Malware Analysis Report

2024-11-13 17:37

Sample ID 241109-1ztnbstckd
Target 3a8aca86890e9d6da081020226cf8f06e61d48025c09d39534d2c31f4dd9b933.bin
SHA256 3a8aca86890e9d6da081020226cf8f06e61d48025c09d39534d2c31f4dd9b933
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 3a8aca86890e9d6da081020226cf8f06e61d48025c09d39534d2c31f4dd9b933.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo family

Octo

Octo payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries the unique device ID (IMEI, MEID, IMSI)

Attempts to obfuscate APK file format

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Requests modifying system settings.

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:05

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:05

Reported

2024-11-09 22:08

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

150s

Command Line

com.negative.addict

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.negative.addict/app_cigar/Njmja.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.negative.addict

Network


Files

/data/data/com.negative.addict/app_cigar/Njmja.json

/data/user/0/com.negative.addict/app_cigar/Njmja.json

/data/data/com.negative.addict/kl.txt

/data/data/com.negative.addict/.qcom.negative.addict


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:05

Reported

2024-11-09 22:08

Platform

android-x86-arm-20240624-en

Max time kernel

144s

Max time network

142s

Command Line

com.negative.addict

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.negative.addict/app_cigar/Njmja.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.negative.addict

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.negative.addict/app_cigar/Njmja.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.negative.addict/app_cigar/oat/x86/Njmja.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.negative.addict/app_cigar/Njmja.json

/data/user/0/com.negative.addict/app_cigar/Njmja.json

/data/data/com.negative.addict/kl.txt

/data/data/com.negative.addict/.qcom.negative.addict
