Analysis Report

Overview

General Information

Joe Sandbox Version:
Analysis ID:	106246
Start time:	13:50:18
Joe Sandbox Product:	Cloud
Start date:	29/02/2016
Overall analysis duration:	0h 6m 20s
Report type:	full
Sample file name:	com.apple.exe
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, Yosemite 10.10.3 (Java 1.8.0_45)
Detection:	MAL
Classification:	mal52.evad.macEXE@0/0@3/0

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	52	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Networking:

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.comeinbaby.com

Writes from file descriptors related to (network) sockets

Show sources

Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)

Writes from socket in process:

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal52.evad.macEXE@0/0@3/0

Data Obfuscation:

Imports the Security library (often used for certificate, key, keychain, or secure transport handling)

Show sources

Source: initial sample

Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

Reads data from the local random generator

Show sources

Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)

Random device file read: /dev/urandom

Executes commands using a shell command-line interpreter

Show sources

Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)	Shell command executed: sh -c touch -c -t 201409100044 /usr/bin/periodicdate touch -c -t 201409100044 /usr/bin/systemkeychain-helper touch -c -t 201409100044 /usr/bin/com.apple.appstore.PluginHelper touch -c -t 201409100044 /usr/bin/com.apple.MailServiceAgentHelper touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist touch -c -t 201409100044 /usr/bin/stty5.11.pl touch -c -t 201409100044 /etc/manpath.d/ rm -rf /var/log/system.log
Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)	Shell command executed: sh -c ps -ef\|grep Xcode \|grep -v grep
Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)	Shell command executed: sh -c ps -ef\|grep iTunes \|grep -v grep
Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)	Shell command executed: sh -c mkdir -p /System/Library/QuickTime/QuickTimeFireWireDOLBY.component

Executes the "grep" command used to find patterns in files or piped streams

Show sources

Source: /bin/sh (PID: 405)	Grep executable: /usr/bin/grep -> grep Xcode
Source: /bin/sh (PID: 406)	Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 409)	Grep executable: /usr/bin/grep -> grep iTunes
Source: /bin/sh (PID: 410)	Grep executable: /usr/bin/grep -> grep -v grep

Executes the "mkdir" command used to create folders

Show sources

Source: /bin/sh (PID: 411)

Mkdir executable: /bin/mkdir -> mkdir -p /System/Library/QuickTime/QuickTimeFireWireDOLBY.component

Executes the "ps" command used to list the status of processes

Show sources

Source: /bin/sh (PID: 404)	Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 408)	Ps executable: /bin/ps -> ps -ef

Executes the "touch" command used to create files or modify time stamps

Show sources

Source: /bin/sh (PID: 392)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/periodicdate
Source: /bin/sh (PID: 393)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/systemkeychain-helper
Source: /bin/sh (PID: 394)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/com.apple.appstore.PluginHelper
Source: /bin/sh (PID: 395)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/com.apple.MailServiceAgentHelper
Source: /bin/sh (PID: 396)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
Source: /bin/sh (PID: 397)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
Source: /bin/sh (PID: 398)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
Source: /bin/sh (PID: 399)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
Source: /bin/sh (PID: 400)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/stty5.11.pl
Source: /bin/sh (PID: 401)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /etc/manpath.d/

Executes the "rm" command used to delete files or directories

Show sources

Source: /bin/sh (PID: 402)

Rm executable: /bin/rm -> rm -rf /var/log/system.log

Explicitly modifies time stamps using the "touch" command

Show sources

Source: /bin/sh (PID: 392)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/periodicdate
Source: /bin/sh (PID: 393)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/systemkeychain-helper
Source: /bin/sh (PID: 394)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/com.apple.appstore.PluginHelper
Source: /bin/sh (PID: 395)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/com.apple.MailServiceAgentHelper
Source: /bin/sh (PID: 396)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
Source: /bin/sh (PID: 397)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
Source: /bin/sh (PID: 398)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
Source: /bin/sh (PID: 399)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
Source: /bin/sh (PID: 400)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/stty5.11.pl
Source: /bin/sh (PID: 401)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /etc/manpath.d/

Hooking and other Techniques for Hiding and Protection:

Deletes system log files

Show sources

Source: /bin/rm (PID: 402)

Log files deleted: /var/log/system.log

Language, Device and Operating System Detection:

Reads the system or server version plist file

Show sources

Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)

System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Reads the systems hostname

Show sources

Source: /bin/sh (PID: 391)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 403)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 407)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 411)	Sysctl requested: kern.hostname (1.10)

Runtime Messages

Command:	/Users/vreni/Desktop/com.apple.exe
Exitcode:
Killed:	True
Standard Output:
Standard Error:

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Runtime Messages

Yara Overview

Screenshot