macOS Analysis Report
locker

Overview

General Information

Sample Name:locker
Analysis ID:3293996
MD5:abf01633960dd77c6137175a21fccf34
SHA1:2d15286d25f0e0938823dcd742bc928e78199b3d
SHA256:3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79
Infos:

Detection

LockBit ransomware
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Yara detected LockBit ransomware
Likely encrypts files before changing their extension which is indicative for ransomware
Found potential ransomware demand text
Contains symbols with suspicious names likely related to ransomware
Found Tor onion address
Contains symbols with suspicious names likely related to ransomware targeting virtualization
Tries to kill the VMware ESXi syslog daemon (likely for hiding)
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to virtualization
Yara signature match
Sample is code signed by an ad-hoc signature
Executes the "grep" command used to find patterns in files or piped streams
Writes files to the user's download directory
Executes commands using a shell command-line interpreter
Executes the "ps" command used to list the status of processes
Contains symbols with suspicious names likely related to anti-analysis

Classification

Joe Sandbox Version:38.0.0 Beryl
Analysis ID:3293996
Start date and time:2023-08-16 09:48:28 +02:00
Joe Sandbox Product:Cloud
Overall analysis duration:0h 3m 48s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:macOS - Ventura.jbs
Analysis system description:Mac Mini, Apple Silicon ARM64, Ventura
macOS major version:13
CPU architecture:arm64
Analysis Mode:default
Sample file name:locker
Detection:MAL
Classification:mal72.rans.evad.mac@0/3@0/0
  • Excluded IPs from analysis (whitelisted): 23.32.238.66, 23.32.238.50
  • Excluded domains from analysis (whitelisted): 1-courier.sandbox.push.apple.com, lb._dns-sd._udp.0.0.168.192.in-addr.arpa, 56.0.168.192.in-addr.arpa, weather-data.apple.com.akamaized.net, weather-data.apple.com, stocks-data-service.apple.com, a1091.dscw154.akamai.net, weather-data.apple.com.akadns.net, stocks-data-service.lb-apple.com.akadns.net, stocks-data-service.apple.com.edgesuite.net, api.smoot.apple.com, bag-smoot.v.aaplimg.com
Command:/Users/rodrigo/Desktop/locker -f -p test -i /Users/rodrigo/Downloads/myfiles
PID:1322
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • System is mac-arm-ventura
  • locker (MD5: abf01633960dd77c6137175a21fccf34) Arguments: /Users/rodrigo/Desktop/locker -f -p test -i /Users/rodrigo/Downloads/myfiles
    • locker New Fork (PID: 1323, Parent: 1322)
      • locker New Fork (PID: 1324, Parent: 1323)
      • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c pciconf -lv
      • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c pciconf -lv
      • locker New Fork (PID: 1325, Parent: 1323)
      • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c esxcfg-scsidevs -l | egrep -i 'display name|vendor'
      • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c esxcfg-scsidevs -l | egrep -i 'display name|vendor'
        • bash New Fork (PID: 1326, Parent: 1325)
        • bash New Fork (PID: 1327, Parent: 1325)
        • egrep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: egrep -i display name|vendor
      • locker New Fork (PID: 1329, Parent: 1323)
      • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c ps -ef | grep 'vmsyslogd' | grep -v grep | awk '{print $2}' | xargs -r kill -9
      • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c ps -ef | grep 'vmsyslogd' | grep -v grep | awk '{print $2}' | xargs -r kill -9
        • bash New Fork (PID: 1330, Parent: 1329)
        • ps (MD5: c69d135ec952c1e7e71a6661d7f2c668) Arguments: ps -ef
        • bash New Fork (PID: 1331, Parent: 1329)
        • egrep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: grep vmsyslogd
        • bash New Fork (PID: 1332, Parent: 1329)
        • grep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: grep -v grep
        • bash New Fork (PID: 1333, Parent: 1329)
        • awk (MD5: 97896adae88543b8cb6b90100baf16fb) Arguments: awk {print $2}
        • bash New Fork (PID: 1334, Parent: 1329)
        • xargs (MD5: dc3e49e00351048640a9116224da6c69) Arguments: xargs -r kill -9
      • locker New Fork (PID: 1338, Parent: 1323)
      • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c ps -ef | grep 'zsxdcxz' | grep -v grep | awk '{print $2}' | xargs -r kill -9
      • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c ps -ef | grep 'zsxdcxz' | grep -v grep | awk '{print $2}' | xargs -r kill -9
        • bash New Fork (PID: 1339, Parent: 1338)
        • ps (MD5: c69d135ec952c1e7e71a6661d7f2c668) Arguments: ps -ef
        • bash New Fork (PID: 1340, Parent: 1338)
        • grep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: grep zsxdcxz
        • bash New Fork (PID: 1341, Parent: 1338)
        • grep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: grep -v grep
        • bash New Fork (PID: 1342, Parent: 1338)
        • awk (MD5: 97896adae88543b8cb6b90100baf16fb) Arguments: awk {print $2}
        • bash New Fork (PID: 1343, Parent: 1338)
        • xargs (MD5: dc3e49e00351048640a9116224da6c69) Arguments: xargs -r kill -9
      • locker New Fork (PID: 1345, Parent: 1323)
      • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles
      • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles
        • bash New Fork (PID: 1346, Parent: 1345)
        • wordexp-helper (MD5: fe300e6642f4527972a259fc8f350927) Arguments: /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles
      • locker New Fork (PID: 1348, Parent: 1323)
      • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper
      • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper
        • bash New Fork (PID: 1349, Parent: 1348)
        • wordexp-helper (MD5: fe300e6642f4527972a259fc8f350927) Arguments: /usr/lib/system/wordexp-helper
  • cleanup
Source: locker | Rule: MAL_RANSOM_LNX_macOS_LockBit_Apr23_1 | Description: Detects LockBit ransomware samples for Linux and macOS | Author: Florian Roth | Strings:
  • 0x4ddcf:$x1: restore-my-files.txt
  • 0x4dd90:$s1: ntuser.dat.log
  • 0x4dd9f:$s2: bootsect.bak
  • 0x4ddac:$s3: autorun.inf
  • 0x62f64:$s4: lockbit
  • 0x4dc92:$xc1: 33 38 36 00 63 6D 64 00 61 6E 69 00 61 64 76 00 6D 73 69 00 6D 73 70 00 63 6F 6D 00 6E 6C 73
  • 0x4dd8a:$xc2: 6E 74 6C 64 72 00 6E 74 75 73 65 72 2E 64 61 74 2E 6C 6F 67 00 62 6F 6F 74 73 65 63 74 2E 62 61 6B
  • 0x4dc52:$xc3: 76 6D 2E 73 74 61 74 73 2E 76 6D 2E 76 5F 66 72 65 65 5F 63 6F 75 6E 74 00 61 2B 00 2F 2A
Source: locker | Rule: MAL_RANSOM_LockBit_Apr23_1 | Description: Detects indicators found in LockBit ransomware | Author: Florian Roth | Strings:
  • 0x543ef:$xe1: \x14P\x19\x1E\x16IXMQ\x16MV\x16ZK@IM\x1E
  • 0x5498f:$xe2: QMMI\x03\x16\x16UVZR[PM
Source: locker | Rule: JoeSecurity_LockBit_ransomware | Description: Yara detected LockBit ransomware | Author: Joe Security
Source: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!! | Rule: MAL_RANSOM_LockBit_Apr23_1 | Description: Detects indicators found in LockBit ransomware | Author: Florian Roth | Strings:
  • 0x1b5:$xe2: http://lockbit
Source: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!! | Rule: JoeSecurity_LockBit_ransomware | Description: Yara detected LockBit ransomware | Author: Joe Security
Source: /private/tmp/locklog | Rule: MAL_RANSOM_LockBit_Locker_LOG_Apr23_1 | Description: Detects indicators found in LockBit ransomware log files | Author: Florian Roth | Strings:
  • 0x394:$s1: is encrypted. Checksum after encryption
  • 0x42e:$s1: is encrypted. Checksum after encryption
  • 0xd2:$s2: ~~~~~Hardware~~~~
  • 0xfd:$s2: ~~~~~Hardware~~~~
  • 0x133:$s3: [+] Add directory to encrypt:
  • 0x16:$s4: ][+] Launch parameters:
No Snort rule has matched

Source: submission: locker | Mach-O symbols:
  • _crypto_core_salsa208_constbytes
  • _encrypt_all_files_in_dir
  • _crypto_core_salsa208_inputbytes
  • _crypto_core_hsalsa20
  • _crypto_core_salsa20
  • _mbedtls_aes_decrypt_cbc
  • _crypto_core_salsa2012
  • _mbedtls_aes_encrypt_cbc
  • _crypto_core_salsa2012_constbytes
  • _crypto_core_salsa2012_inputbytes
  • _mbedtls_aes_init_decrypt
  • _crypto_core_salsa2012_keybytes
  • _mbedtls_aes_init_encrypt
  • _crypto_core_salsa2012_outputbytes
  • _mbedtls_internal_aes_decrypt
  • _crypto_core_salsa208
  • _mbedtls_internal_aes_encrypt
  • _crypto_generichash_blake2b_init
  • _crypto_core_salsa208_outputbytes
  • _encrypt_file_by_spots
  • _crypto_core_salsa20_constbytes
  • _encrypt_file_first_N_bytes
  • _crypto_core_salsa20_inputbytes
  • _encrypt_small_file
  • _crypto_core_salsa20_keybytes
  • _crypto_core_salsa20_outputbytes
  • _crypto_generichash
  • _crypto_generichash_blake2b
  • _crypto_generichash_blake2b_final
  • _encrypt_all_files_in_dir_by_ext
  • _crypto_core_salsa208_keybytes
  • _encrypt_file
  • _crypto_generichash_blake2b_update
  • _crypto_generichash_bytes
  • _crypto_generichash_bytes_max
  • _crypto_generichash_bytes_min
  • _crypto_generichash_final
  • _crypto_generichash_init
  • _crypto_generichash_keybytes
  • _crypto_generichash_keybytes_max
  • _crypto_generichash_blake2b_init_salt_personal
  • _crypto_generichash_blake2b_salt_personal
  • _crypto_box_beforenmbytes
  • _crypto_box_beforenm
  • _crypto_box_afternm
  • _crypto_box
  • _crypto_generichash_statebytes
  • _crypto_generichash_update
  • _crypto_hash_sha512
  • _crypto_box_boxzerobytes
  • _crypto_hash_sha512_final
  • _crypto_hash_sha512_init
  • _crypto_hash_sha512_update
  • _crypto_onetimeauth_poly1305
  • _crypto_generichash_keybytes_min
  • _crypto_generichash_keygen
  • _crypto_generichash_primitive
  • _crypto_onetimeauth_poly1305_keygen
  • _crypto_onetimeauth_poly1305_statebytes
  • _crypto_onetimeauth_poly1305_update
  • _crypto_onetimeauth_poly1305_verify
  • _crypto_scalarmult_curve25519
  • _crypto_scalarmult_curve25519_base
  • _crypto_onetimeauth_poly1305_bytes
  • _crypto_onetimeauth_poly1305_final
  • _crypto_onetimeauth_poly1305_init
  • _crypto_onetimeauth_poly1305_keybytes
  • _crypto_secretbox_open_easy
  • _crypto_secretbox_xsalsa20poly1305
  • _crypto_secretbox_xsalsa20poly1305_boxzerobytes
  • _crypto_secretbox_xsalsa20poly1305_keybytes
  • _crypto_secretbox_xsalsa20poly1305_keygen
  • _crypto_scalarmult_curve25519_bytes
  • _crypto_scalarmult_curve25519_scalarbytes
  • _crypto_secretbox_detached
  • _crypto_secretbox_easy
  • _crypto_secretbox_open_detached
  • _crypto_stream_chacha20_ietf
  • _crypto_stream_chacha20_ietf_keybytes
  • _crypto_stream_chacha20_ietf_keygen
  • _crypto_stream_chacha20_ietf_messagebytes_max
  • _crypto_secretbox_xsalsa20poly1305_macbytes
  • _crypto_secretbox_xsalsa20poly1305_messagebytes_max
  • _crypto_secretbox_xsalsa20poly1305_noncebytes
  • _crypto_secretbox_xsalsa20poly1305_open
  • _crypto_secretbox_xsalsa20poly1305_zerobytes
  • _crypto_stream_chacha20
  • _all_bytes_encrypted
  • _crypto_stream_chacha20_xor
  • _crypto_stream_chacha20_xor_ic
  • _crypto_stream_salsa20
  • _crypto_stream_chacha20_ietf_noncebytes
  • _crypto_stream_chacha20_ietf_xor
  • _crypto_stream_chacha20_ietf_xor_ic
  • _crypto_stream_chacha20_keybytes
  • _crypto_stream_chacha20_keygen
  • _crypto_stream_chacha20_messagebytes_max
  • _crypto_stream_chacha20_noncebytes
  • _pre_encrypt_file
  • _crypto_box_curve25519xsalsa20poly1305_noncebytes
  • _crypto_stream_salsa20_xor_ic
  • _crypto_box_curve25519xsalsa20poly1305_keypair
  • _crypto_stream_xsalsa20
  • _crypto_box_curve25519xsalsa20poly1305_boxzerobytes
  • _crypto_stream_xsalsa20_keybytes
  • _crypto_box_curve25519xsalsa20poly1305_messagebytes_max
  • _crypto_stream_xsalsa20_keygen
  • _crypto_box_curve25519xsalsa20poly1305_macbytes
  • _crypto_stream_xsalsa20_messagebytes_max
  • _crypto_box_curve25519xsalsa20poly1305_afternm
  • _crypto_box_curve25519xsalsa20poly1305
  • _crypto_box_curve25519xsalsa20poly1305_beforenmbytes
  • _crypto_box_curve25519xsalsa20poly1305_beforenm
  • _crypto_box_curve25519xsalsa20poly1305_open_afternm
  • _crypto_stream_salsa20_keybytes
  • _crypto_box_curve25519xsalsa20poly1305_open
  • _crypto_stream_salsa20_keygen
  • _crypto_stream_salsa20_messagebytes_max
  • _crypto_stream_salsa20_noncebytes
  • _crypto_stream_salsa20_xor
  • _crypto_verify_32_bytes
  • _crypto_box_detached
  • _crypto_verify_64
  • _crypto_box_curve25519xsalsa20poly1305_zerobytes
  • _crypto_verify_64_bytes
  • _crypto_box_easy
  • _crypto_box_detached_afternm
  • _crypto_box_curve25519xsalsa20poly1305_secretkeybytes
  • _crypto_box_curve25519xsalsa20poly1305_publickeybytes
  • _crypto_box_curve25519xsalsa20poly1305_seedbytes
  • _crypto_box_curve25519xsalsa20poly1305_seed_keypair
  • _crypto_stream_xsalsa20_noncebytes
  • _crypto_stream_xsalsa20_xor
  • _crypto_stream_xsalsa20_xor_ic
  • _crypto_verify_16
  • _crypto_verify_16_bytes
  • _crypto_verify_32
  • _CalculateCryptoBlocksShift
  • _crypto_box_open_afternm
  • _crypto_box_open_detached
  • _crypto_box_open_detached_afternm
  • _crypto_box_open_easy
  • _crypto_box_easy_afternm
  • _crypto_box_keypair
  • _crypto_box_macbytes
  • _crypto_box_messagebytes_max
  • _crypto_box_noncebytes
  • _crypto_box_open
  • _crypto_box_seed_keypair
  • _crypto_box_seedbytes
  • _crypto_box_zerobytes
  • _crypto_box_open_easy_afternm
  • _crypto_box_primitive
  • _crypto_box_publickeybytes
  • _crypto_box_seal
  • _crypto_box_seal_open
  • _crypto_box_sealbytes
  • _crypto_box_secretkeybytes

Networking

Source: submission: locker | Mach-O symbols:
  • _kill_esxi_1
  • _kill_esxi_2
  • _kill_esxi_3
  • _killed_force_vm_id
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54215
Source: unknown | Network traffic detected: HTTP traffic on port 54215 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: !!!-Restore-My-Files-!!!.15.dr | String found in binary or memory: https://twitter.com/hashtag/lockbit?f=live
Source: !!!-Restore-My-Files-!!!.15.dr | String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

      Source: Yara match | File source: locker, type: SAMPLE
      Source: Yara match | File source: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!, type: DROPPED
      Source: /Users/rodrigo/Desktop/locker (PID: 1323) | Written file moved: /Users/rodrigo/Downloads/myfiles/foo.zip -> /Users/rodrigo/Downloads/myfiles/foo.zip.lockbit
      Source: /Users/rodrigo/Desktop/locker (PID: 1323) | Written file moved: /Users/rodrigo/Downloads/myfiles/bar.zip -> /Users/rodrigo/Downloads/myfiles/bar.zip.lockbit
      Source: !!!-Restore-My-Files-!!!.15.dr | String found in binary or memory: >>>>> Your data is stolen and encrypted.
      Source: !!!-Restore-My-Files-!!!.15.dr | String found in binary or memory: If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.
      Source: submission: locker | Mach-O symbol: _bwipe
      Source: submission: locker | Mach-O symbol: _end_wipe
      Source: submission: locker | Mach-O symbol: _end_wiping
      Source: submission: locker | Mach-O symbol: _Restore_My_Files_body_3
      Source: submission: locker | Mach-O symbol: _Restore_My_Files_name
      Source: submission: locker | Mach-O symbol: _Restore_My_Files_body_1
      Source: submission: locker | Mach-O symbol: _Restore_My_Files_body_2
      Source: submission: locker | Mach-O symbol: _Restore_My_Files_body
      Source: submission: locker | Mach-O symbol: _wipe
      Source: submission: locker | Mach-O symbol: _wipe_error_fmt
      Source: submission: locker | Mach-O symbol: _wipe_routine
      Source: submission: locker | Mach-O symbol: _wiping
      Source: submission: locker | Mach-O symbol: _lock_all_files_in_dir
      Source: submission: locker | Mach-O symbol: _lock_all_files_in_dir_by_ext
      Source: submission: locker | Mach-O symbol: _start_wipe
      Source: submission: locker | Mach-O symbol: _start_wiping
      Source: locker, type: SAMPLE | Matched rule: MAL_RANSOM_LNX_macOS_LockBit_Apr23_1 date = 2023-04-15, hash5 = dc3d08480f5e18062a0643f9c4319e5c3f55a2e7e93cd8eddd5e0c02634df7cf, hash4 = c9cac06c9093e9026c169adc3650b018d29c8b209e3ec511bbe34cbe1638a0d8, hash3 = a405d034c01a357a89c9988ffe8a46a165915df18fd297469b2bcaaf97578442, hash2 = 9ebcbaf3c9e2bbce6b2331238ab584f95f7ced326ca4aba2ddcc8aa8ee964f66, hash1 = 0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e, author = Florian Roth, description = Detects LockBit ransomware samples for Linux and macOS, score = , hash8 = 3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79, hash7 = 0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde, hash6 = e77124c2e9b691dbe41d83672d3636411aaebc0aff9a300111a90017420ff096, reference = https://twitter.com/malwrhunterteam/status/1647384505550876675?s=20
      Source: locker, type: SAMPLE | Matched rule: MAL_RANSOM_LockBit_Apr23_1 date = 2023-04-17, author = Florian Roth, description = Detects indicators found in LockBit ransomware, score = , reference = https://objective-see.org/blog/blog_0x75.html
      Source: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!, type: DROPPED | Matched rule: MAL_RANSOM_LockBit_Apr23_1 date = 2023-04-17, author = Florian Roth, description = Detects indicators found in LockBit ransomware, score = , reference = https://objective-see.org/blog/blog_0x75.html
      Source: /private/tmp/locklog, type: DROPPED | Matched rule: MAL_RANSOM_LockBit_Locker_LOG_Apr23_1 date = 2023-04-17, author = Florian Roth, description = Detects indicators found in LockBit ransomware log files, score = , reference = https://objective-see.org/blog/blog_0x75.html
      Source: classification engine | Classification label: mal72.rans.evad.mac@0/3@0/0
      Source: submission | Code Signing Info: Signature=adhoc
      Source: /bin/bash (PID: 1327) | Grep executable: /usr/bin/egrep -> egrep -i display name|vendor
      Source: /bin/bash (PID: 1331) | Grep executable: /usr/bin/egrep -> grep vmsyslogd
      Source: /bin/bash (PID: 1332) | Grep executable: /usr/bin/grep -> grep -v grep
      Source: /bin/bash (PID: 1340) | Grep executable: /usr/bin/grep -> grep zsxdcxz
      Source: /bin/bash (PID: 1341) | Grep executable: /usr/bin/grep -> grep -v grep
      Source: /Users/rodrigo/Desktop/locker (PID: 1323) | File created in download directory: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!
      Source: /Users/rodrigo/Desktop/locker (PID: 1324) | Shell command executed: sh -c pciconf -lv
      Source: /bin/sh (PID: 1324) | Shell command executed: sh -c pciconf -lv
      Source: /Users/rodrigo/Desktop/locker (PID: 1325) | Shell command executed: sh -c esxcfg-scsidevs -l | egrep -i 'display name|vendor'
      Source: /bin/sh (PID: 1325) | Shell command executed: sh -c esxcfg-scsidevs -l | egrep -i 'display name|vendor'
      Source: /Users/rodrigo/Desktop/locker (PID: 1329) | Shell command executed: sh -c ps -ef | grep 'vmsyslogd' | grep -v grep | awk '{print $2}' | xargs -r kill -9
      Source: /bin/sh (PID: 1329) | Shell command executed: sh -c ps -ef | grep 'vmsyslogd' | grep -v grep | awk '{print $2}' | xargs -r kill -9
      Source: /Users/rodrigo/Desktop/locker (PID: 1338) | Shell command executed: sh -c ps -ef | grep 'zsxdcxz' | grep -v grep | awk '{print $2}' | xargs -r kill -9
      Source: /bin/sh (PID: 1338) | Shell command executed: sh -c ps -ef | grep 'zsxdcxz' | grep -v grep | awk '{print $2}' | xargs -r kill -9
      Source: /Users/rodrigo/Desktop/locker (PID: 1345) | Shell command executed: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles
      Source: /bin/sh (PID: 1345) | Shell command executed: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles
      Source: /Users/rodrigo/Desktop/locker (PID: 1348) | Shell command executed: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper
      Source: /bin/sh (PID: 1348) | Shell command executed: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper
      Source: /bin/bash (PID: 1330) | Ps executable: /bin/ps -> ps -ef
      Source: /bin/bash (PID: 1339) | Ps executable: /bin/ps -> ps -ef
      Source: /bin/bash (PID: 1333) | Awk executable: /usr/bin/awk -> awk {print $2}
      Source: /bin/bash (PID: 1342) | Awk executable: /usr/bin/awk -> awk {print $2}
      Source: submission | CodeSign Info: Executable=/Users/rodrigo/Desktop/locker

      Hooking and other Techniques for Hiding and Protection
