macOS Analysis Report Guard.py

Overview

General Information

Sample Name: Guard.py
Analysis ID: 138361
MD5: 5544ef6de35ae95ecdc458f4ff3803d6
SHA1: 232206eff46b7ac78e68d8a84c65713749209743
SHA256: 1448f34fcde1e6d7df000c38a61c3dd6d5fd304f9ad60cadfa3deb875b6b088f
Most interesting Screenshot:

Detection

WildPressure
Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected WildPressure
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Creates hidden files, links and/or directories
Creates memory-persistent launch services
Creates user-wide 'launchd' managed services aka launch agents
Executes commands using a shell command-line interpreter
Executes the "python" command used to interpret Python scripts
Executes the "uname" command used to read OS and architecture name
Explicitly lists launch services possibly for searching
Explicitly loads/starts launch services
Reads the systems OS release and/or type
Reads the systems hostname

Classification

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 138361
Start date: 09.07.2021
Start time: 14:50:17
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Guard.py
Cookbook file name: defaultmacinteractivecookbook.jbs
Analysis system description: Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223)
Analysis Mode: default
Detection: MAL
Classification: mal48.troj.macPY@0/7@0/0

Process Tree

  • System is mac-mojave
  • Terminal New Fork (PID: 896, Parent: 282)
  • login (MD5: 5d62c3fb21c0d809c90674223d2629f5) Arguments: login -pf ben
    • login New Fork (PID: 897, Parent: 896)
    • bash (MD5: 0313fd399b143fc40cd52a1679018305) Arguments: -bash
      • bash New Fork (PID: 898, Parent: 897)
        • bash New Fork (PID: 899, Parent: 898)
        • path_helper (MD5: 0403286476d3e8908d852969c2188790) Arguments: /usr/libexec/path_helper -s
      • bash New Fork (PID: 900, Parent: 897)
      • mkdir (MD5: 0948c3e8dfd7f3d3628ca8b819092ccf) Arguments: mkdir -m 700 -p /Users/ben/.bash_sessions
      • bash New Fork (PID: 901, Parent: 897)
        • bash New Fork (PID: 902, Parent: 901)
        • touch (MD5: b1fc3a8e0ae32021b9f29be4ff196129) Arguments: /usr/bin/touch /Users/ben/.bash_sessions/1476C622-8CCC-456D-9F74-6FE7755942D0.historynew
      • bash New Fork (PID: 903, Parent: 897)
      • python (MD5: be65ae5f9bd784375fd70bec94da6a60) Arguments: python Guard.py
      • Python (MD5: 8fedf0b5ee3045d5621b0518e9a4b375) Arguments: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python Guard.py
        • sh New Fork (PID: 904, Parent: 903)
          • sh New Fork (PID: 905, Parent: 904)
          • uname (MD5: a1c51069ef3a88caedd3a7739941aaef) Arguments: uname -p
        • Python New Fork (PID: 906, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
        • Python New Fork (PID: 907, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
        • Python New Fork (PID: 908, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
        • sh New Fork (PID: 909, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
        • Python New Fork (PID: 911, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
  • python (MD5: ec07cbbd621933f37e0141118a5b0bac) Arguments: /usr/bin/python /Users/ben/Desktop/Guard.py
  • Python (MD5: 7058b515356cdcf3fada0e8d34926c7d) Arguments: /usr/bin/python /Users/ben/Desktop/Guard.py
    • sh New Fork (PID: 912, Parent: 910)
      • sh New Fork (PID: 913, Parent: 912)
      • uname (MD5: a1c51069ef3a88caedd3a7739941aaef) Arguments: uname -p
    • Python New Fork (PID: 914, Parent: 910)
    • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
    • Python New Fork (PID: 915, Parent: 910)
    • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
  • cleanup

Yara Overview

Initial Sample

Source   | Rule                      | Description                | Author       | Strings
Guard.py | JoeSecurity_WildPressure  | Yara detected WildPressure | Joe Security | 

Jbx Signature Overview

Source: unknown; TCP traffic detected without corresponding DNS query: 17.57.146.21
Source: com.apple.pyapple.plist.984.dr; String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: classification engine; Classification label: mal48.troj.macPY@0/7@0/0
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Hidden Directory created: /Users/ben/.appdata -> /Users/ben/.appdata
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Shell command executed: sh -c uname -p 2> /dev/null
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Shell command executed: sh -c launchctl load -w /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Shell command executed: sh -c uname -p 2> /dev/null
Source: /bin/bash (PID: 903); Python executable: /Library/Frameworks/Python.framework/Versions/2.7/bin/python -> python Guard.py
Source: /usr/libexec/xpcproxy (PID: 910); Python executable: /usr/bin/python -> /usr/bin/python /Users/ben/Desktop/Guard.py
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 906); Launch agent/daemon listed: launchctl list
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 907); Launch agent/daemon listed: launchctl list
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 908); Launch agent/daemon listed: launchctl list
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 911); Launch agent/daemon listed: launchctl list
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 914); Launch agent/daemon listed: launchctl list
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 915); Launch agent/daemon listed: launchctl list
Source: /bin/sh (PID: 909); Launch agent/daemon loaded: launchctl load -w /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Random device file read: /dev/urandom
Source: /Library/Frameworks/Python.framework/Versions/2.7/bin/python (PID: 903); Python framework application: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/python (PID: 910); Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); XML plist file created: /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); XML plist file created: /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Launch agent created, file created: /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Sysctl requested: kern.ostype (1.1)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/uname (PID: 905); Sysctl requested: kern.ostype (1.1)
Source: /usr/bin/uname (PID: 905); Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/uname (PID: 913); Sysctl requested: kern.ostype (1.1)
Source: /usr/bin/uname (PID: 913); Sysctl requested: kern.osrelease (1.2)
Source: /bin/bash (PID: 897); Sysctl requested: kern.hostname (1.10)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 904); Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/uname (PID: 905); Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 909); Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 912); Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/uname (PID: 913); Sysctl requested: kern.hostname (1.10)
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Stealing of Sensitive Information:

Yara detected WildPressure
Source: Yara match; File source: Guard.py, type: SAMPLE
Source: /bin/sh (PID: 905); Uname executable: /usr/bin/uname -> uname -p
Source: /bin/sh (PID: 913); Uname executable: /usr/bin/uname -> uname -p

Remote Access Functionality:

Yara detected WildPressure
Source: Yara match; File source: Guard.py, type: SAMPLE

Mitre Att&ck Matrix

The matrix is listed here per tactic column; the number in parentheses is the count attached to that technique in the original matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Scripting (2); Launchctl (1); At (Linux)
Persistence: Launch Agent (4); Launch Daemon (2); Plist Modification (1)
Privilege Escalation: Launch Agent (4); Launch Daemon (2); Plist Modification (1)
Defense Evasion: Masquerading (1); Scripting (2); Hidden Files and Directories (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: System Information Discovery (31); Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Data Obfuscation; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

    Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Number of created Files
• Shell
• Is malicious
• Internet

[Behavior graph image not reproduced; node data recovered from the graph: Behavior Graph ID: 138361, Sample: Guard.py, Startdate: 09/07/2021, Architecture: MAC, Score: 48. Network node: 17.57.146.21, ports 49225 and 5223, APPLE-ENGINEERINGUS, United States. Signature node: Yara detected WildPressure. Process chains: Terminal login -> login bash -> bash python Python (children: sh -> sh uname; sh launchctl; Python launchctl; 3 other processes), bash path_helper, bash touch, bash mkdir; xpcproxy python Python -> sh -> sh uname, Python launchctl, Python launchctl.]

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.