macOS Analysis Report
Homebrew-4.2.19.pkg

Overview

General Information

Sample name: Homebrew-4.2.19.pkg
Analysis ID: 1431739
MD5: e16aa5f0a2e358934b2a87c1b685eaaf
SHA1: 75667161d1d00596bd035e693a28d525976ea994
SHA256: 61a958ff4d3d911dcf2b5d32470d44509fa53b28c97c0b5e6ef5fe649d141c1c

Detection

Score: 2
Range: 0 - 100
Whitelisted: false

Signatures

Reads hardware related sysctl values
Reads the systems OS release and/or type
Reads the systems hostname
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Uses Security framework containing interfaces for system-level user authentication and authorization

Classification

Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49366 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49373 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49402 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49403 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49404 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49405 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.228.70
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.228.65
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.21.201
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: global traffic DNS traffic detected: DNS query: updates.cdn-apple.com
Source: Homebrew-4.2.19.pkg String found in binary or memory: http://crl.apple.com/root.crl0
Source: Homebrew-4.2.19.pkg String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: Homebrew-4.2.19.pkg String found in binary or memory: http://ocsp.apple.com/ocsp03-devid070
Source: Homebrew-4.2.19.pkg String found in binary or memory: http://www.apple.com/appleca0
Source: Homebrew-4.2.19.pkg String found in binary or memory: http://www.apple.com/certificateauthority/0
Source: Distribution String found in binary or memory: https://developer.apple.com/documentation/installer_js
Source: postinstall String found in binary or memory: https://git-scm.com/docs/git-config#SCOPES
Source: Homebrew-4.2.19.pkg String found in binary or memory: https://www.apple.com/appleca/0
Source: classification engine Classification label: clean2.macPKG@0/3@2/0
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 651) Random device file read: /dev/random
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) Sysctl read request: hw.cpu_freq (6.15)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) Sysctl read request: hw.ncpu (6.3)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) Sysctl read request: hw.memsize (6.24)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) Sysctl read request: hw.availcpu (6.25)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) Sysctl requested: kern.ostype (1.1)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/open (PID: 621) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist