Malware Analysis Report

2025-01-19 06:58

Sample ID 240522-gewgmsdg95
Target Territorial.io 38.apk+
SHA256 e6524a4e9e6f0bfe9681b9616b35b4554f23b3ac029c5467fdd800751dfed6dd
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e6524a4e9e6f0bfe9681b9616b35b4554f23b3ac029c5467fdd800751dfed6dd

Threat Level: Shows suspicious behavior

The file Territorial.io 38.apk+ was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Checks CPU information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks memory information

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 05:43

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:49

Platform

win10v2004-20240508-en

Max time kernel

234s

Max time network

269s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\apk+.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\apk+.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:49

Platform

android-x86-arm-20240514-en

Max time kernel

306s

Max time network

339s

Command Line

territorial.io

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

territorial.io

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 territorial.io udp
US 1.1.1.1:53 fundingchoicesmessages.google.com udp
GB 142.250.200.14:443 fundingchoicesmessages.google.com tcp
GB 142.250.200.14:443 fundingchoicesmessages.google.com tcp
GB 142.250.200.14:443 fundingchoicesmessages.google.com tcp
DE 167.71.54.90:443 territorial.io tcp
DE 167.71.54.90:443 territorial.io tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 167.71.54.90:443 territorial.io tcp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 216.58.204.68:443 tcp
GB 142.250.187.195:80 tcp
GB 172.217.16.227:443 tcp

Files

/data/data/territorial.io/no_backup/androidx.work.workdb-journal

MD5 270ab8c976172d6a3991236470b6bd20
SHA1 4a009df524a7735c3028dbe4157057379b913032
SHA256 720930ef5e7db02a625728c00f8436fa954ef239c2c24203df99f41bf04dc0de
SHA512 d51baa7f78e7f7cecb6203ea90c73fd08e0a651903a945fcd5eaf0145f4fdb509883a2121138ce654e4d1d8f2253ece76a633b687a4830202c67b25f74e64fc1

/data/data/territorial.io/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/territorial.io/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/territorial.io/no_backup/androidx.work.workdb-wal

MD5 615dfbc03e3d09242d3e21ede0874bc6
SHA1 1e88b3ca1adcb179088b656eb1f659c29d6bf134
SHA256 72dff6e3ab8c6afdc08fdcdd415ed965efac0f548edef678ec121ab806bba55b
SHA512 9ae35f3c88f171d479bc0082ddde3bcbfd91f58452f2f2cf7d8f542cb78d523c10d6938e0fea80f7157d5c937fa88de0b1cddaccb9dfabe6bb84b50587ea3840

/data/data/territorial.io/no_backup/androidx.work.workdb-wal

MD5 721f9bfcb7e4b4facc43b16830776162
SHA1 1fffbfa57000b275d91f8a5a0813d32b82a068ee
SHA256 2ba22b0f16a0bd3d5c0ed4f56016115f83efd3ba88e952cdee7b72a0ec0b8622
SHA512 a3215bca343526b4043a4684a544b0548ae1c17f1dc68b4561107c166d44f0c9a308b6d13bc975ad40009cd76ab290a5480f2ffe70b78798134684087dbf8884

/data/misc/profiles/cur/0/territorial.io/primary.prof

MD5 5ff3ab152ed8e0bb6127427f8a6bd559
SHA1 dba449a9b9da2c601766da3180943c830a79fd3e
SHA256 56434102fb84308bdf7dfef415ebbb0c7a38b6630f1b97ed6c3cc1db47afb143
SHA512 206386af05c0b3364beb20103181545c52a50ca0e2a873f6746d63fd2d3dbb63664345fb5ad19a8e430ebe0cb0c524116ab66d37736c01979d701d849d4f1422

/data/data/territorial.io/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3cb0ee429c101cd7f333f30145e85ab3
SHA1 47a2809363449ae0270bf6eebf34d70cb0ab4ee6
SHA256 1a7f4b66b7863e5a13e74f2b8ed1454861dcc687d2bf7ec6b71ab4f85587e382
SHA512 ebf254371a7d2a3e0293bf76ffa9dc3b811df88542b03f4263b121dd5fe8b30804b60a6b06feb15a87f4803eea1216d81c5da7ae3bfd54a0302e4aae1338b974

/data/data/territorial.io/files/profileInstalled

MD5 a7d597b24921a29e91e9c17533d0304b
SHA1 da88ae8ca8b54ff46170a3e6aea89eabce5bee7d
SHA256 011a05b290385e7c973f81f8660248e2d0e19ef572a3d201f7dc16e2791d320a
SHA512 1febcc7da6297881a450107291894ae979b4e34a552ea28d25de2c579ed177c41dda686df3adba814959f7c2c0946d3c3bc51d0a7b6224117141fa5a1cc634a0

/data/data/territorial.io/files/indexUpdated.html

MD5 e5e38940da0c3dd7d97b8c05d995e3a5
SHA1 9ada75a30e788908f5ea8cd544744aceeb623835
SHA256 aa314e4dd2130ed653559baa70264971a362be6956935728883791b491e18f57
SHA512 cf00cef64d6ae890b84d0443a490748dfdac17f863e636a705c4da91ad4a526a55b534afac427fd3c679e1e082a5128a40eb5165bf33c651d9acb778dd408272

/data/misc/profiles/cur/0/territorial.io/primary.prof

MD5 f1b8609dd4d4ce5112c17440575c3bbe
SHA1 c7e46bd7a17b8928b6f3fc3cd8e5632b437d3de6
SHA256 4cd61773c38c1352080fb795c4d3eb93ad7b6e1d43cad9567d06055c52dde9e3
SHA512 b5d3d3bf9e54718cbf2fba492d93fe2ff9a9ce09447e3e542ed5138762db94a7584ec4143329a9be436fdacc1399fc597f6c62abbe57b656024b222fb5977c8d

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:44

Platform

android-x64-arm64-20240514-en

Max time kernel

48s

Max time network

52s

Command Line

territorial.io

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Processes

territorial.io

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 territorial.io udp
DE 167.71.54.90:443 territorial.io tcp
US 1.1.1.1:53 fundingchoicesmessages.google.com udp
GB 142.250.200.46:443 fundingchoicesmessages.google.com tcp
DE 167.71.54.90:443 territorial.io tcp
GB 142.250.200.46:443 fundingchoicesmessages.google.com tcp
GB 142.250.200.46:443 fundingchoicesmessages.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/data/territorial.io/no_backup/androidx.work.workdb-journal

MD5 106609d662da116db7504b17f185c180
SHA1 19c84f2651c5b4dd99885abbb4d07bfa3e52917e
SHA256 e4572c0f286472f3cddc99703eadb9e444073951fe72f53e05bdd5153ce06e35
SHA512 07325330772f224c558ea8fa8b89cd0a7738a2d7374c04cb47edcff20dee581277735249a0e5139fd19375a06a17f040c96d1813a2a4ea17389382032fef6ae9

/data/data/territorial.io/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/territorial.io/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/territorial.io/no_backup/androidx.work.workdb-wal

MD5 431c7660b8e4b8946e5a9a366a7f4361
SHA1 9dec58cf941615e6d932de4c8132fee453696317
SHA256 d037ceb01a8d1fe9fc01d235eb59eba450d9a37a2304b21a9af9dc9a3bf516c0
SHA512 f5f5a253f8dad1f067aca826dc8f1af782823490640f6c139ec23306c1a50ea7f38fadc558af1f4e709ecda8ffee53ac43a6d5df1d1ade99b04ce615e09b2467

/data/data/territorial.io/no_backup/androidx.work.workdb-wal

MD5 8499e169668982bcec91520441c76d49
SHA1 f78a51a02beb408688dae0a2b2b553d796f7a7b7
SHA256 9fbc4737e6165605bb99162acf66c65c88a61b79b5d227af6443298f7069bef1
SHA512 e7e275b759f9a0632fe86c5ad22764e8b3340735233b2f054619f89adbfcc3c2cad62cea8b597201d60eee8aeacadfc8b5ea33fec1e20f166a73fdf6aa7ee7a9

/data/data/territorial.io/files/indexUpdated.html

MD5 0dbb525498e7881e2d7dba6cb43b0d2e
SHA1 953776f122da96459c2441c5f8121635c17aebe7
SHA256 1c8330f97452a01f92f1f2e7d2cab969d95710936f82127a2747f01310025b08
SHA512 dce8301fcd4dd4c1bb357548d70dfb6378161eb451a751edc68a8cdaa9af60c9d4dd8f5820fee201b16f1238fb3b7adc595c395ccd9e3ebc68c79987cc849212

/data/misc/profiles/cur/0/territorial.io/primary.prof

MD5 5ff3ab152ed8e0bb6127427f8a6bd559
SHA1 dba449a9b9da2c601766da3180943c830a79fd3e
SHA256 56434102fb84308bdf7dfef415ebbb0c7a38b6630f1b97ed6c3cc1db47afb143
SHA512 206386af05c0b3364beb20103181545c52a50ca0e2a873f6746d63fd2d3dbb63664345fb5ad19a8e430ebe0cb0c524116ab66d37736c01979d701d849d4f1422

/data/data/territorial.io/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 6cf470ab6b98ff5e5a5b112852dd239a
SHA1 d63568f16ded7fa4981c71880591e3187e95b2d9
SHA256 65fd7012d2e1c61aeb2bfee7421fb3f0e76d9cc54c2e899ca9b89a66218d84f2
SHA512 8777a72ee6c4815d87ecdba61881e6387e666eae74c80e0db122f4610305913cc41e92198b9fee748753e0df5acf29274758e82b686dc11cf8446424368cde28

/data/misc/profiles/cur/0/territorial.io/primary.prof

MD5 765d1c61c94041d4b273fb6bdb49340a
SHA1 f6a515c0326056fc082c3189e97830b272736463
SHA256 e9228f97c699780f34bd09832a2d2fa246fef5e462c034716286cc885eed1c73
SHA512 2bcfba7503996d0e1258924c3daf6d712f52732be383c642469cfb034895af878f06593a92c167af18afdc1e84b65b3333986ea53e67939aff76e10a81b46c0e

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:44

Platform

android-x64-arm64-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:49

Platform

android-x64-20240514-en

Max time kernel

307s

Max time network

340s

Command Line

territorial.io

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

territorial.io

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 territorial.io udp
DE 167.71.54.90:443 territorial.io tcp
US 1.1.1.1:53 fundingchoicesmessages.google.com udp
GB 216.58.204.78:443 fundingchoicesmessages.google.com tcp
GB 172.217.169.14:443 tcp
DE 167.71.54.90:443 territorial.io tcp
GB 216.58.204.78:443 fundingchoicesmessages.google.com tcp
GB 216.58.204.78:443 fundingchoicesmessages.google.com tcp
GB 142.250.200.46:443 tcp
GB 172.217.16.226:443 tcp
GB 216.58.204.68:443 tcp
GB 216.58.204.68:443 tcp

Files

/data/data/territorial.io/no_backup/androidx.work.workdb-journal

MD5 98ca3c767cb57c193a8002d583d5a123
SHA1 e24f61a06661c04a53d8f741ceae659fe471880f
SHA256 9989ebb37af8f5f50e2d61cbec262c8a60a92305f1572e96abc6587e9632db49
SHA512 920f0b718b2567150efc99b16e4a3e36b6873cb8c3388c6a069f63dfd31aaf1d49d62464320ab30d8e801303bcd6e998e95c190f5f2ed17191c267a4cfce5f35

/data/data/territorial.io/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/territorial.io/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/territorial.io/no_backup/androidx.work.workdb-wal

MD5 20328fb6c55151ebf6d83ff10219685f
SHA1 6e83c6dabd3315f5d399918a69d44a28b5d36e9c
SHA256 ed86b482f42cfb9b6a6712759f48901e379c35006ce9e5e490a1e777aeb7ed82
SHA512 c89d8e96650dc295a39c0f3ac9e81f27211a1415ea706af4d32fec8f4b1bb933292fd3843a68ec3fbdfe0df7d3d5fbb2e70437c6ec4f7470bfd19e8cd2714730

/data/data/territorial.io/no_backup/androidx.work.workdb-wal

MD5 f6cd7936583886a064f0cba6e15db048
SHA1 e00d5ace8913c3e13f6d886fb4571a3360d7a8ab
SHA256 af56d79da9770ec00bdafb6a35ed43c108d9e0849b61e2f5a9f658fdb6ce012d
SHA512 c891778cb8bcf8c296a29b5178772111f2417975a6d677fdbd7810ef5a0665f4332cd81e68006a13e9d46469dd7aa70e5e707593b1aebb4791da2f204bf2f14c

/data/data/territorial.io/files/indexUpdated.html

MD5 0dbb525498e7881e2d7dba6cb43b0d2e
SHA1 953776f122da96459c2441c5f8121635c17aebe7
SHA256 1c8330f97452a01f92f1f2e7d2cab969d95710936f82127a2747f01310025b08
SHA512 dce8301fcd4dd4c1bb357548d70dfb6378161eb451a751edc68a8cdaa9af60c9d4dd8f5820fee201b16f1238fb3b7adc595c395ccd9e3ebc68c79987cc849212

/data/misc/profiles/cur/0/territorial.io/primary.prof

MD5 5ff3ab152ed8e0bb6127427f8a6bd559
SHA1 dba449a9b9da2c601766da3180943c830a79fd3e
SHA256 56434102fb84308bdf7dfef415ebbb0c7a38b6630f1b97ed6c3cc1db47afb143
SHA512 206386af05c0b3364beb20103181545c52a50ca0e2a873f6746d63fd2d3dbb63664345fb5ad19a8e430ebe0cb0c524116ab66d37736c01979d701d849d4f1422

/data/data/territorial.io/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 fcec44fbe53917d0cd44bfab1d3aa6e4
SHA1 7086a8a58c07b65ee67dde042ae293652eb45687
SHA256 9a18badce54f7941bed766a6ee493c4b0a6f9a264ec95c8984ab77db14eaa519
SHA512 0c65d82e502319b923ba54df7d8f058dc0b776c293ed3b55a9063cb18b12a36655799514be2a91b417daa10bf45efae6aa8b1ffdc8a9a90178a4de40042bb928

/data/data/territorial.io/files/profileInstalled

MD5 aeab2c1e3f8d05d95bde1eda5dcb1d65
SHA1 cf374860e82f2c09ab7b7001fa1951f172cba754
SHA256 95b0f13e66eb836ba85f53945acec7346b6b594a4fac30808a8bce5abb99fff5
SHA512 35c968d0a6b3ff3704d5e0aa6b299d4353d9e395a6a36ad7fcf43c232e5f8e0b197fb82ce789850c7a711684fae9c9469f28a4e077c267ad02a42842cc87de32

/data/misc/profiles/cur/0/territorial.io/primary.prof

MD5 01cb18bbae7d42c7c5225e5ab9a43dc1
SHA1 cdd2c4527c654e7a9712681935b12c9cf3ce648a
SHA256 a22fc8028d814dde8e73ae1805ec84213a38b23490f21209f5eea55fe9813c81
SHA512 434ce12bbd02676e0625a41b0b1b4415cf4f2f622db1a8e52a1418879be764165e8efc4eb92b276938243b1fbf035270b6b1d3bdbec6abb4325fbde771e1ff3f

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:44

Platform

android-x86-arm-20240514-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:44

Platform

android-x64-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:44

Platform

android-x86-arm-20240514-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:44

Platform

android-x64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:44

Platform

android-x64-arm64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 05:43

Reported

2024-05-22 05:49

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\apk+.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\apk+.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\apk+.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\apk+.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 522d70e81fca5a44bcc5513869a81938
SHA1 400bbee6315fb50e2fec61ae1917cf9259fc4318
SHA256 d04e9135992062ce9a4ab782b917063d394a7132275974d8651b2851eb82ef12
SHA512 cd171eec6caec4010388d6df77ae4013b47778731a07fc18912aa76d8df2d2a8980f88a8a58bb994b164c83d75c2a68189ce1fe3ebbee6f387d30d5b2484535d