Edit tour

macOS Analysis Report
Homebrew-4.2.19.pkg

Overview

General Information

Sample name:	Homebrew-4.2.19.pkg
Analysis ID:	1431739
MD5:	e16aa5f0a2e358934b2a87c1b685eaaf
SHA1:	75667161d1d00596bd035e693a28d525976ea994
SHA256:	61a958ff4d3d911dcf2b5d32470d44509fa53b28c97c0b5e6ef5fe649d141c1c
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false

Signatures

Reads hardware related sysctl values

Reads the systems OS release and/or type

Reads the systems hostname

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Uses Security framework containing interfaces for system-level user authentication and authorization

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431739
Start date and time:	2024-04-25 17:25:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Sample name:	Homebrew-4.2.19.pkg
Detection:	CLEAN
Classification:	clean2.macPKG@0/3@2/0

Warnings

Excluded IPs from analysis (whitelisted): 17.171.98.2, 23.222.201.219, 17.253.119.201, 17.253.21.205, 17.36.200.79, 23.222.200.29
Excluded domains from analysis (whitelisted): e11408.d.akamaiedge.net, mesu-cdn.apple.com.akadns.net, lcdn-locator-usuqo.apple.com.akadns.net, updates.cdn-apple.com.akadns.net, e673.dsce9.akamaiedge.net, help-ar.apple.com.edgekey.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, mesu-cdn.origin-apple.com.akadns.net, lcdn-locator.apple.com.akadns.net, help.origin-apple.com.akadns.net, radarsubmissions.apple.com.akadns.net, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, radarsubmissions.apple.com, itunes.apple.com.edgekey.net, help.apple.com, mesu.apple.com, init.itunes.apple.com, init-cdn.itunes-apple.com.akadns.net

Runtime Messages

Command:	open "/Users/bernard/Desktop/Homebrew-4.2.19.pkg"
PID:	621
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is macvm-mojave

mono-sgen32 New Fork (PID: 621, Parent: 537)

open (MD5: 34bd93241fa5d2aee225941b1ca14fa4) Arguments: /usr/bin/open /Users/bernard/Desktop/Homebrew-4.2.19.pkg

xpcproxy New Fork (PID: 622, Parent: 1)

Installer (MD5: 50c84168359b295c12427b3461315322) Arguments: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer

xpcproxy New Fork (PID: 635, Parent: 1)

nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged

xpcproxy New Fork (PID: 651, Parent: 1)

eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

cleanup

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49366 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49373 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49402 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49403 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49404 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49405 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.201
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.201
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: updates.cdn-apple.com

Source: Homebrew-4.2.19.pkg	String found in binary or memory: http://crl.apple.com/root.crl0
Source: Homebrew-4.2.19.pkg	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: Homebrew-4.2.19.pkg	String found in binary or memory: http://ocsp.apple.com/ocsp03-devid070
Source: Homebrew-4.2.19.pkg	String found in binary or memory: http://www.apple.com/appleca0
Source: Homebrew-4.2.19.pkg	String found in binary or memory: http://www.apple.com/certificateauthority/0
Source: Distribution	String found in binary or memory: https://developer.apple.com/documentation/installer_js
Source: postinstall	String found in binary or memory: https://git-scm.com/docs/git-config#SCOPES
Source: Homebrew-4.2.19.pkg	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49403
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49402
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49366
Source: unknown	Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49403 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 49405 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49373
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49371
Source: unknown	Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49402 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49366 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49405
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49349
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49327
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49404

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49366 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49373 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49402 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49403 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49404 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49405 version: TLS 1.2

Source: classification engine

Classification label: clean2.macPKG@0/3@2/0

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)

CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist

Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)

Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist

Jump to behavior

Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 651)

Random device file read: /dev/random

Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl read request: hw.cpu_freq (6.15)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl read request: hw.ncpu (6.3)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl read request: hw.memsize (6.24)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl read request: hw.availcpu (6.25)	Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)

Sysctl requested: kern.hostname (1.10)

Jump to behavior

Source: /usr/bin/open (PID: 621)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	31 System Information Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
h3.apis.apple.map.fastly.net	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
h3.apis.apple.map.fastly.net	151.101.3.6	true	false	0%, Virustotal, Browse	unknown
updates.cdn-apple.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://git-scm.com/docs/git-config#SCOPES	postinstall	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
151.101.3.6	h3.apis.apple.map.fastly.net	United States		54113	FASTLYUS	false
151.101.67.6	unknown	United States		54113	FASTLYUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
151.101.3.6	https://cloudflare-ipfs.com/ipfs/bafybeiagiq7tdzbkrrgr6pdgcm3qpbokwry3qqk2gedyazwwolhwfy4suy/nodex.html#	Get hash	malicious	Unknown	Browse
	Calendly.dmg	Get hash	malicious	Unknown	Browse
	89.kk	Get hash	malicious	Unknown	Browse
	Arc12645415	Get hash	malicious	Unknown	Browse
	SME.dmg	Get hash	malicious	Unknown	Browse
	https://pub.marq.com/Downloadiiii-Fileee/	Get hash	malicious	Unknown	Browse
	todoist-setup.dmg	Get hash	malicious	Unknown	Browse
	http://marketplace-item-details-98756222.zya.me	Get hash	malicious	Unknown	Browse
	Diogenes	Get hash	malicious	Unknown	Browse
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c139e8bc-e6cf-46e4-b94b-c8b5dea21199	Get hash	malicious	Unknown	Browse
151.101.67.6	ot-test-app	Get hash	malicious	Unknown	Browse
	https://cloudflare-ipfs.com/ipfs/bafybeiagiq7tdzbkrrgr6pdgcm3qpbokwry3qqk2gedyazwwolhwfy4suy/nodex.html#	Get hash	malicious	Unknown	Browse
	malw_sampl	Get hash	malicious	Unknown	Browse
	Arc12645415	Get hash	malicious	Unknown	Browse
	3MVd1q7ygy.macho	Get hash	malicious	Unknown	Browse
	https://www.flazio.com/server.html	Get hash	malicious	Unknown	Browse
	http://marketplace-item-details-98756222.zya.me	Get hash	malicious	Unknown	Browse
	ztfzDO15sO.dmg	Get hash	malicious	AMOS Stealer	Browse
	http://api.statisticsong.com/	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://r20.rs6.net/tn.jsp?f=001mdupJ4qBb-Nd2_ylzx8HBttlQ9opTAsCLDNaIzR_kjOMUNmpNcZJwTrf1-JKcQms1CJ9Uho976bwGC08_tX5C5noMjVDoDyLOXoK3aopxxStOM8t6wvTBKWgVo18etJYQ_eeHjJ4R2lwkep1pKOUg8VLdGfphtuo&c=&ch=/Er8BdK9PMSuOgr2lskWkeZAKVKx339#?ZnJhbmtfZHJhcGVyQGFvLnVzY291cnRzLmdvdg==	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://bushelman-my.sharepoint.com/:b:/p/lance/ESXtc6Laa05KpaC4W3rpMEMBfLSUU1GZhgfhBL8opRqFHg?e=Wrw3le	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	151.101.2.137
	https://runrun.it/share/portal/x1pWDYC5l2f72kuw	Get hash	malicious	HTMLPhisher	Browse	151.101.20.158
	https://app.robly.com/sites/1550c67c312457e2bb58457f78fda912/f774d7ddfffc8f1d429cd55a95adr852d	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	151.101.66.137
	[EXTERNAL] New file received.eml	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/o76fri/enpmZG9tbF9zdXBlcnZpc29yMXN0X2Fzc2lzdGFudEBmZC5vcmc=	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	Isass.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	Isass.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://us-west-2.protection.sophos.com/?d=google.co.za&u=aHR0cHM6Ly9nb29nbGUuY28uemEvYW1wL3Mvd3d3Lmdvb2dsZS5jb20lMkZ1cmwlM0ZzYSUzREQlMjZxJTNEaHR0cHMlM0ElMkYlMkZlbWFpbGluZy5taXJhYmF1ZC1hbS5jb20lMkZ0bC5waHAlMjUzRnAlMjUzRDVwMCUyRnQyJTJGcnMlMkYxZTYlMkZyeSUyRnJzJTJGJTJGaHR0cHMlM0ElMkYlMkZmaXJlYmFzZXN0b3JhZ2UuZ29vZ2xlYXBpcy5jb20lMjUyNTJGdjAlMjUyNTJGYiUyNTI1MkZteS1hd2Vzb21lLXByb2plY3QtaWQtMzU4ODkuYXBwc3BvdC5jb20lMjUyNTJGbyUyNTI1MkZzb3NmcmUuaHRtbCUyNTI1M0ZhbHQlMjUyNTNEbWVkaWElMjUyNTI2dG9rZW4lMjUyNTNENzBmZDlmZWMtZWM4Mi00YjQ1LTkwMmQtMmFhM2Q3NTgwYzNiJTI2dXN0JTNEMTcxNDEyMzE0MDAwMDAwMCUyNnVzZyUzREFPdlZhdzJ5SzhVRkpvWmVuUkRWdUJMLXNmY20lMjZobCUzRGVuJTI2c291cmNlJTNEZ21haWwjYTJ4MVkyRnpRR04wYlhOdmFHbHZMbU52YlE9PQ==&p=m&i=NjFjOWM1NjJmM2YxNmYxMDA2OTJjYWZj&t=THJkcUUxZW9PQzAvNFZ0aWxoalJFOStYQ0dWVXgvYjJ6aS82eTZoUDhJcz0=&h=276fada438bf49c2be0403c28d11d4f4&s=AVNPUEhUT0NFTkNSWVBUSVZ-gOCnEu8L0hbaTxie_PLqb02g0uIV3TDGiGYGiGwGbDIPB11limBksw9z8tTzOiKEbBHGOtpfybJD4FbJxpna6swSu6rycA6MG9n6CTc4aMLN4lGfbapv3cHB_2jaSF4	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
FASTLYUS	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://r20.rs6.net/tn.jsp?f=001mdupJ4qBb-Nd2_ylzx8HBttlQ9opTAsCLDNaIzR_kjOMUNmpNcZJwTrf1-JKcQms1CJ9Uho976bwGC08_tX5C5noMjVDoDyLOXoK3aopxxStOM8t6wvTBKWgVo18etJYQ_eeHjJ4R2lwkep1pKOUg8VLdGfphtuo&c=&ch=/Er8BdK9PMSuOgr2lskWkeZAKVKx339#?ZnJhbmtfZHJhcGVyQGFvLnVzY291cnRzLmdvdg==	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://bushelman-my.sharepoint.com/:b:/p/lance/ESXtc6Laa05KpaC4W3rpMEMBfLSUU1GZhgfhBL8opRqFHg?e=Wrw3le	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	151.101.2.137
	https://runrun.it/share/portal/x1pWDYC5l2f72kuw	Get hash	malicious	HTMLPhisher	Browse	151.101.20.158
	https://app.robly.com/sites/1550c67c312457e2bb58457f78fda912/f774d7ddfffc8f1d429cd55a95adr852d	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	151.101.66.137
	[EXTERNAL] New file received.eml	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/o76fri/enpmZG9tbF9zdXBlcnZpc29yMXN0X2Fzc2lzdGFudEBmZC5vcmc=	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	Isass.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	Isass.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://us-west-2.protection.sophos.com/?d=google.co.za&u=aHR0cHM6Ly9nb29nbGUuY28uemEvYW1wL3Mvd3d3Lmdvb2dsZS5jb20lMkZ1cmwlM0ZzYSUzREQlMjZxJTNEaHR0cHMlM0ElMkYlMkZlbWFpbGluZy5taXJhYmF1ZC1hbS5jb20lMkZ0bC5waHAlMjUzRnAlMjUzRDVwMCUyRnQyJTJGcnMlMkYxZTYlMkZyeSUyRnJzJTJGJTJGaHR0cHMlM0ElMkYlMkZmaXJlYmFzZXN0b3JhZ2UuZ29vZ2xlYXBpcy5jb20lMjUyNTJGdjAlMjUyNTJGYiUyNTI1MkZteS1hd2Vzb21lLXByb2plY3QtaWQtMzU4ODkuYXBwc3BvdC5jb20lMjUyNTJGbyUyNTI1MkZzb3NmcmUuaHRtbCUyNTI1M0ZhbHQlMjUyNTNEbWVkaWElMjUyNTI2dG9rZW4lMjUyNTNENzBmZDlmZWMtZWM4Mi00YjQ1LTkwMmQtMmFhM2Q3NTgwYzNiJTI2dXN0JTNEMTcxNDEyMzE0MDAwMDAwMCUyNnVzZyUzREFPdlZhdzJ5SzhVRkpvWmVuUkRWdUJMLXNmY20lMjZobCUzRGVuJTI2c291cmNlJTNEZ21haWwjYTJ4MVkyRnpRR04wYlhOdmFHbHZMbU52YlE9PQ==&p=m&i=NjFjOWM1NjJmM2YxNmYxMDA2OTJjYWZj&t=THJkcUUxZW9PQzAvNFZ0aWxoalJFOStYQ0dWVXgvYjJ6aS82eTZoUDhJcz0=&h=276fada438bf49c2be0403c28d11d4f4&s=AVNPUEhUT0NFTkNSWVBUSVZ-gOCnEu8L0hbaTxie_PLqb02g0uIV3TDGiGYGiGwGbDIPB11limBksw9z8tTzOiKEbBHGOtpfybJD4FbJxpna6swSu6rycA6MG9n6CTc4aMLN4lGfbapv3cHB_2jaSF4	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5c118da645babe52f060d0754256a73c	ot-test-app	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6
	https://cloudflare-ipfs.com/ipfs/bafybeiagiq7tdzbkrrgr6pdgcm3qpbokwry3qqk2gedyazwwolhwfy4suy/nodex.html#	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6
	Calendly.dmg	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6
	malw_sampl	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6
	89.kk	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6
	Arc12645415	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6
	SME.dmg	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6
	3MVd1q7ygy.macho	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6
	https://www.flazio.com/server.html	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6
	https://pub.marq.com/Downloadiiii-Fileee/	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.67.6

Dropped Files

⊘No context

Created / dropped Files

/dev/null

Download File

Process:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
File Type:	ASCII text
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.673533547037795
Encrypted:	false
SSDEEP:	3:tRJRsDfxAqDgX2XUU4KVJ1WOv:7sDfxxgXXU4OmA
MD5:	09CC13DB21D4EAAA9A61BFAEA125BC3D
SHA1:	1411FA7B53CE4665CF35EEB7346E66B9CAEC6D92
SHA-256:	41C6D680A6D0C6AC194B542E39BF5681BABA89C7168C3FE8765C8147F487615B
SHA-512:	89C668DB18D2E5BF7A6CD6B38CC4486B4D9D908244B1F5662248CC4D7D17E79D0B471FC15EF44BCDF5A2EB0881A5F6632ED0D3FDACE4286B22F2B9903178C75B
Malicious:	false
Reputation:	low
Preview:	2024-04-25 17:26:55.702 Installer[622:4921] ApplePersistence=NO.

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsDirectory.db_

Download File

Process:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533814637805397
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGB5pBfbouR6/chQOnGqwc2U+v+h/:8MdGleOhpBouRwchQOnGqwc2U+v+h/
MD5:	0E4A0D1CEB2AF6F0F8D0167CE77BE2D3
SHA1:	414BA4C1DC5FC8BF53D550E296FD6F5AD669918C
SHA-256:	CCA093BCFC65E25DD77C849866E110DF72526DFFBE29D76E11E29C7D888A4030
SHA-512:	1DC5282D27C49A4B6F921BA5DFC88B8C1D32289DF00DD866F9AC6669A5A8D99AFEDA614BFFC7CF61A44375AE73E09CD52606B443B63636977C9CD2EF4FA68A20
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsObject.db_

Download File

Process:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5110922853353324
Encrypted:	false
SSDEEP:	24:mFkXs98w/mBr53CEb9ujBbCYoVeA7uBEUMy733Ka2VCneWHrUZRJkWnJI4FNMOQS:m6Xsh+CLjL3Pe3T5FFEfEn8xiYuuSsS
MD5:	D3A1859E6EC593505CC882E6DEF48FC8
SHA1:	F8E6728E3E9DE477A75706FAA95CEAD9CE13CB32
SHA-256:	3EBAFA97782204A4A1D75CFEC22E15FCDEAB45B65BAB3B3E65508707E034A16C
SHA-512:	EA2A749B105759EA33408186B417359DEFFB4A3A5ED0533CB26B459C16BB3524D67EDE5C9CF0D5098921C0C0A9313FB9C2672F1E5BA48810EDA548FA3209E818
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

Static File Info

General

File type:	xar archive compressed TOC: 4886, SHA-1 checksum
Entropy (8bit):	7.999720266278033
TrID:	Safari Extension (4004/1) 80.00% ZLIB compressed file (1001/1) 20.00%
File name:	Homebrew-4.2.19.pkg
File size:	96'748'593 bytes
MD5:	e16aa5f0a2e358934b2a87c1b685eaaf
SHA1:	75667161d1d00596bd035e693a28d525976ea994
SHA256:	61a958ff4d3d911dcf2b5d32470d44509fa53b28c97c0b5e6ef5fe649d141c1c
SHA512:	8d6ed81beb8a679b1ebc0658c383bc1d249a660770fc3cba399cbb0374ce76fb41c62f9ea963387746d9ff60d50f09eeb117e0ecff68671a08d2364ba66bac85
SSDEEP:	1572864:01Jy7TRF4XWEY2IQcfovf5MMQPBwj2l9pIR921it+Hnwh3PciiGyKo:uETn4GEY2KFTajY9pIK1it+HOPciZo
TLSH:	532833885FFB4F932A663631508163929472061263CFCABA7B5C6F317FCEAD0C95196C
File Content Preview:	xar!..................A.....x..\Yo...~G.?..>...g...G.1...3.7...`0....B....Q.}t..)(v...r..}k.....E...lwIU.....\|...^.'e....%}....G...l.t.<....}y...S.'..I..@.....7.....E...C.....8........<....v..../.U.....x.?^]Fw.......8...t\.vIT:.~..4.S..B..F.\|V..a..J.V_.A.

Archive PKG

Archived Files

File Path	File Attributes	File Size
Distribution		1'864 bytes
Homebrew.pkg	D	bytes
Homebrew.pkg/Bom		675'017 bytes
Homebrew.pkg/PackageInfo		629 bytes
Homebrew.pkg/Payload		96'478'720 bytes
Homebrew.pkg/Scripts	D	bytes
Homebrew.pkg/Scripts/postinstall		3'249 bytes
Homebrew.pkg/Scripts/preinstall		554 bytes
Resources	D	bytes
Resources/CONCLUSION.rtf		4'177 bytes
Resources/Homebrew.png		66'714 bytes
Resources/LICENSE.rtf		1'784 bytes
Resources/WELCOME.rtf		1'128 bytes

Extracted Files

Distribution

File path:	Distribution
File size:	1'864 bytes
File type:	XML 1.0 document, ASCII text

Homebrew.pkg/Bom

File path:	Homebrew.pkg/Bom
File size:	675'017 bytes
File type:	Mac OS X bill of materials (BOM) file

Homebrew.pkg/PackageInfo

File path:	Homebrew.pkg/PackageInfo
File size:	629 bytes
File type:	XML 1.0 document, ASCII text

Homebrew.pkg/Payload

File path:	Homebrew.pkg/Payload
File size:	96'478'720 bytes
File type:	gzip compressed data, from Unix, original size modulo 2^32 140955648

Homebrew.pkg/Scripts/postinstall

File path:	Homebrew.pkg/Scripts/postinstall
File size:	3'249 bytes
File type:	Bourne-Again shell script, ASCII text executable

Homebrew.pkg/Scripts/preinstall

File path:	Homebrew.pkg/Scripts/preinstall
File size:	554 bytes
File type:	Bourne-Again shell script, ASCII text executable

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 17:26:37.831312895 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:37.831376076 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:37.833277941 CEST	49349	443	192.168.11.12	151.101.67.6
Apr 25, 2024 17:26:37.854593039 CEST	443	49350	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:37.855412006 CEST	49350	443	192.168.11.12	151.101.67.6
Apr 25, 2024 17:26:37.856873989 CEST	49350	443	192.168.11.12	151.101.67.6
Apr 25, 2024 17:26:37.956068993 CEST	443	49350	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:37.963979006 CEST	443	49350	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:37.964077950 CEST	443	49350	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:37.964169979 CEST	443	49350	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:37.964271069 CEST	443	49350	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:37.964322090 CEST	443	49350	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:37.964922905 CEST	49350	443	192.168.11.12	151.101.67.6
Apr 25, 2024 17:26:37.964978933 CEST	49350	443	192.168.11.12	151.101.67.6
Apr 25, 2024 17:26:37.965095997 CEST	49350	443	192.168.11.12	151.101.67.6
Apr 25, 2024 17:26:37.965605021 CEST	49350	443	192.168.11.12	151.101.67.6
Apr 25, 2024 17:26:37.981087923 CEST	49350	443	192.168.11.12	151.101.67.6
Apr 25, 2024 17:26:38.080379963 CEST	443	49350	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:38.080446005 CEST	443	49350	151.101.67.6	192.168.11.12
Apr 25, 2024 17:26:38.081197023 CEST	49350	443	192.168.11.12	151.101.67.6
Apr 25, 2024 17:26:38.295114994 CEST	49346	443	192.168.11.12	17.248.228.70
Apr 25, 2024 17:26:38.395381927 CEST	443	49346	17.248.228.70	192.168.11.12
Apr 25, 2024 17:26:39.096981049 CEST	49327	443	192.168.11.12	17.248.228.65
Apr 25, 2024 17:26:39.172844887 CEST	49327	443	192.168.11.12	17.248.228.65
Apr 25, 2024 17:26:39.197354078 CEST	443	49327	17.248.228.65	192.168.11.12
Apr 25, 2024 17:26:39.197417974 CEST	443	49327	17.248.228.65	192.168.11.12
Apr 25, 2024 17:26:39.198879004 CEST	49327	443	192.168.11.12	17.248.228.65
Apr 25, 2024 17:26:39.273287058 CEST	443	49327	17.248.228.65	192.168.11.12
Apr 25, 2024 17:26:39.548485994 CEST	49346	443	192.168.11.12	17.248.228.70
Apr 25, 2024 17:26:39.552206993 CEST	49346	443	192.168.11.12	17.248.228.70
Apr 25, 2024 17:26:39.648513079 CEST	443	49346	17.248.228.70	192.168.11.12
Apr 25, 2024 17:26:39.650646925 CEST	49346	443	192.168.11.12	17.248.228.70
Apr 25, 2024 17:26:39.652021885 CEST	443	49346	17.248.228.70	192.168.11.12
Apr 25, 2024 17:27:12.012511015 CEST	49366	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.012608051 CEST	443	49366	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.014302015 CEST	49366	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.015422106 CEST	49366	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.015520096 CEST	443	49366	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.238746881 CEST	443	49366	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.239952087 CEST	49366	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.239953041 CEST	49366	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.249511957 CEST	49366	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.249644995 CEST	443	49366	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.249901056 CEST	443	49366	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.250348091 CEST	49366	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.250448942 CEST	49366	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.263952971 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.264075994 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.264796972 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.265502930 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.265598059 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.502799034 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.503669024 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.503669024 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.510693073 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.510905981 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.511485100 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.511547089 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.512093067 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.641879082 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.641922951 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.642519951 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.668562889 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.668663025 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.882461071 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.883397102 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.883398056 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.890074968 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.890269995 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.890773058 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.890902042 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.891817093 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.905788898 CEST	49373	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.905906916 CEST	443	49373	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:12.906768084 CEST	49373	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.907737017 CEST	49373	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:12.907804012 CEST	443	49373	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:13.138953924 CEST	443	49373	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:13.139903069 CEST	49373	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:13.139903069 CEST	49373	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:13.204289913 CEST	49373	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:13.204451084 CEST	443	49373	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:13.205009937 CEST	443	49373	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:13.205199003 CEST	49373	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:13.207931042 CEST	49373	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:18.701308966 CEST	49396	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:18.701325893 CEST	443	49396	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:18.701978922 CEST	49396	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:18.717010975 CEST	49396	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:18.717017889 CEST	443	49396	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:18.928508043 CEST	443	49396	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:18.929255009 CEST	49396	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:18.929333925 CEST	49396	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.059602976 CEST	49396	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.059889078 CEST	443	49396	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:19.060671091 CEST	443	49396	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:19.061120033 CEST	49396	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.061434984 CEST	49396	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.297234058 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.297353029 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:19.297986031 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.300219059 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.300293922 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:19.511568069 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:19.512393951 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.512526989 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.533989906 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.534236908 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:19.534872055 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:19.534986019 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:19.535537004 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:20.338169098 CEST	49401	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:20.338275909 CEST	443	49401	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:20.339220047 CEST	49401	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:20.340018988 CEST	49401	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:20.340087891 CEST	443	49401	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:20.555749893 CEST	443	49401	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:20.556730032 CEST	49401	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:20.556730032 CEST	49401	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:20.599467039 CEST	49401	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:20.599733114 CEST	443	49401	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:20.600419044 CEST	443	49401	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:20.600421906 CEST	49401	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:20.601327896 CEST	49401	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:36.543468952 CEST	49343	80	192.168.11.12	17.253.21.201
Apr 25, 2024 17:27:36.648425102 CEST	80	49343	17.253.21.201	192.168.11.12
Apr 25, 2024 17:27:36.650213003 CEST	49343	80	192.168.11.12	17.253.21.201
Apr 25, 2024 17:27:49.791555882 CEST	49402	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:49.791676044 CEST	443	49402	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:49.792589903 CEST	49402	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:49.793426037 CEST	49402	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:49.793490887 CEST	443	49402	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.012746096 CEST	443	49402	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.013643980 CEST	49402	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.013691902 CEST	49402	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.019424915 CEST	49402	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.019618988 CEST	443	49402	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.020131111 CEST	443	49402	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.020493031 CEST	49402	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.020576954 CEST	49402	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.038630962 CEST	49403	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.038750887 CEST	443	49403	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.039891958 CEST	49403	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.041157961 CEST	49403	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.041250944 CEST	443	49403	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.255156040 CEST	443	49403	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.256027937 CEST	49403	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.256027937 CEST	49403	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.264508009 CEST	49403	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.264779091 CEST	443	49403	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.265418053 CEST	49403	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.265497923 CEST	443	49403	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.266038895 CEST	49403	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.285698891 CEST	49404	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.285820961 CEST	443	49404	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.286645889 CEST	49404	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.287555933 CEST	49404	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.287616968 CEST	443	49404	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.498402119 CEST	443	49404	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.499238014 CEST	49404	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.499238014 CEST	49404	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.511948109 CEST	49404	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.512114048 CEST	443	49404	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.512542963 CEST	443	49404	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.512676954 CEST	49404	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.513034105 CEST	49404	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.553639889 CEST	49405	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.553761005 CEST	443	49405	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.554389000 CEST	49405	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.555787086 CEST	49405	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.555849075 CEST	443	49405	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.769299030 CEST	443	49405	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.770797968 CEST	49405	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.770999908 CEST	49405	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.799666882 CEST	49405	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.799947977 CEST	443	49405	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.800790071 CEST	443	49405	151.101.3.6	192.168.11.12
Apr 25, 2024 17:27:50.801058054 CEST	49405	443	192.168.11.12	151.101.3.6
Apr 25, 2024 17:27:50.801500082 CEST	49405	443	192.168.11.12	151.101.3.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 17:26:54.154557943 CEST	137	137	192.168.11.12	192.168.11.255
Apr 25, 2024 17:26:54.154557943 CEST	137	137	192.168.11.12	192.168.11.255
Apr 25, 2024 17:26:57.437613964 CEST	53	52458	1.1.1.1	192.168.11.12
Apr 25, 2024 17:27:11.909065008 CEST	49208	53	192.168.11.12	1.1.1.1
Apr 25, 2024 17:27:12.009825945 CEST	53	49208	1.1.1.1	192.168.11.12
Apr 25, 2024 17:27:17.131253958 CEST	53046	53	192.168.11.12	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 17:27:11.909065008 CEST	192.168.11.12	1.1.1.1	0xf62f	Standard query (0)	h3.apis.apple.map.fastly.net	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:27:17.131253958 CEST	192.168.11.12	1.1.1.1	0x5533	Standard query (0)	updates.cdn-apple.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 17:27:12.009825945 CEST	1.1.1.1	192.168.11.12	0xf62f	No error (0)	h3.apis.apple.map.fastly.net		151.101.3.6	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:27:12.009825945 CEST	1.1.1.1	192.168.11.12	0xf62f	No error (0)	h3.apis.apple.map.fastly.net		151.101.195.6	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:27:12.009825945 CEST	1.1.1.1	192.168.11.12	0xf62f	No error (0)	h3.apis.apple.map.fastly.net		151.101.67.6	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:27:12.009825945 CEST	1.1.1.1	192.168.11.12	0xf62f	No error (0)	h3.apis.apple.map.fastly.net		151.101.131.6	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:27:17.232580900 CEST	1.1.1.1	192.168.11.12	0x5533	No error (0)	updates.cdn-apple.com	updates.cdn-apple.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 25, 2024 17:26:37.964169979 CEST	151.101.67.6	443	192.168.11.12	49350	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 27 22:00:02 CET 2023 Wed Apr 29 14:54:50 CEST 2020	Sat May 25 23:10:02 CEST 2024 Thu Apr 11 01:59:59 CEST 2030	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0	5c118da645babe52f060d0754256a73c
Apr 25, 2024 17:26:37.964169979 CEST	151.101.67.6	443	192.168.11.12	49350	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030		5c118da645babe52f060d0754256a73c

System Behavior

Analysis Process: mono-sgen32 PID: 621, Parent PID: 537

General

Start time (UTC):	15:26:55
Start date (UTC):	25/04/2024
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: open PID: 621, Parent PID: 537

General

Start time (UTC):	15:26:55
Start date (UTC):	25/04/2024
Path:	/usr/bin/open
Arguments:	/usr/bin/open /Users/bernard/Desktop/Homebrew-4.2.19.pkg
File size:	105952 bytes
MD5 hash:	34bd93241fa5d2aee225941b1ca14fa4

Chronological Activities

Analysis Process: xpcproxy PID: 622, Parent PID: 1

General

Start time (UTC):	15:26:55
Start date (UTC):	25/04/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: Installer PID: 622, Parent PID: 1

General

Start time (UTC):	15:26:55
Start date (UTC):	25/04/2024
Path:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
Arguments:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
File size:	294864 bytes
MD5 hash:	50c84168359b295c12427b3461315322

Chronological Activities

Analysis Process: xpcproxy PID: 635, Parent PID: 1

General

Start time (UTC):	15:27:09
Start date (UTC):	25/04/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: nsurlstoraged PID: 635, Parent PID: 1

General

Start time (UTC):	15:27:09
Start date (UTC):	25/04/2024
Path:	/usr/libexec/nsurlstoraged
Arguments:	/usr/libexec/nsurlstoraged --privileged
File size:	246624 bytes
MD5 hash:	321b0a40e24b45f0af49ba42742b3f64

Chronological Activities

Analysis Process: xpcproxy PID: 651, Parent PID: 1

General

Start time (UTC):	15:27:39
Start date (UTC):	25/04/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: eficheck PID: 651, Parent PID: 1

General

Start time (UTC):	15:27:39
Start date (UTC):	25/04/2024
Path:	/usr/libexec/firmwarecheckers/eficheck/eficheck
Arguments:	/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
File size:	74048 bytes
MD5 hash:	328beb81a2263449258057506bb4987f

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report Homebrew-4.2.19.pkg

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/null

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsDirectory.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsObject.db_

Static File Info

General

Archive PKG

Archived Files

Extracted Files

Distribution

Homebrew.pkg/Bom

Homebrew.pkg/PackageInfo

Homebrew.pkg/Payload

Homebrew.pkg/Scripts/postinstall

Homebrew.pkg/Scripts/preinstall

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Connections

System Behavior

Analysis Process: mono-sgen32 PID: 621, Parent PID: 537

General

Chronological Activities

Analysis Process: open PID: 621, Parent PID: 537

General

Chronological Activities

Analysis Process: xpcproxy PID: 622, Parent PID: 1

General

Chronological Activities

Analysis Process: Installer PID: 622, Parent PID: 1

General

Chronological Activities

macOS Analysis Report
Homebrew-4.2.19.pkg