macOS Analysis Report
softwareupdate

Overview

General Information

Sample Name:softwareupdate
Analysis ID:560377
MD5:9dc9d317a9b63599bbc1ceba6437226e
SHA1:ee0678e58868ebd6603cc2e06a134680d2012c1b
SHA256:f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348
Infos:

Detection

DazzleSpy
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Yara detected DazzleSpy
Multi AV Scanner detection for submitted file
Creates hidden Mach-O files
Writes Mach-O files to hidden directories
Executes hidden files
Contains functionality related to keyboard/mouse events
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Reads the system's hostname
Detected TCP or UDP traffic on non-standard ports
Creates memory-persistent launch services
Explicitly loads/starts launch services
Creates user-wide 'launchd' managed services aka launch agents
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Creates hidden files, links and/or directories
Executes commands using a shell command-line interpreter
Writes 64-bit Mach-O files to disk
Contains symbols with paths

Classification

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:560377
Start date:26.01.2022
Start time:13:00:22
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 47s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:softwareupdate
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:default
Detection:MAL
Classification:mal72.troj.spyw.evad.mac@0/3@0/0
  • Excluded IPs from analysis (whitelisted): 104.92.88.33, 2.22.33.179
  • Excluded domains from analysis (whitelisted): cds-cdn.v.aaplimg.com, cds.apple.com.edgekey.net, e11408.d.akamaiedge.net, cds.apple.com.akadns.net, help.origin-apple.com.akadns.net, cds.apple.com, help.apple.com, e14768.dscb.akamaiedge.net, help-ar.apple.com.edgekey.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa
Command:/Users/berri/Desktop/softwareupdate
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • System is macvm-highsierra
  • softwareupdate (MD5: 9dc9d317a9b63599bbc1ceba6437226e) Arguments: /Users/berri/Desktop/softwareupdate
    • bash New Fork (PID: 832, Parent: 830)
    • launchctl (MD5: 17fad4b994d600d0a5b6bc02b55c2c80) Arguments: launchctl load /var/root/Library/LaunchAgents/com.apple.softwareupdate.plist
  • softwareupdate (MD5: 9dc9d317a9b63599bbc1ceba6437226e) Arguments: /var/root/.local/softwareupdate 1
  • cleanup
Source | Rule | Description | Author | Strings
softwareupdate | JoeSecurity_DazzleSpy | Yara detected DazzleSpy | Joe Security |

Source | Rule | Description | Author | Strings
/private/var/root/.local/.dat.nosync033e.YhhF3l | JoeSecurity_DazzleSpy | Yara detected DazzleSpy | Joe Security |

Source | Rule | Description | Author | Strings
00000830.00000263.1.0000000109b97000.0000000109bcd000.r--.sdmp | JoeSecurity_DazzleSpy | Yara detected DazzleSpy | Joe Security |
00000830.00000263.9.0000000109b97000.0000000109bcd000.r--.sdmp | JoeSecurity_DazzleSpy | Yara detected DazzleSpy | Joe Security |
00000831.00000264.9.0000000109b97000.0000000109bcd000.r--.sdmp | JoeSecurity_DazzleSpy | Yara detected DazzleSpy | Joe Security |
00000830.00000263.9.0000000109b1f000.0000000109b87000.r-x.sdmp | JoeSecurity_DazzleSpy | Yara detected DazzleSpy | Joe Security |
00000831.00000264.9.0000000109b1f000.0000000109b87000.r-x.sdmp | JoeSecurity_DazzleSpy | Yara detected DazzleSpy | Joe Security |

                AV Detection