Edit tour

macOS Analysis Report
https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw

Overview

General Information

Sample URL:	https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw
Analysis ID:	831167
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false

Signatures

Writes 64-bit Mach-O files to disk

Reads launchservices plist files

Classification

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	831167
Start date and time:	2023-03-21 07:31:23 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	browseurl.jbs
Sample URL:	https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw
Analysis system description:	Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:	default
Detection:	CLEAN
Classification:	clean1.mac@0/10@4/0

Warnings

Excluded IPs from analysis (whitelisted): 3.73.173.154, 2.16.12.21, 172.217.18.99, 142.250.186.138, 172.217.18.10, 172.217.18.3
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): configuration.apple.com, fonts.googleapis.com, gateway.icloud.com, e673.dsce9.akamaiedge.net, fonts.gstatic.com, configuration.apple.com.akadns.net, configuration.apple.com.edgekey.net, api-glb-euc1b.smoot.apple.com, safebrowsing.googleapis.com, www.gstatic.com, api.smoot.apple.com, bag-smoot.v.aaplimg.com
Report size getting too big, too many PREAD calls found.

Process Tree

System is macvm-highsierra

mono-sgen32 New Fork (PID: 878, Parent: 812)

open (MD5: 40ed6d8f35c9f20484b97582d296398f) Arguments:

xpcproxy New Fork (PID: 879, Parent: 1)

Safari (MD5: 8e18be737fe87f19fe7a97b4821e2005) Arguments: /Applications/Safari.app/Contents/MacOS/Safari

cleanup

String found in binary or memory: https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCAuerig2N-RZWJT8x75V9yw%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 equals www.youtube.com (Youtube)

Source: .dat.nosync036f.TyISu0.259.dr

String found in binary or memory: https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCAuerig2N-RZWJT8x7

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comContent-Type: application/x-www-form-urlencoded;charset=UTF-8Origin: https://consent.youtube.comAccept-Encoding: br, gzip, deflateConnection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Referer: https://consent.youtube.com/Content-Length: 2068Accept-Language: en-us

Source: unknown	HTTPS traffic detected: 17.248.248.15:443 -> 192.168.11.11:49308 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.174:443 -> 192.168.11.11:49312 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.11.11:49313 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.164:443 -> 192.168.11.11:49339 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.142:443 -> 192.168.11.11:49340 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.248.15:443 -> 192.168.11.11:49341 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.248.15:443 -> 192.168.11.11:49343 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.248.15:443 -> 192.168.11.11:49344 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.248.15:443 -> 192.168.11.11:49345 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.248.15:443 -> 192.168.11.11:49346 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.142:443 -> 192.168.11.11:49347 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.248.15:443 -> 192.168.11.11:49349 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.248.15:443 -> 192.168.11.11:49352 version: TLS 1.2

Source: classification engine

Classification label: clean1.mac@0/10@4/0

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 879)	File written: /private/var/tmp/NSCreateObjectFileImageFromMemory-TphzPP	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 879)	File written: /private/var/tmp/NSCreateObjectFileImageFromMemory-cKdWhB	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 879)	File written: /private/var/tmp/NSCreateObjectFileImageFromMemory-GLnGst	Jump to dropped file

Source: /usr/bin/open (PID: 878)

Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist

Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 879)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 879)

Random device file read: /dev/urandom

Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 879)	Binary plist file created: /Users/berri/Library/WebKit/com.apple.Safari/WebsiteData/ResourceLoadStatistics/full_browsing_session_resourceLog.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 879)	Binary plist file created: /private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync036f.Pk6yS5	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 879)	Binary plist file created: /Users/berri/Library/Safari/.dat.nosync036f.TyISu0	Jump to dropped file

Source: /usr/bin/open (PID: 878)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 879)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Plist Modification	1 Plist Modification	Direct Volume Access	OS Credential Dumping	11 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw	0%	Avira URL Cloud	safe
https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.174	true	false	high
play.google.com	172.217.16.142	true	false	high
gateway.fe.apple-dns.net	17.248.248.15	true	false	unknown
consent.youtube.com	172.217.16.206	true	false	high
www.google.com	142.250.186.164	true	false	high
www.youtube.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw	false	high
https://play.google.com/log?format=json&hasfast=true	false	high
https://consent.youtube.com/_/ConsentUi/browserinfo?f.sid=6542961051346440918&bl=boq_identityfrontenduiserver_20230314.06_p1&hl=en&gl=GB&_reqid=30759&rt=j	false	high
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	high
https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCAuerig2N-RZWJT8x75V9yw%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1	false	high
https://www.google.com/favicon.ico	false	high
https://consent.youtube.com/_/ConsentUi/browserinfo?f.sid=6542961051346440918&bl=boq_identityfrontenduiserver_20230314.06_p1&hl=en&gl=GB&_reqid=130759&rt=j	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCAuerig2N-RZWJT8x7	.dat.nosync036f.TyISu0.259.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.174	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
172.217.16.206	consent.youtube.com	United States	15169	GOOGLEUS	false
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false
172.217.16.142	play.google.com	United States	15169	GOOGLEUS	false

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	1975
Entropy (8bit):	7.487661238463374
Encrypted:	false
SSDEEP:	48:E3NmrooTlg9iiQx8k4WV9gnauI6OqVtj92:zdAiie6W7gnaH6zVtx2
MD5:	1F3685B645E3B97F0AABD44E81400036
SHA1:	BFC73C25F4737944DC2883B6B2A8298206F1338A
SHA-256:	C6C330510935B7694416DE28248F57DF1F594671AB01762A14F915CF314DFB2B
SHA-512:	7B9A99FB8203C5FE39184C8BE9CC65880CB578EEFB2D19AA563E8A3D6D00345F46B26FE318D125FB0C2954C6391215D6EDD85C0B7B3AC359FC01E11D9A7875DA
Malicious:	false
Reputation:	low
Preview:	bplist00.....^SessionVersion^SessionWindowsS1.0............................9_..SelectedTabIndex\TabBarHiddenZDateClosed_..FavoritesBarHidden]IsPopupWindow_. PrefersReadingListSidebarVisible\Miniaturized_..WindowStateVersionZWindowUUID_..WindowContentRectYTabStates_..IsPrivateWindow_..SelectedPinnedTabIndex...3A...f......S2.0_.$767827F8-A1E2-43E6-8B6B-5F7E699222EA_..{{0, 52}, {1024, 693}}.... !."#.$%&'().,-...0123456.\IsDisposable\SessionState_..AncestorTabIdentifers_..SessionStateIsEncryptedXTabIndex]LastVisitTimeWTabUUIDVTabURL]TabIdentifierXTabTitle_..ProcessIdentifierWIsMuted.O...>,V.9U...S..J.I..b./..?."Z......\|.0....D.:Pfu.Q.^,...9......S.%..`.[M.(.)d..............g...........Q.A..Cj..1.4..Qb.....<..Y..M;..4..C.3.p.@.p.O....+,f.1}7.[C..p...eZ."M(....Y...k.k.5...].b[.J..JB.....M...0.'..1Q...6..\.6....\|..........O.[KGa.$..i_i..2.....yp......K..?.Ox..f..5.. 1{..O..4..-...il....j...U.l#_.>].S.....?....p.1.....D.....;..<S..i.Xi}....Z...q}...,p4.x...;..A4+.P.e

/Users/berri/Library/Safari/Favicon Cache/favicons/.dat.nosync036f.pdcdlR

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	low
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

/Users/berri/Library/WebKit/com.apple.Safari/WebsiteData/ResourceLoadStatistics/full_browsing_session_resourceLog.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	999
Entropy (8bit):	5.692112784657474
Encrypted:	false
SSDEEP:	24:rqx+XBs6DRXsebAMF+XBSs6DRXe/P/+XBSs6DRXM/AKTalmB:rmGs6RkMFKSs6SP/KSs64ALa
MD5:	70D90C1F8717A3931E5F0A22CF43ADEE
SHA1:	F8C268906301E804CFF2F0337855ED5302E6A8D5
SHA-256:	5E6022AE8CD5C62E3896D2516506618296D671E41CF2A66252C8FE0221C585FA
SHA-512:	0FA87B7D5D1E7D3A9FA48A0BC6A3C29A71CF9763BC534AD1FF22B843C1BEFC3F75F5CE634995B10AA3ABE22504526A49682200D1E69E4C92E55FBCFB9937A6D1
Malicious:	false
Reputation:	low
Preview:	bplist00.......@A^operatingDates_..browsingStatistics_..endOfGrandfatheringTimestampWversion.....Tdate#A..<...... 0................._..PrevalentResourceOrigin_..mostRecentUserInteractionXlastSeen]grandfathered_..isPrevalentResource_..subresourceUnderTopFrameOrigins_..hadUserInteraction_..dataRecordsRemoved[gstatic.com#........#A..U\|............VoriginUcount[youtube.com......!".#$%&'(....+.._..PrevalentResourceOrigin_..mostRecentUserInteraction]grandfathered_..isPrevalentResource_..subresourceUnderTopFrameOrigins_..hadUserInteraction_..dataRecordsRemoved_..fonts.googleapis.com...,...-.[youtube.com....12.345678....;.._..PrevalentResourceOrigin_..mostRecentUserInteraction]grandfathered_..isPrevalentResource_..subresourceUnderTopFrameOrigins_..hadUserInteraction_..dataRecordsRemovedZgoogle.com...<...=>[youtube.com...#............... .5.T.\.^.a.f.o.s.................3.?.H.Q.R.S.U.Z.a.g.s.u.v.x.............../.F.G.H.J.O.[.].^.o............... .!.".$.).5.7.8.A...............B...............C

/dev/null

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	ASCII text
Category:	dropped
Size (bytes):	661
Entropy (8bit):	5.249043164367681
Encrypted:	false
SSDEEP:	12:kYRGp1o/LVNQp1o/LVp1o/LIp1o/LWp1o/LW:9GpgspgVpgIpgWpgW
MD5:	F84EE5D1B09071A89736D44844137D8A
SHA1:	21E1CA7657746390E720A3478F2E1B7D98230292
SHA-256:	D87EBBB355D4FDF96AF8FA8E2556A5B2A9E88AE60BC1DBFD07B5FAA00EFEB470
SHA-512:	83CD3D9E0EF6E2D6C3C46E48F210DD2D6D7EC30A893CFEC03F509E7D0BBC96D6AD33429F4A5F8C66C46A643755571D1DC94806F522330B1CBD0ED1FBE825CF2D
Malicious:	false
Reputation:	low
Preview:	2023-03-21 08:32:30.491 Safari[879:6820] ApplePersistence=NO.2023-03-21 08:32:31.582 Safari[879:6870] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).2023-03-21 08:32:32.224 Safari[879:6862] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).2023-03-21 08:32:32.785 Safari[879:6869] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).2023-03-21 08:32:34.306 Safari[879:6861] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).2023-03-21 08:32:34.371 Safari[879:6861] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813).

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync036f.Pk6yS5

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.9370658315190226
Encrypted:	false
SSDEEP:	3:N1n6qMvRGNMTAnd/t1tH:N1nleRaMTAltH
MD5:	CDC65B5F112547EAFAE0F16F9C149426
SHA1:	AEAF9908A5B6FF3E2F7B738ABF5FE9E79108BA01
SHA-256:	1C6D085D871A855CE4A3902BAB4B9B92631B8EE8F0B7F6536768A2AAF427B45C
SHA-512:	E8B0E4CE6A760A718A19976D3CFE9063F04FB4BF179947AECA84E94C83F21459FB9DC0FFABEA8F633BD2D0BA94FE1E15D8C97E9604FDE8BD0DEA961EB83BDDB7
Malicious:	false
Reputation:	low
Preview:	bplist00..._..ExtensionArchivesExtracted...(...............................)

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsDirectory.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533948990143748
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGBOmBfbouR6/chQOnGqwc2U+v+h/:8MdGleOGmBouRwchQOnGqwc2U+v+h/
MD5:	09070E01FA6ED1973D94FAD50C35E3ED
SHA1:	7546663E66F9889EE3365A7A0BE372300C6022CA
SHA-256:	2E6EC437A97DD88F9067B2E99AC64789670D9B9C1FC50B2856E392E66163211F
SHA-512:	621399FF832F1A8352E5E9A54984B878C7D3432156D9CF9986A1A5B75662E92D9A00FA1BA6714D679286BB49E71916F72655AADA2B99880A2806FAFC6F86E7F3
Malicious:	false
Reputation:	low
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsObject.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5113078915037033
Encrypted:	false
SSDEEP:	48:m6Xsh+CLjL3Pe3T5FFKfEuyu+iYxGv4sS:3X6LjLfe3wEuyu9YxGQX
MD5:	D487F899A14AE98519B46D51BC810F1B
SHA1:	64877ECFBE47ED66EED545B2449BBE8B22B775D0
SHA-256:	4835899C464487946E281D535381D4CAB8BC90EC08CD00A6A0ECB97854E9321D
SHA-512:	EB4FABD61B4FD2B9EF3C9E93793CA5F11353A1F81EA4DA22E0F79ED45D89180B77469B9E5DCD5350AE650B31DE9018743DA7716EFA7B5CDDFC3FA7A13C476F40
Malicious:	false
Reputation:	low
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

/private/var/tmp/NSCreateObjectFileImageFromMemory-GLnGst

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mach-O 64-bit x86_64 bundle, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Category:	dropped
Size (bytes):	4752
Entropy (8bit):	5.761647040683616
Encrypted:	false
SSDEEP:	96:xKvjeoJ2eQIMA1EVQvOsD1cbY2vF/jllllllllKflNJz5w6w:0dJ2eQpMtxmvrllllllllKfly
MD5:	1D6F449D22D11E760495CE85C933ADF8
SHA1:	D77F5B05549E51310D0C96347482178EBD23C476
SHA-256:	BEF505FE1329E19B4AF2FFFD868C753A0824B96FB4531BD106C810D96EFB1D94
SHA-512:	4A9F4BD053BC5069625D60DDD3E1225E01FCE6B31824C35A12D7CAFAC2AD9BF79EE7785A6860E5549836970D8A4C7968355EC715C652EE1C771EDD9D9D1616A6
Malicious:	false
Reputation:	low
Preview:	.................... ...............(...__TEXT..........................................................__text..........__TEXT..................k.......................................__const.........__TEXT..................@.......................................__literal4......__TEXT..........................................................__compact_unwind__LD....................@.......................................__eh_frame......__TEXT..................h..........................h............__opencl........__TEXT..........p...............p...................................H...__LINKEDIT...............................................................{..T@_.d...a.C"...0.......................................X...........X...................P...................................................................................................................................................................................................................................................

/private/var/tmp/NSCreateObjectFileImageFromMemory-TphzPP

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mach-O 64-bit x86_64 bundle, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Category:	dropped
Size (bytes):	4780
Entropy (8bit):	5.78784933687558
Encrypted:	false
SSDEEP:	96:xav2J2yfQoIeVyCxVaBHlZF/jllllllllKflPz5w65:keJ2OQYTTarllllllllKflT
MD5:	6903FFA70C6EF8F2493E3E49101C694D
SHA1:	B70A5F8C3F48BB2251B114500DFFF1CCCE72D966
SHA-256:	633CEE31BFBF56590F6B62891CD0CB55264FD0F01E183036D8E3556B9EFF72D5
SHA-512:	2A8A297AEE0F285EAA494BA5B731D023BF6438E207B83495FF490EB67BE3D9B4E887F91680761E759973D9FEC782B9E0CEC7E1957C4E794739A0DF90E2346D87
Malicious:	false
Reputation:	low
Preview:	.................... ...............(...__TEXT..........................................................__text..........__TEXT..................[.......................................__const.........__TEXT..........`.......@.......`...............................__literal4......__TEXT..........................................................__compact_unwind__LD....................@.......................................__eh_frame......__TEXT..................h..........................h............__opencl........__TEXT..........P...............P...................................H...__LINKEDIT................................................................P/^(G....@.`.."...0.......................................h...........h...................P...................................................................................................................................................................................................................................................

/private/var/tmp/NSCreateObjectFileImageFromMemory-cKdWhB

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mach-O 64-bit x86_64 bundle, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Category:	dropped
Size (bytes):	17444
Entropy (8bit):	4.344991783661145
Encrypted:	false
SSDEEP:	384:wKjJcXgiRVP7J3AMqLllllllKfllJlROW:wia13AMqAOW
MD5:	09CBD27A6D6C025F5067FCA3ECEB23C0
SHA1:	B6C4CE88D1174DA7EC3BD2A6B01B56FD10A2C412
SHA-256:	817D05E0855D1D66A1DE931BC52DA7F1C4C57F6C0049B5EE758E4ADCA8A780E8
SHA-512:	361C3F619B6B9C0EBAAEA16E25960539FB86FD72236D0908A679810A998DB283D2B7589BA454E283963EF4857FA538C836CC2116351DD8AED793C05F03419F83
Malicious:	false
Reputation:	low
Preview:	........................................__TEXT...................0...............0......................__text..........__TEXT..........P...............P...............................__const.........__TEXT...........(......P........(..............................__literal4......__TEXT..........0+..............0+..............................__compact_unwind__LD............H+......@.......H+..............................__eh_frame......__TEXT...........+......h........+.................h............__symbol_stub1..__TEXT...........+...............+..............................__stub_helper...__TEXT...........+...............+..............................__opencl........__TEXT...........,...............,......................................__DATA...........0...............0..............................__nl_symbol_ptr.__DATA...........0...............0..............................__la_symbol_ptr.__DATA...........0...............0..................................H...__LINKEDIT......

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2023 07:32:33.046024084 CET	49308	443	192.168.11.11	17.248.248.15
Mar 21, 2023 07:32:33.046104908 CET	443	49308	17.248.248.15	192.168.11.11
Mar 21, 2023 07:32:33.046658039 CET	49308	443	192.168.11.11	17.248.248.15
Mar 21, 2023 07:32:33.047487020 CET	49308	443	192.168.11.11	17.248.248.15
Mar 21, 2023 07:32:33.047557116 CET	443	49308	17.248.248.15	192.168.11.11
Mar 21, 2023 07:32:33.108097076 CET	443	49308	17.248.248.15	192.168.11.11
Mar 21, 2023 07:32:33.108896017 CET	49308	443	192.168.11.11	17.248.248.15
Mar 21, 2023 07:32:33.108990908 CET	49308	443	192.168.11.11	17.248.248.15
Mar 21, 2023 07:32:33.180778027 CET	49308	443	192.168.11.11	17.248.248.15
Mar 21, 2023 07:32:33.180995941 CET	443	49308	17.248.248.15	192.168.11.11
Mar 21, 2023 07:32:33.181586981 CET	49308	443	192.168.11.11	17.248.248.15
Mar 21, 2023 07:32:33.181642056 CET	443	49308	17.248.248.15	192.168.11.11
Mar 21, 2023 07:32:33.182178974 CET	49308	443	192.168.11.11	17.248.248.15
Mar 21, 2023 07:32:35.198183060 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.198247910 CET	443	49312	142.250.185.174	192.168.11.11
Mar 21, 2023 07:32:35.198765993 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.199888945 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.200984001 CET	443	49312	142.250.185.174	192.168.11.11
Mar 21, 2023 07:32:35.266623020 CET	443	49312	142.250.185.174	192.168.11.11
Mar 21, 2023 07:32:35.267551899 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.267600060 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.268079042 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.268663883 CET	443	49312	142.250.185.174	192.168.11.11
Mar 21, 2023 07:32:35.270092964 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.312140942 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.312602997 CET	443	49312	142.250.185.174	192.168.11.11
Mar 21, 2023 07:32:35.314007998 CET	443	49312	142.250.185.174	192.168.11.11
Mar 21, 2023 07:32:35.315515041 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.316750050 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.351795912 CET	443	49312	142.250.185.174	192.168.11.11
Mar 21, 2023 07:32:35.352171898 CET	443	49312	142.250.185.174	192.168.11.11
Mar 21, 2023 07:32:35.353415012 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.353593111 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.376970053 CET	49312	443	192.168.11.11	142.250.185.174
Mar 21, 2023 07:32:35.377017021 CET	443	49312	142.250.185.174	192.168.11.11
Mar 21, 2023 07:32:35.396194935 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.396284103 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.397582054 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.397970915 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.398036957 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.445987940 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.446732044 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.446813107 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.447072983 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.448985100 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.449945927 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.457524061 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.457586050 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.458617926 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.459148884 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.459942102 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.500374079 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.522388935 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.522612095 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.522794008 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.523164988 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.523338079 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.523339987 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.523397923 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.523432016 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.523586035 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.523792028 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.523814917 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.524041891 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.524117947 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.524163008 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.524367094 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.524544001 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.524656057 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.524827003 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.524923086 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.524946928 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.524971962 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.525357008 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.525597095 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.525660038 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.525806904 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.531508923 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.532109976 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.532337904 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.532397985 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.533030033 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.533093929 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.533153057 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.533607006 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.533884048 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.533950090 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.533972025 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.534276962 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.534548998 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.534888029 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.535101891 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.535129070 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.535157919 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.535182953 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.535795927 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.535804987 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.535844088 CET	49313	443	192.168.11.11	172.217.16.206
Mar 21, 2023 07:32:35.535868883 CET	443	49313	172.217.16.206	192.168.11.11
Mar 21, 2023 07:32:35.536185980 CET	49313	443	192.168.11.11	172.217.16.206

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2023 07:32:32.232289076 CET	53	56249	1.1.1.1	192.168.11.11
Mar 21, 2023 07:32:35.167781115 CET	63371	53	192.168.11.11	1.1.1.1
Mar 21, 2023 07:32:35.177141905 CET	53	63371	1.1.1.1	192.168.11.11
Mar 21, 2023 07:32:35.384959936 CET	51779	53	192.168.11.11	1.1.1.1
Mar 21, 2023 07:32:35.394527912 CET	53	51779	1.1.1.1	192.168.11.11
Mar 21, 2023 07:32:36.907757998 CET	57295	53	192.168.11.11	1.1.1.1
Mar 21, 2023 07:32:36.917454958 CET	53	57295	1.1.1.1	192.168.11.11
Mar 21, 2023 07:32:37.051582098 CET	55576	53	192.168.11.11	1.1.1.1
Mar 21, 2023 07:32:37.060633898 CET	53	55576	1.1.1.1	192.168.11.11
Mar 21, 2023 07:32:46.169306993 CET	137	137	192.168.11.11	192.168.11.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 21, 2023 07:32:35.167781115 CET	192.168.11.11	1.1.1.1	0x1dd0	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.384959936 CET	192.168.11.11	1.1.1.1	0xf18c	Standard query (0)	consent.youtube.com	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:36.907757998 CET	192.168.11.11	1.1.1.1	0x76c1	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:37.051582098 CET	192.168.11.11	1.1.1.1	0xe855	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 21, 2023 07:32:33.042762041 CET	1.1.1.1	192.168.11.11	0x74a4	No error (0)	gateway.fe.apple-dns.net		17.248.248.15	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:33.042762041 CET	1.1.1.1	192.168.11.11	0x74a4	No error (0)	gateway.fe.apple-dns.net		17.248.145.233	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:33.042762041 CET	1.1.1.1	192.168.11.11	0x74a4	No error (0)	gateway.fe.apple-dns.net		17.248.145.82	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:33.042762041 CET	1.1.1.1	192.168.11.11	0x74a4	No error (0)	gateway.fe.apple-dns.net		17.248.145.83	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:33.042762041 CET	1.1.1.1	192.168.11.11	0x74a4	No error (0)	gateway.fe.apple-dns.net		17.248.145.102	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:33.042762041 CET	1.1.1.1	192.168.11.11	0x74a4	No error (0)	gateway.fe.apple-dns.net		17.248.145.208	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:33.042762041 CET	1.1.1.1	192.168.11.11	0x74a4	No error (0)	gateway.fe.apple-dns.net		17.248.248.17	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:33.042762041 CET	1.1.1.1	192.168.11.11	0x74a4	No error (0)	gateway.fe.apple-dns.net		17.248.182.204	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.177141905 CET	1.1.1.1	192.168.11.11	0x1dd0	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:35.394527912 CET	1.1.1.1	192.168.11.11	0xf18c	No error (0)	consent.youtube.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:36.917454958 CET	1.1.1.1	192.168.11.11	0x76c1	No error (0)	www.google.com		142.250.186.164	A (IP address)	IN (0x0001)	false
Mar 21, 2023 07:32:37.060633898 CET	1.1.1.1	192.168.11.11	0xe855	No error (0)	play.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.youtube.com

consent.youtube.com

https:

www.google.com

play.google.com

System Behavior

Analysis Process: mono-sgen32 PID: 878, Parent PID: 812

General

Start time:	07:32:29
Start date:	21/03/2023
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	n/a
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Analysis Process: open PID: 878, Parent PID: 812

General

Start time:	07:32:29
Start date:	21/03/2023
Path:	/usr/bin/open
Arguments:
File size:	105952 bytes
MD5 hash:	40ed6d8f35c9f20484b97582d296398f

Analysis Process: xpcproxy PID: 879, Parent PID: 1

General

Start time:	07:32:29
Start date:	21/03/2023
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	43488 bytes
MD5 hash:	d1bb9a4899f0af921e8188218b20d744

Analysis Process: Safari PID: 879, Parent PID: 1

General

Start time:	07:32:29
Start date:	21/03/2023
Path:	/Applications/Safari.app/Contents/MacOS/Safari
Arguments:	/Applications/Safari.app/Contents/MacOS/Safari
File size:	20896 bytes
MD5 hash:	8e18be737fe87f19fe7a97b4821e2005

Source: global traffic	HTTP traffic detected: GET /channel/UCAuerig2N-RZWJT8x75V9yw HTTP/1.1Host: www.youtube.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: keep-aliveAccept-Encoding: br, gzip, deflateUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7
Source: global traffic	HTTP traffic detected: GET /m?continue=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCAuerig2N-RZWJT8x75V9yw%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/1.1Host: consent.youtube.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Cookie: CONSENT=PENDING+208; SOCS=CAAaBgiA5-OgBg; YSC=VW-BOUX76pM; __Secure-YEC=Cgt1TXpISGNBNkVTVSiDn-WgBg%3D%3DUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usAccept-Encoding: br, gzip, deflateConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-aliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usReferer: https://consent.youtube.com/Accept-Encoding: br, gzip, deflate

Description:	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown	Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49345
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49344
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49343
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49342
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49341
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 49339 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49344 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49342 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49339
Source: unknown	Network traffic detected: HTTP traffic on port 49346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49313
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49312
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown	Network traffic detected: HTTP traffic on port 49341 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49345 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49343 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49308
Source: unknown	Network traffic detected: HTTP traffic on port 49347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49349

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/Users/berri/Library/Safari/.dat.nosync036f.TyISu0

/Users/berri/Library/Safari/Favicon Cache/favicons/.dat.nosync036f.pdcdlR

/Users/berri/Library/WebKit/com.apple.Safari/WebsiteData/ResourceLoadStatistics/full_browsing_session_resourceLog.plist

/dev/null

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/0/SafariFamily/Safari/.dat.nosync036f.Pk6yS5

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsDirectory.db_

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsObject.db_

/private/var/tmp/NSCreateObjectFileImageFromMemory-GLnGst

/private/var/tmp/NSCreateObjectFileImageFromMemory-TphzPP

/private/var/tmp/NSCreateObjectFileImageFromMemory-cKdWhB

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

System Behavior

Analysis Process: mono-sgen32 PID: 878, Parent PID: 812

General

Analysis Process: open PID: 878, Parent PID: 812

General

Analysis Process: xpcproxy PID: 879, Parent PID: 1

General

Analysis Process: Safari PID: 879, Parent PID: 1

General

macOS Analysis Report
https://www.youtube.com/channel/UCAuerig2N-RZWJT8x75V9yw