Analysis Report #Ud83d#Udcde.htm

ID:	550
Product:	CloudBasic
Start time:	17:18:38
Start date:	09.04.2021
Sample:	#Ud83d#Udcde.htm
Cookbook:	defaultmacfilecookbook.jbs
System description:	Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Architecture:	MAC
MD5:	5d44cee8d28cebf028ac3afc7c4309d0
SHA1:	b53e4a9f2a2efe93ca896cd6a56af26bf861cf0f
SHA256:	c77e9dbffd377fe486c902715fd1d5587c2c7ef58cfb2839284d109a72a6a645
Filetype:	HyperText Markup Language (15015/1) 20.56%

Name	Type	MD5	SHA1	SHA256
/Users/berri/Library/Safari/.dat.nosync023d.KFEApc	Apple binary property list	06F4A3A2CB895C9EA8A403FD55C13908	7F6C2100E1017075620FF26B7D0096989EA971A7	947C782B0F384BDD7C8E4BAE00ED62DA9652BBA6B6B13C631AD7DAF76B335E35
/Users/berri/Library/Safari/.dat.nosync023d.M2fcej	XML 1.0 document, ASCII text	0C29425555C7FF0CA114B1FD0DC39C50	D7D808E8BE92462F4C3CEBA66734F0E9BB26ACDD	52826AFEEC974BB7BACB85BDC01DC4F23BF917D65E04773D7CAD393F7866F3FD
/dev/null	ASCII text	65E1634E610E84BA9B63730E3F05D1D4	BBD299FC69A69AEB4EDB05D2D30909723E7B8984	7DF386B0D056240755D8A6A63B5D824CA4306AAA9584C9FAA87A74B8BD2F5063
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync023d.coDlpE	Apple binary property list	CDC65B5F112547EAFAE0F16F9C149426	AEAF9908A5B6FF3E2F7B738ABF5FE9E79108BA01	1C6D085D871A855CE4A3902BAB4B9B92631B8EE8F0B7F6536768A2AAF427B45C
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsDirectory.db_	Mac OS X Keychain File	09070E01FA6ED1973D94FAD50C35E3ED	7546663E66F9889EE3365A7A0BE372300C6022CA	2E6EC437A97DD88F9067B2E99AC64789670D9B9C1FC50B2856E392E66163211F
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsObject.db_	Mac OS X Keychain File	D487F899A14AE98519B46D51BC810F1B	64877ECFBE47ED66EED545B2449BBE8B22B775D0	4835899C464487946E281D535381D4CAB8BC90EC08CD00A6A0ECB97854E9321D

Phishing:

Yara detected HtmlPhish35

Source: Yara match

File source: #Ud83d#Udcde.htm, type: SAMPLE

Compliance:

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 17.248.145.229:443 -> 192.168.11.11:49254 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.176.224:443 -> 192.168.11.11:49256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.195:443 -> 192.168.11.11:49257 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.124.175:443 -> 192.168.11.11:49258 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.11.11:49259 version: TLS 1.2

Networking:

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.109.201
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.109.201
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: sslcnd.aioecoin.org

URLs found in memory or binary data

Source: .dat.nosync023d.M2fcej.274.dr

String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49258
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49257
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown	Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49259 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 17.248.145.229:443 -> 192.168.11.11:49254 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.176.224:443 -> 192.168.11.11:49256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.195:443 -> 192.168.11.11:49257 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.124.175:443 -> 192.168.11.11:49258 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.11.11:49259 version: TLS 1.2

System Summary:

Classification label

Source: classification engine

Classification label: mal48.phis.macHTM@0/6@4/0

Persistence and Installation Behavior:

Opens the Safari browser app

Source: /usr/libexec/xpcproxy (PID: 573)

Safari app opened: /Applications/Safari.app/Contents/MacOS/Safari

Jump to behavior

Reads data from the local random generator

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)

Random device file read: /dev/urandom

Jump to behavior

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Writes property list (.plist) files to disk

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)	XML plist file created: /Users/berri/Library/Safari/.dat.nosync023d.M2fcej			Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)	Binary plist file created: /private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync023d.coDlpE			Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)	Binary plist file created: /Users/berri/Library/Safari/.dat.nosync023d.KFEApc			Jump to dropped file

Language, Device and Operating System Detection:

Reads the system or server version plist file

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)

System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Jump to behavior