Play interactive tour

Edit tour

Analysis Report #Ud83d#Udcde.htm

Overview

General Information

Sample Name:	#Ud83d#Udcde.htm
Analysis ID:	550
MD5:	5d44cee8d28cebf028ac3afc7c4309d0
SHA1:	b53e4a9f2a2efe93ca896cd6a56af26bf861cf0f
SHA256:	c77e9dbffd377fe486c902715fd1d5587c2c7ef58cfb2839284d109a72a6a645
Infos:
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected HtmlPhish35

Opens the Safari browser app

Classification

Startup

System is macvm-highsierra

xpcproxy New Fork (PID: 573, Parent: 1)

Safari (MD5: 8e18be737fe87f19fe7a97b4821e2005) Arguments: /Applications/Safari.app/Contents/MacOS/Safari

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
#Ud83d#Udcde.htm	JoeSecurity_HtmlPhish_35	Yara detected HtmlPhish_35	Joe Security

Signature Overview

Click to jump to signature section

Show All Signature Results

Phishing:

Yara detected HtmlPhish35

Show sources

Source: Yara match

File source: #Ud83d#Udcde.htm, type: SAMPLE

Source: unknown	HTTPS traffic detected: 17.248.145.229:443 -> 192.168.11.11:49254 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.176.224:443 -> 192.168.11.11:49256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.195:443 -> 192.168.11.11:49257 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.124.175:443 -> 192.168.11.11:49258 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.11.11:49259 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.109.201
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.109.201
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: sslcnd.aioecoin.org

Source: .dat.nosync023d.M2fcej.274.dr

String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49258
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49257
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown	Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49259 -> 443

Source: unknown	HTTPS traffic detected: 17.248.145.229:443 -> 192.168.11.11:49254 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.176.224:443 -> 192.168.11.11:49256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.195:443 -> 192.168.11.11:49257 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.124.175:443 -> 192.168.11.11:49258 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.11.11:49259 version: TLS 1.2

Source: classification engine

Classification label: mal48.phis.macHTM@0/6@4/0

Source: /usr/libexec/xpcproxy (PID: 573)

Safari app opened: /Applications/Safari.app/Contents/MacOS/Safari

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)

Random device file read: /dev/urandom

Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)	XML plist file created: /Users/berri/Library/Safari/.dat.nosync023d.M2fcej	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)	Binary plist file created: /private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync023d.coDlpE	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)	Binary plist file created: /Users/berri/Library/Safari/.dat.nosync023d.KFEApc	Jump to dropped file

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 573)

System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Plist Modification1	Plist Modification1	Direct Volume Access	OS Credential Dumping	System Information Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#Ud83d#Udcde.htm	3%	Virustotal		Browse

Dropped Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
mamodmiappscn.firebaseapp.com	0%	Virustotal	Browse
gateway.fe.apple-dns.net	0%	Virustotal	Browse
sslcnd.aioecoin.org	0%	Virustotal	Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mamodmiappscn.firebaseapp.com	151.101.1.195	true	false	0%, Virustotal, Browse	unknown
gateway.fe.apple-dns.net	17.248.145.229	true	false	0%, Virustotal, Browse	unknown
cdnjs.cloudflare.com	104.16.18.94	true	false		high
unpkg.com	104.16.124.175	true	false		high
sslcnd.aioecoin.org	172.67.176.224	true	false	0%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
17.171.27.65	unknown	United States	714	APPLE-ENGINEERINGUS	false
17.253.109.201	unknown	United States	6185	APPLE-AUSTINUS	false
17.248.145.229	gateway.fe.apple-dns.net	United States	714	APPLE-ENGINEERINGUS	false
172.67.176.224	sslcnd.aioecoin.org	United States	13335	CLOUDFLARENETUS	false
151.101.1.195	mamodmiappscn.firebaseapp.com	United States	54113	FASTLYUS	false
2.20.214.243	unknown	European Union	16625	AKAMAI-ASUS	false
104.16.124.175	unpkg.com	United States	13335	CLOUDFLARENETUS	false
104.16.18.94	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	550
Start date:	09.04.2021
Start time:	17:18:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	#Ud83d#Udcde.htm
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:	default
Detection:	MAL
Classification:	mal48.phis.macHTM@0/6@4/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 18.156.205.85, 23.54.112.17, 93.184.220.29, 18.156.44.202, 23.52.27.27, 172.217.168.42 TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, gateway.icloud.com, g.symcd.com, e673.dsce9.akamaiedge.net, ajax.googleapis.com, api-glb-euc1b.smoot.apple.com, e8218.dscb1.akamaiedge.net, api.smoot.apple.com, bag-smoot.v.aaplimg.com, ocsp-ds.ws.symantec.com.edgekey.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, configuration.apple.com, ocsp.digicert.com, configuration.apple.com.akadns.net, configuration.apple.com.edgekey.net, smoot-searchv2-euc1b.v.aaplimg.com Report size getting too big, too many PREAD calls found.

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
2.20.214.243	2730.sh	Get hash	malicious	Browse
2.20.214.243	http://Destalo.pt	Get hash	malicious	Browse
104.16.124.175	ARMI Contractors RFQ.xlsx	Get hash	malicious	Browse
	RFQ.xlsx	Get hash	malicious	Browse
	INVOICES & STATEMENTS_02201.htm	Get hash	malicious	Browse
	4892.htm	Get hash	malicious	Browse
	http://login.technion.net	Get hash	malicious	Browse
	https://email.tungsten-network.com/K00kzKB00nv60AOP31Bq0G0	Get hash	malicious	Browse
	https://stevenscapitaladvisors.webflow.io/	Get hash	malicious	Browse
	https://secure-teams-storage.webflow.io/	Get hash	malicious	Browse
	https://www.canva.com/design/DAEOEcu9Gnc/C6LvqPRfMOYoF6OWlu9bVg/view?utm_content=DAEOEcu9Gnc&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse
	https://fuscoinsurance.webflow.io/	Get hash	malicious	Browse
	7158-14990-098-60-14990.htm	Get hash	malicious	Browse
	http://tracking.samsclub.com/track?type=click&enid=ZWFzPTEmYW1wO21zaWQ9MSZhbXA7YXVpZD0xNTYyMTMxNiZhbXA7bWFpbGluZ2lkPTYyMjA2JmFtcDttZXNzYWdlaWQ9MjYwMCZhbXA7ZGF0YWJhc2VpZD0xNTcxOTQxMzk5JmFtcDtzZXJpYWw9MTY3Nzk5MDgmYW1wO2VtYWlsaWQ9Y2JlbkBjb2xvcmNvYXRpbmMuY29tJmFtcDt1c2VyaWQ9MV8xODAyNiZhbXA7dGFyZ2V0aWQ9JmFtcDtmbD0mYW1wO212aWQ9JmFtcDtleHRyYT0mYW1wOyZhbXA7JmFtcDs=&&&16010&&&metging.web.app/chris.whippNovemberchris.whippchris.whipp#chris.whipp@paragon-europe.com	Get hash	malicious	Browse
	Scillc.HTM	Get hash	malicious	Browse
	https://appurl.io/QmuLwihhr	Get hash	malicious	Browse
	https://yuyiuhjcvxds.azurewebsites.net/6pFae/r04jrnZ/3XKfY/S@XzS7ANbN/yuhjnxc.php?bbre=2fb88ee97a699cbd93cb7f3859951f69	Get hash	malicious	Browse
	http://viaurnature.e-monsite.com	Get hash	malicious	Browse
	https://815ox.codesandbox.io/?bbre=324wso	Get hash	malicious	Browse
	https://truycvrtuyff-smart-pangolin-hj.mybluemix.net/weogtds/isoxci.html?bbre=329sddiis	Get hash	malicious	Browse
	https://pq4ig.csb.app/?bbre=324redfi	Get hash	malicious	Browse
	https://moneylinks.page.link/6SuK	Get hash	malicious	Browse
172.67.176.224	Open Invoice & Statements.htm	Get hash	malicious	Browse
	#Ud83d#Udcde.htm	Get hash	malicious	Browse
	#Ud83d#Udcde.htm.htm	Get hash	malicious	Browse
	AudioMessageg 7JI7-APOE7Z-PZB3.htm	Get hash	malicious	Browse
	Audio-07030.htm	Get hash	malicious	Browse
	Remittance.htm	Get hash	malicious	Browse
	metropolitanproperties.com.odt	Get hash	malicious	Browse
	ATT00900.htm	Get hash	malicious	Browse
151.101.1.195	46578-TR.exe	Get hash	malicious	Browse	www.covidtracksb.com/goei/?jBZx=D8b4q&kfOdRJ=xBMInsAuN+E1djdIl4AZwIkS2iJ2Ju/hNdjKdY9aIZe6wtX7I1CrmxbEw2e35jcdm3/W
	remittanceslip_pdf.exe	Get hash	malicious	Browse	www.devfestindia.com/cu6o/?uN6x=W+WuFBrln1qCfAXJ5xKULfOGff8dAb86Jvk64PlTVVMLGqhT4HhQij0c0Z21Ont+U/Id&Vtx0E=FDHHERlxjn8PMDI
	Project.pdf.exe	Get hash	malicious	Browse	www.towatchapp.com/ocq1/?lhudJ=s9fWYY+GRE/zu2qn9kCI0m/+x20wNzaZElH9PrG8sfLhi2QQuUQu3XvRAAgtMskCm9iv&1bm=3fhdLbnpevPXqD
	quotation.exe	Get hash	malicious	Browse	www.fsjdc.com/x2ee/?iBZLH8e=/LfDiPUOWZnyidNro0j70T8JUoHePLB2D+vct3YQB9mB3q5S0iE8mJFwRkJZflqbRhoGi7RzLw==&_RA89r=ZL3D3PvXurq
	DOCX RFQ#2.doc	Get hash	malicious	Browse	dropb-cfeb2.web.app/white.exe
	DOCX RFQ#2.rtf	Get hash	malicious	Browse	dropb-cfeb2.web.app/white.exe
	12-4.exe	Get hash	malicious	Browse	www.cvscarepasscard.com/gwg/
	PAYMENT COPY.exe	Get hash	malicious	Browse	www.firedoom.com/sbmh/?EjRh0d=C5hy1K5oAHBPrT8N397N//2qVHn6YwjigpXcmeWEXRbnBwwwMsoNEjPCOjfDrGfyrTiG&Bn=8pt0_Nex
	PO987556.exe	Get hash	malicious	Browse	www.firedoom.com/sbmh/?Yn=ybIHmldXUn88Ur&jfIT64=C5hy1K5oAHBPrT8N397N//2qVHn6YwjigpXcmeWEXRbnBwwwMsoNEjPCOg/57X/Kx0DB
	account confirmation!.exe	Get hash	malicious	Browse	www.firedoom.com/sbmh/?0Tx43p=zbDHwlRpXFN&DV8X=C5hy1K5oAHBPrT8N397N//2qVHn6YwjigpXcmeWEXRbnBwwwMsoNEjPCOjfDrGfyrTiG
	New Additional Agreement.exe	Get hash	malicious	Browse	www.erraticer.com/bw82/?J2JxbNH=6vRuuEDvqC5+aa5DVmVINCXZAyoyPzPxPo5XFdu9xcvmHzBmwHK9JJE0E4eNhlSLE1w3&BXEpz=Z2Jd8XTPeT
	00d1gI2vB4.exe	Get hash	malicious	Browse	www.erraticer.com/bw82/?ET8T=6vRuuEDvqC5+aa5DVmVINCXZAyoyPzPxPo5XFdu9xcvmHzBmwHK9JJE0E4eNhlSLE1w3&URiP=qFQxprRp5PPPOfyp
	New Additional Agreement.exe	Get hash	malicious	Browse	www.erraticer.com/bw82/?8p=6vRuuEDvqC5+aa5DVmVINCXZAyoyPzPxPo5XFdu9xcvmHzBmwHK9JJE0E7ykiluzNWFh0m7Gjw==&Bh=H0GxrDp
	Additional Agreement KYC.exe	Get hash	malicious	Browse	www.erraticer.com/bw82/?Ezrtr2qh=6vRuuEDvqC5+aa5DVmVINCXZAyoyPzPxPo5XFdu9xcvmHzBmwHK9JJE0E7ykiluzNWFh0m7Gjw==&QL3=ojqPsv
	http://roundcubemailagentupdate.web.app	Get hash	malicious	Browse	roundcubemailagentupdate.web.app/
	http://auto78438787328758792947.web.app	Get hash	malicious	Browse	auto78438787328758792947.web.app/
	http://salary-bonus.web.app	Get hash	malicious	Browse	salary-bonus.web.app/
	Client Contact REGISTRATION Sheet.xlsx	Get hash	malicious	Browse	www.letsdindin.com/mnf3/?9rTpeFt0=G6fRyfWpf4em3a5PxYoprh6KPSSsHaeEr4x3W3Pvzp31VBrhmksxwaIIwF2fZ05EyJsOCg==&rj9L_=qpnTHjlx
	http://Coronavirus.app	Get hash	malicious	Browse	coronavirus.app/
	http://mime-iz10.web.app	Get hash	malicious	Browse	mime-iz10.web.app/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdnjs.cloudflare.com	#Ud83d#Udcde973.htm	Get hash	malicious	Browse	104.16.18.94
	Open Invoice & Statements.htm	Get hash	malicious	Browse	104.16.18.94
	securedmessage.htm	Get hash	malicious	Browse	104.16.18.94
	Three.exe	Get hash	malicious	Browse	104.16.18.94
	One.exe	Get hash	malicious	Browse	104.16.19.94
	Five.exe	Get hash	malicious	Browse	104.16.19.94
	Two.exe	Get hash	malicious	Browse	104.16.19.94
	nicoleta.fagaras-DHL_TRACKING_1394942.html	Get hash	malicious	Browse	104.16.18.94
	PaymentAdvice-copy.htm	Get hash	malicious	Browse	104.16.18.94
	FARASIS.xlsx	Get hash	malicious	Browse	104.16.18.94
	FARASIS.xlsx	Get hash	malicious	Browse	104.16.19.94
	wzdu53.exe	Get hash	malicious	Browse	104.16.18.94
	Friday, April 2nd, 2021, 20210402062906.8CE1B73ADE2A192C@compassionarmy.com.htm	Get hash	malicious	Browse	104.16.18.94
	ACH REMITTANCE.xlsx	Get hash	malicious	Browse	104.16.18.94
	ACH REMITTANCE.xlsx	Get hash	malicious	Browse	104.16.19.94
	#Ud83d#Udcde.htm.htm	Get hash	malicious	Browse	104.16.18.94
	ccavero@hycite.com.htm	Get hash	malicious	Browse	104.16.19.94
	SOC_0#7198, INV#512 Via GoogleDocs gracechung.html	Get hash	malicious	Browse	104.16.19.94
	ACH WIRE INF0RMATION.xlsx	Get hash	malicious	Browse	104.16.19.94
	ACH WIRE INF0RMATION.xlsx	Get hash	malicious	Browse	104.16.19.94
mamodmiappscn.firebaseapp.com	#Ud83d#Udcde.htm	Get hash	malicious	Browse	151.101.65.195
mamodmiappscn.firebaseapp.com	#Ud83d#Udcde.htm.htm	Get hash	malicious	Browse	151.101.1.195
unpkg.com	Open Invoice & Statements.htm	Get hash	malicious	Browse	104.16.123.175
	#Ud83d#Udcde.htm.htm	Get hash	malicious	Browse	104.16.123.175
	ATT31834.htm	Get hash	malicious	Browse	104.16.126.175
	Q lifesettlements INVOICE.htm	Get hash	malicious	Browse	104.16.126.175
	Audio-07030.htm	Get hash	malicious	Browse	104.16.123.175
	Remittance.htm	Get hash	malicious	Browse	104.16.123.175
	metropolitanproperties.com.odt	Get hash	malicious	Browse	104.16.122.175
	metropolitanproperties.com.odt	Get hash	malicious	Browse	104.16.123.175
	ATT00900.htm	Get hash	malicious	Browse	104.16.126.175
	#Ud83d#Udce0-Twc-159.186.10.243.htm	Get hash	malicious	Browse	104.16.122.175
	ARMI Contractors RFQ.xlsx	Get hash	malicious	Browse	104.16.124.175
	ARMI Contractors RFQ.xlsx	Get hash	malicious	Browse	104.16.123.175
	RFQ.xlsx	Get hash	malicious	Browse	104.16.124.175
	RFQ.xlsx	Get hash	malicious	Browse	104.16.125.175
	#Ud83d#Udcde.htm	Get hash	malicious	Browse	104.16.123.175
	#U2261#U0192#U00f4#U20a7.htm.htm	Get hash	malicious	Browse	104.16.126.175
	Phish.htm	Get hash	malicious	Browse	104.16.123.175
	099-563942-59-5095-73208.htm	Get hash	malicious	Browse	104.16.122.175
	#U266b Audio_47720.wavv - - Copy.htm	Get hash	malicious	Browse	104.16.123.175
	_#Ud83d#Udcde_9173.htm	Get hash	malicious	Browse	104.16.125.175

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FASTLYUS	ghnrope2.dll	Get hash	malicious	Browse	151.101.1.44
	mapdata.dll	Get hash	malicious	Browse	151.101.114.132
	Open Invoice & Statements.htm	Get hash	malicious	Browse	151.101.1.195
	#Ud83d#Udcde.htm	Get hash	malicious	Browse	151.101.65.195
	Fax-Message-4564259.html	Get hash	malicious	Browse	151.101.12.193
	securedmessage.htm	Get hash	malicious	Browse	151.101.1.192
	Three.exe	Get hash	malicious	Browse	151.101.2.217
	Four.exe	Get hash	malicious	Browse	151.101.14.109
	Six.exe	Get hash	malicious	Browse	151.101.2.217
	One.exe	Get hash	malicious	Browse	151.101.2.217
	Five.exe	Get hash	malicious	Browse	151.101.2.217
	Two.exe	Get hash	malicious	Browse	151.101.2.217
	frox0cheats.exe	Get hash	malicious	Browse	185.199.108.154
	PO45937008ADENGY.exe	Get hash	malicious	Browse	185.199.108.153
	PO#560.zip.exe	Get hash	malicious	Browse	151.101.1.211
	Telekom.jar	Get hash	malicious	Browse	185.199.109.154
	Telekom.jar	Get hash	malicious	Browse	185.199.111.154
	Telekom.jar	Get hash	malicious	Browse	185.199.108.154
	Telekom.jar	Get hash	malicious	Browse	185.199.110.154
	nicoleta.fagaras-DHL_TRACKING_1394942.html	Get hash	malicious	Browse	151.101.12.193
CLOUDFLARENETUS	ghnrope2.dll	Get hash	malicious	Browse	104.20.185.68
	mail_6512365134_7863_202104108.html	Get hash	malicious	Browse	104.18.10.207
	Copia bancaria de swift.exe	Get hash	malicious	Browse	162.159.135.233
	Production list.exe	Get hash	malicious	Browse	172.67.206.110
	EJ000.exe	Get hash	malicious	Browse	172.67.188.154
	Payment_Advice Pdf10375200148940150.doc	Get hash	malicious	Browse	104.21.82.210
	hemEUcQ610.exe	Get hash	malicious	Browse	172.67.222.53
	mapdata.dll	Get hash	malicious	Browse	104.20.184.68
	SecuriteInfo.com.Trojan.GenericKD.36659493.29456.exe	Get hash	malicious	Browse	104.17.62.50
	SecuriteInfo.com.Trojan.Siggen12.64197.30705.exe	Get hash	malicious	Browse	104.17.63.50
	PRC-20-518 ORIGINAL.xlsx	Get hash	malicious	Browse	104.25.233.53
	CNTR-NO-GLDU7267089.xlsx	Get hash	malicious	Browse	104.25.234.53
	SwiftMT103.xlsx	Get hash	malicious	Browse	172.67.83.132
	Purchase Order.xlsx	Get hash	malicious	Browse	172.67.83.132
	SPARE PARTS drawing.xlsx	Get hash	malicious	Browse	172.67.83.132
	IN18663Q0031139I.xlsx	Get hash	malicious	Browse	23.227.38.74
	ShipDoc_CI_PL_INV_.xlsx	Get hash	malicious	Browse	172.67.83.132
	PROFORMA INVOICE.xlsx	Get hash	malicious	Browse	172.67.83.132
	#Ud83d#Udcde973.htm	Get hash	malicious	Browse	104.16.18.94
	PN 601310-02_pdf A (1).vbs	Get hash	malicious	Browse	104.23.98.190
AKAMAI-ASUS	2730.sh	Get hash	malicious	Browse	2.20.214.243
	msals.pumpl.dll	Get hash	malicious	Browse	2.22.155.145
	606d810b8ff92.pdf.dll	Get hash	malicious	Browse	2.22.155.145
	DropDll.dll	Get hash	malicious	Browse	23.57.80.37
	msals.pumpl.dll	Get hash	malicious	Browse	184.30.24.22
	nnrlOwKZlc.exe	Get hash	malicious	Browse	184.30.20.56
	145440a7c1067bacfcd4d07078040b67c3753e589501b.dll	Get hash	malicious	Browse	96.16.108.27
	PJ1OTtgIlo.dll	Get hash	malicious	Browse	104.79.88.129
	4BRIjOEYNf.dll	Get hash	malicious	Browse	104.80.28.24
	LCoqf24H7e.dll	Get hash	malicious	Browse	184.30.24.22
	ACHWIREPAYMENTINFORMATION.xlsx	Get hash	malicious	Browse	104.83.87.109
	BsFMy70EjG.dll	Get hash	malicious	Browse	2.22.155.145
	k9NSoUT2pd.dll	Get hash	malicious	Browse	2.22.155.145
	NocSbjtb9r.exe	Get hash	malicious	Browse	104.83.121.112
	redwirespace-invoice-982323_xls.HtMl	Get hash	malicious	Browse	23.211.149.25
	pkmo.exe	Get hash	malicious	Browse	172.227.96.120
	SecuriteInfo.com.ML.PE-A.2715.dll	Get hash	malicious	Browse	104.73.164.23
	SecuriteInfo.com.Win32.Kryptik.HJSQ.12709.dll	Get hash	malicious	Browse	2.17.154.103
	#Ud83d#Udd04bvoneida- empirix.com iPhone 8 104 OKeep.htm	Get hash	malicious	Browse	95.100.55.95
	register.dll	Get hash	malicious	Browse	184.30.24.22

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3e4e87dda5a3162306609b7e330441d2	fonedog-powermymac.dmg	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	diskdrill.dmg	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	Remittance.html	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	xSf	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	1ELOG8UQ4M.htm	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	BetterTouchTool.zip	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	https://billychemr324.github.io/santipxzic/index1.html?bbre=aod9435	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	http://help-servicee.ml	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	http://owauth1tadsoh1itndereql1nysa1ier1rnrhnthaesinlp.us-east-2.elasticbeanstalk.com/#jdiaz@eversheds-sutherland.es	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	http://test.kunmiskincare.com/index.php	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195
	http://protesidenext.com/16dbc8c14acdb8703b.js	Get hash	malicious	Browse	104.16.124.175 17.248.145.229 104.16.18.94 172.67.176.224 151.101.1.195

Dropped Files

No context

Runtime Messages

Command:	open "/Users/berri/Desktop/#Ud83d#Udcde.htm" --args
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Created / dropped Files

/Users/berri/Library/Safari/.dat.nosync023d.KFEApc Download File
Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	1963
Entropy (8bit):	7.4143084009938045
Encrypted:	false
SSDEEP:	48:E3NmrW2oTlg9VeQWRLYDBLrZPiM/bu9ueXy:zWzA4vklLrZPJbuVy
MD5:	06F4A3A2CB895C9EA8A403FD55C13908
SHA1:	7F6C2100E1017075620FF26B7D0096989EA971A7
SHA-256:	947C782B0F384BDD7C8E4BAE00ED62DA9652BBA6B6B13C631AD7DAF76B335E35
SHA-512:	B312DC8DF4B1B8CBC8180EC369758A34ECC740D880099A97154698F5F044C9551081E7C63E1D873C115D7096C9B0A02FD690E2151DCF25512C277B84C473C219
Malicious:	false
Reputation:	low
Preview:	bplist00.....^SessionVersion^SessionWindowsS1.0............................9_..SelectedTabIndex\TabBarHiddenZDateClosed_..FavoritesBarHidden]IsPopupWindow_. PrefersReadingListSidebarVisible\Miniaturized_..WindowStateVersionZWindowUUID_..WindowContentRectYTabStates_..IsPrivateWindow_..SelectedPinnedTabIndex...3A..b........S2.0_.$F69F955A-BC0A-4F87-99FC-6161B46B9DBA_..{{0, 52}, {1024, 693}}.... !."#.$%&'().,-...0123456.\IsDisposable\SessionState_..AncestorTabIdentifers_..SessionStateIsEncryptedXTabIndex]LastVisitTimeWTabUUIDVTabURL]TabIdentifierXTabTitle_..ProcessIdentifierWIsMuted.O...]8.J..DE:..jd.5}7..yM..:N`C....t.. ..&.}......h.#..s..%.s _:_"@<,....@..NUNRA..g.@......A#..{...;.*E}V..._=.$..JgY.:...N)...N..z....C"........#..........6..R..).x..N..1.s...I.:.kY..7......}.:...9L.b:H.Q\.f.!...Zn.<Z##K\|`..........W.....A...<8w...l."P.6...@Q..f..o.\.$..k..vz]..a[.3.S'c.l..H.Y+...q.. Q\.?...43n.a.s..VN.....E....Zj..`......M...O..M^.....U..Q.i.'1..!..U...)[.^...$...

/Users/berri/Library/Safari/.dat.nosync023d.M2fcej Download File
Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1012
Entropy (8bit):	5.286991847916908
Encrypted:	false
SSDEEP:	24:2dfyiwHuG5Ku3hu65juqVrTrmuGoTxR1F1xW:cfyP5Z/5PrUon1F1xW
MD5:	0C29425555C7FF0CA114B1FD0DC39C50
SHA1:	D7D808E8BE92462F4C3CEBA66734F0E9BB26ACDD
SHA-256:	52826AFEEC974BB7BACB85BDC01DC4F23BF917D65E04773D7CAD393F7866F3FD
SHA-512:	D9C8364A85F4B4A96CAAC1409F32F9D6B2F8AE19201E0ABD2D449A3EEDADD471E99E44BC92DEB5D8FB60287DA64A88E61B45F759E7B9A383A9BBE5F5FD242F95
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>SingleDeviceSaveChangesThrottlingPolicy</key>..<string>1:1440</string>..<key>MultipleDeviceSaveChangesThrottlingPolicy</key>..<string>50:1 \| 10:2 \| 10:5 \| 10:30 \| 9:40 \| 1:510</string>..<key>SingleDeviceFetchChangesThrottlingPolicy</key>..<string>11:15 \| 1:1275</string>..<key>MultipleDeviceFetchChangesThrottlingPolicy</key>..<string>50:1 \| 50:3 \| 20:4 \| 20:5 \| 20:15 \| 20:18 \| 20:20</string>..<key>SyncCircleSizeRetrievalThrottlingPolicy</key>..<string>1:1440</string>..<key>MaximumRequestLimitCharacterCount</key>..<integer>100000</integer>..<key>SyncWindow</key>..<real>1209600</real>..<key>HistoryModificationIdleDelayBeforeSyncAttemptKey</key>..<integer>90</integer>..<key>HistoryRemovalIdleDelayBeforeSyncAttempt</key>..<integer>6</integer>..<key>SaveChangesBeforeTerminationTimeout</key>..<integer>1</integer>.</dic

/dev/null Download File
Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	ASCII text
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.8180438460722765
Encrypted:	false
SSDEEP:	3:tUI7ocFzf4HzS9df3WOv:mMHw2dfmA
MD5:	65E1634E610E84BA9B63730E3F05D1D4
SHA1:	BBD299FC69A69AEB4EDB05D2D30909723E7B8984
SHA-256:	7DF386B0D056240755D8A6A63B5D824CA4306AAA9584C9FAA87A74B8BD2F5063
SHA-512:	F2230B7A613A1B7B4D9C357372A059AC09B1E5D0A9481997D4107779625333D8A3FDB653543526C3D604AB03226E181C92EBB7EDBDC8E7012728A26B69BA2DE3
Malicious:	false
Reputation:	low
Preview:	2021-04-09 19:19:30.570 Safari[573:5815] ApplePersistence=NO.

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync023d.coDlpE Download File
Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.9370658315190226
Encrypted:	false
SSDEEP:	3:N1n6qMvRGNMTAnd/t1tH:N1nleRaMTAltH
MD5:	CDC65B5F112547EAFAE0F16F9C149426
SHA1:	AEAF9908A5B6FF3E2F7B738ABF5FE9E79108BA01
SHA-256:	1C6D085D871A855CE4A3902BAB4B9B92631B8EE8F0B7F6536768A2AAF427B45C
SHA-512:	E8B0E4CE6A760A718A19976D3CFE9063F04FB4BF179947AECA84E94C83F21459FB9DC0FFABEA8F633BD2D0BA94FE1E15D8C97E9604FDE8BD0DEA961EB83BDDB7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	bplist00..._..ExtensionArchivesExtracted...(...............................)

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsDirectory.db_ Download File
Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533948990143748
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGBOmBfbouR6/chQOnGqwc2U+v+h/:8MdGleOGmBouRwchQOnGqwc2U+v+h/
MD5:	09070E01FA6ED1973D94FAD50C35E3ED
SHA1:	7546663E66F9889EE3365A7A0BE372300C6022CA
SHA-256:	2E6EC437A97DD88F9067B2E99AC64789670D9B9C1FC50B2856E392E66163211F
SHA-512:	621399FF832F1A8352E5E9A54984B878C7D3432156D9CF9986A1A5B75662E92D9A00FA1BA6714D679286BB49E71916F72655AADA2B99880A2806FAFC6F86E7F3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsObject.db_ Download File
Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5113078915037033
Encrypted:	false
SSDEEP:	48:m6Xsh+CLjL3Pe3T5FFKfEuyu+iYxGv4sS:3X6LjLfe3wEuyu9YxGQX
MD5:	D487F899A14AE98519B46D51BC810F1B
SHA1:	64877ECFBE47ED66EED545B2449BBE8B22B775D0
SHA-256:	4835899C464487946E281D535381D4CAB8BC90EC08CD00A6A0ECB97854E9321D
SHA-512:	EB4FABD61B4FD2B9EF3C9E93793CA5F11353A1F81EA4DA22E0F79ED45D89180B77469B9E5DCD5350AE650B31DE9018743DA7716EFA7B5CDDFC3FA7A13C476F40
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

Static File Info

General
File type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Entropy (8bit):	6.001485823782198
TrID:	HyperText Markup Language (15015/1) 20.56% HyperText Markup Language (12001/1) 16.44% HyperText Markup Language (12001/1) 16.44% HyperText Markup Language (11501/1) 15.75% HyperText Markup Language (11501/1) 15.75%
File name:	#Ud83d#Udcde.htm
File size:	5008
MD5:	5d44cee8d28cebf028ac3afc7c4309d0
SHA1:	b53e4a9f2a2efe93ca896cd6a56af26bf861cf0f
SHA256:	c77e9dbffd377fe486c902715fd1d5587c2c7ef58cfb2839284d109a72a6a645
SHA512:	5b780cf8fe3e3ae18ef82c5ce00cdcbc21a591bd4283a2169446c2fff5d5728f9730f9382f093760e44d7734940cc599d954cc3f0b7fde04fa4e4b599215f32a
SSDEEP:	96:RPCt3y7Xc3CXZXXbFn+jk2EYi3hmU3ZVrkqsnQaKA9jhGZxTc0hLat:gt3y7XfXZXEk2EYi3hV3ZPSUrZxXg
File Content Preview:	<!DOCTYPE html><html><head><script>var mizzs="Y2hlcnJ5cEB1d2diLmVkdQ=="</script>..<script>var paso1="@!&wAV9fCcXIbQnz4oSp@&!OehA8igcfspk3JE5MoTRF1DZPdwS6&@!";if(window.location.href.indexOf("bbre=")==-1) window.location.href = document.location.pathname+"

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 9, 2021 17:19:32.535933018 CEST	49238	443	192.168.11.11	17.171.27.65
Apr 9, 2021 17:19:32.536343098 CEST	49238	443	192.168.11.11	17.171.27.65
Apr 9, 2021 17:19:32.650939941 CEST	443	49238	17.171.27.65	192.168.11.11
Apr 9, 2021 17:19:32.651020050 CEST	443	49238	17.171.27.65	192.168.11.11
Apr 9, 2021 17:19:32.651314020 CEST	443	49238	17.171.27.65	192.168.11.11
Apr 9, 2021 17:19:32.651379108 CEST	49238	443	192.168.11.11	17.171.27.65
Apr 9, 2021 17:19:32.651622057 CEST	49238	443	192.168.11.11	17.171.27.65
Apr 9, 2021 17:19:33.086085081 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.096748114 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.097279072 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.214241028 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.224672079 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.224699020 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.224723101 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.225224018 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.225619078 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.225753069 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.226325035 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.226422071 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.226455927 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.226986885 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.579688072 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.590023041 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.590037107 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.590548038 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.590557098 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.597820044 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.620028019 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.620635986 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.620969057 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.643023968 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.647778034 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.647840023 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.647876024 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.648421049 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.648494005 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.648504019 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.686259031 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.708630085 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.708677053 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.708929062 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.709264994 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.709314108 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.710834026 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.710880995 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.710891008 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.710899115 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.710994959 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.732975006 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.732992887 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.733004093 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.733016014 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.733027935 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.733038902 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:33.734304905 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:33.742094994 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.742125988 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.742130041 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.742132902 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.742640972 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.752580881 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.752599001 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.752610922 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.753124952 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.754245996 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.754415989 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.754985094 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.755019903 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.755105972 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.755250931 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.755707026 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.755723953 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.755738020 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.755945921 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.756382942 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.756437063 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.756455898 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.756536961 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.757034063 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.757052898 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.757128954 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:33.757639885 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.871489048 CEST	49254	443	192.168.11.11	17.248.145.229
Apr 9, 2021 17:19:33.882014036 CEST	443	49254	17.248.145.229	192.168.11.11
Apr 9, 2021 17:19:34.353782892 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:34.353871107 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:34.353969097 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:34.354010105 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:34.354089975 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:34.354132891 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:34.354182005 CEST	443	49256	172.67.176.224	192.168.11.11
Apr 9, 2021 17:19:34.354271889 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:34.354477882 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:34.354549885 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:34.354563951 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:34.354574919 CEST	49256	443	192.168.11.11	172.67.176.224
Apr 9, 2021 17:19:34.968669891 CEST	49257	443	192.168.11.11	151.101.1.195
Apr 9, 2021 17:19:34.977731943 CEST	443	49257	151.101.1.195	192.168.11.11
Apr 9, 2021 17:19:34.978085995 CEST	49257	443	192.168.11.11	151.101.1.195
Apr 9, 2021 17:19:34.978554964 CEST	49257	443	192.168.11.11	151.101.1.195

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 9, 2021 17:19:31.411304951 CEST	58839	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:31.417310953 CEST	53	58839	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:31.791662931 CEST	59836	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:31.797373056 CEST	53	59836	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:31.839692116 CEST	55116	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:31.845232964 CEST	53	55116	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:32.360006094 CEST	50873	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:32.365539074 CEST	53	50873	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:33.077423096 CEST	49971	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:33.083138943 CEST	53	49971	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:33.332688093 CEST	54472	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:33.401144981 CEST	53	54472	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:33.569308043 CEST	56733	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:33.596271038 CEST	53	56733	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:34.934686899 CEST	61723	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:34.967339039 CEST	53	61723	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:36.559148073 CEST	65426	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:36.566097975 CEST	53	65426	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:39.295890093 CEST	65255	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:39.302208900 CEST	53	65255	1.1.1.1	192.168.11.11
Apr 9, 2021 17:19:39.632014990 CEST	55831	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:19:39.639265060 CEST	53	55831	1.1.1.1	192.168.11.11
Apr 9, 2021 17:20:00.310832024 CEST	57325	53	192.168.11.11	1.1.1.1
Apr 9, 2021 17:20:00.321017027 CEST	53	57325	1.1.1.1	192.168.11.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 9, 2021 17:19:33.569308043 CEST	192.168.11.11	1.1.1.1	0xa2dd	Standard query (0)	sslcnd.aioecoin.org	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:34.934686899 CEST	192.168.11.11	1.1.1.1	0xf7cf	Standard query (0)	mamodmiappscn.firebaseapp.com	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:36.559148073 CEST	192.168.11.11	1.1.1.1	0xeea5	Standard query (0)	unpkg.com	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:39.295890093 CEST	192.168.11.11	1.1.1.1	0x379c	Standard query (0)	cdnjs.cloudflare.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 9, 2021 17:19:33.083138943 CEST	1.1.1.1	192.168.11.11	0x6ba0	No error (0)	gateway.fe.apple-dns.net	17.248.145.229	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:33.083138943 CEST	1.1.1.1	192.168.11.11	0x6ba0	No error (0)	gateway.fe.apple-dns.net	17.248.145.207	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:33.083138943 CEST	1.1.1.1	192.168.11.11	0x6ba0	No error (0)	gateway.fe.apple-dns.net	17.248.145.234	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:33.083138943 CEST	1.1.1.1	192.168.11.11	0x6ba0	No error (0)	gateway.fe.apple-dns.net	17.248.145.241	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:33.083138943 CEST	1.1.1.1	192.168.11.11	0x6ba0	No error (0)	gateway.fe.apple-dns.net	17.248.145.100	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:33.083138943 CEST	1.1.1.1	192.168.11.11	0x6ba0	No error (0)	gateway.fe.apple-dns.net	17.248.145.141	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:33.083138943 CEST	1.1.1.1	192.168.11.11	0x6ba0	No error (0)	gateway.fe.apple-dns.net	17.248.145.73	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:33.083138943 CEST	1.1.1.1	192.168.11.11	0x6ba0	No error (0)	gateway.fe.apple-dns.net	17.248.145.237	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:33.596271038 CEST	1.1.1.1	192.168.11.11	0xa2dd	No error (0)	sslcnd.aioecoin.org	172.67.176.224	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:33.596271038 CEST	1.1.1.1	192.168.11.11	0xa2dd	No error (0)	sslcnd.aioecoin.org	104.21.91.175	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:34.967339039 CEST	1.1.1.1	192.168.11.11	0xf7cf	No error (0)	mamodmiappscn.firebaseapp.com	151.101.1.195	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:34.967339039 CEST	1.1.1.1	192.168.11.11	0xf7cf	No error (0)	mamodmiappscn.firebaseapp.com	151.101.65.195	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:36.566097975 CEST	1.1.1.1	192.168.11.11	0xeea5	No error (0)	unpkg.com	104.16.124.175	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:36.566097975 CEST	1.1.1.1	192.168.11.11	0xeea5	No error (0)	unpkg.com	104.16.126.175	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:36.566097975 CEST	1.1.1.1	192.168.11.11	0xeea5	No error (0)	unpkg.com	104.16.122.175	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:36.566097975 CEST	1.1.1.1	192.168.11.11	0xeea5	No error (0)	unpkg.com	104.16.123.175	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:36.566097975 CEST	1.1.1.1	192.168.11.11	0xeea5	No error (0)	unpkg.com	104.16.125.175	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:39.302208900 CEST	1.1.1.1	192.168.11.11	0x379c	No error (0)	cdnjs.cloudflare.com	104.16.18.94	A (IP address)	IN (0x0001)
Apr 9, 2021 17:19:39.302208900 CEST	1.1.1.1	192.168.11.11	0x379c	No error (0)	cdnjs.cloudflare.com	104.16.19.94	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 9, 2021 17:19:33.225753069 CEST	17.248.145.229	443	192.168.11.11	49254	C=US, ST=California, O=Apple Inc., CN=gateway.icloud.com C=US, O=Apple Inc., OU=Certification Authority, CN=Apple IST CA 2 - G1 C=US, O=Apple Inc., OU=Certification Authority, CN=Apple IST CA 2 - G1	C=US, O=Apple Inc., OU=Certification Authority, CN=Apple IST CA 2 - G1 CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	Mon Jul 20 19:41:36 CEST 2020 Wed Dec 12 13:00:00 CET 2018 Mon Jun 16 17:42:02 CEST 2014	Thu Aug 19 19:51:00 CEST 2021 Wed May 07 14:00:00 CEST 2025 Fri May 20 17:42:02 CEST 2022	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47,65281-0-23-13-5-13172-18-16-11-10,29-23-24,0	3e4e87dda5a3162306609b7e330441d2
					C=US, O=Apple Inc., OU=Certification Authority, CN=Apple IST CA 2 - G1	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Dec 12 13:00:00 CET 2018	Wed May 07 14:00:00 CEST 2025
					C=US, O=Apple Inc., OU=Certification Authority, CN=Apple IST CA 2 - G1	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	Mon Jun 16 17:42:02 CEST 2014	Fri May 20 17:42:02 CEST 2022
Apr 9, 2021 17:19:33.647840023 CEST	172.67.176.224	443	192.168.11.11	49256	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Aug 02 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Mon Aug 02 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47,65281-0-23-13-5-13172-18-16-11-10,29-23-24,0	3e4e87dda5a3162306609b7e330441d2
Apr 9, 2021 17:19:33.647840023 CEST	172.67.176.224	443	192.168.11.11	49256	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		3e4e87dda5a3162306609b7e330441d2
Apr 9, 2021 17:19:34.988966942 CEST	151.101.1.195	443	192.168.11.11	49257	CN=firebaseapp.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Wed Oct 21 19:55:39 CEST 2020 Thu Jun 15 02:00:42 CEST 2017	Wed Oct 20 19:55:39 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47,65281-0-23-13-5-13172-18-16-11-10,29-23-24,0	3e4e87dda5a3162306609b7e330441d2
Apr 9, 2021 17:19:34.988966942 CEST	151.101.1.195	443	192.168.11.11	49257	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		3e4e87dda5a3162306609b7e330441d2
Apr 9, 2021 17:19:36.585541964 CEST	104.16.124.175	443	192.168.11.11	49258	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Aug 02 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Mon Aug 02 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47,65281-0-23-13-5-13172-18-16-11-10,29-23-24,0	3e4e87dda5a3162306609b7e330441d2
Apr 9, 2021 17:19:36.585541964 CEST	104.16.124.175	443	192.168.11.11	49258	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		3e4e87dda5a3162306609b7e330441d2
Apr 9, 2021 17:19:39.316752911 CEST	104.16.18.94	443	192.168.11.11	49259	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Oct 21 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Thu Oct 21 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47,65281-0-23-13-5-13172-18-16-11-10,29-23-24,0	3e4e87dda5a3162306609b7e330441d2
Apr 9, 2021 17:19:39.316752911 CEST	104.16.18.94	443	192.168.11.11	49259	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		3e4e87dda5a3162306609b7e330441d2

System Behavior

Analysis Process: xpcproxy PID: 573 Parent PID: 1

General

Start time:	17:19:30
Start date:	09/04/2021
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	43488 bytes
MD5 hash:	d1bb9a4899f0af921e8188218b20d744

Analysis Process: Safari PID: 573 Parent PID: 1

General

Start time:	17:19:30
Start date:	09/04/2021
Path:	/Applications/Safari.app/Contents/MacOS/Safari
Arguments:	/Applications/Safari.app/Contents/MacOS/Safari
File size:	20896 bytes
MD5 hash:	8e18be737fe87f19fe7a97b4821e2005

Description:	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report #Ud83d#Udcde.htm

Overview

General Information

Detection

Signatures

Classification

Startup

Yara Overview

Initial Sample

Signature Overview

Phishing:

Compliance:

Networking:

System Summary:

Persistence and Installation Behavior:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Runtime Messages

Created / dropped Files

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

System Behavior

Analysis Process: xpcproxy PID: 573 Parent PID: 1

General

Analysis Process: Safari PID: 573 Parent PID: 1

General