macOS Analysis Report Guard.py
Detection |
---|
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 138361 |
Start date: | 09.07.2021 |
Start time: | 14:50:17 |
Joe Sandbox Product: | Cloud |
Overall analysis duration: | 0h 7m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Guard.py |
Cookbook file name: | defaultmacinteractivecookbook.jbs |
Analysis system description: | Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223) |
Analysis Mode: | default |
Detection: | MAL |
Classification: | mal48.troj.macPY@0/7@0/0 |
Process Tree |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Guard.py (initial sample) | JoeSecurity_WildPressure | Yara detected WildPressure | Joe Security | |
Jbx Signature Overview |
---|
The per-hit source and detail columns are empty in this copy of the report; the count is the number of rows the report lists for each signature.
Signature | Hits |
---|---|
TCP traffic detected without corresponding DNS query | 2 |
String found in binary or memory | 1 |
Classification label | 1 |
Hidden Directory created | 1 |
Shell command executed | 3 |
Python executable | 2 |
Launch agent/daemon listed | 6 |
Launch agent/daemon loaded | 1 |
Random device file read | 2 |
Python framework application | 2 |
XML plist file created | 2 |
Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created | 2 |
Launch agent created, file created | 2 |
Sysctl requested | 16 |
System or server version plist file read | 2 |
Stealing of Sensitive Information: |
---|
Yara detected WildPressure |
Source: | File source: | initial sample (rule JoeSecurity_WildPressure) |
Source: | Uname executable: | 2 hits |
Remote Access Functionality: |
---|
Yara detected WildPressure |
Source: | File source: | initial sample (rule JoeSecurity_WildPressure) |
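The signatures above (XML plist file created, launch agent created with KeepAlive and/or RunAtLoad, launch agent loaded) together with the `launchctl load -w /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist` command in the process list describe the persistence mechanism. The following is an added example, not code from the report or from the sample, that audits per-user LaunchAgent plists for the traits seen here: an Apple-looking label under a user's home directory, RunAtLoad/KeepAlive, and an interpreter pointed at a script in a home directory. The two sample plists are constructed: the report does not show the real plist's contents, so the keys it contained are an assumption; only the label and the program arguments come from the report.

```python
"""Audit LaunchAgent plists for the persistence profile seen in this report.

Added example; not code from the report or from the sample.
"""
import plistlib
import re
from pathlib import Path

# Interpreters that turn a LaunchAgent into "run this script at login".
INTERPRETERS = {"python", "python2", "python2.7", "python3", "sh", "bash", "zsh",
                "osascript", "perl", "ruby"}
APPLE_LABEL = re.compile(r"^com\.apple\.", re.IGNORECASE)


def audit_launch_agent(data: bytes, path: str) -> list:
    """Return a list of findings for one LaunchAgent plist (empty list = nothing odd)."""
    findings = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed, or not a plist at all
        return [f"{path}: unparsable plist ({type(exc).__name__})"]
    if not isinstance(plist, dict):
        return [f"{path}: top-level object is not a dict"]

    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    if not args and plist.get("Program"):
        args = [plist["Program"]]
    args = [str(a) for a in args]

    # 1. An "Apple" label in a per-user LaunchAgents directory. Apple's own agents
    #    live under /System/Library, never under a user's home directory.
    in_user_dir = path.startswith("/Users/") and "/Library/LaunchAgents/" in path
    if in_user_dir and APPLE_LABEL.match(label):
        findings.append(f"{path}: Apple-style label {label!r} in a per-user LaunchAgents directory")

    # 2. Start-at-login plus auto-restart is the persistence profile the report flags.
    keys = [k for k in ("RunAtLoad", "KeepAlive") if plist.get(k)]
    if keys:
        findings.append(f"{path}: persistence keys set: {', '.join(keys)}")

    # 3. A script interpreter pointed at a file inside a home directory.
    if args and Path(args[0]).name in INTERPRETERS:
        script = next((a for a in args[1:] if not a.startswith("-")), None)
        if script and script.startswith("/Users/"):
            findings.append(f"{path}: {Path(args[0]).name} runs user-owned script {script}")
    return findings


def scan_launch_agents(directories) -> dict:
    """Audit every .plist in the given directories; returns {path: findings} for hits only."""
    results = {}
    for d in directories:
        for p in Path(d).glob("*.plist"):
            findings = audit_launch_agent(p.read_bytes(), str(p))
            if findings:
                results[str(p)] = findings
    return results


# Constructed sample modelled on the report: label and program arguments are taken from
# the process list; the real file's contents were not captured, so the keys are assumed.
SUSPICIOUS_PATH = "/Users/ben/Library/LaunchAgents/com.apple.pyapple.plist"
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.pyapple</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/python</string><string>/Users/ben/Desktop/Guard.py</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign agent: vendor label, compiled binary, periodic start, no persistence keys.
BENIGN_PATH = "/Users/ben/Library/LaunchAgents/com.example.updater.plist"
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    for path, blob in ((SUSPICIOUS_PATH, SUSPICIOUS_PLIST), (BENIGN_PATH, BENIGN_PLIST)):
        for line in audit_launch_agent(blob, path) or [f"{path}: no findings"]:
            print(line)
    # On a live host: scan_launch_agents([Path.home() / "Library/LaunchAgents", "/Library/LaunchAgents"])
```

The three checks are deliberately independent so that a plist can be scored by how many it trips: the Apple-style label alone is a masquerading signal, RunAtLoad/KeepAlive alone is normal for many legitimate agents, and only the combination seen in this report trips all three.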
Mitre Att&ck Matrix |
---|
Techniques flagged for this sample. The superscript count in the original matrix is the number of matching behaviors; the unmarked cells of the matrix are the empty grid and are omitted here.
Tactic | Technique | Hits |
---|---|---|
Execution | Scripting | 2 |
Execution | Launchctl | 1 |
Persistence | Launch Agent | 4 |
Persistence | Launch Daemon | 2 |
Persistence | Plist Modification | 1 |
Privilege Escalation | Launch Agent | 4 |
Privilege Escalation | Launch Daemon | 2 |
Privilege Escalation | Plist Modification | 1 |
Defense Evasion | Masquerading | 1 |
Defense Evasion | Scripting | 2 |
Defense Evasion | Hidden Files and Directories | 1 |
Discovery | System Information Discovery | 31 |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
17.57.146.21 | unknown | United States | 714 | APPLE-ENGINEERINGUS | false |
The only connection recorded during the run is to this Apple-owned address (AS714) on TCP port 5223, the port used by the Apple Push Notification service, and the report does not mark it malicious or tie it to a sample process. Treat it as analysis-host background traffic unless process-level attribution says otherwise; the "TCP traffic detected without corresponding DNS query" signature therefore does not by itself show command-and-control activity, and no other outbound traffic was captured.
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python |
File Type: | |
Category: | dropped |
Size (bytes): | 453 |
Entropy (8bit): | 5.06657532790356 |
Encrypted: | false |
SSDEEP: | 12:TMHd4+tJVEdQsv9SUlfVegXqOf/fpXf6X6NPfHu:2d6ysvBPzm |
MD5: | B35AFD2D2D5D8CFE077105210B9CDF4D |
SHA1: | 8D9D3B6C26266CE079B38E20868A957486307338 |
SHA-256: | 19187B64335830FE8AC6B65D20F86E9CF33D60C4E6B9BAA8FA83FBEBDC5ED3D9 |
SHA-512: | F3C216CB4C1942195FEBF4B72F047EEC7F091A5488A7AE7938D6E206F402F551948B6D129A3C14E2941BE9A02B5FD07A7FF6CA49F9160D065D1E70C7E0F41EC6 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python |
File Type: | |
Category: | dropped |
Size (bytes): | 20 |
Entropy (8bit): | 2.8393538721672007 |
Encrypted: | false |
SSDEEP: | 3:YVhUcURr:YLa |
MD5: | E9F7B9A08EFA61B96B651D38DAEA5DB7 |
SHA1: | B47D94F6C950090696F69323FCBCC39A59253B8F |
SHA-256: | CCB4560876F74B9F95F3D39EE1F7BFA02591589C16F655C80E6B665222562140 |
SHA-512: | 9B62224E74D1900E81AFF95C53CEBAA77F8F00C89FDF7FD8AE009C876C3E243B80DD63C5B864E3EA6CC1FEE69AEBF46FAFA3D91D1F6166825AE67DA11E059155 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | /bin/bash |
File Type: | |
Category: | dropped |
Size (bytes): | 253 |
Entropy (8bit): | 4.874058389807945 |
Encrypted: | false |
SSDEEP: | 6:qEMKET7eCexw+iMKETXAfVAiCeWipErMKETXAfVAiCeWiK:Pc7enxic1inW2EVc1inWB |
MD5: | 16E39173708E5480255DFBBE0C1661F9 |
SHA1: | 4D945F75EF7D49EAEAA17B65145D43AD2D16AF4A |
SHA-256: | 57B9BD83410BCDF7767C123E9FFA67CF19D01A6E2254A78F338C82BFF7FCFF66 |
SHA-512: | B7B40FD18B1BE2A4BA01AFBE1E4FF2C1E0C0E9BC8AA07C915BFE295B3CF4CD62B9A4A37314A605FBF50821CA018F1914020767F42AC04CAE5FED4656524C6EC5 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | /usr/bin/login |
File Type: | |
Category: | dropped |
Size (bytes): | 628 |
Entropy (8bit): | 0.35801480786883905 |
Encrypted: | false |
SSDEEP: | 3:nV2illylyJ6H//ll:nEilly40H// |
MD5: | C30E8FAF9B4152B692E17677478D3DA8 |
SHA1: | 3E5D785027C89F0B75696FE80408EC7F4EFCEBF9 |
SHA-256: | 1AA0E26C40D0153D4E799089EE7E39A5CFE2D71A529303F6BD36BC69908A1AFC |
SHA-512: | C0A02857531169AB68878DAFA97478C7E04286DEAE2806A8F7745D19950167D53AF21DFEC973BE8208B930205AEE570C615CBB966D202DCF54198A8E8BDA7B51 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 4.542893708708479 |
TrID: | |
File name: | Guard.py |
File size: | 61283 |
MD5: | 5544ef6de35ae95ecdc458f4ff3803d6 |
SHA1: | 232206eff46b7ac78e68d8a84c65713749209743 |
SHA256: | 1448f34fcde1e6d7df000c38a61c3dd6d5fd304f9ad60cadfa3deb875b6b088f |
SHA512: | 066a9c473e99165f0e6251a52ee9e308683418778965c18a17c7a2f72679e974efb42118e54423c783b3a5c34b3abe1dc836979000b367f837ad70b171a272f4 |
SSDEEP: | 768:6lnGgg6UlD9Sw3tF9+26B2mUK4Des9hr9aBd0hY418TPpzNNs9bRyW:6lnTg6U/5R+26Bqb3hu418TBBNkFyW |
File Content Preview: | import os..import threading..from abc import ABCMeta, abstractmethod..import random..import binascii..from xml.etree.ElementTree import SubElement, XML, Element, tostring..import sys..import urllib..import urllib2..import string..import subprocess..import |
The preview renders each non-printable byte as a dot, so the double dots between statements are consistent with CRLF line endings. The `urllib2` import exists only in Python 2, which matches the Python 2.7 interpreters in the process list.
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 9, 2021 14:54:16.426594973 CEST | 49225 | 5223 | 192.168.0.51 | 17.57.146.21 |
Jul 9, 2021 14:54:16.443608046 CEST | 5223 | 49225 | 17.57.146.21 | 192.168.0.51 |
Jul 9, 2021 14:54:16.443895102 CEST | 49225 | 5223 | 192.168.0.51 | 17.57.146.21 |
System Behavior |
---|
All processes were started on 09/07/2021; the table is in start order. The Terminal, login, bash, path_helper, mkdir and touch entries at 14:51:33-14:51:34 are the interactive shell set-up of the analysis cookbook, not sample activity (the hidden /Users/ben/.bash_sessions directory is created by bash session saving, so a hidden-directory hit at that time is harness noise). The sample starts at 14:51:54 and runs twice: the first run (`python Guard.py`, the /Library/Frameworks Python 2.7, MD5 8fedf0b5ee3045d5621b0518e9a4b375) spawns `uname -p`, queries `launchctl list` three times, then loads the per-user LaunchAgent com.apple.pyapple.plist; the second run (`/usr/bin/python /Users/ben/Desktop/Guard.py`, the system Python, MD5 7058b515356cdcf3fada0e8d34926c7d) is preceded by /usr/libexec/xpcproxy, launchd's spawn helper, which is consistent with launchd starting the new agent immediately on load (RunAtLoad), and it repeats the `uname -p` and `launchctl list` discovery.
Start time | Path | Arguments | File size (bytes) | MD5 |
---|---|---|---|---|
14:51:33 | /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal | n/a | 1156656 | a4bebc8ebbc11f7d16f489163827b3ff |
14:51:34 | /usr/bin/login | login -pf ben | 76288 | 5d62c3fb21c0d809c90674223d2629f5 |
14:51:34 | /usr/bin/login | n/a | 76288 | 5d62c3fb21c0d809c90674223d2629f5 |
14:51:34 | /bin/bash | -bash | 618416 | 0313fd399b143fc40cd52a1679018305 |
14:51:34 | /bin/bash | n/a | 618416 | 0313fd399b143fc40cd52a1679018305 |
14:51:34 | /bin/bash | n/a | 618416 | 0313fd399b143fc40cd52a1679018305 |
14:51:34 | /usr/libexec/path_helper | /usr/libexec/path_helper -s | 18992 | 0403286476d3e8908d852969c2188790 |
14:51:34 | /bin/bash | n/a | 618416 | 0313fd399b143fc40cd52a1679018305 |
14:51:34 | /bin/mkdir | mkdir -m 700 -p /Users/ben/.bash_sessions | 18592 | 0948c3e8dfd7f3d3628ca8b819092ccf |
14:51:34 | /bin/bash | n/a | 618416 | 0313fd399b143fc40cd52a1679018305 |
14:51:34 | /bin/bash | n/a | 618416 | 0313fd399b143fc40cd52a1679018305 |
14:51:34 | /usr/bin/touch | /usr/bin/touch /Users/ben/.bash_sessions/1476C622-8CCC-456D-9F74-6FE7755942D0.historynew | 23392 | b1fc3a8e0ae32021b9f29be4ff196129 |
14:51:54 | /bin/bash | n/a | 618416 | 0313fd399b143fc40cd52a1679018305 |
14:51:54 | /Library/Frameworks/Python.framework/Versions/2.7/bin/python | python Guard.py | 25624 | be65ae5f9bd784375fd70bec94da6a60 |
14:51:54 | /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python Guard.py | 24960 | 8fedf0b5ee3045d5621b0518e9a4b375 |
14:51:54 | /bin/sh | n/a | 618480 | 348affb69862798fd7b2f8874437f649 |
14:51:54 | /bin/sh | n/a | 618480 | 348affb69862798fd7b2f8874437f649 |
14:51:54 | /usr/bin/uname | uname -p | 18432 | a1c51069ef3a88caedd3a7739941aaef |
14:51:54 | /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | n/a | 24960 | 8fedf0b5ee3045d5621b0518e9a4b375 |
14:51:54 | /bin/launchctl | launchctl list | 121296 | 3e04cf4fe184467aa2dbf4e4d5c72f3d |
14:51:54 | /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | n/a | 24960 | 8fedf0b5ee3045d5621b0518e9a4b375 |
14:51:54 | /bin/launchctl | launchctl list | 121296 | 3e04cf4fe184467aa2dbf4e4d5c72f3d |
14:51:54 | /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | n/a | 24960 | 8fedf0b5ee3045d5621b0518e9a4b375 |
14:51:54 | /bin/launchctl | launchctl list | 121296 | 3e04cf4fe184467aa2dbf4e4d5c72f3d |
14:51:54 | /bin/sh | n/a | 618480 | 348affb69862798fd7b2f8874437f649 |
14:51:54 | /bin/launchctl | launchctl load -w /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist | 121296 | 3e04cf4fe184467aa2dbf4e4d5c72f3d |
14:51:54 | /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | n/a | 24960 | 8fedf0b5ee3045d5621b0518e9a4b375 |
14:51:54 | /bin/launchctl | launchctl list | 121296 | 3e04cf4fe184467aa2dbf4e4d5c72f3d |
14:51:54 | /usr/libexec/xpcproxy | n/a | 44048 | 4782e7ebd2985d32bc84f1f71c8f8fb7 |
14:51:54 | /usr/bin/python | /usr/bin/python /Users/ben/Desktop/Guard.py | 66880 | ec07cbbd621933f37e0141118a5b0bac |
14:51:54 | /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | /usr/bin/python /Users/ben/Desktop/Guard.py | 51744 | 7058b515356cdcf3fada0e8d34926c7d |
14:51:55 | /bin/sh | n/a | 618480 | 348affb69862798fd7b2f8874437f649 |
14:51:55 | /bin/sh | n/a | 618480 | 348affb69862798fd7b2f8874437f649 |
14:51:55 | /usr/bin/uname | uname -p | 18432 | a1c51069ef3a88caedd3a7739941aaef |
14:51:55 | /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | n/a | 51744 | 7058b515356cdcf3fada0e8d34926c7d |
14:51:55 | /bin/launchctl | launchctl list | 121296 | 3e04cf4fe184467aa2dbf4e4d5c72f3d |
14:51:55 | /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python | n/a | 51744 | 7058b515356cdcf3fada0e8d34926c7d |
14:51:55 | /bin/launchctl | launchctl list | 121296 | 3e04cf4fe184467aa2dbf4e4d5c72f3d |