
Analysis Report jetbrains-toolbox

ID: 85
Sample Name: jetbrains-toolbox
Cookbook: defaultmacfilecookbook.jbs
Time: 19:01:50
Date: 18/12/2020
Version: 31.0.0 Emerald

Table of Contents

• Analysis Report jetbrains-toolbox
• Overview: General Information, Detection, Signatures, Classification, Startup, Yara Overview, Signature Overview, Mitre Att&ck Matrix, Behavior Graph
• Screenshots: Thumbnails
• Antivirus, Machine Learning and Genetic Detection: Initial Sample, Dropped Files, Domains, URLs
• Domains and IPs: Contacted Domains, Contacted IPs, Public
• General Information
• Joe Sandbox View / Context: IPs, Domains, ASN, JA3 Fingerprints, Dropped Files
• Runtime Messages
• Created / dropped Files
• Static File Info: General
• Network Behavior: Network Port Distribution, TCP Packets, UDP Packets
• System Behavior: Analysis Process mono-sgen32 (PID: 570, Parent PID: 493), Analysis Process jetbrains-toolbox (PID: 570, Parent PID: 493), File Activities (File Created, File Read, File Written, Directory Enumerated, Directory Created)

Analysis Report jetbrains-toolbox

Overview

General Information
• Sample Name: jetbrains-toolbox
• Analysis ID: 85
• MD5: 4650b54b3ec808…
• SHA1: 2b9318975b9e56…
• SHA256: f1a93cf94ae4e62…
(The full hashes are given under Static File Info.)

Detection
• Score: 0 (Range: 0 - 100)
• Whitelisted: false
• Most interesting Screenshot: (image not reproduced)

Signatures
• Reads launchservices plist files

Classification
Radar chart (image not reproduced). Categories on the chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.

Startup

• System: macvm-highsierra
• mono-sgen32: New Fork (PID: 570, Parent: 493)
• jetbrains-toolbox (MD5: 4650b54b3ec8085cb599c7a8bd6c7501), Arguments: /Users/berri/Desktop/jetbrains-toolbox
• cleanup

Yara Overview

No yara matches

Signature Overview

• Networking
• System Summary
• Persistence and Installation Behavior

There are no malicious signatures. The light report shows only the signature categories above; the single signature it names is the one listed under Overview (Reads launchservices plist files).

Mitre Att&ck Matrix

One technique per tactic; a trailing number is the count of matched signatures.
• Initial Access: Valid Accounts
• Execution: Windows Management Instrumentation
• Persistence: Path Interception
• Privilege Escalation: Path Interception
• Defense Evasion: Direct Volume Access
• Credential Access: OS Credential Dumping
• Discovery: System Information Discovery 1
• Lateral Movement: Remote Services
• Collection: Data from Local System
• Exfiltration: Exfiltration Over Other Network Medium
• Command and Control: Data Obfuscation
• Network Effects: Eavesdrop on Insecure Network Communication
• Remote Service Effects: Remotely Track Device Without Authorization
• Impact: Modify System Partition

Only System Information Discovery carries a count (1), consistent with the one signature in this report (Reads launchservices plist files); no other technique has a matched signature.

Behavior Graph

Graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is malicious, Shell, Internet, Number of created Files.
• ID: 85
• Sample: jetbrains-toolbox
• Startdate: 18/12/2020
• Architecture: MAC
• Score: 0
• Process chain: mono-sgen32 started jetbrains-toolbox
• Network node: 17.253.113.201 (local port 49247 to remote port 80), APPLE-AUSTINUS, United States

Screenshots

Thumbnails: this section contains all screenshots as thumbnails (images not reproduced in this text export).

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

• Source: jetbrains-toolbox
• Detection: 0%

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs


Public

• IP: 17.253.113.201
• Domain: unknown
• Country: United States
• ASN: 6185 (APPLE-AUSTINUS)
• Malicious: false

AS6185 is Apple's own network; outbound connections to it from a process on macOS are routine and are not an indicator on their own. The report resolves no hostname for this port-80 flow (no contacted domains).

General Information

• Joe Sandbox Version: 31.0.0 Emerald
• Analysis ID: 85
• Start date: 18.12.2020
• Start time: 19:01:50
• Joe Sandbox Product: CloudBasic
• Overall analysis duration: 0h 4m 15s
• Hypervisor based Inspection enabled: false
• Report type: light
• Sample file name: jetbrains-toolbox
• Cookbook file name: defaultmacfilecookbook.jbs
• Analysis system description: Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
• Detection: CLEAN
• Classification: clean0.mac@0/1@0/0
• Warnings: (not expanded in this export)

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: APPLE-AUSTINUS (ASN). Columns: Associated Sample Name / URL, Detection, Context IP. The SHA 256 ("Get hash") and Link ("Browse") columns are links and are not reproduced.
• in3.dmg: malicious, 17.253.57.208
• https://billychemr324.github.io/santipxzic/index1.html?bbre=aod9435: malicious, 17.253.57.202
• dialog-ee-x-2.8.1.493.dmg: malicious, 17.253.57.204
• Player.dmg: malicious, 17.253.57.204
• help-servicee.ml: malicious, 17.253.57.208
• owauth1tadsoh1itndereql1nysa1ier1rnrhnthaesinlp.us-east-2.elasticbeanstalk.com/#[email protected]: malicious, 17.253.55.203
• test.kunmiskincare.com/index.php: malicious, 17.253.57.204

These matches share only the ASN with this sample, not the IP (17.253.113.201 versus 17.253.55.x/17.253.57.x): malicious samples also talk to Apple's network, so an ASN-level context match against AS6185 carries no weight by itself.

JA3 Fingerprints

No context

Dropped Files

No context

Runtime Messages

• Command: /Users/berri/Desktop/jetbrains-toolbox
• Exit Code: 1
• Exit Code Info: (none)
• Killed: False
• Standard Output: (empty)
• Standard Error: dlopen /Users/berri/Desktop/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework: dlopen(/Users/berri/Desktop/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework; 261): image not found

The sample was submitted as a bare Mach-O and run from the Desktop rather than from inside its .app bundle. It looks for the Chromium Embedded Framework at a path relative to its own location that exists only within the bundle, so dyld reports "image not found" and the process exits with code 1 at startup. The clean verdict therefore reflects a run that failed before any real behaviour could be observed, not a benign execution; re-running the complete bundle would be needed to see what the program actually does.

Created / dropped Files

/Users/berri/Library/Logs/JetBrains/Toolbox/toolbox.log
• Process: /Users/berri/Desktop/jetbrains-toolbox
• File Type: ASCII text
• Category: dropped
• Size (bytes): 655
• Entropy (8bit): 4.880191875967347
• Encrypted: false
• SSDEEP: 12:As+1FC+mStCS+1FC+mStCS+1FC+JjM7Y+1FC+0TKgKUrAI81:AFC+mtC+mtC+Jw7pC+0LKD
• MD5: 59032D88AAD3AA3898A8BA55681A544E
• SHA1: 11E51ACF3AEB2333C6E63C42AD646F57BE27018C
• SHA-256: 9EDBB4DA466AD055636960B9ECCB744861936B867EAA8856ABFB703422AF3C11
• SHA-512: 7E3818C4D05CF262E750C36E26FD2503D73DF8F6EFBFD1F5A3AABBCDB7D3FA4467F9B8ED07F09D67E0F614D1C8EE5ED90A236D21E741202E3F19AC2E9FF5F581
• Malicious: false
• Reputation: low
• Preview (line breaks restored; the export renders them as dots):
  ======
  Logger initialized
  1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) attach (shared memory) 1359118319 got -1 from shmget
  1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) attach (shared memory) 1359118319 got -1 from shmget
  1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) ensureSingleInstance master
  1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) loadCefLibForMac Can not load libcef_wrapper /Users/berri/Desktop/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework
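The following Python is an added example, not part of the Joe Sandbox report and not JetBrains code. It turns the Runtime Messages (stderr, exit code, command line) and the dropped toolbox.log above into a triage decision: did the sandbox observe the sample's behaviour, or did the sample die loading a dependency? The stderr string and log lines are constructed from the report's text; the toolbox.log line layout (version, pid, timestamp, level, separator, message) is inferred from that preview, and the triage() verdict strings are this example's own.

```python
"""Triage a sandbox run from its stderr, exit code and the dropped toolbox.log.

Added example, not part of the Joe Sandbox report or of JetBrains' code.
The fixtures are constructed from the report; the log line format is
inferred from the toolbox.log preview.
"""
import re

# Constructed from the Runtime Messages section of the report.
COMMAND = "/Users/berri/Desktop/jetbrains-toolbox"
EXIT_CODE = 1
STDERR = (
    "dlopen /Users/berri/Desktop/Contents/Frameworks/Chromium Embedded Framework.framework/"
    "Chromium Embedded Framework: dlopen(/Users/berri/Desktop/Contents/Frameworks/"
    "Chromium Embedded Framework.framework/Chromium Embedded Framework; 261): image not found"
)

# Constructed from the toolbox.log preview (newlines restored).
TOOLBOX_LOG = """\
======
Logger initialized
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) attach (shared memory) 1359118319 got -1 from shmget
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) attach (shared memory) 1359118319 got -1 from shmget
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) ensureSingleInstance master
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) loadCefLibForMac Can not load libcef_wrapper /Users/berri/Desktop/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework
"""

# version pid YYYY-MM-DD HH:MM:SS.mmm LEVEL sep message   (inferred layout)
LOG_LINE = re.compile(
    r"^(?P<version>\S+) (?P<pid>\d+) "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) (?P<sep>\S+) (?P<msg>.*)$"
)
# dyld's "dlopen(<path>; <errno>): <reason>" phrasing as seen in the report's stderr.
DLOPEN_FAIL = re.compile(r"dlopen\((?P<path>.+?)(?:; ?\d+)?\): (?P<reason>.+)$")


def parse_log(text: str) -> list:
    """Parse toolbox.log into dicts; lines without the prefix are kept as 'raw'."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["pid"] = int(entry["pid"])
            entries.append(entry)
        elif line.strip():
            entries.append({"raw": line})
    return entries


def dlopen_failures(stderr: str) -> list:
    """Extract (path, reason) pairs from dlopen error lines on stderr."""
    found = []
    for line in stderr.splitlines():
        m = DLOPEN_FAIL.search(line)
        if m:
            found.append((m.group("path"), m.group("reason")))
    return found


def triage(stderr: str, log_text: str, exit_code: int, reported_pid: int, command: str) -> dict:
    """Decide whether the sandbox actually observed the sample's behaviour."""
    entries = parse_log(log_text)
    pids = {e["pid"] for e in entries if "pid" in e}
    failures = dlopen_failures(stderr)
    cef_missing = [e for e in entries if "Can not load libcef_wrapper" in e.get("msg", "")]
    # A Mach-O run outside Foo.app/Contents/MacOS/ cannot find bundle-relative frameworks.
    in_bundle = "/Contents/MacOS/" in command
    if exit_code != 0 and (failures or cef_missing):
        verdict = "execution_incomplete: missing dependency, rerun with the full .app bundle"
    elif exit_code != 0:
        verdict = "execution_incomplete: non-zero exit, cause not visible in stderr"
    else:
        verdict = "executed"
    return {
        "log_entries": len(entries),
        "log_pid_matches_process": pids == {reported_pid},
        "dlopen_failures": failures,
        "missing_paths": [path for path, _ in failures],
        "in_app_bundle": in_bundle,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(STDERR, TOOLBOX_LOG, EXIT_CODE, 570, COMMAND).items():
        print(f"{key}: {value}")
```

The PID cross-check matters in practice: the dropped log's PID (570) matching the analysis process PID confirms the log came from the run under observation and not from a stale file on the analysis image.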

Static File Info

General

• File type: Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>
• Entropy (8bit): 5.862814325252487
• TrID: Mac OS X Mach-O 64bit Intel executable (20004/1) 100.00%
• File name: jetbrains-toolbox
• File size: 10149776
• MD5: 4650b54b3ec8085cb599c7a8bd6c7501
• SHA1: 2b9318975b9e5626390e8994be0c6dee09e4eea9
• SHA256: f1a93cf94ae4e62eaa00566169aadf60ad2661a958a52a696c656a0b719899f2
• SHA512: b0903873398ce65d87855085e1e9a10cd9c7d911785601c98dcbbb03d69c27fb6804e6a728c6217b8a56288aa4ce18ecab137a603a876a4edde6cb860f254fb7
• SSDEEP: 98304:8NZ5iRN4mt6a8Ng9JHxbgfrAMDuHgOc96W+TGsG+0Gs:uLf5aH
• File Content Preview: binary header; visible segment and section names are __PAGEZERO, __TEXT and __text
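The flag list above is the mach_header_64 flags word decoded by name. As an added example (not part of the Joe Sandbox report), the Python below parses that 32-byte header and names the bits, then applies the two checks a triage script would make on an executable image: PIE set (so ASLR applies) and no ALLOW_STACK_EXECUTION. It constructs a header carrying exactly the reported flags rather than reading the sample; on a real file, pass its first 32 bytes to parse_macho64_header(). The flag values and CPU/file-type constants are those from Apple's <mach-o/loader.h>.

```python
"""Decode mach_header_64 flags such as <NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>.

Added example, not part of the Joe Sandbox report. SAMPLE_HEADER is a
constructed 32-byte header matching the flags the report lists for
jetbrains-toolbox; no load commands follow it.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF            # 64-bit Mach-O in the reader's byte order
MH_CIGAM_64 = 0xCFFAEDFE            # 64-bit Mach-O in the opposite byte order
FAT_MAGICS = {0xCAFEBABE, 0xBEBAFECA}

CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
FILE_TYPES = {0x2: "MH_EXECUTE", 0x6: "MH_DYLIB", 0x8: "MH_BUNDLE", 0xA: "MH_DSYM"}

# Subset of mach_header.flags bits from <mach-o/loader.h>, keyed by bit value.
MH_FLAGS = {
    0x00000001: "NOUNDEFS",
    0x00000004: "DYLDLINK",
    0x00000080: "TWOLEVEL",
    0x00008000: "WEAK_DEFINES",
    0x00010000: "BINDS_TO_WEAK",
    0x00020000: "ALLOW_STACK_EXECUTION",
    0x00200000: "PIE",
    0x01000000: "NO_HEAP_EXECUTION",
}

# magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_LE = struct.Struct("<IIIIIIII")
HEADER_BE = struct.Struct(">IIIIIIII")


def parse_macho64_header(data: bytes) -> dict:
    """Parse the first 32 bytes of a 64-bit Mach-O and name its flag bits."""
    if len(data) < HEADER_LE.size:
        raise ValueError("need at least 32 bytes")
    magic = struct.unpack_from("<I", data)[0]
    if magic in FAT_MAGICS:
        raise ValueError("fat/universal binary: select an architecture slice first")
    if magic == MH_MAGIC_64:
        layout = HEADER_LE
    elif magic == MH_CIGAM_64:
        layout = HEADER_BE
    else:
        raise ValueError(f"not a 64-bit Mach-O header (magic {magic:#010x})")
    _, cputype, _, filetype, ncmds, sizeofcmds, flags, _ = layout.unpack_from(data)
    return {
        "cputype": CPU_TYPES.get(cputype, f"{cputype:#x}"),
        "filetype": FILE_TYPES.get(filetype, f"{filetype:#x}"),
        "ncmds": ncmds,
        "sizeofcmds": sizeofcmds,
        "flags": [name for bit, name in sorted(MH_FLAGS.items()) if flags & bit],
        "flags_raw": flags,
        "unknown_flag_bits": flags & ~sum(MH_FLAGS),
    }


def hardening_gaps(info: dict) -> list:
    """Return the hardening problems a triage script would flag for this header."""
    flags = set(info["flags"])
    gaps = []
    if info["filetype"] == "MH_EXECUTE" and "PIE" not in flags:
        gaps.append("not PIE: fixed load address, ASLR does not apply")
    if "ALLOW_STACK_EXECUTION" in flags:
        gaps.append("ALLOW_STACK_EXECUTION set: executable stack")
    if "TWOLEVEL" not in flags:
        gaps.append("flat namespace: symbols bind by name across all loaded images")
    return gaps


def build_header(flags: int, cputype: int = 0x01000007, filetype: int = 0x2) -> bytes:
    """Construct a bare 32-byte header (test fixture; cpusubtype 3 = X86_64_ALL)."""
    return HEADER_LE.pack(MH_MAGIC_64, cputype, 0x3, filetype, 0, 0, flags, 0)


# Constructed to match the report: NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE
REPORTED_FLAGS = 0x1 | 0x4 | 0x80 | 0x8000 | 0x10000 | 0x200000   # 0x218085
SAMPLE_HEADER = build_header(REPORTED_FLAGS)

if __name__ == "__main__":
    info = parse_macho64_header(SAMPLE_HEADER)
    print(info["cputype"], info["filetype"], "flags:<" + "|".join(info["flags"]) + ">")
    print("hardening gaps:", hardening_gaps(info) or "none")
```

For the header as reported, PIE and TWOLEVEL are both set and ALLOW_STACK_EXECUTION is absent, so the check passes; the same call on a header built without PIE would flag the fixed load address.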

Network Behavior

Network Port Distribution

• Total Packets: 3
• 53 (DNS)
• 80 (HTTP)

TCP Packets

UDP Packets

System Behavior

Analysis Process: mono-sgen32 PID: 570 Parent PID: 493

General

• Start time: 19:02:41
• Start date: 18/12/2020
• Path: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
• Arguments: n/a
• File size: 3722408 bytes
• MD5 hash: 8910349f44a940d8d79318367855b236

Analysis Process: jetbrains-toolbox PID: 570 Parent PID: 493

General

• Start time: 19:02:41
• Start date: 18/12/2020
• Path: /Users/berri/Desktop/jetbrains-toolbox
• Arguments: /Users/berri/Desktop/jetbrains-toolbox
• File size: 10149776 bytes
• MD5 hash: 4650b54b3ec8085cb599c7a8bd6c7501

Both process entries carry PID 570 with parent 493: the forked child was first seen as mono-sgen32 and then as jetbrains-toolbox, which is consistent with the sandbox launcher forking and the child replacing its image with the sample via exec, an operation that keeps the PID.

File Activities

• File Created: (no entries in the light report)
• File Read: (no entries in the light report)
• File Written: (no entries in the light report)
• Directory Enumerated: (no entries in the light report)
• Directory Created: (no entries in the light report)

Copyright Joe Security LLC 2020
