Malware Analysis Report

2024-12-07 17:42

Sample ID 241112-1x8pgasdma
Target 9c6fe1e9b76f60bbce870b1ad5dba2f48103f362313d78a2191c6f86a370db02.bin
SHA256 9c6fe1e9b76f60bbce870b1ad5dba2f48103f362313d78a2191c6f86a370db02
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 9c6fe1e9b76f60bbce870b1ad5dba2f48103f362313d78a2191c6f86a370db02.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Octo family

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Reads information about phone network operator.

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:02

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:02

Reported

2024-11-12 22:05

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

com.draw.kid

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.draw.kid/app_cause/mR.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.draw.kid

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.draw.kid/app_cause/mR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.draw.kid/app_cause/oat/x86/mR.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.draw.kid/app_cause/mR.json
/data/user/0/com.draw.kid/app_cause/mR.json
/data/data/com.draw.kid/kl.txt
/data/data/com.draw.kid/.qcom.draw.kid

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:02

Reported

2024-11-12 22:05

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.draw.kid

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.draw.kid/app_cause/mR.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.draw.kid

Network


Files

/data/data/com.draw.kid/app_cause/mR.json
/data/user/0/com.draw.kid/app_cause/mR.json
/data/data/com.draw.kid/kl.txt
/data/data/com.draw.kid/.qcom.draw.kid