macOS Analysis Report
ZNznZtSA34

Overview

General Information

Sample Name:ZNznZtSA34
Analysis ID:165917
MD5:51731fd8bd72d6cc4c8a58810d1a627f
SHA1:f44215738d5d0032b890bd596a597c19ef1a672c
SHA256:55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f
Infos:

Detection

Nukesped
Score:80
Range:0 - 100
Whitelisted:false

Signatures

Yara detected Nukesped
Terminates the command-line application Terminal (probably to hinder manual analysis)
Deletes the saved state of the command-line application Terminal (probably to avoid forensic reconstruction of shell activity)
Opens PDF files, sometimes used to disguise malicious intentions
Writes Mach-O files to untypical directories
Opens applications from non-standard application directories
Terminates several processes with shell command 'killall'
Contains symbols with suspicious names likely related to networking
Reads the system's hostname
Opens applications that might be created ones
Writes PDF files to disk
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Queries OS software version with shell command 'sw_vers'
Contains symbols with suspicious names likely related to well-known browsers
Sample tries to kill a process (SIGKILL)
Sample is a FAT Mach-O sample containing binaries for multiple architectures
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Writes RTF files to disk
Reads hardware related sysctl values
Creates user-wide 'launchd' managed services aka launch agents
Reads the saved state of applications
Creates code signed application bundles
Mach-O contains sections with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Reads the system's OS release and/or type
Creates application bundles
Contains symbols with paths
Executes the "rm" command used to delete files or directories
Executes the "pgrep" command to search for and/or send signals to processes
Writes FAT Mach-O files to disk

Classification

Analysis Advice

All domains contacted by the sample do not resolve. The sample is likely an old dropper which no longer works.
Joe Sandbox Version:
Analysis ID:165917
Start date and time: 2022-05-04 12:10:41 +02:00
Joe Sandbox Product:Cloud
Overall analysis duration:0h 4m 53s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:ZNznZtSA34
Cookbook file name:macOS - Big Sur - load provided binary as normal user.jbs
Analysis system description:Mac Mini, Big Sur (Office 2019 16.55, Java 1.8.0_311)
Analysis Mode:default
Detection:MAL
Classification:mal80.troj.evad.mac@0/15@1/0
  • Excluded domains from analysis (whitelisted): b._dns-sd._udp.0.0.168.192.in-addr.arpa, db._dns-sd._udp.0.0.168.192.in-addr.arpa
Command:sudo -u drew /Users/drew/Desktop/ZNznZtSA34
PID:1110
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • System is mac-bigsur
  • sudo (MD5: f21c2a2dc106642f7c38801e121c8c86) Arguments: /usr/bin/sudo -u drew /Users/drew/Desktop/ZNznZtSA34
    • sudo New Fork (PID: 1111, Parent: 1110)
    • ZNznZtSA34 (MD5: 51731fd8bd72d6cc4c8a58810d1a627f) Arguments: /Users/drew/Desktop/ZNznZtSA34
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (open '/Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1
        • bash New Fork (PID: 1113, Parent: 1112)
          • bash New Fork (PID: 1114, Parent: 1113)
          • open (MD5: 81d0c6fefba2004d451915c6fa861914) Arguments: open /Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf
          • bash New Fork (PID: 1117, Parent: 1113)
          • rm (MD5: 6cd9e187f33d60ce3cb05b12435f0673) Arguments: rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1
        • bash New Fork (PID: 1119, Parent: 1118)
        • tar (MD5: dbeb13c3b2ade21995470fde7650314a) Arguments: tar zxvf /Users/drew/Library/Fonts/safarifontsagent_ -C /Users/drew/Library/Fonts
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1
        • bash New Fork (PID: 1121, Parent: 1120)
        • tar (MD5: dbeb13c3b2ade21995470fde7650314a) Arguments: tar zxvf /Users/drew/Library/Fonts/fontsupdater_ -C /Users/drew/Library/Fonts
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1
        • bash New Fork (PID: 1123, Parent: 1122)
        • pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1
        • bash New Fork (PID: 1125, Parent: 1124)
        • pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1
        • bash New Fork (PID: 1127, Parent: 1126)
        • open (MD5: 81d0c6fefba2004d451915c6fa861914) Arguments: open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1
        • bash New Fork (PID: 1143, Parent: 1142)
        • pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent
  • xpcproxy New Fork (PID: 1115, Parent: 1)
  • Preview (MD5: 510c4010daefc87831ff8730ab2f5092) Arguments: /System/Applications/Preview.app/Contents/MacOS/Preview
  • xpcproxy New Fork (PID: 1128, Parent: 1)
  • FinderFontsUpdater (MD5: c6ad06ba0f0d2305596e013ae19c8b5a) Arguments: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
    • safarifontsagent (MD5: 8fd522272d06d460ea668d2f87a1e353) Arguments: /Users/drew/Library/Fonts/safarifontsagent
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (killall Terminal) 2>&1
        • bash New Fork (PID: 1132, Parent: 1131)
        • killall (MD5: f3e64d320b9eed9c6dbd97435daddded) Arguments: killall Terminal
      • sh New Fork (PID: 1133, Parent: 1130)
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c sw_vers -productVersion
      • sw_vers (MD5: 7e6a3895092064bd002ecb1d4300b0db) Arguments: sw_vers -productVersion
  • cleanup
Source | Rule | Description | Author | Strings
ZNznZtSA34 | JoeSecurity_Nukesped_2 | Yara detected Nukesped | Joe Security |
/Users/drew/Library/Fonts/safarifontsagent | JoeSecurity_Nukesped_2 | Yara detected Nukesped | Joe Security |
Process Memory Space: safarifontsagent PID: 1130 | JoeSecurity_Nukesped_2 | Yara detected Nukesped | Joe Security |
        No Snort rule has matched

        Source: unknown | DNS traffic detected: query: onlinestockwatch.net, reply code: Name error (3)
        Source: unknown | TCP traffic detected without corresponding DNS query: 17.57.146.68
        Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr | String found in binary or memory: http://certs.apple.com/wwdrg3.der01
        Source: ZNznZtSA34, 00001111.00000371.1.000000010c66c000.000000010c6a4000.r--.sdmp, FinderFontsUpdater, 00001128.00000404.1.0000000104f76000.0000000104fae000.r--.sdmp, safarifontsagent, 00001130.00000408.1.00000001113af000.00000001113e7000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
        Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr | String found in binary or memory: http://crl.apple.com/root.crl0
        Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr | String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootca0.
        Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr | String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3040
        Source: ZNznZtSA34, CodeResources.389.dr, com.safari.fontsyncagent.plist.371.dr, FinderFontsUpdater.389.dr, Info.plist.389.dr, safarifontsagent.385.dr | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
        Source: ZNznZtSA34, 00001111.00000371.1.000000010c66c000.000000010c6a4000.r--.sdmp, FinderFontsUpdater, 00001128.00000404.1.0000000104f76000.0000000104fae000.r--.sdmp, safarifontsagent, 00001130.00000408.1.00000001113af000.00000001113e7000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
        Source: safarifontsagent, 00001130.00000408.1.0000000107c08000.0000000107c0c000.rw-.sdmp, safarifontsagent.385.dr | String found in binary or memory: https://onlinestockwatch.net
        Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr | String found in binary or memory: https://www.apple.com/appleca/0
        Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr | String found in binary or memory: https://www.apple.com/certificateauthority/0
        Source: unknown | DNS traffic detected: queries for: onlinestockwatch.net
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | SIGKILL sent: pid: 1112, result: successful
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | SIGKILL sent: pid: 1118, result: successful
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | SIGKILL sent: pid: 1120, result: successful
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | SIGKILL sent: pid: 1122, result: successful
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | SIGKILL sent: pid: 1124, result: successful
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | SIGKILL sent: pid: 1126, result: successful
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | SIGKILL sent: pid: 1142, result: successful
        Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130) | SIGKILL sent: pid: 1131, result: successful
        Source: classification engine | Classification label: mal80.troj.evad.mac@0/15@1/0
        Source: dropped file: safarifontsagent.385.dr | Mach-O symbol: _g_szServerUrl
        Source: submission: ZNznZtSA34 | Mach-O symbol: __Z15IsSafariFAExistv
        Source: submission: ZNznZtSA34 | Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/SelfExtractor.build/Release/SelfExtractor.build/Objects-normal/x86_64/main.o
        Source: submission: ZNznZtSA34 | Mach-O symbol: /Volumes/Dev/Shared/Mac/SelfExtractor/SelfExtractor/
        Source: submission: ZNznZtSA34 | Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/SelfExtractor.build/Release/SelfExtractor.build/Objects-normal/arm64/main.o
        Source: dropped file: safarifontsagent.385.dr | Mach-O symbol: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../include/c++/v1/string.h
        Source: dropped file: safarifontsagent.385.dr | Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/DownAndExec.build/Release/DownAndExec.build/Objects-normal/x86_64/main.o
        Source: dropped file: safarifontsagent.385.dr | Mach-O symbol: /Volumes/Dev/Shared/Mac/DownAndExec/DownAndExec/
        Source: dropped file: safarifontsagent.385.dr | Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/DownAndExec.build/Release/DownAndExec.build/Objects-normal/arm64/main.o
        Source: dropped file: FinderFontsUpdater.389.dr | Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/FinderFontsUpdater.build/Release/FinderFontsUpdater.build/Objects-normal/x86_64/AppDelegate.o
        Source: dropped file: FinderFontsUpdater.389.dr | Mach-O symbol: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_macosx.a(arclite.o)
        Source: dropped file: FinderFontsUpdater.389.dr | Mach-O symbol: /Library/Caches/com.apple.xbs/Sources/arclite/arclite-76/source/
        Source: dropped file: FinderFontsUpdater.389.dr | Mach-O symbol: /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.0.Internal.sdk/usr/include/_ctype.h
        Source: dropped file: FinderFontsUpdater.389.dr | Mach-O symbol: /Volumes/Dev/Shared/Mac/DroperApp/DroperApp/
        Source: dropped file: FinderFontsUpdater.389.dr | Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/FinderFontsUpdater.build/Release/FinderFontsUpdater.build/Objects-normal/x86_64/main.o
        Source: dropped file: FinderFontsUpdater.389.dr | Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/FinderFontsUpdater.build/Release/FinderFontsUpdater.build/Objects-normal/arm64/main.o
        Source: dropped file: FinderFontsUpdater.389.dr | Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/FinderFontsUpdater.build/Release/FinderFontsUpdater.build/Objects-normal/arm64/AppDelegate.o

        Persistence and Installation Behavior

        Source: /usr/bin/tar (PID: 1119) | FAT Mach-O written to unusual path: /Users/drew/Library/Fonts/safarifontsagent
        Source: /usr/bin/tar (PID: 1121) | FAT Mach-O written to unusual path: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
        Source: /bin/bash (PID: 1127) | Application opened: open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app
        Source: /bin/bash (PID: 1132) | Killall command executed: killall Terminal
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | File written: /Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf
        Source: submission | File header: Mach-O fat file with 2 architectures
        Source: /usr/bin/tar (PID: 1121) | File written: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/Credits.rtf
        Source: /bin/rm (PID: 1117) | Saved state directory opened: /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState
        Source: /usr/bin/tar (PID: 1121) | Bundle code signature resource file created: FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1112) | Shell command executed: bash -c (open '/Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1118) | Shell command executed: bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1120) | Shell command executed: bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1122) | Shell command executed: bash -c (pgrep -f safarifontsagent) 2>&1
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1124) | Shell command executed: bash -c (pgrep -f safarifontsagent) 2>&1
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1126) | Shell command executed: bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1142) | Shell command executed: bash -c (pgrep -f safarifontsagent) 2>&1
        Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130) | Shell command executed: sh -c sw_vers -productVersion
        Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1131) | Shell command executed: bash -c (killall Terminal) 2>&1
        Source: /bin/sh (PID: 1133) | Shell command executed: sh -c sw_vers -productVersion
        Source: /usr/bin/tar (PID: 1121) | Bundle Info.plist file created: FinderFontsUpdater.app/Contents/Info.plist
        Source: /bin/bash (PID: 1117) | Rm executable: /bin/rm -> rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState
        Source: /bin/bash (PID: 1123) | Pgrep executable: /usr/bin/pgrep -> pgrep -f safarifontsagent
        Source: /bin/bash (PID: 1125) | Pgrep executable: /usr/bin/pgrep -> pgrep -f safarifontsagent
        Source: /bin/bash (PID: 1143) | Pgrep executable: /usr/bin/pgrep -> pgrep -f safarifontsagent
        Source: /usr/bin/tar (PID: 1119) | File written: /Users/drew/Library/Fonts/safarifontsagent
        Source: /usr/bin/tar (PID: 1121) | File written: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | XML plist file created: /Users/drew/Library/LaunchAgents/com.safari.fontsyncagent.plist
        Source: /usr/bin/tar (PID: 1121) | XML plist file created: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Info.plist
        Source: /usr/bin/tar (PID: 1121) | Binary plist file created: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib
        Source: /usr/bin/tar (PID: 1121) | XML plist file created: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources
        Source: submission | String containing user path: /Users/home/Library/Fonts/Log.txt
        Source: submission | String containing user path: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/SelfExtractor.build/R
        Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
        Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115) | Random device file read: /dev/random
        Source: submission | CodeSign Info: Executable=/Users/drew/Desktop/ZNznZtSA34
        Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111) | Launch agent created, file created: /Users/drew/Library/LaunchAgents//com.safari.fontsyncagent.plist

        Hooking and other Techniques for Hiding and Protection

        Source: /bin/bash (PID: 1132) | Kills terminal apps: killall Terminal
        Source: /bin/bash (PID: 1117) | Saved state deleted: /bin/rm -> rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState
        Source: /bin/bash (PID: 1114) | PDF opened with default viewer: open /Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf
        Source: ZNznZtSA34 | Submission file: section __data with 7.9921 entropy (max. 8.0)
        Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115) | Sysctl read request: kern.safeboot (1.66)
        Source: /bin/bash (PID: 1112) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/bash (PID: 1118) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/bash (PID: 1120) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/bash (PID: 1122) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/bash (PID: 1124) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/bash (PID: 1126) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/bash (PID: 1142) | Sysctl requested: kern.hostname (1.10)
        Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/bash (PID: 1131) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/bash (PID: 1133) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/bash (PID: 1133) | sw_vers executed: sw_vers -productVersion
        Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115) | Sysctl read request: hw.ncpu (6.3)
        Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130) | Sysctl requested: kern.ostype (1.1)
        Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130) | Sysctl requested: kern.osrelease (1.2)
        Source: /usr/bin/open (PID: 1114) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /usr/bin/open (PID: 1127) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /usr/bin/sw_vers (PID: 1133) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

        Stealing of Sensitive Information

        Source: Yara match | File source: ZNznZtSA34, type: SAMPLE
        Source: Yara match | File source: Process Memory Space: safarifontsagent PID: 1130, type: MEMORYSTR
        Source: Yara match | File source: /Users/drew/Library/Fonts/safarifontsagent, type: DROPPED

        Remote Access Functionality

        Source: Yara match | File source: ZNznZtSA34, type: SAMPLE
        Source: Yara match | File source: Process Memory Space: safarifontsagent PID: 1130, type: MEMORYSTR
        Source: Yara match | File source: /Users/drew/Library/Fonts/safarifontsagent, type: DROPPED
        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | 1 Command and Scripting Interpreter | 1 Launch Agent | 1 Launch Agent | 2 Masquerading | OS Credential Dumping | 51 System Information Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Non-Application Layer Protocol | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | 1 Scripting | 1 Plist Modification | 1 Plist Modification | 1 Scripting | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Invalid Code Signature | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Code Signing | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 File Deletion | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Shell
        • Is malicious
        • Internet

        Behavior Graph (ID: 165917, Sample: ZNznZtSA34, Startdate: 04/05/2022, Architecture: MAC, Score: 80): the rendered graph is not reproduced in this text. It shows the contacted domain onlinestockwatch.net, the "Yara detected Nukesped" signature, the dropped PDF /Users/drew/Librar..._JobDescription.pdf, and the process chains sudo > ZNznZtSA34 > bash > tar/open (plus 4 other processes), FinderFontsUpdater > safarifontsagent > bash killall and sh sw_vers, and Preview, as listed in the process tree above.