
Analysis Report

Overview

General Information

Joe Sandbox Version: 19.0.0
Analysis ID: 37008
Start time: 09:40:01
Joe Sandbox Product: Cloud
Start date: 03.05.2017
Overall analysis duration: 0h 9m 40s
Report type: full
Sample file name: 54ee71f6ad1f91a6f162bd5712d1a2e3d3111c352a0f52db630dcb4638101938.zip
Cookbook file name: default.jbs
Analysis system description: Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_25)
Detection: MAL
Classification: mal72.troj.evad.macZIP@0/18@0/0


Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 72 | 0 - 100 | Report FP / FN | malicious


Signature Overview


Networking:

Writes from file descriptors related to (network) sockets
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 594) | Writes from socket in process:
Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic | TCP traffic: 192.168.0.50:49327 -> 185.68.93.74:4545

System Summary:

Classification label
  • Source: classification engine | Classification label: mal72.troj.evad.macZIP@0/18@0/0
Writes Python scripts without typical Python file extensions
  • Source: /usr/bin/base64 (PID: 586) | Python file created: /private/tmp/AppStore
Submitted sample is a known malware sample
  • Source: MD5 0e48346ebd57b1b6dbaa0bbad4d579dc | Submitted blacklisted sample: Spyware Dok.B

Persistence and Installation Behavior:

Executes the "PlistBuddy" command used to read and write values to plists
  • Source: /bin/sh (PID: 599) | Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Reads data from the local random generator
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Random device file read: /dev/random
  • Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590) | Random device file read: /dev/urandom
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 594) | Random device file read: /dev/urandom
Submitted sample is a bundle that is signed
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | CodeSignature CodeResources file read: /Users/vreni/Desktop/unpack/Dokument.app/Contents/_CodeSignature/CodeResources
Uses AppleKeyboardLayouts bundle containing keyboard layouts
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses the Python framework
  • Source: /Library/Frameworks/Python.framework/Versions/2.7/bin/python (PID: 590) | Python framework application: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
  • Source: /usr/bin/python (PID: 594) | Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes log files to disk
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | Log file created: /private/tmp/loader.log
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Log file created: /private/tmp/loader.log
Writes property list (.plist) files to disk
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | XML plist file created: /Users/Shared/AppStore.app/Contents/_CodeSignature/CodeResources
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | XML plist file created: /Users/Shared/AppStore.app/Contents/Info.plist
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | Binary plist file created: /Users/Shared/AppStore.app/Contents/Resources/Base.lproj/MainMenu.nib
  • Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590) | XML plist file created: /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist
Changes permissions of written Mach-O files
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | Permissions modified for written 64-bit Mach-O /Users/Shared/AppStore.app/Contents/MacOS/AppStore: bits: - usr: rx grp: rx all: rwx
Creates hidden files, links and/or directories
  • Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590) | Hidden directory created: /Users/vreni/Library/Containers/.bella/ -> /Users/vreni/Library/Containers/.bella/
Creates launch services that start periodically
  • Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590) | Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file created: /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist
Executes commands using a shell command-line interpreter
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | Shell command executed: /bin/bash -c chmod +x /Users/Shared/AppStore.app
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | Shell command executed: /bin/bash -c sleep 5 && rm -fR '/Users/vreni/Downloads/Dokument.app' && '/Users/Shared/AppStore.app/Contents/MacOS/AppStore' Dokument
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Shell command executed: /bin/bash -c base64 -i /tmp/tmp123 -o /tmp/AppStore -D
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Shell command executed: /bin/bash -c chmod +x /tmp/AppStore && rm -f /tmp/tmp123
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Shell command executed: /bin/bash -c /tmp/AppStore
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Shell command executed: /bin/bash -c sleep 5 && rm -fR '/Users/Shared/AppStore.app'
  • Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 591) | Shell command executed: /bin/sh -c scutil --get LocalHostName
  • Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 592) | Shell command executed: /bin/sh -c launchctl load -w /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 598) | Shell command executed: /bin/sh -c scutil --get LocalHostName
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 599) | Shell command executed: /bin/sh -c sysctl hw.model
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 600) | Shell command executed: /bin/sh -c /usr/libexec/PlistBuddy -c 'Print :'Macmini6,1'' /System/Library/PrivateFrameworks/ServerInformation.framework/Versions/A/Resources/English.lproj/SIMachineAttributes.plist | grep marketingModel
Executes the "chmod" command used to modify permissions
  • Source: /bin/bash (PID: 572) | Chmod executable: /bin/chmod -> chmod +x /Users/Shared/AppStore.app
  • Source: /bin/bash (PID: 588) | Chmod executable: /bin/chmod -> chmod +x /tmp/AppStore
Executes the "grep" command used to find patterns in files or piped streams
  • Source: /bin/sh (PID: 602) | Grep executable: /usr/bin/grep -> grep marketingModel
Executes the "python" command used to interpret Python scripts
  • Source: /tmp/AppStore (PID: 590) | Python executable: /Library/Frameworks/Python.framework/Versions/2.7/bin/python -> python /tmp/AppStore
  • Source: /Users/vreni/Library/Containers/.bella/Bella (PID: 594) | Python executable: /usr/bin/python -> python /Users/vreni/Library/Containers/.bella/Bella
Executes the "sysctl" command used to retrieve or modify kernel settings
  • Source: /bin/sh (PID: 599) | Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Explicitly loads/starts launch services
  • Source: /bin/sh (PID: 592) | Launch agent/daemon loaded: launchctl load -w /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist
Reads launchservices plist files
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Reads user launchservices plist file containing default apps for corresponding filetypes
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses AppleScript framework/components containing AppleScript related functionalities
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Uses AppleScript scripting additions containing additional functionalities for AppleScripts
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Writes 64-bit Mach-O files to disk
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | File written: /Users/Shared/AppStore.app/Contents/MacOS/AppStore
Writes icon files to disk
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | File written: /Users/Shared/AppStore.app/Contents/Resources/AppIcon.icns
Deletes icon files
  • Source: /bin/rm (PID: 603) | File deleted: AppIcon.icns
Executes the "rm" command used to delete files or directories
  • Source: /bin/bash (PID: 576) | Rm executable: /bin/rm -> rm -fR /Users/vreni/Downloads/Dokument.app
  • Source: /bin/bash (PID: 589) | Rm executable: /bin/rm -> rm -f /tmp/tmp123
  • Source: /bin/bash (PID: 603) | Rm executable: /bin/rm -> rm -fR /Users/Shared/AppStore.app
Executes the "scutil" command used to manage network related system configuration parameters
  • Source: /bin/sh (PID: 591) | Scutil executable: /usr/sbin/scutil -> scutil --get LocalHostName
  • Source: /bin/sh (PID: 598) | Scutil executable: /usr/sbin/scutil -> scutil --get LocalHostName
Uses sfltool in order to modify login item settings
  • Source: /System/Library/CoreServices/sharedfilelistd (PID: 578) | Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool com.apple.loginitems SessionItems
  • Source: /System/Library/CoreServices/sharedfilelistd (PID: 579) | Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool com.apple.loginitems SessionItems
  • Source: /System/Library/CoreServices/sharedfilelistd (PID: 580) | Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool save-lists com.apple.loginitems
  • Source: /System/Library/CoreServices/sharedfilelistd (PID: 595) | Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool com.apple.loginitems SessionItems
  • Source: /System/Library/CoreServices/sharedfilelistd (PID: 604) | Sfltool executed with keyword 'loginitems': /usr/bin/sfltool -> /usr/bin/sfltool save-lists com.apple.loginitems

Boot Survival:

Creates user-wide 'launchd' managed services aka launch agents
  • Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590) | Launch agent created, file created: /Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist

Hooking and other Techniques for Hiding and Protection:

Executes the "base64" command used to encode or decode data (e.g. files, payloads)
  • Source: /bin/bash (PID: 586) | Base64 executable: /usr/bin/base64 -> base64 -i /tmp/tmp123 -o /tmp/AppStore -D
Moves itself during installation or deletes itself after installation
  • Source: /bin/rm (PID: 603) | Directory deleted: /Users/Shared/AppStore.app
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 594) | File deleted: /Users/vreni/Library/Containers/.bella/bella.db-journal

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes
  • Source: /bin/bash (PID: 574) | Sleep executable: /bin/sleep -> sleep 5
  • Source: /bin/bash (PID: 597) | Sleep executable: /bin/sleep -> sleep 5

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Sysctl read request: kern.safeboot (1.66)

Language, Device and Operating System Detection:

Reads the system or server version plist file
  • Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 570) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
  • Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
  • Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 594) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Reads hardware related sysctl values
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Sysctl read request: hw.availcpu (6.25)
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Sysctl read request: hw.ncpu (6.3)
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Sysctl read request: hw.cpu_freq (6.15)
Reads the kernel OS version value
  • Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 577) | Sysctl read request: kern.osversion (1.65)
Reads the system's hostname
  • Source: /bin/bash (PID: 572) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/bash (PID: 573) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/bash (PID: 586) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/bash (PID: 587) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/bash (PID: 590) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 591) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 592) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/bash (PID: 596) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 598) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 599) | Sysctl requested: kern.hostname (1.10)
  • Source: /bin/sh (PID: 600) | Sysctl requested: kern.hostname (1.10)

Remote Access Functionality:

Installs Bella RAT
  • Source: PIDs 590 and 586 | Behaviour pattern found: /Users/vreni/Library/Containers/.bella/ and /private/tmp/AppStore created
Writes files containing IP addresses of contacted hosts (e.g. command and control server)
  • Source: global traffic and dropped files | IP 185.68.93.74 found in file: /private/tmp/AppStore


Runtime Messages

Command: open
Exit code: 0
Killed: False
Standard Output:
Standard Error:

Yara Overview

No Yara matches

Startup

  • system is mac1
  • xpcproxy (PID: 570 PPID: 1 MD5: d68b4c6f2056c73e1d3bd228bcd6d4ff)
  • AppStore (PID: 570 PPID: 1 Overlayed Process Image: xpcproxy MD5: 9f25c1a359b9dae3f2c1abba45f0566d)
    • bash (PID: 572 PPID: 570 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
    • chmod (PID: 572 PPID: 570 Overlayed Process Image: bash MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
    • bash (PID: 573 PPID: 570 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
      • bash (PID: 574 PPID: 573 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
      • sleep (PID: 574 PPID: 573 Overlayed Process Image: bash MD5: a5566195e03cbb7d5df309767a4231ae)
      • bash (PID: 576 PPID: 573 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
      • rm (PID: 576 PPID: 573 Overlayed Process Image: bash MD5: e8926d2347850b76f57a1d5f0226de8b)
      • bash (PID: 577 PPID: 573 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
      • AppStore (PID: 577 PPID: 573 Overlayed Process Image: bash MD5: 9f25c1a359b9dae3f2c1abba45f0566d)
        • bash (PID: 586 PPID: 577 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
        • base64 (PID: 586 PPID: 577 Overlayed Process Image: bash MD5: 5fd54d3cab0fc8cfa60ec8eab3049f1c)
        • bash (PID: 587 PPID: 577 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • bash (PID: 588 PPID: 587 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • chmod (PID: 588 PPID: 587 Overlayed Process Image: bash MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
          • bash (PID: 589 PPID: 587 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • rm (PID: 589 PPID: 587 Overlayed Process Image: bash MD5: e8926d2347850b76f57a1d5f0226de8b)
        • bash (PID: 590 PPID: 577 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
        • AppStore (PID: 590 PPID: 577 Overlayed Process Image: bash MD5: f2f3baf7ace5d985f0ee3c9b44f5074f)
        • python (PID: 590 PPID: 577 Overlayed Process Image: AppStore MD5: 8ec51a235078596c4b2e09b4db76e73b)
        • Python (PID: 590 PPID: 577 Overlayed Process Image: python MD5: 4d6dea37ae8536c5e20573905de9cf17)
          • Python (PID: 591 PPID: 590 MD5: 4d6dea37ae8536c5e20573905de9cf17)
          • sh (PID: 591 PPID: 590 Overlayed Process Image: Python MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • scutil (PID: 591 PPID: 590 Overlayed Process Image: sh MD5: 606425562bb70289876036542086217c)
          • Python (PID: 592 PPID: 590 MD5: 4d6dea37ae8536c5e20573905de9cf17)
          • sh (PID: 592 PPID: 590 Overlayed Process Image: Python MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • launchctl (PID: 592 PPID: 590 Overlayed Process Image: sh MD5: dbfeff92b30d89c0a04dd0fbeb40ae5e)
          • Python (PID: 593 PPID: 590 MD5: 4d6dea37ae8536c5e20573905de9cf17)
          • launchctl (PID: 593 PPID: 590 Overlayed Process Image: Python MD5: dbfeff92b30d89c0a04dd0fbeb40ae5e)
        • bash (PID: 596 PPID: 577 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • bash (PID: 597 PPID: 596 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • sleep (PID: 597 PPID: 596 Overlayed Process Image: bash MD5: a5566195e03cbb7d5df309767a4231ae)
          • bash (PID: 603 PPID: 596 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • rm (PID: 603 PPID: 596 Overlayed Process Image: bash MD5: e8926d2347850b76f57a1d5f0226de8b)
  • sfltool (PID: 578 PPID: 224 Overlayed Process Image: sharedfilelistd MD5: 0ced48308860d34b0e0b304d9033b6b7)
  • sfltool (PID: 579 PPID: 224 Overlayed Process Image: sharedfilelistd MD5: 0ced48308860d34b0e0b304d9033b6b7)
  • sfltool (PID: 580 PPID: 224 Overlayed Process Image: sharedfilelistd MD5: 0ced48308860d34b0e0b304d9033b6b7)
  • xpcproxy (PID: 594 PPID: 1 MD5: d68b4c6f2056c73e1d3bd228bcd6d4ff)
  • Bella (PID: 594 PPID: 1 Overlayed Process Image: xpcproxy MD5: f2f3baf7ace5d985f0ee3c9b44f5074f)
  • python (PID: 594 PPID: 1 Overlayed Process Image: Bella MD5: 071afc8e1e82e53c253a8ddc7dda8f75)
  • Python (PID: 594 PPID: 1 Overlayed Process Image: python MD5: f932378ef838dcd40e9b7e55e7d7b9a0)
    • Python (PID: 598 PPID: 594 MD5: f932378ef838dcd40e9b7e55e7d7b9a0)
    • sh (PID: 598 PPID: 594 Overlayed Process Image: Python MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • scutil (PID: 598 PPID: 594 Overlayed Process Image: sh MD5: 606425562bb70289876036542086217c)
    • Python (PID: 599 PPID: 594 MD5: f932378ef838dcd40e9b7e55e7d7b9a0)
    • sh (PID: 599 PPID: 594 Overlayed Process Image: Python MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • sysctl (PID: 599 PPID: 594 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
    • Python (PID: 600 PPID: 594 MD5: f932378ef838dcd40e9b7e55e7d7b9a0)
    • sh (PID: 600 PPID: 594 Overlayed Process Image: Python MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 601 PPID: 600 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • PlistBuddy (PID: 601 PPID: 600 Overlayed Process Image: sh MD5: b9c6344ae2b0607f8fc9d102e98ede82)
      • sh (PID: 602 PPID: 600 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • grep (PID: 602 PPID: 600 Overlayed Process Image: sh MD5: f7fe9c4af9294f2949377a12244b3d60)
  • sfltool (PID: 595 PPID: 224 Overlayed Process Image: sharedfilelistd MD5: 0ced48308860d34b0e0b304d9033b6b7)
  • sfltool (PID: 604 PPID: 224 Overlayed Process Image: sharedfilelistd MD5: 0ced48308860d34b0e0b304d9033b6b7)
  • cleanup

Created / dropped Files

File Path | Type and Hashes | Malicious
/Users/Shared/AppStore.app/Contents/Info.plist
  • Type: XML document text
  • MD5: 254128B15F6E55B6DC35F8645BA7D8DA
  • SHA: CCA7C130E5C3D77B97874DB404F4B07E9AB7C070
  • SHA-256: 9C5F9EE4235A15389A71D1021F5DF8D329B11D4427BA8D7E8960492FCD16F9AC
  • SHA-512: 44C8302EBC76EA8B8652B6FE0BA1B59B5C37FDD00B7ECDE578524856C8D0028FF0A2C383DE366E64BA43F4E87741D1289B0E48A143A78942FE96A1C595CB96D2
  • Malicious: false
/Users/Shared/AppStore.app/Contents/MacOS/AppStore
  • Type: Mach-O 64-bit executable
  • MD5: 9F25C1A359B9DAE3F2C1ABBA45F0566D
  • SHA: 5ED684D861D51DCF8A94A1E6BE853DFD1293BBD8
  • SHA-256: 363D151D451A9687D5C0863933A15F7968D3D7018B26F6BA8DF54DEA9E2F635C
  • SHA-512: 9096346A30F27AEFFA43C5D734029C6FCF650C52C47B0D2CB2C4EC4038AF2C4BC3B3417E87675D4E87CD6CE885ABDC697BD223BDEBB9216627786A87BF184D96
  • Malicious: false
/Users/Shared/AppStore.app/Contents/PkgInfo
  • Type: ASCII text, with very long lines, with no line terminators
  • MD5: 23B7D7D024ABB0F558420E098800BF27
  • SHA: 9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
  • SHA-256: 82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
  • SHA-512: F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Resources/AppIcon.icns
  • Type: data
  • MD5: 0EB3D0406A86558D0B827BF7689764B5
  • SHA: A917E697A84B275D19B21AC1E17DB1019F03424C
  • SHA-256: 6FAD33BDB2A180EFF845EAA24557E625E16E23C16025BE441EAC2B082C304B30
  • SHA-512: 8BA6509C29E336063F4265407637FAE4AB12D219733F28F5FB99D12A3F93DF6E16E5532763CCBE0746002D77877759A724B2F2A7FBAFDEAB4D40CBC02DFC401F
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Resources/Base.lproj/MainMenu.nib
  • Type: Apple binary property list
  • MD5: EE946ED8BF9C844ECC99088241CED16D
  • SHA: 521477D9D7FD27D63F4AC4DFD6EF0009146ED443
  • SHA-256: C10B659AE02103B882C69A6579FE06A2A099D16F42FE4F8B2CE2B6B1BA7B5FAB
  • SHA-512: 4D0ACBC54240C0C087146735CC279A17A059D69C29AB848A4176340F25651BCFCE02E376FE65938C44991728C0EEBB853C906F56C0C1E175EE92EBB8D90D53E1
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Resources/de.lproj/MainMenu.strings
  • Type: UTF-8 Unicode text
  • MD5: 3D6B225898C3FF73ED0D665E06E4B7E3
  • SHA: 68BE3BA840067211D1C0BA905930C19C32511F12
  • SHA-256: 969E93772975A6023E5432983F0C1989F27114A048980AFFBF6DB80F5E8D098F
  • SHA-512: DC5469E9C3162989B7782AB810F5DCF372D7CBB0DBF5AC7D12A727037DFB079DFCF700EE000C8F100DDEC0805B46A2FE5A7A4487A26042223EC771F1CEAFE4A3
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Resources/en.lproj/MainMenu.strings
  • Type: UTF-8 Unicode text
  • MD5: 5F50073CFC9E92D2D522CDD61E5A0ED7
  • SHA: F87B301CC6A494D57E49D37B111CA38A60DB3845
  • SHA-256: 496EBBBFEA4917BA3EDB7E80E25058A2ED62F9AE15CD0A40ADDFBE78C374366B
  • SHA-512: 5EBCB1D233F316A029819DF8FDB4AAE6C3EFAA2AA3F58F86F8DBB8E815D410F170FC7CFFA12FDEC3582310F446F66708BC7A007CCC0AC34DA66B18AFEFAEB94B
  • Malicious: false
/Users/Shared/AppStore.app/Contents/_CodeSignature/CodeResources
  • Type: XML document text
  • MD5: 9517A02B854AC7AA2CE409F0B9B88984
  • SHA: 93361304FFDA577B3B62F481C050FB7404B47F34
  • SHA-256: 52520D199D1146DD910602782E398C032995A98C281A6CA931F96E45735AF3C8
  • SHA-512: 3DE98345AEBE4E1E9F1DAF88F48A53E08300C64045869A77A67ABD381966011AF477C48672941414BCE26D8942B0F8A98F5D5B6840BD7579CFB4869959F7D003
  • Malicious: false
/Users/vreni/Library/LaunchAgents/com.apple.iTunes.plist
  • Type: XML document text
  • MD5: 105B5F93A435D45109C80AC2437580A9
  • SHA: 8B1E419CB8523790020499960FD8BEFB69058AF6
  • SHA-256: 19E6E592ED61AB118B324CD0C5B34FC9E2800AFF3CAEB0ECD5986FB85EAAAB13
  • SHA-512: F8CA07A3EEF48E56741A830018CA74C7479647C70542CF0808D925718F8B287DC51B9ADFB4FCD3C1EC8A63AD9B44181CA3C8FAD9E1A979EDED24C0EDB13F1DE3
  • Malicious: false
/dev/null
  • Type: ASCII text
  • MD5: 32DA26296DA48081D8C0991D1D3798D4
  • SHA: B592249D0883D9726C0BF067D553A29C95E3DC5E
  • SHA-256: 3C0594EA434E9D3553B46F48893F9B20222EB8DC93506EBAFB8D4DDAE7C6B590
  • SHA-512: 9C070707C206A59A5FDCDF35CCCA7DD49408196FF5CC8869FD62C81589DFA80BA2A70ECA820CFEDD49F6E47F18EEB71D164D75208111F12E84B39079921D9372
  • Malicious: false
/private/tmp/AppStore
  • Type: a python script text executable
  • MD5: F2F3BAF7ACE5D985F0EE3C9B44F5074F
  • SHA: 309204F4DA8842984435CCBB503EFFA3F546CAEA
  • SHA-256: CA2AA09ACD29DFAD9450F5D177D5E059D3F1EBD1C5CEF62AB62D7E2346D42174
  • SHA-512: BC543A057B464F26862A425D2A753272885700EC3468C112CA91D7289B51691CB192BD5665A93E3E83D0800D915226C48A69B5CFE78CFE9E58B6BFA6A7424720
  • Malicious: true
/private/tmp/loader.log
  • Type: ASCII text
  • MD5: 0EF631D5B6EC43F79B7F7549A0135DF2
  • SHA: C44B1F50183FE09E5CBC251DDC8E2EE41E7AD56D
  • SHA-256: F7935DE17F55DFE8C5AFF15E1285AC245759F236F95C0C586320A9423F43DDE4
  • SHA-512: FB73FB31DC4651B6C831AF69FB4DACB00FFB7702FDD88DD5419776C495B89EFCC37BE4038EA51E2C13F444C86F3A39813B029FDA0ED8C688EE5828F11D2516B2
  • Malicious: false
/private/tmp/tmp123
  • Type: ASCII text, with very long lines
  • MD5: 1A46127FB5A6457817E0CA3F28ABC946
  • SHA: DA1ABC08F2850C854EA90E97C13C0AED4727B185
  • SHA-256: C1C432EE77075725621BF50A4D211CA51CF98CF6F28511C1D93C36595C240892
  • SHA-512: 65022F356FB561AB3A256AD8D75CA6445EA0E8F45EF6B611781080F45929BC57D68B4DEC1B8CE2128BE51D6FB2F422C7614FB6C85E3C2308719548A67FBE0534
  • Malicious: false

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
8.8.8.8 | United States | 15169 | Google Inc | false
17.252.76.100 | United States | 714 | Apple Inc | false
17.188.165.205 | United States | 714 | Apple Inc | false
17.253.20.125 | United States | 6185 | Apple Inc | false
224.0.0.251 | Reserved | 2541 | Jump Management SRL | false
185.68.93.74 | Russian Federation | 56577 | Relink LTD | true

Static File Info

General

File type: Zip archive data, at least v2.0 to extract
TrID:
  • Mac OS X Application Bundle (25504/1) 86.41%
  • ZIP compressed archive (4004/1) 13.57%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
File name: 54ee71f6ad1f91a6f162bd5712d1a2e3d3111c352a0f52db630dcb4638101938.zip
File size: 96065 bytes
MD5: 0e48346ebd57b1b6dbaa0bbad4d579dc
SHA1: 1e7be91179410a9d78cc4401aa3f9a7b62e8a59a
SHA256: 54ee71f6ad1f91a6f162bd5712d1a2e3d3111c352a0f52db630dcb4638101938
SHA512: 0725cd1b8d1902ca18cae6f3443d288e60ab81455dc4fb268b56b2b6443e66b09d904a9f47ce47b06c65a3b840506ecf752f77bb5063e587744d5aeb5aabb44b
File Content Preview: PK.........\.J................Dokument.app/PK.........\.J................Dokument.app/Contents/PK.........\.J............%...Dokument.app/Contents/_CodeSignature/PK.........\.J.m$N........2...Dokument.app/Contents/_CodeSignature/CodeResources..]S.@....W..

Static App Info

General Information

Package Info: APPL????
Property List File (Info.plist of the bundle, pretty-printed from the single-line value in the report):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>BuildMachineOSBuild</key>
  <string>13F1911</string>
  <key>CFBundleDevelopmentRegion</key>
  <string>en</string>
  <key>CFBundleExecutable</key>
  <string>AppStore</string>
  <key>CFBundleIconFile</key>
  <string>AppIcon</string>
  <key>CFBundleIdentifier</key>
  <string>Trusteer.AppStore</string>
  <key>CFBundleInfoDictionaryVersion</key>
  <string>6.0</string>
  <key>CFBundleName</key>
  <string>AppStore</string>
  <key>CFBundlePackageType</key>
  <string>APPL</string>
  <key>CFBundleShortVersionString</key>
  <string>1.0</string>
  <key>CFBundleSignature</key>
  <string>????</string>
  <key>CFBundleVersion</key>
  <string>1</string>
  <key>DTCompiler</key>
  <string>com.apple.compilers.llvm.clang.1_0</string>
  <key>DTPlatformBuild</key>
  <string>6A2008a</string>
  <key>DTPlatformVersion</key>
  <string>GM</string>
  <key>DTSDKBuild</key>
  <string>14A382</string>
  <key>DTSDKName</key>
  <string>macosx10.10</string>
  <key>DTXcode</key>
  <string>0611</string>
  <key>DTXcodeBuild</key>
  <string>6A2008a</string>
  <key>LSMinimumSystemVersion</key>
  <string>10.9</string>
  <key>LSUIElement</key>
  <true/>
  <key>NSHumanReadableCopyright</key>
  <string>Copyright 2017 Trusteer. All rights reserved.</string>
  <key>NSMainNibFile</key>
  <string>MainMenu</string>
  <key>NSPrincipalClass</key>
  <string>NSApplication</string>
  <key>NSUserNotificationAlertStyle</key>
  <string>alert</string>
</dict>
</plist>

Resources

Name | Type
Info.plist | XML document text
PkgInfo | ASCII text, with no line terminators
AppStore | Mach-O 64-bit executable
AppIcon.icns | data
MainMenu.nib | Apple binary property list
MainMenu.strings | UTF-8 Unicode text
MainMenu.strings | UTF-8 Unicode text
CodeResources | XML document text

Static Mach Info

General Information for header0

Endian: < (little-endian)
Size: 64-bit
Architecture: x86_64
Filetype: execute
Nbr. of load commands: 22
segment_command_64
  segname: __PAGEZERO
  fileoff: 0
  maxprot: 0
  vmsize: 4294967296
  nsects: 0
  flags: 0
  filesize: 0
  vmaddr: 0
  initprot: 0
segment_command_64
  segname: __TEXT
  fileoff: 0
  maxprot: 7
  vmsize: 20480
  nsects: 12
  flags: 0
  filesize: 20480
  vmaddr: 4294967296
  initprot: 5
  Data (sections):
    sectname: __text
    segname: __TEXT
    reloff: 0
    addr: 4294971134
    align: 0
    nreloc: 0
    flags: 2147484672
    offset: 3838
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 8956

    sectname: __stubs
    segname: __TEXT
    reloff: 0
    addr: 4294980090
    align: 1
    nreloc: 0
    flags: 2147484680
    offset: 12794
    reserved2: 6
    reserved1: 0
    reserved3: 0
    size: 150

    sectname: __stub_helper
    segname: __TEXT
    reloff: 0
    addr: 4294980240
    align: 2
    nreloc: 0
    flags: 2147484672
    offset: 12944
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 266

    sectname: __objc_methname
    segname: __TEXT
    reloff: 0
    addr: 4294980506
    align: 0
    nreloc: 0
    flags: 2
    offset: 13210
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 2749

    sectname: __cstring
    segname: __TEXT
    reloff: 0
    addr: 4294983255
    align: 0
    nreloc: 0
    flags: 2
    offset: 15959
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 1214

    sectname: __objc_classname
    segname: __TEXT
    reloff: 0
    addr: 4294984469
    align: 0
    nreloc: 0
    flags: 2
    offset: 17173
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 106

    sectname: __objc_methtype
    segname: __TEXT
    reloff: 0
    addr: 4294984575
    align: 0
    nreloc: 0
    flags: 2
    offset: 17279
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 1177

    sectname: __const
    segname: __TEXT
    reloff: 0
    addr: 4294985752
    align: 3
    nreloc: 0
    flags: 0
    offset: 18456
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 8

    sectname: __gcc_except_tab
    segname: __TEXT
    reloff: 0
    addr: 4294985760
    align: 2
    nreloc: 0
    flags: 0
    offset: 18464
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 1508

    sectname: __ustring
    segname: __TEXT
    reloff: 0
    addr: 4294987268
    align: 1
    nreloc: 0
    flags: 0
    offset: 19972
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 212

    sectname: __unwind_info
    segname: __TEXT
    reloff: 0
    addr: 4294987480
    align: 2
    nreloc: 0
    flags: 0
    offset: 20184
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 164

    sectname: __eh_frame
    segname: __TEXT
    reloff: 0
    addr: 4294987648
    align: 3
    nreloc: 0
    flags: 0
    offset: 20352
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 128
segment_command_64
  segname: __DATA
  fileoff: 20480
  maxprot: 7
  vmsize: 155648
  nsects: 16
  flags: 0
  filesize: 155648
  vmaddr: 4294987776
  initprot: 3
  Data (sections):
    sectname: __nl_symbol_ptr
    segname: __DATA
    reloff: 0
    addr: 4294987776
    align: 3
    nreloc: 0
    flags: 6
    offset: 20480
    reserved2: 0
    reserved1: 25
    reserved3: 0
    size: 16

    sectname: __got
    segname: __DATA
    reloff: 0
    addr: 4294987792
    align: 3
    nreloc: 0
    flags: 6
    offset: 20496
    reserved2: 0
    reserved1: 27
    reserved3: 0
    size: 48

    sectname: __la_symbol_ptr
    segname: __DATA
    reloff: 0
    addr: 4294987840
    align: 3
    nreloc: 0
    flags: 7
    offset: 20544
    reserved2: 0
    reserved1: 33
    reserved3: 0
    size: 200

    sectname: __cfstring
    segname: __DATA
    reloff: 0
    addr: 4294988040
    align: 3
    nreloc: 0
    flags: 0
    offset: 20744
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 1312

    sectname: __objc_classlist
    segname: __DATA
    reloff: 0
    addr: 4294989352
    align: 3
    nreloc: 0
    flags: 268435456
    offset: 22056
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 16

    sectname: __objc_catlist
    segname: __DATA
    reloff: 0
    addr: 4294989368
    align: 3
    nreloc: 0
    flags: 268435456
    offset: 22072
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 8

    sectname: __objc_protolist
    segname: __DATA
    reloff: 0
    addr: 4294989376
    align: 3
    nreloc: 0
    flags: 0
    offset: 22080
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 24

    sectname: __objc_imageinfo
    segname: __DATA
    reloff: 0
    addr: 4294989400
    align: 2
    nreloc: 0
    flags: 0
    offset: 22104
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 8

    sectname: __objc_const
    segname: __DATA
    reloff: 0
    addr: 4294989408
    align: 3
    nreloc: 0
    flags: 0
    offset: 22112
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 3392

    sectname: __objc_selrefs
    segname: __DATA
    reloff: 0
    addr: 4294992800
    align: 3
    nreloc: 0
    flags: 268435461
    offset: 25504
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 448

    sectname: __objc_classrefs
    segname: __DATA
    reloff: 0
    addr: 4294993248
    align: 3
    nreloc: 0
    flags: 268435456
    offset: 25952
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 112

    sectname: __objc_superrefs
    segname: __DATA
    reloff: 0
    addr: 4294993360
    align: 3
    nreloc: 0
    flags: 268435456
    offset: 26064
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 8

    sectname: __objc_ivar
    segname: __DATA
    reloff: 0
    addr: 4294993368
    align: 3
    nreloc: 0
    flags: 0
    offset: 26072
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 72

    sectname: __objc_data
    segname: __DATA
    reloff: 0
    addr: 4294993440
    align: 3
    nreloc: 0
    flags: 0
    offset: 26144
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 160

    sectname: __data
    segname: __DATA
    reloff: 0
    addr: 4294993600
    align: 4
    nreloc: 0
    flags: 0
    offset: 26304
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 149792

    sectname: __bss
    segname: __DATA
    reloff: 0
    addr: 4295143392
    align: 3
    nreloc: 0
    flags: 1
    offset: 0
    reserved2: 0
    reserved1: 0
    reserved3: 0
    size: 8
segment_command_64
  segname: __LINKEDIT
  fileoff: 176128
  maxprot: 7
  vmsize: 16384
  nsects: 0
  flags: 0
  filesize: 14304
  vmaddr: 4295143424
  initprot: 1

dyld_info_command
  lazy_bind_size: 600
  lazy_bind_off: 177112
  weak_bind_size: 0
  rebase_size: 224
  export_off: 177712
  export_size: 32
  bind_off: 176352
  rebase_off: 176128
  bind_size: 760
  weak_bind_off: 0

symtab_command
  strsize: 1016
  symoff: 177856
  stroff: 178904
  nsyms: 51

dysymtab_command
  extreloff: 0
  nlocrel: 0
  indirectsymoff: 178672
  modtaboff: 0
  nextrel: 0
  iundefsym: 2
  nmodtab: 0
  ilocalsym: 0
  nundefsym: 49
  nextrefsyms: 0
  locreloff: 0
  ntoc: 0
  nlocalsym: 1
  tocoff: 0
  extrefsymoff: 0
  nindirectsyms: 58
  iextdefsym: 1
  nextdefsym: 1

dylinker_command
  name: 12
  Data: /usr/lib/dyld

uuid_command
  uuid: aa5e23e769d236e89aa0415a3e4291bb

version_min_command
  version: 657664
  reserved: 657920

source_version_command
  version: 0

entry_point_command
  stacksize: 0
  entryoff: 4519

dylib_command
  compatibility_version: 0.44.1
  timestamp: Thu Jan 01 01:00:02 1970
  name: 24
  current_version: 4096.127.4
  Data: /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

dylib_command
  compatibility_version: 0.1.0
  timestamp: Thu Jan 01 01:00:02 1970
  name: 24
  current_version: 0.228.0
  Data: /usr/lib/libobjc.A.dylib

dylib_command
  compatibility_version: 0.1.0
  timestamp: Thu Jan 01 01:00:02 1970
  name: 24
  current_version: 0.189.4
  Data: /usr/lib/libSystem.B.dylib

dylib_command
  compatibility_version: 0.45.0
  timestamp: Thu Jan 01 01:00:02 1970
  name: 24
  current_version: 3584.63.5
  Data: /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

dylib_command
  compatibility_version: 0.150.0
  timestamp: Thu Jan 01 01:00:02 1970
  name: 24
  current_version: 4096.127.4
  Data: /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

rpath_command
  path: 12
  Data: @executable_path/../Frameworks

linkedit_data_command
  dataoff: 177744
  datassize: 40

linkedit_data_command
  dataoff: 177784
  datassize: 0

linkedit_data_command
  dataoff: 177784
  datassize: 72

linkedit_data_command
  dataoff: 179920
  datassize: 10512

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                              Source Port  Dest Port  Source IP       Dest IP
Mai 3, 2017 09:40:32.672120094 MESZ    53           54797      8.8.8.8         192.168.0.50
Mai 3, 2017 09:42:41.189059973 MESZ    5353         5353       192.168.0.50    224.0.0.251
Mai 3, 2017 09:42:50.268868923 MESZ    49327        4545       192.168.0.50    185.68.93.74
Mai 3, 2017 09:42:50.268913984 MESZ    4545         49327      185.68.93.74    192.168.0.50
Mai 3, 2017 09:42:50.269211054 MESZ    49327        4545       192.168.0.50    185.68.93.74
Mai 3, 2017 09:42:50.269515038 MESZ    49327        4545       192.168.0.50    185.68.93.74
Mai 3, 2017 09:42:50.269526958 MESZ    4545         49327      185.68.93.74    192.168.0.50
Mai 3, 2017 09:44:49.014049053 MESZ    123          123        192.168.0.50    17.253.20.125
Mai 3, 2017 09:46:06.790956974 MESZ    49155        5223       192.168.0.50    17.188.165.205
Mai 3, 2017 09:46:06.790987015 MESZ    5223         49155      17.188.165.205  192.168.0.50
Mai 3, 2017 09:46:06.791913986 MESZ    49211        5223       192.168.0.50    17.252.76.100
Mai 3, 2017 09:46:06.791940928 MESZ    5223         49211      17.252.76.100   192.168.0.50
Mai 3, 2017 09:46:07.017128944 MESZ    5223         49155      17.188.165.205  192.168.0.50
Mai 3, 2017 09:46:07.017640114 MESZ    49155        5223       192.168.0.50    17.188.165.205
Mai 3, 2017 09:46:07.075546026 MESZ    5223         49211      17.252.76.100   192.168.0.50
Mai 3, 2017 09:46:07.075982094 MESZ    49211        5223       192.168.0.50    17.252.76.100

UDP Packets

Timestamp                              Source Port  Dest Port  Source IP       Dest IP
Mai 3, 2017 09:40:32.672120094 MESZ    53           54797      8.8.8.8         192.168.0.50
Mai 3, 2017 09:42:41.189059973 MESZ    5353         5353       192.168.0.50    224.0.0.251
Mai 3, 2017 09:44:49.014049053 MESZ    123          123        192.168.0.50    17.253.20.125

ICMP Packets

Timestamp                              Source IP      Dest IP   Checksum  Code                Type
Mai 3, 2017 09:40:32.672396898 MESZ    192.168.0.50   8.8.8.8   2682      (Port unreachable)  Destination Unreachable

System Behavior

General

Start time:09:40:35
Start date:03/05/2017
Path:/usr/libexec/xpcproxy
File size:42656 bytes
MD5 hash:d68b4c6f2056c73e1d3bd228bcd6d4ff

General

Start time:09:40:35
Start date:03/05/2017
Path:/Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore
File size:190432 bytes
MD5 hash:9f25c1a359b9dae3f2c1abba45f0566d

General

Start time:09:40:35
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:40:35
Start date:03/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:09:40:35
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:40:35
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:40:35
Start date:03/05/2017
Path:/bin/sleep
File size:17984 bytes
MD5 hash:a5566195e03cbb7d5df309767a4231ae

General

Start time:09:40:40
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:40:40
Start date:03/05/2017
Path:/bin/rm
File size:23744 bytes
MD5 hash:e8926d2347850b76f57a1d5f0226de8b

General

Start time:09:40:40
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:40:40
Start date:03/05/2017
Path:/Users/Shared/AppStore.app/Contents/MacOS/AppStore
File size:190432 bytes
MD5 hash:9f25c1a359b9dae3f2c1abba45f0566d

General

Start time:09:42:42
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:42:42
Start date:03/05/2017
Path:/usr/bin/base64
File size:23136 bytes
MD5 hash:5fd54d3cab0fc8cfa60ec8eab3049f1c

General

Start time:09:42:42
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:42:42
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:42:42
Start date:03/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:09:42:42
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:42:42
Start date:03/05/2017
Path:/bin/rm
File size:23744 bytes
MD5 hash:e8926d2347850b76f57a1d5f0226de8b

General

Start time:09:42:42
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:42:42
Start date:03/05/2017
Path:/tmp/AppStore
File size:112154 bytes
MD5 hash:f2f3baf7ace5d985f0ee3c9b44f5074f

General

Start time:09:42:42
Start date:03/05/2017
Path:/Library/Frameworks/Python.framework/Versions/2.7/bin/python
File size:25624 bytes
MD5 hash:8ec51a235078596c4b2e09b4db76e73b

General

Start time:09:42:42
Start date:03/05/2017
Path:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:24960 bytes
MD5 hash:4d6dea37ae8536c5e20573905de9cf17

General

Start time:09:42:43
Start date:03/05/2017
Path:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:24960 bytes
MD5 hash:4d6dea37ae8536c5e20573905de9cf17

General

Start time:09:42:43
Start date:03/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:09:42:43
Start date:03/05/2017
Path:/usr/sbin/scutil
File size:216656 bytes
MD5 hash:606425562bb70289876036542086217c

General

Start time:09:42:43
Start date:03/05/2017
Path:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:24960 bytes
MD5 hash:4d6dea37ae8536c5e20573905de9cf17

General

Start time:09:42:43
Start date:03/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:09:42:43
Start date:03/05/2017
Path:/bin/launchctl
File size:124048 bytes
MD5 hash:dbfeff92b30d89c0a04dd0fbeb40ae5e

General

Start time:09:42:44
Start date:03/05/2017
Path:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:24960 bytes
MD5 hash:4d6dea37ae8536c5e20573905de9cf17

General

Start time:09:42:44
Start date:03/05/2017
Path:/bin/launchctl
File size:124048 bytes
MD5 hash:dbfeff92b30d89c0a04dd0fbeb40ae5e

General

Start time:09:42:49
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:42:49
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:42:49
Start date:03/05/2017
Path:/bin/sleep
File size:17984 bytes
MD5 hash:a5566195e03cbb7d5df309767a4231ae

General

Start time:09:42:54
Start date:03/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:09:42:54
Start date:03/05/2017
Path:/bin/rm
File size:23744 bytes
MD5 hash:e8926d2347850b76f57a1d5f0226de8b

General

Start time:09:40:40
Start date:03/05/2017
Path:/System/Library/CoreServices/sharedfilelistd
File size:123616 bytes
MD5 hash:f27d37ceb90584465739b7527f7c7b2d

General

Start time:09:40:41
Start date:03/05/2017
Path:/usr/bin/sfltool
File size:79456 bytes
MD5 hash:0ced48308860d34b0e0b304d9033b6b7

General

Start time:09:40:44
Start date:03/05/2017
Path:/System/Library/CoreServices/sharedfilelistd
File size:123616 bytes
MD5 hash:f27d37ceb90584465739b7527f7c7b2d

General

Start time:09:40:44
Start date:03/05/2017
Path:/usr/bin/sfltool
File size:79456 bytes
MD5 hash:0ced48308860d34b0e0b304d9033b6b7

General

Start time:09:40:50
Start date:03/05/2017
Path:/System/Library/CoreServices/sharedfilelistd
File size:123616 bytes
MD5 hash:f27d37ceb90584465739b7527f7c7b2d

General

Start time:09:40:50
Start date:03/05/2017
Path:/usr/bin/sfltool
File size:79456 bytes
MD5 hash:0ced48308860d34b0e0b304d9033b6b7

General

Start time:09:42:48
Start date:03/05/2017
Path:/usr/libexec/xpcproxy
File size:42656 bytes
MD5 hash:d68b4c6f2056c73e1d3bd228bcd6d4ff

General

Start time:09:42:48
Start date:03/05/2017
Path:/Users/vreni/Library/Containers/.bella/Bella
File size:112154 bytes
MD5 hash:f2f3baf7ace5d985f0ee3c9b44f5074f

General

Start time:09:42:48
Start date:03/05/2017
Path:/usr/bin/python
File size:66736 bytes
MD5 hash:071afc8e1e82e53c253a8ddc7dda8f75

General

Start time:09:42:48
Start date:03/05/2017
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:25152 bytes
MD5 hash:f932378ef838dcd40e9b7e55e7d7b9a0

General

Start time:09:42:49
Start date:03/05/2017
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:25152 bytes
MD5 hash:f932378ef838dcd40e9b7e55e7d7b9a0

General

Start time:09:42:49
Start date:03/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:09:42:49
Start date:03/05/2017
Path:/usr/sbin/scutil
File size:216656 bytes
MD5 hash:606425562bb70289876036542086217c

General

Start time:09:42:49
Start date:03/05/2017
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:25152 bytes
MD5 hash:f932378ef838dcd40e9b7e55e7d7b9a0

General

Start time:09:42:49
Start date:03/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:09:42:49
Start date:03/05/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

General

Start time:09:42:49
Start date:03/05/2017
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:25152 bytes
MD5 hash:f932378ef838dcd40e9b7e55e7d7b9a0

General

Start time:09:42:49
Start date:03/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:09:42:49
Start date:03/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:09:42:49
Start date:03/05/2017
Path:/usr/libexec/PlistBuddy
File size:40992 bytes
MD5 hash:b9c6344ae2b0607f8fc9d102e98ede82

General

Start time:09:42:49
Start date:03/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:09:42:49
Start date:03/05/2017
Path:/usr/bin/grep
File size:33712 bytes
MD5 hash:f7fe9c4af9294f2949377a12244b3d60

General

Start time:09:42:49
Start date:03/05/2017
Path:/System/Library/CoreServices/sharedfilelistd
File size:123616 bytes
MD5 hash:f27d37ceb90584465739b7527f7c7b2d

General

Start time:09:42:49
Start date:03/05/2017
Path:/usr/bin/sfltool
File size:79456 bytes
MD5 hash:0ced48308860d34b0e0b304d9033b6b7

General

Start time:09:42:55
Start date:03/05/2017
Path:/System/Library/CoreServices/sharedfilelistd
File size:123616 bytes
MD5 hash:f27d37ceb90584465739b7527f7c7b2d

General

Start time:09:42:55
Start date:03/05/2017
Path:/usr/bin/sfltool
File size:79456 bytes
MD5 hash:0ced48308860d34b0e0b304d9033b6b7