macOS Analysis Report
https://icloudservers.com/gm/update

General Information

Sample URL: https://icloudservers.com/gm/update
Analysis ID: 1711291
Errors:
  • Failed to launch downloaded binary

Detection

Score: 0
Range: 0 - 100

Signatures

Writes FAT Mach-O files to disk
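The signature above means the file curl dropped carries a FAT (universal) Mach-O header: a big-endian header (magic 0xCAFEBABE and a slice count) followed by one fat_arch record per slice, each slice being an ordinary thin Mach-O for one CPU type. The following is an added example, not code from the sandbox or the report; it parses that header, sanity-checks every slice against the file length, and distinguishes the magic from a Java class file, which shares it. The sample bytes produced by build_sample() are constructed here and are not the dropped update file.

```python
"""Enumerate the slices of a FAT (universal) Mach-O file.

Added example for this report, not the sandbox's own code. The two-slice
sample built by build_sample() is constructed; it is not the dropped file.
"""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE            # big-endian magic of the fat header
MH_MAGIC = 0xFEEDFACE             # thin 32-bit Mach-O magic (native endian)
MH_MAGIC_64 = 0xFEEDFACF          # thin 64-bit Mach-O magic (native endian)
FAT_HEADER = struct.Struct(">II")        # magic, nfat_arch
FAT_ARCH = struct.Struct(">iiIII")       # cputype, cpusubtype, offset, size, align
# 0xCAFEBABE is also the Java class-file magic, whose version field would land
# in nfat_arch; an absurd slice count therefore means "not a fat Mach-O".
MAX_SLICES = 32
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {
    7: "i386",
    7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm",
    12 | CPU_ARCH_ABI64: "arm64",
}


def is_fat(data: bytes) -> bool:
    """True if data begins with a plausible fat header."""
    if len(data) < FAT_HEADER.size:
        return False
    magic, nfat_arch = FAT_HEADER.unpack_from(data)
    return magic == FAT_MAGIC and 0 < nfat_arch <= MAX_SLICES


def parse_fat(data: bytes) -> list[dict]:
    """Return one dict per slice; raise ValueError on a malformed header."""
    if not is_fat(data):
        raise ValueError("not a FAT Mach-O (wrong magic or slice count)")
    _, nfat_arch = FAT_HEADER.unpack_from(data)
    slices = []
    for i in range(nfat_arch):
        rec = FAT_HEADER.size + i * FAT_ARCH.size
        if rec + FAT_ARCH.size > len(data):
            raise ValueError(f"fat_arch record {i} is truncated")
        cputype, cpusubtype, offset, size, align = FAT_ARCH.unpack_from(data, rec)
        if size < 4 or offset + size > len(data):
            raise ValueError(f"slice {i} lies outside the file")
        # Thin Mach-O magics are stored in the slice's native byte order, so the
        # x86_64 and arm64 slices read little-endian.
        (thin_magic,) = struct.unpack_from("<I", data, offset)
        slices.append({
            "arch": CPU_NAMES.get(cputype, f"cputype {cputype:#x}"),
            "cpusubtype": cpusubtype,
            "offset": offset,
            "size": size,
            "align": 1 << align,          # stored as log2 in the header
            "thin_magic_ok": thin_magic in (MH_MAGIC, MH_MAGIC_64),
        })
    return slices


def build_sample() -> bytes:
    """Constructed two-slice universal binary: x86_64 and arm64 stub slices."""
    slice_len = 32
    first = FAT_HEADER.size + 2 * FAT_ARCH.size      # slices start right after the records
    header = FAT_HEADER.pack(FAT_MAGIC, 2)
    header += FAT_ARCH.pack(7 | CPU_ARCH_ABI64, 3, first, slice_len, 0)
    header += FAT_ARCH.pack(12 | CPU_ARCH_ABI64, 0, first + slice_len, slice_len, 0)
    stub = struct.pack("<I", MH_MAGIC_64) + b"\0" * (slice_len - 4)
    return header + stub + stub


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    if not is_fat(blob):
        print("thin Mach-O or non-Mach-O input")
    else:
        for s in parse_fat(blob):
            print(f"{s['arch']:8} offset={s['offset']:#x} size={s['size']:#x} "
                  f"thin_magic_ok={s['thin_magic_ok']}")
```

Run it against the dropped file (`python3 fat_slices.py update`) to see which architectures the sample was built for; on a macOS host `lipo -info update` or `file update` reports the same slices. A slice whose thin magic check fails, or whose offset and size fall outside the file, is the kind of malformed header that makes loaders (and some sandboxes) refuse to launch the binary.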

Networking

Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.12:49353 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49370 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49377 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49384 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49387 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49393 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.91.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.91.6 (reported 18 times)
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.68 (reported 30 times)
Source: unknown TCP traffic detected without corresponding DNS query: 23.58.91.134 (reported 2 times)
Source: global traffic DNS traffic detected: DNS query: icloudservers.com
Source: /usr/bin/curl (PID: 650) Reads from socket in process: data
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49368
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49387
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49386
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49384
Source: unknown Network traffic detected: HTTP traffic on port 49370 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49393 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49386 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49384 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49377
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49353
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown Network traffic detected: HTTP traffic on port 49394 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49394
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49393
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49370
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown Network traffic detected: HTTP traffic on port 49377 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49387 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49368 -> 443
Source: /usr/bin/curl (PID: 650) Writes from socket in process: data
System Summary

Source: classification engine Classification label: clean0.mac@0/1@1/0
Source: /usr/bin/curl (PID: 650) File written: /Users/bernard/Desktop/download/update
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 678) Random device file read: /dev/random
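The "TCP traffic detected without corresponding DNS query" lines above come from correlating each outbound connection with the DNS answers seen earlier in the capture: a destination IP that no answer resolved to is flagged. The block below is an added example of that correlation, not the sandbox's own detection logic. Its event list is constructed; it reuses addresses from this report only for illustration, and the ignore parameter and the 17.0.0.0/8 allowlist (Apple's block, from which a macOS guest generates background traffic that was often resolved before capture began) are my additions.

```python
"""Correlate TCP connections with preceding DNS answers.

Added example, not the sandbox's detection code. EVENTS is constructed:
("dns", ts, qname, [answer IPs]) or ("tcp", ts, dst_ip, dst_port).
"""
from collections import Counter
from ipaddress import ip_address, ip_network

EVENTS = [
    ("dns", 1.0, "icloudservers.com", ["104.21.112.1"]),
    ("tcp", 1.2, "104.21.112.1", 443),    # resolved just before: not flagged
    ("tcp", 1.5, "199.232.91.6", 443),    # no answer yet: flagged
    ("tcp", 2.0, "17.248.199.68", 443),   # never resolved in the capture: flagged
    ("tcp", 2.1, "17.248.199.68", 443),
    ("dns", 3.0, "cdn.example.test", ["199.232.91.6"]),   # constructed name
    ("tcp", 3.2, "199.232.91.6", 443),    # an answer now precedes it: not flagged
]


def find_unresolved(events, ignore=()):
    """Return Counter{dst_ip: number of connections with no preceding DNS answer}.

    ignore: CIDR strings whose destinations are never flagged, to suppress OS
    background traffic whose names were resolved before the capture started.
    """
    skip = [ip_network(n) for n in ignore]
    resolved = {}                      # ip -> first qname that returned it
    flagged = Counter()
    # Order matters: an answer only explains connections that come after it.
    for ev in sorted(events, key=lambda e: e[1]):
        if ev[0] == "dns":
            _, _, qname, answers = ev
            for ip in answers:
                resolved.setdefault(ip, qname)
        elif ev[0] == "tcp":
            _, _, dst, _port = ev
            if dst in resolved:
                continue
            if any(ip_address(dst) in net for net in skip):
                continue
            flagged[dst] += 1
    return flagged


if __name__ == "__main__":
    for ip, n in find_unresolved(EVENTS).items():
        print(f"{ip}: {n} connection(s) with no preceding DNS answer")
    print("ignoring 17.0.0.0/8:", dict(find_unresolved(EVENTS, ignore=["17.0.0.0/8"])))
```

The late answer for 199.232.91.6 shows why the signature is noisy: a name resolved by the guest before the sandbox started capturing, cached by the OS, or looked up over encrypted DNS leaves the same trace as hard-coded C2 addresses. Treat the lines in this report as a prompt to check who owns the destination ranges, not as evidence of malicious intent on their own.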