Edit tour

macOS Analysis Report
https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPRzSyzWe4FlQQyqQA-2BOTqGjWjoN-2BuPm4tzM5LM6f6tO2PXKa74YSjAhzL6onG-2BuKO989bZZj9

Overview

General Information

Sample URL:	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7
Analysis ID:	1505740
Infos:
Errors Script error: cURL download failed with exit code CURLE_WRITE_ERROR (23) and standard error:* Trying 108.139.47.10...* TCP_NODELAY set* Connected to clickme.thryv.com (108.139.47.10) port 443 (#0)*

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1505740
Start date and time:	2024-09-06 18:34:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPRzSyzWe4FlQQyqQA-2BOTqGjWjoN-2BuPm4tzM5LM6f6tO2PXKa74YSjAhzL6onG-2BuKO989bZZj9vupVvXtBWU0qXeI6VZny9p-2FgjssbU9Je1I2RDoZPOLgxX8gxf2-2BzsuoGYoVqnaS5CYR1Z5WEWAcZP0wmQbm4ikqer-2BGrlVppyDdPw-2BxPiObQZTbU2ZeclEy9V5nUC-2BnwlvdDmQwsjghHkHuJFiwInVWpyiCgGFo0uYjlPs3G8hdAgJBJu-2F-2B0K864-3D#ZmluYW5jZUBjbGVhcnZpZXcuYWk=
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Detection:	MAL
Classification:	mal48.mac@0/0@2/0

Errors

Script error: cURL download failed with exit code CURLE_WRITE_ERROR (23) and standard error:* Trying 108.139.47.10...* TCP_NODELAY set* Connected to clickme.thryv.com (108.139.47.10) port 443 (#0)* ALPN, offering h2* ALPN, offering http/1.1* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH* successfully set certificate verify locations:* CAfile: /etc/ssl/cert.pem CApath: none* TLSv1.2 (OUT), TLS handshake, Client hello (1):} [223 bytes data]* TLSv1.2 (IN), TLS handshake, Server hello (2):{ [100 bytes data]* TLSv1.2 (IN), TLS handshake, Certificate (11):{ [4950 bytes data]* TLSv1.2 (IN), TLS handshake, Server key exchange (12):{ [300 bytes data]* TLSv1.2 (IN), TLS handshake, Server finished (14):{ [4 bytes data]* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):} [37 bytes data]* TLSv1.2 (OUT), TLS change cipher, Client hello (1):} [1 bytes data]* TLSv1.2 (OUT), TLS handshake, Finished (20):} [16 bytes data]* TLSv1.2 (IN), TLS change cipher, Client hello (1):{ [1 bytes da

Warnings

Excluded IPs from analysis (whitelisted): 17.137.170.2, 23.199.49.152, 104.18.38.233, 172.64.149.23
Excluded domains from analysis (whitelisted): e11408.d.akamaiedge.net, help.origin-apple.com.akadns.net, ocsp.comodoca.com.cdn.cloudflare.net, ocsp.usertrust.com, radarsubmissions.apple.com.akadns.net, radarsubmissions.apple.com, help.apple.com, help-ar.apple.com.edgekey.net
VT rate limit hit for: https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPRzSyzWe4FlQQyqQA-2BOTqGjWjoN-2BuPm4tzM5LM6f6tO2PXKa74YSjAhzL6onG-2BuKO989bZZj9vupVvXtBWU0qXeI6VZny9p-2FgjssbU9Je1I2RDoZPOLgxX8gxf2-2BzsuoGYoVqnaS5CYR1Z5WEWAcZP0wmQbm4ikqer-2BGrlVppyDdPw-2BxPiObQZTbU2ZeclEy9V5nUC-2BnwlvdDmQwsjghHkHuJFiwInVWpyiCgGFo0uYjlPs3G8hdAgJBJu-2F-2B0K864-3D#ZmluYW5jZUBjbGVhcnZpZXcuYWk=

Process Tree

System is macvm-mojave

xpcproxy New Fork (PID: 611, Parent: 1)

nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged

mono-sgen32 New Fork (PID: 616, Parent: 537)

curl (MD5: 2418204e23e2952e7995f1819a1f78f5) Arguments: /usr/bin/curl -t 2 -v --connect-timeout 10 -L --remote-name --insecure --silent --user-agent Mozilla/5.0 (Macintosh Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15 https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPRzSyzWe4FlQQyqQA-2BOTqGjWjoN-2BuPm4tzM5LM6f6tO2PXKa74YSjAhzL6onG-2BuKO989bZZj9vupVvXtBWU0qXeI6VZny9p-2FgjssbU9Je1I2RDoZPOLgxX8gxf2-2BzsuoGYoVqnaS5CYR1Z5WEWAcZP0wmQbm4ikqer-2BGrlVppyDdPw-2BxPiObQZTbU2ZeclEy9V5nUC-2BnwlvdDmQwsjghHkHuJFiwInVWpyiCgGFo0uYjlPs3G8hdAgJBJu-2F-2B0K864-3D#ZmluYW5jZUBjbGVhcnZpZXcuYWk=

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPRzSyzWe4FlQQyqQA-2BOTqGjWjoN-2BuPm4tzM5LM6f6tO2PXKa74YSjAhzL6onG-2BuKO989bZZj9vupVvXtBWU0qXeI6VZny9p-2FgjssbU9Je1I2RDoZPOLgxX8gxf2-2BzsuoGYoVqnaS5CYR1Z5WEWAcZP0wmQbm4ikqer-2BGrlVppyDdPw-2BxPiObQZTbU2ZeclEy9V5nUC-2BnwlvdDmQwsjghHkHuJFiwInVWpyiCgGFo0uYjlPs3G8hdAgJBJu-2F-2B0K864-3D#ZmluYW5jZUBjbGVhcnZpZXcuYWk=

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Source: unknown	HTTPS traffic detected: 108.139.47.10:443 -> 192.168.11.12:49353 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.168.219:443 -> 192.168.11.12:49354 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.131.6
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: clickme.thryv.com
Source: global traffic	DNS traffic detected: DNS query: inspire.rashienti.com

Source: /usr/bin/curl (PID: 616)

Reads from socket in process: data

Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49354
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49353
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown	Network traffic detected: HTTP traffic on port 49354 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49347 -> 443

Source: /usr/bin/curl (PID: 616)

Writes from socket in process: data

Jump to behavior

Source: unknown	HTTPS traffic detected: 108.139.47.10:443 -> 192.168.11.12:49353 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.168.219:443 -> 192.168.11.12:49354 version: TLS 1.2

Source: classification engine

Classification label: mal48.mac@0/0@2/0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPRzSyzWe4FlQQyqQA-2BOTqGjWjoN-2BuPm4tzM5LM6f6tO2PXKa74YSjAhzL6onG-2BuKO989bZZj9vupVvXtBWU0qXeI6VZny9p-2FgjssbU9Je1I2RDoZPOLgxX8gxf2-2BzsuoGYoVqnaS5CYR1Z5WEWAcZP0wmQbm4ikqer-2BGrlVppyDdPw-2BxPiObQZTbU2ZeclEy9V5nUC-2BnwlvdDmQwsjghHkHuJFiwInVWpyiCgGFo0uYjlPs3G8hdAgJBJu-2F-2B0K864-3D#ZmluYW5jZUBjbGVhcnZpZXcuYWk=	0%	Avira URL Cloud	safe
https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPRzSyzWe4FlQQyqQA-2BOTqGjWjoN-2BuPm4tzM5LM6f6tO2PXKa74YSjAhzL6onG-2BuKO989bZZj9vupVvXtBWU0qXeI6VZny9p-2FgjssbU9Je1I2RDoZPOLgxX8gxf2-2BzsuoGYoVqnaS5CYR1Z5WEWAcZP0wmQbm4ikqer-2BGrlVppyDdPw-2BxPiObQZTbU2ZeclEy9V5nUC-2BnwlvdDmQwsjghHkHuJFiwInVWpyiCgGFo0uYjlPs3G8hdAgJBJu-2F-2B0K864-3D#ZmluYW5jZUBjbGVhcnZpZXcuYWk=	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering

Name	IP	Active	Malicious	Reputation
inspire.rashienti.com	172.67.168.219	true	false	unknown
d1rsqi0l6b7evg.cloudfront.net	108.139.47.10	true	false	unknown
clickme.thryv.com	unknown	unknown	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
108.139.47.10	d1rsqi0l6b7evg.cloudfront.net	United States	16509	AMAZON-02US	false
151.101.131.6	unknown	United States	54113	FASTLYUS	false
172.67.168.219	inspire.rashienti.com	United States	13335	CLOUDFLARENETUS	false

Total Packets: 59
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 6, 2024 18:35:23.629386902 CEST	443	49351	151.101.131.6	192.168.11.12
Sep 6, 2024 18:35:23.629614115 CEST	443	49351	151.101.131.6	192.168.11.12
Sep 6, 2024 18:35:23.630168915 CEST	49351	443	192.168.11.12	151.101.131.6
Sep 6, 2024 18:35:23.643461943 CEST	49352	443	192.168.11.12	17.253.97.206
Sep 6, 2024 18:35:23.739957094 CEST	443	49352	17.253.97.206	192.168.11.12
Sep 6, 2024 18:35:23.740799904 CEST	49352	443	192.168.11.12	17.253.97.206
Sep 6, 2024 18:35:23.752370119 CEST	49352	443	192.168.11.12	17.253.97.206
Sep 6, 2024 18:35:23.786389112 CEST	49347	443	192.168.11.12	17.248.199.68
Sep 6, 2024 18:35:23.851999044 CEST	443	49352	17.253.97.206	192.168.11.12
Sep 6, 2024 18:35:23.853367090 CEST	49352	443	192.168.11.12	17.253.97.206
Sep 6, 2024 18:35:23.881336927 CEST	443	49347	17.248.199.68	192.168.11.12
Sep 6, 2024 18:35:24.163355112 CEST	49352	443	192.168.11.12	17.253.97.206
Sep 6, 2024 18:35:24.260863066 CEST	443	49352	17.253.97.206	192.168.11.12
Sep 6, 2024 18:35:24.261459112 CEST	49352	443	192.168.11.12	17.253.97.206
Sep 6, 2024 18:35:24.707721949 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:24.803181887 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:24.803949118 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:24.833575964 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:24.928710938 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:24.928894043 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:24.928983927 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:24.929060936 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:24.929630041 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:24.930061102 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:24.930147886 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:24.930794954 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:24.930795908 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:24.931847095 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:24.947416067 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:24.999973059 CEST	49347	443	192.168.11.12	17.248.199.68
Sep 6, 2024 18:35:25.001842976 CEST	49347	443	192.168.11.12	17.248.199.68
Sep 6, 2024 18:35:25.042747021 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:25.042829037 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:25.042886972 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:25.044373989 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.044374943 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.046344042 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.046483994 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.046724081 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.047089100 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.047590971 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.094913006 CEST	443	49347	17.248.199.68	192.168.11.12
Sep 6, 2024 18:35:25.095628023 CEST	49347	443	192.168.11.12	17.248.199.68
Sep 6, 2024 18:35:25.096759081 CEST	443	49347	17.248.199.68	192.168.11.12
Sep 6, 2024 18:35:25.141556025 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:25.141639948 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:25.142205954 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.142329931 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:25.186705112 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:25.220870018 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:25.220954895 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:25.221664906 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.221664906 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.351106882 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.446400881 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.447169065 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.466156006 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.561554909 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.566724062 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.566827059 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.566891909 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.567624092 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.567624092 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.595439911 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.690958023 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.691015959 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.691622972 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.691714048 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.693532944 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.693743944 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.693845987 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.694042921 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.694561005 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.740092993 CEST	49352	443	192.168.11.12	17.253.97.206
Sep 6, 2024 18:35:25.741723061 CEST	49352	443	192.168.11.12	17.253.97.206
Sep 6, 2024 18:35:25.791723967 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.791799068 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.791848898 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.792834997 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.840923071 CEST	443	49352	17.253.97.206	192.168.11.12
Sep 6, 2024 18:35:25.841686964 CEST	49352	443	192.168.11.12	17.253.97.206
Sep 6, 2024 18:35:25.962228060 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.962333918 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.962393999 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.962466955 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.962542057 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.962599993 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.962672949 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.962747097 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.962810040 CEST	443	49354	172.67.168.219	192.168.11.12
Sep 6, 2024 18:35:25.963051081 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.963051081 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.963960886 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.964031935 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.964222908 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.964498043 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.965624094 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.966799021 CEST	49354	443	192.168.11.12	172.67.168.219
Sep 6, 2024 18:35:25.966948986 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:25.968316078 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:26.061688900 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:26.061758041 CEST	443	49353	108.139.47.10	192.168.11.12
Sep 6, 2024 18:35:26.062258005 CEST	49353	443	192.168.11.12	108.139.47.10
Sep 6, 2024 18:35:26.063043118 CEST	443	49353	108.139.47.10	192.168.11.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 6, 2024 18:35:24.580321074 CEST	62393	53	192.168.11.12	1.1.1.1
Sep 6, 2024 18:35:24.675998926 CEST	53	62393	1.1.1.1	192.168.11.12
Sep 6, 2024 18:35:25.223835945 CEST	59921	53	192.168.11.12	1.1.1.1
Sep 6, 2024 18:35:25.321089983 CEST	53	59921	1.1.1.1	192.168.11.12
Sep 6, 2024 18:35:28.936467886 CEST	30067	25866	192.168.11.12	192.168.11.1
Sep 6, 2024 18:35:28.936578989 CEST	26994	25902	192.168.11.12	192.168.11.1
Sep 6, 2024 18:35:28.936764956 CEST	8307	29810	192.168.11.12	192.168.11.1
Sep 6, 2024 18:35:28.936764956 CEST	26676	21078	192.168.11.12	192.168.11.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 6, 2024 18:35:24.580321074 CEST	192.168.11.12	1.1.1.1	0xdb07	Standard query (0)	clickme.thryv.com	A (IP address)	IN (0x0001)	false
Sep 6, 2024 18:35:25.223835945 CEST	192.168.11.12	1.1.1.1	0x3544	Standard query (0)	inspire.rashienti.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 6, 2024 18:35:24.675998926 CEST	1.1.1.1	192.168.11.12	0xdb07	No error (0)	clickme.thryv.com	d1rsqi0l6b7evg.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 6, 2024 18:35:24.675998926 CEST	1.1.1.1	192.168.11.12	0xdb07	No error (0)	d1rsqi0l6b7evg.cloudfront.net		108.139.47.10	A (IP address)	IN (0x0001)	false
Sep 6, 2024 18:35:24.675998926 CEST	1.1.1.1	192.168.11.12	0xdb07	No error (0)	d1rsqi0l6b7evg.cloudfront.net		108.139.47.125	A (IP address)	IN (0x0001)	false
Sep 6, 2024 18:35:24.675998926 CEST	1.1.1.1	192.168.11.12	0xdb07	No error (0)	d1rsqi0l6b7evg.cloudfront.net		108.139.47.36	A (IP address)	IN (0x0001)	false
Sep 6, 2024 18:35:24.675998926 CEST	1.1.1.1	192.168.11.12	0xdb07	No error (0)	d1rsqi0l6b7evg.cloudfront.net		108.139.47.14	A (IP address)	IN (0x0001)	false
Sep 6, 2024 18:35:25.321089983 CEST	1.1.1.1	192.168.11.12	0x3544	No error (0)	inspire.rashienti.com		172.67.168.219	A (IP address)	IN (0x0001)	false
Sep 6, 2024 18:35:25.321089983 CEST	1.1.1.1	192.168.11.12	0x3544	No error (0)	inspire.rashienti.com		104.21.27.32	A (IP address)	IN (0x0001)	false

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Sep 6, 2024 18:35:24.930061102 CEST	108.139.47.10	443	192.168.11.12	49353	CN=clickme.thryv.com CN=Amazon RSA 2048 M03, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon RSA 2048 M03, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Sat Jun 08 02:00:00 CEST 2024 Wed Aug 24 00:26:04 CEST 2022 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Mon Jul 07 01:59:59 CEST 2025 Sat Aug 24 00:26:04 CEST 2030 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	771,52393-52392-52394-49200-49196-49192-49188-49172-49162-159-107-57-65413-196-136-129-157-61-53-192-132-49199-49195-49191-49187-49171-49161-158-103-51-190-69-156-60-47-186-65-49170-49160-22-10-255,0-11-10-13-16,29-23-24,0	a7a5e32c2ca29907256b5de4fbdf61ed
					CN=Amazon RSA 2048 M03, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Wed Aug 24 00:26:04 CEST 2022	Sat Aug 24 00:26:04 CEST 2030
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034
Sep 6, 2024 18:35:25.566891909 CEST	172.67.168.219	443	192.168.11.12	49354	CN=rashienti.com CN=WE1, O=Google Trust Services, C=US CN=GTS Root R4, O=Google Trust Services LLC, C=US	CN=WE1, O=Google Trust Services, C=US CN=GTS Root R4, O=Google Trust Services LLC, C=US CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Tue Aug 20 14:39:30 CEST 2024 Wed Dec 13 10:00:00 CET 2023 Wed Nov 15 04:43:21 CET 2023	Mon Nov 18 13:39:29 CET 2024 Tue Feb 20 15:00:00 CET 2029 Fri Jan 28 01:00:42 CET 2028	771,52393-52392-52394-49200-49196-49192-49188-49172-49162-159-107-57-65413-196-136-129-157-61-53-192-132-49199-49195-49191-49187-49171-49161-158-103-51-190-69-156-60-47-186-65-49170-49160-22-10-255,0-11-10-13-16,29-23-24,0	a7a5e32c2ca29907256b5de4fbdf61ed
					CN=WE1, O=Google Trust Services, C=US	CN=GTS Root R4, O=Google Trust Services LLC, C=US	Wed Dec 13 10:00:00 CET 2023	Tue Feb 20 15:00:00 CET 2029
					CN=GTS Root R4, O=Google Trust Services LLC, C=US	CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Wed Nov 15 04:43:21 CET 2023	Fri Jan 28 01:00:42 CET 2028

System Behavior

Analysis Process: xpcproxy PID: 611, Parent PID: 1

General

Start time (UTC):	16:35:22
Start date (UTC):	06/09/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Start time (UTC):	16:35:22
Start date (UTC):	06/09/2024
Path:	/usr/libexec/nsurlstoraged
Arguments:	/usr/libexec/nsurlstoraged --privileged
File size:	246624 bytes
MD5 hash:	321b0a40e24b45f0af49ba42742b3f64

Start time (UTC):	16:35:23
Start date (UTC):	06/09/2024
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Start time (UTC):	16:35:23
Start date (UTC):	06/09/2024
Path:	/usr/bin/curl
Arguments:	/usr/bin/curl -t 2 -v --connect-timeout 10 -L --remote-name --insecure --silent --user-agent Mozilla/5.0 (Macintosh Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15 https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPRzSyzWe4FlQQyqQA-2BOTqGjWjoN-2BuPm4tzM5LM6f6tO2PXKa74YSjAhzL6onG-2BuKO989bZZj9vupVvXtBWU0qXeI6VZny9p-2FgjssbU9Je1I2RDoZPOLgxX8gxf2-2BzsuoGYoVqnaS5CYR1Z5WEWAcZP0wmQbm4ikqer-2BGrlVppyDdPw-2BxPiObQZTbU2ZeclEy9V5nUC-2BnwlvdDmQwsjghHkHuJFiwInVWpyiCgGFo0uYjlPs3G8hdAgJBJu-2F-2B0K864-3D#ZmluYW5jZUBjbGVhcnZpZXcuYWk=
File size:	185072 bytes
MD5 hash:	2418204e23e2952e7995f1819a1f78f5

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

General Information

Errors

Warnings

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Connections

System Behavior

Analysis Process: xpcproxy PID: 611, Parent PID: 1

General

File Activities

File Opened

File Read

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: nsurlstoraged PID: 611, Parent PID: 1

General

File Activities

File Opened

File Read

Directory Enumerated

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: mono-sgen32 PID: 616, Parent PID: 537

General

File Activities

File Read (Anonymous Pipes)

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: curl PID: 616, Parent PID: 537

General

File Activities

File Opened