macOS
Analysis Report
Launcher.dmg
Overview
General Information
Detection
CTHULHU STEALER
Field | Value
---|---
Score | 84
Range | 0 - 100
Whitelisted | false
Signatures
Writes files with sensitive content related to the Cthulhu stealer
Yara detected CTHULHU STEALER
Accesses directories and/or files with sensitive browser data likely for credential stealing
Executes Apple scripts that request passwords (for privilege escalation or leakage)
Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration
Executes the "security" command used to access the keychain
Uses known network protocols on non-standard ports
Writes files containing the user's password
Writes files with content identifying the system (indicating system fingerprinting)
Accesses files related to crypto wallets (potentially stealing the sensitive information)
Contains symbols with suspicious names likely related to anti-analysis
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Contains symbols with suspicious names likely related to well-known browsers
Creates hidden files, links and/or directories
Detected TCP or UDP traffic on non-standard ports
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes the "pgrep" command search for and/or send signals to processes
Executes the "rm" command used to delete files or directories
Executes the "system_profiler" command used to collect detailed system hardware and software information
Executes the "touch" command used to create files or modify time stamps
Mach-O contains sections with high entropy indicating compressed/encrypted content
May check the online IP address of the machine
Uses AppleScript framework/components containing Apple Script related functionalities
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Writes ZIP files to disk
Classification
Field | Value
---|---
Joe Sandbox version | 
Analysis ID | 4043688
Start date and time | 2024-08-26 12:46:10 +02:00
Joe Sandbox product | Cloud
Overall analysis duration | 0h 9m 59s
Hypervisor based Inspection enabled | false
Report type | full
Cookbook file name | defaultmacinteractivecookbook.jbs
Analysis system description | Mac Mini, Apple Silicon ARM64, Ventura (Office 2021, Java 1.8.0_381, Adobe Reader DC 23, Chrome 116, Firefox 116)
macOS major version | 13
CPU architecture | arm64
Analysis Mode | default
Sample name | Launcher.dmg
Detection | MAL
Classification | mal84.troj.spyw.evad.macDMG@0/28@2/0
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many JMT_LOOKUP calls found.
Runtime messages are not available for Live Interaction sessions
- System is mac-arm-ventura
- Terminal New Fork (PID: 1230, Parent: 470)
- login New Fork (PID: 1231, Parent: 1230)
- bash New Fork (PID: 1234, Parent: 1231)
- bash New Fork (PID: 1237, Parent: 1231)
- Launch New Fork (PID: 1238, Parent: 1237)
- Launch New Fork (PID: 1251, Parent: 1238)
- Launch New Fork (PID: 1260, Parent: 1238)
- Launch New Fork (PID: 1261, Parent: 1238)
- Launch New Fork (PID: 1262, Parent: 1238)
- Launch New Fork (PID: 1263, Parent: 1238)
- system_profiler New Fork (PID: 1269, Parent: 1263)
- system_profiler New Fork (PID: 1270, Parent: 1263)
- system_profiler New Fork (PID: 1271, Parent: 1270)
- Launch New Fork (PID: 1272, Parent: 1238)
- bash New Fork (PID: 1239, Parent: 1231)
- bash New Fork (PID: 1252, Parent: 1231)
- bash New Fork (PID: 1253, Parent: 1231)
- bash New Fork (PID: 1254, Parent: 1231)
- bash New Fork (PID: 1255, Parent: 1254)
- bash New Fork (PID: 1256, Parent: 1254)
- bash New Fork (PID: 1259, Parent: 1231)
- cleanup
Source | Rule | Description | Author | Strings
---|---|---|---|---
| | JoeSecurity_CTHULHUSTEALER | Yara detected CTHULHU STEALER | Joe Security | |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| | JoeSecurity_CTHULHUSTEALER | Yara detected CTHULHU STEALER | Joe Security | |
| | JoeSecurity_CTHULHUSTEALER | Yara detected CTHULHU STEALER | Joe Security | |
| | JoeSecurity_CTHULHUSTEALER | Yara detected CTHULHU STEALER | Joe Security | |
No Suricata rule has matched