
Analysis Report M4BfJpvkrT

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 78343
Start date: 21.06.2019
Start time: 14:57:12
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 3m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: M4BfJpvkrT
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal68.troj.evad.mac@0/4@0/0

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 68 | 0 - 100 | Report FP / FN | false | malicious

Classification

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Hidden Files and Directories 21 | Port Monitors | Hidden Files and Directories 21 | Input Capture 1 | System Service Discovery | Application Deployment Software | Input Capture 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Service Execution | Launch Agent 3 | Accessibility Features | Binary Padding | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote Access Tools 1
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 1

Signature Overview

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 89.34.111.113
Source: unknown | TCP traffic detected without corresponding DNS query: 17.57.146.20
Source: unknown | TCP traffic detected without corresponding DNS query: 17.188.166.11
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.57.212
Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.214.243
Contains symbols related to proxy configuration
Source: symbol | Static MACH information: _CFNetworkCopyProxiesForURL
Source: symbol | Static MACH information: _CFNetworkExecuteProxyAutoConfigurationURL
Source: symbol | Static MACH information: _kCFProxyAutoConfigurationURLKey
Source: symbol | Static MACH information: _kCFProxyHostNameKey
Source: symbol | Static MACH information: _kCFProxyPortNumberKey
Source: symbol | Static MACH information: _kCFProxyTypeAutoConfigurationURL
Source: symbol | Static MACH information: _kCFProxyTypeHTTP
Source: symbol | Static MACH information: _kCFProxyTypeKey
Source: symbol | Static MACH information: _kCFProxyTypeSOCKS
URLs found in memory or binary data
Source: M4BfJpvkrT | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: M4BfJpvkrT | String found in binary or memory: http://www.google.com
Source: M4BfJpvkrT | String found in binary or memory: http://www.google.com%USER%Unknown%
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49314 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains symbols related to keyboard/mouse events
Source: symbol | Static MACH information: _CGEventCreateKeyboardEvent
Source: symbol | Static MACH information: _CGEventCreateMouseEvent

System Summary:

Malicious sample detected (through custom Yara rule)
Source: M4BfJpvkrT, type: SAMPLE | Matched rule: Detects OSX Netwire A
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder, type: DROPPED | Matched rule: Detects OSX Netwire A
Classification label
Source: classification engine | Classification label: mal68.troj.evad.mac@0/4@0/0

Data Obfuscation:

Contains symbols with suspicious network related names
Source: symbol | Static MACH information: _CGSConnectionGetPID
Source: symbol | Static MACH information: __CFCopyServerVersionDictionary
Source: symbol | Static MACH information: __CGSDefaultConnection
Source: symbol | Static MACH information: _connect$UNIX2003
Source: symbol | Static MACH information: _gethostbyname
Source: symbol | Static MACH information: _kCFProxyPortNumberKey
Source: symbol | Static MACH information: _kCFProxyTypeHTTP
Source: symbol | Static MACH information: _kCFProxyTypeSOCKS
Source: symbol | Static MACH information: _send$UNIX2003
Source: symbol | Static MACH information: _setsockopt
Source: symbol | Static MACH information: _socket
Imports the IOKit library (often used to register services)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

Executes hidden files
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 606) | File in hidden directory executed: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder -
Writes Mach-O files to hidden directories
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605) | 32-bit Mach-O written to hidden directory: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
Changes permissions of written Mach-O files
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605) | Permissions modified for written 32-bit Mach-O /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder: bits: - usr: rwx grp: rwx all: rwx
Contains symbols related to login items (used for persistence)
Source: symbol | Static MACH information: _LSSharedFileListCopySnapshot
Source: symbol | Static MACH information: _LSSharedFileListCreate
Source: symbol | Static MACH information: _LSSharedFileListInsertItemURL
Source: symbol | Static MACH information: _LSSharedFileListItemRemove
Source: symbol | Static MACH information: _LSSharedFileListItemResolve
Source: symbol | Static MACH information: _kLSSharedFileListItemLast
Source: symbol | Static MACH information: _kLSSharedFileListSessionLoginItems
Contains symbols related to terminating processes
Source: symbol | Static MACH information: _KillProcess
Creates application bundles
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605) | Bundle Info.plist file created: /Users/henry/.defaults/Finder.app/Contents/Info.plist
Creates hidden files, links and/or directories
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605) | Hidden directory created: /Users/henry/.defaults -> /Users/henry/.defaults
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606) | Hidden file created: /Users/henry/.defaults/Finder.app/Contents/MacOS/.settings.conf
Reads launchservices plist files
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Writes 32-bit Mach-O files to disk
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605) | File written: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
Writes property list (.plist) files to disk
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605) | XML plist file created: /Users/henry/.defaults/Finder.app/Contents/Info.plist

Boot Survival:

Creates user-wide 'launchd' managed services aka launch agents
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606) | Launch agent file created: /Users/henry/Library/LaunchAgents/com.mac.host.plist

Remote Access Functionality:

Detected macOS NetWire
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605) | IOC file dropped: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606) | IOC file dropped: /Users/henry/Library/LaunchAgents/com.mac.host.plist


Runtime Messages

Command: /Users/henry/Desktop/M4BfJpvkrT
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Behavior Graph

Yara Overview

Initial Sample

Source | Rule | Description | Author
M4BfJpvkrT | JoeSecurity_NetwireA | Detects OSX Netwire A | Joe Security

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author
/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder | JoeSecurity_NetwireA | Detects OSX Netwire A | Joe Security

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
2.20.214.243 | http://Destalo.pt | malicious
17.253.57.212 | NoMAD.pkg | malicious

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | Invoice0186.pdf | malicious | 192.168.0.40
unknown | P_2038402.xlsx | malicious | 192.168.0.44
unknown | bad.pdf | malicious | 192.168.0.44
unknown | RFQ.pdf | malicious | 192.168.0.44
unknown | 100323.pdf | malicious | 192.168.0.44
unknown | Copy.pdf | malicious | 127.0.0.1
unknown | 2.exe | malicious | 192.168.0.40
unknown | UPPB502981.doc | malicious | 192.168.0.44
unknown | Adm_Boleto.via2.com | malicious | 192.168.0.40
unknown | 00ECF4AD.exe | malicious | 192.168.0.40
unknown | PDF_100987464500.exe | malicious | 192.168.0.40
unknown | filedata.exe | malicious | 192.168.0.40
unknown | .exe | malicious | 192.168.1.60
unknown | 33redacted@threatwave.com | malicious | 192.168.1.71

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches
