Malware Analysis Report

2024-09-09 13:22

Sample ID 240614-ac55qszhnr
Target 526edbd1b2f2e32d135963fd3bb48a52a46a6c822f209eef6439b903edd73508.bin
SHA256 526edbd1b2f2e32d135963fd3bb48a52a46a6c822f209eef6439b903edd73508
Tags
xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

526edbd1b2f2e32d135963fd3bb48a52a46a6c822f209eef6439b903edd73508

Threat Level: Known bad

The file 526edbd1b2f2e32d135963fd3bb48a52a46a6c822f209eef6439b903edd73508.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader, MoqHao

XLoader payload

Removes its main activity from the application launcher

Checks if the Android device is rooted.

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Reads the content of the MMS message.

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests changing the default SMS application.

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:05

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:05

Reported

2024-06-14 00:08

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

185s

Command Line

zxtj.uvxrh.pomjs

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/zxtj.uvxrh.pomjs/files/dex N/A N/A
N/A /data/user/0/zxtj.uvxrh.pomjs/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

zxtj.uvxrh.pomjs

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.178.14:443 docs.google.com tcp
GB 142.250.178.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/zxtj.uvxrh.pomjs/files/dex

MD5 6e3d29b5306a57dba7028a8da4609797
SHA1 da143c2306182d664c850b74b4afa7fa948c974d
SHA256 07f170fb70397d72a187bcdb83adc11f2e7c6d5a928d951d4f24b5e82dc04d96
SHA512 e9dadbc1fa4244e681a22178a512bf8ef0b5a41e6b80e54f09ef8f5fd120ac25c55db8a6ff53f748ba0ba22eeee84eb8714bc79468da921d4ec8f0129bd60915

/storage/emulated/0/.msg_device_id.txt

MD5 a122a4d69adecece25a1c7b278ef91f6
SHA1 13c901b03676fcc7cc7f59afcac740ab1a886168
SHA256 7a2e76474f28da688c9777b0a86f7848f97485b339d8f0c22492a4fc4c9e9a3a
SHA512 b38a001a2528589a9f4f2cb56054aeddbfc82014f475d84cfe111b306e02aa1636cd805011cf9f05043d92349a18277998e1f677065f6d75bfbee1dc8dcc104f

/data/data/zxtj.uvxrh.pomjs/files/oat/dex.cur.prof

MD5 34489b30c7b7ddf2362fadcf88fecf13
SHA1 772ed0ff42cff4fd3ada3bf13edf2cd556794bb0
SHA256 5d796143bac9af1c3e55d0ce477b5dcfbac364a3f033980aec5e08dacbaffd04
SHA512 afc8dae13ebb0f80da0d700f236867b901cc811d5919a33811b5a7038d65cec9dafbbaf0f375569674f5ff910b2742d1f1e8c639f04a9ff0fe5f46fdc9a355a5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:05

Reported

2024-06-14 00:08

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

187s

Command Line

zxtj.uvxrh.pomjs

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/zxtj.uvxrh.pomjs/files/dex N/A N/A
N/A /data/user/0/zxtj.uvxrh.pomjs/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

zxtj.uvxrh.pomjs

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 216.58.212.206:443 docs.google.com tcp
GB 216.58.212.206:443 docs.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 172.217.169.10:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 172.217.169.10:443 tcp
GB 172.217.169.14:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 172.217.169.74:443 tcp
GB 172.217.169.74:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 172.217.169.78:443 tcp
GB 142.250.179.226:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/zxtj.uvxrh.pomjs/files/dex

MD5 6e3d29b5306a57dba7028a8da4609797
SHA1 da143c2306182d664c850b74b4afa7fa948c974d
SHA256 07f170fb70397d72a187bcdb83adc11f2e7c6d5a928d951d4f24b5e82dc04d96
SHA512 e9dadbc1fa4244e681a22178a512bf8ef0b5a41e6b80e54f09ef8f5fd120ac25c55db8a6ff53f748ba0ba22eeee84eb8714bc79468da921d4ec8f0129bd60915

/storage/emulated/0/.msg_device_id.txt

MD5 53041d3b3ff26ba25167c2ee2932c043
SHA1 1ab76d02b2e61ac8dfb02a1f19f06f24fa032db0
SHA256 c4558f9aa75ca73a83567fc6b752ff0bff7466a679c887df5eea372575593129
SHA512 abe9ba3edf78948414ff22b62bd311220ab52b24499b18af0395d8ee1d02c7c005f2244b756dbedcbec6c3e6efb4b6c835e5b78c0f7408e8e2bfb5f2673ab578

/data/data/zxtj.uvxrh.pomjs/files/oat/dex.cur.prof

MD5 bd2f38ab0cc4a4fc2dd278f6b60dcaf5
SHA1 2a4cb93b882514ab161af819380bbc9f84fa925e
SHA256 4f8ea7690b6151f6867f16629b6ea58572f2ac9275a9d2e0ee0d6b7c141ab160
SHA512 87ef034d897801916aeb28db865e94f81b2d7e74b877b04c68bfa54160ab4a9e523490f835bb375837f77e2e6038e9b851068f856ee53e62e98bdbd1ba7bbf2b

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 00:05

Reported

2024-06-14 00:08

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

189s

Command Line

zxtj.uvxrh.pomjs

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/zxtj.uvxrh.pomjs/files/dex N/A N/A
N/A /data/user/0/zxtj.uvxrh.pomjs/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

zxtj.uvxrh.pomjs

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.16.234:443 tcp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 docs.google.com udp
GB 216.58.213.14:443 docs.google.com tcp
GB 216.58.213.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/user/0/zxtj.uvxrh.pomjs/files/dex

MD5 6e3d29b5306a57dba7028a8da4609797
SHA1 da143c2306182d664c850b74b4afa7fa948c974d
SHA256 07f170fb70397d72a187bcdb83adc11f2e7c6d5a928d951d4f24b5e82dc04d96
SHA512 e9dadbc1fa4244e681a22178a512bf8ef0b5a41e6b80e54f09ef8f5fd120ac25c55db8a6ff53f748ba0ba22eeee84eb8714bc79468da921d4ec8f0129bd60915

/storage/emulated/0/.msg_device_id.txt

MD5 8a38671d95b5755995f0136bd1a7739e
SHA1 6aba6117c2897c12174d3bd83e9c300fd5c0dfca
SHA256 78834fd6443355b087cdf062123c18d657df5b10c4c96f112a3325e1ff49c53e
SHA512 6e89452fdd2445cf56158bcc59957db747e8b1ac8c5889f2f82093852551e8a0081b55a6874b2339b07f5ec4511c17baed1311be33dd431201b9e77b804acf96

/data/user/0/zxtj.uvxrh.pomjs/files/oat/dex.cur.prof

MD5 86910d6080b83fecabdabf5c3b37f4f4
SHA1 8c8fc3e2b4588fdbb97f71e9642cffc96e8a9460
SHA256 5aaded7cbac71670edd7510e505cc74dd3e08324bede74554812cd59946546ee
SHA512 7bb62d4b624017ebbf0adaad2aff3c1a9b8818221ba2cd4fdd5c7f479063634a20618c30cfc8b2bad50b4c2b1bf8a6393a9b426cb40ae1f897f72e5e5b1c7b9a