Malware Analysis Report

2024-12-01 03:00

Sample ID 241107-1xx8qsymbs
Target 7155b585eafb8e08cba5edaa7fc62f12c036aa4f714ed0dd72cd2f3cb2d36bd8.bin
SHA256 7155b585eafb8e08cba5edaa7fc62f12c036aa4f714ed0dd72cd2f3cb2d36bd8
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7155b585eafb8e08cba5edaa7fc62f12c036aa4f714ed0dd72cd2f3cb2d36bd8

Threat Level: Known bad

The file 7155b585eafb8e08cba5edaa7fc62f12c036aa4f714ed0dd72cd2f3cb2d36bd8.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo family

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests modifying system settings.

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Requests accessing notifications (often used to intercept notifications before users become aware).

Reads information about phone network operator.

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 22:02

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 22:02

Reported

2024-11-07 22:04

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

com.amazing.secret

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.amazing.secret/app_goat/QG.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.amazing.secret

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.amazing.secret/app_goat/QG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.amazing.secret/app_goat/oat/x86/QG.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.amazing.secret/app_goat/QG.json

/data/user/0/com.amazing.secret/app_goat/QG.json

/data/data/com.amazing.secret/kl.txt

/data/data/com.amazing.secret/.qcom.amazing.secret

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 22:02

Reported

2024-11-07 22:04

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

151s

Command Line

com.amazing.secret

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.amazing.secret/app_goat/QG.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.amazing.secret

Network


Files

/data/data/com.amazing.secret/app_goat/QG.json

/data/user/0/com.amazing.secret/app_goat/QG.json

/data/data/com.amazing.secret/kl.txt

/data/data/com.amazing.secret/.qcom.amazing.secret