Edit tour

macOS Analysis Report
https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2

Overview

General Information

Sample URL:	https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2
Analysis ID:	1375212
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false

Signatures

Reads launchservices plist files

Writes 64-bit Mach-O files to disk

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1375212
Start date and time:	2024-01-16 09:09:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2
Analysis system description:	Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.13
CPU architecture:	x86_64
Analysis Mode:	default
Detection:	CLEAN
Classification:	clean1.mac@0/8@3/0

Warnings

Excluded IPs from analysis (whitelisted): 17.253.27.206, 17.253.27.201, 3.134.154.103, 96.17.64.80, 69.192.108.34, 3.142.229.116, 142.250.190.106, 17.253.27.204, 17.253.27.202, 17.253.27.205, 17.253.27.199
Excluded domains from analysis (whitelisted): e11408.d.akamaiedge.net, smoot-searchv2.v.aaplimg.com, ocsp-a.g.aaplimg.com, gateway.icloud.com, crl.apple.com, valid.apple.com, safebrowsing.googleapis.com, help.apple.com, cds-cdn.v.aaplimg.com, cds.apple.com.akadns.net, e673.dsce9.akamaiedge.net, cds.apple.com, help-ar.apple.com.edgekey.net, crl.g.aaplimg.com, api.smoot.apple.com, bag-smoot.v.aaplimg.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, ocsp-lb.apple.com.akadns.net, configuration.apple.com, ocsp.apple.com, valid.origin-apple.com.akadns.net, help.origin-apple.com.akadns.net, valid-apple.g.aaplimg.com, configuration.apple.com.akadns.net, configuration.apple.com.edgekey.net, world-gen.g.aaplimg.com, api2.smoot.apple.com
Report size getting too big, too many PREAD calls found.

Process Tree

System is macvm-highsierra

mono-sgen32 New Fork (PID: 893, Parent: 825)

open (MD5: 40ed6d8f35c9f20484b97582d296398f) Arguments:

xpcproxy New Fork (PID: 894, Parent: 1)

Safari (MD5: 8e18be737fe87f19fe7a97b4821e2005) Arguments: /Applications/Safari.app/Contents/MacOS/Safari

cleanup

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.164.255.68:443 -> 192.168.11.11:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.164.255.68:443 -> 192.168.11.11:49399 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49401 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49402 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49403 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49405 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.210.70:443 -> 192.168.11.11:49409 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.210.70:443 -> 192.168.11.11:49410 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.210.70:443 -> 192.168.11.11:49411 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 184.27.180.237
Source: unknown	TCP traffic detected without corresponding DNS query: 184.27.180.237
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /com.snowplowanalytics.snowplow/tp2 HTTP/1.1Host: ec.editmysite.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: ec.editmysite.comAccept: /Connection: keep-aliveCookie: sp=7472c5ec-f073-4536-8ac0-bdd078c738f9User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usReferer: https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2Accept-Encoding: br, gzip, deflate

Source: unknown

DNS traffic detected: queries for: ec.editmysite.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jan 2024 08:10:52 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 13Connection: closeServer: nginx

Source: .dat.nosync037e.NkTHhw.245.dr

String found in binary or memory: https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2

Source: unknown	Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49403
Source: unknown	Network traffic detected: HTTP traffic on port 49409 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49402
Source: unknown	Network traffic detected: HTTP traffic on port 49411 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49411
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49410
Source: unknown	Network traffic detected: HTTP traffic on port 49405 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown	Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49403 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49402 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49409
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49405

Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.164.255.68:443 -> 192.168.11.11:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.164.255.68:443 -> 192.168.11.11:49399 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49401 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49402 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49403 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.207.67:443 -> 192.168.11.11:49405 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.210.70:443 -> 192.168.11.11:49409 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.210.70:443 -> 192.168.11.11:49410 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.210.70:443 -> 192.168.11.11:49411 version: TLS 1.2

Source: classification engine

Classification label: clean1.mac@0/8@3/0

Source: /usr/bin/open (PID: 893)

Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist

Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 894)	File written: /private/var/tmp/NSCreateObjectFileImageFromMemory-3yv1LZ	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 894)	File written: /private/var/tmp/NSCreateObjectFileImageFromMemory-XWxhJU	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 894)	File written: /private/var/tmp/NSCreateObjectFileImageFromMemory-Ljga5N	Jump to dropped file

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 894)

Random device file read: /dev/urandom

Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 894)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 894)	Binary plist file created: /private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync037e.DLk4j6			Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 894)	Binary plist file created: /Users/berri/Library/Safari/.dat.nosync037e.NkTHhw			Jump to dropped file

Source: /usr/bin/open (PID: 893)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 894)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2	0%	Avira URL Cloud	safe
https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
sp-2020021412301152490000000a-1069308460.us-west-2.elb.amazonaws.com	35.164.255.68	true	false	high
gateway.fe2.apple-dns.net	17.248.207.67	true	false	unknown
ec.editmysite.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2	false		high
https://ec.editmysite.com/favicon.ico	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
35.164.255.68	sp-2020021412301152490000000a-1069308460.us-west-2.elb.amazonaws.com	United States		16509	AMAZON-02US	false
184.27.180.237	unknown	United States		16625	AKAMAI-ASUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/Users/berri/Library/Safari/.dat.nosync037e.NkTHhw

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	1608
Entropy (8bit):	7.313729123396102
Encrypted:	false
SSDEEP:	48:E3NmrToTlg97CuQHSlHxFZIsF6r+vuDeCdqR:zoA7YHGHldEE+dS
MD5:	CB4D1870892D48938B961AB4A15F56EE
SHA1:	59C6CF5AFBEB19D3B9B2892B412A4784BDB461DC
SHA-256:	38C82E8B61A5483EC084045643A741EC8A5103F9D67CCC516D7EEDD96574E9DF
SHA-512:	D9C0C5DA66E778CDD397184959D63A465F30CAE8FBAF378FA74395503BE3E62F8BB755CFB5498D54EDFA6261B5FB11ECF0EA03EDC518FD3C58A4637970EF4A07
Malicious:	false
Reputation:	low
Preview:	bplist00.....^SessionVersion^SessionWindowsS1.0............................9_..SelectedTabIndex\TabBarHiddenZDateClosed_..FavoritesBarHidden]IsPopupWindow_. PrefersReadingListSidebarVisible\Miniaturized_..WindowStateVersionZWindowUUID_..WindowContentRectYTabStates_..IsPrivateWindow_..SelectedPinnedTabIndex...3A.8.......S2.0_.$677FC516-CCE8-4A73-9E76-B3471E0E637F_..{{0, 52}, {1024, 693}}.... !."#.$%&'().,-...0123456.\IsDisposable\SessionState_..AncestorTabIdentifers_..SessionStateIsEncryptedXTabIndex]LastVisitTimeWTabUUIDVTabURL]TabIdentifierXTabTitle_..ProcessIdentifierWIsMuted.O....A.... ...=..E.%...<..R..f;..O........P"+.q.z.#.7rFs.._:.....$.m0{U...q.F;e.L..B.6.u3.%..N....".C..:.8J.c.x..$.2..z..S..bUS.....)..P\....7....a...b`.=....H...2.......+G*j.7.u.T..q@\|D..p...BcJ..b.F..J...C.....>#%.aEm..{.......].n.K.>.i.(..G."....fc.....$^...i3..T.._../.&7x.....~hM..z.....e....'q...."..M....K.<..u../...r.....R....1...2...dU_./.B.._.\|H.LW1Ah...i.W.U._.j...[.9T....c.._Gu..e

/dev/null

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	ASCII text
Category:	dropped
Size (bytes):	661
Entropy (8bit):	5.2704362937142335
Encrypted:	false
SSDEEP:	12:jXNxhp1o/Lmxhp1o/L5Mnhp1o/LQ/Qhp1o/L+hp1o/LW:rNrpgmrpgunhpgQ/Qhpg+hpgW
MD5:	A11AC1E86800D17742C05E951EBEBD6D
SHA1:	521F272014CD3E8056E4ED6407F6F63893650007
SHA-256:	77020C2AD40069A486646C521491E01933FB8786CD04DE66B3E193F415631CBE
SHA-512:	6DE2327B49C2AF3776CA82B236037A1BF18919834DC670F8F38108931BB2CBD26264377FDC8C811313EFCE1BFCB510919D4D9A791569D9EC6D84A37B51A8534D
Malicious:	false
Reputation:	low
Preview:	2024-01-16 09:10:44.635 Safari[894:6458] ApplePersistence=NO.2024-01-16 09:10:46.252 Safari[894:6516] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).2024-01-16 09:10:46.705 Safari[894:6516] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).2024-01-16 09:10:47.545 Safari[894:6511] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).2024-01-16 09:10:49.195 Safari[894:6513] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).2024-01-16 09:10:49.615 Safari[894:6511] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync037e.DLk4j6

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.9370658315190226
Encrypted:	false
SSDEEP:	3:N1n6qMvRGNMTAnd/t1tH:N1nleRaMTAltH
MD5:	CDC65B5F112547EAFAE0F16F9C149426
SHA1:	AEAF9908A5B6FF3E2F7B738ABF5FE9E79108BA01
SHA-256:	1C6D085D871A855CE4A3902BAB4B9B92631B8EE8F0B7F6536768A2AAF427B45C
SHA-512:	E8B0E4CE6A760A718A19976D3CFE9063F04FB4BF179947AECA84E94C83F21459FB9DC0FFABEA8F633BD2D0BA94FE1E15D8C97E9604FDE8BD0DEA961EB83BDDB7
Malicious:	false
Reputation:	low
Preview:	bplist00..._..ExtensionArchivesExtracted...(...............................)

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsDirectory.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533948990143748
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGBOmBfbouR6/chQOnGqwc2U+v+h/:8MdGleOGmBouRwchQOnGqwc2U+v+h/
MD5:	09070E01FA6ED1973D94FAD50C35E3ED
SHA1:	7546663E66F9889EE3365A7A0BE372300C6022CA
SHA-256:	2E6EC437A97DD88F9067B2E99AC64789670D9B9C1FC50B2856E392E66163211F
SHA-512:	621399FF832F1A8352E5E9A54984B878C7D3432156D9CF9986A1A5B75662E92D9A00FA1BA6714D679286BB49E71916F72655AADA2B99880A2806FAFC6F86E7F3
Malicious:	false
Reputation:	low
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsObject.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5113078915037033
Encrypted:	false
SSDEEP:	48:m6Xsh+CLjL3Pe3T5FFKfEuyu+iYxGv4sS:3X6LjLfe3wEuyu9YxGQX
MD5:	D487F899A14AE98519B46D51BC810F1B
SHA1:	64877ECFBE47ED66EED545B2449BBE8B22B775D0
SHA-256:	4835899C464487946E281D535381D4CAB8BC90EC08CD00A6A0ECB97854E9321D
SHA-512:	EB4FABD61B4FD2B9EF3C9E93793CA5F11353A1F81EA4DA22E0F79ED45D89180B77469B9E5DCD5350AE650B31DE9018743DA7716EFA7B5CDDFC3FA7A13C476F40
Malicious:	false
Reputation:	low
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

/private/var/tmp/NSCreateObjectFileImageFromMemory-3yv1LZ

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mach-O 64-bit x86_64 bundle, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Category:	dropped
Size (bytes):	4780
Entropy (8bit):	5.78784933687558
Encrypted:	false
SSDEEP:	96:xav2J2yfQoIeVyCxVaBHlZF/jllllllllKflPz5w65:keJ2OQYTTarllllllllKflT
MD5:	6903FFA70C6EF8F2493E3E49101C694D
SHA1:	B70A5F8C3F48BB2251B114500DFFF1CCCE72D966
SHA-256:	633CEE31BFBF56590F6B62891CD0CB55264FD0F01E183036D8E3556B9EFF72D5
SHA-512:	2A8A297AEE0F285EAA494BA5B731D023BF6438E207B83495FF490EB67BE3D9B4E887F91680761E759973D9FEC782B9E0CEC7E1957C4E794739A0DF90E2346D87
Malicious:	false
Reputation:	low
Preview:	.................... ...............(...__TEXT..........................................................__text..........__TEXT..................[.......................................__const.........__TEXT..........`.......@.......`...............................__literal4......__TEXT..........................................................__compact_unwind__LD....................@.......................................__eh_frame......__TEXT..................h..........................h............__opencl........__TEXT..........P...............P...................................H...__LINKEDIT................................................................P/^(G....@.`.."...0.......................................h...........h...................P...................................................................................................................................................................................................................................................

/private/var/tmp/NSCreateObjectFileImageFromMemory-Ljga5N

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mach-O 64-bit x86_64 bundle, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Category:	dropped
Size (bytes):	4752
Entropy (8bit):	5.761647040683616
Encrypted:	false
SSDEEP:	96:xKvjeoJ2eQIMA1EVQvOsD1cbY2vF/jllllllllKflNJz5w6w:0dJ2eQpMtxmvrllllllllKfly
MD5:	1D6F449D22D11E760495CE85C933ADF8
SHA1:	D77F5B05549E51310D0C96347482178EBD23C476
SHA-256:	BEF505FE1329E19B4AF2FFFD868C753A0824B96FB4531BD106C810D96EFB1D94
SHA-512:	4A9F4BD053BC5069625D60DDD3E1225E01FCE6B31824C35A12D7CAFAC2AD9BF79EE7785A6860E5549836970D8A4C7968355EC715C652EE1C771EDD9D9D1616A6
Malicious:	false
Reputation:	low
Preview:	.................... ...............(...__TEXT..........................................................__text..........__TEXT..................k.......................................__const.........__TEXT..................@.......................................__literal4......__TEXT..........................................................__compact_unwind__LD....................@.......................................__eh_frame......__TEXT..................h..........................h............__opencl........__TEXT..........p...............p...................................H...__LINKEDIT...............................................................{..T@_.d...a.C"...0.......................................X...........X...................P...................................................................................................................................................................................................................................................

/private/var/tmp/NSCreateObjectFileImageFromMemory-XWxhJU

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mach-O 64-bit x86_64 bundle, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Category:	dropped
Size (bytes):	17444
Entropy (8bit):	4.344759971353033
Encrypted:	false
SSDEEP:	384:wtjJcXgiRVP7J3AMqLllllllKfllJlROW:wha13AMqAOW
MD5:	5E13BF7EF5C0A4B67A57A77AB2EB92BB
SHA1:	869D79A82DF7484BBA6345279BDB865CAC887A19
SHA-256:	C749D03EE70D4FF8A1A4B2F9E7379EE4F1DF15659057606A3B42782C0230220E
SHA-512:	C6DFA0482D6EA480D4F3B16D0E2DD5728141FD04B66E3CC2212B506EDD89DA38241331A7045FAFE47E23DDF5C88664C6DD9879B18ACF60A6F17F12BA0E7EF841
Malicious:	false
Reputation:	low
Preview:	........................................__TEXT...................0...............0......................__text..........__TEXT..........P...............P...............................__const.........__TEXT...........(......P........(..............................__literal4......__TEXT..........0+..............0+..............................__compact_unwind__LD............H+......@.......H+..............................__eh_frame......__TEXT...........+......h........+.................h............__symbol_stub1..__TEXT...........+...............+..............................__stub_helper...__TEXT...........+...............+..............................__opencl........__TEXT...........,...............,......................................__DATA...........0...............0..............................__nl_symbol_ptr.__DATA...........0...............0..............................__la_symbol_ptr.__DATA...........0...............0..................................H...__LINKEDIT......

Static File Info

⊘No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 96
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2024 09:10:47.797346115 CET	49388	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:47.797437906 CET	443	49388	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:47.798018932 CET	49388	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:47.845113993 CET	49388	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:47.845174074 CET	443	49388	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:48.101108074 CET	443	49388	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:48.102318048 CET	49388	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:48.102576017 CET	49388	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:48.102797985 CET	49388	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:48.385962963 CET	49388	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:48.386168003 CET	443	49388	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:48.386856079 CET	443	49388	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:48.386944056 CET	49388	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:48.387332916 CET	49388	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:49.857630014 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:49.857707024 CET	443	49392	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:49.858416080 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:49.859014988 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:49.859077930 CET	443	49392	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:50.920335054 CET	443	49392	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:50.921128988 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:50.921190977 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:50.965575933 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:50.965590954 CET	443	49392	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:50.965908051 CET	443	49392	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:50.966559887 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:50.967876911 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.008682966 CET	443	49392	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:51.136234999 CET	443	49392	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:51.136513948 CET	443	49392	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:51.136810064 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.137434959 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.143497944 CET	49392	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.143588066 CET	443	49392	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:51.383135080 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.383235931 CET	443	49399	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:51.383827925 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.384457111 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.384507895 CET	443	49399	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:51.734209061 CET	443	49399	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:51.735131025 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.735131979 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.742594957 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.742651939 CET	443	49399	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:51.743629932 CET	443	49399	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:51.744126081 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.745013952 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:51.788670063 CET	443	49399	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:52.067785025 CET	443	49399	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:52.068130970 CET	443	49399	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:52.068412066 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:52.068861961 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:52.070441961 CET	49399	443	192.168.11.11	35.164.255.68
Jan 16, 2024 09:10:52.070502043 CET	443	49399	35.164.255.68	192.168.11.11
Jan 16, 2024 09:10:54.590003014 CET	49401	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:54.590089083 CET	443	49401	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:54.590702057 CET	49401	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:54.591604948 CET	49401	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:54.591685057 CET	443	49401	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:54.834319115 CET	443	49401	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:54.835582018 CET	49401	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:54.835656881 CET	49401	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:54.838746071 CET	49401	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:54.865222931 CET	49401	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:54.865381956 CET	443	49401	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:54.865835905 CET	443	49401	17.248.207.67	192.168.11.11
Jan 16, 2024 09:10:54.865920067 CET	49401	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:10:54.866362095 CET	49401	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.443631887 CET	49402	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.443756104 CET	443	49402	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.444405079 CET	49402	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.444962978 CET	49402	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.445027113 CET	443	49402	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.678615093 CET	443	49402	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.679819107 CET	49402	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.680012941 CET	49402	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.695597887 CET	49402	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.695729971 CET	443	49402	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.696069956 CET	443	49402	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.696295977 CET	49402	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.696804047 CET	49402	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.716310024 CET	49403	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.716433048 CET	443	49403	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.717168093 CET	49403	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.718035936 CET	49403	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.718125105 CET	443	49403	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.960819960 CET	443	49403	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.962721109 CET	49403	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.962937117 CET	49403	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.963288069 CET	49403	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.978251934 CET	49403	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.978452921 CET	443	49403	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.979001045 CET	443	49403	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:05.979125023 CET	49403	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:05.979583979 CET	49403	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:11.496195078 CET	49405	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:11.496283054 CET	443	49405	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:11.496973991 CET	49405	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:11.497646093 CET	49405	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:11.497716904 CET	443	49405	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:11.737476110 CET	443	49405	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:11.739144087 CET	49405	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:11.739193916 CET	49405	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:11.739460945 CET	49405	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:11.755089998 CET	49405	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:11.755443096 CET	443	49405	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:11.756175995 CET	443	49405	17.248.207.67	192.168.11.11
Jan 16, 2024 09:11:11.756319046 CET	49405	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:11.756704092 CET	49405	443	192.168.11.11	17.248.207.67
Jan 16, 2024 09:11:21.953530073 CET	49409	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:21.953615904 CET	443	49409	17.248.210.70	192.168.11.11
Jan 16, 2024 09:11:21.954272032 CET	49409	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:21.954555988 CET	49409	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:21.954608917 CET	443	49409	17.248.210.70	192.168.11.11
Jan 16, 2024 09:11:22.191066980 CET	443	49409	17.248.210.70	192.168.11.11
Jan 16, 2024 09:11:22.192059994 CET	49409	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:22.192122936 CET	49409	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:22.194899082 CET	49409	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:22.510684013 CET	49409	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:22.510951042 CET	443	49409	17.248.210.70	192.168.11.11
Jan 16, 2024 09:11:22.511641979 CET	443	49409	17.248.210.70	192.168.11.11
Jan 16, 2024 09:11:22.511650085 CET	49409	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:22.512115002 CET	49409	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:38.894612074 CET	49376	80	192.168.11.11	184.27.180.237
Jan 16, 2024 09:11:39.015585899 CET	80	49376	184.27.180.237	192.168.11.11
Jan 16, 2024 09:11:39.016383886 CET	49376	80	192.168.11.11	184.27.180.237
Jan 16, 2024 09:11:42.905103922 CET	49410	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:42.905224085 CET	443	49410	17.248.210.70	192.168.11.11
Jan 16, 2024 09:11:42.905788898 CET	49410	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:42.907196045 CET	49410	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:42.907260895 CET	443	49410	17.248.210.70	192.168.11.11
Jan 16, 2024 09:11:43.142263889 CET	443	49410	17.248.210.70	192.168.11.11
Jan 16, 2024 09:11:43.143114090 CET	49410	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:43.143114090 CET	49410	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:43.143374920 CET	49410	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:43.298914909 CET	49410	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:11:43.299182892 CET	443	49410	17.248.210.70	192.168.11.11
Jan 16, 2024 09:11:43.299721003 CET	49410	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:12:23.873079062 CET	49411	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:12:23.873198986 CET	443	49411	17.248.210.70	192.168.11.11
Jan 16, 2024 09:12:23.873801947 CET	49411	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:12:23.874478102 CET	49411	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:12:23.874537945 CET	443	49411	17.248.210.70	192.168.11.11
Jan 16, 2024 09:12:24.103948116 CET	443	49411	17.248.210.70	192.168.11.11
Jan 16, 2024 09:12:24.105794907 CET	49411	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:12:24.106029034 CET	49411	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:12:24.122015953 CET	49411	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:12:24.122126102 CET	443	49411	17.248.210.70	192.168.11.11
Jan 16, 2024 09:12:24.122364998 CET	443	49411	17.248.210.70	192.168.11.11
Jan 16, 2024 09:12:24.122834921 CET	49411	443	192.168.11.11	17.248.210.70
Jan 16, 2024 09:12:24.122867107 CET	49411	443	192.168.11.11	17.248.210.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2024 09:10:49.724325895 CET	51422	53	192.168.11.11	1.1.1.1
Jan 16, 2024 09:10:49.854825020 CET	53	51422	1.1.1.1	192.168.11.11
Jan 16, 2024 09:11:06.939976931 CET	53	52126	1.1.1.1	192.168.11.11
Jan 16, 2024 09:11:21.844120979 CET	51980	53	192.168.11.11	1.1.1.1
Jan 16, 2024 09:11:21.951711893 CET	53	51980	1.1.1.1	192.168.11.11
Jan 16, 2024 09:11:23.860650063 CET	137	137	192.168.11.11	192.168.11.255
Jan 16, 2024 09:11:23.860941887 CET	137	137	192.168.11.11	192.168.11.255
Jan 16, 2024 09:12:23.763425112 CET	58665	53	192.168.11.11	1.1.1.1
Jan 16, 2024 09:12:23.870740891 CET	53	58665	1.1.1.1	192.168.11.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2024 09:10:49.724325895 CET	192.168.11.11	1.1.1.1	0xc1c3	Standard query (0)	ec.editmysite.com	A (IP address)	IN (0x0001)	false
Jan 16, 2024 09:11:21.844120979 CET	192.168.11.11	1.1.1.1	0xff9	Standard query (0)	gateway.fe2.apple-dns.net	A (IP address)	IN (0x0001)	false
Jan 16, 2024 09:12:23.763425112 CET	192.168.11.11	1.1.1.1	0x67ec	Standard query (0)	gateway.fe2.apple-dns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2024 09:10:47.794794083 CET	1.1.1.1	192.168.11.11	0x1855	No error (0)	gateway.fe2.apple-dns.net		17.248.207.67	A (IP address)	IN (0x0001)	false
Jan 16, 2024 09:10:49.854825020 CET	1.1.1.1	192.168.11.11	0xc1c3	No error (0)	ec.editmysite.com	sp-2020021412301152490000000a-1069308460.us-west-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2024 09:10:49.854825020 CET	1.1.1.1	192.168.11.11	0xc1c3	No error (0)	sp-2020021412301152490000000a-1069308460.us-west-2.elb.amazonaws.com		35.164.255.68	A (IP address)	IN (0x0001)	false
Jan 16, 2024 09:10:49.854825020 CET	1.1.1.1	192.168.11.11	0xc1c3	No error (0)	sp-2020021412301152490000000a-1069308460.us-west-2.elb.amazonaws.com		35.155.186.254	A (IP address)	IN (0x0001)	false
Jan 16, 2024 09:11:21.951711893 CET	1.1.1.1	192.168.11.11	0xff9	No error (0)	gateway.fe2.apple-dns.net		17.248.210.70	A (IP address)	IN (0x0001)	false
Jan 16, 2024 09:12:23.870740891 CET	1.1.1.1	192.168.11.11	0x67ec	No error (0)	gateway.fe2.apple-dns.net		17.248.210.70	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ec.editmysite.com

https:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.11.11	49392	35.164.255.68	443

Timestamp	Bytes transferred	Direction	Data
2024-01-16 08:10:50 UTC	365	OUT	GET /com.snowplowanalytics.snowplow/tp2 HTTP/1.1 Host: ec.editmysite.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: keep-alive Accept-Encoding: br, gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7
2024-01-16 08:10:51 UTC	468	IN	HTTP/1.1 200 OK Date: Tue, 16 Jan 2024 08:10:51 GMT Content-Type: image/gif Content-Length: 43 Connection: close Server: nginx Set-Cookie: sp=7472c5ec-f073-4536-8ac0-bdd078c738f9; Expires=Wed, 15 Jan 2025 08:10:51 GMT; Domain=; Path=/; Secure; SameSite=None Cache-Control: no-cache, no-store, must-revalidate P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-01-16 08:10:51 UTC	43	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 f0 00 00 ff ff ff 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b Data Ascii: GIF89a!,D;

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.11.11	49399	35.164.255.68	443

Timestamp	Bytes transferred	Direction	Data
2024-01-16 08:10:51 UTC	402	OUT	GET /favicon.ico HTTP/1.1 Host: ec.editmysite.com Accept: / Connection: keep-alive Cookie: sp=7472c5ec-f073-4536-8ac0-bdd078c738f9 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 Accept-Language: en-us Referer: https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2 Accept-Encoding: br, gzip, deflate
2024-01-16 08:10:52 UTC	158	IN	HTTP/1.1 404 Not Found Date: Tue, 16 Jan 2024 08:10:52 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 13 Connection: close Server: nginx
2024-01-16 08:10:52 UTC	13	IN	Data Raw: 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 not found

System Behavior

Analysis Process: mono-sgen32 PID: 893, Parent PID: 825

General

Start time (UTC):	08:10:43
Start date (UTC):	16/01/2024
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

File Activities

File Read (Anonymous Pipes)

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: open PID: 893, Parent PID: 825

General

Start time (UTC):	08:10:43
Start date (UTC):	16/01/2024
Path:	/usr/bin/open
Arguments:
File size:	105952 bytes
MD5 hash:	40ed6d8f35c9f20484b97582d296398f

File Activities

File Opened

File Read

File Seeked

Directory Enumerated

Process Activities

Process Exited

Process Killed

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: xpcproxy PID: 894, Parent PID: 1

General

Start time (UTC):	08:10:43
Start date (UTC):	16/01/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	43488 bytes
MD5 hash:	d1bb9a4899f0af921e8188218b20d744

File Activities

File Opened

File Read

Directory Created

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: Safari PID: 894, Parent PID: 1

General

Start time (UTC):	08:10:43
Start date (UTC):	16/01/2024
Path:	/Applications/Safari.app/Contents/MacOS/Safari
Arguments:	/Applications/Safari.app/Contents/MacOS/Safari
File size:	20896 bytes
MD5 hash:	8e18be737fe87f19fe7a97b4821e2005

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/Users/berri/Library/Safari/.dat.nosync037e.NkTHhw

/dev/null

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync037e.DLk4j6

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsDirectory.db_

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsObject.db_

/private/var/tmp/NSCreateObjectFileImageFromMemory-3yv1LZ

/private/var/tmp/NSCreateObjectFileImageFromMemory-Ljga5N

/private/var/tmp/NSCreateObjectFileImageFromMemory-XWxhJU

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

System Behavior

Analysis Process: mono-sgen32 PID: 893, Parent PID: 825

General

File Activities

File Read (Anonymous Pipes)

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: open PID: 893, Parent PID: 825

General

File Activities

File Opened

File Read

File Seeked

Directory Enumerated

Process Activities

Process Exited

macOS Analysis Report
https://ec.editmysite.com/com.snowplowanalytics.snowplow/tp2