Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Joe Sandbox X: Automated Dynamic Malware Analysis on Mac OS X

Published on: 17.09.2014

We are proud to present today Joe Sandbox X - the first automated dynamic malware analysis system for Mac OS X. As with all of our productsJoe Sandbox X executes files in a controlled environment and monitors the behavior of applications for suspicious activities. All activities are compiled into a comprehensive and extensive analysis report.

There are currently only a moderate number of known malware targeting Mac OS X systems. However, we at Joe Security think that the number of unknown Mac threats is high and since many companies are moving to the Mac world, Mac OS X will become more and more a hot target.

To show some of the features of Joe Sandbox X, we have analyzed a recent malware named "xslcmd" (MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1) that was deteced by FireEye about two weeks ago (VirusTotal 0 score 0/55 at detection time, 12/55, date of this blog post).

Joe Sandbox X uses the same report format as Joe Sandbox Desktop and Joe Sandbox Mobile, so it is likely that you are familiar with the report structure. Let us walk through the report. From the behavior analysis report we see that the sample has opened a terminal window:

Currently, Joe Sandbox X includes about 100 behavior signatures which rate and classify the behavior. The signature summary already gives a nice overview concerning some of the key functionalities of the malware:

Static analysis which includes a Mach-O parser shows other interesting facts:

The sample is able to run on three different architectures (Power PC, i386 and x86_64). Usually, Mach-O files only run on one or two architectures. It is likely that three architectures are supported to extend the number of potential target systems.

Next, the comprehensive process overview shows the child and overlayed (forked then execve'd) processes of the initial sample as well as other processes started during analysis time:

After startup the sample spawns the launchctl command which is often used to load a launch agent or launch daemon (service processes). The sample also starts itself again (see PID 275). Looking at the behavior of this process reveals its purpose:

As the report excerpt outlines the sample deletes itself. Looking further down the startup shows that a launch agent process named "clipboardd" is started:

Clipboardd starts the command "sw_vers" twice. Sw_vers prints version information about the operating system:

Looking at the "sample-xslcmd" process (see PID 271) in more detail reveals that one of the created files is a plist file in the user's launch agent directory. This file is a necessary file when creating a launch agent and controls some of the launch agent' settings.

The content of the plist file outlines that the launch agent is not started on system boot (XML tag false), where the other setting ensures that the launch agent keeps running. Also the dropped "clipboardd" file is executable (check out the Mach-O magic header bytes CAFEBABE):

The launch agent is explicitly started with "launchctl load":

Looking at the "clipboardd " process (see PID 274) in more detail shows that besides other activites two directories are created: ".fontset" and "BackupData". ".fontset" is hidden on Mac OS X systems due to the point prefix. In the "BackupData" a log file is created containing the term "##Terminal##".

This is likely a log file of a keylogger (due to the suspicious name). Joe Sandbox X also enables to interact with the analysis machine, so we were able to run the sample again, simulate some user behavior and check the file content in order to verify our assumption:

The service also tries to open the three files "pxupdate.ini", "chkdiska.dat", and "chkdiskc.dat". These files did not exist so the open calls were not successful.

It is likely that these are configuration files and that the sample checks if the files exist to prevent reinfection. Finally, two hidden files named ".got" are created in the "Desktop" and "Documents" directory of the user.

As some of the signatures already detected, the sample is actively communicating with the Internet. The included world map shows at a glance which countries have been contacted:

When looking at the HTTP traffic, one can see the HTTP POST requests performed on a non-standard port to the fake host "www.appleupdate.biz":

As this blog post outlines Joe Sandbox X enables to quickly understand and detect threats which target Mac systems. We continue our development to increase the number of signatures and also capture more behavior. Joe Sandbox X will be also available in Joe Sandbox Cloud, Joe Sandbox Complete, and Joe Sandbox Ultimate.

Full analysis report for xslcmd: