
macOS Analysis Report: https://sparkasse.corona-umstellungsverfahren-de.com/ALC81OPACG

Overview

General Information

Sample URL: https://sparkasse.corona-umstellungsverfahren-de.com/ALC81OPACG
Analysis ID: 881

Detection

Score: 48 (range 0 - 100)
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Opens the Safari browser app

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 881
Start date: 24.06.2021
Start time: 13:17:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: browseurl.jbs
Sample URL: https://sparkasse.corona-umstellungsverfahren-de.com/ALC81OPACG
Analysis system description: Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode: default
Detection: MAL
Classification: mal48.mac@0/7@15/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 18.156.205.85, 184.30.216.40, 93.184.220.29, 142.250.186.138, 23.51.123.27, 23.55.163.48, 23.55.163.58, 104.117.200.9, 172.217.18.106, 142.250.185.74, 142.250.186.168, 142.250.185.234, 151.101.1.182, 151.101.65.182, 151.101.129.182, 151.101.193.182, 104.22.46.168, 104.22.47.168, 172.67.38.83, 216.58.212.163, 172.217.18.99, 142.250.177.46, 142.250.181.226
  • Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, cs9.wac.phicdn.net, smoot-searchv2-euc1a.v.aaplimg.com, e8652.dscx.akamaiedge.net, gateway.icloud.com, g.symcd.com, adservice.google.com, api-glb-euc1a.smoot.apple.com, maps.googleapis.com, ocsp.digicert.com, a1887.dscq.akamai.net, www.googletagmanager.com, safebrowsing.googleapis.com, crl.root-x1.letsencrypt.org.edgekey.net, www.google-analytics.com, fonts.googleapis.com, www-google-analytics.l.google.com, e673.dsce9.akamaiedge.net, ajax.googleapis.com, fonts.gstatic.com, www-googletagmanager.l.google.com, e8218.dscb1.akamaiedge.net, o.lencr.edgesuite.net, api.smoot.apple.com, bag-smoot.v.aaplimg.com, ocsp-ds.ws.symantec.com.edgekey.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, configuration.apple.com, onboard.triptease.io.cdn.cloudflare.net, configuration.apple.com.akadns.net, configuration.apple.com.edgekey.net, q.shared.global.fastly.net, maps.gstatic.com
  • Report size getting too big, too many PREAD calls found.
  • VT rate limit hit for: kubernetes-loadbalancer.triptease.io

Process Tree

  • System is macvm-highsierra
  • Safari (MD5: 8e18be737fe87f19fe7a97b4821e2005) Arguments: /Applications/Safari.app/Contents/MacOS/Safari
  • cleanup

Yara Overview

No yara matches

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
  • Source: https://sparkasse.corona-umstellungsverfahren-de.com/ALC81OPACG; VirusTotal detection: 9%

A low VirusTotal ratio on a URL that was only just submitted is weak evidence of anything: URL scanners lag newly stood-up infrastructure. The host name itself is the stronger signal, since it places the bank brand `sparkasse` as a subdomain of an unrelated registered domain, corona-umstellungsverfahren-de.com (German: "corona conversion procedure"), which is the usual shape of a lookalike URL.
Networking:

HTTPS traffic detected (TLS 1.2; remote :443 to the analysis host 192.168.11.11, listed as remote address -> local port):
  • 17.248.145.74 -> :49195
  • 47.243.138.168 -> :49194
  • 85.13.148.189 -> :49205
  • 107.178.244.119 -> :49209
  • 85.13.148.189 -> :49212 (listed twice in the raw report)
  • 35.186.195.233 -> :49213
  • 185.33.221.90 -> :49216
  • 172.217.20.2 -> :49214
  • 172.217.16.102 -> :49215
  • 13.248.242.197 -> :49217
  • 107.178.244.119 -> :49221
  • 142.250.27.154 -> :49223

TCP traffic detected without corresponding DNS query:
  • 17.171.27.65 (4 entries)
  • 17.253.55.204 (2 entries)
  • 104.76.200.212 (2 entries)

UDP traffic detected without corresponding DNS query:
  • 1.1.1.1 (31 entries)

The "no corresponding DNS query" hits need reading with care: 17.0.0.0/8 is Apple's own address block and 1.1.1.1 is Cloudflare's public resolver, so these entries are consistent with the guest's Apple services and its resolver traffic rather than with activity driven by the sample. The resolver case is a structural false positive of the heuristic, because UDP/53 to the configured resolver is the DNS channel itself and can never have a preceding query.

DNS traffic detected: queries for sparkasse.corona-umstellungsverfahren-de.com
Strings found in dropped files:
  • .dat.nosync0210.bKXvUw.235.dr: http://www.apple.com/DTDs/PropertyList-1.0.dtd
  • .dat.nosync0210.8kfcUv.235.dr: https://sparkasse.corona-umstellungsverfahren-de.com/ALC81OPACG
HTTP traffic on port 443, seen in both directions, on local ports 49178, 49194, 49195, 49205, 49209, 49212, 49213, 49214, 49215, 49216, 49217, 49221 and 49223.
System behavior:

  • classification engine: classification label mal48.mac@0/7@15/0
  • /usr/libexec/xpcproxy (PID 528): Safari app opened: /Applications/Safari.app/Contents/MacOS/Safari
  • /Applications/Safari.app/Contents/MacOS/Safari (PID 528): random device file read: /dev/urandom
  • /Applications/Safari.app/Contents/MacOS/Safari (PID 528): AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
  • /Applications/Safari.app/Contents/MacOS/Safari (PID 528): XML plist file created: /Users/berri/Library/Safari/.dat.nosync0210.bKXvUw
  • /Applications/Safari.app/Contents/MacOS/Safari (PID 528): binary plist file created: /private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync0210.Is8mxg
  • /Applications/Safari.app/Contents/MacOS/Safari (PID 528): binary plist file created: /Users/berri/Library/Safari/.dat.nosync0210.8kfcUv
  • /Applications/Safari.app/Contents/MacOS/Safari (PID 528): system or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

The "dropped" files are temporary plists that Safari writes while updating its own state under ~/Library/Safari (one of them, .dat.nosync0210.8kfcUv, carries the visited URL as a string); no payload was written by the page itself. The cookbook only browsed the URL in Safari, so the report records the browser's side effects, not a second-stage download.
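The "TCP/UDP traffic detected without corresponding DNS query" signatures above are a simple correlation: every destination address is checked against the set of addresses returned in DNS answers during the run, and anything not in that set is reported. The script below is an added example that reimplements that check and shows why the sandbox needs an IP whitelist and why the resolver itself (1.1.1.1 here) must be excluded; it is not Joe Sandbox code. The flow log is constructed to match the counts in this report, the DNS answers are invented (the report does not show what the sample domain resolved to, so an RFC 5737 documentation address stands in), the whitelist is a subset of the report's excluded-IP list, and the only address-block ownership it hard-codes is 17.0.0.0/8 (Apple).

```python
"""Reproduce the sandbox's "traffic without corresponding DNS query" heuristic.

Added example, not Joe Sandbox code. Inputs are constructed from the report's
network signatures; DNS answers are invented because the report does not show
what the sample domain resolved to.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


# Constructed DNS answer log as (qname, answer_ip). The first qname is the
# sample's domain from the report; its address here is a documentation
# address (RFC 5737), not a real resolution.
DNS_ANSWERS = [
    ("sparkasse.corona-umstellungsverfahren-de.com", "203.0.113.10"),
    ("fonts.gstatic.com", "142.250.27.154"),
]

# Constructed flow log modelled on the report's signature lines and counts.
FLOWS = (
    [Flow("tcp", "203.0.113.10", 443)]
    + [Flow("tcp", "17.171.27.65", 443)] * 4
    + [Flow("tcp", "17.253.55.204", 443)] * 2
    + [Flow("tcp", "104.76.200.212", 443)] * 2
    + [Flow("udp", "1.1.1.1", 53)] * 31
    + [Flow("tcp", "142.250.27.154", 443)]
    + [Flow("tcp", "18.156.205.85", 443)]   # whitelisted in the report
)

# Subset of the report's "Excluded IPs from analysis (whitelisted)" list.
SANDBOX_WHITELIST = frozenset({"18.156.205.85", "184.30.216.40", "93.184.220.29"})

# The guest's configured resolver (assumed): UDP/53 to it *is* the DNS channel,
# so it can never have a "corresponding DNS query" and must not be flagged.
RESOLVERS = frozenset({"1.1.1.1"})

# Publicly documented address block, used only to annotate hits so an analyst
# can separate OS background traffic from sample-driven traffic.
KNOWN_NETS = {ip_network("17.0.0.0/8"): "Apple"}


def flows_without_dns(flows, dns_answers, whitelist=frozenset(), resolvers=frozenset()):
    """Count flows whose destination never appeared in a DNS answer.

    Returns a Counter keyed by (proto, dst_ip). Whitelisted destinations and
    UDP/53 to a known resolver are skipped before the correlation.
    """
    resolved = {ip for _, ip in dns_answers}
    hits = Counter()
    for f in flows:
        if f.dst_ip in whitelist:
            continue
        if f.proto == "udp" and f.dst_port == 53 and f.dst_ip in resolvers:
            continue
        if f.dst_ip not in resolved:
            hits[(f.proto, f.dst_ip)] += 1
    return hits


def owner_of(ip):
    """Return the documented owner of the address block containing ip, or None."""
    addr = ip_address(ip)
    for net, owner in KNOWN_NETS.items():
        if addr in net:
            return owner
    return None


def report_lines(hits):
    """Render hits in the report's wording, one line per (proto, destination)."""
    lines = []
    for (proto, ip), n in sorted(hits.items()):
        owner = owner_of(ip)
        suffix = f" [{owner}]" if owner else ""
        lines.append(
            f"{proto.upper()} traffic detected without corresponding DNS query: {ip} (x{n}){suffix}"
        )
    return lines


if __name__ == "__main__":
    print("raw heuristic:")
    print("\n".join(report_lines(flows_without_dns(FLOWS, DNS_ANSWERS))))
    print("with whitelist and resolver exclusion:")
    print("\n".join(report_lines(
        flows_without_dns(FLOWS, DNS_ANSWERS, SANDBOX_WHITELIST, RESOLVERS))))
```

Run without arguments it prints the raw result first (31 UDP hits on 1.1.1.1 plus the whitelisted host) and then the tuned result, which is reduced to the three TCP destinations the report lists, two of them annotated as Apple space. The annotation is deliberately separate from the exclusion: an analyst still wants to see Apple-owned destinations, just not to mistake them for the sample's own infrastructure.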

Mitre Att&ck Matrix

Techniques matched, with the number of matching signatures in parentheses (no other matrix cells matched):
  • Persistence: Plist Modification (1)
  • Privilege Escalation: Plist Modification (1)
  • Discovery: System Information Discovery (1)
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)

Behavior Graph

Screenshots
