Malware Analysis Report

2024-09-09 17:24

Sample ID 240613-1t8v3a1hmf
Target a6c4085bd5bdf9a6c4e30e7cba5634d5_JaffaCakes118
SHA256 6382aefd3a65de5018ecf62fbf1a743afe82b2ed94829a7b1d5546ced451123f
Tags discovery evasion impact persistence
Score 8/10

Analysis Overview

score
8/10

SHA256

6382aefd3a65de5018ecf62fbf1a743afe82b2ed94829a7b1d5546ced451123f

Threat Level: Likely malicious

The file a6c4085bd5bdf9a6c4e30e7cba5634d5_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Queries information about active data network

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 21:57

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 21:57

Reported

2024-06-13 22:00

Platform

android-x86-arm-20240611.1-en

Max time kernel

134s

Max time network

131s

Command Line

com.ykx.flm.broker

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ykx.flm.broker/.jiagu/classes.dex | N/A | N/A
N/A | /data/user/0/com.ykx.flm.broker/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.ykx.flm.broker/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.ykx.flm.broker/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.ykx.flm.broker/.jiagu/tmp.dex | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | s.appjiagu.com | N/A | N/A
N/A | b.appjiagu.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ykx.flm.broker

chmod 755 /data/user/0/com.ykx.flm.broker/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ykx.flm.broker/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/data/com.ykx.flm.broker/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

sh -c ps

ps

Network

Files

/data/data/com.ykx.flm.broker/.jiagu/libjiagu.so

/data/data/com.ykx.flm.broker/.jiagu/classes.dex

/data/user/0/com.ykx.flm.broker/.jiagu/classes.dex

/data/user/0/com.ykx.flm.broker/.jiagu/classes.dex!classes2.dex

/data/data/com.ykx.flm.broker/.jiagu/tmp.dex

/data/data/com.ykx.flm.broker/files/.jglogs/.jg.ri

/data/data/com.ykx.flm.broker/files/.jiagu.lock

/data/data/com.ykx.flm.broker/files/.jglogs/.jg.ac

/data/data/com.ykx.flm.broker/files/.jglogs/.jg.ic

/data/data/com.ykx.flm.broker/files/.jglogs/.jg.di

/storage/emulated/0/360/.iddata

/storage/emulated/0/360/.deviceId

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/data/data/com.ykx.flm.broker/files/libcuid.so

/data/data/com.ykx.flm.broker/databases/tencent_analysis.db_com.ykx.flm.broker-journal

/data/data/com.ykx.flm.broker/databases/tencent_analysis.db_com.ykx.flm.broker

/data/data/com.ykx.flm.broker/databases/tencent_analysis.db_com.ykx.flm.broker-shm

/data/data/com.ykx.flm.broker/databases/tencent_analysis.db_com.ykx.flm.broker-wal

/data/data/com.ykx.flm.broker/databases/pri_tencent_analysis.db_com.ykx.flm.broker-journal

/data/data/com.ykx.flm.broker/databases/pri_tencent_analysis.db_com.ykx.flm.broker-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 21:57

Reported

2024-06-13 22:00

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

8s

Max time network

179s

Command Line

com.ykx.flm.broker

Signatures

N/A

Processes

com.ykx.flm.broker

Network

Files

/data/user/0/com.ykx.flm.broker/.jiagu/libjiagu.so
