Analysis Report

Overview

General Information

Joe Sandbox Version:	18.0.0
Analysis ID:	31316
Start time:	15:42:08
Joe Sandbox Product:	Cloud
Start date:	06.01.2017
Overall analysis duration:	0h 7m 21s
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Mac Mini, El Capitan 10.11.6 (Java 1.8.0_25)
Detection:	MAL
Classification:	mal48.adwa.mac@0/19@20/0

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	48	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Operating System Destruction:

Found many Apple Mail windows (potential window denial of service)

Show sources

Source: Window Recorder

Window detected: many windows: 8 for /Applications/Mail.app/Contents/MacOS/Mail

Networking:

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1 Host: safari-serverhost.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 06 Jan 2017 14:42:41 GMT Server: Apache Last-Modified: Mon, 02 Jan 2017 16:07:38 GMT Accept-Ranges: bytes Content-Length: 845 Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 28 66 75 6e 63 74 69 6f 6e 28 69 2c 73 2c 6f 2c 67 2c 72 2c 61 2c 6d 29 7b 69 5b 27 47 6f 6f 67 6c 65 41 6e 61 6c 79 74 69 63 73 4f 62 6a 65 63 74 27 5d 3d 72 3b 69 5b 72 5d 3d 69 5b 72 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 28 69 5b 72 5d 2e 71 3d 69 5b 72 5d 2e 71 7c 7c 5b 5d 29 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 2c 69 5b 72 5d 2e 6c 3d 31 2a 6e 65 77 20 44 61 74 65 28 29 3b 61 3d 73 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 6f 29 2c 0a 20 20 6d 3d 73 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 6f 29 5b 30 5d 3b 61 2e 61 73 79 6e 63 3d 31 3b 61 2e 73 72 63 3d 67 3b 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 61 2c 6d 29 0a 20 20 7d 29 28 77 69 6e 64 6f 77 2c 64 6f 63 75 6d 65 6e 74 2c 2
Source: global traffic	HTTP traffic detected: GET /jquery-1.12.0.min.js HTTP/1.1 Host: code.jquery.com Connection: keep-alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7 Accept-Language: en-us Referer: http://safari-serverhost.net/ Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /10.html HTTP/1.1 Host: safari-serverhost.net Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7 Accept-Language: en-us Referer: http://safari-serverhost.net/ Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 06 Jan 2017 14:42:43 GMT Server: Apache Last-Modified: Mon, 02 Jan 2017 16:00:21 GMT Accept-Ranges: bytes Content-Length: 2622 Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 0a 3c 74 69 74 6c 65 3e 41 70 70 6c 65 20 41 6c 65 72 74 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 28 66 75 6e 63 74 69 6f 6e 28 69 2c 73 2c 6f 2c 67 2c 72 2c 61 2c 6d 29 7b 69 5b 27 47 6f 6f 67 6c 65 41 6e 61 6c 79 74 69 63 73 4f 62 6a 65 63 74 27 5d 3d 72 3b 69 5b 72 5d 3d 69 5b 72 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 28 69 5b 72 5d 2e 71 3d 69 5b 72 5d 2e 71 7c 7c 5b 5d 29 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 2c 69 5b 72 5d 2e 6c 3d 31 2a 6e 65 77 20 44 61 74 65 28 29 3b 61 3d 73 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 6f 29 2c 0a 20 20 6d 3d 73 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 6f 29 5b 30 5d 3b 61 2e 61 73 79 6e 63 3d 31 3b 61 2e 73 72 63 3d 67 3b 6d

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: configuration.apple.com

Reads from file descriptors related to (network) sockets

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Reads from socket in process:
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Reads from socket in process:

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443

Writes from file descriptors related to (network) sockets

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Writes from socket in process:
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Writes from socket in process:

Persistence and Installation Behavior:

Reads data from the local random generator

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Random device file read: /dev/random
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Random device file read: /dev/random
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Random device file read: /dev/random
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Random device file read: /dev/random

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Writes property list (.plist) files to disk

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Binary plist file created: /Users/vreni/Library/Safari/lock/.dat.nosync01b1.5TTqmr
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	XML plist file created: /private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/SyncedFilesInfo.plist
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	XML plist file created: /private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/VIPSenders.plist

Creates hidden files, links and/or directories

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)

Hidden file created: /Users/vreni/Library/Safari/lock/.dat.nosync01b1.5TTqmr

Opens the Safari browser app

Show sources

Source: /usr/libexec/xpcproxy (PID: 433)

Safari app opened: /Applications/Safari.app/Contents/MacOS/Safari

Reads launchservices plist files

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist

Reads user launchservices plist file containing default apps for corresponding filetypes

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)

Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)

CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal48.adwa.mac@0/19@20/0

Safari starts Apple Mail automatically

Show sources

Source: /usr/libexec/xpcproxy	Process spawned: /Applications/Safari.app/Contents/MacOS/Safari
Source: /usr/libexec/xpcproxy	Process spawned: /Applications/Mail.app/Contents/MacOS/Mail

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Sysctl read request: kern.safeboot (1.66)
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Sysctl read request: kern.safeboot (1.66)

Language, Device and Operating System Detection:

Reads the system or server version plist file

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Reads hardware related sysctl values

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Sysctl read request: hw.availcpu (6.25)
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Sysctl read request: hw.ncpu (6.3)
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Sysctl read request: hw.cpu_freq (6.15)
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Sysctl read request: hw.ncpu (6.3)
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Sysctl read request: hw.cpu_freq (6.15)
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Sysctl read request: hw.availcpu (6.25)

Reads the kernel OS version value

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Sysctl read request: kern.osversion (1.65)
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Sysctl read request: kern.osversion (1.65)

Reads the systems OS release and/or type

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Sysctl requested: kern.ostype (1.1)
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Sysctl requested: kern.osrelease (1.2)
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Sysctl requested: kern.ostype (1.1)
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Sysctl requested: kern.osrelease (1.2)

Reads the systems hostname

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 433)	Sysctl requested: kern.hostname (1.10)
Source: /Applications/Mail.app/Contents/MacOS/Mail (PID: 440)	Sysctl requested: kern.hostname (1.10)

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

Operating System Destruction:

Networking:

Persistence and Installation Behavior:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Yara Overview

Screenshot