macOS
Analysis Report
pwm_3.3.1.1_aarch64.dmg
Overview
General Information
Detection
Score: | 0 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Reads launchservices plist files
Classification
Analysis Advice
Exit code suggests that the sample could not be started, try to look at standard streams or writes to anonymous pipes for possible reason.
Non-zero exit code suggests an error during the execution. Lookup the error code for hints.
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 752914 |
Start date and time: | 2022-11-24 01:14:52 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 55s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | pwm_3.3.1.1_aarch64.dmg |
Cookbook file name: | defaultmacfilecookbook.jbs |
Analysis system description: | Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099) |
Analysis Mode: | default |
Detection: | CLEAN |
Classification: | clean0.macDMG@0/0@0/0 |
Command: | open "/Volumes/PWMinder_3.3.1.1/PWMinder.app" |
PID: | 899 |
Exit Code: | 1 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: | LSOpenURLsWithRole() failed with error -10825 for the file /Volumes/PWMinder_3.3.1.1/PWMinder.app. |
⊘No yara matches
⊘No Snort rule has matched
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Classification label: |
Source: | Launchservices plist file read: |
Source: | CodeSign Info: |
Source: | System or server version plist file read: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Invalid Code Signature | OS Credential Dumping | 11 System Information Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Code Signing | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Virustotal | | Browse |
⊘No Antivirus matches
⊘No contacted domains info
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.76.200.212 | unknown | United States | | 3462 | HINETDataCommunicationBusinessGroupTW | false |
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 7.999667491831585 |
TrID: | |
File name: | pwm_3.3.1.1_aarch64.dmg |
File size: | 70962562 |
MD5: | 860615adad871e67d0e2a362f7824b7b |
SHA1: | 462830c61a38b1d0c501b34bad200aec74ce3763 |
SHA256: | 8ad57fb0368aeb7b73c4ef77da30bc9193f200a2c53b2b1cfa6d8dec6bdf0c8a |
SHA512: | 599faee0a185213f548362ed74f8a2f1c84593d2a82415911d202d015bb516e45080f1938d8da72c36c43a3d0e5ead8760bdb0d91b31672ea3ed1510f7167859 |
SSDEEP: | 1572864:lZRFFYejQjasEfJNLPOWEtNOUF4txXp5Tm+UWuBgWPkW/:Zf5QjasEfvLlEL9F8xXLq2ugWJ |
TLSH: | 86F73376A59DA8D3CBC6573781CB17409DA04E37B9DF88480391FB8E283D61A7A14CBD |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 24, 2022 01:15:55.930634022 CET | 49293 | 80 | 192.168.11.11 | 17.253.15.199 |
Nov 24, 2022 01:15:55.930963039 CET | 49294 | 80 | 192.168.11.11 | 104.76.200.212 |
Nov 24, 2022 01:15:55.938900948 CET | 80 | 49293 | 17.253.15.199 | 192.168.11.11 |
Nov 24, 2022 01:15:55.939439058 CET | 49293 | 80 | 192.168.11.11 | 17.253.15.199 |
Nov 24, 2022 01:15:55.941752911 CET | 80 | 49294 | 104.76.200.212 | 192.168.11.11 |
Nov 24, 2022 01:15:55.942219973 CET | 49294 | 80 | 192.168.11.11 | 104.76.200.212 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 24, 2022 01:15:57.337600946 CET | 137 | 137 | 192.168.11.11 | 192.168.11.255 |
Nov 24, 2022 01:15:57.338084936 CET | 137 | 137 | 192.168.11.11 | 192.168.11.255 |
System Behavior
Start time: | 01:16:49 |
Start date: | 24/11/2022 |
Path: | /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 |
Arguments: | n/a |
File size: | 3722408 bytes |
MD5 hash: | 8910349f44a940d8d79318367855b236 |
Start time: | 01:16:49 |
Start date: | 24/11/2022 |
Path: | /usr/bin/open |
Arguments: | |
File size: | 105952 bytes |
MD5 hash: | 40ed6d8f35c9f20484b97582d296398f |