Play interactive tour

Edit tour

Analysis Report M4BfJpvkrT

Overview

General Information

Joe Sandbox Version:	26.0.0 Aquamarine
Analysis ID:	78343
Start date:	21.06.2019
Start time:	14:57:12
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	M4BfJpvkrT
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection:	MAL
Classification:	mal68.troj.evad.mac@0/4@0/0

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	68	0 - 100	Report FP / FN	false

Classification

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Remote Management	Hidden Files and Directories21	Port Monitors	Hidden Files and Directories21	Input Capture1	System Service Discovery	Application Deployment Software	Input Capture1	Data Encrypted1	Standard Cryptographic Protocol1
Replication Through Removable Media	Service Execution	Launch Agent3	Accessibility Features	Binary Padding	Network Sniffing	Application Window Discovery	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Non-Application Layer Protocol1
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Path Interception	Rootkit	Input Capture	Query Registry	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Remote Access Tools1
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information	Credentials in Files	System Network Configuration Discovery	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol1

Signature Overview

Click to jump to signature section

Networking:

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.20
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.20
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 17.188.166.11
Source: unknown	TCP traffic detected without corresponding DNS query: 17.188.166.11
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.212
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.111.113

Contains symbols related to proxy configuration

Show sources

Source: symbol	Static MACH information: _CFNetworkCopyProxiesForURL
Source: symbol	Static MACH information: _CFNetworkExecuteProxyAutoConfigurationURL
Source: symbol	Static MACH information: _kCFProxyAutoConfigurationURLKey
Source: symbol	Static MACH information: _kCFProxyHostNameKey
Source: symbol	Static MACH information: _kCFProxyPortNumberKey
Source: symbol	Static MACH information: _kCFProxyTypeAutoConfigurationURL
Source: symbol	Static MACH information: _kCFProxyTypeHTTP
Source: symbol	Static MACH information: _kCFProxyTypeKey
Source: symbol	Static MACH information: _kCFProxyTypeSOCKS

Urls found in memory or binary data

Show sources

Source: M4BfJpvkrT	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: M4BfJpvkrT	String found in binary or memory: http://www.google.com
Source: M4BfJpvkrT	String found in binary or memory: http://www.google.com%USER%Unknown%

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49314 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains symbols related to keyboard/mouse events

Show sources

Source: symbol	Static MACH information: _CGEventCreateKeyboardEvent
Source: symbol	Static MACH information: _CGEventCreateMouseEvent

System Summary:

Malicious sample detected (through custom Yara rule)

Show sources

Source: M4BfJpvkrT, type: SAMPLE	Matched rule: Detects OSX Netwire A
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder, type: DROPPED	Matched rule: Detects OSX Netwire A

Classification label

Show sources

Source: classification engine

Classification label: mal68.troj.evad.mac@0/4@0/0

Data Obfuscation:

Contains symbols with suspicious network related names

Show sources

Source: symbol	Static MACH information: _CGSConnectionGetPID
Source: symbol	Static MACH information: __CFCopyServerVersionDictionary
Source: symbol	Static MACH information: __CGSDefaultConnection
Source: symbol	Static MACH information: _connect$UNIX2003
Source: symbol	Static MACH information: _gethostbyname
Source: symbol	Static MACH information: _kCFProxyPortNumberKey
Source: symbol	Static MACH information: _kCFProxyTypeHTTP
Source: symbol	Static MACH information: _kCFProxyTypeSOCKS
Source: symbol	Static MACH information: _send$UNIX2003
Source: symbol	Static MACH information: _setsockopt
Source: symbol	Static MACH information: _socket
Source: symbol	Static MACH information: _CGSConnectionGetPID
Source: symbol	Static MACH information: __CFCopyServerVersionDictionary
Source: symbol	Static MACH information: __CGSDefaultConnection
Source: symbol	Static MACH information: _connect$UNIX2003
Source: symbol	Static MACH information: _gethostbyname
Source: symbol	Static MACH information: _kCFProxyPortNumberKey
Source: symbol	Static MACH information: _kCFProxyTypeHTTP
Source: symbol	Static MACH information: _kCFProxyTypeSOCKS
Source: symbol	Static MACH information: _send$UNIX2003
Source: symbol	Static MACH information: _setsockopt
Source: symbol	Static MACH information: _socket

Imports the IOKit library (often used to register services)

Show sources

Source: initial sample	Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample	Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

Executes hidden files

Show sources

Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 606)

File in hidden directory executed: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder -

Jump to behavior

Writes Mach-O files to hidden directories

Show sources

Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605)

32-bit Mach-O written to hidden directory: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder

Jump to dropped file

Changes permissions of written Mach-O files

Show sources

Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605)

Permissions modified for written 32-bit Mach-O /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder: bits: - usr: rwx grp: rwx all: rwx

Jump to dropped file

Contains symbols related to login items (used for persistence)

Show sources

Source: symbol	Static MACH information: _LSSharedFileListCopySnapshot
Source: symbol	Static MACH information: _LSSharedFileListCreate
Source: symbol	Static MACH information: _LSSharedFileListInsertItemURL
Source: symbol	Static MACH information: _LSSharedFileListItemRemove
Source: symbol	Static MACH information: _LSSharedFileListItemResolve
Source: symbol	Static MACH information: _kLSSharedFileListItemLast
Source: symbol	Static MACH information: _kLSSharedFileListSessionLoginItems

Contains symbols related to terminating processes

Show sources

Source: symbol

Static MACH information: _KillProcess

Creates application bundles

Show sources

Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605)

Bundle Info.plist file created: /Users/henry/.defaults/Finder.app/Contents/Info.plist

Jump to behavior

Creates hidden files, links and/or directories

Show sources

Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605)	Hidden Directory created: /Users/henry/.defaults -> /Users/henry/.defaults			Jump to behavior
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606)	Hidden file created: /Users/henry/.defaults/Finder.app/Contents/MacOS/.settings.conf			Jump to behavior

Reads launchservices plist files

Show sources

Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606)

Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist

Jump to behavior

Writes 32-bit Mach-O files to disk

Show sources

Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605)

File written: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder

Jump to dropped file

Writes property list (.plist) files to disk

Show sources

Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605)

XML plist file created: /Users/henry/.defaults/Finder.app/Contents/Info.plist

Jump to dropped file

Boot Survival:

Creates user-wide 'launchd' managed services aka launch agents

Show sources

Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606)

Launch agent created file created: /Users/henry/Library/LaunchAgents/com.mac.host.plist

Jump to behavior

Remote Access Functionality:

Detected macOS NetWire

Show sources

Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605)	IOC file dropped: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder			Jump to dropped file
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606)	IOC file dropped: /Users/henry/Library/LaunchAgents/com.mac.host.plist			Jump to dropped file

Runtime Messages

Command:	/Users/henry/Desktop/M4BfJpvkrT
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Yara Overview

Initial Sample

Source	Rule	Description	Author
M4BfJpvkrT	JoeSecurity_NetwireA	Detects OSX Netwire A	Joe Security

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author
/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder	JoeSecurity_NetwireA	Detects OSX Netwire A	Joe Security

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
2.20.214.243	http://Destalo.pt	Get hash	malicious	Browse
17.253.57.212	NoMAD.pkg	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

system is mac1

mono-sgen32 (PID: 605 PPID: 556 MD5: 8910349f44a940d8d79318367855b236)

M4BfJpvkrT (PID: 605 PPID: 556 Overlayed Process Image: mono-sgen32 MD5: de3a8b1e149312dac5b8584a33c3f3c6)

M4BfJpvkrT (PID: 606 PPID: 605 MD5: de3a8b1e149312dac5b8584a33c3f3c6)

Finder (PID: 606 PPID: 605 Overlayed Process Image: M4BfJpvkrT MD5: de3a8b1e149312dac5b8584a33c3f3c6)

cleanup

Created / dropped Files

/Users/henry/.defaults/Finder.app/Contents/Info.plist Download File
Process:	/Users/henry/Desktop/M4BfJpvkrT
File Type:	XML 1.0 document, ASCII text
Size (bytes):	808
Entropy (8bit):	5.136979553002211
Encrypted:	false
MD5:	544085C5414EFF1A0E67CD13724E17C1
SHA1:	D7CF7B196E2AAF3674A747DE54C77785C19C80D7
SHA-256:	A2648050A4AB00595EBE849088FB0310E33C234AA2E93D478909161CCE376824
SHA-512:	C19D7D5065A6FFE3D97F3FECFF9B05C2CC903085A2F284B57580F2A1AC4F9067E6B0F18877719EC71AF31DBD888322FA1EA8444C95BEACC761344B3CE97F71D4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>CFBundleDevelopmentRegion</key>..<string>English</string>..<key>CFBundleExecutable</key>..<string>Finder</string>..<key>CFBundleInfoDictionaryVersion</key>..<string>6.0</string>..<key>CFBundleName</key>..<string>Finder</string>..<key>CFBundlePackageType</key>..<string>APPL</string>..<key>CFBundleShortVersionString</key>..<string>4.5.3</string>..<key>CFBundleVersion</key>..<string>99.2</string>..<key>LSMinimumSystemVersion</key>..<string>10.3</string>..<key>NSMainNibFile</key>..<string>Finder</string>..<key>NSPrincipalClass</key>..<string>NSApplication</string>..<key>NSUIElement</key>..<string>true</string>.</dict>.</plist>.

/Users/henry/.defaults/Finder.app/Contents/MacOS/.settings.conf Download File
Process:	/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
File Type:	data
Size (bytes):	127
Entropy (8bit):	6.482663722154125
Encrypted:	false
MD5:	55EC2A40C7BE0B67332058BF3E3006D8
SHA1:	C2337A77E4431536903BBC86106AEBC75397D0DA
SHA-256:	820573EC77C6D202D08BDDDC937D02103B40B3D64E029D48DB2678E69D180AAB
SHA-512:	381E1DBF92F6F2E43FE53E32FDFA40A9FA342DD2E4FAE5540972E66D9B7362548AF2AF477864F2E64F3E0714EF9B8820C5E7441AB639ACCBBD12B977C2FEFCE8
Malicious:	false
Reputation:	low
Preview:	M..w...3..s0.no....6..v.%..ey.....>+]Q....]f..YV..t.+.15.Tpe........kJ...{..2+...p<....+....b..^0.e..Wb........#..K.Y.

/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder Download File
Process:	/Users/henry/Desktop/M4BfJpvkrT
File Type:	Mach-O i386 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|NO_HEAP_EXECUTION>
Size (bytes):	63768
Entropy (8bit):	6.120626354964268
Encrypted:	false
MD5:	DE3A8B1E149312DAC5B8584A33C3F3C6
SHA1:	23017A55B3D25A2597B7148214FD8FB2372591A5
SHA-256:	07A4E04EE8B4C8DC0F7507F56DC24DB00537D4637AFEE43DBB9357D4D54F6FF4
SHA-512:	CBCE20E10203B3AA36ACD478664874B0A8FF3535F0671D2DB9DE0E6A5022EFB99A445922156F31B10BDFF1CB177782B5AA4AE7D8ED306171C2525A597C997DB8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetwireA, Description: Detects OSX Netwire A, Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder, Author: Joe Security
Reputation:	low
Preview:	................................8...__PAGEZERO..............................................__TEXT..........................................__text..........__TEXT..........l...Z...l...........................__symbol_stub...__TEXT..............~..............................__stub_helper...__TEXT..........D.......D...........................__const.........__TEXT..........@.......@...........................__cstring.......__TEXT.......... ....... ...........................__unwind_info...__TEXT..............H.......................................__DATA...............@..........................__dyld..........__DATA..............................................__nl_symbol_ptr.__DATA..............P...............................__la_symbol_ptr.__DATA..........l...T...l...........................__cfstring......__DATA..............0...............................__data..........__DATA..............................................__common........__DATA..................................

/Users/henry/Library/LaunchAgents/com.mac.host.plist Download File
Process:	/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
File Type:	XML 1.0 document, ASCII text
Size (bytes):	465
Entropy (8bit):	5.096775148549045
Encrypted:	false
MD5:	57CF5F2464E46E09ECC5F991E7E7FD8B
SHA1:	FA3EEE4932ED8B239E1AF72E7E10E3FFAF0B200A
SHA-256:	38A99CC00D692D39D1F423FA5B2A1493CE5C3E8CBA0DFA0EA6D9C84A1E77E5CB
SHA-512:	F388AE9CB1C499525180D819C5B66CBC963CF28C884A11D87C9BA2C4962A45E19351707C7EFA86C574BBD4133A27B74A5390886B9233286716F15E02BAC0DF18
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN.."http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>. <key>Label</key>. <string>com.mac.host</string>. <key>ProgramArguments</key>. <array>. <string>/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder</string>. </array>. <key>RunAtLoad</key>. <true/>. <key>KeepAlive</key>. <false/>.</dict>.</plist>.

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
2.20.214.243	European Union	20940	unknown	false
89.34.111.113	Belize	47447	unknown	false
17.57.146.20	United States	714	APPLE-ENGINEERING-AppleIncUS	false
17.188.166.11	United States	714	APPLE-ENGINEERING-AppleIncUS	false
17.253.57.212	United States	6185	APPLE-AUSTIN-AppleIncUS	false

Static File Info

General
File type:	Mach-O i386 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|NO_HEAP_EXECUTION>
Entropy (8bit):	6.120626354964268
TrID:	Mac OS X Mach-O 32bit Intel executable (4004/1) 100.00%
File name:	M4BfJpvkrT
File size:	63768
MD5:	de3a8b1e149312dac5b8584a33c3f3c6
SHA1:	23017a55b3d25a2597b7148214fd8fb2372591a5
SHA256:	07a4e04ee8b4c8dc0f7507f56dc24db00537d4637afee43dbb9357d4d54f6ff4
SHA512:	cbce20e10203b3aa36acd478664874b0a8ff3535f0671d2db9de0e6a5022efb99a445922156f31b10bdff1cb177782b5aa4ae7d8ed306171c2525a597c997db8
SSDEEP:	1536:4RCG77G7iHHn959DHXFoQ0hQihLv1SNObMih:WCw1HHn79D3FAQkI9ih
File Content Preview:	................................8...__PAGEZERO..............................................__TEXT..........................................__text..........__TEXT..........l...Z...l...........................__symbol_stub...__TEXT..............~..........

Static Mach Info

General Informations for header0
Endian:	<
Size:	32-bit
Architecture:	i386
Filetype:	execute
Nbr. of load commands:	19
Entry point:	0x196C

segment_command

Name	Value
segname	__PAGEZERO
fileoff	0x0
maxprot	0x0
vmsize	0x1000
nsects	0
flags	0x0
filesize	0x0
vmaddr	0x0
initprot	0x0

segment_command

Name	Value
segname	__TEXT
fileoff	0x0
maxprot	0x7
vmsize	0xD000
nsects	6
flags	0x0
filesize	0xD000
vmaddr	0x1000
initprot	0x5
Datas	sectname	__text
	segname	__TEXT
	reloff	0x0
	addr	0x196C
	align	0x2
	nreloc	0
	flags	0x80000400
	offset	0x96C
	reserved2	0
	reserved1	0
	size	0xAD5A
	sectname	__symbol_stub
	segname	__TEXT
	reloff	0x0
	addr	0xC6C6
	align	0x1
	nreloc	0
	flags	0x80000408
	offset	0xB6C6
	reserved2	6
	reserved1	0
	size	0x37E
	sectname	__stub_helper
	segname	__TEXT
	reloff	0x0
	addr	0xCA44
	align	0x2
	nreloc	0
	flags	0x80000400
	offset	0xBA44
	reserved2	0
	reserved1	0
	size	0x6FA
	sectname	__const
	segname	__TEXT
	reloff	0x0
	addr	0xD140
	align	0x4
	nreloc	0
	flags	0x0
	offset	0xC140
	reserved2	0
	reserved1	0
	size	0x7E0
	sectname	__cstring
	segname	__TEXT
	reloff	0x0
	addr	0xD920
	align	0x0
	nreloc	0
	flags	0x2
	offset	0xC920
	reserved2	0
	reserved1	0
	size	0x68B
	sectname	__unwind_info
	segname	__TEXT
	reloff	0x0
	addr	0xDFAC
	align	0x2
	nreloc	0
	flags	0x0
	offset	0xCFAC
	reserved2	0
reserved1	0
size	0x48

segment_command

Name	Value
segname	__DATA
fileoff	0xD000
maxprot	0x7
vmsize	0x24000
nsects	7
flags	0x0
filesize	0x1000
vmaddr	0xE000
initprot	0x3
Datas	sectname	__dyld
	segname	__DATA
	reloff	0x0
	addr	0xE000
	align	0x2
	nreloc	0
	flags	0x0
	offset	0xD000
	reserved2	0
	reserved1	0
	size	0x1C
	sectname	__nl_symbol_ptr
	segname	__DATA
	reloff	0x0
	addr	0xE01C
	align	0x2
	nreloc	0
	flags	0x6
	offset	0xD01C
	reserved2	0
	reserved1	149
	size	0x50
	sectname	__la_symbol_ptr
	segname	__DATA
	reloff	0x0
	addr	0xE06C
	align	0x2
	nreloc	0
	flags	0x7
	offset	0xD06C
	reserved2	0
	reserved1	169
	size	0x254
	sectname	__cfstring
	segname	__DATA
	reloff	0x0
	addr	0xE2C0
	align	0x2
	nreloc	0
	flags	0x0
	offset	0xD2C0
	reserved2	0
	reserved1	0
	size	0x30
	sectname	__data
	segname	__DATA
	reloff	0x0
	addr	0xE2F0
	align	0x2
	nreloc	0
	flags	0x0
	offset	0xD2F0
	reserved2	0
	reserved1	0
	size	0x418
	sectname	__common
	segname	__DATA
	reloff	0x0
	addr	0xE708
	align	0x2
	nreloc	0
	flags	0x1
	offset	0x0
	reserved2	0
reserved1	0
size	0x10
sectname	__bss
segname	__DATA
reloff	0x0
addr	0xE720
align	0x4
nreloc	0
flags	0x1
offset	0x0
reserved2	0
reserved1	0
size	0x234D8

segment_command

Name	Value
segname	__LINKEDIT
fileoff	0xE000
maxprot	0x7
vmsize	0x1918
nsects	0
flags	0x0
filesize	0x1918
vmaddr	0x32000
initprot	0x1

symtab_command

Name	Value
strsize	3028
symoff	57344
stroff	60740
nsyms	175

dysymtab_command

Name	Value
extreloff	59444
nlocrel	0
indirectsymoff	59468
modtaboff	0
nextrel	3
iundefsym	2
nmodtab	0
ilocalsym	0
nundefsym	173
nextrefsyms	0
locreloff	0
ntoc	0
nlocalsym	1
tocoff	0
extrefsymoff	0
nindirectsyms	318
iextdefsym	1
nextdefsym	1

dylinker_command

Name	Value
name	12
Data	/usr/lib/dyld

uuid_command

Name	Value
uuid	8c8ac65d8f7c368aad5ae7fd9d58e63c

version_min_command

Name	Value
version	656640
reserved	658432

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 1 01:00:02 1970
name	24
current_version	4864.7.3
Data	/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 1 01:00:02 1970
name	24
current_version	0.19.1
Data	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

dylib_command

Name	Value
compatibility_version	0.150.0
timestamp	Thu Jan 1 01:00:02 1970
name	24
current_version	2048.69.5
Data	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 1 01:00:02 1970
name	24
current_version	0.22.0
Data	/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 1 01:00:02 1970
name	24
current_version	15362.214.4
Data	/usr/lib/libSystem.B.dylib

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 1 01:00:02 1970
name	24
current_version	0.48.0
Data	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 1 01:00:02 1970
name	24
current_version	15362.120.3
Data	/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 1 01:00:02 1970
name	24
current_version	0.233.1
Data	/usr/lib/libgcc_s.1.dylib

linkedit_data_command

Name	Value
dataoff	57344
datassize	0

Symbols

Symbol
radr://5614542
__mh_execute_header
_CFArrayGetCount
_CFArrayGetValueAtIndex
_CFBundleCopyBundleURL
_CFBundleGetMainBundle
_CFDataCreateMutable
_CFDataGetLength
_CFDataGetMutableBytePtr
_CFDictionaryCreateMutable
_CFDictionaryGetValue
_CFDictionaryGetValueIfPresent
_CFDictionarySetValue
_CFEqual
_CFNetworkCopyProxiesForURL
_CFNetworkExecuteProxyAutoConfigurationURL
_CFNumberCreate
_CFNumberGetValue
_CFRelease
_CFRetain
_CFRunLoopAddSource
_CFRunLoopGetCurrent
_CFRunLoopRunInMode
_CFRunLoopSourceInvalidate
_CFRunLoopSourceIsValid
_CFStringCreateWithCString
_CFStringCreateWithFormat
_CFStringGetCString
_CFStringGetSystemEncoding
_CFURLCreateFromFileSystemRepresentation
_CFURLCreateWithBytes
_CFURLGetFileSystemRepresentation
_CGDisplayCreateImage
_CGEventCreate
_CGEventCreateKeyboardEvent
_CGEventCreateMouseEvent
_CGEventPost
_CGEventSetLocation
_CGEventSetType
_CGImageDestinationAddImage
_CGImageDestinationCreateWithData
_CGImageDestinationFinalize
_CGMainDisplayID
_CGSConnectionGetPID
_CGSGetWindowOwner
_CGWindowListCopyWindowInfo
_GetProcessForPID
_IOPMAssertionCreateWithName
_KillProcess
_LSSharedFileListCopySnapshot
_LSSharedFileListCreate
_LSSharedFileListInsertItemURL
_LSSharedFileListItemRemove
_LSSharedFileListItemResolve
_SCDynamicStoreCopyProxies
_ShowHideProcess
__CFCopyServerVersionDictionary
__CFCopySystemVersionDictionary
__CGSDefaultConnection
___CFConstantStringClassReference
___error
___snprintf_chk
___stack_chk_fail
___stack_chk_guard
___toupper
__kCFSystemVersionBuildVersionKey
__kCFSystemVersionProductNameKey
__kCFSystemVersionProductVersionKey
_asprintf
_cfmakeraw
_chdir
_chmod$UNIX2003
_clogl
_closedir$UNIX2003
_closelog
_connect$UNIX2003
_dlclose
_dlopen
_dlsym
_dup
_endutxent
_execlp
_execv
_execvp
_exit
_fcntl$UNIX2003
_fork
_free
_fstat
_ftruncate
_getenv
_geteuid
_gethostbyname
_gethostname
_getpid
_getppid
_getpwuid
_getutxent
_gmtime
_grantpt
_host_page_size
_host_statistics
_inet_ntop
_ioctl
_kCFAllocatorDefault
_kCFProxyAutoConfigurationURLKey
_kCFProxyHostNameKey
_kCFProxyPortNumberKey
_kCFProxyTypeAutoConfigurationURL
_kCFProxyTypeHTTP
_kCFProxyTypeKey
_kCFProxyTypeSOCKS
_kCFTypeDictionaryKeyCallBacks
_kCFTypeDictionaryValueCallBacks
_kCGImageDestinationLossyCompressionQuality
_kCGWindowName
_kCGWindowNumber
_kLSSharedFileListItemLast
_kLSSharedFileListSessionLoginItems
_kUTTypeJPEG
_kill$UNIX2003
_localtime
_lseek
_lstat
_mach_host_self
_malloc
_memcpy
_memset
_mkdir
_open$UNIX2003
_opendir$UNIX2003
_pipe
_posix_openpt
_proc_listpids
_proc_pidfdinfo
_proc_pidinfo
_proc_pidpath
_pthread_attr_init
_pthread_attr_setdetachstate
_pthread_create
_pthread_mutex_init
_pthread_mutex_lock
_pthread_mutex_unlock
_ptsname
_read$UNIX2003
_readdir
_realloc
_recv$UNIX2003
_rename
_rmdir
_select$UNIX2003
_send$UNIX2003
_setsid
_setsockopt
_setutxent
_shutdown
_sigaction
_sigprocmask
_socket
_stat
_strlen
_strstr
_sysctl
_sysctlnametomib
_tcgetattr
_tcsetattr
_time
_times
_umask
_uname
_unlink
_unlockpt
_usleep$UNIX2003
_waitpid$UNIX2003
_write$UNIX2003

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 21, 2019 14:58:23.425559044 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:58:24.430048943 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:58:25.433072090 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:58:26.434040070 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:58:27.436391115 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:58:28.439338923 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:58:28.464098930 CEST	49158	5223	192.168.0.50	17.57.146.20
Jun 21, 2019 14:58:28.487529039 CEST	5223	49158	17.57.146.20	192.168.0.50
Jun 21, 2019 14:58:28.487546921 CEST	5223	49158	17.57.146.20	192.168.0.50
Jun 21, 2019 14:58:28.487958908 CEST	49158	5223	192.168.0.50	17.57.146.20
Jun 21, 2019 14:58:30.448913097 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:58:30.471621990 CEST	49157	5223	192.168.0.50	17.188.166.11
Jun 21, 2019 14:58:30.579502106 CEST	5223	49157	17.188.166.11	192.168.0.50
Jun 21, 2019 14:58:30.579713106 CEST	49157	5223	192.168.0.50	17.188.166.11
Jun 21, 2019 14:58:34.455954075 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:58:42.463490009 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:58:45.820000887 CEST	49312	80	192.168.0.50	17.253.57.212
Jun 21, 2019 14:58:45.820245981 CEST	49313	80	192.168.0.50	2.20.214.243
Jun 21, 2019 14:58:45.826286077 CEST	80	49313	2.20.214.243	192.168.0.50
Jun 21, 2019 14:58:45.826716900 CEST	49313	80	192.168.0.50	2.20.214.243
Jun 21, 2019 14:58:45.833061934 CEST	80	49312	17.253.57.212	192.168.0.50
Jun 21, 2019 14:58:45.833678007 CEST	49312	80	192.168.0.50	17.253.57.212
Jun 21, 2019 14:58:58.506849051 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:59:30.556160927 CEST	49314	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:59:48.559796095 CEST	49318	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:59:49.562325954 CEST	49318	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:59:50.563291073 CEST	49318	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:59:51.563900948 CEST	49318	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:59:52.566622972 CEST	49318	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:59:53.569016933 CEST	49318	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:59:55.570472002 CEST	49318	443	192.168.0.50	89.34.111.113
Jun 21, 2019 14:59:59.573554039 CEST	49318	443	192.168.0.50	89.34.111.113
Jun 21, 2019 15:00:07.587693930 CEST	49318	443	192.168.0.50	89.34.111.113
Jun 21, 2019 15:00:23.608505964 CEST	49318	443	192.168.0.50	89.34.111.113

System Behavior

Analysis Process: mono-sgen32 PID: 605 Parent PID: 556

General

Start time:	14:58:22
Start date:	21/06/2019
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: M4BfJpvkrT PID: 605 Parent PID: 556

General

Start time:	14:58:22
Start date:	21/06/2019
Path:	/Users/henry/Desktop/M4BfJpvkrT
File size:	63768 bytes
MD5 hash:	de3a8b1e149312dac5b8584a33c3f3c6

Chronological Activities

Analysis Process: M4BfJpvkrT PID: 606 Parent PID: 605

General

Start time:	14:58:22
Start date:	21/06/2019
Path:	/Users/henry/Desktop/M4BfJpvkrT
File size:	63768 bytes
MD5 hash:	de3a8b1e149312dac5b8584a33c3f3c6

Chronological Activities

Analysis Process: Finder PID: 606 Parent PID: 605

General

Start time:	14:58:22
Start date:	21/06/2019
Path:	/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
File size:	63768 bytes
MD5 hash:	de3a8b1e149312dac5b8584a33c3f3c6

Description:	To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion, Persistence
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in `/System/Library/LaunchAgents` , `/Library/LaunchAgents` , and `$HOME/Library/LaunchAgents` . These launch agents have property list files which point to the executables that will be launched . Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories . The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in . They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
Tactics:	Persistence
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Kernel drivers, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report M4BfJpvkrT

Overview

General Information

Detection

Classification

Mitre Att&ck Matrix

Signature Overview

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Remote Access Functionality:

Runtime Messages

Behavior Graph

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Antivirus and Machine Learning Detection

Initial Sample

Dropped Files

Domains

URLs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted IPs

Public

Static File Info

General

Static Mach Info

General Informations for header0

segment_command

segment_command

segment_command

segment_command

symtab_command

dysymtab_command

dylinker_command

uuid_command

version_min_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

linkedit_data_command

Symbols

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: mono-sgen32 PID: 605 Parent PID: 556

General

Chronological Activities

Analysis Process: M4BfJpvkrT PID: 605 Parent PID: 556

General

Chronological Activities

Analysis Process: M4BfJpvkrT PID: 606 Parent PID: 605