Play interactive tour

Edit tour

Analysis Report x03hxefIsS

Overview

General Information

Sample Name:	x03hxefIsS
Analysis ID:	114942
MD5:	06334cb14c1512bf2794af8dae5ab357
SHA1:	e615632c9998e4d3e5acd8851864ed09b02c77d2
SHA256:	e94781e3da02c7f1426fd23cbd0a375cceac8766fe79c8bc4d4458d6fe64697c
Most interesting Screenshot:

Detection

OceanLotus

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Detected macOS OceanLotus

Yara detected OceanLotus

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Executes the "ioreg" command used to gather hardware information (I/O kit registry)

Explicitly modifies time stamps using the "touch" command

Likely queries the I/O Kit registry to detect VMs (based on "IOPlatformExpertDevice" class)

Queries the Boot ROM version of the machine (might be used for detecting native machines, i.e. VM presence)

Queries the Manufacturer of the machine (might be used for detecting VM presence)

Queries the unique Apple serial number of the machine

Sample file contains a Mach-O with an entry point into CFstrings (probably to hamper static analysis)

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Executes the "sysctl" command used to retrieve or modify kernel settings

Executes the "system_profiler" command used to collect detailed system hardware and software information

Executes the "touch" command used to create files or modify time stamps

Executes the "uname" command used to read OS and architecture name

Hides files and/or directories from GUI

Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Queries OS software version with shell command 'sw_vers'

Reads hardware related sysctl values

Reads launchservices plist files

Reads the sysctl hardware model value (might be used for detecting VM presence)

Reads the systems OS release and/or type

Reads the systems hostname

Classification

Startup

system is mac1

mono-sgen32 New Fork (PID: 541, Parent: 495)

x03hxefIsS (MD5: 06334cb14c1512bf2794af8dae5ab357) Arguments: /Users/henry/Desktop/x03hxefIsS

sh New Fork (PID: 542, Parent: 541)

sh New Fork (PID: 543, Parent: 542)

system_profiler (MD5: 28bae8e36d2b8a65b50a54ee327298b8) Arguments: system_profiler SPHardwareDataType

system_profiler New Fork (PID: 545, Parent: 543)

sh New Fork (PID: 544, Parent: 542)

awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }

sh New Fork (PID: 546, Parent: 541)

sh New Fork (PID: 547, Parent: 546)

ioreg (MD5: c728ee7d6c0e4941de5ab855a856f473) Arguments: ioreg -l

sh New Fork (PID: 548, Parent: 546)

grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -e Manufacturer

sh New Fork (PID: 549, Parent: 546)

sleep (MD5: cd4336ba78cb5b78f50d0f935036c332) Arguments: sleep 2

sh New Fork (PID: 550, Parent: 541)

sh New Fork (PID: 551, Parent: 550)

sysctl (MD5: dc0558d3d932acb68af969ace5df58cc) Arguments: sysctl hw.model

sh New Fork (PID: 552, Parent: 550)

sleep (MD5: cd4336ba78cb5b78f50d0f935036c332) Arguments: sleep 2

sh New Fork (PID: 553, Parent: 541)

sh New Fork (PID: 554, Parent: 553)

ioreg (MD5: c728ee7d6c0e4941de5ab855a856f473) Arguments: ioreg -rd1 -c IOPlatformExpertDevice

sh New Fork (PID: 555, Parent: 553)

awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }

sh New Fork (PID: 556, Parent: 541)

sh New Fork (PID: 557, Parent: 556)

touch (MD5: 4aacabad02929f18b00a9b6ef85e0605) Arguments: touch -t 1504231000 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex

sh New Fork (PID: 558, Parent: 541)

sh New Fork (PID: 559, Parent: 558)

sw_vers (MD5: d33f7f9efd4158694d0d58879b54f89d) Arguments: sw_vers -productVersion

sh New Fork (PID: 560, Parent: 541)

sh New Fork (PID: 561, Parent: 560)

uname (MD5: b1c1eadf36eaaad76210c21573f65b47) Arguments: uname -m

sh New Fork (PID: 562, Parent: 541)

sh New Fork (PID: 563, Parent: 562)

sw_vers (MD5: d33f7f9efd4158694d0d58879b54f89d) Arguments: sw_vers -productVersion

sh New Fork (PID: 564, Parent: 541)

sh New Fork (PID: 565, Parent: 564)

uname (MD5: b1c1eadf36eaaad76210c21573f65b47) Arguments: uname -m

cleanup

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000541.00000252.1.0000000100000000.000000010001a000.r-x.sdmp	JoeSecurity_OceanLotus	Yara detected OceanLotus	Joe Security

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: x03hxefIsS

Avira: detected

Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.207
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.85.115
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.207
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.85.115

Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: x03hxefIsS, 00000541.00000252.1.00000000f008f000.00000000f00aa000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: classification engine

Classification label: mal96.troj.spyw.evad.mac@0/4@0/0

Persistence and Installation Behavior:

Explicitly modifies time stamps using the "touch" command

Show sources

Source: /bin/sh (PID: 557)

Touch executable uses timestamp modification options: touch -t 1504231000 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex

Jump to behavior

Sample file contains a Mach-O with an entry point into CFstrings (probably to hamper static analysis)

Show sources

Source: submission

Entry point in __cfstring: 0xF0000E44

Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Shell command executed: sh -c system_profiler SPHardwareDataType 2>/dev/null \| awk '/Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }' 2>/dev/null	Jump to behavior
Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Shell command executed: sh -c ioreg -l \| grep -e 'Manufacturer' 2>&1 & sleep 2 kill $! > /dev/null 2>&1	Jump to behavior
Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Shell command executed: sh -c sysctl hw.model 2>&1 & sleep 2 kill $! > /dev/null 2>&1	Jump to behavior
Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Shell command executed: sh -c ioreg -rd1 -c IOPlatformExpertDevice \| awk '/IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }' 2>&1	Jump to behavior
Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Shell command executed: sh -c touch -t 1504231000 '/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex' > /dev/null 2>&1	Jump to behavior
Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Shell command executed: sh -c sw_vers -productVersion 2>&1	Jump to behavior
Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Shell command executed: sh -c uname -m 2>&1	Jump to behavior

Source: /bin/sh (PID: 548)

Grep executable: /usr/bin/grep -> grep -e Manufacturer

Jump to behavior

Source: /bin/sh (PID: 551)

Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model

Jump to behavior

Source: /bin/sh (PID: 557)

Touch executable: /usr/bin/touch -> touch -t 1504231000 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex

Jump to behavior

Source: /bin/sh (PID: 543)	Shell process: system_profiler SPHardwareDataType	Jump to behavior
Source: /bin/sh (PID: 544)	Shell process: awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }	Jump to behavior
Source: /bin/sh (PID: 547)	Shell process: ioreg -l	Jump to behavior
Source: /bin/sh (PID: 548)	Shell process: grep -e Manufacturer	Jump to behavior
Source: /bin/sh (PID: 549)	Shell process: sleep 2	Jump to behavior
Source: /bin/sh (PID: 551)	Shell process: sysctl hw.model	Jump to behavior
Source: /bin/sh (PID: 552)	Shell process: sleep 2	Jump to behavior
Source: /bin/sh (PID: 554)	Shell process: ioreg -rd1 -c IOPlatformExpertDevice	Jump to behavior
Source: /bin/sh (PID: 555)	Shell process: awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }	Jump to behavior
Source: /bin/sh (PID: 557)	Shell process: touch -t 1504231000 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex	Jump to behavior
Source: /bin/sh (PID: 559)	Shell process: sw_vers -productVersion	Jump to behavior
Source: /bin/sh (PID: 561)	Shell process: uname -m	Jump to behavior
Source: /bin/sh (PID: 563)	Shell process: sw_vers -productVersion	Jump to behavior
Source: /bin/sh (PID: 565)	Shell process: uname -m	Jump to behavior

Source: /usr/sbin/system_profiler (PID: 545)

Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist

Jump to behavior

Source: /bin/sh (PID: 544)	Awk executable: /usr/bin/awk -> awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }			Jump to behavior
Source: /bin/sh (PID: 555)	Awk executable: /usr/bin/awk -> awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Show sources

Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)

PTRACE system call (PT_DENY_ATTACH): PID 541 denies future traces

Jump to behavior

Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Hidden flag set: /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex			Jump to behavior
Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Hidden flag set: /tmp/store			Jump to behavior

Malware Analysis System Evasion:

Likely queries the I/O Kit registry to detect VMs (based on "IOPlatformExpertDevice" class)

Show sources

Source: /bin/sh (PID: 554)

IOreg executable: /usr/sbin/ioreg ioreg -rd1 -c IOPlatformExpertDevice

Jump to behavior

Queries the Boot ROM version of the machine (might be used for detecting native machines, i.e. VM presence)

Show sources

Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Boot ROM Version keywords found in command: /bin/sh sh -c system_profiler SPHardwareDataType 2>/dev/null \| awk '/Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }' 2>/dev/null			Jump to behavior
Source: /bin/sh (PID: 544)	Boot ROM Version keywords found in command: /usr/bin/awk awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }			Jump to behavior

Queries the Manufacturer of the machine (might be used for detecting VM presence)

Show sources

Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	Manufacturer keyword found in command: /bin/sh sh -c ioreg -l \| grep -e 'Manufacturer' 2>&1 & sleep 2 kill $! > /dev/null 2>&1			Jump to behavior
Source: /bin/sh (PID: 548)	Manufacturer keyword found in command: /usr/bin/grep grep -e Manufacturer			Jump to behavior

Source: /bin/sh (PID: 549)	Sleep executable: /bin/sleep -> sleep 2			Jump to behavior
Source: /bin/sh (PID: 552)	Sleep executable: /bin/sleep -> sleep 2			Jump to behavior

Source: /usr/sbin/system_profiler (PID: 545)	Sysctl read request: hw.model (6.2)			Jump to behavior
Source: /usr/sbin/sysctl (PID: 551)	Sysctl read request: hw.model (6.2)			Jump to behavior

Language, Device and Operating System Detection:

Executes the "ioreg" command used to gather hardware information (I/O kit registry)

Show sources

Source: /bin/sh (PID: 547)	IOreg executable: /usr/sbin/ioreg ioreg -l			Jump to behavior
Source: /bin/sh (PID: 554)	IOreg executable: /usr/sbin/ioreg ioreg -rd1 -c IOPlatformExpertDevice			Jump to behavior

Queries the unique Apple serial number of the machine

Show sources

Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)	IOPlatformSerialNumber keyword found in command: /bin/sh sh -c ioreg -rd1 -c IOPlatformExpertDevice \| awk '/IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }' 2>&1			Jump to behavior
Source: /bin/sh (PID: 555)	IOPlatformSerialNumber keyword found in command: /usr/bin/awk awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }			Jump to behavior

Source: /bin/sh (PID: 559)	sw_vers executed: sw_vers -productVersion			Jump to behavior
Source: /bin/sh (PID: 563)	sw_vers executed: sw_vers -productVersion			Jump to behavior

Source: /usr/sbin/system_profiler (PID: 545)	Sysctl read request: hw.cpu_freq (6.15)			Jump to behavior
Source: /usr/sbin/system_profiler (PID: 545)	Sysctl read request: hw.memsize (6.24)			Jump to behavior

Source: /usr/bin/uname (PID: 561)	Sysctl requested: kern.ostype (1.1)	Jump to behavior
Source: /usr/bin/uname (PID: 561)	Sysctl requested: kern.osrelease (1.2)	Jump to behavior
Source: /usr/bin/uname (PID: 565)	Sysctl requested: kern.ostype (1.1)	Jump to behavior
Source: /usr/bin/uname (PID: 565)	Sysctl requested: kern.osrelease (1.2)	Jump to behavior

Source: /bin/sh (PID: 542)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 546)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 550)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 553)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 556)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 558)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 560)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /usr/bin/uname (PID: 561)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 562)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 564)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /usr/bin/uname (PID: 565)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /usr/bin/sw_vers (PID: 559)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /usr/bin/sw_vers (PID: 563)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Stealing of Sensitive Information:

Detected macOS OceanLotus

Show sources

Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)

IOC file dropped: /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex

Jump to dropped file

Yara detected OceanLotus

Show sources

Source: Yara match

File source: 00000541.00000252.1.0000000100000000.000000010001a000.r-x.sdmp, type: MEMORY

Source: /bin/sh (PID: 543)	System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType			Jump to behavior
Source: /usr/sbin/system_profiler (PID: 543)	System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full			Jump to behavior

Source: /bin/sh (PID: 561)	Uname executable: /usr/bin/uname -> uname -m			Jump to behavior
Source: /bin/sh (PID: 565)	Uname executable: /usr/bin/uname -> uname -m			Jump to behavior

Remote Access Functionality:

Detected macOS OceanLotus

Show sources

Source: /Users/henry/Desktop/x03hxefIsS (PID: 541)

IOC file dropped: /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex

Jump to dropped file

Yara detected OceanLotus

Show sources

Source: Yara match

File source: 00000541.00000252.1.0000000100000000.000000010001a000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter11	Path Interception	Path Interception	Disable or Modify Tools1	OS Credential Dumping	Security Software Discovery31	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Remote Access Software1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion31	LSASS Memory	Virtualization/Sandbox Evasion31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Scripting1	Security Account Manager	System Information Discovery591	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x03hxefIsS	100%	Avira	OSX/OceanLotus.bldbf

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
17.253.57.207	Domain:	unknown	United States		6185	APPLE-AUSTINUS	false
2.20.85.115	Domain:	unknown	European Union		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox Version:	30.0.0 Red Diamond
Analysis ID:	114942
Start date:	14.10.2020
Start time:	10:54:51
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	x03hxefIsS
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection:	MAL
Classification:	mal96.troj.spyw.evad.mac@0/4@0/0
Warnings:	Show All Excluded domains from analysis (whitelisted): lb._dns-sd._udp.0.0.168.192.in-addr.arpa

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AKAMAI-ASUS	FileZilla_3.50.0_win64_sponsored-setup.exe	Get hash	malicious	Browse	2.20.85.140
	http://dbms.pamllaw.com/667697573657070652e6d6172746940626d732e636f6d	Get hash	malicious	Browse	104.83.125.139
	https://tinyurl.com/y4w2x5ys.	Get hash	malicious	Browse	23.210.249.92
	simplehat.clicker.apk	Get hash	malicious	Browse	2.20.86.12
	https://www.bookiebashing.net/check	Get hash	malicious	Browse	104.108.39.131
	https://joom.ag/uZDC	Get hash	malicious	Browse	104.83.104.145
	PowerISO7-x64 (1).exe	Get hash	malicious	Browse	23.210.249.140
	http://maternelleblagis.canalblog.com	Get hash	malicious	Browse	92.122.33.192
	https://cccounty-my.sharepoint.com:443/:b:/g/personal/dcdresources_dcd_cccounty_us/EUTPpLmihCZElHfBN94ej30BH3c6TXJbdk-hHh5SOas_2w?e=4%3aOYrxgD&at=9	Get hash	malicious	Browse	23.211.149.25
	Ne3oNxfdDc.dll	Get hash	malicious	Browse	2.18.68.31
	http://stats.microsoft.regsvc.com/ls/click?upn=zlJxa2Hk8pF9EfXJzUvSxTaJfA-2Fc7Qb3no3nwWqILNMYhhhfpUOx2gVwUG-2FD5h-2Fobo2L_HZoQO8l0GE-2FmT39GZ8fj9txC9u3-2FfTGZV1Ev5sfZUu2ugpv0xqav-2F7OwuyPt0nwKtd6LuUjO0HgIUvRkMKIG8fIj0wzsFwKNKeK9ewuqKUtZVfo98Fz1ZLU3feLmWeUP3qv3IJhwk5ocqxzDg9C5HhgjVXaZhDmo9MpNTJbpeidt2-2FzTpj8S9M4INkI5rvAZWzJY0iPy71wG54oyewrWsard6OTqNHyTrm0QQJY2Xzu5lZ1TfTtp-2FVZZXj5jTWV6SdjyZqJQCzYzcsJwPnaNFSqXn5j3-2BQGV2qGja3tyRojq9zn-2B0eEq-2B0RkMda2db1YRQutS5-2FZnCehj1LHjNF7z-2F1z2lxOVkD-2BnrX-2FsFUq1Zw-2BZU-2BjH-2FwryjCMxKq0qA-2B0SfaWF20Rhxv9NoqlOOQPBg-3D-3D	Get hash	malicious	Browse	104.74.143.169
	http://stats.microsoft.regsvc.com/ls/click?upn=zlJxa2Hk8pF9EfXJzUvSxTaJfA-2Fc7Qb3no3nwWqILNMYhhhfpUOx2gVwUG-2FD5h-2Fobo2L_HZoQO8l0GE-2FmT39GZ8fj9txC9u3-2FfTGZV1Ev5sfZUu2ugpv0xqav-2F7OwuyPt0nwKtd6LuUjO0HgIUvRkMKIG8fIj0wzsFwKNKeK9ewuqKUtZVfo98Fz1ZLU3feLmWeUP3qv3IJhwk5ocqxzDg9C5HhgjVXaZhDmo9MpNTJbpeidt2-2FzTpj8S9M4INkI5rvAZWzJY0iPy71wG54oyewrWsard6OTqNHyTrm0QQJY2Xzu5lZ1TfTtp-2FVZZXj5jTWV6SdjyZqJQCzYzcsJwPnaNFSqXn5j3-2BQGV2qGja3tyRojq9zn-2B0eEq-2B0RkMda2db1YRQutS5-2FZnCehj1LHjNF7z-2F1z2lxOVkD-2BnrX-2FsFUq1Zw-2BZU-2BjH-2FwryjCMxKq0qA-2B0SfaWF20Rhxv9NoqlOOQPBg-3D-3D	Get hash	malicious	Browse	104.74.143.169
	CORVID-19.docx	Get hash	malicious	Browse	104.83.83.17
	http://www.onionringsandthings.com	Get hash	malicious	Browse	104.83.100.41
	https://s.id/sqV8s	Get hash	malicious	Browse	2.20.85.235
	https://us-east-2.protection.sophos.com/?d=canva.com&u=aHR0cHM6Ly93d3cuY2FudmEuY29tL2Rlc2lnbi9EQUVKWVVaNkpfSS9qU0ExMkpCVms2RF9lWUx4Qmo3R0tRL3ZpZXc_dXRtX2NvbnRlbnQ9REFFSllVWjZKX0kmdXRtX2NhbXBhaWduPWRlc2lnbnNoYXJlJnV0bV9tZWRpdW09bGluayZ1dG1fc291cmNlPXNoYXJlYnV0dG9u&e=c2FmZXJyb2FkczIwMjBAYXRzc2EuY29t&t=cXFSVXk3R01PdWVvZHN4SnA1M2dYU0JrUVV5RDEvaTJBMnI2YVhXWjZyST0=&h=236c0b0933b3424891f3af7a9d59faee	Get hash	malicious	Browse	23.210.249.242
	https://www.canva.com/design/DAEJRw-Cekg/yqHz7lRXkcf0H9s6UXEU-Q/view?utm_content=DAEJRw-Cekg&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	2.20.85.242
	https://www.paperturn-view.com/?pid=MTE116034	Get hash	malicious	Browse	2.20.85.242
	sysmain.dll	Get hash	malicious	Browse	92.122.253.103
	bc.dll	Get hash	malicious	Browse	2.18.68.31

JA3 Fingerprints

No context

Dropped Files

No context

Runtime Messages

Command:	/Users/henry/Desktop/x03hxefIsS
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:
Standard Error:

Created / dropped Files

/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex Download File
Process:	/Users/henry/Desktop/x03hxefIsS
File Type:	data
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.9375
Encrypted:	false
SSDEEP:	3:TxMSpzX2nJ:mSpzK
MD5:	CC0E85A2E563F6E55B9DBB7704AB4AD0
SHA1:	717CFFE17D5793732F9A0C41B7EF243D84E84CFD
SHA-256:	5E4F3F442ECE2BC618F0B8A9CFAE9DC98193CDF3778B9D2D74E10CC1A31E5E5F
SHA-512:	4EEC26FC3B7C28F7AA21A74AA125C5D5FA151F47A693A6A65E3723D3477A633FDFE60AA3DA38545B9EFEDC68A4CD2B1CF448F3279FAE38866AD56EAA2A9DA55C
Malicious:	true
Reputation:	low
Preview:	...K..?PB3..kj...b.KG.n...o.....

/dev/null Download File
Process:	/bin/sh
File Type:	ASCII text
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.118275160770976
Encrypted:	false
SSDEEP:	3:oDfFDglaWtdAJ:GglaM+
MD5:	743629BD6877C2D528CE71AAFA775EA9
SHA1:	CD4081863E79EA75F8CA39CE69B8E9FF572A401E
SHA-256:	576E59B31CCD9CF25DDB602222C9FF691B3A54D05E4370DDFF557B66B967B085
SHA-512:	B94E5E4E7C9DF57AC2FFDCCD1E4B6D7E67C1E0511DAF9459C4AB1C1B6872A7A23FBDD2E1F6CA82CB0775765E8F86DFDE49BA15D346EEEE339686B8F1F3C37CAD
Malicious:	true
Reputation:	low
Preview:	sh: line 0: kill: (551) - No such process.

/private/tmp/store Download File
Process:	/Users/henry/Desktop/x03hxefIsS
File Type:	data
Category:	dropped
Size (bytes):	108184
Entropy (8bit):	7.740162603183254
Encrypted:	false
SSDEEP:	3072:Ux/yo3A+mUf6/i8kMKDx/yo3A+mUf6/i8kMKs:j+ry/i2Kk+ry/i2Ks
MD5:	EFB6827A24009EC26E8E988F1D3573BA
SHA1:	8DFC8DB340D77A32DD8BB5140B94E45D9DC6FB07
SHA-256:	26463E27BB9654D0FA1D75FA9B6D211822891A6F22E731FFE8BF21056B962729
SHA-512:	4FAAC58A33CB10377A2BBA9C80C1F9C14A12B5BEFBC602C9586C12E7EA8F3EA7A91888675C1E742EEE71AA8FD4FBAD46D47F52F61B21064B9E6DA9840D7C59B4
Malicious:	false
Reputation:	low
Preview:	........g....0r..D}.. .LD.....&.v...M.....L:..o...Z.....I..rw@F.....f....fp.R..................Db.P.e#@3Y@.W.+v..c%.cC...o~.......;D.j."NXd..w...E...$45.4%.......z.X.g9.WMTm.W[R..7..V..B..r..eM.N.Y2...+n..K...pY3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v..c%.cC.Y3...+v.

Static File Info

General
File type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Entropy (8bit):	7.519905462932771
TrID:
File name:	x03hxefIsS
File size:	47944
MD5:	06334cb14c1512bf2794af8dae5ab357
SHA1:	e615632c9998e4d3e5acd8851864ed09b02c77d2
SHA256:	e94781e3da02c7f1426fd23cbd0a375cceac8766fe79c8bc4d4458d6fe64697c
SHA512:	c0d4f17a15cba1cd97e75598ade0e8f7acee9f77db22c891081b6d5e55552337ab8adc05d639a0128e2ed1c38157b289fa925bd54c6453c29823c4ae422af082
SSDEEP:	768:TmVQsnZgS+zTFDWF51Fc/AaIf2Ozprbs120mhhK7n0LTneAHJ/8lJh:TSQs+NzB+Hc/At+OVrNLe0LiWkD
File Content Preview:	....................................H...__PAGEZERO..............................................................__TEXT..........................................................__cfstring......__TEXT.........................................................

Static Mach Info

General Information for header 1
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	5
Entry point:	0xF0000E44

segment_command_64 aggregated: 3

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0xF0000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0xF0000000

vmsize

0xB000

fileoff

0x0

filesize

0xB000

maxprot

0x7

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	align	reloff	nreloc	flags
__cfstring	__TEXT	0xF00008FD	0xA703	0x8FD	0x0	0x0	0	0x80000400

Name	Value
segname	__LINKEDIT
vmaddr	0xF000B000
vmsize	0x1000
fileoff	0xB000
filesize	0xB48
maxprot	0x7
initprot	0x5
nsects	0
flags	0x0

version_min_command aggregated: 1

Name	Value
version	656896
sdk	656896

thread_command aggregated: 1

Name	Value
flavor	4
count	42

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2020 10:55:52.626899958 CEST	49236	80	192.168.0.50	17.253.57.207
Oct 14, 2020 10:55:52.627125025 CEST	49237	80	192.168.0.50	2.20.85.115
Oct 14, 2020 10:55:52.635431051 CEST	80	49236	17.253.57.207	192.168.0.50
Oct 14, 2020 10:55:52.635894060 CEST	49236	80	192.168.0.50	17.253.57.207
Oct 14, 2020 10:55:52.647068977 CEST	80	49237	2.20.85.115	192.168.0.50
Oct 14, 2020 10:55:52.647546053 CEST	49237	80	192.168.0.50	2.20.85.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2020 10:57:15.720314980 CEST	51908	53	192.168.0.50	8.8.8.8
Oct 14, 2020 10:57:15.735826015 CEST	53	51908	8.8.8.8	192.168.0.50

System Behavior

Analysis Process: mono-sgen32 PID: 541 Parent PID: 495

General

Start time:	10:55:28
Start date:	14/10/2020
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	n/a
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: x03hxefIsS PID: 541 Parent PID: 495

General

Start time:	10:55:28
Start date:	14/10/2020
Path:	/Users/henry/Desktop/x03hxefIsS
Arguments:	/Users/henry/Desktop/x03hxefIsS
File size:	47944 bytes
MD5 hash:	06334cb14c1512bf2794af8dae5ab357

Chronological Activities

Analysis Process: sh PID: 542 Parent PID: 541

General

Start time:	10:55:28
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sh PID: 543 Parent PID: 542

General

Start time:	10:55:28
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: system_profiler PID: 543 Parent PID: 542

General

Start time:	10:55:28
Start date:	14/10/2020
Path:	/usr/sbin/system_profiler
Arguments:	system_profiler SPHardwareDataType
File size:	45472 bytes
MD5 hash:	28bae8e36d2b8a65b50a54ee327298b8

Chronological Activities

Analysis Process: system_profiler PID: 545 Parent PID: 543

General

Start time:	10:55:28
Start date:	14/10/2020
Path:	/usr/sbin/system_profiler
Arguments:	n/a
File size:	45472 bytes
MD5 hash:	28bae8e36d2b8a65b50a54ee327298b8

Chronological Activities

Analysis Process: sh PID: 544 Parent PID: 542

General

Start time:	10:55:28
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: awk PID: 544 Parent PID: 542

General

Start time:	10:55:28
Start date:	14/10/2020
Path:	/usr/bin/awk
Arguments:	awk /Boot ROM Version/ {split($0, line, ':') printf('%s', line[2]) }
File size:	112592 bytes
MD5 hash:	fa9db7f6c4a0287ceb78a3bd34524ada

Chronological Activities

Analysis Process: sh PID: 546 Parent PID: 541

General

Start time:	10:55:29
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sh PID: 547 Parent PID: 546

General

Start time:	10:55:29
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: ioreg PID: 547 Parent PID: 546

General

Start time:	10:55:29
Start date:	14/10/2020
Path:	/usr/sbin/ioreg
Arguments:	ioreg -l
File size:	45040 bytes
MD5 hash:	c728ee7d6c0e4941de5ab855a856f473

Chronological Activities

Analysis Process: sh PID: 548 Parent PID: 546

General

Start time:	10:55:29
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: grep PID: 548 Parent PID: 546

General

Start time:	10:55:29
Start date:	14/10/2020
Path:	/usr/bin/grep
Arguments:	grep -e Manufacturer
File size:	33936 bytes
MD5 hash:	2b3efb273296881708ea2914c612e0eb

Chronological Activities

Analysis Process: sh PID: 549 Parent PID: 546

General

Start time:	10:55:29
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sleep PID: 549 Parent PID: 546

General

Start time:	10:55:29
Start date:	14/10/2020
Path:	/bin/sleep
Arguments:	sleep 2
File size:	18080 bytes
MD5 hash:	cd4336ba78cb5b78f50d0f935036c332

Chronological Activities

Analysis Process: sh PID: 550 Parent PID: 541

General

Start time:	10:55:31
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sh PID: 551 Parent PID: 550

General

Start time:	10:55:31
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sysctl PID: 551 Parent PID: 550

General

Start time:	10:55:31
Start date:	14/10/2020
Path:	/usr/sbin/sysctl
Arguments:	sysctl hw.model
File size:	60608 bytes
MD5 hash:	dc0558d3d932acb68af969ace5df58cc

Chronological Activities

Analysis Process: sh PID: 552 Parent PID: 550

General

Start time:	10:55:31
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sleep PID: 552 Parent PID: 550

General

Start time:	10:55:31
Start date:	14/10/2020
Path:	/bin/sleep
Arguments:	sleep 2
File size:	18080 bytes
MD5 hash:	cd4336ba78cb5b78f50d0f935036c332

Chronological Activities

Analysis Process: sh PID: 553 Parent PID: 541

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sh PID: 554 Parent PID: 553

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: ioreg PID: 554 Parent PID: 553

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/usr/sbin/ioreg
Arguments:	ioreg -rd1 -c IOPlatformExpertDevice
File size:	45040 bytes
MD5 hash:	c728ee7d6c0e4941de5ab855a856f473

Chronological Activities

Analysis Process: sh PID: 555 Parent PID: 553

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: awk PID: 555 Parent PID: 553

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/usr/bin/awk
Arguments:	awk /IOPlatformSerialNumber/ { split($0, line, '\'') printf('%s', line[4]) }
File size:	112592 bytes
MD5 hash:	fa9db7f6c4a0287ceb78a3bd34524ada

Chronological Activities

Analysis Process: sh PID: 556 Parent PID: 541

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sh PID: 557 Parent PID: 556

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: touch PID: 557 Parent PID: 556

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/usr/bin/touch
Arguments:	touch -t 1504231000 /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex
File size:	23376 bytes
MD5 hash:	4aacabad02929f18b00a9b6ef85e0605

Chronological Activities

Analysis Process: sh PID: 558 Parent PID: 541

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sh PID: 559 Parent PID: 558

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sw_vers PID: 559 Parent PID: 558

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/usr/bin/sw_vers
Arguments:	sw_vers -productVersion
File size:	18848 bytes
MD5 hash:	d33f7f9efd4158694d0d58879b54f89d

Chronological Activities

Analysis Process: sh PID: 560 Parent PID: 541

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sh PID: 561 Parent PID: 560

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: uname PID: 561 Parent PID: 560

General

Start time:	10:55:33
Start date:	14/10/2020
Path:	/usr/bin/uname
Arguments:	uname -m
File size:	18416 bytes
MD5 hash:	b1c1eadf36eaaad76210c21573f65b47

Chronological Activities

Analysis Process: sh PID: 562 Parent PID: 541

General

Start time:	10:55:49
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sh PID: 563 Parent PID: 562

General

Start time:	10:55:49
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sw_vers PID: 563 Parent PID: 562

General

Start time:	10:55:49
Start date:	14/10/2020
Path:	/usr/bin/sw_vers
Arguments:	sw_vers -productVersion
File size:	18848 bytes
MD5 hash:	d33f7f9efd4158694d0d58879b54f89d

Chronological Activities

Analysis Process: sh PID: 564 Parent PID: 541

General

Start time:	10:55:49
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: sh PID: 565 Parent PID: 564

General

Start time:	10:55:49
Start date:	14/10/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Chronological Activities

Analysis Process: uname PID: 565 Parent PID: 564

General

Start time:	10:55:49
Start date:	14/10/2020
Path:	/usr/bin/uname
Arguments:	uname -m
File size:	18416 bytes
MD5 hash:	b1c1eadf36eaaad76210c21573f65b47

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report x03hxefIsS

Overview

General Information

Detection

Signatures

Classification

Startup

Yara Overview

Memory Dumps

Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Signature Similarity

Similar Samples

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Runtime Messages

Created / dropped Files

Static File Info

General

Static Mach Info

General Information for header 1

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

System Behavior

Analysis Process: mono-sgen32 PID: 541 Parent PID: 495

General

Analysis Process: x03hxefIsS PID: 541 Parent PID: 495

General

Analysis Process: sh PID: 542 Parent PID: 541

General

Analysis Process: sh PID: 543 Parent PID: 542

General

Analysis Process: system_profiler PID: 543 Parent PID: 542

General

Analysis Process: system_profiler PID: 545 Parent PID: 543

General

Analysis Process: sh PID: 544 Parent PID: 542

General

Analysis Process: awk PID: 544 Parent PID: 542

General

Analysis Process: sh PID: 546 Parent PID: 541

General

Analysis Process: sh PID: 547 Parent PID: 546

General

Analysis Process: ioreg PID: 547 Parent PID: 546