Analysis Report x03hxefIsS

Overview

General Information

Sample Name:x03hxefIsS
Analysis ID:114942
MD5:06334cb14c1512bf2794af8dae5ab357
SHA1:e615632c9998e4d3e5acd8851864ed09b02c77d2
SHA256:e94781e3da02c7f1426fd23cbd0a375cceac8766fe79c8bc4d4458d6fe64697c

Detection

OceanLotus
Score:96
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Detected macOS OceanLotus
Yara detected OceanLotus
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Executes the "ioreg" command used to gather hardware information (I/O kit registry)
Explicitly modifies time stamps using the "touch" command
Likely queries the I/O Kit registry to detect VMs (based on "IOPlatformExpertDevice" class)
Queries the Boot ROM version of the machine (might be used for detecting native machines, i.e. VM presence)
Queries the Manufacturer of the machine (might be used for detecting VM presence)
Queries the unique Apple serial number of the machine
Sample file contains a Mach-O with an entry point into CFstrings (probably to hamper static analysis)
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "sysctl" command used to retrieve or modify kernel settings
Executes the "system_profiler" command used to collect detailed system hardware and software information
Executes the "touch" command used to create files or modify time stamps
Executes the "uname" command used to read OS and architecture name
Hides files and/or directories from GUI
Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)
Queries OS software version with shell command 'sw_vers'
Reads hardware related sysctl values
Reads launchservices plist files
Reads the sysctl hardware model value (might be used for detecting VM presence)
Reads the systems OS release and/or type
Reads the systems hostname

Classification

Startup

  • system is mac1
  • x03hxefIsS (MD5: 06334cb14c1512bf2794af8dae5ab357) Arguments: /Users/henry/Desktop/x03hxefIsS
    • sh New Fork (PID: 542, Parent: 541)
      • sh New Fork (PID: 543, Parent: 542)
      • system_profiler (MD5: 28bae8e36d2b8a65b50a54ee327298b8) Arguments: system_profiler SPHardwareDataType
      • sh New Fork (PID: 544, Parent: 542)
      • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }
    • sh New Fork (PID: 546, Parent: 541)
      • sh New Fork (PID: 547, Parent: 546)
      • ioreg (MD5: c728ee7d6c0e4941de5ab855a856f473) Arguments: ioreg -l
      • sh New Fork (PID: 548, Parent: 546)
      • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -e Manufacturer
      • sh New Fork (PID: 549, Parent: 546)
      • sleep (MD5: cd4336ba78cb5b78f50d0f935036c332) Arguments: sleep 2
    • sh New Fork (PID: 550, Parent: 541)
      • sh New Fork (PID: 551, Parent: 550)
      • sysctl (MD5: dc0558d3d932acb68af969ace5df58cc) Arguments: sysctl hw.model
      • sh New Fork (PID: 552, Parent: 550)
      • sleep (MD5: cd4336ba78cb5b78f50d0f935036c332) Arguments: sleep 2
    • sh New Fork (PID: 553, Parent: 541)
      • sh New Fork (PID: 554, Parent: 553)
      • ioreg (MD5: c728ee7d6c0e4941de5ab855a856f473) Arguments: ioreg -rd1 -c IOPlatformExpertDevice
      • sh New Fork (PID: 555, Parent: 553)
      • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }
    • sh New Fork (PID: 556, Parent: 541)
      • sh New Fork (PID: 557, Parent: 556)
      • touch (MD5: 4aacabad02929f18b00a9b6ef85e0605) Arguments: touch -t 1504231000 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex
    • sh New Fork (PID: 558, Parent: 541)
      • sh New Fork (PID: 559, Parent: 558)
      • sw_vers (MD5: d33f7f9efd4158694d0d58879b54f89d) Arguments: sw_vers -productVersion
    • sh New Fork (PID: 560, Parent: 541)
      • sh New Fork (PID: 561, Parent: 560)
      • uname (MD5: b1c1eadf36eaaad76210c21573f65b47) Arguments: uname -m
    • sh New Fork (PID: 562, Parent: 541)
      • sh New Fork (PID: 563, Parent: 562)
      • sw_vers (MD5: d33f7f9efd4158694d0d58879b54f89d) Arguments: sw_vers -productVersion
    • sh New Fork (PID: 564, Parent: 541)
      • sh New Fork (PID: 565, Parent: 564)
      • uname (MD5: b1c1eadf36eaaad76210c21573f65b47) Arguments: uname -m
  • cleanup

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000541.00000252.1.0000000100000000.000000010001a000.r-x.sdmp | JoeSecurity_OceanLotus | Yara detected OceanLotus | Joe Security | (none)

    Signature Overview

    AV Detection:

    Antivirus / Scanner detection for submitted sample
    Source: x03hxefIsS | Avira: detected
    Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.57.207
    Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.85.115
    Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.57.207
    Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.85.115
    Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
    Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
    Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
    Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp | String found in binary or memory: http://www.apple.com/certificateauthority0
    Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
    Source: classification engine | Classification label: mal96.troj.spyw.evad.mac@0/4@0/0

    Persistence and Installation Behavior:

    Explicitly modifies time stamps using the "touch" command
    Source: /bin/sh (PID: 557) | Touch executable uses timestamp modification options: touch -t 1504231000 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex
    Sample file contains a Mach-O with an entry point into CFstrings (probably to hamper static analysis)
    Source: submission | Entry point in __cfstring: 0xF0000E44
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Shell command executed: sh -c system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }' 2>/dev/null
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Shell command executed: sh -c ioreg -l | grep -e 'Manufacturer' 2>&1 & sleep 2 kill $! > /dev/null 2>&1
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Shell command executed: sh -c sysctl hw.model 2>&1 & sleep 2 kill $! > /dev/null 2>&1
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Shell command executed: sh -c ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }' 2>&1
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Shell command executed: sh -c touch -t 1504231000 '/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex' > /dev/null 2>&1
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Shell command executed: sh -c sw_vers -productVersion 2>&1
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Shell command executed: sh -c uname -m 2>&1
    Source: /bin/sh (PID: 548) | Grep executable: /usr/bin/grep -> grep -e Manufacturer
    Source: /bin/sh (PID: 551) | Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
    Source: /bin/sh (PID: 557) | Touch executable: /usr/bin/touch -> touch -t 1504231000 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex
    Source: /bin/sh (PID: 543) | Shell process: system_profiler SPHardwareDataType
    Source: /bin/sh (PID: 544) | Shell process: awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }
    Source: /bin/sh (PID: 547) | Shell process: ioreg -l
    Source: /bin/sh (PID: 548) | Shell process: grep -e Manufacturer
    Source: /bin/sh (PID: 549) | Shell process: sleep 2
    Source: /bin/sh (PID: 551) | Shell process: sysctl hw.model
    Source: /bin/sh (PID: 552) | Shell process: sleep 2
    Source: /bin/sh (PID: 554) | Shell process: ioreg -rd1 -c IOPlatformExpertDevice
    Source: /bin/sh (PID: 555) | Shell process: awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }
    Source: /bin/sh (PID: 557) | Shell process: touch -t 1504231000 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex
    Source: /bin/sh (PID: 559) | Shell process: sw_vers -productVersion
    Source: /bin/sh (PID: 561) | Shell process: uname -m
    Source: /bin/sh (PID: 563) | Shell process: sw_vers -productVersion
    Source: /bin/sh (PID: 565) | Shell process: uname -m
    Source: /usr/sbin/system_profiler (PID: 545) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
    Source: /bin/sh (PID: 544) | Awk executable: /usr/bin/awk -> awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }
    Source: /bin/sh (PID: 555) | Awk executable: /usr/bin/awk -> awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }

    Hooking and other Techniques for Hiding and Protection:

    Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | PTRACE system call (PT_DENY_ATTACH): PID 541 denies future traces
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Hidden flag set: /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Hidden flag set: /tmp/store

    Malware Analysis System Evasion:

    Likely queries the I/O Kit registry to detect VMs (based on "IOPlatformExpertDevice" class)
    Source: /bin/sh (PID: 554) | IOreg executable: /usr/sbin/ioreg ioreg -rd1 -c IOPlatformExpertDevice
    Queries the Boot ROM version of the machine (might be used for detecting native machines, i.e. VM presence)
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Boot ROM Version keywords found in command: /bin/sh sh -c system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }' 2>/dev/null
    Source: /bin/sh (PID: 544) | Boot ROM Version keywords found in command: /usr/bin/awk awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }
    Queries the Manufacturer of the machine (might be used for detecting VM presence)
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | Manufacturer keyword found in command: /bin/sh sh -c ioreg -l | grep -e 'Manufacturer' 2>&1 & sleep 2 kill $! > /dev/null 2>&1
    Source: /bin/sh (PID: 548) | Manufacturer keyword found in command: /usr/bin/grep grep -e Manufacturer
    Source: /bin/sh (PID: 549) | Sleep executable: /bin/sleep -> sleep 2
    Source: /bin/sh (PID: 552) | Sleep executable: /bin/sleep -> sleep 2
    Source: /usr/sbin/system_profiler (PID: 545) | Sysctl read request: hw.model (6.2)
    Source: /usr/sbin/sysctl (PID: 551) | Sysctl read request: hw.model (6.2)

    Language, Device and Operating System Detection:

    Executes the "ioreg" command used to gather hardware information (I/O kit registry)
    Source: /bin/sh (PID: 547) | IOreg executable: /usr/sbin/ioreg ioreg -l
    Source: /bin/sh (PID: 554) | IOreg executable: /usr/sbin/ioreg ioreg -rd1 -c IOPlatformExpertDevice
    Queries the unique Apple serial number of the machine
    Source: /Users/henry/Desktop/x03hxefIsS (PID: 541) | IOPlatformSerialNumber keyword found in command: /bin/sh sh -c ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }' 2>&1
    Source: /bin/sh (PID: 555) | IOPlatformSerialNumber keyword found in command: /usr/bin/awk awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }
    Source: /bin/sh (PID: 559) | sw_vers executed: sw_vers -productVersion
    Source: /bin/sh (PID: 563) | sw_vers executed: sw_vers -productVersion
    Source: /usr/sbin/system_profiler (PID: 545) | Sysctl read request: hw.cpu_freq (6.15)
    Source: /usr/sbin/system_profiler (PID: 545) | Sysctl read request: hw.memsize (6.24)
    Source: /usr/bin/uname (PID: 561) | Sysctl requested: kern.ostype (1.1)
    Source: /usr/bin/uname (PID: 561) | Sysctl requested: kern.osrelease (1.2)
    Source: /usr/bin/uname (PID: 565) | Sysctl requested: kern.ostype (1.1)
    Source: /usr/bin/uname (PID: 565) | Sysctl requested: kern.osrelease (1.2)
    Source: /bin/sh (PID: 542) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 546) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 550) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 553) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 556) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 558) | Sysctl requested: ke