
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 48021
Start time: 10:37:03
Joe Sandbox Product: Cloud
Start date: 16.01.2018
Overall analysis duration: 0h 9m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: MaMi
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Virtual Machine, El Capitan 10.11.6 (MS Office 15.34, Java 1.8.0_131)
Detection: MAL
Classification: mal80.troj.spyw.evad.mac@0/43@5/0


Detection

Strategy: Threshold
Score: 80
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Classification

Signature Overview



Cryptography:

Imports (root) certificates into the system's keychain, typically to intercept SSL traffic or bypass code integrity protections
Source: /Users/luke/Desktop/MaMi (PID: 513) | Certificate import: /usr/bin/security -> /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/luke/Desktop/MaMi.bin
Writes DER encoded certificate files to disk without the typical file extension
Source: /Users/luke/Desktop/MaMi (PID: 513) | DER file created: /Users/luke/Desktop/.dat.nosync0201.Jo8P8B

Networking:

Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEka
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: W7
Posts data to webserver
Source: unknown | HTTP traffic detected: POST / HTTP/1.1; Host: squartera.info; User-Agent: ; Content-Type: application/x-www-form-urlencoded; Content-Length: 2347; Accept-Encoding: gzip; Connection: close
Reads from file descriptors related to (network) sockets
Source: /Users/luke/Desktop/MaMi (PID: 513) | Reads from socket in process: data
URLs found in memory or binary data
Source: MaMi | String found in binary or memory: http://bbc.com
Source: MaMi | String found in binary or memory: http://cnn.com
Source: MaMi | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown | Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown | Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49191 -> 443
Writes from file descriptors related to (network) sockets
Source: /Users/luke/Desktop/MaMi (PID: 513) | Writes from socket in process: data
Executes the "networksetup" command used to configure network settings
Source: /Users/luke/Desktop/MaMi (PID: 513) | Networksetup executable: /usr/sbin/networksetup -> /usr/sbin/networksetup -listnetworkserviceorder
Source: /Users/luke/Desktop/MaMi (PID: 513) | Networksetup executable: /usr/sbin/networksetup -> /usr/sbin/networksetup -getdnsservers Ethernet
Explicitly retrieves the order of network devices used for connecting to the network
Source: /Users/luke/Desktop/MaMi (PID: 513) | Networksetup with list network services order args: /usr/sbin/networksetup -listnetworkserviceorder
Explicitly retrieves the configured DNS servers
Source: /Users/luke/Desktop/MaMi (PID: 513) | Networksetup with get DNS servers args: /usr/sbin/networksetup -getdnsservers Ethernet

System Summary:

Classification label
Source: classification engine | Classification label: mal80.troj.spyw.evad.mac@0/43@5/0

Data Obfuscation:

Imports the IOKit library (often used to register services)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

Executes the "awk" command used to scan for patterns (typically in standard output)
Source: /Users/luke/Desktop/MaMi (PID: 513) | Awk executable: /usr/bin/awk -> /usr/bin/awk /IOPlatformSerialNumber/ { print $4 }
Reads data from the local random generator
Source: /usr/libexec/diskmanagementd (PID: 509) | Random device file read: /dev/random
Source: /Users/luke/Desktop/MaMi (PID: 513) | Random device file read: /dev/urandom
Source: /Users/luke/Desktop/MaMi (PID: 513) | Random device file read: /dev/random
Source: /usr/bin/security (PID: 598) | Random device file read: /dev/random
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/luke/Desktop/MaMi (PID: 513) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /Users/luke/Desktop/MaMi (PID: 513) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist-new
Source: /bin/cp (PID: 518) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 520) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 524) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 526) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 537) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 539) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 543) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 545) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 549) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 551) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 555) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 557) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 561) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 563) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 567) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 569) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 573) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 575) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 579) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 581) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 585) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 587) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 595) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 597) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 603) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 605) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 609) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 611) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 615) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 617) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 621) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 623) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 627) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 629) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 633) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 635) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Creates hidden files, links and/or directories
Source: /Users/luke/Desktop/MaMi (PID: 513) | Hidden file created: /Users/luke/Library/Application Support/.dat.nosync0201.GCXGyu
Source: /Users/luke/Desktop/MaMi (PID: 513) | Hidden file created: /Users/luke/Desktop/.dat.nosync0201.Jo8P8B
Executes commands using a shell command-line interpreter
Source: /usr/sbin/networksetup (PID: 517) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 519) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 523) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 525) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 536) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 538) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 542) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 544) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 548) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 550) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 554) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 556) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 560) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 562) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 566) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 568) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 572) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 574) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 578) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 580) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 584) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 586) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 594) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 596) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 602) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 604) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 608) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 610) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 614) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 616) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 620) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 622) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 626) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 628) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 632) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 634) | Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Executes the "scutil" command used to manage network related system configuration parameters
Source: /Users/luke/Desktop/MaMi (PID: 513) | Scutil executable: /usr/sbin/scutil -> /usr/sbin/scutil
Many shell processes execute programs via execve syscall (may be indicative for malicious behavior)
Source: /bin/sh (PID: 518) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 520) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 524) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 526) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 537) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 539) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 543) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 545) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 549) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 551) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 555) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 557) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 561) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 563) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 567) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 569) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 573) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 575) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 579) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 581) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 585) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 587) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 595) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 597) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 603) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 605) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 609) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 611) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 615) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 617) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 621) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 623) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 627) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 629) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 633) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 635) | Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Sample's exit code indicates no error despite standard error output
Source: submitted sample | Stderr: 2018-01-16 11:38:38.416 MaMi[513:4712] chmodding parent /var/root/Library/Cookies with perm 700: exit code = 0
Writes DER encoded certificate files to disk without the typical file extension
Source: /Users/luke/Desktop/MaMi (PID: 513) | DER file created: /Users/luke/Desktop/.dat.nosync0201.Jo8P8B

Hooking and other Techniques for Hiding and Protection:

Moves itself during installation or deletes itself after installation
Source: /Users/luke/Desktop/MaMi (PID: 513) | File deleted: /Users/luke/Desktop/MaMi

Language, Device and Operating System Detection:

Reads the system or server version plist file
Source: /Users/luke/Desktop/MaMi (PID: 513) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Reads the system's hostname
Source: /bin/sh (PID: 518) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 520) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 524) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 526) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 537) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 539) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 543) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 545) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 549) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 551) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 555) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 557) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 561) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 563) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 567) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 569) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 573) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 575) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 579) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 581) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 585) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 587) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 595) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 597) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 603) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 605) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 609) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 611) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 615) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 617) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 621) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 623) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 627) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 629) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 633) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 635) | Sysctl requested: kern.hostname (1.10)
Executes the "ioreg" command used to gather hardware information (I/O kit registry)
Source: /Users/luke/Desktop/MaMi (PID: 513) | IOreg executable: /usr/sbin/ioreg -> /usr/sbin/ioreg -l
Queries the unique Apple serial number of the machine
Source: /Users/luke/Desktop/MaMi (PID: 513) | IOPlatformSerialNumber keyword found in command: /usr/bin/awk /usr/bin/awk /IOPlatformSerialNumber/ { print $4 }

Stealing of Sensitive Information:

Executes the "security" command used to access the keychain
Source: /Users/luke/Desktop/MaMi (PID: 513) | Security executable: /usr/bin/security -> /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/luke/Desktop/MaMi.bin
Imports (root) certificates into the system's keychain, typically to intercept SSL traffic or bypass code integrity protections
Source: /Users/luke/Desktop/MaMi (PID: 513) | Certificate import: /usr/bin/security -> /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/luke/Desktop/MaMi.bin


Runtime Messages

Command: /Users/luke/Desktop/MaMi
Exitcode: 0
Killed: False
Standard Output:
Standard Error: 2018-01-16 11:38:38.416 MaMi[513:4712] chmodding parent /var/root/Library/Cookies with perm 700

Behavior Graph

The behavior graph is rendered as an image on the original page; the node text recoverable from it is listed below.

Behavior Graph ID: 48021
Sample: MaMi
Startdate: 16/01/2018
Architecture: MAC
Score: 80

Network nodes: 82.163.142.137 (ports 53, 65226) and 82.163.143.135 (ports 50111, 50145, 52805), both GREENTEAMIL, United Kingdom; 9 other IPs or domains.
Sample-level signature: Samples exit code indicates no error despite standard error output.

Started processes: mono-sgen32 MaMi; xpcproxy diskmanagementd; xpcproxy applessdstatistics.

MaMi: dropped /Users/luke/Desktop/.dat.nosync0201.Jo8P8B (data); signatures: Writes DER encoded certificate files to disk without the typical file extension; Explicitly retrieves the configured DNS servers; Executes the "scutil" command used to manage network related system configuration parameters; 5 other signatures. Started networksetup (three shown) and 85 other processes.

networksetup: started sh -> cp (six shown) and 30 other processes. sh/cp: dropped /Library/Preferenc...eferences.plist.old (XML); signature: Many shell processes execute programs via execve syscall (may be indicative for malicious behavior).

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches
