Analysis Report

Overview

General Information

Joe Sandbox Version:
Analysis ID:	14649
Start time:	16:39:15
Joe Sandbox Product:	Cloud
Start date:	16/02/2016
Overall analysis duration:	0h 7m 44s
Report type:	full
Sample file name:	2fe844f3dd7a95ca5cc9577008b841debfa8cf2da59aa610bbb7ee38bc7c8a2d.dmg
Cookbook file name:	default.jbs
Analysis system description:	Mac Mini, Yosemite 10.10.3 (Java 1.8.0_45)
Detection:	MAL

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	60	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Networking:

Urls found in memory or binary data

Show sources

Source: 2fe844f3dd7a95ca5cc9577008b841debfa8cf2da59aa610bbb7ee38bc7c8a2d.dmg

String found in binary or memory: http://www.apple.com/dtds/propertylist-1.0.dtd

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /icons/lps/images/icons/adobe_flashplayer_new_80.png HTTP/1.1 Host: instcoin.s3-website-us-east-1.amazonaws.com Accept: / Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko)
Source: global traffic	HTTP traffic detected: GET /img/Global/Yes_Button.png HTTP/1.1 Host: img.baseurlfbcdn.com Accept: / Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko)
Source: global traffic	HTTP traffic detected: GET /adobe_flashplayer_e2c7b.dmg HTTP/1.1 Host: appsstatic2fd4se5em.s3.amazonaws.com Accept: / Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Installer/1 CFNetwork/720.3.13 Darwin/14.3.0 (x86_64)
Source: global traffic	HTTP traffic detected: GET /img/Global/No_Button.png HTTP/1.1 Host: img.baseurlfbcdn.com Accept: / Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko)
Source: global traffic	HTTP traffic detected: GET /img/Global/declineBG.png HTTP/1.1 Host: img.baseurlfbcdn.com Accept: / Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko)
Source: global traffic	HTTP traffic detected: GET /img/Global/No_Button_Hover.png HTTP/1.1 Host: img.baseurlfbcdn.com Accept: / Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko)
Source: global traffic	HTTP traffic detected: GET /img/Global/Yes_Button_Hover.png HTTP/1.1 Host: img.baseurlfbcdn.com Accept: / Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko)
Source: global traffic	HTTP traffic detected: GET /img/Zozopid/logo.png HTTP/1.1 Host: img.conicono.com Accept: / Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko)
Source: global traffic	HTTP traffic detected: GET /img/Yahahah/small_logo2.png HTTP/1.1 Host: img.conicono.com Accept: / Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko)
Source: global traffic	HTTP traffic detected: GET /thankyou.php HTTP/1.1 Host: softwareupdate.theinlineupdater.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17
Source: global traffic	HTTP traffic detected: GET /scripts/1/adnl.min.js HTTP/1.1 Host: cdn.castplatform.com Connection: keep-alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17 Accept-Language: en-us Referer: http://softwareupdate.theinlineupdater.net/thankyou.php Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /lps/TYpage/images/1459081.jpg HTTP/1.1 Host: d1ifze50bd2zo7.cloudfront.net Connection: keep-alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17 Accept-Language: en-us Referer: http://softwareupdate.theinlineupdater.net/thankyou.php Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /api/vv/1?callback=cb_1455640886727&ts=1455640886726&sessionId=WQdQV&siteId=224&aus=3314,1,0 HTTP/1.1 Host: d.castplatform.com Connection: keep-alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17 Accept-Language: en-us Referer: http://softwareupdate.theinlineupdater.net/thankyou.php Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1 Host: softwareupdate.theinlineupdater.net Connection: keep-alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17 Accept-Language: en-us Referer: http://softwareupdate.theinlineupdater.net/thankyou.php Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /api/mpup/1?aus=5721 HTTP/1.1 Host: d.castplatform.com Connection: keep-alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17 Accept-Language: en-us Referer: http://softwareupdate.theinlineupdater.net/thankyou.php Accept-Encoding: gzip, deflate

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: rp.conicono.com

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /Mac_Coinis/?v=5.0 HTTP/1.1 Host: os.conicono.com Connection: keep-alive Accept: */* User-Agent: ICMAC Accept-Language: en-us Content-Length: 0 Accept-Encoding: gzip, deflate

Reads from file descriptors related to (network) sockets

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Reads from socket in process:
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Reads from socket in process:

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49217

Writes from file descriptors related to (network) sockets

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Writes from socket in process:
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Writes from socket in process:

Tries to resolve many domain names, but no domain seems valid

Show sources

Source: unknown	DNS traffic detected: query: b._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: db._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: r._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: dr._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: b._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: db._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: r._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: dr._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: b._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: db._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: r._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: dr._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: b._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: db._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: r._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: dr._dns-sd._udp.0.0.168.192.in-addr.arpa replaycode: Server failure (2)

Persistence and Installation Behavior:

Reads data from the local random generator

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Random device file read: /dev/urandom
Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Random device file read: /dev/random
Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Random device file read: /dev/random
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Random device file read: /dev/random
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Random device file read: /dev/random
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Random device file read: /dev/urandom
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Random device file read: /dev/random
Source: /usr/libexec/SafariNotificationAgent (PID: 429)	Random device file read: /dev/random

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Writes property list (.plist) files to disk

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Binary plist file created: /Users/vreni/Library/Safari/lock/.dat019f.000
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Binary plist file created: /Users/vreni/Library/Safari/.dat019f.001
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Binary plist file created: /Users/vreni/Library/Safari/lock/.dat019f.002
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Binary plist file created: /Users/vreni/Library/Caches/Metadata/Safari/History/.tracked filenames.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Binary plist file created: /Users/vreni/Library/Caches/Metadata/Safari/History/http:%2F%2Fsoftwareupdate.theinlineupdater.net%2Fthankyou.php.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Binary plist file created: /Users/vreni/Library/Safari/.dat019f.003

Creates hidden files, links and/or directories

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Hidden file created: /var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/T/.dat018c.000
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Hidden file created: /Users/vreni/Library/Safari/lock/.dat019f.000
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Hidden file created: /Users/vreni/Library/Safari/.dat019f.001
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Hidden file created: /Users/vreni/Library/Safari/lock/.dat019f.002
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Hidden file created: /Users/vreni/Library/Safari/.dat019f.003

Executes commands using a shell command-line interpreter

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)

Shell command executed: /bin/sh -c codesign -dvv '/Users/vreni/Desktop/unpack/Installer/Installer.app' 2>&1 | grep -a 'Authority=Developer ID Application:' | xargs echo -n

Executes the "grep" command used to find patterns in files or piped streams

Show sources

Source: /bin/sh (PID: 405)

Grep executable: /usr/bin/grep -> grep -a Authority=Developer ID Application:

Opens the Safari browser app

Show sources

Source: /usr/libexec/xpcproxy (PID: 415)

Safari app opened: /Applications/Safari.app/Contents/MacOS/Safari

Reads launchservices plist files

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Reads user launchservices plist file containing default apps for corresponding filetypes

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist

Uses Security framework containing interfaces for system-level user authentication and authorization

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist
Source: /usr/bin/codesign (PID: 404)	Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist

Writes DMG files to disk

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	DMG file created: /private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/T/adobe_flashplayer_e2c7b.dmg
Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	DMG file created: /Users/vreni/Downloads/adobe_flashplayer_e2c7b.dmg

Writes files to the user's download directory

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)

File created in download directory: /Users/vreni/Downloads/adobe_flashplayer_e2c7b.dmg

Queries for attached disk images with shell command 'hdiutil'

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)

Hdiutil command executed: /usr/bin/hdiutil info -plist

Hooking and other Techniques for Hiding and Protection:

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)

PTRACE system call (PT_DENY_ATTACH): PID 396 denies future traces

Moves itself during installation or deletes itself after installation

Show sources

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Safari/lock/details.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Safari/WebpageIcons.db-journal
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fwww.google.fr%2Fsearch?client=safari&rls=en&q=python+2.7&ie=UTF-8&oe=UTF-8&gfe_rd=cr&ei=tF8uVPKHL6eA8QfEioCADg.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fwww.google.com%2Fsearch?client=safari&rls=en&q=tor+check&ie=UTF-8&oe=UTF-8.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fjava.com%2Fen%2Fdownload%2Finstalled.jsp.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fjava.com%2Fverify%2F?src=install.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fiforgot.apple.com%2Fcgi-bin%2Fiforgot.cgi?app_id=165&frame=true&language-iso=GB-EN&language-iso-2=GB-EN&prs_account_nm=vreni.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fcheck.torproject.org%2F?lang=de.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/http:%2F%2Fwww.macupdate.com%2Fapp%2Fmac%2F20127%2Fdeep-freeze-mac.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fwww.google.com%2Fsearch?client=safari&rls=en&q=python+2.7&ie=UTF-8&oe=UTF-8.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fwww.google.de%2Fsearch?client=safari&rls=en&q=sourcefore+mono+3.4&ie=UTF-8&oe=UTF-8&gfe_rd=cr&ei=bWAuVIzzLcKF8QeS6IGYDQ.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/http:%2F%2Fsourceforge.net%2Fprojects%2Fmono.mirror%2Ffiles%2FMono%25203.4.0%2FMonoFramework-MRE-3.4.0.macos10.xamarin.x86.pkg%2Fdownload.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fiforgot.apple.com%2Fpassword%2Fverify%2Fappleid?app_id=165&frame=true&language-iso=GB-EN&language-iso-2=GB-EN&prs_account_nm=vreni.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fwww.google.de%2Fsearch?client=safari&rls=en&q=tor+check&ie=UTF-8&oe=UTF-8&gfe_rd=cr&ei=0WAuVIjDBsaF8QfcuICoDA.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fwww.google.com%2Fsearch?client=safari&rls=en&q=sourcefore+mono+3.4&ie=UTF-8&oe=UTF-8.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/26B2F5DA-23A5-406B-A970-3E2EB350B9E9.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/C02C1007-B757-436E-BC29-BE229D6E74E0.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/http:%2F%2Fsourceforge.net%2Fprojects%2Fmono.mirror%2Ffiles%2FMono%25203.4.0%2F.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fwww.google.ch%2Fsearch?client=safari&rls=en&q=deep+freeze+for+mac+download&ie=UTF-8&oe=UTF-8&gfe_rd=cr&ei=80wuVJz7POqX8Qee44CYCg.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fwww.google.com%2Fsearch?client=safari&rls=en&q=deep+freeze+for+mac+download&ie=UTF-8&oe=UTF-8.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File deleted: /Users/vreni/Library/Caches/Metadata/Safari/History/https:%2F%2Fwww.python.org%2Fdownload.webhistory
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File moved: /Users/vreni/Library/Safari/lock/.dat019f.000 -> /Users/vreni/Library/Safari/lock/details.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File moved: /Users/vreni/Library/Safari/.dat019f.001 -> /Users/vreni/Library/Safari/Downloads.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File moved: /Users/vreni/Library/Safari/lock/.dat019f.002 -> /Users/vreni/Library/Safari/lock/details.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	File moved: /Users/vreni/Library/Safari/.dat019f.003 -> /Users/vreni/Library/Safari/LastSession.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Directory deleted: /Users/vreni/Library/Safari/lock

HIPS / PFW / Operating System Protection Evasion:

Executes the "codesign" command used to create and manipulate code signatures

Show sources

Source: /bin/sh (PID: 404)

Codesign executable: /usr/bin/codesign -> codesign -dvv /Users/vreni/Desktop/unpack/Installer/Installer.app

Language, Device and Operating System Detection:

Reads the system or server version plist file

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/libexec/SafariNotificationAgent (PID: 429)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Reads the systems OS release and/or type

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Sysctl requested: kern.ostype (1.1)
Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Sysctl requested: kern.osrelease (1.2)
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Sysctl requested: kern.ostype (1.1)
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Sysctl requested: kern.osrelease (1.2)

Reads the systems hostname

Show sources

Source: /Users/vreni/Desktop/unpack/Installer/Installer.app/Contents/MacOS/anginiform (PID: 396)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 403)	Sysctl requested: kern.hostname (1.10)
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 415)	Sysctl requested: kern.hostname (1.10)

Runtime Messages

Command:	open
Exitcode:	0
Killed:	False
Standard Output:
Standard Error:

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

Networking:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Runtime Messages

Yara Overview

Screenshot