Malware Analysis Report

2024-10-19 12:59

Sample ID 240827-1w72jsvhlp
Target 1c816b006c08e1c805512564c9b74fb4b02de85c49b777a7131c1b69230210d0.bin
SHA256 1c816b006c08e1c805512564c9b74fb4b02de85c49b777a7131c1b69230210d0
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1c816b006c08e1c805512564c9b74fb4b02de85c49b777a7131c1b69230210d0

Threat Level: Known bad

The file 1c816b006c08e1c805512564c9b74fb4b02de85c49b777a7131c1b69230210d0.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests modifying system settings.

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Acquires the wake lock

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-27 22:01

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-27 22:01

Reported

2024-08-27 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

178s

Max time network

144s

Command Line

com.legend.urge

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json N/A N/A
N/A /data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.legend.urge

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.legend.urge/app_sheriff/oat/x86/GOGLBPI.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 pelonivaremaxo.xyz udp
US 1.1.1.1:53 tralonivexomar.xyz udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 zolrivanelomax.xyz udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 trevinolaromex.xyz udp
US 1.1.1.1:53 lornavinarelox.xyz udp
US 1.1.1.1:53 tarolinaxmover.xyz udp
US 1.1.1.1:53 jerominalexvor.xyz udp
US 1.1.1.1:53 jarolinamovexr.xyz udp
US 1.1.1.1:53 zarolinavexrom.xyz udp
US 1.1.1.1:53 kolvanarexilon.xyz udp
US 1.1.1.1:53 merolinavexrox.xyz udp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 1.1.1.1:53 xerolimaxonvor.xyz udp
US 1.1.1.1:53 vernolimarevox.xyz udp
US 1.1.1.1:53 solvinarilemax.xyz udp
US 1.1.1.1:53 tarovinalexmon.xyz udp
US 1.1.1.1:53 voranileximavor.xyz udp
US 1.1.1.1:53 xerolimanorvix.xyz udp
US 1.1.1.1:53 karlovinarelox.xyz udp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 1.1.1.1:53 kolvanarexilon.xyz udp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 154.216.20.238:443 kolvanarexilon.xyz tcp

Files

/data/data/com.legend.urge/app_sheriff/GOGLBPI.json

MD5 172180848f8c0615548f2ce453fcd6d1
SHA1 cbaa92d22201c561486d37bd09ae1e50e7ea87dc
SHA256 538afac44aa94d36bb5627a695b4be84db375a7451b928535543bd3700ac7d57
SHA512 bd1ba4cb55cb595fc36ab1a5ee38df0e5f797d4bb79d2efe152673ebf52a4fbde3ce3ec4aac9758e020cf2f249e4fe6b76edc9ecb9b7e8374c6e75dc24f4b4e2

/data/data/com.legend.urge/app_sheriff/GOGLBPI.json

MD5 829d0709466bd6b8548c58f83dcb2a0b
SHA1 2214743d38ed2f3d9db78b4181a6a659437f18f5
SHA256 d1e345bb7b9b3643b286b2e49dce5f3217b6c64b193639bebe2dacb6db7df8bf
SHA512 55a37efd04293ddd44b214d13faa31799c541501d45380e7825042245f1b66967479b6db85b15d2a38cde502678aeda68cf0da9770ed6ae49bdc79b8b40158e6

/data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json

MD5 fed017e390c950e25634e69fd63f10aa
SHA1 53f8f97200d1e5810d14a3559b571046d27ff9b8
SHA256 765c6873f27be2ac563148e27992b75361b92dee36ba25b1475d6a106a120f40
SHA512 d37a93c20070e6b2077d91fcbf665a15655db1220b5e64251b491c42831f5070fcdcf4119ef4bbc865853ccca6c403a608b9895464ca20161406d3258a0dfe86

/data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json

MD5 04a938dae702b872dc022b1fcfe111b8
SHA1 e425e64cc98659c0d3a05110c03f6200469c5038
SHA256 5b5fa22ac124c030db71e58e9bd0eff7c84a72f7e52c66bc3de75d63eb7e82c2
SHA512 9d676f868aa5e605dc9a7a12e05c7045af94942d881ae9d9c96488a118aa124d4617ff602122ffbd15aee5a0e8634015f06a77d96b78c211569d927419b37b5c

/data/data/com.legend.urge/kl.txt

MD5 006e8a6d14415231d97655343aef6fd4
SHA1 a2811f9f277fbd15bf7d1928b10a18d6a8f2dbb1
SHA256 32b305cc4f37d94ed533719d5fed40be5fc3cbcbafeb67fd8df8b924cc1c0bda
SHA512 81d953d393dd957eb8d584b2c94ec7a507438998a0b10386247e3ba50e8b6eb824f38dbcd6d01a5e8a78cf444c602708185505c1b021af17817caf7ccc2dcd16

/data/data/com.legend.urge/kl.txt

MD5 b9c0553abd46940b3fe7c935e225217e
SHA1 7e8592238e6b26d3b0f12babca65c358106ed929
SHA256 bcfb27c62748ffe5de08ef838296521d8a2a8ab5eb1d5f8e899827a51e4501be
SHA512 59ff6cad150b9af0d68c8c920559da7ae341da45818230cc8e345126059acb068c7291c9cff28e59b525db5cc22d793d33f9d6670ad591327ce72a78679b35bd

/data/data/com.legend.urge/kl.txt

MD5 302bcda7b65fc3b700cd49566a4e7585
SHA1 796730bf22858ce4fd743e77e575354c4054b379
SHA256 659035233e06f2721a3a05e3384c2d9bde8a985f0101b3620a03a442c51f6df0
SHA512 9d3621aca7f2b0e791173de1b1d084ace04c6e36ff5c97a74b8e7aa9615c1bc26357dc44d9461ce73ccb15b61a8c506449ebc6daa9bf574097dd1ce03a33a0a3

/data/data/com.legend.urge/kl.txt

MD5 373684bb860e57b1167ba8ad5b378266
SHA1 b190566f764849a99535afc0e1632c57e109f962
SHA256 e7136c7bb24dd28adf38819e7491454177919f14f420e727050984bff2d5d8b8
SHA512 667875100e270a6996ed372ffa6a42e5efcd76b0f96fe153b21e42b4262e87afede280d8a82d8c06b56f1df9e4acee24082084f8f593ae375462357665e7625b

/data/data/com.legend.urge/kl.txt

MD5 1571acc219ed82d71909ea74c225715d
SHA1 4000ce3761d3cbcd7c4b7a90c6ba212e3fca6bdd
SHA256 ca5d4b77a443231ac05c25ace79be285d8d605fbd2d4fb83dae8e483910c06ed
SHA512 dd37ec3c66695720568afa505548682f0128ed2e8e4e59a780bfc16706021fe2dcf4cd8aea27cf98e04afa519e94f8ec5c26b766c2991e1b0de1e7e6510ddcb4

/data/data/com.legend.urge/.qcom.legend.urge

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-27 22:01

Reported

2024-08-27 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

158s

Command Line

com.legend.urge

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.legend.urge

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 tralonivexomar.xyz udp
US 1.1.1.1:53 tarolinaxmover.xyz udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 karlovinarelox.xyz udp
US 1.1.1.1:53 xerolimanorvix.xyz udp
US 1.1.1.1:53 ferolimanivrox.xyz udp
US 1.1.1.1:53 norvinareloxam.xyz udp
US 1.1.1.1:53 jarolinamovexr.xyz udp
US 1.1.1.1:53 zolrivanelomax.xyz udp
US 1.1.1.1:53 trevinolaromex.xyz udp
US 1.1.1.1:53 xerolimaxonvor.xyz udp
US 1.1.1.1:53 zarolinavexrom.xyz udp
US 1.1.1.1:53 tarovinalexmon.xyz udp
US 1.1.1.1:53 lornavinarelox.xyz udp
US 1.1.1.1:53 solvinarilemax.xyz udp
US 1.1.1.1:53 jerominalexvor.xyz udp
US 1.1.1.1:53 pelonivaremaxo.xyz udp
US 1.1.1.1:53 merolinavexrox.xyz udp
US 1.1.1.1:53 vernolimarevox.xyz udp
US 1.1.1.1:53 kolvanarexilon.xyz udp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 voranileximavor.xyz udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 1.1.1.1:53 kolvanarexilon.xyz udp
US 154.216.20.238:443 kolvanarexilon.xyz tcp
US 1.1.1.1:53 kolvanarexilon.xyz udp
US 154.216.20.238:443 kolvanarexilon.xyz tcp

Files

/data/data/com.legend.urge/app_sheriff/GOGLBPI.json

MD5 172180848f8c0615548f2ce453fcd6d1
SHA1 cbaa92d22201c561486d37bd09ae1e50e7ea87dc
SHA256 538afac44aa94d36bb5627a695b4be84db375a7451b928535543bd3700ac7d57
SHA512 bd1ba4cb55cb595fc36ab1a5ee38df0e5f797d4bb79d2efe152673ebf52a4fbde3ce3ec4aac9758e020cf2f249e4fe6b76edc9ecb9b7e8374c6e75dc24f4b4e2

/data/data/com.legend.urge/app_sheriff/GOGLBPI.json

MD5 829d0709466bd6b8548c58f83dcb2a0b
SHA1 2214743d38ed2f3d9db78b4181a6a659437f18f5
SHA256 d1e345bb7b9b3643b286b2e49dce5f3217b6c64b193639bebe2dacb6db7df8bf
SHA512 55a37efd04293ddd44b214d13faa31799c541501d45380e7825042245f1b66967479b6db85b15d2a38cde502678aeda68cf0da9770ed6ae49bdc79b8b40158e6

/data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json

MD5 fed017e390c950e25634e69fd63f10aa
SHA1 53f8f97200d1e5810d14a3559b571046d27ff9b8
SHA256 765c6873f27be2ac563148e27992b75361b92dee36ba25b1475d6a106a120f40
SHA512 d37a93c20070e6b2077d91fcbf665a15655db1220b5e64251b491c42831f5070fcdcf4119ef4bbc865853ccca6c403a608b9895464ca20161406d3258a0dfe86

/data/data/com.legend.urge/kl.txt

MD5 6a99c91e5e3786e87f6772e0a7a3d683
SHA1 604a9c7dc1f766a767df0b3a9bf4c62592153ccb
SHA256 3e488f7a0f02a90e09b736e3efa08089b2be22057f165d045dc88f9e9ce78bba
SHA512 76823e9a64f30e95c1bda686a77a1dbcc1ba7aff4348214f208e50efa34389d164ed02462dbde3fc3209ab74a0c0b166917fb90f8d1c0a620ee62d5e19e35d86

/data/data/com.legend.urge/kl.txt

MD5 270d7add87dff5d385b65aa9d56494fb
SHA1 54967ef5e3fb91ba85faf5b5cdd66f7ed04aef92
SHA256 32b0c4c288329a9cfaba3ca27ee0201252163d629373f9c0b5f95a293f14ab3f
SHA512 e1055b98639cf617db15f9a48909b4bf51b129dbc84b67a31e1a476659672b390f07b02bf98795458215ba88a20f2e66aa9c5b9b464cd962753fecfa7f1d1d2d

/data/data/com.legend.urge/kl.txt

MD5 ea3721bcf446893d470be1dcc11c4b2d
SHA1 c33527ab08d999ecda6e3b651533cbbee752fbc2
SHA256 7902c9ec9a1f61572a1f0c272a0aa6ba2de10d4b0e1c34522c294103d07c4193
SHA512 9b8c8648f52e794d9903ea08dbfb1124f683bb067bd6b807d4a9762b821b6bb9c1a04fa784018d78a2db4c2de571c5d25aa451fbafdfd3368b582436d4c21966

/data/data/com.legend.urge/kl.txt

MD5 2de0ca93c25e127fa7975aec400ab1ef
SHA1 3f52b680bed0bf3f93103ddf3f52d62318b6ac50
SHA256 8d887746dc223dbc9c59eb390f1c5108fb7abe3430457c7d487ef269aa661c61
SHA512 2d2d555ffdc319a2f158172c43ad00b2b7a564910795f05ea8e15d7d19a99ab4ecca2dadde95b204acdd13b64d25b815a2cbc5f9ea425839e6507f2102566603

/data/data/com.legend.urge/kl.txt

MD5 83f14cc8244b6c591e341ebebe3fa612
SHA1 858e1aeac3a819c205f2857f040b105349d65df3
SHA256 b9c10cab2f72632c1ed5d44e87b8e3bbf5a2a30eeb4dbec3c8a8d7a6c5a817d5
SHA512 213da523001ef79ac7713e297c2b74bd543b0a33ca87c9e91a2fa511a5013cb5600b616ccceaa2d7e7b5e677d4c78c9b3faf2cf2f7552ce54ec8ad70c7de86b1

/data/data/com.legend.urge/.qcom.legend.urge

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c