
macOS Analysis Report Guard.py

Overview

General Information

Sample Name:Guard.py
Analysis ID:138361
MD5:5544ef6de35ae95ecdc458f4ff3803d6
SHA1:232206eff46b7ac78e68d8a84c65713749209743
SHA256:1448f34fcde1e6d7df000c38a61c3dd6d5fd304f9ad60cadfa3deb875b6b088f
Detection

WildPressure
Score:48
Range:0 - 100
Whitelisted:false

Signatures

Yara detected WildPressure
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Creates hidden files, links and/or directories
Creates memory-persistent launch services
Creates user-wide 'launchd' managed services aka launch agents
Executes commands using a shell command-line interpreter
Executes the "python" command used to interpret Python scripts
Executes the "uname" command used to read OS and architecture name
Explicitly lists launch services possibly for searching
Explicitly loads/starts launch services
Reads the systems OS release and/or type
Reads the systems hostname

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:138361
Start date:09.07.2021
Start time:14:50:17
Joe Sandbox Product:Cloud
Overall analysis duration:0h 7m 54s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Guard.py
Cookbook file name:defaultmacinteractivecookbook.jbs
Analysis system description:Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223)
Analysis Mode:default
Detection:MAL
Classification:mal48.troj.macPY@0/7@0/0

Process Tree

  • System is mac-mojave
  • Terminal New Fork (PID: 896, Parent: 282)
  • login (MD5: 5d62c3fb21c0d809c90674223d2629f5) Arguments: login -pf ben
    • login New Fork (PID: 897, Parent: 896)
    • bash (MD5: 0313fd399b143fc40cd52a1679018305) Arguments: -bash
      • bash New Fork (PID: 898, Parent: 897)
        • bash New Fork (PID: 899, Parent: 898)
        • path_helper (MD5: 0403286476d3e8908d852969c2188790) Arguments: /usr/libexec/path_helper -s
      • bash New Fork (PID: 900, Parent: 897)
      • mkdir (MD5: 0948c3e8dfd7f3d3628ca8b819092ccf) Arguments: mkdir -m 700 -p /Users/ben/.bash_sessions
      • bash New Fork (PID: 901, Parent: 897)
        • bash New Fork (PID: 902, Parent: 901)
        • touch (MD5: b1fc3a8e0ae32021b9f29be4ff196129) Arguments: /usr/bin/touch /Users/ben/.bash_sessions/1476C622-8CCC-456D-9F74-6FE7755942D0.historynew
      • bash New Fork (PID: 903, Parent: 897)
      • python (MD5: be65ae5f9bd784375fd70bec94da6a60) Arguments: python Guard.py
      • Python (MD5: 8fedf0b5ee3045d5621b0518e9a4b375) Arguments: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python Guard.py
        • sh New Fork (PID: 904, Parent: 903)
          • sh New Fork (PID: 905, Parent: 904)
          • uname (MD5: a1c51069ef3a88caedd3a7739941aaef) Arguments: uname -p
        • Python New Fork (PID: 906, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
        • Python New Fork (PID: 907, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
        • Python New Fork (PID: 908, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
        • sh New Fork (PID: 909, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
        • Python New Fork (PID: 911, Parent: 903)
        • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
  • python (MD5: ec07cbbd621933f37e0141118a5b0bac) Arguments: /usr/bin/python /Users/ben/Desktop/Guard.py
  • Python (MD5: 7058b515356cdcf3fada0e8d34926c7d) Arguments: /usr/bin/python /Users/ben/Desktop/Guard.py
    • sh New Fork (PID: 912, Parent: 910)
      • sh New Fork (PID: 913, Parent: 912)
      • uname (MD5: a1c51069ef3a88caedd3a7739941aaef) Arguments: uname -p
    • Python New Fork (PID: 914, Parent: 910)
    • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
    • Python New Fork (PID: 915, Parent: 910)
    • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl list
  • cleanup

Yara Overview

Initial Sample

Source: Guard.py
Rule: JoeSecurity_WildPressure
Description: Yara detected WildPressure
Author: Joe Security
Strings: (none listed)

    Jbx Signature Overview

    Source: unknown; TCP traffic detected without corresponding DNS query: 17.57.146.21
    Source: com.apple.pyapple.plist.984.dr; String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
    Source: classification engine; Classification label: mal48.troj.macPY@0/7@0/0
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Hidden directory created: /Users/ben/.appdata -> /Users/ben/.appdata
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Shell command executed: sh -c uname -p 2> /dev/null
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Shell command executed: sh -c launchctl load -w /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
    Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Shell command executed: sh -c uname -p 2> /dev/null
    Source: /bin/bash (PID: 903); Python executable: /Library/Frameworks/Python.framework/Versions/2.7/bin/python -> python Guard.py
    Source: /usr/libexec/xpcproxy (PID: 910); Python executable: /usr/bin/python -> /usr/bin/python /Users/ben/Desktop/Guard.py
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 906); Launch agent/daemon listed: launchctl list
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 907); Launch agent/daemon listed: launchctl list
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 908); Launch agent/daemon listed: launchctl list
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 911); Launch agent/daemon listed: launchctl list
    Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 914); Launch agent/daemon listed: launchctl list
    Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 915); Launch agent/daemon listed: launchctl list
    Source: /bin/sh (PID: 909); Launch agent/daemon loaded: launchctl load -w /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Random device file read: /dev/urandom
    Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Random device file read: /dev/urandom
    Source: /Library/Frameworks/Python.framework/Versions/2.7/bin/python (PID: 903); Python framework application: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
    Source: /usr/bin/python (PID: 910); Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); XML plist file created: /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
    Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); XML plist file created: /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Launch agent created, file created: /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Sysctl requested: kern.ostype (1.1)
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Sysctl requested: kern.osrelease (1.2)
    Source: /usr/bin/uname (PID: 905); Sysctl requested: kern.ostype (1.1)
    Source: /usr/bin/uname (PID: 905); Sysctl requested: kern.osrelease (1.2)
    Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Sysctl requested: kern.ostype (1.1)
    Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Sysctl requested: kern.osrelease (1.2)
    Source: /usr/bin/uname (PID: 913); Sysctl requested: kern.ostype (1.1)
    Source: /usr/bin/uname (PID: 913); Sysctl requested: kern.osrelease (1.2)
    Source: /bin/bash (PID: 897); Sysctl requested: kern.hostname (1.10)
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 904); Sysctl requested: kern.hostname (1.10)
    Source: /usr/bin/uname (PID: 905); Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 909); Sysctl requested: kern.hostname (1.10)
    Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 910); Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 912); Sysctl requested: kern.hostname (1.10)
    Source: /usr/bin/uname (PID: 913); Sysctl requested: kern.hostname (1.10)
    Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 903); System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

    Stealing of Sensitive Information:

    Yara detected WildPressure
    Source: Yara match; File source: Guard.py, type: SAMPLE
    Source: /bin/sh (PID: 905); Uname executable: /usr/bin/uname -> uname -p
    Source: /bin/sh (PID: 913); Uname executable: /usr/bin/uname -> uname -p

    Remote Access Functionality:

    Yara detected WildPressure
    Source: Yara match; File source: Guard.py, type: SAMPLE

    Mitre Att&ck Matrix

    The matrix is listed here per tactic; the number in parentheses is the count badge attached to a matched technique in the original matrix.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Scripting (2); Launchctl (1); At (Linux)
    Persistence: Launch Agent (4); Launch Daemon (2); Plist Modification (1)
    Privilege Escalation: Launch Agent (4); Launch Daemon (2); Plist Modification (1)
    Defense Evasion: Masquerading (1); Scripting (2); Hidden Files and Directories (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
    Discovery: System Information Discovery (31); Application Window Discovery; Query Registry
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Data Obfuscation; Junk Data; Steganography
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data

    Behavior Graph

    [Behavior graph figure] Behavior Graph ID: 138361, Sample: Guard.py, Startdate: 09/07/2021, Architecture: MAC, Score: 48.
    Nodes recoverable from the figure: 17.57.146.21 (ports 49225, 5223; APPLE-ENGINEERINGUS, United States); Yara detected WildPressure; Terminal -> login -> bash -> python/Python (2 created files) -> sh -> uname, sh -> launchctl, Python -> launchctl (plus 3 other processes); bash -> path_helper; bash -> touch (1 created file); bash -> mkdir; xpcproxy -> python/Python (1 created file) -> sh -> uname, Python -> launchctl (twice).


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs


    Public

    IP: 17.57.146.21
    Domain: unknown
    Country: United States
    ASN: 714
    ASN Name: APPLE-ENGINEERINGUS
    Malicious: false

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
    Process:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):453
    Entropy (8bit):5.06657532790356
    Encrypted:false
    SSDEEP:12:TMHd4+tJVEdQsv9SUlfVegXqOf/fpXf6X6NPfHu:2d6ysvBPzm
    MD5:B35AFD2D2D5D8CFE077105210B9CDF4D
    SHA1:8D9D3B6C26266CE079B38E20868A957486307338
    SHA-256:19187B64335830FE8AC6B65D20F86E9CF33D60C4E6B9BAA8FA83FBEBDC5ED3D9
    SHA-512:F3C216CB4C1942195FEBF4B72F047EEC7F091A5488A7AE7938D6E206F402F551948B6D129A3C14E2941BE9A02B5FD07A7FF6CA49F9160D065D1E70C7E0F41EC6
    Malicious:false
    Reputation:low
    Preview: <?xml version="1.0" encoding="UTF-8"?>..<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">..<plist version="1.0">..<dict>.. <key>Label</key>.. <string>apple.scriptzxy.plist</string>.. <key>ProgramArguments</key>.. <array>.. <string>/usr/bin/python</string>.. <string>/Users/ben/Desktop/Guard.py</string>.. </array>.. <key>KeepAlive</key>.. <true/>..</dict>..</plist>
    /Users/ben/glocked.tmp
    Process:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):20
    Entropy (8bit):2.8393538721672007
    Encrypted:false
    SSDEEP:3:YVhUcURr:YLa
    MD5:E9F7B9A08EFA61B96B651D38DAEA5DB7
    SHA1:B47D94F6C950090696F69323FCBCC39A59253B8F
    SHA-256:CCB4560876F74B9F95F3D39EE1F7BFA02591589C16F655C80E6B665222562140
    SHA-512:9B62224E74D1900E81AFF95C53CEBAA77F8F00C89FDF7FD8AE009C876C3E243B80DD63C5B864E3EA6CC1FEE69AEBF46FAFA3D91D1F6166825AE67DA11E059155
    Malicious:false
    Reputation:low
    Preview: 061f0d0a01030c19140d
    /dev/ttys000
    Process:/bin/bash
    File Type:ASCII text, with escape sequences
    Category:dropped
    Size (bytes):253
    Entropy (8bit):4.874058389807945
    Encrypted:false
    SSDEEP:6:qEMKET7eCexw+iMKETXAfVAiCeWipErMKETXAfVAiCeWiK:Pc7enxic1inW2EVc1inWB
    MD5:16E39173708E5480255DFBBE0C1661F9
    SHA1:4D945F75EF7D49EAEAA17B65145D43AD2D16AF4A
    SHA-256:57B9BD83410BCDF7767C123E9FFA67CF19D01A6E2254A78F338C82BFF7FCFF66
    SHA-512:B7B40FD18B1BE2A4BA01AFBE1E4FF2C1E0C0E9BC8AA07C915BFE295B3CF4CD62B9A4A37314A605FBF50821CA018F1914020767F42AC04CAE5FED4656524C6EC5
    Malicious:false
    Reputation:low
    Preview: .]7;file://bens-Mac-mini.local/Users/ben..[?1034hbens-Mac-mini:~ ben$ cd Desktop/..]7;file://bens-Mac-mini.local/Users/ben/Desktop.bens-Mac-mini:Desktop ben$ py.t.hon Guard.py ..]7;file://bens-Mac-mini.local/Users/ben/Desktop.bens-Mac-mini:Desktop ben$
    /private/var/run/utmpx
    Process:/usr/bin/login
    File Type:data
    Category:dropped
    Size (bytes):628
    Entropy (8bit):0.35801480786883905
    Encrypted:false
    SSDEEP:3:nV2illylyJ6H//ll:nEilly40H//
    MD5:C30E8FAF9B4152B692E17677478D3DA8
    SHA1:3E5D785027C89F0B75696FE80408EC7F4EFCEBF9
    SHA-256:1AA0E26C40D0153D4E799089EE7E39A5CFE2D71A529303F6BD36BC69908A1AFC
    SHA-512:C0A02857531169AB68878DAFA97478C7E04286DEAE2806A8F7745D19950167D53AF21DFEC973BE8208B930205AEE570C615CBB966D202DCF54198A8E8BDA7B51
    Malicious:false
    Reputation:low
    Preview: ben.............................................................................................................................................................................................................................................................s000ttys000.................................vb.`....................................................................................................................................................................................................................................................................................................................................

    Static File Info

    General

    File type:Python script, ASCII text executable, with very long lines, with CRLF line terminators
    Entropy (8bit):4.542893708708479
    TrID:
      File name:Guard.py
      File size:61283
      MD5:5544ef6de35ae95ecdc458f4ff3803d6
      SHA1:232206eff46b7ac78e68d8a84c65713749209743
      SHA256:1448f34fcde1e6d7df000c38a61c3dd6d5fd304f9ad60cadfa3deb875b6b088f
      SHA512:066a9c473e99165f0e6251a52ee9e308683418778965c18a17c7a2f72679e974efb42118e54423c783b3a5c34b3abe1dc836979000b367f837ad70b171a272f4
      SSDEEP:768:6lnGgg6UlD9Sw3tF9+26B2mUK4Des9hr9aBd0hY418TPpzNNs9bRyW:6lnTg6U/5R+26Bqb3hu418TBBNkFyW
      File Content Preview:import os..import threading..from abc import ABCMeta, abstractmethod..import random..import binascii..from xml.etree.ElementTree import SubElement, XML, Element, tostring..import sys..import urllib..import urllib2..import string..import subprocess..import

      Network Behavior

      Network Port Distribution

      TCP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Jul 9, 2021 14:54:16.426594973 CEST | 49225 | 5223 | 192.168.0.51 | 17.57.146.21
      Jul 9, 2021 14:54:16.443608046 CEST | 5223 | 49225 | 17.57.146.21 | 192.168.0.51
      Jul 9, 2021 14:54:16.443895102 CEST | 49225 | 5223 | 192.168.0.51 | 17.57.146.21

      System Behavior

      General

      Start time:14:51:33
      Start date:09/07/2021
      Path:/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
      Arguments:n/a
      File size:1156656 bytes
      MD5 hash:a4bebc8ebbc11f7d16f489163827b3ff

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/usr/bin/login
      Arguments:login -pf ben
      File size:76288 bytes
      MD5 hash:5d62c3fb21c0d809c90674223d2629f5

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/usr/bin/login
      Arguments:n/a
      File size:76288 bytes
      MD5 hash:5d62c3fb21c0d809c90674223d2629f5

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/bin/bash
      Arguments:-bash
      File size:618416 bytes
      MD5 hash:0313fd399b143fc40cd52a1679018305

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/bin/bash
      Arguments:n/a
      File size:618416 bytes
      MD5 hash:0313fd399b143fc40cd52a1679018305

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/bin/bash
      Arguments:n/a
      File size:618416 bytes
      MD5 hash:0313fd399b143fc40cd52a1679018305

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/usr/libexec/path_helper
      Arguments:/usr/libexec/path_helper -s
      File size:18992 bytes
      MD5 hash:0403286476d3e8908d852969c2188790

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/bin/bash
      Arguments:n/a
      File size:618416 bytes
      MD5 hash:0313fd399b143fc40cd52a1679018305

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/bin/mkdir
      Arguments:mkdir -m 700 -p /Users/ben/.bash_sessions
      File size:18592 bytes
      MD5 hash:0948c3e8dfd7f3d3628ca8b819092ccf

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/bin/bash
      Arguments:n/a
      File size:618416 bytes
      MD5 hash:0313fd399b143fc40cd52a1679018305

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/bin/bash
      Arguments:n/a
      File size:618416 bytes
      MD5 hash:0313fd399b143fc40cd52a1679018305

      General

      Start time:14:51:34
      Start date:09/07/2021
      Path:/usr/bin/touch
      Arguments:/usr/bin/touch /Users/ben/.bash_sessions/1476C622-8CCC-456D-9F74-6FE7755942D0.historynew
      File size:23392 bytes
      MD5 hash:b1fc3a8e0ae32021b9f29be4ff196129

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/bin/bash
      Arguments:n/a
      File size:618416 bytes
      MD5 hash:0313fd399b143fc40cd52a1679018305

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/Library/Frameworks/Python.framework/Versions/2.7/bin/python
      Arguments:python Guard.py
      File size:25624 bytes
      MD5 hash:be65ae5f9bd784375fd70bec94da6a60

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
      Arguments:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python Guard.py
      File size:24960 bytes
      MD5 hash:8fedf0b5ee3045d5621b0518e9a4b375

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/bin/sh
      Arguments:n/a
      File size:618480 bytes
      MD5 hash:348affb69862798fd7b2f8874437f649

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/bin/sh
      Arguments:n/a
      File size:618480 bytes
      MD5 hash:348affb69862798fd7b2f8874437f649

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/usr/bin/uname
      Arguments:uname -p
      File size:18432 bytes
      MD5 hash:a1c51069ef3a88caedd3a7739941aaef

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
      Arguments:n/a
      File size:24960 bytes
      MD5 hash:8fedf0b5ee3045d5621b0518e9a4b375

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/bin/launchctl
      Arguments:launchctl list
      File size:121296 bytes
      MD5 hash:3e04cf4fe184467aa2dbf4e4d5c72f3d

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
      Arguments:n/a
      File size:24960 bytes
      MD5 hash:8fedf0b5ee3045d5621b0518e9a4b375

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/bin/launchctl
      Arguments:launchctl list
      File size:121296 bytes
      MD5 hash:3e04cf4fe184467aa2dbf4e4d5c72f3d

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
      Arguments:n/a
      File size:24960 bytes
      MD5 hash:8fedf0b5ee3045d5621b0518e9a4b375

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/bin/launchctl
      Arguments:launchctl list
      File size:121296 bytes
      MD5 hash:3e04cf4fe184467aa2dbf4e4d5c72f3d

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/bin/sh
      Arguments:n/a
      File size:618480 bytes
      MD5 hash:348affb69862798fd7b2f8874437f649

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/bin/launchctl
      Arguments:launchctl load -w /Users/ben/Library/LaunchAgents/com.apple.pyapple.plist
      File size:121296 bytes
      MD5 hash:3e04cf4fe184467aa2dbf4e4d5c72f3d

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
      Arguments:n/a
      File size:24960 bytes
      MD5 hash:8fedf0b5ee3045d5621b0518e9a4b375

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/bin/launchctl
      Arguments:launchctl list
      File size:121296 bytes
      MD5 hash:3e04cf4fe184467aa2dbf4e4d5c72f3d

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/usr/libexec/xpcproxy
      Arguments:n/a
      File size:44048 bytes
      MD5 hash:4782e7ebd2985d32bc84f1f71c8f8fb7

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/usr/bin/python
      Arguments:/usr/bin/python /Users/ben/Desktop/Guard.py
      File size:66880 bytes
      MD5 hash:ec07cbbd621933f37e0141118a5b0bac

      General

      Start time:14:51:54
      Start date:09/07/2021
      Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
      Arguments:/usr/bin/python /Users/ben/Desktop/Guard.py
      File size:51744 bytes
      MD5 hash:7058b515356cdcf3fada0e8d34926c7d

      General

      Start time:14:51:55
      Start date:09/07/2021
      Path:/bin/sh
      Arguments:n/a
      File size:618480 bytes
      MD5 hash:348affb69862798fd7b2f8874437f649

      General

      Start time:14:51:55
      Start date:09/07/2021
      Path:/bin/sh
      Arguments:n/a
      File size:618480 bytes
      MD5 hash:348affb69862798fd7b2f8874437f649

      General

      Start time:14:51:55
      Start date:09/07/2021
      Path:/usr/bin/uname
      Arguments:uname -p
      File size:18432 bytes
      MD5 hash:a1c51069ef3a88caedd3a7739941aaef

      General

      Start time:14:51:55
      Start date:09/07/2021
      Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
      Arguments:n/a
      File size:51744 bytes
      MD5 hash:7058b515356cdcf3fada0e8d34926c7d

      General

      Start time:14:51:55
      Start date:09/07/2021
      Path:/bin/launchctl
      Arguments:launchctl list
      File size:121296 bytes
      MD5 hash:3e04cf4fe184467aa2dbf4e4d5c72f3d

      General

      Start time:14:51:55
      Start date:09/07/2021
      Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
      Arguments:n/a
      File size:51744 bytes
      MD5 hash:7058b515356cdcf3fada0e8d34926c7d

      General

      Start time:14:51:55
      Start date:09/07/2021
      Path:/bin/launchctl
      Arguments:launchctl list
      File size:121296 bytes
      MD5 hash:3e04cf4fe184467aa2dbf4e4d5c72f3d