macOS Analysis Report
V6QED2Q1WBYVOPE

Overview

General Information

Sample name: V6QED2Q1WBYVOPE
Analysis ID: 1545735
MD5: 6dee3bbd2bb0b9de6423700a8e1fe1e8
SHA1: 88537c509c075956ba5d4e1d9fbdd18eaa357e53
SHA256: 1001c1ed209abec59d96e0f27007561c3036c585dd0113ed3cc074bf6a11c105

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Mach-O contains sections with high entropy indicating compressed/encrypted content
Sample or dropped file has a small TEXT segment size indicating that the actual code is not in this segment hampering debugging

Classification

AV Detection

Source: V6QED2Q1WBYVOPE Avira: detected
Source: V6QED2Q1WBYVOPE ReversingLabs: Detection: 47%
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49379 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.8:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.8:443 -> 192.168.11.12:49380 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49382 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.8:443 -> 192.168.11.12:49387 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49393 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown TCP traffic detected without corresponding DNS query: 23.199.49.152
Source: unknown TCP traffic detected without corresponding DNS query: 23.46.224.247
Source: unknown TCP traffic detected without corresponding DNS query: 23.46.224.247
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /2024/patches/062-47618/2296644A-2400-46B4-A723-9D2B5B310BB3/com_apple_MobileAsset_CoreSuggestions/d0953e982fbb98874ebf11b227f84d8d5094f457.zip HTTP/1.1Host: updates.cdn-apple.comAccept: */*Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic HTTP traffic detected: GET /2024/patches/052-54451/D609556E-69B1-482E-9C33-B2E3510A1311/com_apple_MobileAsset_TimeZoneUpdate/c5a4d0df08e8faecf4faebbbadc4d96a07d9d990.zip HTTP/1.1Host: updates.cdn-apple.comAccept: */*Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic HTTP traffic detected: GET /2021/mobileassets/041-40471/B96AF6E1-5FF6-4786-9956-944A1AFE086A/com_apple_MobileAsset_KextDenyList/404087a7302927411b6ea0e05114d2c68355185e.zip HTTP/1.1Host: updates.cdn-apple.comAccept: */*Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: V6QED2Q1WBYVOPE, 00000620.00000248.9.000000011a772000.000000011a79b000.r--.sdmp String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: V6QED2Q1WBYVOPE, 00000620.00000248.9.000000011a772000.000000011a79b000.r--.sdmp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: V6QED2Q1WBYVOPE, 00000620.00000248.9.000000011a772000.000000011a79b000.r--.sdmp String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: V6QED2Q1WBYVOPE, 00000620.00000248.9.000000011a772000.000000011a79b000.r--.sdmp String found in binary or memory: http://www.apple.com/certificateauthority0
Source: V6QED2Q1WBYVOPE, 00000620.00000248.9.000000011a772000.000000011a79b000.r--.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown Network traffic detected: HTTP traffic on port 49397 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49387
Source: unknown Network traffic detected: HTTP traffic on port 49393 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49382
Source: unknown Network traffic detected: HTTP traffic on port 49395 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49381
Source: unknown Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49380
Source: unknown Network traffic detected: HTTP traffic on port 49353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49380 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49382 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49379
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49353
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49397
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49395
Source: unknown Network traffic detected: HTTP traffic on port 49394 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49394
Source: unknown Network traffic detected: HTTP traffic on port 49379 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49393
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49390
Source: unknown Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49390 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49387 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49381 -> 443
Source: classification engine Classification label: mal56.mac@0/0@1/0
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 640) Random device file read: /dev/random Jump to behavior
Source: V6QED2Q1WBYVOPE Submission file: section __data with 7.99957854 entropy (max. 8.0)
Source: V6QED2Q1WBYVOPE Mach-O __TEXT segment size: 0x1000 <= 16 KB