Analysis Report Meeting_Agenda.zip
Overview
General Information | |
---|---|
Joe Sandbox Version: | 25.0.0 |
Analysis ID: | 66291 |
Start date: | 24.12.2018 |
Start time: | 09:33:49 |
Joe Sandbox Product: | Cloud |
Overall analysis duration: | 0h 6m 0s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Meeting_Agenda.zip |
Cookbook file name: | defaultmacfilecookbook.jbs |
Analysis system description: | Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25) |
Detection: | MAL |
Classification: | mal60.troj.evad.macZIP@0/11@5/0 |
Detection |
---|
Strategy | Score | Range | Reporting | Whitelisted | Detection |
---|---|---|---|---|---|
Threshold | 60 | 0 - 100 | Report FP / FN | false | |
Classification |
---|
Analysis Advice |
---|
None of the domains contacted by the sample resolve. The sample is likely an old dropper that no longer works. |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control |
---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting1 | Hidden Files and Directories21 | Port Monitors | Hidden Files and Directories21 | Credential Dumping | System Information Discovery11 | Application Deployment Software | Data from Local System | Data Compressed | Standard Non-Application Layer Protocol1 |
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Scripting1 | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote Access Tools1 |
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Code Signing2 | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol11 |
Signature Overview |
---|
Networking: |
---|
Connects to IPs without corresponding DNS lookups |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | TCP traffic detected without corresponding DNS query: |
Tries to resolve domain names, but no domain seems valid (expired dropper behavior) |
Source: | DNS traffic detected: |
Source: | DNS traffic detected: |
Performs DNS lookups |
Source: | DNS traffic detected: |
System Summary: |
---|
Classification label |
Source: | Classification label: |
Persistence and Installation Behavior: |
---|
Writes Mach-O files to untypical directories |
Source: | 64-bit Mach-O written to unusual path: |
Changes permissions of written Mach-O files |
Source: | Permissions modified for written 64-bit Mach-O /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode: |
Creates hidden files, links and/or directories |
Source: | Hidden file created: |
Executes commands using a shell command-line interpreter |
Source: | Shell command executed: |
Executes the "curl" command used to transfer data via the network (typically using HTTP/S) |
Source: | Curl executable: |
Opens applications that may have been created by the sample |
Source: | Application opened: |
Reads launchservices plist files |
Source: | Launchservices plist file read: |
Source: | Launchservices plist file read: |
Source: | Launchservices plist file read: |
Source: | Launchservices plist file read: |
Source: | Launchservices plist file read: |
Reads user launchservices plist file containing default apps for corresponding file types |
Source: | Preferences launchservices plist file read: |
Source: | Preferences launchservices plist file read: |
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour) |
Source: | CFNetwork info plist opened: |
Writes 64-bit Mach-O files to disk |
Source: | File written: |
Writes RTF files to disk |
Source: | File written: |
Writes icon files to disk |
Source: | File written: |
App bundle is code signed |
Source: | CodeResources XML file: |
Source: | CodeResources XML file: |
Submitted sample is a bundle that is signed |
Source: | CodeSignature CodeResources file read: |
Source: | CodeSignature CodeResources file read: |
Uses AppleKeyboardLayouts bundle containing keyboard layouts |
Source: | AppleKeyboardLayouts info plist opened: |
Source: | AppleKeyboardLayouts info plist opened: |
Writes property list (.plist) files to disk |
Source: | XML plist file created: |
Source: | XML plist file created: |
Source: | Binary plist file created: |
Hooking and other Techniques for Hiding and Protection: |
---|
Contains functionality to launch an application without a Dock icon (i.e. hidden from the user) |
Source: | XML plist file created with NSUIElement = 1: |
Contains functionality to register custom URL schemes (potentially used for hidden execution via browsers) |
Source: | XML plist file created with CFBundleURLSchemes: |
Language, Device and Operating System Detection: |
---|
Reads the system's hostname |
Source: | Sysctl requested: |
Source: | Sysctl requested: |
Reads the system or server version plist file |
Source: | System or server version plist file read: |
Source: | System or server version plist file read: |
Source: | System or server version plist file read: |
Remote Access Functionality: |
---|
Detected macOS WindTail |
Source: | IOC file dropped: |
Runtime Messages |
---|
Command: | open |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: |
Behavior Graph |
---|
Yara Overview |
---|
Antivirus Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Screenshots |
---|
Startup |
---|
Created / dropped Files |
---|
Process: | /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 1810 |
Entropy (8bit): | 5.130244541175711 |
Encrypted: | false |
MD5: | 34D8507FA6AF3F52C4261459135815EF |
SHA1: | 49607CD7D1EF6BDB8387CC8522DEAFC8452D1564 |
SHA-256: | 1ED70921FE4C0DF16031054A9ED835053B3657084D15CE7E1DE68BDDCC88CEE5 |
SHA-512: | 485BEBDBF797F5A9191DF6856661C19240703741D2604A45E64ADE87C426ADE21BC63428D6F96AE3C879CDC3D0BAD3804308D741E84C4254A3809EC5C126342D |
Malicious: | true |
Reputation: | low |
Process: | /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 109376 |
Entropy (8bit): | 5.787503965793262 |
Encrypted: | false |
MD5: | C211DFF0D9ECFF416A1BF5A588EC2D5D |
SHA1: | 1AA298A15E1A74B93F6C1B6F88A4CA9C245BF896 |
SHA-256: | 842F8D9ACC11438DEF811F07EBAD5BC675DFFFBCF491F5F04209D31CCD6D18E5 |
SHA-512: | 3B72D233A9B1296B14ACA376B069E18CE95B0BEEA3F593B577CFA846D77081848B73C65F8CA6B98AA7F066D2BFF1A4205E51A6C514B67F390D0F159E545EB9EA |
Malicious: | true |
Reputation: | low |
Process: | /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 8 |
Entropy (8bit): | 1.75 |
Encrypted: | false |
MD5: | 23B7D7D024ABB0F558420E098800BF27 |
SHA1: | 9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31 |
SHA-256: | 82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0 |
SHA-512: | F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C |
Malicious: | false |
Reputation: | low |
Process: | /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 16 |
Entropy (8bit): | 3.0306390622295662 |
Encrypted: | false |
MD5: | 3A03271C6A1394968ED69B46BFDD3515 |
SHA1: | 6A199ED458DE7729B3A6F6B61A73A9CA69A6372A |
SHA-256: | 6355AF909AA663850F9B722981630DEAF70F1C683A3F275FA1EC3E682EBBCE44 |
SHA-512: | 63B6DC7B78110228284735127BEE085DCDA8428374BB476FAF206AF86E8AA9AA37893FE722B8C0D355E166DDD8AF27468C87324C7BE72A467D72086F177D97E3 |
Malicious: | false |
Reputation: | low |
Process: | /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 227766 |
Entropy (8bit): | 7.736381501953322 |
Encrypted: | false |
MD5: | 1CF99B2FA4C1BDF355824FC49025D3E5 |
SHA1: | 7A6806C824EAF06D15906A6585019209AA07468A |
SHA-256: | B743C0443BB9B3D4AE6E13609F2CECAFF0CAB9D9B89837B805B4D03122DA0D6E |
SHA-512: | 5DB375621C9AA8B12B4CC6DA2D62F9AC1098A30887C9746B131E831EB4F61CA02371B38932501AB94965BF672E567BA8F7AEA0FC434A4408ABED8150DC1E38A9 |
Malicious: | false |
Reputation: | low |
Process: | /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 436 |
Entropy (8bit): | 4.962904598670011 |
Encrypted: | false |
MD5: | F0D4A61CAF597423FF07C5E9B24A345E |
SHA1: | 60A248148B319DE26E36424D25021C2488E23CE8 |
SHA-256: | B4386FE1CEF65CD91E6C8ECC065D117089083F91B7CADBF0C3E5EAE20E8B9640 |
SHA-512: | E361011499CF70FC71E247FDDA71F49D913654A983AA4AE67D00DC977E53B9CF0D88D4D2AC07EFE248261C3AB6E3345E829E22DDA3E51DCCC221A94C660ACE69 |
Malicious: | false |
Reputation: | low |
Process: | /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 92 |
Entropy (8bit): | 3.2610300066712608 |
Encrypted: | false |
MD5: | 51EF59B60E5B41B91519CC662A9FE886 |
SHA1: | 3222CA0C39EB50AAF8126BAF852E55430C4718AF |
SHA-256: | 39CF2EE07B7B333E7C179D0BF4D798A5B72AF6A4E584F51E642703BBFA4FC828 |
SHA-512: | 3952A908B72D44040F5072F6344F6327FC78981C3AA55E931ACAE84C0C9BCC0D148991CD564AF4803765C328CBF5F7EFE9EB558FC56E47E8206B7B706026F30A |
Malicious: | false |
Reputation: | low |
Process: | /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 1183 |
Entropy (8bit): | 6.409092690797022 |
Encrypted: | false |
MD5: | 01C8F3B137E4FF4EB3F1547AE7503B24 |
SHA1: | 137805C46825A28DC007229B9995B4FEFCA252D6 |
SHA-256: | 5DBF8A652E848D0D102A86E1F07BEF1937ED39F149ED123579EA45F36FBBF5D2 |
SHA-512: | 428121AD3308293F6E7621015FC913276166D3667F25E976D3609A657D5FE3769F64C054B2062760312C988FE29F7861C908EC7808BEF2DE5BC6942E2869B841 |
Malicious: | false |
Reputation: | low |
Process: | /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 3214 |
Entropy (8bit): | 4.961458379982957 |
Encrypted: | false |
MD5: | 48845BD7B264E458CA47855981E44818 |
SHA1: | C22AEF8AD246A7C05345556B8ED17E4DCBD90B72 |
SHA-256: | A0A47E9C1A5A79AFC68324B11BA7462B88C966D9FD708550A24358DF87AF4DE9 |
SHA-512: | 4E844C5A65A525683E203F737670DD1545AB08C51C1BB92F32D155A48A996F51513BD5815534999AE73925B1E87BE6C27117787709E02D9E8DEA967792E96924 |
Malicious: | false |
Reputation: | low |
Process: | /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode |
File Type: | |
Size (bytes): | 63 |
Entropy (8bit): | 4.8322169792551914 |
Encrypted: | false |
MD5: | B2C5D0885B31377CDC574C3E82B61B99 |
SHA1: | F5085653F6B01F44FC1A8939AFC72AE7F454AFE9 |
SHA-256: | 6E06A818BE46110A80BAF3DBD0E893C9A01847E2BF3882B476D76387973A28BF |
SHA-512: | 517F58CF309FB20BFE9CAB932AF52B66BC43BA0DD17EF9DFD9D892DC01ADB01E355CB88935420DE2EF53028305404EE166F00252FB8D71139CAA6616AD5BF845 |
Malicious: | false |
Reputation: | low |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
string2me.com | unknown | unknown | false | unknown | |
flux2key.com | unknown | unknown | false | unknown | |
Contacted IPs |
---|
Public |
---|
IP | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|
17.253.55.204 | United States | 6185 | APPLE-AUSTIN-AppleIncUS | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.994905888951247 |
TrID: | |
File name: | Meeting_Agenda.zip |
File size: | 252284 |
MD5: | 36284fdcd2c9cf53973adcae9d5144d1 |
SHA1: | 4613f5b1e172cb08d6a2e7f2186e2fdd875b24e5 |
SHA256: | ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e |
SHA512: | 9f0fbca947e0fbe11455ec58cecdb4b5038f35c55de2cb777d4ed44ca7d60088ce85d77527ea5bf56a7785a00a82686219b7b79694a06fefd10be5670e2c90c3 |
SSDEEP: | 6144:KDY6w9qtblTi2V1UIQ70PtsTKGVwb+3G8DwiP:KDTttZVCIU0Pt+K4wb+W8DD |
File Content Preview: | PK..........7J................Meeting_Agenda.app/UX.....XX..X....PK........3.7J................Meeting_Agenda.app/Contents/UX.....X...X....PK........3.7J............+...Meeting_Agenda.app/Contents/_CodeSignature/UX.....X...X....PK........3.7J............8 |
Static App Info |
---|
General Information | |
---|---|
Package Info: | |
Property List File: | |
Resources |
---|
Name | Type |
---|---|
Info.plist | XML document text |
PkgInfo | ASCII text, with no line terminators |
usrnode | Mach-O 64-bit executable |
WXBN.icns | data |
Credits.rtf | Rich Text Format data, unknown version |
InfoPlist.strings | Little-endian UTF-16 Unicode C program text |
MainMenu.nib | Apple binary property list |
CodeResources | XML document text |
Static Mach Info |
---|
General Information for header0 | |
---|---|
Endian: | |
Size: | |
Architecture: | |
Filetype: | |
Nbr. of load commands: | |
segment_command_64 |
---|
Name | Value |
---|---|
segname | __PAGEZERO |
fileoff | 0 |
maxprot | 0 |
vmsize | 4294967296 |
nsects | 0 |
flags | 0 |
filesize | 0 |
vmaddr | 0 |
initprot | 0 |
segment_command_64 |
---|
Name | Value |
---|---|
segname | __TEXT |
fileoff | 0 |
maxprot | 7 |
vmsize | 77824 |
nsects | 11 |
flags | 0 |
filesize | 77824 |
vmaddr | 4294967296 |
initprot | 5 |
Sections of __TEXT (reloff, nreloc and reserved3 are 0 for every section) |
---|
sectname | addr | offset | size | align | flags | reserved1 | reserved2 |
---|---|---|---|---|---|---|---|
__text | 4294974600 | 7304 | 31843 | 2 | 2147484672 | 0 | 0 |
__stubs | 4295006444 | 39148 | 498 | 1 | 2147484680 | 0 | 6 |
__stub_helper | 4295006944 | 39648 | 846 | 2 | 2147484672 | 0 | 0 |
__objc_methname | 4295007790 | 40494 | 5216 | 0 | 2 | 0 | 0 |
__cstring | 4295013008 | 45712 | 2383 | 4 | 2 | 0 | 0 |
__ustring | 4295015392 | 48096 | 142 | 1 | 0 | 0 | 0 |
__objc_classname | 4295015534 | 48238 | 172 | 0 | 2 | 0 | 0 |
__objc_methtype | 4295015706 | 48410 | 1369 | 0 | 2 | 0 | 0 |
__const | 4295017088 | 49792 | 20912 | 4 | 0 | 0 | 0 |
__unwind_info | 4295038000 | 70704 | 480 | 2 | 0 | 0 | 0 |
__eh_frame | 4295038480 | 71184 | 6632 | 3 | 0 | 0 | 0 |
segment_command_64 |
---|
Name | Value |
---|---|
segname | __DATA |
fileoff | 77824 |
maxprot | 7 |
vmsize | 16384 |
nsects | 20 |
flags | 0 |
filesize | 12288 |
vmaddr | 4295045120 |
initprot | 3 |
Sections of __DATA (reloff, nreloc and reserved3 are 0 for every section) |
---|
sectname | addr | offset | size | align | flags | reserved1 | reserved2 |
---|---|---|---|---|---|---|---|
__program_vars | 4295045120 | 77824 | 40 | 3 | 0 | 0 | 0 |
__nl_symbol_ptr | 4295045160 | 77864 | 16 | 3 | 6 | 83 | 0 |
__got | 4295045176 | 77880 | 80 | 3 | 6 | 85 | 0 |
__la_symbol_ptr | 4295045256 | 77960 | 664 | 3 | 7 | 95 | 0 |
__cfstring | 4295045920 | 78624 | 2080 | 3 | 0 | 0 | 0 |
__objc_classlist | 4295048000 | 80704 | 40 | 3 | 268435456 | 0 | 0 |
__objc_nlclslist | 4295048040 | 80744 | 8 | 3 | 268435456 | 0 | 0 |
__objc_catlist | 4295048048 | 80752 | 40 | 3 | 268435456 | 0 | 0 |
__objc_protolist | 4295048088 | 80792 | 40 | 3 | 0 | 0 | 0 |
__objc_imageinfo | 4295048128 | 80832 | 8 | 2 | 0 | 0 | 0 |
__objc_const | 4295048136 | 80840 | 6056 | 3 | 0 | 0 | 0 |
__objc_selrefs | 4295054192 | 86896 | 1480 | 3 | 268435461 | 0 | 0 |
__objc_protorefs | 4295055672 | 88376 | 16 | 3 | 0 | 0 | 0 |
__objc_classrefs | 4295055688 | 88392 | 248 | 3 | 268435456 | 0 | 0 |
__objc_superrefs | 4295055936 | 88640 | 24 | 3 | 268435456 | 0 | 0 |
__objc_ivar | 4295055960 | 88664 | 248 | 3 | 0 | 0 | 0 |
__objc_data | 4295056208 | 88912 | 480 | 3 | 0 | 0 | 0 |
__data | 4295056688 | 89392 | 464 | 3 | 0 | 0 | 0 |
__common | 4295057152 | 0 | 40 | 3 | 1 | 0 | 0 |
__bss | 4295057200 | 0 | 1025 | 4 | 1 | 0 | 0 |
segment_command_64 |
---|
Name | Value |
---|---|
segname | __LINKEDIT |
fileoff | 90112 |
maxprot | 7 |
vmsize | 20480 |
nsects | 0 |
flags | 0 |
filesize | 19264 |
vmaddr | 4295061504 |
initprot | 1 |
dyld_info_command |
---|
Name | Value |
---|---|
rebase_off | 90112 |
rebase_size | 368 |
bind_off | 90480 |
bind_size | 1448 |
weak_bind_off | 91928 |
weak_bind_size | 16 |
lazy_bind_off | 91944 |
lazy_bind_size | 1808 |
export_off | 93752 |
export_size | 192 |
symtab_command |
---|
Name | Value |
---|---|
symoff | 94160 |
nsyms | 127 |
stroff | 96904 |
strsize | 2344 |
dysymtab_command |
---|
Name | Value |
---|---|
ilocalsym | 0 |
nlocalsym | 1 |
iextdefsym | 1 |
nextdefsym | 1 |
iundefsym | 2 |
nundefsym | 125 |
tocoff | 0 |
ntoc | 0 |
modtaboff | 0 |
nmodtab | 0 |
extrefsymoff | 0 |
nextrefsyms | 0 |
indirectsymoff | 96192 |
nindirectsyms | 178 |
extreloff | 0 |
nextrel | 0 |
locreloff | 0 |
nlocrel | 0 |
dylinker_command |
---|
Name | Value | Data |
---|---|---|
name | 12 | /usr/lib/dyld |
uuid_command |
---|
Name | Value |
---|---|
uuid | 0c515d6269c53afe9f017105626230fe |
version_min_command |
---|
Name | Value |
---|---|
version | 657152 |
reserved | 657920 |
dylib_command (9 load commands) |
---|
name (offset 24) | timestamp | current_version | compatibility_version |
---|---|---|---|
/usr/lib/libcrypto.0.9.8.dylib | Thu Jan 01 01:00:02 1970 | 2312.0.0 | 2312.0.0 |
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa | Thu Jan 01 01:00:02 1970 | 0.21.0 | 0.1.0 |
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation | Thu Jan 01 01:00:02 1970 | 5120.129.4 | 0.44.1 |
/usr/lib/libobjc.A.dylib | Thu Jan 01 01:00:02 1970 | 0.228.0 | 0.1.0 |
/usr/lib/libstdc++.6.dylib | Thu Jan 01 01:00:02 1970 | 256.104.0 | 0.7.0 |
/usr/lib/libSystem.B.dylib | Thu Jan 01 01:00:02 1970 | 0.189.4 | 0.1.0 |
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit | Thu Jan 01 01:00:02 1970 | 14592.67.5 | 0.45.0 |
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation | Thu Jan 01 01:00:02 1970 | 4608.129.4 | 0.150.0 |
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices | Thu Jan 01 01:00:02 1970 | 0.62.0 | 0.1.0 |
linkedit_data_command (3 load commands) |
---|
dataoff | datasize |
---|---|
93944 | 216 |
94160 | 0 |
99248 | 10128 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dez 24, 2018 09:34:58.404784918 MEZ | 56981 | 53 | 192.168.0.50 | 8.8.8.8 |
Dez 24, 2018 09:34:58.409457922 MEZ | 53 | 56981 | 8.8.8.8 | 192.168.0.50 |
Dez 24, 2018 09:34:58.622513056 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.8.8 |
Dez 24, 2018 09:34:59.259896994 MEZ | 50843 | 53 | 192.168.0.50 | 8.8.8.8 |
Dez 24, 2018 09:34:59.469114065 MEZ | 53 | 50843 | 8.8.8.8 | 192.168.0.50 |
Dez 24, 2018 09:34:59.469690084 MEZ | 50843 | 53 | 192.168.0.50 | 8.8.4.4 |
Dez 24, 2018 09:34:59.627952099 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.8.8 |
Dez 24, 2018 09:34:59.679302931 MEZ | 53 | 50843 | 8.8.4.4 | 192.168.0.50 |
Dez 24, 2018 09:34:59.835935116 MEZ | 53 | 55248 | 8.8.8.8 | 192.168.0.50 |
Dez 24, 2018 09:34:59.836395979 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.4.4 |
Dez 24, 2018 09:35:00.049880981 MEZ | 53 | 55248 | 8.8.4.4 | 192.168.0.50 |
Dez 24, 2018 09:35:20.063322067 MEZ | 49236 | 80 | 192.168.0.50 | 17.253.55.204 |
Dez 24, 2018 09:35:20.074521065 MEZ | 80 | 49236 | 17.253.55.204 | 192.168.0.50 |
Dez 24, 2018 09:35:20.074728966 MEZ | 49236 | 80 | 192.168.0.50 | 17.253.55.204 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dez 24, 2018 09:34:58.404784918 MEZ | 56981 | 53 | 192.168.0.50 | 8.8.8.8 |
Dez 24, 2018 09:34:58.409457922 MEZ | 53 | 56981 | 8.8.8.8 | 192.168.0.50 |
Dez 24, 2018 09:34:58.622513056 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.8.8 |
Dez 24, 2018 09:34:59.259896994 MEZ | 50843 | 53 | 192.168.0.50 | 8.8.8.8 |
Dez 24, 2018 09:34:59.469114065 MEZ | 53 | 50843 | 8.8.8.8 | 192.168.0.50 |
Dez 24, 2018 09:34:59.469690084 MEZ | 50843 | 53 | 192.168.0.50 | 8.8.4.4 |
Dez 24, 2018 09:34:59.627952099 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.8.8 |
Dez 24, 2018 09:34:59.679302931 MEZ | 53 | 50843 | 8.8.4.4 | 192.168.0.50 |
Dez 24, 2018 09:34:59.835935116 MEZ | 53 | 55248 | 8.8.8.8 | 192.168.0.50 |
Dez 24, 2018 09:34:59.836395979 MEZ | 55248 | 53 | 192.168.0.50 | 8.8.4.4 |
Dez 24, 2018 09:35:00.049880981 MEZ | 53 | 55248 | 8.8.4.4 | 192.168.0.50 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Dez 24, 2018 09:34:58.622513056 MEZ | 192.168.0.50 | 8.8.8.8 | 0x47bb | Standard query (0) | | A (IP address) | IN (0x0001) |
Dez 24, 2018 09:34:59.259896994 MEZ | 192.168.0.50 | 8.8.8.8 | 0x5aa1 | Standard query (0) | | A (IP address) | IN (0x0001) |
Dez 24, 2018 09:34:59.469690084 MEZ | 192.168.0.50 | 8.8.4.4 | 0x5aa1 | Standard query (0) | | A (IP address) | IN (0x0001) |
Dez 24, 2018 09:34:59.627952099 MEZ | 192.168.0.50 | 8.8.8.8 | 0x47bb | Standard query (0) | | A (IP address) | IN (0x0001) |
Dez 24, 2018 09:34:59.836395979 MEZ | 192.168.0.50 | 8.8.4.4 | 0x47bb | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Dez 24, 2018 09:34:59.469114065 MEZ | 8.8.8.8 | 192.168.0.50 | 0x5aa1 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) |
Dez 24, 2018 09:34:59.679302931 MEZ | 8.8.4.4 | 192.168.0.50 | 0x5aa1 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) |
Dez 24, 2018 09:34:59.835935116 MEZ | 8.8.8.8 | 192.168.0.50 | 0x47bb | Server failure (2) | | none | none | A (IP address) | IN (0x0001) |
Dez 24, 2018 09:35:00.049880981 MEZ | 8.8.4.4 | 192.168.0.50 | 0x47bb | Server failure (2) | | none | none | A (IP address) | IN (0x0001) |
System Behavior |
---|
Start time | Start date | Path | File size | MD5 hash |
---|---|---|---|---|
09:34:56 | 24/12/2018 | /usr/libexec/xpcproxy | 43488 bytes | d1bb9a4899f0af921e8188218b20d744 |
09:34:56 | 24/12/2018 | /Users/henry/Desktop/unpack/Meeting_Agenda.app/Contents/MacOS/usrnode | 109376 bytes | c211dff0d9ecff416a1bf5a588ec2d5d |
09:34:57 | 24/12/2018 | /bin/sh | 618512 bytes | 8aa60b22a5d30418a002b340989384dc |
09:34:57 | 24/12/2018 | /usr/bin/open | 105952 bytes | 40ed6d8f35c9f20484b97582d296398f |
09:34:57 | 24/12/2018 | /usr/libexec/xpcproxy | 43488 bytes | d1bb9a4899f0af921e8188218b20d744 |
09:34:57 | 24/12/2018 | /Users/henry/Library/Meeting_Agenda.app/Contents/MacOS/usrnode | 109376 bytes | c211dff0d9ecff416a1bf5a588ec2d5d |
09:34:57 | 24/12/2018 | /usr/bin/curl | 185104 bytes | 078cd73f58d3d8f875eed22522ff73f7 |