Joe Sandbox Analysis Report
ID: 85
Sample Name: jetbrains-toolbox
Cookbook: defaultmacfilecookbook.jbs
Time: 19:01:50
Date: 18/12/2020
Version: 31.0.0 Emerald

Table of Contents
Analysis Report jetbrains-toolbox ... 3
  Overview: General Information, Detection, Signatures, Classification, Startup ... 3
  Yara Overview; Signature Overview ... 3
  Mitre Att&ck Matrix; Behavior Graph; Screenshots (Thumbnails) ... 4
  Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample, Dropped Files, Domains, URLs ... 4-5
  Domains and IPs: Contacted Domains, Contacted IPs, Public ... 5-6
  General Information ... 6
  Joe Sandbox View / Context: IPs, Domains, ASN, JA3 Fingerprints, Dropped Files ... 6-7
  Runtime Messages; Created / dropped Files; Static File Info (General) ... 7-8
  Network Behavior: Network Port Distribution, TCP Packets, UDP Packets ... 8
  System Behavior: Analysis Process mono-sgen32 (PID 570, Parent PID 493); Analysis Process jetbrains-toolbox (PID 570, Parent PID 493): General, File Activities (File Created, File Read, File Written, Directory Enumerated, Directory Created) ... 8-9
Copyright null 2020 Page 2 of 9 Analysis Report jetbrains-toolbox
Overview
General Information
Sample Name: jetbrains-toolbox
Analysis ID: 85
MD5: 4650b54b3ec808…
SHA1: 2b9318975b9e56…
SHA256: f1a93cf94ae4e62…
Most interesting Screenshot: (none)

Detection
Score: 0
Range: 0 - 100
Whitelisted: false

Signatures
Reads launchservices plist files

Classification
clean. The report's classification chart rates the sample on a malicious / suspicious / clean scale across the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware; none of them is flagged.
Startup
system is macvm-highsierra
mono-sgen32 New Fork (PID: 570, Parent: 493)
jetbrains-toolbox (MD5: 4650b54b3ec8085cb599c7a8bd6c7501) Arguments: /Users/berri/Desktop/jetbrains-toolbox
cleanup
Yara Overview
No yara matches
Signature Overview
• Networking • System Summary • Persistence and Installation Behavior
No malicious signatures were raised; the only signature hit is the informational "Reads launchservices plist files" listed in the Overview.
Mitre Att&ck Matrix
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping
Discovery: System Information Discovery (1)
Lateral Movement: Remote Services
Collection: Data from Local System
Exfiltration: Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation
Network Effects: Eavesdrop on Insecure Network Communication
Remote Service Effects: Remotely Track Device Without Authorization
Impact: Modify System Partition
Only System Information Discovery carries a signature count (1); no other cell in the matrix has a matched signature.
Behavior Graph
ID: 85
Sample: jetbrains-toolbox
Startdate: 18/12/2020
Architecture: MAC
Score: 0
Process tree: mono-sgen32 -> jetbrains-toolbox
Network node: 17.253.113.201:80 (local port 49247), APPLE-AUSTINUS, United States
The graph legend (Process, Signature, Created File, DNS/IP Info, Is Dropped, Is malicious, Internet, Shell, Number of created Files) is rendering residue; the graph itself contains only the two process nodes and the single IP node above.
Screenshots
Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source: jetbrains-toolbox
Detection: 0%
Dropped Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
Public
IP: 17.253.113.201
Domain: unknown
Country: United States
ASN: 6185
ASN Name: APPLE-AUSTINUS
Malicious: false
General Information
Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 85
Start date: 18.12.2020
Start time: 19:01:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: jetbrains-toolbox
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Detection: CLEAN
Classification: clean0.mac@0/1@0/0
Warnings: (collapsed in the source report; not reproduced here)
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
Match: APPLE-AUSTINUS
Associated Sample Name / URL | Detection | Context IP
in3.dmg | malicious | 17.253.57.208
https://billychemr324.github.io/santipxzic/index1.html?bbre=aod9435 | malicious | 17.253.57.202
dialog-ee-x-2.8.1.493.dmg | malicious | 17.253.57.204
Player.dmg | malicious | 17.253.57.204
help-servicee.ml | malicious | 17.253.57.208
owauth1tadsoh1itndereql1nysa1ier1rnrhnthaesinlp.us-east-2.elasticbeanstalk.com/#[email protected] | malicious | 17.253.55.203
test.kunmiskincare.com/index.php | malicious | 17.253.57.204
(The SHA 256 and Link columns of the source table are interactive "Get hash" / "Browse" controls and carry no data in this export.) These context matches are other samples that contacted the same ASN; sharing an Apple ASN with malicious samples is not by itself evidence against this file.
JA3 Fingerprints
No context
Dropped Files
No context
Runtime Messages
Command: /Users/berri/Desktop/jetbrains-toolbox
Exit Code: 1
Killed: False
Standard Output: (empty)
Standard Error:
dlopen /Users/berri/Desktop/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework: dlopen(/Users/berri/Desktop/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework; 261): image not found

Caveat for anyone relying on this verdict: the sample was executed as a bare Mach-O at /Users/berri/Desktop/jetbrains-toolbox rather than from inside its .app bundle, so it resolved the Chromium Embedded Framework path relative to its parent directory (/Users/berri/Desktop/Contents/Frameworks/...), found nothing there, and exited with code 1 before loading its UI framework. The score of 0 therefore describes a run that ended at library loading, not a full execution of the application. Re-run the sample from a complete bundle (Contents/MacOS/ next to Contents/Frameworks/) before treating the clean result as evidence of benign runtime behaviour.
Created / dropped Files
/Users/berri/Library/Logs/JetBrains/Toolbox/toolbox.log
Process: /Users/berri/Desktop/jetbrains-toolbox
File Type: ASCII text
Category: dropped
Size (bytes): 655
Entropy (8bit): 4.880191875967347
Encrypted: false
SSDEEP: 12:As+1FC+mStCS+1FC+mStCS+1FC+JjM7Y+1FC+0TKgKUrAI81:AFC+mtC+mtC+Jw7pC+0LKD
MD5: 59032D88AAD3AA3898A8BA55681A544E
SHA1: 11E51ACF3AEB2333C6E63C42AD646F57BE27018C
SHA-256: 9EDBB4DA466AD055636960B9ECCB744861936B867EAA8856ABFB703422AF3C11
SHA-512: 7E3818C4D05CF262E750C36E26FD2503D73DF8F6EFBFD1F5A3AABBCDB7D3FA4467F9B8ED07F09D67E0F614D1C8EE5ED90A236D21E741202E3F19AC2E9FF5F581
Malicious: false
Reputation: low
Preview (line breaks restored from the report's one-line preview):
======
Logger initialized
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) attach (shared memory) 1359118319 got -1 from shmget
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) attach (shared memory) 1359118319 got -1 from shmget
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) ensureSingleInstance master
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) loadCefLibForMac Can not load libcef_wrapper /Users/berri/Desktop/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework.
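The Runtime Messages and the dropped toolbox.log together tell you whether the run is worth anything: a non-zero exit, a dyld "image not found" and a "Can not load libcef_wrapper" line all point at the same abort. The following triage script is an added example, not Joe Sandbox code. It parses both artifacts and flags a run that died during library loading; the runtime record and the log text are constructed here from the report's own sections, and the field names (command, exit_code, killed, stderr) are my own naming rather than a Joe Sandbox export format.

```python
"""Decide whether a sandbox run produced real runtime coverage.

Added example for this report, not Joe Sandbox code.  The runtime record and
the log text below are constructed from the report's Runtime Messages and the
toolbox.log preview; the dict keys are an assumed layout, not an export format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed from the report's "Runtime Messages" section.
RUNTIME = {
    "command": "/Users/berri/Desktop/jetbrains-toolbox",
    "exit_code": 1,
    "killed": False,
    "stderr": (
        "dlopen /Users/berri/Desktop/Contents/Frameworks/Chromium Embedded "
        "Framework.framework/Chromium Embedded Framework: "
        "dlopen(/Users/berri/Desktop/Contents/Frameworks/Chromium Embedded "
        "Framework.framework/Chromium Embedded Framework; 261): image not found"
    ),
}

# Constructed from the toolbox.log preview (line breaks restored).
TOOLBOX_LOG = """======
Logger initialized
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) attach (shared memory) 1359118319 got -1 from shmget
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) attach (shared memory) 1359118319 got -1 from shmget
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) ensureSingleInstance master
1.19.7784 570 2020-12-18 20:02:42.162 INFO ---- (native) loadCefLibForMac Can not load libcef_wrapper /Users/berri/Desktop/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework
"""

# "<version> <pid> <timestamp> <LEVEL> ---- <message>"; banner lines do not match.
LOG_LINE = re.compile(
    r"^(?P<version>\S+) (?P<pid>\d+) "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?P<level>[A-Z]+) -+ (?P<msg>.*)$"
)
# dyld's failure text: dlopen(<path>; <mode>): image not found
DLOPEN_FAIL = re.compile(r"dlopen\((?P<path>[^;]+); \d+\): image not found")


@dataclass
class LogRecord:
    version: str
    pid: int
    timestamp: str
    level: str
    message: str


def parse_toolbox_log(text: str) -> List[LogRecord]:
    """Return the structured log lines, skipping the '======' banner and header."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(LogRecord(m["version"], int(m["pid"]), m["ts"],
                                     m["level"], m["msg"]))
    return records


def dlopen_failures(stderr: str) -> List[str]:
    """Paths that dyld reported as 'image not found'."""
    return [m["path"] for m in DLOPEN_FAIL.finditer(stderr)]


def ran_outside_bundle(command: str) -> bool:
    """A bundled macOS executable lives at <App>.app/Contents/MacOS/<name>."""
    return "/Contents/MacOS/" not in command


def assess_run(runtime: Dict, log_text: str) -> Dict:
    """Summarise whether the sample ran or aborted while loading libraries."""
    missing = dlopen_failures(runtime["stderr"])
    records = parse_toolbox_log(log_text)
    cef_failed = any("Can not load libcef_wrapper" in r.message for r in records)
    aborted = runtime["exit_code"] != 0 and (missing or cef_failed)
    return {
        "exit_code": runtime["exit_code"],
        "killed": runtime["killed"],
        "ran_outside_bundle": ran_outside_bundle(runtime["command"]),
        "missing_images": missing,
        "log_lines": len(records),
        "cef_load_failed": bool(cef_failed),
        "verdict": "aborted-at-load" if aborted else "ran",
    }


if __name__ == "__main__":
    for key, value in assess_run(RUNTIME, TOOLBOX_LOG).items():
        print(f"{key}: {value}")
```

For this report the script returns verdict aborted-at-load with ran_outside_bundle true, which is the signal to re-submit the whole .app rather than the bare executable.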
Static File Info
General
File type: Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>
Entropy (8bit): 5.862814325252487
TrID: Mac OS X Mach-O 64bit Intel executable (20004/1) 100.00%
File name: jetbrains-toolbox
File size: 10149776
MD5: 4650b54b3ec8085cb599c7a8bd6c7501
SHA1: 2b9318975b9e5626390e8994be0c6dee09e4eea9
SHA256: f1a93cf94ae4e62eaa00566169aadf60ad2661a958a52a696c656a0b719899f2
SHA512: b0903873398ce65d87855085e1e9a10cd9c7d911785601c98dcbbb03d69c27fb6804e6a728c6217b8a56288aa4ce18ecab137a603a876a4edde6cb860f254fb7
SSDEEP: 98304:8NZ5iRN4mt6a8Ng9JHxbgfrAMDuHgOc96W+TGsG+0Gs:uLf5aH
File Content Preview: Mach-O header followed by the __PAGEZERO and __TEXT segments (__text section); the remaining preview bytes are non-printable and are omitted here.
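The flags line above is the raw mach_header_64 flags word decoded by the report. Decoding it yourself is a quick way to confirm the hardening properties that matter (PIE present, no executable-stack flag) and to spot a header that does not match the file type claimed. The script below is an added example, not Joe Sandbox code; the 32-byte header it parses is constructed to carry the magic, CPU type and flags shown in this report and is not the real jetbrains-toolbox file, and the flag bit values are the ones defined in <mach-o/loader.h>.

```python
"""Decode Mach-O 64-bit header flags and byte entropy as shown in a sandbox
report's Static File Info.  Added example, not Joe Sandbox code.  SAMPLE_HEADER
is constructed to match the report's magic/cputype/flags; it is not the real
sample.  Flag bit values are from <mach-o/loader.h>."""
import math
import struct
from collections import Counter
from typing import Dict, List

MH_MAGIC_64 = 0xFEEDFACF        # little-endian 64-bit Mach-O (bytes CF FA ED FE)
CPU_TYPE_X86_64 = 0x01000007
MH_EXECUTE = 0x2

MH_FLAGS = {                    # subset of mach_header_64.flags bits
    0x000001: "NOUNDEFS",
    0x000004: "DYLDLINK",
    0x000080: "TWOLEVEL",
    0x008000: "WEAK_DEFINES",
    0x010000: "BINDS_TO_WEAK",
    0x020000: "ALLOW_STACK_EXECUTION",
    0x200000: "PIE",
    0x1000000: "NO_HEAP_EXECUTION",
}
MH_PIE = 0x200000
MH_ALLOW_STACK_EXECUTION = 0x020000


def parse_header(blob: bytes) -> Dict:
    """Unpack mach_header_64 (8 x uint32) and name the flag bits that are set."""
    if len(blob) < 32:
        raise ValueError("too short for mach_header_64")
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, _ = \
        struct.unpack("<8I", blob[:32])
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (magic 0x%08x)" % magic)
    return {
        "cputype": cputype, "cpusubtype": cpusubtype, "filetype": filetype,
        "ncmds": ncmds, "sizeofcmds": sizeofcmds, "flags": flags,
        "flag_names": [n for bit, n in sorted(MH_FLAGS.items()) if flags & bit],
    }


def report_flag_string(flags: int) -> str:
    """Render flags the way the report prints them: <A|B|C>."""
    return "<" + "|".join(n for bit, n in sorted(MH_FLAGS.items()) if flags & bit) + ">"


def hardening_issues(flags: int) -> List[str]:
    """Header-level hardening checks a reviewer would want flagged."""
    issues = []
    if not flags & MH_PIE:
        issues.append("not PIE: fixed load address weakens ASLR")
    if flags & MH_ALLOW_STACK_EXECUTION:
        issues.append("ALLOW_STACK_EXECUTION set: stack is executable")
    return issues


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); the report's 'Entropy (8bit')."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Flags word reconstructed from the report's flags line.
REPORT_FLAGS = 0x1 | 0x4 | 0x80 | 0x8000 | 0x10000 | MH_PIE
# Constructed header: magic, cputype, cpusubtype (X86_64_ALL|LIB64), filetype,
# ncmds, sizeofcmds, flags, reserved.  Not the real file.
SAMPLE_HEADER = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 0x80000003,
                            MH_EXECUTE, 0, 0, REPORT_FLAGS, 0)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_HEADER)
    print("flags:" + report_flag_string(hdr["flags"]))
    print("issues:", hardening_issues(hdr["flags"]) or "none")
    print("entropy of header bytes: %.3f" % shannon_entropy(SAMPLE_HEADER))
```

To run it against a real binary, read the first 32 bytes of the file into parse_header and the whole file into shannon_entropy; a value near 7.9 or above on a Mach-O that is not expected to be packed or encrypted is worth a second look, whereas the 5.86 reported here is ordinary for native code with embedded resources.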
Network Behavior
Network Port Distribution
Total Packets: 3 • 53 (DNS) • 80 (HTTP)
TCP Packets
UDP Packets
System Behavior
Analysis Process: mono-sgen32 PID: 570 Parent PID: 493
General
Start time: 19:02:41
Start date: 18/12/2020
Path: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments: n/a
File size: 3722408 bytes
MD5 hash: 8910349f44a940d8d79318367855b236

Analysis Process: jetbrains-toolbox PID: 570 Parent PID: 493
General
Start time: 19:02:41
Start date: 18/12/2020
Path: /Users/berri/Desktop/jetbrains-toolbox
Arguments: /Users/berri/Desktop/jetbrains-toolbox
File size: 10149776 bytes
MD5 hash: 4650b54b3ec8085cb599c7a8bd6c7501

Both entries share PID 570 and parent PID 493. The Startup section records mono-sgen32 forking PID 570, which then runs jetbrains-toolbox, so the two entries describe one process image before and after it was replaced by the sample, not two concurrent processes.
File Activities
File Created
File Read
File Written
Directory Enumerated
Directory Created
Copyright Joe Security LLC 2020