Analysis Report lSrIxJfe79
Overview
General Information
Detection
OceanLotus
Score: 100
Range: 0 - 100
Whitelisted: false
Signatures
Detected macOS OceanLotus
Removes the quarantine attribute (used to protect from malware) from files
Yara detected OceanLotus
App bundle contains hidden files/directories
Executes the "ifconfig" command used to gather network information
Executes the "ioreg" command used to gather hardware information (I/O kit registry)
Explicitly modifies time stamps using the "touch" command
Likely queries the I/O Kit registry to detect VMs (based on "IOPlatformExpertDevice" class)
Process deletes its process image on disk
Process executable has an extension which is uncommon (probably to disguise the executable)
Process path indicates hidden application bundle (probably to disguise it)
Queries the unique Apple serial number of the machine
Searches for specific files/directories within the "Users" directory
Terminates several processes with shell command 'killall'
Writes Mach-O files to untypical directories
Changes permissions of written Mach-O files
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Creates memory-persistent launch services
Creates user-wide 'launchd' managed services aka launch agents
Deletes icon files
Executes commands using a shell command-line interpreter
Executes the "base64" command used to encode or decode data (e.g. files, payloads)
Executes the "chmod" command used to modify permissions
Executes the "find" command together with an exec argument (might be indicative of ransomware)
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "system_profiler" command used to collect detailed system hardware and software information
Executes the "touch" command used to create files or modify time stamps
Executes the "uname" command used to read OS and architecture name
Explicitly loads/starts launch services
Explicitly unloads, stops, and/or removes launch services
Hides files and/or directories from GUI
Many shell processes execute programs via the execve syscall (might be indicative of malicious behavior)
Queries OS software version with shell command 'sw_vers'
Reads hardware related sysctl values
Reads launchservices plist files
Reads the sysctl hardware model value (might be used for detecting VM presence)
Reads the system's OS release and/or type
Reads the system's hostname
Reads, modifies and/or removes extended attributes containing macOS-specific file metadata
Sample tries to kill a process (SIGKILL)
Writes FAT Mach-O files to disk
Writes ZIP files to disk
Classification
Startup
Yara Overview
Dropped Files
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_OceanLotus_2 | Yara detected OceanLotus | Joe Security |
Memory Dumps
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_OceanLotus_2 | Yara detected OceanLotus | Joe Security |
JoeSecurity_OceanLotus_2 | Yara detected OceanLotus | Joe Security |
Signature Overview
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | Reads from socket in process: |
Source: | String found in binary or memory: |
Source: | Writes from socket in process: |
Source: | Find command executed: |
Source: | SIGKILL sent: |
Source: | Classification label: |
Persistence and Installation Behavior:
Explicitly modifies time stamps using the "touch" command
Source: | Touch executable uses timestamp modification options: |
Process deletes its process image on disk
Source: | Process image deleted: |
Terminates several processes with shell command 'killall'
Source: | Killall command executed: |
Writes Mach-O files to untypical directories
Source: | FAT Mach-O written to unusual path: |
Source: | Permissions modified for written FAT Mach-O /Users/henry/Library/User Photos/mount_devfs: |
Source: | File deleted: |
Source: | Shell command executed: |
Source: | Chmod executable: |
Source: | Rm executable: |
Source: | Touch executable: |
Source: | Launch agent/daemon loaded: |
Source: | Launch agent/daemon unloaded: |
Source: | Shell process: |
Source: | Launchservices plist file read: |
Source: | Xattr command executed: |