Malware Analysis Report

2024-10-19 12:59

Sample ID 240823-1x34zs1gkp
Target 50bcb9214233d2e6d062246fae01ef9a0f27c0ef8056815cda0adecf83ec8969.bin
SHA256 50bcb9214233d2e6d062246fae01ef9a0f27c0ef8056815cda0adecf83ec8969
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

50bcb9214233d2e6d062246fae01ef9a0f27c0ef8056815cda0adecf83ec8969

Threat Level: Known bad

The file 50bcb9214233d2e6d062246fae01ef9a0f27c0ef8056815cda0adecf83ec8969.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Declares services with permission to bind to the system

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Acquires the wake lock

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-23 22:02

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Required to be able to advertise and connect to nearby devices via Wi-Fi. | android.permission.NEARBY_WIFI_DEVICES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application a broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to advertise to nearby Bluetooth devices. | android.permission.BLUETOOTH_ADVERTISE | N/A | N/A
Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-23 22:02

Reported

2024-08-23 22:18

Platform

android-x86-arm-20240624-en

Max time kernel

175s

Max time network

143s

Command Line

com.fold.thumb

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.fold.thumb/app_hammer/Sohci.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.fold.thumb

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fold.thumb/app_hammer/Sohci.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fold.thumb/app_hammer/oat/x86/Sohci.odex --compiler-filter=quicken --class-loader-context=&

Network

Files

/data/data/com.fold.thumb/app_hammer/Sohci.json

/data/user/0/com.fold.thumb/app_hammer/Sohci.json

/data/data/com.fold.thumb/kl.txt

/data/data/com.fold.thumb/.qcom.fold.thumb

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-23 22:02

Reported

2024-08-23 22:16

Platform

android-33-x64-arm64-20240624-en

Max time kernel

179s

Max time network

189s

Command Line

com.fold.thumb

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.fold.thumb/app_hammer/Sohci.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.fold.thumb

Network

Files

/data/data/com.fold.thumb/app_hammer/Sohci.json

/data/user/0/com.fold.thumb/app_hammer/Sohci.json

/data/data/com.fold.thumb/.qcom.fold.thumb