
Analysis Report DwtuKb8m5R

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 73246
Start date: 09.04.2019
Start time: 16:43:13
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 6m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DwtuKb8m5R
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal84.troj.spyw.evad.mac@0/4@0/0

Detection

Strategy: Threshold
Score: 84
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Classification

Mitre Att&ck Matrix

Techniques are listed per tactic; a trailing number marks a technique matched by one or more signatures in this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command-Line Interface 1; Scripting 1; Windows Management Instrumentation; Scheduled Task
Persistence: Hidden Files and Directories 1; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Hidden Files and Directories 1; Disabling Security Tools 1; Scripting 1; Obfuscated Files or Information 1
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: System Information Discovery 571; Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Remote Access Tools 1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication

Signature Overview

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.55.207
Source: unknown | TCP traffic detected without corresponding DNS query: 104.102.19.83
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.55.207
Source: unknown | TCP traffic detected without corresponding DNS query: 104.102.19.83

System Summary:

Classification label
Source: classification engine | Classification label: mal84.troj.spyw.evad.mac@0/4@0/0

Persistence and Installation Behavior:

Many shell processes execute programs via execve syscall (might be indicative of malicious behavior)
Source: /bin/sh (PID: 669) | Shell process: system_profiler SPHardwareDataType
Source: /bin/sh (PID: 670) | Shell process: awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }
Source: /bin/sh (PID: 673) | Shell process: ioreg -l
Source: /bin/sh (PID: 674) | Shell process: grep -e Manufacturer
Source: /bin/sh (PID: 675) | Shell process: sleep 2
Source: /bin/sh (PID: 677) | Shell process: sysctl hw.model
Source: /bin/sh (PID: 678) | Shell process: sleep 2
Source: /bin/sh (PID: 680) | Shell process: ioreg -rd1 -c IOPlatformExpertDevice
Source: /bin/sh (PID: 681) | Shell process: awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }
Source: /bin/sh (PID: 683) | Shell process: touch -t 1510090209 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex
Source: /bin/sh (PID: 685) | Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 687) | Shell process: uname -m
Source: /bin/sh (PID: 689) | Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 691) | Shell process: uname -m

Sample file contains a Mach-O with an entry point into CFstrings (probably to hamper static analysis)
Source: initial sample | Entry point in __cfstring: 0xF0000E44

Executes commands using a shell command-line interpreter
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Shell command executed: sh -c system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }' 2>/dev/null
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Shell command executed: sh -c ioreg -l | grep -e 'Manufacturer' 2>&1 & sleep 2 kill $! > /dev/null 2>&1
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Shell command executed: sh -c sysctl hw.model 2>&1 & sleep 2 kill $! > /dev/null 2>&1
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Shell command executed: sh -c ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }' 2>&1
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Shell command executed: sh -c touch -t 1510090209 '/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex' > /dev/null 2>&1
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Shell command executed: sh -c sw_vers -productVersion 2>&1
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Shell command executed: sh -c uname -m 2>&1

Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 674) | Grep executable: /usr/bin/grep -> grep -e Manufacturer

Executes the "sysctl" command used to retrieve or modify kernel settings
Source: /bin/sh (PID: 677) | Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model

Executes the "touch" command used to create files or modify time stamps
Source: /bin/sh (PID: 683) | Touch executable: /usr/bin/touch -> touch -t 1510090209 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex

Reads launchservices plist files
Source: /usr/sbin/system_profiler (PID: 671) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist

Executes the "awk" command used to scan for patterns (typically in standard output)
Source: /bin/sh (PID: 670) | Awk executable: /usr/bin/awk -> awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }
Source: /bin/sh (PID: 681) | Awk executable: /usr/bin/awk -> awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }

Hooking and other Techniques for Hiding and Protection:

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | PTRACE system call (PT_DENY_ATTACH): PID 667 denies future traces

Hides files and/or directories from GUI
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Hidden flag set: /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Hidden flag set: /tmp/store

Malware Analysis System Evasion:

Queries the Boot ROM version of the machine (might be used for detecting native machines, i.e. VM presence)
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Boot ROM Version keywords found in command: /bin/sh sh -c system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }' 2>/dev/null
Source: /bin/sh (PID: 670) | Boot ROM Version keywords found in command: /usr/bin/awk awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }

Queries the Manufacturer of the machine (might be used for detecting VM presence)
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | Manufacturer keyword found in command: /bin/sh sh -c ioreg -l | grep -e 'Manufacturer' 2>&1 & sleep 2 kill $! > /dev/null 2>&1
Source: /bin/sh (PID: 674) | Manufacturer keyword found in command: /usr/bin/grep grep -e Manufacturer

Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/sh (PID: 675) | Sleep executable: /bin/sleep -> sleep 2
Source: /bin/sh (PID: 678) | Sleep executable: /bin/sleep -> sleep 2

Reads the sysctl hardware model value (might be used for detecting VM presence)
Source: /usr/sbin/system_profiler (PID: 671) | Sysctl read request: hw.model (6.2)
Source: /usr/sbin/sysctl (PID: 677) | Sysctl read request: hw.model (6.2)

Language, Device and Operating System Detection:

Executes the "ioreg" command used to gather hardware information (I/O kit registry)
Source: /bin/sh (PID: 673) | IOreg executable: /usr/sbin/ioreg -> ioreg -l
Source: /bin/sh (PID: 680) | IOreg executable: /usr/sbin/ioreg -> ioreg -rd1 -c IOPlatformExpertDevice

Queries the unique Apple serial number of the machine
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | IOPlatformSerialNumber keyword found in command: /bin/sh sh -c ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }' 2>&1
Source: /bin/sh (PID: 681) | IOPlatformSerialNumber keyword found in command: /usr/bin/awk awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }

Queries OS software version with shell command 'sw_vers'
Source: /bin/sh (PID: 685) | sw_vers executed: sw_vers -productVersion
Source: /bin/sh (PID: 689) | sw_vers executed: sw_vers -productVersion

Reads hardware related sysctl values
Source: /usr/sbin/system_profiler (PID: 671) | Sysctl read request: hw.cpu_freq (6.15)
Source: /usr/sbin/system_profiler (PID: 671) | Sysctl read request: hw.memsize (6.24)

Reads the system's OS release and/or type
Source: /usr/bin/uname (PID: 687) | Sysctl requested: kern.ostype (1.1)
Source: /usr/bin/uname (PID: 687) | Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/uname (PID: 691) | Sysctl requested: kern.ostype (1.1)
Source: /usr/bin/uname (PID: 691) | Sysctl requested: kern.osrelease (1.2)

Reads the system's hostname
Source: /bin/sh (PID: 668) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 672) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 676) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 679) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 682) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 684) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 686) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/uname (PID: 687) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 688) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 690) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/uname (PID: 691) | Sysctl requested: kern.hostname (1.10)

Reads the system or server version plist file
Source: /usr/bin/sw_vers (PID: 685) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 689) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Stealing of Sensitive Information:

Executes the "system_profiler" command used to collect detailed system hardware and software information
Source: /bin/sh (PID: 669) | System_profiler executable: /usr/sbin/system_profiler -> system_profiler SPHardwareDataType
Source: /usr/sbin/system_profiler (PID: 669) | System_profiler executable: /usr/sbin/system_profiler -> /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full

Executes the "uname" command used to read OS and architecture name
Source: /bin/sh (PID: 687) | Uname executable: /usr/bin/uname -> uname -m
Source: /bin/sh (PID: 691) | Uname executable: /usr/bin/uname -> uname -m

Remote Access Functionality:

Detected macOS OceanLotus
Source: /Users/henry/Desktop/DwtuKb8m5R (PID: 667) | IOC file dropped: /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex


Runtime Messages

Command: /Users/henry/Desktop/DwtuKb8m5R
Exit Code:
Exit Code Info:
Killed: True
Standard Output:
Standard Error:

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Shell
  • Is malicious
  • Internet

[Behavior graph image; the node data recoverable from it follows]

Behavior Graph ID: 73246
Sample: DwtuKb8m5R
Startdate: 09/04/2019
Architecture: MAC
Score: 84

Network nodes:
  17.253.55.207, 49234, 80, APPLE-AUSTIN-AppleIncUS, United States
  104.102.19.83, 49235, 80, unknown, United States

Dropped files:
  /Library/Storage/F...cf6e/pivtoken.appex, data
  /dev/null, ASCII

Process tree (sample node: mono-sgen32 DwtuKb8m5R; signatures attached to it: Sample file contains a Mach-O with an entry point into CFstrings, Detected macOS OceanLotus, Queries the Manufacturer of the machine, Queries the Boot ROM version of the machine, 3 other signatures):
  sh -> sh system_profiler -> system_profiler
     -> sh awk
  sh -> sh ioreg
     -> sh grep
     -> sh sleep
  sh -> sh ioreg
     -> sh awk
  6 other processes -> sh sysctl
                    -> 6 other processes

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.