Analysis Report

Overview

General Information

Analysis ID: 26
Start time: 10:02:05
Start date: 25/09/2014
Overall analysis duration: 0h 7m 14s
Report type: full
Sample file name: 9283c61f8cce4258c8111aaf098d21ee
Cookbook file name: keylogging.jbs
Analysis system description: Mac OS X, Mavericks, clean


Detection

Strategy: Threshold
Report FP/FN: malicious


Signature Overview


Networking:

Urls found in memory or binary data
Source: 9283c61f8cce4258c8111aaf098d21ee | String found in binary or memory: http://220.175.13.250:82http://220.175.13.250:821000-
Source: 9283c61f8cce4258c8111aaf098d21ee | String found in binary or memory: http://www.apple.com/dtds/propertylist-1.0.dtd

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Captures keyboard strokes that are written to a log file
Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit | Detected decoy string in file: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf
Writes property list (.plist) files to disk with content indicative for key loggers
Source: /usr/bin/tar | XML plist file created with lower-case letters in tags: /Library/.local/Keymap.plist

Persistence and Installation Behavior:

Writes property list (.plist) files to disk
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | XML plist file created: /Library/LaunchDaemons/com.updated.launchagent.plist
Source: /usr/bin/tar | XML plist file created: /Library/.local/Keymap.plist
Source: /usr/bin/tar | XML plist file created: /Library/.local/updated.kext/Contents/Info.plist
Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit | XML plist file created: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/com.apple.TextEdit.plist
Creates and/or modifies files and/or directories in common kernel extension directories
Source: /bin/mv | File moved: /Library/.local/updated.kext -> /System/Library/Extensions/updated.kext
Source: /bin/chmod | Permissions modified: /System/Library/Extensions/updated.kext
Creates code signed kernel extensions
Source: /usr/bin/tar | Kext code signature resource file created: updated.kext/Contents/Info.plist
Source: /bin/mv | Kext code signature resource file created in extensions directory: /Library/.local/updated.kext -> /System/Library/Extensions/updated.kext
Creates hidden files, links and/or directories
Source: /bin/mkdir | Hidden directory created: /Library/.local
Source: /Library/.local/EventMonitor | Hidden file created: /Library/.local/.logfile
Executes commands using a shell command-line interpreter
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c mkdir -p /Library/LaunchDaemons
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c mkdir -p /Library/.local
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c /bin/chmod +x /Library/.local/updated
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c /bin/chmod +x /Library/.local/update
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c /bin/chmod +x /Library/.local/reweb
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c chmod -R 777 /Library/.local/
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c tar -xf /Library/.local/kext.tar -C /Library/.local/
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c /bin/mv -f /Library/.local/updated.kext /System/Library/Extensions/updated.kext
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c /bin/chmod -R 755 /System/Library/Extensions/updated.kext
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c /bin/chown -R root:wheel /System/Library/Extensions/updated.kext
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c /sbin/kextload /System/Library/Extensions/updated.kext
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c /bin/chmod +x /Library/.local/EventMonitor
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c rm /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Shell command executed: sh -c /Library/.local/reweb &
Source: /Library/.local/reweb | Shell command executed: sh -c chmod -R 777 /Library/.local
Source: /Library/.local/reweb | Shell command executed: sh -c killall -9 updated
Source: /Library/.local/reweb | Shell command executed: sh -c killall -9 update
Source: /Library/.local/reweb | Shell command executed: sh -c /Library/.local/updated
Source: /Library/.local/updated | Shell command executed: sh -c killall -9 reweb
Source: /Library/.local/updated | Shell command executed: sh -c /Library/.local/EventMonitor &
Source: /Library/.local/updated | Shell command executed: sh -c /Library/.local/update
Writes 64-bit Mach-O files to disk
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | File written: /Library/.local/reweb
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | File written: /Library/.local/update
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | File written: /Library/.local/updated
Source: /usr/bin/tar | File written: /Library/.local/EventMonitor
Writes FAT Mach-O files to disk
Source: /usr/bin/tar | File written: /Library/.local/updated.kext/Contents/MacOS/logKext
Writes RTF files to disk
Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit | File written: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf
Terminates processes by executing the killall command
Source: /bin/sh | Killall command executed: killall -9 updated
Source: /bin/sh | Killall command executed: killall -9 update
Source: /bin/sh | Killall command executed: killall -9 reweb

Boot Survival:

Creates memory-persistent launch services
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Library/LaunchDaemons/com.updated.launchagent.plist
Creates system-wide 'launchd' managed services aka launch daemons
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee | Launch daemon created, file created: /Library/LaunchDaemons/com.updated.launchagent.plist

Hooking and other Techniques for Hiding and Protection:

Explicitly loads kernel extensions
Source: /bin/sh | Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/updated.kext
Creates kernel extensions
Source: /usr/bin/tar | Kext Info.plist file created: updated.kext/Contents/Info.plist
Source: /bin/mv | Kext Info.plist file created in extensions directory: /Library/.local/updated.kext -> /System/Library/Extensions/updated.kext
Moves itself during installation or deletes itself after installation
Source: /bin/rm | File deleted: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee

Stealing of Sensitive Information:

Captures keyboard strokes that are written to a log file
Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit | Detected decoy string in file: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf


Runtime Messages

Command: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee
Exitcode: 0
Killed: False
Standard Output: /Library/.local /Library/LaunchDaemons /proc/self/launch -> [/Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee] /proc/self/exe -> [/Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee]
Standard Error: sh: /bin/chown: No such file or directory No matching processes were found No matching processes were found 2014-09-25 12:03:48.011 updated[449:c07] Hello; World!

Yara Overview

No Yara matches

Screenshot