Automated Malware Analysis Report For

Automated Malware Analysis Report For

ID: 568 Sample Name: TheUnarchiver.dmg Cookbook: defaultmacfilecookbook.jbs Time: 11:00:53 Date: 13/04/2021 Version: 31.0.0 Emerald Table of Contents Table of Contents 2 Analysis Report TheUnarchiver.dmg 4 Overview 4 General Information 4 Detection 4 Signatures 4 Classification 4 Startup 4 Yara Overview 4 Signature Overview 4 Mitre Att&ck Matrix 5 Behavior Graph 5 Screenshots 5 Thumbnails 5 Antivirus, Machine Learning and Genetic Malware Detection 6 Initial Sample 6 Dropped Files 6 Domains 6 URLs 6 Domains and IPs 7 Contacted Domains 7 URLs from Memory and Binaries 7 Contacted IPs 7 Public 7 General Information 7 Joe Sandbox View / Context 8 IPs 8 Domains 8 ASN 8 JA3 Fingerprints 9 Dropped Files 9 Runtime Messages 9 Created / dropped Files 9 Static File Info 11 General 11 Network Behavior 11 Network Port Distribution 11 TCP Packets 12 UDP Packets 12 DNS Queries 12 DNS Answers 12 HTTPS Packets 12 System Behavior 12 Analysis Process: xpcproxy PID: 582 Parent PID: 1 12 General 13 File Activities 13 File Read 13 Directory Created 13 Analysis Process: The Unarchiver PID: 582 Parent PID: 1 13 General 13 File Activities 13 File Created 13 File Deleted 13 File Read 13 File Written 13 File Moved 13 Directory Enumerated 13 Directory Attributes Enumerated Bulk 13 Directory Created 13 Permission Modified 13 Copyright Joe Security LLC 2021 Page 2 of 14 Analysis Process: defaults PID: 584 Parent PID: 582 13 General 13 File Activities 13 File Created 14 File Read 14 File Written 14 File Moved 14 Directory Enumerated 14 Copyright Joe Security LLC 2021 Page 3 of 14 Analysis Report TheUnarchiver.dmg Overview General Information Detection Signatures Classification Sample TheUnarchiver.dmg Name: EExxeeccuuttteess ttthhee """ddeefffaauullltttss""" ccoommaanndd uu… Analysis ID: 568 RERexeeaacddusst ehhsaa rrrtdhdwew aa"rdrreee frrraeeulllaalttttsee"dd c ssoyymsscmctttllal vvnaadlllu uueess MD5: dabcf8ecfbd8382… RReeaaddss llhlaaauurnndccwhhassreerrr vvrieiiccleaestse pdpll liiissyttt sfffiicillleetls svalues Ransomware SHA1: be80f3fdcd6cb5d… Miner Spreading RReeaaddss ttlthaheue n sscyyhsssccetttllrl vssiaacffefees b bpooloiosttt vvfiaalellluusee (((pprrr… SHA256: 92c4ccf6b952ca4… mmaallliiiccciiioouusss RReeaaddss ttthhee ssyyssttcteetml sssa fOeS Sb orrreoelltlee vaaassleue e aa n(npddr///… malicious Evader Phishing Infos: sssuusssppiiiccciiioouusss suspicious RReeaaddss ttthhee ssyyssttteemss hOhooSss tttrnneaalemaeese and/ RReeaaddss tthhee ssyysstteemss hhoossttnnaamee cccllleeaann Most interesting Screenshot: clean URUseseaesds sCC tFFhNNee estttywwsooterrrkkm bbsuu hnnoddsllleetn ccaoomnnetttaaiiinniiinngg iii… Exploiter Banker Uses CFNetwork bundle containing i Spyware Trojan / Bot Adware Score: 3 Range: 0 - 100 Whitelisted: false Startup System is macvm-highsierra xpcproxy New Fork (PID: 582, Parent: 1) The Unarchiver (MD5: 1dca9cb2696011a7b13ffa6b9932affe) Arguments: /Volumes/The Unarchiver/The Unarchiver.app/Contents/MacOS/The Unarchiver defaults New Fork (PID: 584, Parent: 582) cleanup Yara Overview No yara matches Signature Overview • Compliance • Networking • System Summary • Persistence and Installation Behavior • Malware Analysis System Evasion • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection • Lowering of HIPS / PFW / Operating System Security Settings Click to jump to signature section Copyright Joe Security LLC 2021 Page 4 of 14 There are no malicious signatures, click here to show all signatures . Mitre Att&ck Matrix Command Remote Initial Privilege Defense Credential Lateral and Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Effects Effects Impact Valid Windows Plist Plist Direct OS Security Remote Data from Exfiltration Encrypted Eavesdrop on Remotely Modify Accounts Management Modification 1 Modification 1 Volume Credential Software Services Local Over Other Channel 1 Insecure Track Device System Instrumentation Access Dumping Discovery 1 System Network Network Without Partition Medium Communication Authorization Default Scheduled Boot or Logon Boot or Logon Rootkit LSASS System Remote Data from Exfiltration Non- Exploit SS7 to Remotely Device Accounts Task/Job Initialization Initialization Memory Information Desktop Removable Over Application Redirect Phone Wipe Data Lockout Scripts Scripts Discovery 5 1 Protocol Media Bluetooth Layer Calls/SMS Without Protocol 1 Authorization Domain At (Linux) Logon Script Logon Script Obfuscated Security Query Registry SMB/Windows Data from Automated Application Exploit SS7 to Obtain Delete Accounts (Windows) (Windows) Files or Account Admin Shares Network Exfiltration Layer Track Device Device Device Information Manager Shared Protocol 2 Location Cloud Data Drive Backups Behavior Graph Hide Legend Legend: Process Behavior Graph Signature ID: 568 Created File Sample: TheUnarchiver.dmg DNS/IP Info Startdate: 13/04/2021 Is Dropped Architecture: MAC Number of created Files Score: 3 Shell Is malicious Internet 104.76.200.212, 49248, 80 17.171.27.65, 443, 49238 HINETDataCommunicationBusinessGroupTW APPLE-ENGINEERINGUS 2 other IPs or domains started United States United States xpcproxy The Unarchiver 4 started defaults 1 Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2021 Page 5 of 14 Antivirus, Machine Learning and Genetic Malware Detection Initial Sample Source Detection Scanner Label Link TheUnarchiver.dmg 0% Virustotal Browse TheUnarchiver.dmg 0% ReversingLabs Dropped Files No Antivirus matches Domains No Antivirus matches URLs Source Detection Scanner Label Link https://app.hello.devmate.com/reportPOSTHTTP_Tracking_Sender: 0% Avira URL Cloud safe https://updates.devmate.com/% 0% Avira URL Cloud safe https://issues.devmate.com/reportreportTypeTQ 0% Avira URL Cloud safe https://feedbacks.devmate.com/reportTQ 0% Avira URL Cloud safe www.andymatuschak.org/xml-namespaces/sparkle- 0% Avira URL Cloud safe Copyright Joe Security LLC 2021 Page 6 of 14 Source Detection Scanner Label Link https://sparkle-project.org/documentation/app-transport-security/WARNING: 0% Avira URL Cloud safe www.aladdinsys.com/StuffIt/ 0% Avira URL Cloud safe https://feedbacks.devmate.com/report 0% Avira URL Cloud safe https://sparkle-project.org/documentation/app-transport-security/ 0% Avira URL Cloud safe https://devmate.io/gostore 0% Avira URL Cloud safe https://app.hello.devmate.com/report 0% Avira URL Cloud safe www.andymatuschak.org/xml-namespaces/sparkle 0% Avira URL Cloud safe https://issues.devmate.com/report 0% Avira URL Cloud safe Domains and IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation cdn.theunarchiver.com 13.225.87.113 true false high URLs from Memory and Binaries Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Domain Country Flag ASN ASN Name Malicious 17.253.57.204 unknown United States 6185 APPLE-AUSTINUS false 17.171.27.65 unknown United States 714 APPLE-ENGINEERINGUS false 13.225.87.113 cdn.theunarchiver.com United States 16509 AMAZON-02US false 104.76.200.212 unknown United States 3462 HINETDataCommunicationB false usinessGroupTW General Information Copyright Joe Security LLC 2021 Page 7 of 14 Joe Sandbox Version: 31.0.0 Emerald Analysis ID: 568 Start date: 13.04.2021 Start time: 11:00:53 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 8m 47s Hypervisor based Inspection enabled: false Report type: light Sample file name: TheUnarchiver.dmg Cookbook file name: defaultmacfilecookbook.jbs Analysis system description: Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099) Analysis Mode: default Detection: CLEAN Classification: clean3.macDMG@0/5@1/0 Warnings: Show All Joe Sandbox View / Context IPs Match Associated Sample Name / URL SHA 256 Detection Link Context 13.225.87.113 https://navyfederal-org.uc.r.appspot.com Get hash malicious Browse 104.76.200.212 Player.app.zip Get hash malicious Browse SkilledRecord.dp Get hash malicious Browse SkilledRecorddd Get hash malicious Browse main Get hash malicious Browse Installer.8SO9iCo3 Get hash malicious Browse AdobeFlashPlayer.dmg Get hash malicious Browse sogou_mac_601a.app.zip Get hash malicious Browse Bytecode-Viewer-2.9.22.jar Get hash malicious Browse fonedog-powermymac.dmg Get hash malicious Browse AdobeFlashPlayerInstaller.dmg Get hash malicious Browse AdobeFlashPlayerInstaller.dmg Get hash malicious Browse AdobeFlashPlayer.dmg Get hash malicious Browse d6bc1dc7da4ed54a62b93b5d0f1cc40c.swf.swf Get hash malicious Browse diskdrill.dmg Get hash malicious Browse Domains No context ASN Match Associated Sample Name / URL SHA 256 Detection Link Context AMAZON-02US ntpxrxZCfL.exe Get hash malicious Browse 3.13.255.157 Ug6Q3IejBj.exe Get hash malicious Browse 52.84.150.39 OrSxEMsYDA.exe Get hash malicious Browse 3.13.255.157 Shipping-Documents.xlsx Get hash malicious Browse 52.59.165.42 shipping documents. CI PL.xlsx Get hash malicious Browse 52.59.165.42 Original Invoice-COAU7229898130.xlsx Get hash malicious Browse 18.184.197.212 NEW ORDER.xlsx Get hash malicious Browse 18.184.197.212 INV#609-005.PDF.exe Get hash malicious Browse 52.221.6.123 swift note.xlsx Get hash malicious Browse 52.59.165.42 RFQ3936.xlsx Get hash malicious Browse 52.59.165.42 Invoice-SRP0047459188e.xlsx Get hash malicious Browse 52.59.165.42 BANKINV28032021VBNSINO.xlsx Get hash malicious Browse 52.59.165.42 tmkfdBpwAx.exe Get

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    14 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us