Play interactive tour

Edit tour

Analysis Report https://among-modded.com/app.mobileconfig

Overview

General Information

Sample URL:	https://among-modded.com/app.mobileconfig
Analysis ID:	118
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Process executable has an extension which is uncommon (probably to disguise the executable)

Process path indicates hidden application bundle (probably to disguise it)

Reads hardware related sysctl values

Reads launchservices plist files

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Reads the systems OS release and/or type

Reads the systems hostname

Writes 64-bit Mach-O files to disk

Classification

Startup

system is macvm-highsierra

mono-sgen32 New Fork (PID: 569, Parent: 493)

curl (MD5: 078cd73f58d3d8f875eed22522ff73f7) Arguments:

xpcproxy New Fork (PID: 576, Parent: 1)

System Preferences (MD5: 8957727acd4d3c1aa727010e4447c727) Arguments: /Applications/System Preferences.app/Contents/MacOS/System Preferences

TabletFinder New Fork (PID: 579, Parent: 576)

CPPrefPaneEnabledTool New Fork (PID: 580, Parent: 576)

AllowPasswordPref New Fork (PID: 581, Parent: 576)

walletAvailabilityCheckTool New Fork (PID: 582, Parent: 576)

xpcproxy New Fork (PID: 584, Parent: 1)

com.apple.preferences.configurationprofiles.remoteservice (MD5: 9e1f3bf7bebf3386c273398cbf90368f) Arguments: /System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice

cleanup

Yara Overview

No yara matches

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: unknown	TCP traffic detected without corresponding DNS query: 17.149.240.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.149.240.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.149.240.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.149.240.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.208
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.208
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: among-modded.com

Source: /usr/bin/curl (PID: 569)

Reads from socket in process: data

Jump to behavior

Source: app.mobileconfig.266.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: app.mobileconfig.266.dr	String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: app.mobileconfig.266.dr	String found in binary or memory: http://cps.letsencrypt.org0
Source: app.mobileconfig.266.dr	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: System Preferences, 00000576.00000278.1.0000000102cfe000.0000000102d07000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: app.mobileconfig.266.dr	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: app.mobileconfig.266.dr	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: app.mobileconfig.266.dr	String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: System Preferences, 00000576.00000278.1.0000000102cfe000.0000000102d07000.r--.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: System Preferences, 00000576.00000278.1.0000000102cfe000.0000000102d07000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: System Preferences, 00000576.00000278.1.0000000102cfe000.0000000102d07000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: System Preferences, 00000576.00000278.1.0000000104c4d000.0000000104e06000.r--.sdmp	String found in binary or memory: http://www.apple.com/http://www.apple.com/Copyright
Source: app.mobileconfig.266.dr	String found in binary or memory: https://among-modded.com/app/index.html
Source: System Preferences, 00000576.00000278.1.0000000102cfe000.0000000102d07000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49249
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown	Network traffic detected: HTTP traffic on port 49249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49238 -> 443

Source: /usr/bin/curl (PID: 569)

Writes from socket in process: data

Jump to behavior

Source: classification engine

Classification label: mal48.evad.mac@0/7@1/0

Source: /System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice (PID: 584)

Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist

Jump to behavior

File written: /private/var/tmp/NSCreateObjectFileImageFromMemory-U1efBx

Jump to dropped file

Source: /Applications/System Preferences.app/Contents/MacOS/System Preferences (PID: 576)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior
Source: /System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice (PID: 584)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Process executable has an extension which is uncommon (probably to disguise the executable)

Show sources

Source: /usr/libexec/xpcproxy (PID: 584)

Process executable with extension: /System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice

Jump to behavior

Process path indicates hidden application bundle (probably to disguise it)

Show sources

Source: /usr/libexec/xpcproxy (PID: 584)

Application without .app extension: /System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice

Jump to behavior

Source: /System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool (PID: 582)	Sysctl read request: kern.safeboot (1.66)			Jump to behavior
Source: /System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice (PID: 584)	Sysctl read request: kern.safeboot (1.66)			Jump to behavior

Sysctl read request: hw.availcpu (6.25)

Jump to behavior

Source: /System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice (PID: 584)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice (PID: 584)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Sysctl requested: kern.hostname (1.10)

Jump to behavior

Source: /Applications/System Preferences.app/Contents/MacOS/System Preferences (PID: 576)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice (PID: 584)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Masquerading2	OS Credential Dumping	System Information Discovery51	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://among-modded.com/app.mobileconfig	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
among-modded.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://cps.letsencrypt.org0	0%	Avira URL Cloud	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	Avira URL Cloud	safe
https://among-modded.com/app/index.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
among-modded.com	104.24.114.14	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cps.letsencrypt.org0	app.mobileconfig.266.dr	false	Avira URL Cloud: safe	unknown
http://cert.int-x3.letsencrypt.org/0	app.mobileconfig.266.dr	false		high
http://ocsp.int-x3.letsencrypt.org0/	app.mobileconfig.266.dr	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	app.mobileconfig.266.dr	false	Avira URL Cloud: safe	unknown
https://among-modded.com/app/index.html	app.mobileconfig.266.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
17.253.57.208	unknown	United States	6185	APPLE-AUSTINUS	false
17.149.240.70	unknown	United States	714	APPLE-ENGINEERINGUS	false
104.24.114.14	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	118
Start date:	29.12.2020
Start time:	19:37:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://among-modded.com/app.mobileconfig
Analysis system description:	Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Detection:	MAL
Classification:	mal48.evad.mac@0/7@1/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 104.111.215.87, 17.253.55.205, 17.253.57.206, 104.111.214.42, 93.184.220.29 Excluded domains from analysis (whitelisted): mesu-cdn.apple.com.akadns.net, mesu-cdn.origin-apple.com.akadns.net, configuration.apple.com, e6858.dsce9.akamaiedge.net, ocsp.digicert.com, e673.dsce9.akamaiedge.net, mesu.g.aaplimg.com, configuration.apple.com.akadns.net, configuration.apple.com.edgekey.net, mesu.apple.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa VT rate limit hit for: https://among-modded.com/app/index.html

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Runtime Messages

Command:	open "/Users/berri/Desktop/download/app.mobileconfig" --args
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Created / dropped Files

/Users/berri/Desktop/download/app.mobileconfig Download File
Process:	/usr/bin/curl
File Type:	data
Category:	dropped
Size (bytes):	74922
Entropy (8bit):	6.257784923836216
Encrypted:	false
SSDEEP:	1536:iBxMgyPAWrofkOniWT+tFyg1PN1lNI2irklvXU3s/Zq4biaPvTxg:i6lroJiiSIgdHm+EKLvVg
MD5:	53E2CD30D5A036A4D719A6758A135B98
SHA1:	6358FF0BFC314099F8F75707FE1E35A54F4D268C
SHA-256:	5CE6B1BDA913C35184E917E9D67FD9ADD015F8CDFDC207982F2FC701B22E7CCD
SHA-512:	697E9A0449DB90F6199E8D7A4514C36918BDB37FDD4308811C792B07ED662748C5D6FE14F4853DF43012D663BD6B05061FF00427D5837D6CC7D16CC4EF853065
Malicious:	false
Reputation:	low
Preview:	0..$....H.........$.0..$....1.0...`.H.e......0.......H................<?xml version="1.0" encoding="UTF-8"?>..<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">..<plist version="1.0">.. <dict>.. <key>ConsentText</key>.. <dict>.. <key>default</key>.. <string>Created with webClip</string>.. </dict>.. <key>PayloadContent</key>.. <array>.. <dict>.. <key>FullScreen</key>.. <true/>.. <key>Icon</key>.. <data>iVBORw0KGgoAAAANSUhEUgAAAOEAAADhCAYAAAA+s9J6AAAAAXNSR0IArs4c6QAAAERlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAA4aADAAQAAAABAAAA4QAAAAAYn8bHAABAAElEQVR4Aey9aZBk13Xnd3LPrMzaq/cVRBP7SjRAkARBarMkyiNK1jYjeWzNyMtE2B/niz85/MkRDo/DYUshjyZGI2uk0EgiJW6iuUiESIAAAQKNhdi70ftW+5p7vnz+/c/LV5Xd6MpsoNDoanTd7lfv5Vvuu+/ec+7Zz000wvkwbUVLhBmz0KKS6Oz1u1Ex0+90yiyV9FsCftbaDas16jZRecusPc92lu24WesE2zk2na

/dev/null Download File
Process:	/System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice
File Type:	ASCII text
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.819022420208454
Encrypted:	false
SSDEEP:	3:tVpYXcfWXgKLbA7GAW1QTIMZD9H3RzAEOdusWOv:yP3A7GSIyXGE7A
MD5:	836DF63023478DD8AC4CF461091DE3DF
SHA1:	4C6A5D0D88395C55BE597D383BF0C0EDD29F0674
SHA-256:	B92F3CA273FBB3EE72CF6C2AE09494AA1C75E3B423D1D9FECD0F7C323BADAB05
SHA-512:	49B07175C0F3CD37D93062C1521AD27E71A64B73EADBCE7D0268C4A2FF1E62E52B98CD3A80A35A07C7F32630F27739BF2B83C99420276487885F62F3443F5380
Malicious:	false
Reputation:	low
Preview:	2020-12-29 20:38:06.232 com.apple.preferences.configurationprofiles.remoteservice[584:5877] ApplePersistence=NO.

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsDirectory.db_ Download File
Process:	/System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533948990143748
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGBOmBfbouR6/chQOnGqwc2U+v+h/:8MdGleOGmBouRwchQOnGqwc2U+v+h/
MD5:	09070E01FA6ED1973D94FAD50C35E3ED
SHA1:	7546663E66F9889EE3365A7A0BE372300C6022CA
SHA-256:	2E6EC437A97DD88F9067B2E99AC64789670D9B9C1FC50B2856E392E66163211F
SHA-512:	621399FF832F1A8352E5E9A54984B878C7D3432156D9CF9986A1A5B75662E92D9A00FA1BA6714D679286BB49E71916F72655AADA2B99880A2806FAFC6F86E7F3
Malicious:	false
Reputation:	low
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsObject.db_ Download File
Process:	/System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5113078915037033
Encrypted:	false
SSDEEP:	48:m6Xsh+CLjL3Pe3T5FFKfEuyu+iYxGv4sS:3X6LjLfe3wEuyu9YxGQX
MD5:	D487F899A14AE98519B46D51BC810F1B
SHA1:	64877ECFBE47ED66EED545B2449BBE8B22B775D0
SHA-256:	4835899C464487946E281D535381D4CAB8BC90EC08CD00A6A0ECB97854E9321D
SHA-512:	EB4FABD61B4FD2B9EF3C9E93793CA5F11353A1F81EA4DA22E0F79ED45D89180B77469B9E5DCD5350AE650B31DE9018743DA7716EFA7B5CDDFC3FA7A13C476F40
Malicious:	false
Reputation:	low
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

/private/var/tmp/NSCreateObjectFileImageFromMemory-U1efBx Download File
Process:	/System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice
File Type:	Mach-O 64-bit x86_64 bundle, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Category:	dropped
Size (bytes):	4780
Entropy (8bit):	5.787433223423424
Encrypted:	false
SSDEEP:	96:xavDJ2yfQoIeVyCxVaBHlZF/jllllllllKflPz5w65:krJ2OQYTTarllllllllKflT
MD5:	AB47CD9CE5FDE43660B623E0AB4D191B
SHA1:	065E25FAB249ABDFA3C1774E1B72B0A792FB8A9B
SHA-256:	DFF83D2467449A88CB3FA172A904AB323A1551DE22C0CB72602156050333FDF8
SHA-512:	90B222E360E3D442BCA7B415516A33CE450A96B2816182FADE532ABABCE8B88EFECEF76CAC73B46DCCB106E62B3F2AF77F1D930CFFC62B58341B6CD7B5E07C52
Malicious:	false
Reputation:	low
Preview:	.................... ...............(...__TEXT..........................................................__text..........__TEXT..................[.......................................__const.........__TEXT..........`.......@.......`...............................__literal4......__TEXT..........................................................__compact_unwind__LD....................@.......................................__eh_frame......__TEXT..................h..........................h............__opencl........__TEXT..........P...............P...................................H...__LINKEDIT..............................................................i....2O...y.Wr@9"...0.......................................h...........h...................P...................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2020 19:38:01.677459955 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.695902109 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.696820974 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.721055984 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.739351988 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.745127916 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.745199919 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.745807886 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.772308111 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.790662050 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.790721893 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.790762901 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.791296959 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.791393995 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.793416977 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.793509007 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.793521881 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.793530941 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.794291973 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.811851978 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.811909914 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.811949015 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.811986923 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.812325954 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.814541101 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.815206051 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.947313070 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947422981 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947485924 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947525978 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947585106 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947643042 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947684050 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947741032 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947828054 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947901011 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.947959900 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.948016882 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.948036909 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.948062897 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.948676109 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.948786020 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.948798895 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.948808908 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.948818922 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.948828936 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.948838949 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.950366020 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.950568914 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.950623989 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.975127935 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975192070 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975253105 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975294113 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975353003 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975410938 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975450039 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975634098 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975694895 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975753069 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975771904 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.975811005 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.975847960 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.975862026 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.975872040 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.976273060 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.976329088 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.976562023 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.976644039 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.976655960 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.976737022 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.976797104 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.976928949 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.977165937 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.977349043 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.977479935 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.977550030 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.977611065 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.977709055 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.977989912 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.978167057 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.978265047 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.978337049 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.978343964 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.978374958 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.978528976 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.978574038 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.978615999 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.978617907 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.978671074 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.978708982 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.978879929 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.978904963 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.979058981 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.979188919 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.979234934 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.979273081 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.979336023 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.979391098 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.979743004 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.979794025 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.979863882 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.980232000 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.980246067 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.980320930 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.980374098 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.980424881 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.980751991 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.980786085 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.980933905 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.981147051 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.981215000 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.981266975 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.981291056 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.981318951 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.981547117 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.981581926 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.981837034 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:01.981889009 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.982136965 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.982212067 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:01.982495070 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.003072023 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.003170967 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.003243923 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.003278971 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.003323078 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.003366947 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.003410101 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.003441095 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.003746986 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.003997087 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.004040956 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.004055977 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.004103899 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.004149914 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.004642963 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.004719973 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.004729986 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.004736900 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.004745007 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.004975080 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.005043030 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.005088091 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.005131960 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.005616903 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.005672932 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.005832911 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.005888939 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.005968094 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.006088972 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.006285906 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.006745100 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.006819010 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.007600069 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.008646011 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:02.026149035 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.026667118 CET	443	49249	104.24.114.14	192.168.11.11
Dec 29, 2020 19:38:02.026742935 CET	49249	443	192.168.11.11	104.24.114.14
Dec 29, 2020 19:38:05.883629084 CET	49238	443	192.168.11.11	17.149.240.70
Dec 29, 2020 19:38:05.884068966 CET	49238	443	192.168.11.11	17.149.240.70
Dec 29, 2020 19:38:06.034934998 CET	443	49238	17.149.240.70	192.168.11.11
Dec 29, 2020 19:38:06.035027981 CET	443	49238	17.149.240.70	192.168.11.11
Dec 29, 2020 19:38:06.035186052 CET	443	49238	17.149.240.70	192.168.11.11
Dec 29, 2020 19:38:06.035345078 CET	49238	443	192.168.11.11	17.149.240.70
Dec 29, 2020 19:38:06.035466909 CET	49238	443	192.168.11.11	17.149.240.70
Dec 29, 2020 19:38:30.243448973 CET	49248	80	192.168.11.11	17.253.57.208
Dec 29, 2020 19:38:30.252386093 CET	80	49248	17.253.57.208	192.168.11.11
Dec 29, 2020 19:38:30.252990961 CET	49248	80	192.168.11.11	17.253.57.208

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2020 19:38:01.403844118 CET	62604	53	192.168.11.11	1.1.1.1
Dec 29, 2020 19:38:01.592405081 CET	53	62604	1.1.1.1	192.168.11.11
Dec 29, 2020 19:38:33.153655052 CET	59943	53	192.168.11.11	1.1.1.1
Dec 29, 2020 19:38:33.162858963 CET	53	59943	1.1.1.1	192.168.11.11
Dec 29, 2020 19:38:48.283620119 CET	62461	53	192.168.11.11	1.1.1.1
Dec 29, 2020 19:38:48.292355061 CET	53	62461	1.1.1.1	192.168.11.11
Dec 29, 2020 19:38:48.563765049 CET	64313	53	192.168.11.11	1.1.1.1
Dec 29, 2020 19:38:48.572801113 CET	53	64313	1.1.1.1	192.168.11.11
Dec 29, 2020 19:41:15.660423994 CET	59943	53	192.168.11.11	1.1.1.1
Dec 29, 2020 19:41:15.669579983 CET	53	59943	1.1.1.1	192.168.11.11
Dec 29, 2020 19:42:14.413814068 CET	55116	53	192.168.11.11	1.1.1.1
Dec 29, 2020 19:42:14.423846006 CET	53	55116	1.1.1.1	192.168.11.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 29, 2020 19:38:01.403844118 CET	192.168.11.11	1.1.1.1	0xa655	Standard query (0)	among-modded.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 29, 2020 19:38:01.592405081 CET	1.1.1.1	192.168.11.11	0xa655	No error (0)	among-modded.com	104.24.114.14	A (IP address)	IN (0x0001)
Dec 29, 2020 19:38:01.592405081 CET	1.1.1.1	192.168.11.11	0xa655	No error (0)	among-modded.com	172.67.220.116	A (IP address)	IN (0x0001)
Dec 29, 2020 19:38:01.592405081 CET	1.1.1.1	192.168.11.11	0xa655	No error (0)	among-modded.com	104.24.115.14	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Dec 29, 2020 19:38:01.745199919 CET	104.24.114.14	443	192.168.11.11	49249	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Oct 14 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Thu Oct 14 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,52244-52243-52245-49200-49196-49192-49188-49172-49162-163-159-107-106-57-56-65413-196-195-136-135-129-49202-49198-49194-49190-49167-49157-157-61-53-192-132-49199-49195-49191-49187-49171-49161-162-158-103-64-51-50-190-189-69-68-49201-49197-49193-49189-49166-49156-156-60-47-186-65-49170-49160-22-19-49165-49155-10-255,0-11-10-13-13172-16-21,14-13-25-28-11-12-27-24-9-10-26-22-23-8-6-7-20-21-4-5-18-19-1-2-3-15-16-17,0-1-2	2a26b1a62e40d25d4de3babc9d532f30
Dec 29, 2020 19:38:01.745199919 CET	104.24.114.14	443	192.168.11.11	49249	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		2a26b1a62e40d25d4de3babc9d532f30

System Behavior

Analysis Process: mono-sgen32 PID: 569 Parent PID: 493

General

Start time:	19:38:00
Start date:	29/12/2020
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	n/a
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: curl PID: 569 Parent PID: 493

General

Start time:	19:38:00
Start date:	29/12/2020
Path:	/usr/bin/curl
Arguments:
File size:	185104 bytes
MD5 hash:	078cd73f58d3d8f875eed22522ff73f7

Chronological Activities

Analysis Process: xpcproxy PID: 576 Parent PID: 1

General

Start time:	19:38:05
Start date:	29/12/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	43488 bytes
MD5 hash:	d1bb9a4899f0af921e8188218b20d744

Chronological Activities

Analysis Process: System Preferences PID: 576 Parent PID: 1

General

Start time:	19:38:05
Start date:	29/12/2020
Path:	/Applications/System Preferences.app/Contents/MacOS/System Preferences
Arguments:	/Applications/System Preferences.app/Contents/MacOS/System Preferences
File size:	525296 bytes
MD5 hash:	8957727acd4d3c1aa727010e4447c727

Chronological Activities

Analysis Process: TabletFinder PID: 579 Parent PID: 576

General

Start time:	19:38:05
Start date:	29/12/2020
Path:	/System/Library/PreferencePanes/Ink.prefPane/Contents/Resources/TabletFinder
Arguments:	n/a
File size:	43408 bytes
MD5 hash:	1f478017f1584c68e2e4af90481ff4fe

Chronological Activities

Analysis Process: CPPrefPaneEnabledTool PID: 580 Parent PID: 576

General

Start time:	19:38:05
Start date:	29/12/2020
Path:	/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
Arguments:	n/a
File size:	61968 bytes
MD5 hash:	86657cbd740da70f52fb646f1439b3ca

Chronological Activities

Analysis Process: AllowPasswordPref PID: 581 Parent PID: 576

General

Start time:	19:38:05
Start date:	29/12/2020
Path:	/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
Arguments:	n/a
File size:	19376 bytes
MD5 hash:	931f942a85712044f19cda44a7938ae4

Chronological Activities

Analysis Process: walletAvailabilityCheckTool PID: 582 Parent PID: 576

General

Start time:	19:38:05
Start date:	29/12/2020
Path:	/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
Arguments:	n/a
File size:	20992 bytes
MD5 hash:	bdd004195cae8a5b5a595ccd66af9466

Chronological Activities

Analysis Process: xpcproxy PID: 584 Parent PID: 1

General

Start time:	19:38:06
Start date:	29/12/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	43488 bytes
MD5 hash:	d1bb9a4899f0af921e8188218b20d744

Chronological Activities

Analysis Process: com.apple.preferences.configurationprofiles.remoteservice PID: 584 Parent PID: 1

General

Start time:	19:38:06
Start date:	29/12/2020
Path:	/System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice
Arguments:	/System/Library/PreferencePanes/Profiles.prefPane/Contents/XPCServices/com.apple.preferences.configurationprofiles.remoteservice.xpc/Contents/MacOS/com.apple.preferences.configurationprofiles.remoteservice
File size:	19568 bytes
MD5 hash:	9e1f3bf7bebf3386c273398cbf90368f

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://among-modded.com/app.mobileconfig

Overview

General Information

Detection

Signatures

Classification

Startup

Yara Overview

Signature Overview

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Runtime Messages

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

System Behavior

Analysis Process: mono-sgen32 PID: 569 Parent PID: 493

General

Analysis Process: curl PID: 569 Parent PID: 493

General

Analysis Process: xpcproxy PID: 576 Parent PID: 1

General

Analysis Process: System Preferences PID: 576 Parent PID: 1

General

Analysis Process: TabletFinder PID: 579 Parent PID: 576

General

Analysis Process: CPPrefPaneEnabledTool PID: 580 Parent PID: 576

General

Analysis Process: AllowPasswordPref PID: 581 Parent PID: 576

General

Analysis Process: walletAvailabilityCheckTool PID: 582 Parent PID: 576

General

Analysis Process: xpcproxy PID: 584 Parent PID: 1

General

Analysis Process: com.apple.preferences.configurationprofiles.remoteservice PID: 584 Parent PID: 1

General