
macOS Analysis Report types-config.ts

Overview

General Information

Sample Name: types-config.ts
Analysis ID: 1708605
MD5: e06e06752509f9cd8bc85aa1aa24dba2
SHA1: 554aef8bf44e7fa941e1190e41c8770e90f07254
SHA256: 1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac

Detection

SysJoker
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected SysJoker
Found detection on Joe Sandbox Cloud Basic
Writes Mach-O files to untypical directories
Process executable has a file extension which is uncommon (probably to disguise the executable)
Reads the systems hostname
Creates launch services that start only when a logged in GUI user exists
Creates user-wide 'launchd' managed services aka launch agents
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Changes permissions of written Mach-O files
Executes commands using a shell command-line interpreter
Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed
Writes FAT Mach-O files to disk
Creates memory-persistent launch services

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 1708605
Start date: 12.01.2022
Start time: 12:24:09
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 3m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: types-config.ts
Cookbook file name: macOS - SysJoker - load provided binary as normal user.jbs
Analysis system description: Mac Mini, Big Sur (Office 2019 16.55, Java 1.8.0_311)
Analysis Mode: default
Detection: MAL
Classification: mal64.troj.evad.macTS@0/3@7/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 80.67.82.72, 80.67.82.80
  • Excluded domains from analysis (whitelisted): lb._dns-sd._udp.0.0.168.192.in-addr.arpa, a1887.dscq.akamai.net, o.lencr.edgesuite.net

Process Tree

  • System is mac-bigsur
  • sudo (MD5: f21c2a2dc106642f7c38801e121c8c86) Arguments: /usr/bin/sudo -u drew /Users/drew/Desktop/types-config.ts
    • sudo New Fork (PID: 856, Parent: 855)
    • types-config.ts (MD5: e06e06752509f9cd8bc85aa1aa24dba2) Arguments: /Users/drew/Desktop/types-config.ts
      • sh New Fork (PID: 857, Parent: 856)
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c whoami
      • whoami (MD5: a7145a94a0b3935eed99abc716a33989) Arguments: whoami
      • sh New Fork (PID: 858, Parent: 856)
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c cp '/Users/drew/Desktop/types-config.ts' '/Users/drew/Library/MacOsServices/updateMacOs'
      • cp (MD5: 9007c6e0352122c17fbcea99739b716e) Arguments: cp /Users/drew/Desktop/types-config.ts /Users/drew/Library/MacOsServices/updateMacOs
      • sh New Fork (PID: 859, Parent: 856)
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c nohup '/Users/drew/Library/MacOsServices/updateMacOs' >/dev/null 2>&1 &
        • bash New Fork (PID: 860, Parent: 859)
        • nohup (MD5: e702c2d1c6eb0f386453aaa563b2380b) Arguments: nohup /Users/drew/Library/MacOsServices/updateMacOs
        • updateMacOs (MD5: e06e06752509f9cd8bc85aa1aa24dba2) Arguments: /Users/drew/Library/MacOsServices/updateMacOs
          • sh New Fork (PID: 861, Parent: 860)
          • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c whoami
          • whoami (MD5: a7145a94a0b3935eed99abc716a33989) Arguments: whoami
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
types-config.ts | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security | (none listed)

Dropped Files

Source | Rule | Description | Author | Strings
/Users/drew/Library/MacOsServices/updateMacOs | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security | (none listed)

Memory Dumps

Source | Rule | Description | Author | Strings
00000856.00000353.1.0000000107a83000.0000000107a9b000.r-x.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security | (none listed)
00000856.00000353.9.0000000107a83000.0000000107a9b000.r-x.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security | (none listed)
00000860.00000364.1.000000010df6a000.000000010df82000.r-x.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security | (none listed)
Process Memory Space: types-config.ts PID: 856 | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security | (none listed)
Process Memory Space: updateMacOs PID: 860 | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security | (none listed)

Jbx Signature Overview

Source: unknown | HTTPS traffic detected: 142.250.186.110:443 -> 192.168.0.52:49386 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.65:443 -> 192.168.0.52:49387 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.0.52:49388 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.0.52:49390 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.0.52:49391 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.0.52:49392 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.0.52:49393 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.0.52:49394 version: TLS 1.2
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: /Users/drew/Library/MacOsServices/updateMacOs (PID: 860) | Writes from socket in process: data
Source: unknown | Network traffic detected: HTTP traffic on port 49376 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49387
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49386
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49383
Source: unknown | Network traffic detected: HTTP traffic on port 49393 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49382
Source: unknown | Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49380
Source: unknown | Network traffic detected: HTTP traffic on port 49386 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49380 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49382 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49376
Source: unknown | Network traffic detected: HTTP traffic on port 49394 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49394
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49393
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49390
Source: unknown | Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49390 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49387 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49383 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.12.64
Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.12.64
Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.12.64
Source: unknown | TCP traffic detected without corresponding DNS query: 23.203.78.159
Source: unknown | TCP traffic detected without corresponding DNS query: 23.203.78.159
Source: unknown | TCP traffic detected without corresponding DNS query: 23.203.78.159
Source: unknown | TCP traffic detected without corresponding DNS query: 23.203.78.159
Source: unknown | TCP traffic detected without corresponding DNS query: 17.248.145.233
Source: unknown | TCP traffic detected without corresponding DNS query: 17.248.145.233
Source: unknown | TCP traffic detected without corresponding DNS query: 17.248.145.233
Source: unknown | TCP traffic detected without corresponding DNS query: 87.248.100.168
Source: unknown | TCP traffic detected without corresponding DNS query: 87.248.100.168
Source: unknown | TCP traffic detected without corresponding DNS query: 87.248.100.168
Source: unknown | TCP traffic detected without corresponding DNS query: 87.248.100.168
Source: types-config.ts, 00000856.00000353.1.0000000116fb5000.0000000116fed000.r--.sdmp, updateMacOs, 00000860.00000364.1.0000000115138000.0000000115170000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: types-config.ts, com.apple.update.plist.353.dr, updateMacOs.359.dr | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: types-config.ts, 00000856.00000353.1.0000000116fb5000.0000000116fed000.r--.sdmp, updateMacOs, 00000860.00000364.1.0000000115138000.0000000115170000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: types-config.ts, updateMacOs.359.dr | String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
Source: types-config.ts, updateMacOs.359.dr | String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eus
Source: null.364.dr | String found in binary or memory: https://graphic-updater.com
Source: types-config.ts, 00000856.00000353.1.0000000116fb5000.0000000116fed000.r--.sdmp, updateMacOs, 00000860.00000364.1.0000000115138000.0000000115170000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
Source: /Users/drew/Library/MacOsServices/updateMacOs (PID: 860) | Reads from socket in process: data

System Summary:

Found detection on Joe Sandbox Cloud Basic
Source: types-config.ts | Joe Sandbox Cloud Basic: Detection: malicious Score: 56 Threat Name: SysJoker
Source: classification engine | Classification label: mal64.troj.evad.macTS@0/3@7/0

Persistence and Installation Behavior:

Writes Mach-O files to untypical directories
Source: /bin/cp (PID: 858) | FAT Mach-O written to unusual path: /Users/drew/Library/MacOsServices/updateMacOs
Source: /Users/drew/Desktop/types-config.ts (PID: 856) | Launch agent/daemon created with LimitLoadToSessionType Aqua, file created: /Users/drew/Library/LaunchAgents/com.apple.update.plist
Source: /bin/cp (PID: 858) | Permissions modified for written FAT Mach-O /Users/drew/Library/MacOsServices/updateMacOs: bits: - usr: rx grp: rx all: rwx
Source: /Users/drew/Desktop/types-config.ts (PID: 856) | Shell command executed: sh -c whoami
Source: /Users/drew/Desktop/types-config.ts (PID: 856) | Shell command executed: sh -c cp '/Users/drew/Desktop/types-config.ts' '/Users/drew/Library/MacOsServices/updateMacOs'
Source: /Users/drew/Desktop/types-config.ts (PID: 856) | Shell command executed: sh -c nohup '/Users/drew/Library/MacOsServices/updateMacOs' >/dev/null 2>&1 &
Source: /bin/sh (PID: 857) | Shell command executed: sh -c whoami
Source: /bin/sh (PID: 858) | Shell command executed: sh -c cp '/Users/drew/Desktop/types-config.ts' '/Users/drew/Library/MacOsServices/updateMacOs'
Source: /bin/sh (PID: 859) | Shell command executed: sh -c nohup '/Users/drew/Library/MacOsServices/updateMacOs' >/dev/null 2>&1 &
Source: /Users/drew/Library/MacOsServices/updateMacOs (PID: 860) | Shell command executed: sh -c whoami
Source: /bin/sh (PID: 861) | Shell command executed: sh -c whoami
Source: /bin/bash (PID: 860) | Nohup executable: /usr/bin/nohup -> nohup /Users/drew/Library/MacOsServices/updateMacOs
Source: /bin/cp (PID: 858) | File written: /Users/drew/Library/MacOsServices/updateMacOs
Source: /Users/drew/Desktop/types-config.ts (PID: 856) | XML plist file created: /Users/drew/Library/LaunchAgents/com.apple.update.plist
Source: /Users/drew/Desktop/types-config.ts (PID: 856) | Launch agent created, file created: /Users/drew/Library/LaunchAgents/com.apple.update.plist
Source: /Users/drew/Desktop/types-config.ts (PID: 856) | Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/drew/Library/LaunchAgents/com.apple.update.plist

Hooking and other Techniques for Hiding and Protection:

Process executable has a file extension which is uncommon (probably to disguise the executable)
Source: /usr/bin/sudo (PID: 856) | Process executable with extension: /Users/drew/Desktop/types-config.ts
Source: /Users/drew/Desktop/types-config.ts (PID: 856) | Launch agent created, file created: /Users/drew/Library/LaunchAgents/com.apple.update.plist
Source: /bin/bash (PID: 857) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 858) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 859) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 861) | Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

Yara detected SysJoker
Source: Yara match | File source: types-config.ts, type: SAMPLE
Source: Yara match | File source: 00000856.00000353.1.0000000107a83000.0000000107a9b000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 00000856.00000353.9.0000000107a83000.0000000107a9b000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 00000860.00000364.1.000000010df6a000.000000010df82000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: types-config.ts PID: 856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: updateMacOs PID: 860, type: MEMORYSTR
Source: Yara match | File source: /Users/drew/Library/MacOsServices/updateMacOs, type: DROPPED

Remote Access Functionality:

Yara detected SysJoker
Source: Yara match | File source: types-config.ts, type: SAMPLE
Source: Yara match | File source: 00000856.00000353.1.0000000107a83000.0000000107a9b000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 00000856.00000353.9.0000000107a83000.0000000107a9b000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 00000860.00000364.1.000000010df6a000.000000010df82000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: types-config.ts PID: 856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: updateMacOs PID: 860, type: MEMORYSTR
Source: Yara match | File source: /Users/drew/Library/MacOsServices/updateMacOs, type: DROPPED

Mitre Att&ck Matrix

The matrix is listed per tactic; a number in parentheses is the count of signatures that matched that technique, and techniques without a count had no match in this analysis.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Scripting (1); Scheduled Task/Job; At (Linux); At (Windows)
Persistence: LC_LOAD_DYLIB Addition (1); Launch Agent (4); Launch Daemon (2); Plist Modification (1)
Privilege Escalation: LC_LOAD_DYLIB Addition (1); Launch Agent (4); Launch Daemon (2); Plist Modification (1)
Defense Evasion: Masquerading (21); Scripting (1); Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Information Discovery (1); Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Number of created Files
• Shell
• Is malicious
• Internet

Behavior graph (the graph image is not captured here; the node data recovered from it follows):
Behavior Graph ID: 1708605; Sample: types-config.ts; Start date: 12/01/2022; Architecture: MAC; Score: 64
Network nodes: 87.248.100.168, port 443 (local port 49383), YAHOO-IRDGB, United Kingdom; graphic-updater.com / 23.254.131.176, port 443 (local ports 49388, 49390), HOSTWINDSUS, United States; 6 other IPs or domains
Signatures at the root: Yara detected SysJoker; Found detection on Joe Sandbox Cloud Basic
Process chain: mono-sgen64 sudo -> sudo types-config.ts (signature: Process executable has a file extension which is uncommon (probably to disguise the executable)) -> sh bash cp (dropped file: /Users/drew/Librar...ervices/updateMacOs, Mach-O; signature: Writes Mach-O files to untypical directories); sh bash -> bash nohup updateMacOs -> sh bash whoami; sh bash whoami
