macOS Analysis Report
ot-test-app

Overview

General Information

Sample name: ot-test-app
Analysis ID: 1430401
MD5: 4a43bafb4af0a038a7f430417bcc1b6e
SHA1: 438243575764a5e856951126674f72f20b2a0d6f
SHA256: a0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file

Classification

AV Detection

Source: ot-test-app ReversingLabs: Detection: 18%
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49352 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49373 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49382 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.8:443 -> 192.168.11.12:49389 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.8:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.8:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49402 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49403 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.193.20
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.193.17
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.83.202
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /2021/mobileassets/041-40471/B96AF6E1-5FF6-4786-9956-944A1AFE086A/com_apple_MobileAsset_KextDenyList/404087a7302927411b6ea0e05114d2c68355185e.zip HTTP/1.1; Host: updates.cdn-apple.com; Accept: */*; Accept-Language: en-us; Connection: keep-alive; Accept-Encoding: br, gzip, deflate; User-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic HTTP traffic detected: GET /2024/patches/052-54451/D609556E-69B1-482E-9C33-B2E3510A1311/com_apple_MobileAsset_TimeZoneUpdate/c5a4d0df08e8faecf4faebbbadc4d96a07d9d990.zip HTTP/1.1; Host: updates.cdn-apple.com; Accept: */*; Accept-Language: en-us; Connection: keep-alive; Accept-Encoding: br, gzip, deflate; User-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic HTTP traffic detected: GET /2023/patches/042-18019/79402820-170F-4A67-A67F-50C95CD0F3AF/com_apple_MobileAsset_CoreSuggestions/49a5a08d2aad413f10ff536f3b9897a87faac692.zip HTTP/1.1; Host: updates.cdn-apple.com; Accept: */*; Accept-Language: en-us; Connection: keep-alive; Accept-Encoding: br, gzip, deflate; User-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: unknown DNS traffic detected: queries for: apis.apple.map.fastly.net
Source: classification engine Classification label: mal48.mac@0/0@3/0
Source: submission: ot-test-app Mach-O header: load_dylib -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: submission: ot-test-app Mach-O header: load_dylib -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission: ot-test-app Mach-O header: load_dylib -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 638) Random device file read: /dev/random