
macOS Analysis Report
Launcher.dmg

Overview

General Information

Sample name: Launcher.dmg
Analysis ID: 4043688
MD5: 35d531cea797134df28c7102cfc291a1
SHA1: 289171f80fb40e483339fa1ace44695d2b19a801
SHA256: 6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12
Infos:

Detection

CTHULHU STEALER
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Writes files with sensitive content related to the Cthulhu stealer
Yara detected CTHULHU STEALER
Accesses directories and/or files with sensitive browser data likely for credential stealing
Executes Apple scripts that request passwords (for privilege escalation or leakage)
Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration
Executes the "security" command used to access the keychain
Uses known network protocols on non-standard ports
Writes files containing the user's password
Writes files with content identifying the system (indicating system fingerprinting)
Accesses files related to crypto wallets (potentially stealing the sensitive information)
Contains symbols with suspicious names likely related to anti-analysis
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Contains symbols with suspicious names likely related to well-known browsers
Creates hidden files, links and/or directories
Detected TCP or UDP traffic on non-standard ports
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes the "pgrep" command used to search for and/or send signals to processes
Executes the "rm" command used to delete files or directories
Executes the "system_profiler" command used to collect detailed system hardware and software information
Executes the "touch" command used to create files or modify time stamps
Mach-O contains sections with high entropy indicating compressed/encrypted content
May check the online IP address of the machine
Uses AppleScript framework/components containing Apple Script related functionalities
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Writes ZIP files to disk

Classification

Joe Sandbox version:
Analysis ID: 4043688
Start date and time: 2024-08-26 12:46:10 +02:00
Joe Sandbox product: Cloud
Overall analysis duration: 0h 9m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultmacinteractivecookbook.jbs
Analysis system description: Mac Mini, Apple Silicon ARM64, Ventura (Office 2021, Java 1.8.0_381, Adobe Reader DC 23, Chrome 116, Firefox 116)
macOS major version: 13
CPU architecture: arm64
Analysis Mode: default
Sample name: Launcher.dmg
Detection: MAL
Classification: mal84.troj.spyw.evad.macDMG@0/28@2/0
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many JMT_LOOKUP calls found.
Runtime messages are not available for Live Interaction sessions
  • System is mac-arm-ventura
  • Terminal New Fork (PID: 1230, Parent: 470)
  • login (MD5: 14b465cfd148ee4bc8330f9ae22683dc) Arguments: login -pf rodrigo
    • login New Fork (PID: 1231, Parent: 1230)
    • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: -bash
      • bash New Fork (PID: 1232, Parent: 1231)
        • bash New Fork (PID: 1233, Parent: 1232)
        • path_helper (MD5: a555e586fad78194999d457bf7693b1d) Arguments: /usr/libexec/path_helper -s
      • bash New Fork (PID: 1234, Parent: 1231)
      • mkdir (MD5: 80c8877b68a14c3a6c46cb653611c53e) Arguments: mkdir -m 700 -p /Users/rodrigo/.bash_sessions
      • bash New Fork (PID: 1235, Parent: 1231)
        • bash New Fork (PID: 1236, Parent: 1235)
        • touch (MD5: a26a786a3e1eeb6b490b94dc799165a4) Arguments: /usr/bin/touch /Users/rodrigo/.bash_sessions/DCAE3CE8-EA97-49BC-B27E-2AE560A9E1DB.historynew
      • bash New Fork (PID: 1237, Parent: 1231)
      • Launch (MD5: 3eefdd8aa489b6b043dc4ef5e3804303) Arguments: /Volumes/Launch/Launch
        • Launch New Fork (PID: 1238, Parent: 1237)
        • Launch (MD5: 3eefdd8aa489b6b043dc4ef5e3804303) Arguments: /Volumes/Launch/Launch background
          • Launch New Fork (PID: 1251, Parent: 1238)
          • osascript (MD5: 4fa520f20abf9ce4356b13b13ad43785) Arguments: osascript -e display dialog "To launch the application, you need to update the system settings\n\nPlease enter your password." default answer "" with hidden answer with icon caution buttons {"Cancel", "OK"} default button "OK" with title "System Preferences"
          • Launch New Fork (PID: 1260, Parent: 1238)
          • osascript (MD5: 4fa520f20abf9ce4356b13b13ad43785) Arguments: osascript -e display dialog "MacOS wants to access the MetaMask" default answer "" with icon POSIX file "/var/folders/lz/nsqjk8n92l30_9hwqkbhfpym0000gp/T/ic.png1884498256" buttons {"Cancel", "OK"} default button "OK" with title "Wallet Connect"
          • Launch New Fork (PID: 1261, Parent: 1238)
          • security (MD5: 05bb69f46a91f9b057f2e279de6a9435) Arguments: security list-keychains
          • Launch New Fork (PID: 1262, Parent: 1238)
          • cp (MD5: 3f64ee5b039cadf4a26446e5d9a86f83) Arguments: cp /Users/rodrigo/Library/Application Support/Binance/.finger-print.fp /Users/Shared/NW/Wallet/binance/finger-print.fp
          • Launch New Fork (PID: 1263, Parent: 1238)
          • system_profiler (MD5: f5b1d8a583467cae5c5d5589e6a1895f) Arguments: system_profiler SPHardwareDataType SPSoftwareDataType
            • system_profiler (MD5: f5b1d8a583467cae5c5d5589e6a1895f) Arguments: /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full
            • system_profiler (MD5: f5b1d8a583467cae5c5d5589e6a1895f) Arguments: /usr/sbin/system_profiler -nospawn -xml SPSoftwareDataType -detailLevel full
              • csrutil (MD5: 434fecbeddbeb8b98548b9fb668abf68) Arguments: /usr/bin/csrutil status
          • Launch New Fork (PID: 1272, Parent: 1238)
          • pgrep (MD5: 911fc806df3e124db2bde32c85922535) Arguments: pgrep firefox
      • bash New Fork (PID: 1239, Parent: 1231)
        • bash New Fork (PID: 1240, Parent: 1239)
          • bash New Fork (PID: 1241, Parent: 1240)
          • date (MD5: 3a91f607c030997a44afa8b20669e6d1) Arguments: /bin/date +%s
      • bash New Fork (PID: 1242, Parent: 1231)
        • bash New Fork (PID: 1243, Parent: 1242)
        • touch (MD5: a26a786a3e1eeb6b490b94dc799165a4) Arguments: /usr/bin/touch /Users/rodrigo/.bash_sessions/DCAE3CE8-EA97-49BC-B27E-2AE560A9E1DB.historynew
      • bash New Fork (PID: 1244, Parent: 1231)
        • bash New Fork (PID: 1245, Parent: 1244)
        • cp (MD5: 3f64ee5b039cadf4a26446e5d9a86f83) Arguments: /bin/cp /Users/rodrigo/.bash_history /Users/rodrigo/.bash_sessions/DCAE3CE8-EA97-49BC-B27E-2AE560A9E1DB.history
      • bash New Fork (PID: 1246, Parent: 1231)
        • bash New Fork (PID: 1247, Parent: 1246)
      • bash New Fork (PID: 1249, Parent: 1231)
        • bash New Fork (PID: 1250, Parent: 1249)
        • cat (MD5: a9d3d79b6a261dde4afc11aa38eed643) Arguments: /bin/cat /Users/rodrigo/.bash_sessions/DCAE3CE8-EA97-49BC-B27E-2AE560A9E1DB.historynew
      • bash New Fork (PID: 1252, Parent: 1231)
      • bash New Fork (PID: 1253, Parent: 1231)
      • shlock (MD5: 9b281feb7bdfb37957b925fa62600d84) Arguments: /usr/bin/shlock -f /Users/rodrigo/.bash_sessions/_expiration_lockfile -p 1231
      • bash New Fork (PID: 1254, Parent: 1231)
        • bash New Fork (PID: 1255, Parent: 1254)
        • find (MD5: 5a05ccb58a15b03e44f32ad68f86b166) Arguments: /usr/bin/find /Users/rodrigo/.bash_sessions -type f -mtime +2w -print -delete
        • bash New Fork (PID: 1256, Parent: 1254)
        • wc (MD5: 364829db2c2cd2d7e68eabb91217d0a6) Arguments: /usr/bin/wc -l
      • bash New Fork (PID: 1257, Parent: 1231)
        • bash New Fork (PID: 1258, Parent: 1257)
        • touch (MD5: a26a786a3e1eeb6b490b94dc799165a4) Arguments: /usr/bin/touch /Users/rodrigo/.bash_sessions/_expiration_check_timestamp
      • bash New Fork (PID: 1259, Parent: 1231)
      • rm (MD5: dba08d0ccaff1fa37865ef9a1c8ed34d) Arguments: /bin/rm /Users/rodrigo/.bash_sessions/_expiration_lockfile
  • cleanup
Source: Launch | Rule: JoeSecurity_CTHULHUSTEALER | Description: Yara detected CTHULHU STEALER | Author: Joe Security | Strings:
Source: Process Memory Space: Launch PID: 1237 | Rule: JoeSecurity_CTHULHUSTEALER | Description: Yara detected CTHULHU STEALER | Author: Joe Security | Strings:
Source: Process Memory Space: Launch PID: 1238 | Rule: JoeSecurity_CTHULHUSTEALER | Description: Yara detected CTHULHU STEALER | Author: Joe Security | Strings:
No Suricata rule has matched
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.fiatScalarFromMontgomery
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.fiatScalarMul
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.fiatScalarAdd
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.fiatScalarFromBytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.d2
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.feOne
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.basepointNafTablePrecomp
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.d
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.basepointNafTable
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.basepointNafTable.func1
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519..stmp_9
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519..stmp_2
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519..stmp_8
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519..stmp_10
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519..stmp_11
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519..stmp_0
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519..stmp_1
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*projP2).FromP1xP1
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519..inittask
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*projP1xP1).SubAffine
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*projP1xP1).Double
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*projP1xP1).Sub
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*projP1xP1).Add
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*projP1xP1).AddAffine
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*nafLookupTable8).FromP3
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*projCached).FromP3
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*affineCached).FromP3
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*nafLookupTable5).FromP3
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Scalar).nonAdjacentForm
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Scalar).setShortBytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Scalar).bytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Scalar).SetCanonicalBytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Scalar).SetUniformBytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Point).fromP1xP1
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Point).fromP2
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Point).VarTimeDoubleScalarBaseMult
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Point).bytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Point).Negate
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Point).SetBytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/edwards25519.(*Point).Add
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/boring.(*PublicKeyECDH).Bytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/boring/sig.StandardCrypto.abi0
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.supportADX
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/boring.(*PrivateKeyECDH).PublicKey
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.init
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.rr
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.addMulVVW1536.abi0
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.addMulVVW2048.abi0
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.NewModulusFromBig
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.addMulVVW1024.abi0
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod..inittask
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).setBytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).shiftIn
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).montgomeryMul
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).montgomeryReduction
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).Sub
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).maybeSubtractModulus
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).SetBytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).SetOverflowingBytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).Mul
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).IsZero
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).Mod
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).ExpShort
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).ExpandFor
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).Equal
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).Exp
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).Add
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Nat).Bytes
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Modulus).Nat
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Modulus).Size
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/internal/bigmod.(*Modulus).BitLen
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/hmac.New.func1
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/hmac.New.func1.1
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/hmac..stmp_0
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/hmac.New
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/hmac.(*hmac).Sum
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/hmac.(*hmac).Write
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/hmac.(*hmac).Reset
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/hmac.(*hmac).Size
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/hmac.(*hmac).BlockSize
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.panicIfNotOnCurve
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.zForAffine
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.p384
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.p521
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.p256
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.p256Curve.Inverse
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.matchesSpecificCurve
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.p224
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.initP521
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.initonce
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.initP384
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.initP224
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.initP256
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.Unmarshal
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.initAll
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic..stmp_6
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic.Marshal
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic..stmp_4
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic..stmp_5
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic..stmp_36
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic..stmp_35
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic..stmp_30
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic..stmp_33
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic..stmp_28
Source: extracted file from submission: Launch | Mach-O symbol: _crypto/elliptic..stmp_3
          Source: extracted file from submission