macOS Analysis Report
pwm_3.3.1.1_aarch64.dmg

Overview

General Information

Sample Name:pwm_3.3.1.1_aarch64.dmg
Analysis ID:752914
MD5:860615adad871e67d0e2a362f7824b7b
SHA1:462830c61a38b1d0c501b34bad200aec74ce3763
SHA256:8ad57fb0368aeb7b73c4ef77da30bc9193f200a2c53b2b1cfa6d8dec6bdf0c8a
Detection

Score:0
Range:0 - 100
Whitelisted:false

Signatures

Reads launchservices plist files

Classification

Analysis Advice

Exit code 1 together with "LSOpenURLsWithRole() failed with error -10825" on standard error means the sample was never started. -10825 is kLSIncompatibleSystemVersionErr in LaunchServices, and the CodeSign Info below shows the bundle is a thin arm64 Mach-O, which the Intel High Sierra analysis VM cannot execute. The score of 0 / CLEAN therefore reflects non-execution, not observed benign behaviour; re-run the sample on an Apple silicon host (or obtain an x86_64 build) before treating the verdict as meaningful.
When an exit code is non-zero, check the standard streams and writes to anonymous pipes for the reason, and look up the error code for hints.
Joe Sandbox Version:36.0.0 Rainbow Opal
Start date and time:2022-11-24 01:14:52 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 55s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:pwm_3.3.1.1_aarch64.dmg
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:default
Detection:CLEAN
Classification:clean0.macDMG@0/0@0/0
Command:open "/Volumes/PWMinder_3.3.1.1/PWMinder.app"
PID:899
Exit Code:1
Exit Code Info:
Killed:False
Standard Output:

Standard Error:LSOpenURLsWithRole() failed with error -10825 for the file /Volumes/PWMinder_3.3.1.1/PWMinder.app.
Process tree (analysis system macvm-highsierra):
  • open (MD5: 40ed6d8f35c9f20484b97582d296398f), arguments: none recorded
  • cleanup
No yara matches
No Snort rule has matched

Signature Results

No malicious signatures were triggered. All signature results follow.

  • Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.15.199
  • Source: unknown | TCP traffic detected without corresponding DNS query: 104.76.200.212
  • Source: classification engine | Classification label: clean0.macDMG@0/0@0/0
  • Source: /usr/bin/open (PID: 899) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
  • Source: submission | CodeSign Info: Executable=/Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder
  • Source: /usr/bin/open (PID: 899) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Note on the two network signatures: 17.253.15.199 lies in Apple's 17.0.0.0/8 allocation, both connections were made to port 80 at 01:15:55 (see the packet tables below), i.e. before the open(1) invocation at 01:16:49, and the sample itself never launched. They are therefore attributable to the analysis OS, not to the sample. The two plist reads are likewise performed by /usr/bin/open while resolving the bundle, not by PWMinder.
MITRE ATT&CK Matrix (only cells with matched signatures are listed; the remaining cells of the grid are empty template placeholders):
  • Defense Evasion: Invalid Code Signature (1)
  • Defense Evasion: Code Signing (1)
  • Discovery: System Information Discovery (two badges, corresponding to the launchservices and SystemVersion plist reads above)
Antivirus / scanner results
Source | Detection | Scanner
pwm_3.3.1.1_aarch64.dmg | 0% | Virustotal
No Antivirus matches
No contacted domains info
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.76.200.212 | unknown | United States | 3462 | HINET Data Communication Business Group TW | false
No context
No created / dropped files found
File type:bzip2 compressed data, block size = 100k
Entropy (8bit):7.999667491831585
TrID:
  • Disk Image (Macintosh), bzip2 (12509/2) 80.61%
  • bzip2 compressed archive (3009/2) 19.39%
File name:pwm_3.3.1.1_aarch64.dmg
File size:70962562
MD5:860615adad871e67d0e2a362f7824b7b
SHA1:462830c61a38b1d0c501b34bad200aec74ce3763
SHA256:8ad57fb0368aeb7b73c4ef77da30bc9193f200a2c53b2b1cfa6d8dec6bdf0c8a
SHA512:599faee0a185213f548362ed74f8a2f1c84593d2a82415911d202d015bb516e45080f1938d8da72c36c43a3d0e5ead8760bdb0d91b31672ea3ed1510f7167859
SSDEEP:1572864:lZRFFYejQjasEfJNLPOWEtNOUF4txXp5Tm+UWuBgWPkW/:Zf5QjasEfvLlEL9F8xXLq2ugWJ
TLSH:86F73376A59DA8D3CBC6573781CB17409DA04E37B9DF88480391FB8E283D61A7A14CBD
File Content Preview:BZh11AY&SY..0....F ......@... .1...i...j:\.....N.$;'.;.BZh11AY&SY5|.........P.@....BH.........@... .u.=SA.....i...R..M.4....\g...(.^.d].\.*.....A..B.H.0H+........=.4C.....~.I...A...R.W...).......BZh91AY&SY..|...........it"@@.@h .B@..... ...... @M.....MF.d
CodeSign Info:
  • Executable=/Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder
  • Identifier=ca.ewert.pwMinder
  • Format=app bundle with Mach-O thin (arm64)
  • CodeDirectory v=20500 size=1629 flags=0x10000(???) hashes=40+7 location=embedded
  • Hash type=sha256 size=32
  • CandidateCDHash sha256=1a98b2e41fb9171a59c858927332f7e7b4f3a3f9
  • Hash choices=sha256
  • Executable Segment base=0
  • Executable Segment limit=81920
  • Executable Segment flags=0x1
  • Page size=4096
  • CDHash=1a98b2e41fb9171a59c858927332f7e7b4f3a3f9
  • Signature size=8974
  • Authority=Developer ID Application: Victor Ewert (E8AGSEF5A4)
  • Authority=Developer ID Certification Authority
  • Authority=Apple Root CA
  • Timestamp=18 Nov 2022 at 00:21:05
  • Info.plist entries=18
  • TeamIdentifier=E8AGSEF5A4
  • Sealed Resources version=2 rules=13 files=170
  • Internal requirements count=1 size=180

Notes: the main binary is arm64-only (thin), which is why it could not be launched on the Intel High Sierra analysis VM. It carries a Developer ID signature chained to Apple Root CA with a secure timestamp. flags=0x10000 is the CS_RUNTIME bit (hardened runtime), which the analysis host's codesign did not recognise and printed as (???). Nothing in this output states whether the signature validates or whether the bundle is notarized; that needs codesign --verify and spctl --assess on a macOS host.
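The two facts that matter for reading this report (the open(1) failure under Analysis Advice and the CodeSign Info above) can be checked offline. The script below is an added example, not part of the Joe Sandbox report or of PWMinder: the REPORT dict is constructed from the values printed on this page (it is not a Joe Sandbox export format), LS_ERRORS holds the LaunchServices result codes from Apple's LSInfo.h, CS_RUNTIME is the hardened-runtime bit from the XNU cs_blobs.h header, and host_arch = "x86_64" is an assumption (High Sierra only runs on Intel Macs). It decodes the -10825 error, parses the codesign output, and reports whether the clean verdict is backed by an actual execution.

```python
"""Offline triage of a macOS sandbox result: did the sample run at all,
and what does its code signature say?

Constructed input; LS_ERRORS from LSInfo.h, CS_RUNTIME from cs_blobs.h,
host_arch is an assumption. Not a Joe Sandbox API.
"""
import re

# LaunchServices result codes (LSInfo.h), limited to the ones open(1) reports.
LS_ERRORS = {
    -10810: "kLSUnknownErr",
    -10811: "kLSNotAnApplicationErr",
    -10814: "kLSApplicationNotFoundErr",
    -10825: "kLSIncompatibleSystemVersionErr",
    -10826: "kLSNoLaunchPermissionErr",
    -10827: "kLSNoExecutableErr",
}
CS_RUNTIME = 0x10000  # CodeDirectory flag: hardened runtime enabled

# Constructed input mirroring this report's fields (values copied from the page).
REPORT = {
    "exit_code": 1,
    "stderr": "LSOpenURLsWithRole() failed with error -10825 for the file "
              "/Volumes/PWMinder_3.3.1.1/PWMinder.app.",
    "host_arch": "x86_64",  # assumption: Intel High Sierra VM
    "codesign": [
        "Executable=/Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder",
        "Identifier=ca.ewert.pwMinder",
        "Format=app bundle with Mach-O thin (arm64)",
        "CodeDirectory v=20500 size=1629 flags=0x10000(???) hashes=40+7 location=embedded",
        "Authority=Developer ID Application: Victor Ewert (E8AGSEF5A4)",
        "Authority=Developer ID Certification Authority",
        "Authority=Apple Root CA",
        "Timestamp=18 Nov 2022 at 00:21:05",
        "TeamIdentifier=E8AGSEF5A4",
    ],
}


def ls_error(stderr):
    """Return (code, name) for an LSOpenURLsWithRole() failure, or None."""
    m = re.search(r"LSOpenURLsWithRole\(\) failed with error (-?\d+)", stderr)
    if not m:
        return None
    code = int(m.group(1))
    return code, LS_ERRORS.get(code, "unknown")


def parse_codesign(lines):
    """Parse codesign -dvvv style key=value lines into a dict."""
    info = {"authorities": [], "archs": [], "cd_flags": 0}
    for line in lines:
        key, _, value = line.partition("=")
        if key == "Authority":
            info["authorities"].append(value)  # leaf first, root last
        elif key == "Format":
            # "Mach-O thin (arm64)" or "Mach-O universal (x86_64 arm64)"
            info["archs"] = " ".join(re.findall(r"\((.*?)\)", value)).split()
        elif key.startswith("CodeDirectory"):
            fm = re.search(r"flags=(0x[0-9a-fA-F]+)", value)
            if fm:
                info["cd_flags"] = int(fm.group(1), 16)
        else:
            info[key] = value
    return info


def triage(report):
    """Decide whether a clean verdict is evidence of anything."""
    cs = parse_codesign(report["codesign"])
    err = ls_error(report["stderr"])
    auths = cs["authorities"]
    findings = {
        "executed": report["exit_code"] == 0 and err is None,
        "ls_error": err,
        "archs": cs["archs"],
        "arch_compatible": report["host_arch"] in cs["archs"],
        # Developer ID chain: leaf "Developer ID Application" up to Apple Root CA
        "developer_id_chain": bool(auths) and auths[-1] == "Apple Root CA"
        and auths[0].startswith("Developer ID Application:"),
        "team_id": cs.get("TeamIdentifier"),
        "hardened_runtime": bool(cs["cd_flags"] & CS_RUNTIME),
    }
    # A sandbox verdict only means something if the sample actually started.
    findings["verdict_meaningful"] = findings["executed"]
    return findings


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k:>20}: {v}")
```

For this report the script reports executed=False with kLSIncompatibleSystemVersionErr, archs=['arm64'] against an x86_64 host, a complete Developer ID chain with hardened runtime set, and verdict_meaningful=False: the right next step is a re-run on Apple silicon, not filing the DMG as clean.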
TCP packets (two three-way handshakes to port 80, from the analysis VM)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2022 01:15:55.930634022 CET | 49293 | 80 | 192.168.11.11 | 17.253.15.199
Nov 24, 2022 01:15:55.930963039 CET | 49294 | 80 | 192.168.11.11 | 104.76.200.212
Nov 24, 2022 01:15:55.938900948 CET | 80 | 49293 | 17.253.15.199 | 192.168.11.11
Nov 24, 2022 01:15:55.939439058 CET | 49293 | 80 | 192.168.11.11 | 17.253.15.199
Nov 24, 2022 01:15:55.941752911 CET | 80 | 49294 | 104.76.200.212 | 192.168.11.11
Nov 24, 2022 01:15:55.942219973 CET | 49294 | 80 | 192.168.11.11 | 104.76.200.212

UDP packets (port 137 to the subnet broadcast address: NetBIOS name service from the analysis VM)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2022 01:15:57.337600946 CET | 137 | 137 | 192.168.11.11 | 192.168.11.255
Nov 24, 2022 01:15:57.338084936 CET | 137 | 137 | 192.168.11.11 | 192.168.11.255

System Behavior

Process:/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Start time:01:16:49
Start date:24/11/2022
Arguments:n/a
File size:3722408 bytes
MD5 hash:8910349f44a940d8d79318367855b236

Process:/usr/bin/open
Start time:01:16:49
Start date:24/11/2022
Arguments:
File size:105952 bytes
MD5 hash:40ed6d8f35c9f20484b97582d296398f