfyueduqi.bool/databases/cc/cc.db-journal

/data/data/com.mfyueduqi.bool/databases/cc/cc.db

/data/data/com.mfyueduqi.bool/databases/cc/cc.db-journal

/data/data/com.mfyueduqi.bool/databases/cc/cc.db-journal

/data/data/com.mfyueduqi.bool/databases/freebook_comm.db-journal

/data/data/com.mfyueduqi.bool/databases/freebook_comm.db

/data/data/com.mfyueduqi.bool/databases/freebook_comm.db-journal

/data/data/com.mfyueduqi.bool/databases/freebook_comm.db-journal

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db-journal

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db-journal

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db-journal

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db-journal

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db-journal

/data/data/com.mfyueduqi.bool/databases/freebook_comm.db-journal

/data/data/com.mfyueduqi.bool/databases/freebook_comm.db-journal

/data/data/com.mfyueduqi.bool/databases/freebook_comm.db-journal

/data/data/com.mfyueduqi.bool/files/umeng_it.cache

/data/data/com.mfyueduqi.bool/files/.umeng/exchangeIdentity.json

/data/data/com.mfyueduqi.bool/files/exid.dat

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db-journal

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db

/data/data/com.mfyueduqi.bool/databases/cc/cc.db-journal

/data/data/com.mfyueduqi.bool/databases/cc/cc.db

/data/data/com.mfyueduqi.bool/databases/cc/cc.db-journal

/data/data/com.mfyueduqi.bool/databases/cc/cc.db-journal

/storage/emulated/0/FreeBook/book/80001414/.fb

/data/data/com.mfyueduqi.bool/files/jpush_stat_cache.json

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db

/data/data/com.mfyueduqi.bool/databases/.ua/ua.db

/storage/emulated/0/.cxb/.cer

/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.di

/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.store

/data/data/com.mfyueduqi.bool/files/.jglogs/.jg.ac

/data/data/com.mfyueduqi.bool/files/.um/um_cache_1717360658561.env
