Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 18.0.0 |
Analysis ID: | 32821 |
Start time: | 14:51:16 |
Joe Sandbox Product: | Cloud |
Start date: | 07.02.2017 |
Overall analysis duration: | 0h 9m 35s |
Report type: | full |
Sample file name: | 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c.app |
Cookbook file name: | default.jbs |
Analysis system description: | Mac Mini, El Capitan 10.11.6 (Java 1.8.0_25) |
Detection: | MAL |
Classification: | mal60.spyw.troj.macAPP@0/4@0/0 |
Detection |
---|
Strategy | Score | Range |
---|---|---|
Threshold | 60 | 0 - 100 |
Classification |
---|
Signature Overview |
---|
Networking: |
---|
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: |
Reads from file descriptors related to (network) sockets |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Reads from socket in process: |
Writes from file descriptors related to (network) sockets |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Writes from socket in process: |
Detected TCP or UDP traffic on non-standard ports |
Source: global traffic | TCP traffic: |
Stealing of Sensitive Information: |
---|
Executes the "uname" command used to read OS and architecture name |
Source: /bin/sh (PID: 533) | Uname executable: |
Enumerates the installed applications |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Application directory enumerated: |
Executes the "dscl" command with authonly argument (probably to verify the login password) |
Source: /bin/sh (PID: 531) | Security executable: |
Executes the "ifconfig" command used to gather network information |
Source: /bin/sh (PID: 535) | Ifconfig executable: |
Executes the "security" command used to access the keychain |
Source: /bin/sh (PID: 534) | Security executable: |
Persistence and Installation Behavior: |
---|
Reads data from the local random generator |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Random device file read: |
Uses AppleKeyboardLayouts bundle containing keyboard layouts |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | AppleKeyboardLayouts info plist opened: |
Executes commands using a shell command-line interpreter |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 530) | Shell command executed: |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 533) | Shell command executed: |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 534) | Shell command executed: |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 535) | Shell command executed: |
Executes the "grep" command used to find patterns in files or piped streams |
Source: /bin/sh (PID: 532) | Grep executable: |
Reads launchservices plist files |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Launchservices plist file read: |
Reads user launchservices plist file containing default apps for corresponding filetypes |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Preferences launchservices plist file read: |
Uses AppleScript framework/components containing Apple Script related functionalities |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | AppleScript framework/component info plist opened: |
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | AppleScript scripting addition info plist opened: |
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour) |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | CFNetwork info plist opened: |
System Summary: |
---|
Classification label |
Source: classification engine | Classification label: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode) |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl read request: |
Language, Device and Operating System Detection: |
---|
Reads the system or server version plist file |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | System or server version plist file read: |
Reads hardware related sysctl values |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl read request: |
Reads the kernel OS version value |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl read request: |
Reads the system's OS release and/or type |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl requested: |
Source: /usr/bin/uname (PID: 533) | Sysctl requested: |
Reads the system's hostname |
Source: /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl requested: |
Source: /bin/sh (PID: 530) | Sysctl requested: |
Source: /bin/sh (PID: 533) | Sysctl requested: |
Source: /usr/bin/uname (PID: 533) | Sysctl requested: |
Source: /bin/sh (PID: 534) | Sysctl requested: |
Source: /bin/sh (PID: 535) | Sysctl requested: |
Runtime Messages |
---|
Command: | open |
Exitcode: | 0 |
Killed: | False |
Standard Output: |
Standard Error: |
Yara Overview |
---|
No Yara matches |
---|
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted IPs |
---|
IP | Country | ASN | ASN Name |
---|---|---|---|
17.253.54.125 | United States | 6185 | AppleInc |
224.0.0.251 | Reserved | 2541 | JumpManagementSRL |
46.17.97.37 | Russian Federation | 57043 | HOSTKEYBV |
8.8.4.4 | United States | 15169 | GoogleInc |
Static File Info |
---|
General |
---|
File type: |
TrID: |
File name: | 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c.app |
File size: | 238118 |
MD5: | 787d664e842961f2a335139407f91a70 |
SHA1: | a323168f95d1a1c65186888c6dd16cd2f9f8539a |
SHA256: | 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c |
SHA512: | 2f211e76588c59fcfb5156be1615f1eddf272db8ced149683faaeae9c5d222b721fbe04921a95ca47546c48e6ecb65448651e5b77c1393537c2a1b3fc3a77ecc |
File Content Preview: | PK..........5J................addone flashplayer.app/PK..........5J............ ...addone flashplayer.app/Contents/PK........p..I3..U........*...addone flashplayer.app/Contents/Info.plist...r.0....S..[.3.I:.L..6S ..........,y$.p....'.L.!.wz('....k......GK |
Static Mach Info |
---|
General Information for header0 |
---|
Endian: |
Size: |
Architecture: |
Filetype: |
Nbr. of load commands: | 20 |
segment_command_64 |
---|
Name | Value | |
---|---|---|
segname | __PAGEZERO | |
fileoff | 0 | |
maxprot | 0 | |
vmsize | 4294967296 | |
nsects | 0 | |
flags | 0 | |
filesize | 0 | |
vmaddr | 0 | |
initprot | 0 |
segment_command_64 |
---|
Name | Value | |
---|---|---|
segname | __TEXT | |
fileoff | 0 | |
maxprot | 7 | |
vmsize | 172032 | |
nsects | 10 | |
flags | 0 | |
filesize | 172032 | |
vmaddr | 4294967296 | |
initprot | 5 | |
Datas |
---|
sectname | segname | addr | offset | size | align | flags | reloff | nreloc | reserved1 | reserved2 | reserved3 |
---|---|---|---|---|---|---|---|---|---|---|---|
__text | __TEXT | 4294972672 | 5376 | 113268 | 4 | 2147484672 | 0 | 0 | 0 | 0 | 0 |
__stubs | __TEXT | 4295085940 | 118644 | 540 | 1 | 2147484680 | 0 | 0 | 0 | 6 | 0 |
__stub_helper | __TEXT | 4295086480 | 119184 | 916 | 2 | 2147484672 | 0 | 0 | 0 | 0 | 0 |
__objc_methname | __TEXT | 4295087396 | 120100 | 5029 | 0 | 2 | 0 | 0 | 0 | 0 | 0 |
__cstring | __TEXT | 4295092432 | 125136 | 25535 | 4 | 2 | 0 | 0 | 0 | 0 | 0 |
__objc_classname | __TEXT | 4295117967 | 150671 | 196 | 0 | 2 | 0 | 0 | 0 | 0 | 0 |
__objc_methtype | __TEXT | 4295118163 | 150867 | 1268 | 0 | 2 | 0 | 0 | 0 | 0 | 0 |
__const | __TEXT | 4295119440 | 152144 | 17520 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
__unwind_info | __TEXT | 4295136960 | 169664 | 1192 | 2 | 0 | 0 | 0 | 0 | 0 | 0 |
__eh_frame | __TEXT | 4295138152 | 170856 | 1176 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
segment_command_64 |
---|
Name | Value | |
---|---|---|
segname | __DATA | |
fileoff | 172032 | |
maxprot | 7 | |
vmsize | 61440 | |
nsects | 20 | |
flags | 0 | |
filesize | 53248 | |
vmaddr | 4295139328 | |
initprot | 3 | |
Datas |
---|
sectname | segname | addr | offset | size | align | flags | reloff | nreloc | reserved1 | reserved2 | reserved3 |
---|---|---|---|---|---|---|---|---|---|---|---|
__nl_symbol_ptr | __DATA | 4295139328 | 172032 | 16 | 3 | 6 | 0 | 0 | 90 | 0 | 0 |
__got | __DATA | 4295139344 | 172048 | 192 | 3 | 6 | 0 | 0 | 92 | 0 | 0 |
__la_symbol_ptr | __DATA | 4295139536 | 172240 | 720 | 3 | 7 | 0 | 0 | 116 | 0 | 0 |
__mod_init_func | __DATA | 4295140256 | 172960 | 8 | 3 | 9 | 0 | 0 | 0 | 0 | 0 |
__const | __DATA | 4295140272 | 172976 | 37248 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
__cfstring | __DATA | 4295177520 | 210224 | 2112 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
__objc_classlist | __DATA | 4295179632 | 212336 | 40 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0 |
__objc_nlclslist | __DATA | 4295179672 | 212376 | 8 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0 |
__objc_protolist | __DATA | 4295179680 | 212384 | 32 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
__objc_imageinfo | __DATA | 4295179712 | 212416 | 8 | 2 | 0 | 0 | 0 | 0 | 0 | 0 |
__objc_const | __DATA | 4295179720 | 212424 | 5136 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
__objc_selrefs | __DATA | 4295184856 | 217560 | 1160 | 3 | 268435461 | 0 | 0 | 0 | 0 | 0 |
__objc_protorefs | __DATA | 4295186016 | 218720 | 16 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
__objc_classrefs | __DATA | 4295186032 | 218736 | 192 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0 |
__objc_superrefs | __DATA | 4295186224 | 218928 | 24 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0 |
__objc_ivar | __DATA | 4295186248 | 218952 | 136 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
__objc_data | __DATA | 4295186384 | 219088 | 480 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
__data | __DATA | 4295186864 | 219568 | 2056 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
__bss | __DATA | 4295188928 | 0 | 7936 | 4 | 1 | 0 | 0 | 0 | 0 | 0 |
__common | __DATA | 4295196864 | 0 | 16 | 2 | 1 | 0 | 0 | 0 | 0 | 0 |
segment_command_64 |
---|
Name | Value | |
---|---|---|
segname | __LINKEDIT | |
fileoff | 225280 | |
maxprot | 7 | |
vmsize | 65536 | |
nsects | 0 | |
flags | 0 | |
filesize | 65136 | |
vmaddr | 4295200768 | |
initprot | 1 |
dyld_info_command |
---|
Name | Value | |
---|---|---|
lazy_bind_size | 1984 | |
lazy_bind_off | 230824 | |
weak_bind_size | 0 | |
rebase_size | 3864 | |
export_off | 232808 | |
export_size | 6744 | |
bind_off | 229144 | |
rebase_off | 225280 | |
bind_size | 1680 | |
weak_bind_off | 0 |
symtab_command |
---|
Name | Value | |
---|---|---|
strsize | 27944 | |
symoff | 240304 | |
stroff | 262472 | |
nsyms | 1334 |
dysymtab_command |
---|
Name | Value | |
---|---|---|
extreloff | 0 | |
nlocrel | 0 | |
indirectsymoff | 261648 | |
modtaboff | 0 | |
nextrel | 0 | |
iundefsym | 1199 | |
nmodtab | 0 | |
ilocalsym | 0 | |
nundefsym | 135 | |
nextrefsyms | 0 | |
locreloff | 0 | |
ntoc | 0 | |
nlocalsym | 854 | |
tocoff | 0 | |
extrefsymoff | 0 | |
nindirectsyms | 206 | |
iextdefsym | 854 | |
nextdefsym | 345 |
dylinker_command |
---|
Name | Value | |
---|---|---|
name | 12 | |
Data | /usr/lib/dyld |
uuid_command |
---|
Name | Value | |
---|---|---|
uuid | 3ae7704b3c19329fa4517c61564647a2 |
version_min_command |
---|
Name | Value | |
---|---|---|
version | 657664 | |
reserved | 658432 |
source_version_command |
---|
Name | Value | |
---|---|---|
version | 0 |
entry_point_command |
---|
Name | Value | |
---|---|---|
stacksize | 0 | |
entryoff | 29776 |
dylib_command |
---|
Name | Value | |
---|---|---|
compatibility_version | 0.1.0 | |
timestamp | Thu Jan 01 01:00:02 1970 | |
name | 24 | |
current_version | 0.22.0 | |
Data | /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa |
dylib_command |
---|
Name | Value | |
---|---|---|
compatibility_version | 0.44.1 | |
timestamp | Thu Jan 01 01:00:02 1970 | |
name | 24 | |
current_version | 0.69.5 | |
Data | /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation |
dylib_command |
---|
Name | Value | |
---|---|---|
compatibility_version | 0.1.0 | |
timestamp | Thu Jan 01 01:00:02 1970 | |
name | 24 | |
current_version | 0.228.0 | |
Data | /usr/lib/libobjc.A.dylib |
dylib_command |
---|
Name | Value | |
---|---|---|
compatibility_version | 0.1.0 | |
timestamp | Thu Jan 01 01:00:02 1970 | |
name | 24 | |
current_version | 0.214.4 | |
Data | /usr/lib/libSystem.B.dylib |
dylib_command |
---|
Name | Value | |
---|---|---|
compatibility_version | 0.45.0 | |
timestamp | Thu Jan 01 01:00:02 1970 | |
name | 24 | |
current_version | 15104.224.5 | |
Data | /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit |
dylib_command |
---|
Name | Value | |
---|---|---|
compatibility_version | 0.150.0 | |
timestamp | Thu Jan 01 01:00:02 1970 | |
name | 24 | |
current_version | 3840.68.5 | |
Data | /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation |
linkedit_data_command |
---|
Name | Value | |
---|---|---|
dataoff | 239552 | |
datassize | 752 |
linkedit_data_command |
---|
Name | Value | |
---|---|---|
dataoff | 240304 | |
datassize | 0 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 7, 2017 14:52:02.805604935 MEZ | 50395 | 53 | 192.168.0.50 | 8.8.4.4 |
Feb 7, 2017 14:52:02.937772989 MEZ | 53 | 50395 | 8.8.4.4 | 192.168.0.50 |
Feb 7, 2017 14:52:05.046710968 MEZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251 |
Feb 7, 2017 14:52:05.278057098 MEZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251 |
Feb 7, 2017 14:52:05.738709927 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
Feb 7, 2017 14:52:05.738769054 MEZ | 80 | 49205 | 46.17.97.37 | 192.168.0.50 |
Feb 7, 2017 14:52:05.739032030 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
Feb 7, 2017 14:52:05.770603895 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
Feb 7, 2017 14:52:05.770622969 MEZ | 80 | 49205 | 46.17.97.37 | 192.168.0.50 |
Feb 7, 2017 14:52:10.722229004 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
Feb 7, 2017 14:52:10.722454071 MEZ | 80 | 49205 | 46.17.97.37 | 192.168.0.50 |
Feb 7, 2017 14:52:10.722703934 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
Feb 7, 2017 14:52:45.606662035 MEZ | 123 | 123 | 192.168.0.50 | 17.253.54.125 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 7, 2017 14:52:02.805604935 MEZ | 50395 | 53 | 192.168.0.50 | 8.8.4.4 |
Feb 7, 2017 14:52:02.937772989 MEZ | 53 | 50395 | 8.8.4.4 | 192.168.0.50 |
Feb 7, 2017 14:52:05.046710968 MEZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251 |
Feb 7, 2017 14:52:05.278057098 MEZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251 |
Feb 7, 2017 14:52:45.606662035 MEZ | 123 | 123 | 192.168.0.50 | 17.253.54.125 |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB) |
---|---|---|---|---|---|---|
Feb 7, 2017 14:52:05.770603895 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 | | 32 |
System Behavior |
---|
General |
---|
Start time: | 14:51:47 |
Start date: | 07/02/2017 |
Path: | /usr/libexec/xpcproxy |
File size: | 42656 bytes |
MD5 hash: | d68b4c6f2056c73e1d3bd228bcd6d4ff |
General |
---|
Start time: | 14:51:47 |
Start date: | 07/02/2017 |
Path: | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool |
File size: | 290416 bytes |
MD5 hash: | f8e4cab429263406fbf11b41fd539839 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool |
File size: | 290416 bytes |
MD5 hash: | f8e4cab429263406fbf11b41fd539839 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /bin/sh |
File size: | 632672 bytes |
MD5 hash: | 2cc3c26641112c1bd0173f396b7d7662 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /bin/sh |
File size: | 632672 bytes |
MD5 hash: | 2cc3c26641112c1bd0173f396b7d7662 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /usr/bin/dscl |
File size: | 197760 bytes |
MD5 hash: | 492456daec08a84883daad0b84b7b6ee |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /bin/sh |
File size: | 632672 bytes |
MD5 hash: | 2cc3c26641112c1bd0173f396b7d7662 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /usr/bin/grep |
File size: | 33712 bytes |
MD5 hash: | f7fe9c4af9294f2949377a12244b3d60 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool |
File size: | 290416 bytes |
MD5 hash: | f8e4cab429263406fbf11b41fd539839 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /bin/sh |
File size: | 632672 bytes |
MD5 hash: | 2cc3c26641112c1bd0173f396b7d7662 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /usr/bin/uname |
File size: | 18320 bytes |
MD5 hash: | 78f4785c0c51531f1c01d4161c96563f |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool |
File size: | 290416 bytes |
MD5 hash: | f8e4cab429263406fbf11b41fd539839 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /bin/sh |
File size: | 632672 bytes |
MD5 hash: | 2cc3c26641112c1bd0173f396b7d7662 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /usr/bin/security |
File size: | 234560 bytes |
MD5 hash: | 6323b6bd0865d2300eb65a512f8c560c |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool |
File size: | 290416 bytes |
MD5 hash: | f8e4cab429263406fbf11b41fd539839 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /bin/sh |
File size: | 632672 bytes |
MD5 hash: | 2cc3c26641112c1bd0173f396b7d7662 |
General |
---|
Start time: | 14:52:04 |
Start date: | 07/02/2017 |
Path: | /sbin/ifconfig |
File size: | 67232 bytes |
MD5 hash: | 07379e226dcd8ec0ab80c577c1bf8325 |