Malware Analysis Report

2024-09-09 13:32

Sample ID 240616-s9fkfsyhkd
Target b4500d97beb41fe730f118546977a77e_JaffaCakes118
SHA256 91580dec4d188d56132b7e26202df4451e7b57abd0f7da8478fa983871495c25
Tags
banker collection discovery evasion execution impact persistence stealth trojan credential_access
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

91580dec4d188d56132b7e26202df4451e7b57abd0f7da8478fa983871495c25

Threat Level: Likely malicious

The file b4500d97beb41fe730f118546977a77e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion execution impact persistence stealth trojan credential_access

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries account information for other applications stored on the device

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Reads information about phone network operator.

Requests dangerous framework permissions

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 15:49

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 15:49

Reported

2024-06-16 15:52

Platform

android-x86-arm-20240611.1-en

Max time kernel

138s

Max time network

141s

Command Line

com.bangkok.bqupmorm.fhjqstiv

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar N/A N/A
N/A /data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.bangkok.bqupmorm.fhjqstiv

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar --output-vdex-fd=48 --oat-fd=50 --oat-location=/data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/oat/x86/fields.odex --compiler-filter=quicken --class-loader-context=&

com.bangkok.bqupmorm.fhjqstiv:RemoteProcess

com.bangkok.bqupmorm.fhjqstiv:guard

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 api.adsnative123.com udp

Files

/data/data/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar

MD5 cceb8db3b057d24673d49eda229e9892
SHA1 b18f6353b2156410249079a3b7b86ef3a530e8ee
SHA256 e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97
SHA512 4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57

/data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar

MD5 73b11c4c10150bbd4f29ad012dc11dde
SHA1 65c83ad32c29f9811c32eda75d7fcdc92ef42dda
SHA256 52132037e9b950a9cb48d6374ee2c6747a6bfe776e13a726395771f1b40ee9da
SHA512 3e53b1ee22a00e60896da86d2695195e0965c93d190c4d1c0dba2eb5c611d670ee7693a9f8756858255e2b170cb82a753719dd4d6a827af437309b7a1dcc6f01

/data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar

MD5 4654f352b1b2095d54e0945af0e3948c
SHA1 4819b9827e70025c72a74869a85c996d92603931
SHA256 71c5cdeeaea45916c993908370cb7b1d60911d8e233dc9d1def0e75915e4548e
SHA512 a58ba607dbdb9af50beb9bec719e24c7d4e457e6bd9a6ef71460b0ee629f002788ac8a93d2d18728304c695fca3ac000138f19427c064cd66c628dab8a839ce3

/data/data/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv-journal

MD5 cecfa7f69229a87b7543d5e0f65bc1e5
SHA1 19a1307f31787918ff6440dbb59d8517615898f5
SHA256 52988980fa694ee6a2ae527a09629efea72b061245f92a323a50c6354c1e8f24
SHA512 65721fe1c33c1ecc857a5f46a00977516401afcd65a50eb002baeb66c8a74089d2ded0ee51faee063319d03c9fa80ced5a82441c6e5a4552770855c23b4da335

/data/data/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv-wal

MD5 0242bed1c231ea4607264024420672c0
SHA1 aa19214000db7612305bcefb0f3bc50cbd42c90e
SHA256 f321c404d0a71084246a5a72e527b1a4d475fe749f343df43834e575344e489b
SHA512 e854901211dcb017886d9739d73a7bb8d526099446a0e90bc17a34745a299e7a706ad1551f9a80a952b469e14d07c0ce96ad7bed0061fe500ea0892250246102

/storage/emulated/0/Download/sdsid

MD5 b8c37e33defde51cf91e1e03e51657da
SHA1 dd01903921ea24941c26a48f2cec24e0bb0e8cc7
SHA256 fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71
SHA512 e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 15:49

Reported

2024-06-16 15:52

Platform

android-x64-20240611.1-en

Max time kernel

177s

Max time network

185s

Command Line

com.bangkok.bqupmorm.fhjqstiv

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.bangkok.bqupmorm.fhjqstiv

com.bangkok.bqupmorm.fhjqstiv:RemoteProcess

com.bangkok.bqupmorm.fhjqstiv:guard

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 api.adsnative123.com udp
GB 172.217.169.78:443 tcp
GB 142.250.179.226:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 172.217.169.14:443 tcp

Files

/data/data/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar

MD5 cceb8db3b057d24673d49eda229e9892
SHA1 b18f6353b2156410249079a3b7b86ef3a530e8ee
SHA256 e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97
SHA512 4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57

/data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar

MD5 73b11c4c10150bbd4f29ad012dc11dde
SHA1 65c83ad32c29f9811c32eda75d7fcdc92ef42dda
SHA256 52132037e9b950a9cb48d6374ee2c6747a6bfe776e13a726395771f1b40ee9da
SHA512 3e53b1ee22a00e60896da86d2695195e0965c93d190c4d1c0dba2eb5c611d670ee7693a9f8756858255e2b170cb82a753719dd4d6a827af437309b7a1dcc6f01

/data/data/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv-journal

MD5 1d9b0f6744e70463100c32bb83a90ed3
SHA1 d9fb92ebc0b475dba2ac76fb877366c5eaff10d6
SHA256 f156a1e8559151fbbd9f25aeeffce94e0c4ec6f98cff381ee8c9a67ca09b5dd1
SHA512 88de6b06bc6989bccaec93d247dbf1acb9e3dc6da561ed0d00cd15f04f41dceaeb75a163ec50632364d24114b6f0c32ca71759e6a8dfe659ffd3ea2166ae021f

/data/data/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv

MD5 ae8aa93151da27ce1348c21d6ea98a45
SHA1 d187ce29f387717ea0c7d2919a77945a6f04a954
SHA256 b5023c1c2354845e52c945166be1111d7565a000e57ea18d8ce2943c73580e81
SHA512 7bc212292c6dd5192e2d714d1e06c3109f133bf0f5bddb4dd4113a4b9ab3a8db3ba7e1cab4a7da44724361b8d7d53cdde3d50506cf7264fb00d7b4521014c85a

/data/data/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv-journal

MD5 120afa94fabd54538735d3181699a4d6
SHA1 ce59b0428e236f3ddf1d346a2de276ceeadcb0c9
SHA256 1e2289b7b8262a36c59be1dc642dd2937cf6597a573cae9e7f6c550440edeb7c
SHA512 9e6edccf49f507813ea3ca65214ed67e9aa7dff8397d47362de6b2acca54be3efd0f6f39ec72ce49a6a988dae5b808d3cb1daf7d0439a24501f38f18c301112a

/data/data/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv-journal

MD5 485d9848a41f51452aad5a813ab72ff8
SHA1 29f8cbd651741c796ae2380a3ecb61845780d37b
SHA256 9546661b08daf58a61a3ffce0a9bf772d37b1ca0508c7f7dece3c5a10b196c9b
SHA512 f9274c7b6e413a08cbee337e4cd5fa4ee6d62cd93365414ac4e11d5da3f33d5fa2a3cf9ba07eae4586cdb42d45bd8053fd6451a779374a74094d37f34b26aacd

/storage/emulated/0/Download/sdsid

MD5 b8c37e33defde51cf91e1e03e51657da
SHA1 dd01903921ea24941c26a48f2cec24e0bb0e8cc7
SHA256 fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71
SHA512 e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7

/data/data/com.bangkok.bqupmorm.fhjqstiv/app_tfile/oat/fields.jar.cur.prof

MD5 6de41202d76cfb91657a014430e7f33d
SHA1 1c066a98ee1dae3493881522b42a6978ef72ffee
SHA256 51491488aa5999f64c4d74c50676559497e9890b2a3978cdc8f07dc782e945ec
SHA512 765ef4f4ca7a832af8677b8cb38b705a5cf809b6d321f7d86bcb03471d5e55d8c9b8dc04dbad9f89b10febd5e87b29d29e1bd36fa91259ba00ea863ad1225236

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 15:49

Reported

2024-06-16 15:52

Platform

android-x64-arm64-20240611.1-en

Max time kernel

176s

Max time network

132s

Command Line

com.bangkok.bqupmorm.fhjqstiv

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.bangkok.bqupmorm.fhjqstiv

com.bangkok.bqupmorm.fhjqstiv:RemoteProcess

com.bangkok.bqupmorm.fhjqstiv:guard

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.adsnative123.com udp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp

Files

/data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar

MD5 cceb8db3b057d24673d49eda229e9892
SHA1 b18f6353b2156410249079a3b7b86ef3a530e8ee
SHA256 e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97
SHA512 4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57

/data/user/0/com.bangkok.bqupmorm.fhjqstiv/app_tfile/fields.jar

MD5 73b11c4c10150bbd4f29ad012dc11dde
SHA1 65c83ad32c29f9811c32eda75d7fcdc92ef42dda
SHA256 52132037e9b950a9cb48d6374ee2c6747a6bfe776e13a726395771f1b40ee9da
SHA512 3e53b1ee22a00e60896da86d2695195e0965c93d190c4d1c0dba2eb5c611d670ee7693a9f8756858255e2b170cb82a753719dd4d6a827af437309b7a1dcc6f01

/data/user/0/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv-journal

MD5 2c08c904d0db6a6d02d36c2b2ac8d187
SHA1 f4b9cf2021a3b36870347332bb4a84cf5b95b5c8
SHA256 b1a5cf6989403c02212633b3ef1d6def094f836c936d7542f373c2f23a552f07
SHA512 123234f1e4a6352b12ea97e448d8ec1c1388d719e3ac9246f38463a30c3ea0f42260c0569dffc75819b59c25a82b887c506e6fe30d40c7e9965e63c2ca52da7c

/data/user/0/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv

MD5 ebfd4869bb86abd638bc48b891f3e1c8
SHA1 a27f262fe7a41ec9976d457416447f8b78c80e03
SHA256 5f49bca53de766023101cc1ac8dda79a83c485fce8d9138452b39d1853d2fe0f
SHA512 062fd15e0a34619071834f2d81889e6a100c3a707e53621b16d584182a57c690f6a24a73e19fb77678d857fde477935811a963998a73d7ffe971d6ebd9cafb07

/data/user/0/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv-journal

MD5 c3ad417984d01c73744ca2dc5c7abc92
SHA1 b22f191afc2c2059a6ec606a9d4a906b900b7eea
SHA256 1fd42e15ca841a77ac0b1e729af68c6d6780479e668ccf05c261fea27082da1b
SHA512 721303448243feab31c33a313a58f4fba75988c58abf62681ee6e9bf3ba31f81bf0efa1ad321c9b9694553cec6b14a046e6c4ee25f7795547d9c642115262dad

/data/user/0/com.bangkok.bqupmorm.fhjqstiv/databases/tbcom.bangkok.bqupmorm.fhjqstiv-journal

MD5 4eb369a390c92bda8218fa415821f346
SHA1 662ee9e5f49116c5ab887c93dd063e4b866ddeaf
SHA256 edd9a445d8684f2992ffc43aea839273e677a862e85f79158497788d0485f500
SHA512 dde55523908da91eeef66d68683b4a7afd3c188579262f91ff3c07f595ba4bdcf22af686b381d5946f728f879276ada5e361dead93bedad57aa25bae9d404fe1

/storage/emulated/0/Download/sdsid

MD5 b8c37e33defde51cf91e1e03e51657da
SHA1 dd01903921ea24941c26a48f2cec24e0bb0e8cc7
SHA256 fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71
SHA512 e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7