Edit tour

macOS Analysis Report
Localizable.strings

Overview

General Information

Sample Name:	Localizable.strings
Analysis ID:	756111
MD5:	2c6cc441ccdea763c0be634ab46ae0f6
SHA1:	7968a661c4bf7f54a8ed1ef501a083a337aacf6e
SHA256:	41ecf6703414bbee3cf309de7b3c3b94a8495f93118f260ab3d2299ab405bb62
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false

Signatures

Reads launchservices plist files

Classification

Analysis Advice

Sample could not be started, try setting a correct file extension or analyze on a different analysis machine.

Exit code suggests that the sample could not be started, try to look at standard streams or writes to anonymous pipes for possible reason.

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756111
Start date and time:	2022-11-29 16:43:26 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Localizable.strings
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:	default
Detection:	CLEAN
Classification:	clean0.macSTRINGS@0/0@0/0

Warnings

Excluded IPs from analysis (whitelisted): 17.253.15.206, 17.253.15.199
Excluded domains from analysis (whitelisted): ocsp.apple.com, ocsp-a.g.aaplimg.com

Runtime Messages

Command:	open "/Users/berri/Desktop/Localizable.strings"
PID:	884
Exit Code:	1
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	No application knows how to open /Users/berri/Desktop/Localizable.strings.

Process Tree

System is macvm-highsierra

mono-sgen32 New Fork (PID: 884, Parent: 811)

open (MD5: 40ed6d8f35c9f20484b97582d296398f) Arguments:

cleanup

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49302

Source: Localizable.strings	String found in binary or memory: http://blog.gete.net/lion-diskmaker-fr
Source: Localizable.strings	String found in binary or memory: http://blog.gete.net/lion-diskmaker-us
Source: Localizable.strings	String found in binary or memory: http://liondiskmaker.com/
Source: Localizable.strings	String found in binary or memory: http://liondiskmaker.com/?lang=fr
Source: Localizable.strings	String found in binary or memory: http://liondiskmaker.com/?page_id=149
Source: Localizable.strings	String found in binary or memory: http://liondiskmaker.com/?page_id=151&lang=fr

Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.15.210
Source: unknown	TCP traffic detected without corresponding DNS query: 88.221.168.210
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.15.210
Source: unknown	TCP traffic detected without corresponding DNS query: 88.221.168.210
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.248.70

Source: classification engine

Classification label: clean0.macSTRINGS@0/0@0/0

Source: /usr/bin/open (PID: 884)

Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Localizable.strings	0%	Virustotal		Browse
Localizable.strings	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://liondiskmaker.com/?page_id=149	Localizable.strings	false	unknown
http://liondiskmaker.com/?page_id=151&lang=fr	Localizable.strings	false	unknown
http://blog.gete.net/lion-diskmaker-fr	Localizable.strings	false	unknown
http://liondiskmaker.com/?lang=fr	Localizable.strings	false	unknown
http://blog.gete.net/lion-diskmaker-us	Localizable.strings	false	unknown
http://liondiskmaker.com/	Localizable.strings	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.221.168.210	unknown	European Union		16625	AKAMAI-ASUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Unicode text, UTF-8 text, with very long lines (600)
Entropy (8bit):	4.936931280143745
TrID:
File name:	Localizable.strings
File size:	11875
MD5:	2c6cc441ccdea763c0be634ab46ae0f6
SHA1:	7968a661c4bf7f54a8ed1ef501a083a337aacf6e
SHA256:	41ecf6703414bbee3cf309de7b3c3b94a8495f93118f260ab3d2299ab405bb62
SHA512:	173779861c98bff0ec239344af6b68c6ef26e5ed13d264297992a541d21ba5ae85a171ddbd1b02f34ac7551fffcb33a45a28e27b7eb39a33875443987847dc5e
SSDEEP:	192:zhQU06Mn7H7IE6Vy8WmMyzgOPsMzL4ekGX1Z3JXJy4LzmhW16Q7XaTs:zhQUzSbIPVy8WmsOkAwO1XXZIW16QzCs
TLSH:	4332A4BD4B40037C2952C3A1623FBF17FB108329662DA18E4D6FC55522DF90AE67BA53
File Content Preview:	"A newer version of DiskMaker X is available. Do you want to download it?" = "Uma vers..o mais recente do DiskMaker X est.. dispon..vel. Voc.. deseja fazer a transfer..ncia?" ;.."Not now, thanks" = "Agora n..o, obrigado";.."Get new version" = "Obter a nov

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 16:44:17.757339001 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.766694069 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.766796112 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.766870022 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.767663956 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.767663956 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.779956102 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.779957056 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.779957056 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.779957056 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.780102968 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.789170027 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.789271116 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.789343119 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.789408922 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.789475918 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.790016890 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.790385008 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.790503979 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.790596008 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.790797949 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.790885925 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.790952921 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.791385889 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.791387081 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.791471004 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.791651964 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.791651964 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.791766882 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.791872025 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.791943073 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.792397976 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.792562962 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.792740107 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.792768002 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.792875051 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.792963028 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.793469906 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.793471098 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.793471098 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.793839931 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.793957949 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.794032097 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.794435978 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.794511080 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.794512033 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.799211025 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.799320936 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.799397945 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.800174952 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.800226927 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.800228119 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.800287008 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.800333023 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.800400972 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:17.801047087 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.801047087 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.801047087 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.929836035 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:17.938807011 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:29.853941917 CET	49293	80	192.168.11.11	17.253.15.210
Nov 29, 2022 16:44:29.854063988 CET	49294	80	192.168.11.11	88.221.168.210
Nov 29, 2022 16:44:29.863038063 CET	80	49293	17.253.15.210	192.168.11.11
Nov 29, 2022 16:44:29.863706112 CET	49293	80	192.168.11.11	17.253.15.210
Nov 29, 2022 16:44:29.866926908 CET	80	49294	88.221.168.210	192.168.11.11
Nov 29, 2022 16:44:29.867552042 CET	49294	80	192.168.11.11	88.221.168.210
Nov 29, 2022 16:44:47.790657997 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:47.790779114 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:47.790873051 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:47.791754961 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:47.791755915 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:47.791755915 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:47.795222998 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:47.795223951 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:47.795783997 CET	49302	443	192.168.11.11	17.248.248.70
Nov 29, 2022 16:44:47.804214954 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:47.804380894 CET	443	49302	17.248.248.70	192.168.11.11
Nov 29, 2022 16:44:47.804471016 CET	443	49302	17.248.248.70	192.168.11.11

System Behavior

Analysis Process: mono-sgen32 PID: 884, Parent PID: 811

General

Start time:	16:44:23
Start date:	29/11/2022
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	n/a
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Analysis Process: open PID: 884, Parent PID: 811

General

Start time:	16:44:23
Start date:	29/11/2022
Path:	/usr/bin/open
Arguments:
File size:	105952 bytes
MD5 hash:	40ed6d8f35c9f20484b97582d296398f

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report Localizable.strings

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: mono-sgen32 PID: 884, Parent PID: 811

General

Analysis Process: open PID: 884, Parent PID: 811

General

macOS Analysis Report
Localizable.strings