Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32

n/a

/usr/bin/open

/usr/libexec/xpcproxy

n/a

/Applications/Safari.app/Contents/MacOS/Safari

URLs

Name

Malicious

https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw

Details

Filetype:	URL
Filename:	https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw

Signature Hits	Behavior Group	Mitre Attack
Writes 64-bit Mach-O files to disk	Persistence and Installation Behavior
Reads launchservices plist files	Persistence and Installation Behavior	System Information Discovery
Reads the system or server version plist file	Language, Device and Operating System Detection
Performs DNS lookups	Networking
Uses AppleKeyboardLayouts bundle containing keyboard layouts	Persistence and Installation Behavior
Classification label	System Summary
Uses HTTPS	Networking	Encrypted Channel
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Non-Application Layer Protocol Application Layer Protocol Ingress Tool Transfer
Reads data from the local random generator	Persistence and Installation Behavior
Found strings which match to known social media urls	Networking
Writes property list (.plist) files to disk	Persistence and Installation Behavior	Plist Modification
URLs found in memory or binary data	Networking
Posts data to webserver	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw

142.250.185.174

https://play.google.com/log?format=json&hasfast=true

172.217.16.142

https://consent.youtube.com/_/ConsentUi/browserinfo?f.sid=6542961051346440918&bl=boq_identityfrontenduiserver_20230314.06_p1&hl=en&gl=GB&_reqid=30759&rt=j

172.217.16.206

Details

Name:	https://consent.youtube.com/_/ConsentUi/browserinfo?f.sid=6542961051346440918&bl=boq_identityfrontenduiserver_20230314.06_p1&hl=en&gl=GB&_reqid=30759&rt=j
IP:	172.217.16.206
TargetID:	-1
From Memory:	false
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://play.google.com/log?format=json&hasfast=true&authuser=0

172.217.16.142

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCAuerig2N-RZWJT8x75V9yw%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

172.217.16.206

Details

Name:	https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCAuerig2N-RZWJT8x75V9yw%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1
IP:	172.217.16.206
TargetID:	-1
From Memory:	false
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings which match to known social media urls	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://www.google.com/favicon.ico

142.250.186.164

https://consent.youtube.com/_/ConsentUi/browserinfo?f.sid=6542961051346440918&bl=boq_identityfrontenduiserver_20230314.06_p1&hl=en&gl=GB&_reqid=130759&rt=j

172.217.16.206

Details

Name:	https://consent.youtube.com/_/ConsentUi/browserinfo?f.sid=6542961051346440918&bl=boq_identityfrontenduiserver_20230314.06_p1&hl=en&gl=GB&_reqid=130759&rt=j
IP:	172.217.16.206
TargetID:	-1
From Memory:	false
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCAuerig2N-RZWJT8x7

unknown

Details

Name:	https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCAuerig2N-RZWJT8x7
TargetID:	259
From Memory:	true
Current Path:	/Applications/Safari.app/Contents/MacOS/Safari
Source:	.dat.nosync036f.TyISu0.259.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings which match to known social media urls	Networking
URLs found in memory or binary data	Networking

Domains

Name

Malicious

youtube-ui.l.google.com

142.250.185.174

play.google.com

172.217.16.142

Details

Name:	play.google.com
IP:	172.217.16.142
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

gateway.fe.apple-dns.net

17.248.248.15

consent.youtube.com

172.217.16.206

Details

Name:	consent.youtube.com
IP:	172.217.16.206
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found strings which match to known social media urls	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

www.google.com

142.250.186.164

Details

Name:	www.google.com
IP:	142.250.186.164
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Uses secure TLS version for HTTPS connections	Compliance, Networking

www.youtube.com

unknown

Details

Name:	www.youtube.com
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found strings which match to known social media urls	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

142.250.185.174

youtube-ui.l.google.com

United States

Details

IP:	142.250.185.174
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	youtube-ui.l.google.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.217.16.206

consent.youtube.com

United States

Details

IP:	172.217.16.206
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	consent.youtube.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

142.250.186.164

www.google.com

United States

Details

IP:	142.250.186.164
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	www.google.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.217.16.142

play.google.com

United States

Details

IP:	172.217.16.142
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	play.google.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw

Files

Processes

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw

Files

Processes

URLs

Domains

IPs

IOC Report
https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw