Analysis Overview
SHA256
e6524a4e9e6f0bfe9681b9616b35b4554f23b3ac029c5467fdd800751dfed6dd
Threat Level: Shows suspicious behavior
The file Territorial.io 38.apk+ was found to show suspicious behavior.
Malicious Activity Summary
Checks CPU information
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Obtains sensitive information copied to the device clipboard
Checks memory information
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Analysis: static1
Detonation Overview
Reported
2024-05-22 05:43
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:49
Platform
win10v2004-20240508-en
Max time kernel
234s
Max time network
269s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\apk+.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:49
Platform
android-x86-arm-20240514-en
Max time kernel
306s
Max time network
339s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
territorial.io
Network
Files
/data/data/territorial.io/no_backup/androidx.work.workdb-journal
/data/data/territorial.io/no_backup/androidx.work.workdb
/data/data/territorial.io/no_backup/androidx.work.workdb-shm
/data/data/territorial.io/no_backup/androidx.work.workdb-wal
/data/misc/profiles/cur/0/territorial.io/primary.prof
/data/data/territorial.io/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/territorial.io/files/profileInstalled
/data/data/territorial.io/files/indexUpdated.html
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:44
Platform
android-x64-arm64-20240514-en
Max time kernel
48s
Max time network
52s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Processes
territorial.io
Network
Files
/data/data/territorial.io/no_backup/androidx.work.workdb-journal
/data/data/territorial.io/no_backup/androidx.work.workdb
/data/data/territorial.io/no_backup/androidx.work.workdb-shm
/data/data/territorial.io/no_backup/androidx.work.workdb-wal
/data/data/territorial.io/files/indexUpdated.html
/data/misc/profiles/cur/0/territorial.io/primary.prof
/data/data/territorial.io/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:44
Platform
android-x64-arm64-20240514-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:49
Platform
android-x64-20240514-en
Max time kernel
307s
Max time network
340s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
territorial.io
Network
Files
/data/data/territorial.io/no_backup/androidx.work.workdb-journal
/data/data/territorial.io/no_backup/androidx.work.workdb
/data/data/territorial.io/no_backup/androidx.work.workdb-shm
/data/data/territorial.io/no_backup/androidx.work.workdb-wal
/data/data/territorial.io/files/indexUpdated.html
/data/misc/profiles/cur/0/territorial.io/primary.prof
/data/data/territorial.io/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/territorial.io/files/profileInstalled
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:44
Platform
android-x86-arm-20240514-en
Max time network
4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.200.42:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:44
Platform
android-x64-20240514-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:44
Platform
android-x86-arm-20240514-en
Max time network
3s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.195:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:44
Platform
android-x64-20240514-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:44
Platform
android-x64-arm64-20240514-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 05:43
Reported
2024-05-22 05:49
Platform
win7-20240221-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2220 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2220 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2880 wrote to memory of 2276 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2880 wrote to memory of 2276 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2880 wrote to memory of 2276 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2880 wrote to memory of 2276 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\apk+.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\apk+.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\apk+.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 522d70e81fca5a44bcc5513869a81938 |
| SHA1 | 400bbee6315fb50e2fec61ae1917cf9259fc4318 |
| SHA256 | d04e9135992062ce9a4ab782b917063d394a7132275974d8651b2851eb82ef12 |
| SHA512 | cd171eec6caec4010388d6df77ae4013b47778731a07fc18912aa76d8df2d2a8980f88a8a58bb994b164c83d75c2a68189ce1fe3ebbee6f387d30d5b2484535d |