macOS Analysis Report
d1TtkSBl05.dmg

Overview

General Information

Sample name: d1TtkSBl05.dmg
(renamed file extension from none to dmg)
Original sample name: d1TtkSBl05
Analysis ID: 1539815
MD5: 67edf42ca4a72cf93b21f09d59736b81
SHA1: 7456c1284fb2865da6b2dda880d727dc53b9026c
SHA256: eea95fdafd0988bcac790cead96755dd973264e794246e4233c8dc8fa6486e7a

Detection

Score: 2
Range: 0 - 100
Whitelisted: false

Signatures

Reads hardware related sysctl values
Reads the system's OS release and/or type
Reads the system's hostname
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Classification

Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.8:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.8:443 -> 192.168.11.12:49382 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49385 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49393 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.71
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.71
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.71
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.71
Source: unknown TCP traffic detected without corresponding DNS query: 23.46.224.247
Source: unknown TCP traffic detected without corresponding DNS query: 23.46.224.247
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /2021/mobileassets/041-40471/B96AF6E1-5FF6-4786-9956-944A1AFE086A/com_apple_MobileAsset_KextDenyList/404087a7302927411b6ea0e05114d2c68355185e.zip HTTP/1.1Host: updates.cdn-apple.comAccept: */*Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic HTTP traffic detected: GET /2024/patches/062-08173/234EE7F7-CC33-4CD3-85FC-60590A103560/com_apple_MobileAsset_CoreSuggestions/84f6102e2a09dd10dd694d795792a7771b6014fc.zip HTTP/1.1Host: updates.cdn-apple.comAccept: */*Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic HTTP traffic detected: GET /2024/patches/052-54451/D609556E-69B1-482E-9C33-B2E3510A1311/com_apple_MobileAsset_TimeZoneUpdate/c5a4d0df08e8faecf4faebbbadc4d96a07d9d990.zip HTTP/1.1Host: updates.cdn-apple.comAccept: */*Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: d1TtkSBl05.dmg String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: unknown Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49386
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49385
Source: unknown Network traffic detected: HTTP traffic on port 49393 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49383
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49382
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49381
Source: unknown Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49386 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49382 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown Network traffic detected: HTTP traffic on port 49394 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49394
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49393
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49390
Source: unknown Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49390 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49347 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49385 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49383 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49381 -> 443
Source: classification engine Classification label: clean2.macDMG@0/4@1/0
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 674) Random device file read: /dev/random
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: d1TtkSBl05.dmg Binary or memory string: 5EQEMUEY^ZR
Source: d1TtkSBl05.dmg Binary or memory string: (I@ZQEMUUMQZ
Source: d1TtkSBl05.dmg Binary or memory string: yQEmuUeue%x
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) Sysctl read request: hw.cpu_freq (6.15)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) Sysctl read request: hw.ncpu (6.3)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) Sysctl read request: hw.memsize (6.24)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) Sysctl read request: hw.availcpu (6.25)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) Sysctl requested: kern.ostype (1.1)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/open (PID: 638) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 639) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist