macOS Analysis Report
CorelDRAW

Overview

General Information

Sample Name: CorelDRAW
Analysis ID: 1797574
MD5: 23699799f496b8e872d05f19d2b397f8
SHA1: fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
SHA256: 2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f

Detection

GIMMICK
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected GIMMICK
Writes Mach-O files to untypical directories
Process deletes its process image on disk
Moves itself during installation or deletes itself after installation
Creates system-wide 'launchd' managed services aka launch daemons based on hidden files
Contains symbols with suspicious names likely related to encryption
Reads the sysctl hardware model value (might be used for detecting VM presence)
Sample is code signed by an ad-hoc signature
Contains symbols with suspicious names likely related to networking
Explicitly unloads, stops, and/or removes launch services
Reads the systems hostname
Creates system-wide 'launchd' managed services aka launch daemons
Executes the "grep" command used to find patterns in files or piped streams
Executes the "ps" command used to list the status of processes
Mach-O sample file contains an ARM64 binary that executes on Apple Silicon
Contains symbols with suspicious names likely related to well-known browsers
Sample is a FAT Mach-O sample containing binaries for multiple architectures
Creates memory-persistent launch services
Explicitly loads/starts launch services
Creates launch services that start periodically
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Changes permissions of written Mach-O files
Executes commands using a shell command-line interpreter
Writes FAT Mach-O files to disk

Classification

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 1797574
Start date and time: 2022-03-28 12:12:09 +02:00
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 3m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: CorelDRAW
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, Big Sur (Office 2019 16.55, Java 1.8.0_311)
Run name: Potential for more IOCs and behavior
Analysis Mode: default
Detection: MAL
Classification: mal64.troj.evad.mac@0/14@2/0
  • Excluded IPs from analysis (whitelisted): 172.217.168.74, 172.217.168.67
  • Excluded domains from analysis (whitelisted): oauth2.googleapis.com, ocsp.pki.goog
Command: /Users/drew/Desktop/CorelDRAW
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error: /Library/LaunchDaemons/com.CorelDRAW.va.plist: Could not find specified service
Unload failed: 113: Could not find specified service
  • System is mac-bigsur
  • CorelDRAW (MD5: 23699799f496b8e872d05f19d2b397f8) Arguments: /Users/drew/Desktop/CorelDRAW
    • sh New Fork (PID: 1613, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
      • bash New Fork (PID: 1614, Parent: 1613)
      • ps (MD5: 5441fc94a247a54e76339a9e5b8c2b45) Arguments: ps -ef
      • bash New Fork (PID: 1615, Parent: 1613)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep CorelDRAW
      • bash New Fork (PID: 1616, Parent: 1613)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v /Users/drew/Desktop/CorelDRAW
      • bash New Fork (PID: 1617, Parent: 1613)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v CorelDRAW\s*Graphics\s*Suite
      • bash New Fork (PID: 1618, Parent: 1613)
      • awk (MD5: 1780ae04585c36f7b86aaec7523fceb6) Arguments: awk {print $2}
      • bash New Fork (PID: 1619, Parent: 1613)
      • xargs (MD5: e5109f0c83efadc46f840033d8c89901) Arguments: xargs kill -9
    • sh New Fork (PID: 1620, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
      • bash New Fork (PID: 1621, Parent: 1620)
      • ps (MD5: 5441fc94a247a54e76339a9e5b8c2b45) Arguments: ps -ef
      • bash New Fork (PID: 1622, Parent: 1620)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep CorelDRAW
      • bash New Fork (PID: 1623, Parent: 1620)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v /Users/drew/Desktop/CorelDRAW
      • bash New Fork (PID: 1624, Parent: 1620)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v CorelDRAW\s*Graphics\s*Suite
      • bash New Fork (PID: 1625, Parent: 1620)
      • awk (MD5: 1780ae04585c36f7b86aaec7523fceb6) Arguments: awk {print $2}
      • bash New Fork (PID: 1626, Parent: 1620)
      • xargs (MD5: e5109f0c83efadc46f840033d8c89901) Arguments: xargs kill -9
    • sh New Fork (PID: 1627, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
    • cp (MD5: 9007c6e0352122c17fbcea99739b716e) Arguments: cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
    • sh New Fork (PID: 1628, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
    • launchctl (MD5: a9ce661111e6db7d90923d46f790e5c7) Arguments: launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
    • sh New Fork (PID: 1629, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
    • launchctl (MD5: a9ce661111e6db7d90923d46f790e5c7) Arguments: launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
  • xpcproxy New Fork (PID: 1630, Parent: 1)
  • CorelDRAW (MD5: 23699799f496b8e872d05f19d2b397f8) Arguments: /var/root/Library/Preferences/CorelDRAW/CorelDRAW
  • cleanup
Yara matches (Source | Rule | Description | Author; the Strings column is empty for every row):
CorelDRAW | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security
/private/var/root/Library/Preferences/CorelDRAW/CorelDRAW | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security
00001612.00000367.1.00000001023ae000.00000001023ea000.r-x.sdmp | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security
00001612.00000367.9.00000001023ae000.00000001023ea000.r-x.sdmp | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security
Process Memory Space: CorelDRAW PID: 1612 | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security

Source: submission: CorelDRAW | Mach-O symbol: _CCCrypt
Source: submission: CorelDRAW | Mach-O symbol: _CCCrypt
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _CCCrypt
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _CCCrypt
Source: CorelDRAW.398.dr | String found in binary or memory: http://cgi1.apnic.net/cgi-bin/my-ip.php
Source: CorelDRAW, 00001612.00000367.1.00000001028f3000.000000010292b000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: CorelDRAW, .dat.nosync064c.oZUVM0.367.dr, CorelDRAW.398.dr | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: CorelDRAW, 00001612.00000367.1.00000001028f3000.000000010292b000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: CorelDRAW, 00001612.00000367.1.00000001028f3000.000000010292b000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
Source: CorelDRAW, CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v2/files/trash
Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v2/files/trash%
Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v3/files/%
Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v3/files?fields=id%2C
Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v3/files?q=%%27%
Source: CorelDRAW, CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?alt=json&uploadType=resumable
Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?alt=json&uploadType=resumable%ldX-Upload-Content-Le
Source: CorelDRAW, CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart
Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?uploadType=multipartdatametadataapplication/json;
Source: unknown | DNS traffic detected: queries for: pki-goog.l.google.com
Source: classification engine | Classification label: mal64.troj.evad.mac@0/14@2/0
Source: submission: CorelDRAW | Mach-O symbol: _objc_msgSend
Source: submission: CorelDRAW | Mach-O symbol: _objc_msgSendSuper2
Source: submission: CorelDRAW | Mach-O symbol: _objc_msgSend_stret
Source: submission: CorelDRAW | Mach-O symbol: _SecItemExport
Source: submission: CorelDRAW | Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
Source: submission: CorelDRAW | Mach-O symbol: _NSURLAuthenticationMethodServerTrust
Source: submission: CorelDRAW | Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: submission: CorelDRAW | Mach-O symbol: _inet_addr
Source: submission: CorelDRAW | Mach-O symbol: _inet_ntoa
Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort
Source: submission: CorelDRAW | Mach-O symbol: _kIOMasterPortDefault
Source: submission: CorelDRAW | Mach-O symbol: _objc_msgSend
Source: submission: CorelDRAW | Mach-O symbol: _objc_msgSendSuper2
Source: submission: CorelDRAW | Mach-O symbol: _SecItemExport
Source: submission: CorelDRAW | Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
Source: submission: CorelDRAW | Mach-O symbol: _NSURLAuthenticationMethodServerTrust
Source: submission: CorelDRAW | Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: submission: CorelDRAW | Mach-O symbol: _inet_ntoa
Source: submission: CorelDRAW | Mach-O symbol: _inet_addr
Source: submission: CorelDRAW | Mach-O symbol: _kIOMasterPortDefault
Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _objc_msgSend
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _objc_msgSendSuper2
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _objc_msgSend_stret
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _SecItemExport
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _NSURLAuthenticationMethodServerTrust
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _inet_addr
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _inet_ntoa
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kIOMasterPortDefault
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _objc_msgSend
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _objc_msgSendSuper2
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _SecItemExport
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _NSURLAuthenticationMethodServerTrust
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _inet_ntoa
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _inet_addr
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kIOMasterPortDefault
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort
Source: submission: CorelDRAW | Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue
Source: submission: CorelDRAW | Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue
Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue

Persistence and Installation Behavior

Source: /bin/cp (PID: 1627) | FAT Mach-O written to unusual path: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Process image deleted: /Users/drew/Desktop/CorelDRAW
Source: submission | Code Signing Info: Signature=adhoc
Source: /bin/bash (PID: 1628) | Launch agent/daemon unloaded: launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
Source: /bin/bash (PID: 1615) | Grep executable: /usr/bin/grep -> grep CorelDRAW
Source: /bin/bash (PID: 1616) | Grep executable: /usr/bin/grep -> grep -v /Users/drew/Desktop/CorelDRAW
Source: /bin/bash (PID: 1617) | Grep executable: /usr/bin/grep -> grep -v CorelDRAW\s*Graphics\s*Suite
Source: /bin/bash (PID: 1622) | Grep executable: /usr/bin/grep -> grep CorelDRAW
Source: /bin/bash (PID: 1623) | Grep executable: /usr/bin/grep -> grep -v /Users/drew/Desktop/CorelDRAW
Source: /bin/bash (PID: 1624) | Grep executable: /usr/bin/grep -> grep -v CorelDRAW\s*Graphics\s*Suite
Source: /bin/bash (PID: 1614) | Ps executable: /bin/ps -> ps -ef
Source: /bin/bash (PID: 1621) | Ps executable: /bin/ps -> ps -ef
Source: submission | Mach-O header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
Source: submission | File header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
Source: /bin/bash (PID: 1629) | Launch agent/daemon loaded: launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file moved: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /bin/cp (PID: 1627) | Permissions modified for written FAT Mach-O /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW: bits: - usr: rx grp: rx all: rwx
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Shell command executed: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Shell command executed: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Shell command executed: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Shell command executed: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
Source: /bin/sh (PID: 1613) | Shell command executed: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
Source: /bin/sh (PID: 1620) | Shell command executed: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
Source: /bin/sh (PID: 1627) | Shell command executed: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
Source: /bin/sh (PID: 1628) | Shell command executed: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
Source: /bin/sh (PID: 1629) | Shell command executed: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
Source: /bin/cp (PID: 1627) | File written: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW
Source: submission | Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission | Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission | Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission | Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
Source: submission: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
Source: dropped file: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
Source: dropped file: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
Source: /bin/bash (PID: 1618) | Awk executable: /usr/bin/awk -> awk {print $2}
Source: /bin/bash (PID: 1625) | Awk executable: /usr/bin/awk -> awk {print $2}
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | XML plist file created: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0
Source: initial sample | Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample | Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample | Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample | Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: submission: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Source: submission: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Source: dropped file: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Source: dropped file: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630) | Random device file read: /dev/urandom
Source: submitted sample | Stderr: /Library/LaunchDaemons/com.CorelDRAW.va.plist: Could not find specified service / Unload failed: 113: Could not find specified service; exit code = 0
Source: submission | CodeSign Info: Executable=/Users/drew/Desktop/CorelDRAW

Boot Survival

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Launch daemon created from hidden file: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Launch daemon created, file moved: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Launch agent/daemon created with KeepAlive and/or RunAtLoad, file moved: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist

Hooking and other Techniques for Hiding and Protection

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | File deleted: /Users/drew/Desktop/CorelDRAW
Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630) | Sysctl read request: hw.model (6.2)
Source: CorelDRAW, 00001612.00000367.9.000000010245e000.0000000102467000.r--.sdmp | Binary or memory string: framework.vmnet
Source: CorelDRAW, 00001612.00000367.9.000000010245e000.0000000102467000.r--.sdmp | Binary or memory string: framework.vmnet$
Source: /bin/bash (PID: 1613) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 1620) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 1627) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 1628) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 1629) | Sysctl requested: kern.hostname (1.10)
Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Stealing of Sensitive Information

Source: Yara match | File source: CorelDRAW, type: SAMPLE
Source: Yara match | File source: 00001612.00000367.1.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 00001612.00000367.9.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CorelDRAW PID: 1612, type: MEMORYSTR
Source: Yara match | File source: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: CorelDRAW, type: SAMPLE
Source: Yara match | File source: 00001612.00000367.1.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 00001612.00000367.9.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CorelDRAW PID: 1612, type: MEMORYSTR
Source: Yara match | File source: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW, type: DROPPED

MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count of matching signatures, techniques without a number had no matching signature)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (1); Scripting (1); Launchctl (1); At (Windows); Cron; Launchd; Scheduled Task
Persistence: LC_LOAD_DYLIB Addition (1); Launch Agent (3); Launch Daemon (14); Plist Modification (1); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: LC_LOAD_DYLIB Addition (1); Launch Agent (3); Launch Daemon (14); Plist Modification (1); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Scripting (1); Hidden Files and Directories (1); Invalid Code Signature (11); Code Signing (11); File Deletion (2)
Credential Access: GUI Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (1); System Network Configuration Discovery (1); System Information Discovery (21); System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: GUI Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph: ID 1797574, Sample CorelDRAW, Startdate 28/03/2022, Architecture MAC, Score 64. Graph nodes: DNS query pki-goog.l.google.com; Yara detected GIMMICK; processes CorelDRAW (started via mono-sgen64 and via xpcproxy), sh/bash/cp, and the bash ps/grep/awk/xargs children; dropped files /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 (XML) and /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW (Mach-O); signatures as listed in the Signatures section above.