
macOS Analysis Report
Localizable.strings

Overview

General Information

Sample Name:Localizable.strings
Analysis ID:756111
MD5:2c6cc441ccdea763c0be634ab46ae0f6
SHA1:7968a661c4bf7f54a8ed1ef501a083a337aacf6e
SHA256:41ecf6703414bbee3cf309de7b3c3b94a8495f93118f260ab3d2299ab405bb62

Detection

Score:0
Range:0 - 100
Whitelisted:false

Signatures

Reads launchservices plist files

Classification

Analysis Advice

Sample could not be started, try setting a correct file extension or analyze on a different analysis machine.
Exit code suggests that the sample could not be started, try to look at standard streams or writes to anonymous pipes for possible reason.
Non-zero exit code suggests an error during the execution. Lookup the error code for hints.
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:756111
Start date and time:2022-11-29 16:43:26 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 40s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Localizable.strings
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:default
Detection:CLEAN
Classification:clean0.macSTRINGS@0/0@0/0
  • Excluded IPs from analysis (whitelisted): 17.253.15.206, 17.253.15.199
  • Excluded domains from analysis (whitelisted): ocsp.apple.com, ocsp-a.g.aaplimg.com
Command:open "/Users/berri/Desktop/Localizable.strings"
PID:884
Exit Code:1
Exit Code Info:
Killed:False
Standard Output:

Standard Error:No application knows how to open /Users/berri/Desktop/Localizable.strings.
  • System is macvm-highsierra
  • open (MD5: 40ed6d8f35c9f20484b97582d296398f) Arguments:
  • cleanup
No yara matches
No Snort rule has matched

There are no malicious signatures.

Source: unknown  Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49302
Source: Localizable.strings  String found in binary or memory: http://blog.gete.net/lion-diskmaker-fr
Source: Localizable.strings  String found in binary or memory: http://blog.gete.net/lion-diskmaker-us
Source: Localizable.strings  String found in binary or memory: http://liondiskmaker.com/
Source: Localizable.strings  String found in binary or memory: http://liondiskmaker.com/?lang=fr
Source: Localizable.strings  String found in binary or memory: http://liondiskmaker.com/?page_id=149
Source: Localizable.strings  String found in binary or memory: http://liondiskmaker.com/?page_id=151&lang=fr
Source: unknown  TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown  TCP traffic detected without corresponding DNS query: 17.253.15.210
Source: unknown  TCP traffic detected without corresponding DNS query: 88.221.168.210
Source: classification engine  Classification label: clean0.macSTRINGS@0/0@0/0
Source: /usr/bin/open (PID: 884)  Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
MITRE ATT&CK Matrix (only the techniques with hits are listed; every other cell of the matrix was empty):
  • Discovery: System Information Discovery (1)
  • Command and Control: Encrypted Channel (1)
  • Command and Control: Application Layer Protocol (1)
Source               Detection  Scanner        Label
Localizable.strings  0%         Virustotal
Localizable.strings  0%         ReversingLabs
No Antivirus matches
No contacted domains info
Name                                           Source               Malicious  Antivirus Detection  Reputation
http://liondiskmaker.com/?page_id=149          Localizable.strings  false                           unknown
http://liondiskmaker.com/?page_id=151&lang=fr  Localizable.strings  false                           unknown
http://blog.gete.net/lion-diskmaker-fr         Localizable.strings  false                           unknown
http://liondiskmaker.com/?lang=fr              Localizable.strings  false                           unknown
http://blog.gete.net/lion-diskmaker-us         Localizable.strings  false                           unknown
http://liondiskmaker.com/                      Localizable.strings  false                           unknown
IP              Domain   Country         ASN    ASN Name      Malicious
88.221.168.210  unknown  European Union  16625  AKAMAI-AS US  false
No created / dropped files found
File type:Unicode text, UTF-8 text, with very long lines (600)
Entropy (8bit):4.936931280143745
TrID:
File name:Localizable.strings
File size:11875
MD5:2c6cc441ccdea763c0be634ab46ae0f6
SHA1:7968a661c4bf7f54a8ed1ef501a083a337aacf6e
SHA256:41ecf6703414bbee3cf309de7b3c3b94a8495f93118f260ab3d2299ab405bb62
SHA512:173779861c98bff0ec239344af6b68c6ef26e5ed13d264297992a541d21ba5ae85a171ddbd1b02f34ac7551fffcb33a45a28e27b7eb39a33875443987847dc5e
SSDEEP:192:zhQU06Mn7H7IE6Vy8WmMyzgOPsMzL4ekGX1Z3JXJy4LzmhW16Q7XaTs:zhQUzSbIPVy8WmsOkAwO1XXZIW16QzCs
TLSH:4332A4BD4B40037C2952C3A1623FBF17FB108329662DA18E4D6FC55522DF90AE67BA53
File Content Preview:"A newer version of DiskMaker X is available. Do you want to download it?" = "Uma vers..o mais recente do DiskMaker X est.. dispon..vel. Voc.. deseja fazer a transfer..ncia?" ;.."Not now, thanks" = "Agora n..o, obrigado";.."Get new version" = "Obter a nov

System Behavior

Start time:16:44:23
Start date:29/11/2022
Path:/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:n/a
File size:3722408 bytes
MD5 hash:8910349f44a940d8d79318367855b236

Start time:16:44:23
Start date:29/11/2022
Path:/usr/bin/open
Arguments:
File size:105952 bytes
MD5 hash:40ed6d8f35c9f20484b97582d296398f