macOS Analysis Report
pwm_3.3.1.1_x86-64.dmg

Overview

General Information

Sample Name:	pwm_3.3.1.1_x86-64.dmg
Analysis ID:	752916
MD5:	26e236876eb64279f77d118fbac3f06d
SHA1:	5519ff231aedc7394c5dd350b0b6058f253874c7
SHA256:	bd03a05dc21fa6ed0a3b35165df535896966f0f28279e07e7934d5e9e9ade8d8
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false

Signatures

Reads the systems hostname

Reads hardware related sysctl values

Creates hidden files, links and/or directories

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Reads the systems OS release and/or type

Reads launchservices plist files

Classification

Signatures

Source: unknown

DNS traffic detected: queries for: etappservices.appspot.com

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)

Writes from socket in process: data

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.15.202
Source: unknown	TCP traffic detected without corresponding DNS query: 88.221.168.210
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.15.202
Source: unknown	TCP traffic detected without corresponding DNS query: 88.221.168.210
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

HTTP traffic detected: POST /expiryCheck HTTP/1.1Content-Type: application/x-www-form-urlencodedContent-Length: 168Host: etappservices.appspot.comConnection: Keep-AliveUser-Agent: Apache-HttpClient/4.5.13 (Java/17.0.5)Accept-Encoding: gzip,deflateData Raw: 61 70 70 6c 69 63 61 74 69 6f 6e 49 64 3d 30 26 61 70 70 6c 69 63 61 74 69 6f 6e 56 65 72 69 6f 6e 3d 33 2e 33 2e 31 26 6f 70 65 72 61 74 69 6e 67 53 79 73 74 65 6d 3d 4d 61 63 2b 4f 53 2b 58 2b 25 32 38 31 30 2e 31 33 2e 32 25 32 39 26 6d 61 63 68 69 6e 65 55 69 64 3d 66 30 34 32 63 64 35 37 31 61 39 65 62 35 66 39 63 34 62 31 65 36 39 34 64 63 61 31 38 64 36 66 26 65 78 70 69 72 79 54 69 6d 65 73 74 61 6d 70 3d 31 36 37 31 38 34 35 32 38 35 33 39 36 26 61 73 73 75 6d 65 64 46 74 75 3d 74 72 75 65 Data Ascii: applicationId=0&applicationVerion=3.3.1&operatingSystem=Mac+OS+X+%2810.13.2%29&machineUid=f042cd571a9eb5f9c4b1e694dca18d6f&expiryTimestamp=1671845285396&assumedFtu=true

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)

Reads from socket in process: data

Jump to behavior

Source: classification engine

Classification label: clean3.macDMG@0/24@2/0

Source: pwm_3.3.1.1_x86-64.dmg

Binary or memory string: !eL.VbP

Creates hidden files, links and/or directories

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)

Hidden Directory created: /Users/berri/.pwminder -> /Users/berri/.pwminder

Jump to behavior

Reads launchservices plist files

Source: /usr/bin/open (PID: 900)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist			Jump to behavior
Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist			Jump to behavior

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	Random device file read: /dev/urandom	Jump to behavior
Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	Random device file read: /dev/urandom	Jump to behavior
Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	Random device file read: /dev/random	Jump to behavior

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)

Log file created: /Users/berri/.pwminder/log/PWMinder.log

Jump to dropped file

Source: submission

CodeSign Info: Executable=/Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)

Sysctl read request: kern.safeboot (1.66)

Jump to behavior

Reads the systems hostname

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)

Sysctl requested: kern.hostname (1.10)

Jump to behavior

Reads hardware related sysctl values

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	Sysctl read request: hw.ncpu (6.3)	Jump to behavior
Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	Sysctl read request: hw.memsize (6.24)	Jump to behavior
Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	Sysctl read request: hw.availcpu (6.25)	Jump to behavior

Reads the systems OS release and/or type

Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /usr/bin/open (PID: 900)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /Volumes/PWMinder_3.3.1.1/PWMinder.app/Contents/MacOS/PWMinder (PID: 901)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.221.168.210	unknown	European Union		16625	AKAMAI-ASUS	false
142.250.186.148	etappservices.appspot.com	United States		15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
etappservices.appspot.com	142.250.186.148	true

ID:	752916
Product:	CloudBasic
Start time:	01:26:02
Start date:	24.11.2022
Sample:	pwm_3.3.1.1_x86-64.dmg
Cookbook:	defaultmacfilecookbook.jbs
System description:	Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Architecture:	MAC
MD5:	26e236876eb64279f77d118fbac3f06d
SHA1:	5519ff231aedc7394c5dd350b0b6058f253874c7
SHA256:	bd03a05dc21fa6ed0a3b35165df535896966f0f28279e07e7934d5e9e9ade8d8
Filetype:	Disk Image (Macintosh), bzip2 (12509/2) 80.61%

Name	Type	MD5	SHA1	SHA256
/Users/berri/.pwminder/log/PWMinder.log	ASCII text	9FA50D77023B581571559014E07D0ECF	4D82EA3E2395C964A1B0F1959F935F3D14F4A6D5	6AB1E0EB70B3EF28A355872C03598DA925D33DF3B3DCCFF051058DDC4417EC15
/dev/null	ASCII text	CCFCB0B67D8546EE6284AA9FCD6BB116	AB0F40DFDE13EAA0626F05D60336F3D13A121B79	98061827B4A4B51922A620D0BCD46CDFDDDD3CC83BC0C98DB8B9A05FD13063B9
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/hsperfdata_berri/901	data	7DEA362B3FAC8E00956A4952A3D4F474	05FE405753166F125559E7C9AC558654F107C7E9	AF5570F5A1810B7AF78CAF4BC70A660F0DF51E42BAF91D4DE5B2328DE0E83DFC
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio10219926841058769522.tmp	GIF image data, version 89a, 32 x 32	973E211C65BC4D1B913ABE1EFC0FDA87	85855CE98B94F4CD0E341F1161435C23CFB11FE4	9C28AE36A99253ACFF1B773C167CB37F86B7FB1C3F7EA336A564283046A49F77
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio10224466244630806701.tmp	GIF image data, version 89a, 32 x 32	C5B6E97C0A3AD985FAFB4100B3EC7A48	F19A7053B2CFB1694542F400ADB39DA6D03B1D76	D256F259A88CCCF3477DB914BC5481CF30448F5F14AF72E98341576985EF46F8
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio10459773673903316017.tmp	GIF image data, version 89a, 32 x 32	52FD36B0B8FAE96A602EDD5AD182BF75	54DF664F7CDFDF7B33845031699081467907C764	0A7393EF1EE4F2969915BAD38B35BDD71980109CA59D835278EA992E8246EFAC
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio12938241649503612607.tmp	GIF image data, version 89a, 32 x 32	72A7DEDE3D9214D98194E3BB75EB1972	5C0E9CEBBD0CCC42D1E618B47A65E278A2A4911C	4F03A03AA0105A88ABD446FB27908787E9B4DC10E7BA6BF7D45BDA8F04E6DF3D
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio13412971084950237612.tmp	GIF image data, version 89a, 32 x 32	EC99D36A8AC6C648CDABCA70F6A0BC83	4093B2B4CE08F507935169D822AC02E555CDFADA	B1B49DECEF7F459CEEAC2D815AFEDF00FF69D2BB31128613A06784AB9BFA0223
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio13578127288510142521.tmp	GIF image data, version 89a, 32 x 32	ED53FC949DDBDF4EADEFD9A87104122D	A0FB5F4CE1B159F2E989E7A3A6AE4B987BADAB7C	1A7A76248AC7BB85BEF027B04FFA97190D51B0050D34CEA4AACD8EB15DC59A03
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio16244522733088286171.tmp	GIF image data, version 89a, 32 x 32	642565FBC584D7DFD1F3C07A960C13B8	EFEC89BEE218E73EAC3601BBD158DC890B5E4CCE	C8661EA4C44231232A9AABE491D76E372C55EE508917199A34E25A1EB70B0B84
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio2086714674483719818.tmp	GIF image data, version 89a, 32 x 32	A218D502A65437F5EC01AB4C53ABA21B	657E1A7B42BCE3E7686B7352A3D910B10AC07C5E	9A1563B281587FA7C3521F2EDE91C3B1F3EED931A5002855E660A1F7B1F5A306
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio216252107100245977.tmp	GIF image data, version 89a, 32 x 32	00913B549FE9528B8AF912CC7A0603D3	9E8782B0C01DCD65DBB7D2D52257683970F7ED2A	DCB1E08CD60160E62454FFEB9F3B034B907EF941DF20E281F2D3CE628E8713DA
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio2223170928174613939.tmp	GIF image data, version 89a, 32 x 32	80A2A9FD43C81D00DABE8940739A09F9	872F19AB0D529168BA418AF53548AE87688FBD83	80573875DA6572ABB6B35B943FB9442F52B1DFBFD7C7926EB0FA064349DA0E06
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio2999633974807869622.tmp	GIF image data, version 89a, 32 x 32	41C538A5777BB007FF524FBB082EB7EA	B43180E06FFA68DA5F18C4F7106FE33B58D6CF8B	18100D5483B6FF5FEDB9780C250F4C1E70E527DCF4CC8C99BB6EDD54DCA0F405
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio3815422977875359551.tmp	GIF image data, version 89a, 32 x 32	CD1A29180A36D5315309DADE8891D7B1	EAB2138F9175211C6353224FFBBA28844CE7F38A	E6C935C003CA1699B633A91427CA83F35B356E9F10414B2ED52899F53BAA958C
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio5224863052943678154.tmp	GIF image data, version 89a, 32 x 32	08C476ADA11D963F548AD67EB0932645	B1B7447B421106F8E9DD3D9A2A557DF3B4D426FA	2DC300157DC87449F8B2853350C0BA0342ACD883105D2F835A3D0D7EB7E23F17
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio5352537162059109128.tmp	GIF image data, version 89a, 32 x 32	1CE83B1F6B8C7D440F51FCD01C50F0EF	C78A3F9C36880ECD6DDA0B620342FD881309BAA6	ECDE79A8A92EEE2026999F4ABBD55C9785DA57809A7CDE42EBC810E645AD3BBD
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio6164943713436445280.tmp	GIF image data, version 89a, 9 x 9	5500729E3245B4BC78ADDFA79EF43984	7F8E755B3D26D0100F3DD2057EDDFD02FB97C7D9	BC288BD31CE5BD2013AD7FE24933EA69044BF94FCDED6010977FBF0566E2A922
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio6359674507834563537.tmp	GIF image data, version 89a, 32 x 32	A05F262CB23CFF803A0E7BDD235B819B	4E5E292C1ACAB061A628157D01025BD0C69E52C8	A4858E4EE4C3EAE37C797603CBE4177576EDBDDA1486FA6FF56EABBC08825F1C
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio6665906469700978227.tmp	GIF image data, version 89a, 32 x 32	6D01A4C7AB5AC88FCF97B93217AB25D4	CD39486EC73155B3C4E1AB10B20C69262A09ECAB	45CBC2F4469E0294737DDB777BA37C40DECAAB97161A1E421337BDB93B8EEAD6
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio7103516844854627969.tmp	GIF image data, version 89a, 9 x 9	DBEB6AC81C07D0B4E76000859309B1E5	69755A6C206C094E91CF5D1086B1D3BF0FC4C7C8	9863E46319CAD2BD1A809C7DFAB7EE0A44667B25A9389543E18F04EA894A055A
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio7212544972120051578.tmp	GIF image data, version 89a, 32 x 32	0F8E2C9B6E60429824D76F1D08F56EB0	9B3372A501E04CC847ACB4A0A56FB14F0E27A414	671F63EB768753D4CC6F92F0C1C7405F7998337CD7D5605946C7852EAE06328F
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio9716126586112586483.tmp	GIF image data, version 89a, 32 x 32	E76C48F0DB9AF83B03C31A5C074F0BE4	C3EB6C0B650386AC38716B1F41C48556B4D49855	DCE5C691E91E35286CB27DA1C7BBA3938162184E743A1D6F1BC8EB3B1D925830
/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/imageio9745765645810963695.tmp	GIF image data, version 89a, 9 x 9	6A3211DBC3E2ABB4208D58DDBAE780BB	74D6839C87CEE7D906FA9EAEF2A63FCDC8C24544	7997AFB7530BD0CAB7D3677EE9F9FC9F1959E9246953896B3A4A235D76FA8128

macOS Analysis Report
pwm_3.3.1.1_x86-64.dmg

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Persistence and Installation Behavior

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

macOS Analysis Report pwm_3.3.1.1_x86-64.dmg

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Persistence and Installation Behavior

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

macOS Analysis Report
pwm_3.3.1.1_x86-64.dmg