macOS Analysis Report
pwm_3.3.1.1_aarch64.dmg

Overview

General Information

Sample Name:pwm_3.3.1.1_aarch64.dmg
Analysis ID:752914
MD5:860615adad871e67d0e2a362f7824b7b
SHA1:462830c61a38b1d0c501b34bad200aec74ce3763
SHA256:8ad57fb0368aeb7b73c4ef77da30bc9193f200a2c53b2b1cfa6d8dec6bdf0c8a
Detection

Score:0
Range:0 - 100
Whitelisted:false

Signatures

Reads launchservices plist files

Classification

Analysis Advice

Exit code suggests that the sample could not be started, try to look at standard streams or writes to anonymous pipes for possible reason.
Non-zero exit code suggests an error during the execution. Lookup the error code for hints.
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:752914
Start date and time:2022-11-24 01:14:52 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 55s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:pwm_3.3.1.1_aarch64.dmg
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:default
Detection:CLEAN
Classification:clean0.macDMG@0/0@0/0
Command:open "/Volumes/PWMinder_3.3.1.1/PWMinder.app"
PID:899
Exit Code:1
Exit Code Info:
Killed:False
Standard Output:

Standard Error:LSOpenURLsWithRole() failed with error -10825 for the file /Volumes/PWMinder_3.3.1.1/PWMinder.app.
  • System is macvm-highsierra
  • open (MD5: 40ed6d8f35c9f20484b97582d296398f) Arguments:
  • cleanup
No yara matches
No Snort rule has matched

There are no malicious signatures.

Source: unknown. TCP traffic detected without corresponding DNS query: 17.253.15.199
Source: unknown. TCP traffic detected without corresponding DNS query: 104.76.200.212
Source: classification engine. Classification label: clean0.macDMG@0/0@0/0
Source: /usr/bin/open (PID: 899). Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: submission. CodeSign Info: Executable=/Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder
Source: /usr/bin/open (PID: 899). System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Mitre Att&ck Matrix (tactic: techniques; a leading number is the signature count shown for that technique)

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: 1 Invalid Code Signature; 1 Code Signing
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: 11 System Information Discovery; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Antivirus Detection

Source:pwm_3.3.1.1_aarch64.dmg
Detection:0%
Scanner:Virustotal
No Antivirus matches
No contacted domains info
Contacted IPs

IP:104.76.200.212
Domain:unknown
Country:United States
ASN:3462
ASN Name:HINETDataCommunicationBusinessGroupTW
Malicious:false
                                          No context
                                          No created / dropped files found
                                          File type:bzip2 compressed data, block size = 100k
                                          Entropy (8bit):7.999667491831585
                                          TrID:
                                          • Disk Image (Macintosh), bzip2 (12509/2) 80.61%
                                          • bzip2 compressed archive (3009/2) 19.39%
                                          File name:pwm_3.3.1.1_aarch64.dmg
                                          File size:70962562
                                          MD5:860615adad871e67d0e2a362f7824b7b
                                          SHA1:462830c61a38b1d0c501b34bad200aec74ce3763
                                          SHA256:8ad57fb0368aeb7b73c4ef77da30bc9193f200a2c53b2b1cfa6d8dec6bdf0c8a
                                          SHA512:599faee0a185213f548362ed74f8a2f1c84593d2a82415911d202d015bb516e45080f1938d8da72c36c43a3d0e5ead8760bdb0d91b31672ea3ed1510f7167859
                                          SSDEEP:1572864:lZRFFYejQjasEfJNLPOWEtNOUF4txXp5Tm+UWuBgWPkW/:Zf5QjasEfvLlEL9F8xXLq2ugWJ
                                          TLSH:86F73376A59DA8D3CBC6573781CB17409DA04E37B9DF88480391FB8E283D61A7A14CBD
                                          File Content Preview:BZh11AY&SY..0....F ......@... .1...i...j:\.....N.$;'.;.BZh11AY&SY5|.........P.@....BH.........@... .u.=SA.....i...R..M.4....\g...(.^.d].\.*.....A..B.H.0H+........=.4C.....~.I...A...R.W...).......BZh91AY&SY..|...........it"@@.@h .B@..... ...... @M.....MF.d
CodeSign Info:
  • Executable=/Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder
  • Identifier=ca.ewert.pwMinder
  • Format=app bundle with Mach-O thin (arm64)
  • CodeDirectory v=20500 size=1629 flags=0x10000(???) hashes=40+7 location=embedded
  • Hash type=sha256 size=32
  • CandidateCDHash sha256=1a98b2e41fb9171a59c858927332f7e7b4f3a3f9
  • Hash choices=sha256
  • Executable Segment base=0
  • Executable Segment limit=81920
  • Executable Segment flags=0x1
  • Page size=4096
  • CDHash=1a98b2e41fb9171a59c858927332f7e7b4f3a3f9
  • Signature size=8974
  • Authority=Developer ID Application: Victor Ewert (E8AGSEF5A4)
  • Authority=Developer ID Certification Authority
  • Authority=Apple Root CA
  • Timestamp=18 Nov 2022 at 00:21:05
  • Info.plist entries=18
  • TeamIdentifier=E8AGSEF5A4
  • Sealed Resources version=2 rules=13 files=170
  • Internal requirements count=1 size=180
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2022 01:15:55.930634022 CET | 49293 | 80 | 192.168.11.11 | 17.253.15.199
Nov 24, 2022 01:15:55.930963039 CET | 49294 | 80 | 192.168.11.11 | 104.76.200.212
Nov 24, 2022 01:15:55.938900948 CET | 80 | 49293 | 17.253.15.199 | 192.168.11.11
Nov 24, 2022 01:15:55.939439058 CET | 49293 | 80 | 192.168.11.11 | 17.253.15.199
Nov 24, 2022 01:15:55.941752911 CET | 80 | 49294 | 104.76.200.212 | 192.168.11.11
Nov 24, 2022 01:15:55.942219973 CET | 49294 | 80 | 192.168.11.11 | 104.76.200.212

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2022 01:15:57.337600946 CET | 137 | 137 | 192.168.11.11 | 192.168.11.255
Nov 24, 2022 01:15:57.338084936 CET | 137 | 137 | 192.168.11.11 | 192.168.11.255

                                          System Behavior

                                          Start time:01:16:49
                                          Start date:24/11/2022
                                          Path:/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
                                          Arguments:n/a
                                          File size:3722408 bytes
MD5 hash:8910349f44a940d8d79318367855b236

Start time:01:16:49
                                          Start date:24/11/2022
                                          Path:/usr/bin/open
                                          Arguments:
                                          File size:105952 bytes
                                          MD5 hash:40ed6d8f35c9f20484b97582d296398f