Malware Analysis Report

2024-10-19 12:58

Sample ID 240823-1wzeea1fnn
Target 4d9f792dc874caf4f22d288d46d691d86cb222dc3511db48e3395484e5575fa4.bin
SHA256 4d9f792dc874caf4f22d288d46d691d86cb222dc3511db48e3395484e5575fa4
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 4d9f792dc874caf4f22d288d46d691d86cb222dc3511db48e3395484e5575fa4.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Requests modifying system settings.

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-08-23 22:00

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Required to be able to advertise to nearby Bluetooth devices. android.permission.BLUETOOTH_ADVERTISE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to access any geographic locations persisted in the user's shared collection. android.permission.ACCESS_MEDIA_LOCATION N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to advertise and connect to nearby devices via Wi-Fi. android.permission.NEARBY_WIFI_DEVICES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-23 22:00

Reported

2024-08-23 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

171s

Max time network

142s

Command Line

com.shock.tomorrow

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.shock.tomorrow/app_toddler/nUZdNg.json N/A N/A
N/A /data/user/0/com.shock.tomorrow/app_toddler/nUZdNg.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.shock.tomorrow

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.shock.tomorrow/app_toddler/nUZdNg.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.shock.tomorrow/app_toddler/oat/x86/nUZdNg.odex --compiler-filter=quicken --class-loader-context=&

Network

Files

/data/data/com.shock.tomorrow/app_toddler/nUZdNg.json

/data/user/0/com.shock.tomorrow/app_toddler/nUZdNg.json

/data/data/com.shock.tomorrow/kl.txt

/data/data/com.shock.tomorrow/.qcom.shock.tomorrow

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-23 22:00

Reported

2024-08-23 22:09

Platform

android-33-x64-arm64-20240624-en

Max time kernel

178s

Max time network

182s

Command Line

com.shock.tomorrow

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.shock.tomorrow/app_toddler/nUZdNg.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.shock.tomorrow

Network

Files

/data/data/com.shock.tomorrow/app_toddler/nUZdNg.json

/data/user/0/com.shock.tomorrow/app_toddler/nUZdNg.json

/data/data/com.shock.tomorrow/.qcom.shock.tomorrow
