Malware Analysis Report

2024-11-13 17:37

Sample ID 241109-1zvwdstcml
Target 15de17ad5b9e74b5c84d156fbf962b3b3bb2eb372df3a9e038789b9e86d3e09e.bin
SHA256 15de17ad5b9e74b5c84d156fbf962b3b3bb2eb372df3a9e038789b9e86d3e09e
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

15de17ad5b9e74b5c84d156fbf962b3b3bb2eb372df3a9e038789b9e86d3e09e

Threat Level: Known bad

The file 15de17ad5b9e74b5c84d156fbf962b3b3bb2eb372df3a9e038789b9e86d3e09e.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo family

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests modifying system settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:05

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:05

Reported

2024-11-09 22:08

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

156s

Command Line

com.sadness.picture

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sadness.picture/app_start/kSR.json N/A N/A (2 identical entries)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A (4 identical entries)

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sadness.picture

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sadness.picture/app_start/kSR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sadness.picture/app_start/oat/x86/kSR.odex --compiler-filter=quicken --class-loader-context=&

Network

Files

/data/data/com.sadness.picture/app_start/kSR.json

/data/user/0/com.sadness.picture/app_start/kSR.json

/data/data/com.sadness.picture/kl.txt

/data/data/com.sadness.picture/.qcom.sadness.picture

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:05

Reported

2024-11-09 22:08

Platform

android-33-x64-arm64-20240624-en

Max time kernel

145s

Max time network

138s

Command Line

com.sadness.picture

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sadness.picture/app_start/kSR.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A (6 identical entries)

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sadness.picture

Network

Files

/data/data/com.sadness.picture/app_start/kSR.json

/data/user/0/com.sadness.picture/app_start/kSR.json

/data/data/com.sadness.picture/.qcom.sadness.picture

/data/data/com.sadness.picture/kl.txt