macOS Analysis Report J5RBhmpBtw

Overview

General Information

Sample Name: J5RBhmpBtw
Analysis ID: 551503
MD5: e06e06752509f9cd8bc85aa1aa24dba2
SHA1: 554aef8bf44e7fa941e1190e41c8770e90f07254
SHA256: 1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac

Detection

SysJoker
Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected SysJoker
Executes commands using a shell command-line interpreter
Reads the system's hostname

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: J5RBhmpBtw Virustotal: Detection: 16%
Source: J5RBhmpBtw ReversingLabs: Detection: 13%

Networking:

Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49276
Source: unknown Network traffic detected: HTTP traffic on port 49276 -> 443
Source: J5RBhmpBtw, 00000829.00000279.1.000000010f7a8000.000000010f7c3000.r--.sdmp String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: J5RBhmpBtw String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: J5RBhmpBtw, 00000829.00000279.1.000000010f7a8000.000000010f7c3000.r--.sdmp String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: J5RBhmpBtw, 00000829.00000279.1.000000010f7a8000.000000010f7c3000.r--.sdmp String found in binary or memory: http://www.apple.com/certificateauthority0
Source: J5RBhmpBtw String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
Source: J5RBhmpBtw String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eus
Source: J5RBhmpBtw, 00000829.00000279.1.000000010f7a8000.000000010f7c3000.r--.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.55.202
Source: unknown TCP traffic detected without corresponding DNS query: 104.90.164.244
Source: classification engine Classification label: mal56.troj.mac@0/0@0/0

Persistence and Installation Behavior:

Executes commands using a shell command-line interpreter
Source: /Users/berri/Desktop/J5RBhmpBtw (PID: 829) Shell command executed: sh -c whoami

Language, Device and Operating System Detection:

Reads the system's hostname
Source: /bin/sh (PID: 830) Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

Yara detected SysJoker
Source: Yara match File source: J5RBhmpBtw, type: SAMPLE
Source: Yara match File source: 00000829.00000279.1.000000010409b000.00000001040b3000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: J5RBhmpBtw PID: 829, type: MEMORYSTR

Remote Access Functionality:

Yara detected SysJoker
Source: Yara match File source: J5RBhmpBtw, type: SAMPLE
Source: Yara match File source: 00000829.00000279.1.000000010409b000.00000001040b3000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: J5RBhmpBtw PID: 829, type: MEMORYSTR