
Analysis Report

Overview

General Information

Joe Sandbox Version:19.0.0
Analysis ID:37008
Start time:09:40:01
Joe Sandbox Product:Cloud
Start date:03.05.2017
Overall analysis duration:0h 9m 40s
Report type:full
Sample file name:54ee71f6ad1f91a6f162bd5712d1a2e3d3111c352a0f52db630dcb4638101938.zip
Cookbook file name:default.jbs
Analysis system description:Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_25)
Detection:MAL
Classification:mal72.troj.evad.macZIP@0/18@0/0


Detection

Strategy:Threshold
Score:72
Range:0 - 100
Reporting:Report FP / FN
Detection:malicious


Classification

Signature Overview



Networking:

Writes from file descriptors related to (network) sockets
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 594): Writes from socket in process:
Detected TCP or UDP traffic on non-standard ports
Source: global traffic: TCP traffic: 192.168.0.50:49327 -> 185.68.93.74:4545

System Summary:

Classification label
Source: classification engine: Classification label: mal72.troj.evad.macZIP@0/18@0/0
Writes Python scripts without typical Python file extensions
Source: /usr/bin/base64 (PID: 586): Python file created: /private/tmp/AppStore
Submitted sample is a known malware sample
Source: MD5 0e48346ebd57b1b6dbaa0bbad4d579dc: Submitted blacklisted sample: Spyware Dok.B

Persistence and Installation Behavior:

Executes the "PlistBuddy" command used to read and write values to plists
Source: /bin/sh (PID: 599): Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Reads data from the local random generator
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Random device file read: /dev/random
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590): Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 594): Random device file read: /dev/urandom
Submitted sample is a bundle that is signed
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): CodeSignature CodeResources file read: /Users/vreni/Desktop/unpack/Dokument.app/Contents/_CodeSignature/CodeResources
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses the Python framework
Source: /Library/Frameworks/Python.framework/Versions/2.7/bin/python (PID: 590): Python framework application: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/python (PID: 594): Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes log files to disk
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): Log file created: /private/tmp/loader.log
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Log file created: /private/tmp/loader.log
Writes property list (.plist) files to disk
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): XML plist file created: /Users/Shared/AppStore.app/Contents/_CodeSignature/CodeResources
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): XML plist file created: /Users/Shared/AppStore.app/Contents/Info.plist
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): Binary plist file created: /Users/Shared/AppStore.app/Contents/Resources/Base.lproj/MainMenu.nib
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590): XML plist file created: /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist
Changes permissions of written Mach-O files
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): Permissions modified for written 64-bit Mach-O /Users/Shared/AppStore.app/Contents/MacOS/AppStore: bits: - usr: rx grp: rx all: rwx
Creates hidden files, links and/or directories
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590): Hidden directory created: /Users/vreni/Library/Containers/.bella/ -> /Users/vreni/Library/Containers/.bella/
Creates launch services that start periodically
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590): Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file created: /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist
Executes commands using a shell command-line interpreter
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): Shell command executed: /bin/bash -c chmod +x /Users/Shared/AppStore.app
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): Shell command executed: /bin/bash -c sleep 5 && rm -fR '/Users/vreni/Downloads/Dokument.app' && '/Users/Shared/AppStore.app/Contents/MacOS/AppStore' Dokument
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Shell command executed: /bin/bash -c base64 -i /tmp/tmp123 -o /tmp/AppStore -D
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Shell command executed: /bin/bash -c chmod +x /tmp/AppStore && rm -f /tmp/tmp123
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Shell command executed: /bin/bash -c /tmp/AppStore
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Shell command executed: /bin/bash -c sleep 5 && rm -fR '/Users/Shared/AppStore.app'
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 591): Shell command executed: /bin/sh -c scutil --get LocalHostName
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 592): Shell command executed: /bin/sh -c launchctl load -w /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 598): Shell command executed: /bin/sh -c scutil --get LocalHostName
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 599): Shell command executed: /bin/sh -c sysctl hw.model
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 600): Shell command executed: /bin/sh -c /usr/libexec/PlistBuddy -c 'Print :'Macmini6,1'' /System/Library/PrivateFrameworks/ServerInformation.framework/Versions/A/Resources/English.lproj/SIMachineAttributes.plist | grep marketingModel
Executes the "chmod" command used to modify permissions
Source: /bin/bash (PID: 572): Chmod executable: /bin/chmod -> chmod +x /Users/Shared/AppStore.app
Source: /bin/bash (PID: 588): Chmod executable: /bin/chmod -> chmod +x /tmp/AppStore
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 602): Grep executable: /usr/bin/grep -> grep marketingModel
Executes the "python" command used to interpret Python scripts
Source: /tmp/AppStore (PID: 590): Python executable: /Library/Frameworks/Python.framework/Versions/2.7/bin/python -> python /tmp/AppStore
Source: /Users/vreni/Library/Containers/.bella/Bella (PID: 594): Python executable: /usr/bin/python -> python /Users/vreni/Library/Containers/.bella/Bella
Executes the "sysctl" command used to retrieve or modify kernel settings
Source: /bin/sh (PID: 599): Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Explicitly loads/starts launch services
Source: /bin/sh (PID: 592): Launch agent/daemon loaded: launchctl load -w /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist
Reads launchservices plist files
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Reads user launchservices plist file containing default apps for corresponding filetypes
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses AppleScript framework/components containing AppleScript related functionalities
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Uses AppleScript scripting additions containing additional functionalities for AppleScripts
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Writes 64-bit Mach-O files to disk
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): File written: /Users/Shared/AppStore.app/Contents/MacOS/AppStore
Writes icon files to disk
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): File written: /Users/Shared/AppStore.app/Contents/Resources/AppIcon.icns
Deletes icon files
Source: /bin/rm (PID: 603): File deleted: AppIcon.icns
Executes the "rm" command used to delete files or directories
Source: /bin/bash (PID: 576): Rm executable: /bin/rm -> rm -fR /Users/vreni/Downloads/Dokument.app
Source: /bin/bash (PID: 589): Rm executable: /bin/rm -> rm -f /tmp/tmp123
Source: /bin/bash (PID: 603): Rm executable: /bin/rm -> rm -fR /Users/Shared/AppStore.app
Executes the "scutil" command used to manage network related system configuration parameters
Source: /bin/sh (PID: 591): Scutil executable: /usr/sbin/scutil -> scutil --get LocalHostName
Source: /bin/sh (PID: 598): Scutil executable: /usr/sbin/scutil -> scutil --get LocalHostName
Uses sfltool in order to modify login item settings
Source: /System/Library/CoreServices/sharedfilelistd (PID: 578): Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool com.apple.loginitems SessionItems
Source: /System/Library/CoreServices/sharedfilelistd (PID: 579): Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool com.apple.loginitems SessionItems
Source: /System/Library/CoreServices/sharedfilelistd (PID: 580): Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool save-lists com.apple.loginitems
Source: /System/Library/CoreServices/sharedfilelistd (PID: 595): Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool com.apple.loginitems SessionItems
Source: /System/Library/CoreServices/sharedfilelistd (PID: 604): Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool save-lists com.apple.loginitems

Boot Survival:

Creates user-wide 'launchd' managed services aka launch agents
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590): Launch agent created, file created: /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist

Hooking and other Techniques for Hiding and Protection:

Executes the "base64" command used to encode or decode data (e.g. files, payloads)
Source: /bin/bash (PID: 586): Base64 executable: /usr/bin/base64 -> base64 -i /tmp/tmp123 -o /tmp/AppStore -D
Moves itself during installation or deletes itself after installation
Source: /bin/rm (PID: 603): Directory deleted: /Users/Shared/AppStore.app
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 594): File deleted: /Users/vreni/Library/Containers/.bella/bella.db-journal

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/bash (PID: 574): Sleep executable: /bin/sleep -> sleep 5
Source: /bin/bash (PID: 597): Sleep executable: /bin/sleep -> sleep 5

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Sysctl read request: kern.safeboot (1.66)

Language, Device and Operating System Detection:

Reads the system or server version plist file
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570): System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590): System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 594): System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Reads hardware related sysctl values
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Sysctl read request: hw.availcpu (6.25)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Sysctl read request: hw.ncpu (6.3)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Sysctl read request: hw.cpu_freq (6.15)
Reads the kernel OS version value
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577): Sysctl read request: kern.osversion (1.65)
Reads the system's hostname
Source: /bin/bash (PID: 572): Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 573): Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 586): Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 587): Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 590): Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 591): Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 592): Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 596): Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 598): Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 599): Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 600): Sysctl requested: kern.hostname (1.10)

Remote Access Functionality:

Installs Bella RAT
Source: PIDs 590 and 586: Behaviour pattern found: /Users/vreni/Library/Containers/.bella/ and /private/tmp/AppStore created
Writes files containing IP addresses of contacted hosts (e.g. command and control server)
Source: global traffic and dropped files: IP 185.68.93.74 found in file: /private/tmp/AppStore


Runtime Messages

Command:open
Exitcode:0
Killed:False
Standard Output:
Standard Error:

Yara Overview

No Yara matches

Screenshot