Play interactive tour

Edit tour

macOS Analysis Report J5RBhmpBtw

Overview

General Information

Sample Name:	J5RBhmpBtw
Analysis ID:	551503
MD5:	e06e06752509f9cd8bc85aa1aa24dba2
SHA1:	554aef8bf44e7fa941e1190e41c8770e90f07254
SHA256:	1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac
Infos:
Most interesting Screenshot:

Detection

SysJoker

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected SysJoker

Executes commands using a shell command-line interpreter

Reads the systems hostname

Classification

Analysis Advice

Exit code suggests that the sample could not be started, try looking at standard streams or writes to anonymous pipes for possible reason

Exit code information suggests that the sample terminated abnormally, try to lookup the sample's target architecture

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	551503
Start date:	12.01.2022
Start time:	09:23:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 34s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	J5RBhmpBtw
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:	default
Detection:	MAL
Classification:	mal56.troj.mac@0/0@0/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 104.92.88.33, 2.22.33.179 Excluded domains from analysis (whitelisted): cds-cdn.v.aaplimg.com, cds.apple.com.edgekey.net, e11408.d.akamaiedge.net, cds.apple.com.akadns.net, help.origin-apple.com.akadns.net, cds.apple.com, help.apple.com, e14768.dscb.akamaiedge.net, help-ar.apple.com.edgekey.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa

Process Tree

System is macvm-highsierra

mono-sgen32 New Fork (PID: 829, Parent: 753)

J5RBhmpBtw (MD5: e06e06752509f9cd8bc85aa1aa24dba2) Arguments: /Users/berri/Desktop/J5RBhmpBtw

sh New Fork (PID: 830, Parent: 829)

whoami (MD5: 24c45eb23e1aae68c572939d1a906018) Arguments: whoami

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
J5RBhmpBtw	JoeSecurity_SysJoker	Yara detected SysJoker	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000829.00000279.1.000000010409b000.00000001040b3000.r-x.sdmp	JoeSecurity_SysJoker	Yara detected SysJoker	Joe Security
Process Memory Space: J5RBhmpBtw PID: 829	JoeSecurity_SysJoker	Yara detected SysJoker	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: J5RBhmpBtw	Virustotal: Detection: 16%			Perma Link
Source: J5RBhmpBtw	ReversingLabs: Detection: 13%

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49276
Source: unknown	Network traffic detected: HTTP traffic on port 49276 -> 443

Source: J5RBhmpBtw, 00000829.00000279.1.000000010f7a8000.000000010f7c3000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: J5RBhmpBtw	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: J5RBhmpBtw, 00000829.00000279.1.000000010f7a8000.000000010f7c3000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: J5RBhmpBtw, 00000829.00000279.1.000000010f7a8000.000000010f7c3000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: J5RBhmpBtw	String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
Source: J5RBhmpBtw	String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eus
Source: J5RBhmpBtw, 00000829.00000279.1.000000010f7a8000.000000010f7c3000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.55.202
Source: unknown	TCP traffic detected without corresponding DNS query: 104.90.164.244
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.55.202
Source: unknown	TCP traffic detected without corresponding DNS query: 104.90.164.244

Source: classification engine

Classification label: mal56.troj.mac@0/0@0/0

Source: /Users/berri/Desktop/J5RBhmpBtw (PID: 829)

Shell command executed: sh -c whoami

Source: /bin/sh (PID: 830)

Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

Yara detected SysJoker

Show sources

Source: Yara match	File source: J5RBhmpBtw, type: SAMPLE
Source: Yara match	File source: 00000829.00000279.1.000000010409b000.00000001040b3000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: J5RBhmpBtw PID: 829, type: MEMORYSTR

Remote Access Functionality:

Yara detected SysJoker

Show sources

Source: Yara match	File source: J5RBhmpBtw, type: SAMPLE
Source: Yara match	File source: 00000829.00000279.1.000000010409b000.00000001040b3000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: J5RBhmpBtw PID: 829, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Path Interception	Scripting1	OS Credential Dumping	System Information Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
J5RBhmpBtw	17%	Virustotal		Browse
J5RBhmpBtw	14%	ReversingLabs	MacOS.Backdoor.SysJoker

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.90.164.244	unknown	United States		16625	AKAMAI-ASUS	false

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Runtime Messages

Command:	/Users/berri/Desktop/J5RBhmpBtw
Exit Code:	134
Exit Code Info:	SIGABRT (6) Abort signal from abort
Killed:	False
Standard Output:
Standard Error:	dyld: lazy symbol binding failed: Symbol not found: __ZNSt3__14__fs10filesystem8__statusERKNS1_4pathEPNS_10error_codeE Referenced from: /Users/berri/Desktop/J5RBhmpBtw (which was built for Mac OS X 11.3) Expected in: /usr/lib/libc++.1.dylib dyld: Symbol not found: __ZNSt3__14__fs10filesystem8__statusERKNS1_4pathEPNS_10error_codeE Referenced from: /Users/berri/Desktop/J5RBhmpBtw (which was built for Mac OS X 11.3) Expected in: /usr/lib/libc++.1.dylib

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|WEAK_DEFINES\|BINDS_TO_WEAK\|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|WEAK_DEFINES\|BINDS_TO_WEAK\|PIE>]
Entropy (8bit):	4.67371613955121
TrID:	Mac OS X Universal Binary executable (4004/1) 75.96% HSC music composer song (1267/141) 24.04%
File name:	J5RBhmpBtw
File size:	360176
MD5:	e06e06752509f9cd8bc85aa1aa24dba2
SHA1:	554aef8bf44e7fa941e1190e41c8770e90f07254
SHA256:	1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac
SHA512:	78a210c5fd1ac8c601fbb4ed226e7aaf1cc5bda187807ba3020997862fd54b59081f0b7f4fdc720acfa8e3d6a35dbe9309e0b2fe38088f493a02717a1057a56e
SSDEEP:	6144:5xw19koSAgvRyrnN5ft9A7pIHWhT5FixbxLZ:CvgMrnN51qaH+T5wl
File Content Preview:	..................@.......................~....................................................................................................................................................................................................................

Static Mach Info

General Information for header 1
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	19
Entry point:	0x6884

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x18000

fileoff

0x0

filesize

0x18000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100001EF0	0x124F7	0x1EF0	6.2123	0x4	0x0	0	0x80000400
__stubs	__TEXT	0x1000143E8	0x240	0x143E8	3.3352	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x100014628	0x3A8	0x14628	4.5266	0x2	0x0	0	0x80000400
__gcc_except_tab	__TEXT	0x1000149D0	0x129C	0x149D0	6.0675	0x2	0x0	0	0x0
__const	__TEXT	0x100015C70	0x2C0	0x15C70	2.4848	0x4	0x0	0	0x0
__cstring	__TEXT	0x100015F30	0x1A7F	0x15F30	5.3235	0x4	0x0	0	0x2
__unwind_info	__TEXT	0x1000179B0	0x644	0x179B0	5.4238	0x2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100018000

vmsize

0x4000

fileoff

0x18000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100018000	0xB8	0x18000	0.8862	0x3	0x0	0	0x6
__mod_init_func	__DATA_CONST	0x1000180B8	0x8	0x180B8	1.7500	0x3	0x0	0	0x9
__const	__DATA_CONST	0x1000180C0	0x3C8	0x180C0	2.4848	0x3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x10001C000

vmsize

0x4000

fileoff

0x1C000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x10001C000	0x300	0x1C000	2.7164	0x3	0x0	0	0x7
__data	__DATA	0x10001C300	0xC	0x1C300	0.4138	0x3	0x0	0	0x0
__common	__DATA	0x10001C310	0xF0	0x0	-0.0000	0x3	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x100020000
vmsize	0xC000
fileoff	0x20000
filesize	0x8310
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	131072
rebase_size	56
bind_off	131128
bind_size	1360
weak_bind_off	132488
weak_bind_size	456
lazy_bind_off	132944
lazy_bind_size	3752
export_off	136696
export_size	312

symtab_command aggregated: 1

Name	Value
symoff	137440
nsyms	131
stroff	140400
strsize	4432

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	7
iundefsym	8
nundefsym	123
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	139536
nindirectsyms	215
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'\x81t\x81~\xf4\xcf9\x8d\x97[x`Fn\xae\xc7'

build_version_command aggregated: 1

Name

Value

platform

minos

721664

sdk

721664

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	26756
stacksize	0

dylib_command aggregated: 3

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

9.0.0

compatibility_version

7.0.0

Datas

/usr/lib/libcurl.4.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

905.6.0

compatibility_version

1.0.0

Datas

/usr/lib/libc++.1.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1292.100.5

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

linkedit_data_command aggregated: 3

Name	Value
dataoff	137008
datasize	360

Name	Value
dataoff	137368
datasize	72

Name	Value
dataoff	144832
datasize	19792

Internal Symbols

__NSGetExecutablePath

__Unwind_Resume

__ZNKSt13runtime_error4whatEv

__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEPKc

__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm

__ZNKSt3__120__vector_base_commonILb1EE20__throw_length_errorEv

__ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv

__ZNKSt3__16locale9has_facetERNS0_2idE

__ZNKSt3__16locale9use_facetERNS0_2idE

__ZNKSt3__18ios_base6getlocEv

__ZNKSt9exception4whatEv

__ZNSt11logic_errorC2EPKc

__ZNSt12length_errorD1Ev

__ZNSt13runtime_errorC1EPKc

__ZNSt13runtime_errorC1ERKS_

__ZNSt13runtime_errorD1Ev

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE5eraseEmm

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKcm

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6assignEPKc

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertEmPKc

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6resizeEmc

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE9__grow_byEmmmmmm

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE9push_backEc

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_mmRKS4_

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEED1Ev

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEaSERKS5_

__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE5flushEv

__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE5writeEPKcl

__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryC1ERS3_

__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryD1Ev

__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED0Ev

__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED1Ev

__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED2Ev

__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEElsEi

__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE5uflowEv

__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE6xsgetnEPcl

__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE6xsputnEPKcl

__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE9showmanycEv

__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEEC2Ev

__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEED2Ev

__ZNSt3__14__fs10filesystem14__current_pathEPNS_10error_codeE

__ZNSt3__14__fs10filesystem18__create_directoryERKNS1_4pathEPNS_10error_codeE

__ZNSt3__14__fs10filesystem8__removeERKNS1_4pathEPNS_10error_codeE

__ZNSt3__14__fs10filesystem8__statusERKNS1_4pathEPNS_10error_codeE

__ZNSt3__14cerrE

__ZNSt3__14coutE

__ZNSt3__15ctypeIcE2idE

__ZNSt3__16localeC1ERKS0_

__ZNSt3__16localeD1Ev

__ZNSt3__17codecvtIcc11__mbstate_tE2idE

__ZNSt3__18ios_base33__set_badbit_and_consider_rethrowEv

__ZNSt3__18ios_base4initEPv

__ZNSt3__18ios_base5clearEj

__ZNSt3__19basic_iosIcNS_11char_traitsIcEEED2Ev

__ZNSt3__19to_stringEi

__ZNSt3__19to_stringEm

__ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_

__ZNSt8bad_castC1Ev

__ZNSt8bad_castD1Ev

__ZNSt9exceptionD1Ev

__ZNSt9exceptionD2Ev

__ZSt9terminatev

__ZTINSt3__113basic_filebufIcNS_11char_traitsIcEEEE

__ZTINSt3__113basic_ostreamIcNS_11char_traitsIcEEEE

__ZTINSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE

__ZTINSt3__115basic_streambufIcNS_11char_traitsIcEEEE

__ZTINSt3__117bad_function_callE

__ZTISt12length_error

__ZTISt13runtime_error

__ZTISt8bad_cast

__ZTISt9exception

__ZTSNSt3__113basic_filebufIcNS_11char_traitsIcEEEE

__ZTSNSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE

__ZTSNSt3__117bad_function_callE

__ZTVN10__cxxabiv120__si_class_type_infoE

__ZTVSt12length_error

__ZTVSt9exception

__ZTv0_n24_NSt3__113basic_ostreamIcNS_11char_traitsIcEEED0Ev

__ZTv0_n24_NSt3__113basic_ostreamIcNS_11char_traitsIcEEED1Ev

__ZdaPv

__ZdlPv

__Znam

__Znwm

___assert_rtn

___bzero

___cxa_allocate_exception

___cxa_atexit

___cxa_begin_catch

___cxa_end_catch

___cxa_free_exception

___cxa_get_exception_ptr

___cxa_throw

___error

___gxx_personality_v0

___stack_chk_fail

___stack_chk_guard

__mh_execute_header

_curl_easy_cleanup

_curl_easy_getinfo

_curl_easy_init

_curl_easy_perform

_curl_easy_setopt

_fclose

_fflush

_fgets

_fopen

_fread

_fseek

_fseeko

_ftello

_fwrite

_localeconv

_memchr

_memcmp

_memcpy

_memmove

_memset

_pclose

_popen

_rand

_sleep

_snprintf

_strlen

_strtod

_strtoll

_strtoull

_system

dyld_stub_binder

radr://5614542

External symbols