Malware Analysis Report

2024-10-19 12:59

Sample ID: 240827-1wrpkavhjn
Target: 4a04b5136a5ded43c667ff9b702602b8ca90aa766413f761766113a6d8965601.bin
SHA256: 4a04b5136a5ded43c667ff9b702602b8ca90aa766413f761766113a6d8965601
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 4a04b5136a5ded43c667ff9b702602b8ca90aa766413f761766113a6d8965601.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Attempts to obfuscate APK file format

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests modifying system settings.

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported: 2024-08-27 22:00

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-27 22:00
Reported: 2024-08-27 22:03
Platform: android-x86-arm-20240624-en
Max time kernel: 178s
Max time network: 149s

Command Line

com.cereal.defy

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cereal.defy/app_hungry/XQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cereal.defy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cereal.defy/app_hungry/XQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cereal.defy/app_hungry/oat/x86/XQ.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.cereal.defy/app_hungry/XQ.json

/data/user/0/com.cereal.defy/app_hungry/XQ.json

/data/data/com.cereal.defy/kl.txt

/data/data/com.cereal.defy/.qcom.cereal.defy

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-27 22:00
Reported: 2024-08-27 22:03
Platform: android-33-x64-arm64-20240624-en
Max time kernel: 178s
Max time network: 163s

Command Line

com.cereal.defy

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cereal.defy/app_hungry/XQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cereal.defy

Network


Files

/data/data/com.cereal.defy/app_hungry/XQ.json

/data/user/0/com.cereal.defy/app_hungry/XQ.json

/data/data/com.cereal.defy/kl.txt

/data/data/com.cereal.defy/.qcom.cereal.defy