Malware Analysis Report

2024-12-07 19:32

Sample ID 241114-npe1zaxqfz
Target Alertswiss_bind_sign.apk
SHA256 4928c563dc610a7c968f697e4ebcda9a441d94a4abd5013c38dfa8e8b62cc4f5
Tags
discovery evasion octo banker collection credential_access impact infostealer persistence privilege_escalation rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4928c563dc610a7c968f697e4ebcda9a441d94a4abd5013c38dfa8e8b62cc4f5

Threat Level: Known bad

The file Alertswiss_bind_sign.apk was found to be: Known bad.

Malicious Activity Summary

discovery evasion octo banker collection credential_access impact infostealer persistence privilege_escalation rat trojan

Octo family

Octo payload

Octo

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Queries information about active data network

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Tries to add a device administrator.

Reads information about phone network operator.

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 11:34

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 11:34

Reported

2024-11-14 11:37

Platform

android-x86-arm-20240624-en

Max time kernel

124s

Max time network

145s

Command Line

ch.admin.babs.alertswiss

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /system/xbin/su N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Checks the presence of a debugger

evasion

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

ch.admin.babs.alertswiss

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 firebase-settings.crashlytics.com udp
GB 216.58.201.99:443 firebase-settings.crashlytics.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 app-prod-ws.alertswiss-app.ch udp
DE 18.184.148.206:443 app-prod-ws.alertswiss-app.ch tcp
US 1.1.1.1:53 tag.myaspectra.ch udp
CH 185.27.184.25:443 tag.myaspectra.ch tcp

Files

/data/data/ch.admin.babs.alertswiss/databases/com.google.android.datatransport.events-journal
/data/data/ch.admin.babs.alertswiss/databases/com.google.android.datatransport.events
/data/data/ch.admin.babs.alertswiss/databases/com.google.android.datatransport.events-shm
/data/data/ch.admin.babs.alertswiss/databases/com.google.android.datatransport.events-wal
/data/data/ch.admin.babs.alertswiss/files/PersistedInstallation6234797957243389664tmp
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E05101C800011090FF99E8C59B1D/native/session.json
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E05101C800011090FF99E8C59B1D/native/app.json
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E05101C800011090FF99E8C59B1D/native/os.json
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E05101C800011090FF99E8C59B1D/native/device.json
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E05101C800011090FF99E8C59B1D/report
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E05101C800011090FF99E8C59B1D/keys
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/com.crashlytics.settings.json
/data/data/ch.admin.babs.alertswiss/files/PersistedInstallation5940880653721364368tmp
/data/data/ch.admin.babs.alertswiss/files/db/dataManager.db-journal
/data/data/ch.admin.babs.alertswiss/files/db/dataManager.db
/data/data/ch.admin.babs.alertswiss/files/tmpDB
/data/data/ch.admin.babs.alertswiss/files/db/UserDatabase.sqlite-journal
/data/data/ch.admin.babs.alertswiss/files/db/UserDatabase.sqlite

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 11:34

Reported

2024-11-14 11:37

Platform

android-33-x64-arm64-20240624-en

Max time kernel

125s

Max time network

146s

Command Line

ch.admin.babs.alertswiss

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Checks the presence of a debugger

evasion

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

ch.admin.babs.alertswiss

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.196:443 udp
GB 142.250.187.196:443 tcp
US 1.1.1.1:53 firebase-settings.crashlytics.com udp
GB 142.250.200.35:443 firebase-settings.crashlytics.com tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 app-prod-ws.alertswiss-app.ch udp
DE 35.156.123.37:443 app-prod-ws.alertswiss-app.ch tcp
GB 216.58.212.238:443 udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 172.217.169.10:443 remoteprovisioning.googleapis.com tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 216.58.204.67:443 tcp
US 172.64.41.3:443 udp
GB 216.58.204.67:443 udp
GB 142.250.187.196:443 tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.187.196:443 udp
GB 142.250.187.227:443 tcp
US 1.1.1.1:53 tag.myaspectra.ch udp
CH 185.27.184.25:443 tag.myaspectra.ch tcp

Files

/data/data/ch.admin.babs.alertswiss/files/PersistedInstallation8206390859548586968tmp
/data/data/ch.admin.babs.alertswiss/databases/com.google.android.datatransport.events-journal
/data/data/ch.admin.babs.alertswiss/databases/com.google.android.datatransport.events
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E0530115000110E0EAE6C71ABC5A/native/session.json
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E0530115000110E0EAE6C71ABC5A/native/app.json
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E0530115000110E0EAE6C71ABC5A/native/os.json
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E0530115000110E0EAE6C71ABC5A/native/device.json
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E0530115000110E0EAE6C71ABC5A/report
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/open-sessions/6735E0530115000110E0EAE6C71ABC5A/keys
/data/data/ch.admin.babs.alertswiss/files/.com.google.firebase.crashlytics.files.v2:ch.admin.babs.alertswiss/com.crashlytics.settings.json
/data/data/ch.admin.babs.alertswiss/files/PersistedInstallation5121857214672048246tmp
/data/data/ch.admin.babs.alertswiss/files/db/dataManager.db-journal
/data/data/ch.admin.babs.alertswiss/files/db/dataManager.db
/data/data/ch.admin.babs.alertswiss/files/tmpDB
/data/data/ch.admin.babs.alertswiss/files/db/UserDatabase.sqlite-journal
/data/data/ch.admin.babs.alertswiss/files/db/UserDatabase.sqlite

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-14 11:34

Reported

2024-11-14 11:37

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

146s

Command Line

com.clphone_new1

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.clphone_new1/app_spawn/IPgq.json N/A N/A
N/A /data/user/0/com.clphone_new1/app_spawn/IPgq.json N/A N/A
N/A Anonymous-DexFile@0xc9178000-0xc91fb688 N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.clphone_new1

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.clphone_new1/app_spawn/IPgq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.clphone_new1/app_spawn/oat/x86/IPgq.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 3900f936b3eb2b231e774ebb2524865c.de udp
RO 64.7.198.190:443 3900f936b3eb2b231e774ebb2524865c.de tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/data/com.clphone_new1/app_spawn/IPgq.json
/data/user/0/com.clphone_new1/app_spawn/IPgq.json
/data/data/com.clphone_new1/files/.i
Anonymous-DexFile@0xc9178000-0xc91fb688
/data/data/com.clphone_new1/.global.com.clphone_new1

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-14 11:34

Reported

2024-11-14 11:37

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

com.clphone_new1

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.clphone_new1/app_spawn/IPgq.json N/A N/A
N/A /data/user/0/com.clphone_new1/[email protected] N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.clphone_new1

Network


Files
