Malware Analysis Report

2024-10-19 12:59

Sample ID 240819-1xpllasbmm
Target 9ebd40513425f07b21b149625c3f6816e66f6b104baa4fc054a925428debb56d.bin
SHA256 9ebd40513425f07b21b149625c3f6816e66f6b104baa4fc054a925428debb56d
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 9ebd40513425f07b21b149625c3f6816e66f6b104baa4fc054a925428debb56d.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests dangerous framework permissions

Reads information about phone network operator.

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Attempts to obfuscate APK file format

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests modifying system settings.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 22:01

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to access any geographic locations persisted in the user's shared collection. android.permission.ACCESS_MEDIA_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Required to be able to advertise to nearby Bluetooth devices. android.permission.BLUETOOTH_ADVERTISE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Required to be able to advertise and connect to nearby devices via Wi-Fi. android.permission.NEARBY_WIFI_DEVICES N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 22:01

Reported

2024-08-19 22:13

Platform

android-x86-arm-20240624-en

Max time kernel

175s

Max time network

156s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.nameown12/app_ancient/pBeRPWO.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nameown12/app_ancient/pBeRPWO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nameown12/app_ancient/oat/x86/pBeRPWO.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.nameown12/app_ancient/pBeRPWO.json

/data/user/0/com.nameown12/app_ancient/pBeRPWO.json

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 22:01

Reported

2024-08-19 22:16

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

144s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.nameown12/app_ancient/pBeRPWO.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network


Files

/data/data/com.nameown12/app_ancient/pBeRPWO.json

/data/user/0/com.nameown12/app_ancient/pBeRPWO.json

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12
