macOS Analysis Report
https://www.vysor.io/download/?return=https%3A%2F%2Fwww.vysor.io%2F

Overview

General Information

Sample URL: https://www.vysor.io/download/?return=https%3A%2F%2Fwww.vysor.io%2F
Analysis ID: 1660774

Detection

Score: 1
Range: 0 - 100

Signatures

Writes HTML files containing JavaScript to disk
Writes HTML files containing suspicious ad-related keywords to disk

Classification

Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49347 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49348 version: TLS 1.2
Source: unknown HTTPS traffic detected: 17.248.199.68:443 -> 192.168.11.12:49349 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.153:443 -> 192.168.11.12:49355 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49365 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49366 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49369 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 23.58.91.134
Source: unknown TCP traffic detected without corresponding DNS query: 23.58.91.134
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.vysor.io
Source: global traffic DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: /usr/bin/curl (PID: 612) Reads from socket in process: data
Source: ?return=https%3A%2F%2Fwww.vysor.io%2F.246.dr String found in binary or memory: https://app.vysor.io/
Source: ?return=https%3A%2F%2Fwww.vysor.io%2F.246.dr String found in binary or memory: https://chrome.google.com/webstore/detail/gidgenkbbabolejbgbpnhbimgjbffefm
Source: ?return=https%3A%2F%2Fwww.vysor.io%2F.246.dr String found in binary or memory: https://nuts.vysor.io/download/
Source: ?return=https%3A%2F%2Fwww.vysor.io%2F.246.dr String found in binary or memory: https://support.vysor.io/
Source: ?return=https%3A%2F%2Fwww.vysor.io%2F.246.dr String found in binary or memory: https://vysordev.clockworkmod.com/#two
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49369
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49368
Source: unknown Network traffic detected: HTTP traffic on port 49397 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49366
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49365
Source: unknown Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49355 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49369 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49365 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49355
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49397
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49368 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49347 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49366 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49349
Source: /usr/bin/curl (PID: 612) Writes from socket in process: data
Source: /usr/bin/curl (PID: 612) HTML file containing JavaScript created: /Users/bernard/Desktop/download/?return=https%3A%2F%2Fwww.vysor.io%2F
Source: /usr/bin/curl (PID: 612) HTML file created with suspicious ad-related keywords: /Users/bernard/Desktop/download/?return=https%3A%2F%2Fwww.vysor.io%2F (keywords found: search, ads)
Source: classification engine Classification label: clean1.mac@0/1@2/0
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 639) Random device file read: /dev/random