Analysis Report finfisher.dmg
Overview
General Information
Detection: FinSpy
Score: 100 (range 0 - 100)
Whitelisted: false
Signatures
Detected macOS FinSpy (FinFisher) trojan
Malicious sample detected (through community Yara rule)
Yara detected FinSpy
App bundle contains hidden files/directories
Attaches disk images with shell command 'hdiutil'
Creates kernel extensions
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Executes hidden files
Opens applications from non-standard application directories
Queries the manufacturer of the machine (might be used to detect VM presence)
Sets full permissions to files and/or directories
Writes DER encoded certificate files to disk without the typical file extension
Writes Mach-O files to untypical directories
Changes permissions of written Mach-O files
Contains symbols with paths
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Creates and/or modifies files and/or directories in common kernel extension directories
Creates application bundles
Creates hidden files, links and/or directories
Creates memory-persistent launch services
Creates user-wide 'launchd'-managed services (aka launch agents)
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "chown" command used to modify ownership and group ownership
Executes the "grep" command used to find patterns in files or piped streams
Executes the "ps" command used to list the status of processes
Executes the "rm" command used to delete files or directories
Executes the "security_authtrampoline" command used to authorize execution with root privileges (GUI prompt)
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "system_profiler" command used to collect detailed system hardware and software information
Explicitly loads kernel extensions
Explicitly loads/starts launch services
Many shell processes execute programs via the execve syscall (might be indicative of malicious behavior)
Opens applications that might themselves have been newly created
Reads hardware related sysctl values
Reads launchservices plist files
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Reads the system's OS release and/or type
Reads the system's hostname
Reads user launchservices plist file containing default apps for corresponding file types
Sample or dropped file has a small TEXT segment size, indicating that the actual code is not in this segment, which hampers debugging
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Uses Security framework containing interfaces for system-level user authentication and authorization
Writes 32-bit Mach-O files to disk
Writes 64-bit Mach-O files to disk
Writes Python scripts without typical Python file extensions
Writes ZIP files to disk
Writes certificate files to disk
Yara signature match
Classification

Startup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_FinSpy_2 | Yara detected FinSpy | Joe Security | |
 | JoeSecurity_FinSpy_2 | Yara detected FinSpy | Joe Security | |

Dropped Files

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | hacktool_macos_exploit_cve_5889 | http://www.cvedetails.com/cve/cve-2015-5889 | @mimeframe | |
 | JoeSecurity_FinSpy_2 | Yara detected FinSpy | Joe Security | |

Signature Overview

The source rows below give the evidence type and the number of matching entries; the matched values themselves are absent from this export.

- Source: Mach-O header (2 entries)
Cryptography:
Writes DER encoded certificate files to disk without the typical file extension
- Source: DER file created (3 entries)

- Source: Mach-O symbol (3 entries)

- Source: String found in binary or memory (10 entries)
System Summary:
Malicious sample detected (through community Yara rule)
- Source: Matched rule (1 entry)

- Source: Python file created (1 entry)

- Source: Matched rule (1 entry)

- Source: Classification label (1 entry)

- Source: Mach-O symbol (33 entries)

- Source: Mach-O symbol (21 entries)

- Source: Mach-O header (1 entry)

- Source: Mach-O header (2 entries)
Persistence and Installation Behavior:
Attaches disk images with shell command 'hdiutil'
- Source: Hdiutil command executed (1 entry)

Executes hidden files
- Source: File in hidden directory executed (1 entry)

Opens applications from non-standard application directories
- Source: Application opened (1 entry)

Sets full permissions to files and/or directories
- Source: Chmod executable with 777 (1 entry)

Writes DER encoded certificate files to disk without the typical file extension
- Source: DER file created (3 entries)

Writes Mach-O files to untypical directories
- Source: Mach-O written to unusual path (6 entries: 5 64-bit, 1 32-bit)

- Source: Permissions modified for written 64-bit Mach-O /Users/ben/Library/Caches/org.logind.ctp.archive/helper
- Source: Permissions modified for written 64-bit Mach-O /Users/ben/Library/Caches/org.logind.ctp.archive/installer

- Source: File moved (1 entry)

- Source: Owner / group modified (8 entries)

- Source: Permissions modified (8 entries)

- Source: Bundle Info.plist File created (1 entry)

- Source: Hidden File created (2 entries)

- Source: Shell command executed (17 entries)

- Source: Chmod executable (1 entry)

- Source: Chown executable (1 entry)

- Source: Grep executable (16 entries)

- Source: Ps executable (16 entries)

- Source: Rm executable (2 entries)

- Source: Security_authtrampoline executable (2 entries)

- Source: Launch agent/daemon loaded (1 entry)

- Source: Shell process (34 entries)

- Source: Application opened (1 entry)

- Source: Launchservices plist file read (3 entries)

- Source: Preferences launchservices plist file read (3 entries)

- Source: CFNetwork info plist opened (3 entries)

- Source: Security framework info plist opened (2 entries)

- Source: File written (1 entry)

- Source: File written (6 entries)

- Source: ZIP file created (1 entry)

- Source: CRL file created (2 entries)

- Source: CodeResources XML file (1 entry)

- Source: Random device file read (2 entries)

- Source: AppleKeyboardLayouts info plist opened (4 entries)

- Source: XML plist file created (5 entries)

- Source: Launch agent/daemon created with KeepAlive and/or RunAtLoad, file moved (1 entry)

- Source: Launch agent created, file moved (1 entry)
Hooking and other Techniques for Hiding and Protection:
App bundle contains hidden files/directories
- Source: Hidden directory (7 entries)

Creates kernel extensions
- Source: Kext Info.plist File created (1 entry)

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
- Source: PTRACE system call (PT_DENY_ATTACH) (1 entry)

- Source: Kext via kextload loaded (15 entries)
Malware Analysis System Evasion:
Queries the manufacturer of the machine (might be used to detect VM presence)
- Source: Manufacturer keyword found in command (2 entries)

- Source: Sleep executable (1 entry)

- Source: Binary or memory string (5 entries)