Analysis Report

Overview

General Information

Joe Sandbox Version:	21.0.0
Analysis ID:	48021
Start time:	10:37:03
Joe Sandbox Product:	Cloud
Start date:	16.01.2018
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MaMi
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, El Capitan 10.11.6 (MS Office 15.34, Java 1.8.0_131)
Detection:	MAL
Classification:	mal80.troj.spyw.evad.mac@0/43@5/0

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	80	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Cryptography:

Imports (root) certificates into the systems keychain typically to intercept SSL traffic or bypass code integrity protections

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Certificate import: /usr/bin/security -> /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/luke/Desktop/MaMi.bin

Writes DER encoded certificate files to disk without the typical file extension

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

DER file created: /Users/luke/Desktop/.dat.nosync0201.Jo8P8B

Networking:

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEka
Source: global traffic	HTTP traffic detected: GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEka
Source: global traffic	HTTP traffic detected: GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEka

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: W7

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Host: squartera.infoUser-Agent: Content-Type: application/x-www-form-urlencodedContent-Length: 2347Accept-Encoding: gzipConnection: close

Reads from file descriptors related to (network) sockets

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Reads from socket in process: data

Urls found in memory or binary data

Show sources

Source: MaMi	String found in binary or memory: http://bbc.com
Source: MaMi	String found in binary or memory: http://cnn.com
Source: MaMi	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443

Writes from file descriptors related to (network) sockets

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Writes from socket in process: data

Executes the "networksetup" command used to configure network settings

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)	Networksetup executable: /usr/sbin/networksetup -> /usr/sbin/networksetup -listnetworkserviceorder
Source: /Users/luke/Desktop/MaMi (PID: 513)	Networksetup executable: /usr/sbin/networksetup -> /usr/sbin/networksetup -getdnsservers Ethernet

Explicitly retrieves the order of network devices used for connecting to the network

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Networksetup with list network services order args: /usr/sbin/networksetup -listnetworkserviceorder

Explicitly retrieves the configured DNS servers

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Networksetup with get DNS servers args: /usr/sbin/networksetup -getdnsservers Ethernet

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal80.troj.spyw.evad.mac@0/43@5/0

Data Obfuscation:

Imports the IOKit library (often used to register services)

Show sources

Source: initial sample

Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

Executes the "awk" command used to scan for patterns (typically in standard output)

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Awk executable: /usr/bin/awk -> /usr/bin/awk /IOPlatformSerialNumber/ { print $4 }

Reads data from the local random generator

Show sources

Source: /usr/libexec/diskmanagementd (PID: 509)	Random device file read: /dev/random
Source: /Users/luke/Desktop/MaMi (PID: 513)	Random device file read: /dev/urandom
Source: /Users/luke/Desktop/MaMi (PID: 513)	Random device file read: /dev/random
Source: /usr/bin/security (PID: 598)	Random device file read: /dev/random

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Writes property list (.plist) files to disk

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist-new
Source: /bin/cp (PID: 518)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 520)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 524)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 526)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 537)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 539)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 543)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 545)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 549)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 551)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 555)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 557)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 561)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 563)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 567)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 569)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 573)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 575)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 579)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 581)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 585)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 587)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 595)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 597)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 603)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 605)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 609)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 611)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 615)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 617)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 621)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 623)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 627)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 629)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 633)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 635)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old

Creates hidden files, links and/or directories

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)	Hidden file created: /Users/luke/Library/Application Support/.dat.nosync0201.GCXGyu
Source: /Users/luke/Desktop/MaMi (PID: 513)	Hidden file created: /Users/luke/Desktop/.dat.nosync0201.Jo8P8B

Executes commands using a shell command-line interpreter

Show sources

Source: /usr/sbin/networksetup (PID: 517)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 519)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 523)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 525)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 536)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 538)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 542)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 544)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 548)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 550)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 554)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 556)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 560)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 562)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 566)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 568)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 572)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 574)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 578)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 580)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 584)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 586)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 594)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 596)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 602)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 604)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 608)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 610)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 614)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 616)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 620)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 622)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 626)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 628)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 632)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 634)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old

Executes the "scutil" command used to manage network related system configuration parameters

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Scutil executable: /usr/sbin/scutil -> /usr/sbin/scutil

Many shell processes execute programs via execve syscall (may be indicative for malicious behavior)

Show sources

Source: /bin/sh (PID: 518)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 520)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 524)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 526)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 537)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 539)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 543)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 545)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 549)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 551)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 555)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 557)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 561)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 563)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 567)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 569)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 573)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 575)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 579)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 581)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 585)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 587)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 595)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 597)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 603)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 605)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 609)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 611)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 615)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 617)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 621)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 623)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 627)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 629)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 633)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 635)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old

Samples exit code indicates no error despite standard error output

Show sources

Source: submitted sample

Stderr: 2018-01-16 11:38:38.416 MaMi[513:4712] chmodding parent /var/root/Library/Cookies with perm 700: exit code = 0

Writes DER encoded certificate files to disk without the typical file extension

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

DER file created: /Users/luke/Desktop/.dat.nosync0201.Jo8P8B

Hooking and other Techniques for Hiding and Protection:

Moves itself during installation or deletes itself after installation

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

File deleted: /Users/luke/Desktop/MaMi

Language, Device and Operating System Detection:

Reads the system or server version plist file

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Reads the systems hostname

Show sources

Source: /bin/sh (PID: 518)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 520)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 524)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 526)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 537)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 539)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 543)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 545)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 549)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 551)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 555)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 557)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 561)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 563)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 567)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 569)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 573)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 575)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 579)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 581)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 585)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 587)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 595)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 597)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 603)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 605)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 609)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 611)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 615)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 617)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 621)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 623)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 627)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 629)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 633)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 635)	Sysctl requested: kern.hostname (1.10)

Executes the "ioreg" command used to gather hardware information (I/O kit registry)

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

IOreg executable: /usr/sbin/ioreg -> /usr/sbin/ioreg -l

Queries the unique Apple serial number of the machine

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

IOPlatformSerialNumber keyword found in command: /usr/bin/awk /usr/bin/awk /IOPlatformSerialNumber/ { print $4 }

Stealing of Sensitive Information:

Executes the "security" command used to access the keychain

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Security executable: /usr/bin/security -> /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/luke/Desktop/MaMi.bin

Imports (root) certificates into the systems keychain typically to intercept SSL traffic or bypass code integrity protections

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Certificate import: /usr/bin/security -> /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/luke/Desktop/MaMi.bin

Runtime Messages

Command:	/Users/luke/Desktop/MaMi
Exitcode:	0
Killed:	False
Standard Output:
Standard Error:	2018-01-16 11:38:38.416 MaMi[513:4712] chmodding parent /var/root/Library/Cookies with perm 700

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

Cryptography:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Runtime Messages

Behavior Graph

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Screenshot