macOS Analysis Report
Constate

Overview

General Information

Sample name: Constate
Analysis ID: 1538489
MD5: 430d14cbf65aa74fddd7cf3dfb7db4c7
SHA1: 71cd408617e2df20d639c546329fc5a7af8a6a87
SHA256: 6bf38c1dd13ef90742a73bcd5f3700baab068aab96b3e879e58cd6f2b1fcd14b

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Machine Learning detection for sample
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Moves itself during installation or deletes itself after installation
Process deletes its process image on disk
Reads the system's OS release and/or type
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Classification

AV Detection

Source: Constate ReversingLabs: Detection: 39%
Source: Constate Joe Sandbox ML: detected
Source: submission: Constate Mach-O symbol: _CCCryptorRelease
Source: submission: Constate Mach-O symbol: _CCCryptorUpdate
Source: submission: Constate Mach-O symbol: _CCCryptorFinal
Source: submission: Constate Mach-O symbol: _CCCryptorGetOutputLength
Source: submission: Constate Mach-O symbol: _CCCryptorCreate
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49353 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.70.175.13:443 -> 192.168.11.12:49363 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49405 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49406 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49407 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49408 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49409 version: TLS 1.2
Source: submission: Constate Mach-O symbol: _kIOMasterPortDefault
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.69
Source: unknown TCP traffic detected without corresponding DNS query: 96.17.64.247
Source: unknown TCP traffic detected without corresponding DNS query: 96.17.64.247
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.emidzazi.site
Source: global traffic DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: unknown HTTP traffic detected:
  POST /se/cu HTTP/1.1
  Host: www.emidzazi.site
  Content-Type: application/json
  Connection: keep-alive
  Accept: */*
  User-Agent: Constate (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
  Content-Length: 42
  Accept-Language: en-us
  Accept-Encoding: br, gzip, deflate
Source: Constate, 00000619.00000255.9.0000000119861000.000000011988a000.r--.sdmp String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: Constate, 00000619.00000255.9.0000000119861000.000000011988a000.r--.sdmp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Constate, 00000619.00000255.9.0000000119861000.000000011988a000.r--.sdmp String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: Constate, 00000619.00000255.9.0000000119861000.000000011988a000.r--.sdmp String found in binary or memory: http://www.apple.com/certificateauthority0
Source: Constate, 00000619.00000255.9.0000000119861000.000000011988a000.r--.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown Network traffic detected: HTTP traffic on port 49397 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown Network traffic detected: HTTP traffic on port 49406 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49408 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49363
Source: unknown Network traffic detected: HTTP traffic on port 49353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49355 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49363 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49409 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49355
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49354
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49353
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49397
Source: unknown Network traffic detected: HTTP traffic on port 49405 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown Network traffic detected: HTTP traffic on port 49407 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown Network traffic detected: HTTP traffic on port 49354 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49409
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49408
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49407
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49406
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49405
Source: classification engine Classification label: mal56.evad.mac@0/0@2/0
Source: /Users/bernard/Desktop/Constate (PID: 619) Process image deleted: /Users/bernard/Desktop/Constate
Source: /Users/bernard/Desktop/Constate (PID: 619) CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: submission: Constate Mach-O header: load_dylib -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
Source: submission: Constate Mach-O header: load_dylib -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: submission: Constate Mach-O header: load_dylib -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 639) Random device file read: /dev/random

Hooking and other Techniques for Hiding and Protection

Source: /Users/bernard/Desktop/Constate (PID: 619) PTRACE system call (PT_DENY_ATTACH): PID 619 denies future traces
Source: /Users/bernard/Desktop/Constate (PID: 619) File deleted: /Users/bernard/Desktop/Constate
Source: Constate, 00000619.00000255.9.000000010bda0000.000000010bdae000.rw-.sdmp Binary or memory string: VMware
Source: Constate, 00000619.00000255.9.000000010bdc4000.000000010bdca000.r--.sdmp Binary or memory string: framework.vmnet
Source: Constate, 00000619.00000255.9.000000010bdc4000.000000010bdca000.r--.sdmp Binary or memory string: framework.vmnet$
Source: Constate, 00000619.00000255.9.000000010bda0000.000000010bdae000.rw-.sdmp Binary or memory string: y:qemu
Source: /Users/bernard/Desktop/Constate (PID: 619) Sysctl requested: kern.ostype (1.1)
Source: /Users/bernard/Desktop/Constate (PID: 619) Sysctl requested: kern.osrelease (1.2)
Source: /Users/bernard/Desktop/Constate (PID: 619) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist