macOS Analysis Report
extractor

Overview

General Information

Sample Name:extractor
Analysis ID:1977504
MD5:f97fc3d0dd6b217a92df567ad8f3d555
SHA1:9306110d082ad86169c76d765c7d334f24747094
SHA256:fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853
Infos:

Detection

Nukesped
Score:96
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Nukesped
Terminates the command-line application Terminal (probably to hinder manual analysis)
Antivirus detection for dropped file
Deletes the saved state of the command-line application Terminal (probably to avoid forensic reconstruction of shell activity)
Opens PDF files, sometimes used to disguise malicious intentions
Writes Mach-O files to untypical directories
Opens applications from non-standard application directories
Terminates several processes with shell command 'killall'
Contains symbols with suspicious names likely related to networking
Reads the systems hostname
Opens applications that might be created ones
Writes PDF files to disk
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Mach-O sample file contains an ARM64 binary that executes on Apple Silicon
Queries OS software version with shell command 'sw_vers'
Contains symbols with suspicious names likely related to well-known browsers
Sample tries to kill a process (SIGKILL)
Sample is a FAT Mach-O sample containing binaries for multiple architectures
Writes RTF files to disk
Reads hardware related sysctl values
Creates user-wide 'launchd' managed services aka launch agents
Reads the saved state of applications
Creates code signed application bundles
Mach-O contains sections with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Reads the systems OS release and/or type
Creates application bundles
Contains symbols with paths
Executes the "rm" command used to delete files or directories
Executes the "pgrep" command search for and/or send signals to processes
Writes FAT Mach-O files to disk

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
Joe Sandbox Version:35.0.0 Citrine
Analysis ID:1977504
Start date and time:2022-08-18 12:34:03 +02:00
Joe Sandbox Product:Cloud
Overall analysis duration:0h 3m 57s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:extractor
Cookbook file name:macOS - Big Sur - load provided binary as normal user.jbs
Analysis system description:Mac Mini, Big Sur (Office 2019 16.55, Java 1.8.0_311)
Analysis Mode:default
Detection:MAL
Classification:mal96.troj.evad.mac@0/17@1/0
  • Excluded IPs from analysis (whitelisted): 17.57.12.11
  • Excluded domains from analysis (whitelisted): b._dns-sd._udp.0.0.168.192.in-addr.arpa, gsp64-ssl.ls-apple.com.akadns.net, db._dns-sd._udp.0.0.168.192.in-addr.arpa
Command:sudo -u drew /Users/drew/Desktop/extractor
PID:866
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • System is mac-bigsur
  • sudo (MD5: f21c2a2dc106642f7c38801e121c8c86) Arguments: /usr/bin/sudo -u drew /Users/drew/Desktop/extractor
    • sudo New Fork (PID: 867, Parent: 866)
    • extractor (MD5: f97fc3d0dd6b217a92df567ad8f3d555) Arguments: /Users/drew/Desktop/extractor
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (open '/Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1
        • bash New Fork (PID: 869, Parent: 868)
          • bash New Fork (PID: 870, Parent: 869)
          • open (MD5: 81d0c6fefba2004d451915c6fa861914) Arguments: open /Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf
          • bash New Fork (PID: 873, Parent: 869)
          • rm (MD5: 6cd9e187f33d60ce3cb05b12435f0673) Arguments: rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1
        • bash New Fork (PID: 875, Parent: 874)
        • tar (MD5: dbeb13c3b2ade21995470fde7650314a) Arguments: tar zxvf /Users/drew/Library/Fonts/safarifontsagent_ -C /Users/drew/Library/Fonts
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1
        • bash New Fork (PID: 877, Parent: 876)
        • tar (MD5: dbeb13c3b2ade21995470fde7650314a) Arguments: tar zxvf /Users/drew/Library/Fonts/fontsupdater_ -C /Users/drew/Library/Fonts
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1
        • bash New Fork (PID: 879, Parent: 878)
        • pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1
        • bash New Fork (PID: 881, Parent: 880)
        • pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1
        • bash New Fork (PID: 883, Parent: 882)
        • open (MD5: 81d0c6fefba2004d451915c6fa861914) Arguments: open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1
        • bash New Fork (PID: 899, Parent: 898)
        • pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (killall Terminal) 2>&1
        • bash New Fork (PID: 901, Parent: 900)
        • killall (MD5: f3e64d320b9eed9c6dbd97435daddded) Arguments: killall Terminal
  • Preview (MD5: 510c4010daefc87831ff8730ab2f5092) Arguments: /System/Applications/Preview.app/Contents/MacOS/Preview
  • FinderFontsUpdater (MD5: fc5d8c6ccf10d0b900baa394d2ead97d) Arguments: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
    • safarifontsagent (MD5: ded8cac968d278aeb2889dc7552e46e1) Arguments: /Users/drew/Library/Fonts/safarifontsagent
      • sh New Fork (PID: 887, Parent: 886)
      • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c sw_vers -productVersion
      • sw_vers (MD5: 7e6a3895092064bd002ecb1d4300b0db) Arguments: sw_vers -productVersion
  • cleanup
Source | Rule | Description | Author | Strings
extractor | JoeSecurity_Nukesped_2 | Yara detected Nukesped | Joe Security |
/Users/drew/Library/Fonts/safarifontsagent | JoeSecurity_Nukesped_2 | Yara detected Nukesped | Joe Security |
/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater | JoeSecurity_Nukesped_2 | Yara detected Nukesped | Joe Security |
Process Memory Space: extractor PID: 867 | JoeSecurity_Nukesped_2 | Yara detected Nukesped | Joe Security |
Process Memory Space: FinderFontsUpdater PID: 884 | JoeSecurity_Nukesped_2 | Yara detected Nukesped | Joe Security |
Process Memory Space: safarifontsagent PID: 886 | JoeSecurity_Nukesped_2 | Yara detected Nukesped | Joe Security |
No Snort rule has matched


AV Detection

Source: extractor | Avira: detected
Source: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater | Avira: detection malicious, Label: OSX/NukeSped.kgzti
Source: /Users/drew/Library/Fonts/safarifontsagent | Avira: detection malicious, Label: OSX/NukeSped.xxlef
Source: unknown | HTTPS traffic detected: 64.44.102.6:443 -> 192.168.0.52:49483 version: TLS 1.2
Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 886) | Writes from socket in process: data
Source: unknown | Network traffic detected: HTTP traffic on port 49483 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49482 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49483
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49482
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.57.211
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.57.211
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.57.211
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.57.211
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Type: text/html; Server: Microsoft-IIS/10.0; Date: Thu, 18 Aug 2022 10:34:26 GMT; Connection: close; Content-Length: 1245
Source: extractor, 00000867.00000333.9.0000000115ac3000.0000000115afb000.r--.sdmp, FinderFontsUpdater, 00000884.00000366.1.000000010bd65000.000000010bd9d000.r--.sdmp, safarifontsagent, 00000886.00000370.1.000000010e35c000.000000010e394000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: extractor, FinderFontsUpdater.352.dr, safarifontsagent.347.dr | String found in binary or memory: http://crl.apple.com/root.crl0
Source: extractor, FinderFontsUpdater.352.dr, safarifontsagent.347.dr | String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: extractor, FinderFontsUpdater.352.dr, safarifontsagent.347.dr | String found in binary or memory: http://ocsp.apple.com/ocsp03-devid060
Source: extractor, CodeResources.352.dr, Info.plist.352.dr, com.safari.fontsyncagent.plist.333.dr, FinderFontsUpdater.