Analysis Report M4BfJpvkrT

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:78343
Start date:21.06.2019
Start time:14:57:12
Joe Sandbox Product:Cloud
Overall analysis duration:0h 3m 57s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:M4BfJpvkrT
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection:MAL
Classification:mal68.troj.evad.mac@0/4@0/0

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 68 | 0 - 100 | Report FP / FN | false | malicious

Classification

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Hidden Files and Directories 21 | Port Monitors | Hidden Files and Directories 21 | Input Capture 1 | System Service Discovery | Application Deployment Software | Input Capture 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Service Execution | Launch Agent 3 | Accessibility Features | Binary Padding | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote Access Tools 1
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 1

Signature Overview

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown; TCP traffic detected without corresponding DNS query: 89.34.111.113 (reported 21 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 17.57.146.20 (reported 2 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 17.188.166.11 (reported 2 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 17.253.57.212 (reported 2 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 2.20.214.243 (reported 2 times)
Contains symbols related to proxy configuration
Source: symbol; Static MACH information: _CFNetworkCopyProxiesForURL
Source: symbol; Static MACH information: _CFNetworkExecuteProxyAutoConfigurationURL
Source: symbol; Static MACH information: _kCFProxyAutoConfigurationURLKey
Source: symbol; Static MACH information: _kCFProxyHostNameKey
Source: symbol; Static MACH information: _kCFProxyPortNumberKey
Source: symbol; Static MACH information: _kCFProxyTypeAutoConfigurationURL
Source: symbol; Static MACH information: _kCFProxyTypeHTTP
Source: symbol; Static MACH information: _kCFProxyTypeKey
Source: symbol; Static MACH information: _kCFProxyTypeSOCKS
Urls found in memory or binary data
Source: M4BfJpvkrT; String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: M4BfJpvkrT; String found in binary or memory: http://www.google.com
Source: M4BfJpvkrT; String found in binary or memory: http://www.google.com%USER%Unknown%
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49314 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains symbols related to keyboard/mouse events
Source: symbol; Static MACH information: _CGEventCreateKeyboardEvent
Source: symbol; Static MACH information: _CGEventCreateMouseEvent

System Summary:

Malicious sample detected (through custom Yara rule)
Source: M4BfJpvkrT, type: SAMPLE; Matched rule: Detects OSX Netwire A
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder, type: DROPPED; Matched rule: Detects OSX Netwire A
Classification label
Source: classification engine; Classification label: mal68.troj.evad.mac@0/4@0/0

Data Obfuscation:

Contains symbols with suspicious network related names
Source: symbol; Static MACH information: _CGSConnectionGetPID
Source: symbol; Static MACH information: __CFCopyServerVersionDictionary
Source: symbol; Static MACH information: __CGSDefaultConnection
Source: symbol; Static MACH information: _connect$UNIX2003
Source: symbol; Static MACH information: _gethostbyname
Source: symbol; Static MACH information: _kCFProxyPortNumberKey
Source: symbol; Static MACH information: _kCFProxyTypeHTTP
Source: symbol; Static MACH information: _kCFProxyTypeSOCKS
Source: symbol; Static MACH information: _send$UNIX2003
Source: symbol; Static MACH information: _setsockopt
Source: symbol; Static MACH information: _socket
Imports the IOKit library (often used to register services)
Source: initial sample; Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

Executes hidden files
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 606); File in hidden directory executed: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder -
Writes Mach-O files to hidden directories
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605); 32-bit Mach-O written to hidden directory: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
Changes permissions of written Mach-O files
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605); Permissions modified for written 32-bit Mach-O /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder: bits: - usr: rwx grp: rwx all: rwx
Contains symbols related to login items (used for persistence)
Source: symbol; Static MACH information: _LSSharedFileListCopySnapshot
Source: symbol; Static MACH information: _LSSharedFileListCreate
Source: symbol; Static MACH information: _LSSharedFileListInsertItemURL
Source: symbol; Static MACH information: _LSSharedFileListItemRemove
Source: symbol; Static MACH information: _LSSharedFileListItemResolve
Source: symbol; Static MACH information: _kLSSharedFileListItemLast
Source: symbol; Static MACH information: _kLSSharedFileListSessionLoginItems
Contains symbols related to terminating processes
Source: symbol; Static MACH information: _KillProcess
Creates application bundles
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605); Bundle Info.plist file created: /Users/henry/.defaults/Finder.app/Contents/Info.plist
Creates hidden files, links and/or directories
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605); Hidden Directory created: /Users/henry/.defaults -> /Users/henry/.defaults
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606); Hidden file created: /Users/henry/.defaults/Finder.app/Contents/MacOS/.settings.conf
Reads launchservices plist files
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606); Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Writes 32-bit Mach-O files to disk
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605); File written: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
Writes property list (.plist) files to disk
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605); XML plist file created: /Users/henry/.defaults/Finder.app/Contents/Info.plist

Boot Survival:

Creates user-wide 'launchd' managed services aka launch agents
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606); Launch agent file created: /Users/henry/Library/LaunchAgents/com.mac.host.plist

Remote Access Functionality:

Detected macOS NetWire
Source: /Users/henry/Desktop/M4BfJpvkrT (PID: 605); IOC file dropped: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder (PID: 606); IOC file dropped: /Users/henry/Library/LaunchAgents/com.mac.host.plist


Runtime Messages

Command:/Users/henry/Desktop/M4BfJpvkrT
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Standard Error:

Behavior Graph

Yara Overview

Initial Sample

Source | Rule | Description | Author
M4BfJpvkrT | JoeSecurity_NetwireA | Detects OSX Netwire A | Joe Security

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author
/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder | JoeSecurity_NetwireA | Detects OSX Netwire A | Joe Security

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
2.20.214.243 | http://Destalo.pt | malicious
17.253.57.212 | NoMAD.pkg | malicious

      Domains

      No context

      ASN

      Match: unknown (the report lists this match twice)

      Associated Sample Name / URL | Detection | Context
      Invoice0186.pdf | malicious | 192.168.0.40
      P_2038402.xlsx | malicious | 192.168.0.44
      bad.pdf | malicious | 192.168.0.44
      RFQ.pdf | malicious | 192.168.0.44
      100323.pdf | malicious | 192.168.0.44
      Copy.pdf | malicious | 127.0.0.1
      2.exe | malicious | 192.168.0.40
      UPPB502981.doc | malicious | 192.168.0.44
      Adm_Boleto.via2.com | malicious | 192.168.0.40
      00ECF4AD.exe | malicious | 192.168.0.40
      PDF_100987464500.exe | malicious | 192.168.0.40
      filedata.exe | malicious | 192.168.0.40
      .exe | malicious | 192.168.1.60
      33redacted@threatwave.com | malicious | 192.168.1.71

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Antivirus and Machine Learning Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches


      Startup

      • system is mac1
      • mono-sgen32 (PID: 605 PPID: 556 MD5: 8910349f44a940d8d79318367855b236)
      • M4BfJpvkrT (PID: 605 PPID: 556 Overlayed Process Image: mono-sgen32 MD5: de3a8b1e149312dac5b8584a33c3f3c6)
        • M4BfJpvkrT (PID: 606 PPID: 605 MD5: de3a8b1e149312dac5b8584a33c3f3c6)
        • Finder (PID: 606 PPID: 605 Overlayed Process Image: M4BfJpvkrT MD5: de3a8b1e149312dac5b8584a33c3f3c6)
      • cleanup

      Created / dropped Files

      /Users/henry/.defaults/Finder.app/Contents/Info.plist
      Process:/Users/henry/Desktop/M4BfJpvkrT
      File Type:XML 1.0 document, ASCII text
      Size (bytes):808
      Entropy (8bit):5.136979553002211
      Encrypted:false
      MD5:544085C5414EFF1A0E67CD13724E17C1
      SHA1:D7CF7B196E2AAF3674A747DE54C77785C19C80D7
      SHA-256:A2648050A4AB00595EBE849088FB0310E33C234AA2E93D478909161CCE376824
      SHA-512:C19D7D5065A6FFE3D97F3FECFF9B05C2CC903085A2F284B57580F2A1AC4F9067E6B0F18877719EC71AF31DBD888322FA1EA8444C95BEACC761344B3CE97F71D4
      Malicious:false
      Reputation:low
      Preview:
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
            <key>CFBundleDevelopmentRegion</key>
            <string>English</string>
            <key>CFBundleExecutable</key>
            <string>Finder</string>
            <key>CFBundleInfoDictionaryVersion</key>
            <string>6.0</string>
            <key>CFBundleName</key>
            <string>Finder</string>
            <key>CFBundlePackageType</key>
            <string>APPL</string>
            <key>CFBundleShortVersionString</key>
            <string>4.5.3</string>
            <key>CFBundleVersion</key>
            <string>99.2</string>
            <key>LSMinimumSystemVersion</key>
            <string>10.3</string>
            <key>NSMainNibFile</key>
            <string>Finder</string>
            <key>NSPrincipalClass</key>
            <string>NSApplication</string>
            <key>NSUIElement</key>
            <string>true</string>
        </dict>
        </plist>
      /Users/henry/.defaults/Finder.app/Contents/MacOS/.settings.conf
      Process:/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
      File Type:data
      Size (bytes):127
      Entropy (8bit):6.482663722154125
      Encrypted:false
      MD5:55EC2A40C7BE0B67332058BF3E3006D8
      SHA1:C2337A77E4431536903BBC86106AEBC75397D0DA
      SHA-256:820573EC77C6D202D08BDDDC937D02103B40B3D64E029D48DB2678E69D180AAB
      SHA-512:381E1DBF92F6F2E43FE53E32FDFA40A9FA342DD2E4FAE5540972E66D9B7362548AF2AF477864F2E64F3E0714EF9B8820C5E7441AB639ACCBBD12B977C2FEFCE8
      Malicious:false
      Reputation:low
      Preview:M..w...3..s0.no....6..v.%..ey.....>+]Q....]f..YV..t.+.15.Tpe........kJ...{..2+...p<....+....b..^0.e..Wb........#..K.Y.
      /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
      Process:/Users/henry/Desktop/M4BfJpvkrT
      File Type:Mach-O i386 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|NO_HEAP_EXECUTION>
      Size (bytes):63768
      Entropy (8bit):6.120626354964268
      Encrypted:false
      MD5:DE3A8B1E149312DAC5B8584A33C3F3C6
      SHA1:23017A55B3D25A2597B7148214FD8FB2372591A5
      SHA-256:07A4E04EE8B4C8DC0F7507F56DC24DB00537D4637AFEE43DBB9357D4D54F6FF4
      SHA-512:CBCE20E10203B3AA36ACD478664874B0A8FF3535F0671D2DB9DE0E6A5022EFB99A445922156F31B10BDFF1CB177782B5AA4AE7D8ED306171C2525A597C997DB8
      Malicious:true
      Yara Hits:
      • Rule: JoeSecurity_NetwireA, Description: Detects OSX Netwire A, Source: /Users/henry/.defaults/Finder.app/Contents/MacOS/Finder, Author: Joe Security
      Reputation:low
      Preview:................................8...__PAGEZERO..............................................__TEXT..........................................__text..........__TEXT..........l...Z...l...........................__symbol_stub...__TEXT..............~..............................__stub_helper...__TEXT..........D.......D...........................__const.........__TEXT..........@.......@...........................__cstring.......__TEXT.......... ....... ...........................__unwind_info...__TEXT..............H.......................................__DATA...............@..........................__dyld..........__DATA..............................................__nl_symbol_ptr.__DATA..............P...............................__la_symbol_ptr.__DATA..........l...T...l...........................__cfstring......__DATA..............0...............................__data..........__DATA..............................................__common........__DATA..................................
      /Users/henry/Library/LaunchAgents/com.mac.host.plist
      Process:/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
      File Type:XML 1.0 document, ASCII text
      Size (bytes):465
      Entropy (8bit):5.096775148549045
      Encrypted:false
      MD5:57CF5F2464E46E09ECC5F991E7E7FD8B
      SHA1:FA3EEE4932ED8B239E1AF72E7E10E3FFAF0B200A
      SHA-256:38A99CC00D692D39D1F423FA5B2A1493CE5C3E8CBA0DFA0EA6D9C84A1E77E5CB
      SHA-512:F388AE9CB1C499525180D819C5B66CBC963CF28C884A11D87C9BA2C4962A45E19351707C7EFA86C574BBD4133A27B74A5390886B9233286716F15E02BAC0DF18
      Malicious:true
      Reputation:low
      Preview:
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN.."http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
          <key>Label</key>
          <string>com.mac.host</string>
          <key>ProgramArguments</key>
          <array>
            <string>/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder</string>
          </array>
          <key>RunAtLoad</key>
          <true/>
          <key>KeepAlive</key>
          <false/>
        </dict>
        </plist>

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs


      Public

      IP | Country | ASN | ASN Name | Malicious
      2.20.214.243 | European Union | 20940 | unknown | false
      89.34.111.113 | Belize | 47447 | unknown | false
      17.57.146.20 | United States | 714 | APPLE-ENGINEERING-AppleIncUS | false
      17.188.166.11 | United States | 714 | APPLE-ENGINEERING-AppleIncUS | false
      17.253.57.212 | United States | 6185 | APPLE-AUSTIN-AppleIncUS | false

      Static File Info

      General

      File type:Mach-O i386 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|NO_HEAP_EXECUTION>
      Entropy (8bit):6.120626354964268
      TrID:
      • Mac OS X Mach-O 32bit Intel executable (4004/1) 100.00%
      File name:M4BfJpvkrT
      File size:63768
      MD5:de3a8b1e149312dac5b8584a33c3f3c6
      SHA1:23017a55b3d25a2597b7148214fd8fb2372591a5
      SHA256:07a4e04ee8b4c8dc0f7507f56dc24db00537d4637afee43dbb9357d4d54f6ff4
      SHA512:cbce20e10203b3aa36acd478664874b0a8ff3535f0671d2db9de0e6a5022efb99a445922156f31b10bdff1cb177782b5aa4ae7d8ed306171c2525a597c997db8
      SSDEEP:1536:4RCG77G7iHHn959DHXFoQ0hQihLv1SNObMih:WCw1HHn79D3FAQkI9ih
      File Content Preview:................................8...__PAGEZERO..............................................__TEXT..........................................__text..........__TEXT..........l...Z...l...........................__symbol_stub...__TEXT..............~..........

      Static Mach Info

      General Informations for header0

      Endian:<
      Size:32-bit
      Architecture:i386
      Filetype:execute
      Nbr. of load commands:19
      Entry point:0x196C
      segment_command
        segname: __PAGEZERO
        fileoff: 0x0
        maxprot: 0x0
        vmsize: 0x1000
        nsects: 0
        flags: 0x0
        filesize: 0x0
        vmaddr: 0x0
        initprot: 0x0
      segment_command
        segname: __TEXT
        fileoff: 0x0
        maxprot: 0x7
        vmsize: 0xD000
        nsects: 6
        flags: 0x0
        filesize: 0xD000
        vmaddr: 0x1000
        initprot: 0x5
        Data (sections):
          sectname: __text
          segname: __TEXT
          reloff: 0x0
          addr: 0x196C
          align: 0x2
          nreloc: 0
          flags: 0x80000400
          offset: 0x96C
          reserved2: 0
          reserved1: 0
          size: 0xAD5A

          sectname: __symbol_stub
          segname: __TEXT
          reloff: 0x0
          addr: 0xC6C6
          align: 0x1
          nreloc: 0
          flags: 0x80000408
          offset: 0xB6C6
          reserved2: 6
          reserved1: 0
          size: 0x37E

          sectname: __stub_helper
          segname: __TEXT
          reloff: 0x0
          addr: 0xCA44
          align: 0x2
          nreloc: 0
          flags: 0x80000400
          offset: 0xBA44
          reserved2: 0
          reserved1: 0
          size: 0x6FA

          sectname: __const
          segname: __TEXT
          reloff: 0x0
          addr: 0xD140
          align: 0x4
          nreloc: 0
          flags: 0x0
          offset: 0xC140
          reserved2: 0
          reserved1: 0
          size: 0x7E0

          sectname: __cstring
          segname: __TEXT
          reloff: 0x0
          addr: 0xD920
          align: 0x0
          nreloc: 0
          flags: 0x2
          offset: 0xC920
          reserved2: 0
          reserved1: 0
          size: 0x68B

          sectname: __unwind_info
          segname: __TEXT
          reloff: 0x0
          addr: 0xDFAC
          align: 0x2
          nreloc: 0
          flags: 0x0
          offset: 0xCFAC
          reserved2: 0
          reserved1: 0
          size: 0x48
      segment_command
        segname: __DATA
        fileoff: 0xD000
        maxprot: 0x7
        vmsize: 0x24000
        nsects: 7
        flags: 0x0
        filesize: 0x1000
        vmaddr: 0xE000
        initprot: 0x3
        Data (sections):
          sectname: __dyld
          segname: __DATA
          reloff: 0x0
          addr: 0xE000
          align: 0x2
          nreloc: 0
          flags: 0x0
          offset: 0xD000
          reserved2: 0
          reserved1: 0
          size: 0x1C

          sectname: __nl_symbol_ptr
          segname: __DATA
          reloff: 0x0
          addr: 0xE01C
          align: 0x2
          nreloc: 0
          flags: 0x6
          offset: 0xD01C
          reserved2: 0
          reserved1: 149
          size: 0x50

          sectname: __la_symbol_ptr
          segname: __DATA
          reloff: 0x0
          addr: 0xE06C
          align: 0x2
          nreloc: 0
          flags: 0x7
          offset: 0xD06C
          reserved2: 0
          reserved1: 169
          size: 0x254

          sectname: __cfstring
          segname: __DATA
          reloff: 0x0
          addr: 0xE2C0
          align: 0x2
          nreloc: 0
          flags: 0x0
          offset: 0xD2C0
          reserved2: 0
          reserved1: 0
          size: 0x30

          sectname: __data
          segname: __DATA
          reloff: 0x0
          addr: 0xE2F0
          align: 0x2
          nreloc: 0
          flags: 0x0
          offset: 0xD2F0
          reserved2: 0
          reserved1: 0
          size: 0x418

          sectname: __common
          segname: __DATA
          reloff: 0x0
          addr: 0xE708
          align: 0x2
          nreloc: 0
          flags: 0x1
          offset: 0x0
          reserved2: 0
          reserved1: 0
          size: 0x10

          sectname: __bss
          segname: __DATA
          reloff: 0x0
          addr: 0xE720
          align: 0x4
          nreloc: 0
          flags: 0x1
          offset: 0x0
          reserved2: 0
          reserved1: 0
          size: 0x234D8
      segment_command
        segname: __LINKEDIT
        fileoff: 0xE000
        maxprot: 0x7
        vmsize: 0x1918
        nsects: 0
        flags: 0x0
        filesize: 0x1918
        vmaddr: 0x32000
        initprot: 0x1
      symtab_command
        strsize: 3028
        symoff: 57344
        stroff: 60740
        nsyms: 175
      dysymtab_command
        extreloff: 59444
        nlocrel: 0
        indirectsymoff: 59468
        modtaboff: 0
        nextrel: 3
        iundefsym: 2
        nmodtab: 0
        ilocalsym: 0
        nundefsym: 173
        nextrefsyms: 0
        locreloff: 0
        ntoc: 0
        nlocalsym: 1
        tocoff: 0
        extrefsymoff: 0
        nindirectsyms: 318
        iextdefsym: 1
        nextdefsym: 1
      dylinker_command
        name: 12
        Data: /usr/lib/dyld
      uuid_command
        uuid: 8c8ac65d8f7c368aad5ae7fd9d58e63c
      version_min_command
        version: 656640
        reserved: 658432
      dylib_command
        compatibility_version: 0.1.0
        timestamp: Thu Jan 1 01:00:02 1970
        name: 24
        current_version: 4864.7.3
        Data: /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
      dylib_command
        compatibility_version: 0.1.0
        timestamp: Thu Jan 1 01:00:02 1970
        name: 24
        current_version: 0.19.1
        Data: /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
      dylib_command
        compatibility_version: 0.150.0
        timestamp: Thu Jan 1 01:00:02 1970
        name: 24
        current_version: 2048.69.5
        Data: /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
      dylib_command
        compatibility_version: 0.1.0
        timestamp: Thu Jan 1 01:00:02 1970
        name: 24
        current_version: 0.22.0
        Data: /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
      dylib_command
        compatibility_version: 0.1.0
        timestamp: Thu Jan 1 01:00:02 1970
        name: 24
        current_version: 15362.214.4
        Data: /usr/lib/libSystem.B.dylib
      dylib_command
        compatibility_version: 0.1.0
        timestamp: Thu Jan 1 01:00:02 1970
        name: 24
        current_version: 0.48.0
        Data: /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
      dylib_command
        compatibility_version: 0.1.0
        timestamp: Thu Jan 1 01:00:02 1970
        name: 24
        current_version: 15362.120.3
        Data: /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
      dylib_command
        compatibility_version: 0.1.0
        timestamp: Thu Jan 1 01:00:02 1970
        name: 24
        current_version: 0.233.1
        Data: /usr/lib/libgcc_s.1.dylib
      linkedit_data_command
        dataoff: 57344
        datassize: 0

      Symbols

      Symbol
      radr://5614542
      __mh_execute_header
      _CFArrayGetCount
      _CFArrayGetValueAtIndex
      _CFBundleCopyBundleURL
      _CFBundleGetMainBundle
      _CFDataCreateMutable
      _CFDataGetLength
      _CFDataGetMutableBytePtr
      _CFDictionaryCreateMutable
      _CFDictionaryGetValue
      _CFDictionaryGetValueIfPresent
      _CFDictionarySetValue
      _CFEqual
      _CFNetworkCopyProxiesForURL
      _CFNetworkExecuteProxyAutoConfigurationURL
      _CFNumberCreate
      _CFNumberGetValue
      _CFRelease
      _CFRetain
      _CFRunLoopAddSource
      _CFRunLoopGetCurrent
      _CFRunLoopRunInMode
      _CFRunLoopSourceInvalidate
      _CFRunLoopSourceIsValid
      _CFStringCreateWithCString
      _CFStringCreateWithFormat
      _CFStringGetCString
      _CFStringGetSystemEncoding
      _CFURLCreateFromFileSystemRepresentation
      _CFURLCreateWithBytes
      _CFURLGetFileSystemRepresentation
      _CGDisplayCreateImage
      _CGEventCreate
      _CGEventCreateKeyboardEvent
      _CGEventCreateMouseEvent
      _CGEventPost
      _CGEventSetLocation
      _CGEventSetType
      _CGImageDestinationAddImage
      _CGImageDestinationCreateWithData
      _CGImageDestinationFinalize
      _CGMainDisplayID
      _CGSConnectionGetPID
      _CGSGetWindowOwner
      _CGWindowListCopyWindowInfo
      _GetProcessForPID
      _IOPMAssertionCreateWithName
      _KillProcess
      _LSSharedFileListCopySnapshot
      _LSSharedFileListCreate
      _LSSharedFileListInsertItemURL
      _LSSharedFileListItemRemove
      _LSSharedFileListItemResolve
      _SCDynamicStoreCopyProxies
      _ShowHideProcess
      __CFCopyServerVersionDictionary
      __CFCopySystemVersionDictionary
      __CGSDefaultConnection
      ___CFConstantStringClassReference
      ___error
      ___snprintf_chk
      ___stack_chk_fail
      ___stack_chk_guard
      ___toupper
      __kCFSystemVersionBuildVersionKey
      __kCFSystemVersionProductNameKey
      __kCFSystemVersionProductVersionKey
      _asprintf
      _cfmakeraw
      _chdir
      _chmod$UNIX2003
      _clogl
      _closedir$UNIX2003
      _closelog
      _connect$UNIX2003
      _dlclose
      _dlopen
      _dlsym
      _dup
      _endutxent
      _execlp
      _execv
      _execvp
      _exit
      _fcntl$UNIX2003
      _fork
      _free
      _fstat
      _ftruncate
      _getenv
      _geteuid
      _gethostbyname
      _gethostname
      _getpid
      _getppid
      _getpwuid
      _getutxent
      _gmtime
      _grantpt
      _host_page_size
      _host_statistics
      _inet_ntop
      _ioctl
      _kCFAllocatorDefault
      _kCFProxyAutoConfigurationURLKey
      _kCFProxyHostNameKey
      _kCFProxyPortNumberKey
      _kCFProxyTypeAutoConfigurationURL
      _kCFProxyTypeHTTP
      _kCFProxyTypeKey
      _kCFProxyTypeSOCKS
      _kCFTypeDictionaryKeyCallBacks
      _kCFTypeDictionaryValueCallBacks
      _kCGImageDestinationLossyCompressionQuality
      _kCGWindowName
      _kCGWindowNumber
      _kLSSharedFileListItemLast
      _kLSSharedFileListSessionLoginItems
      _kUTTypeJPEG
      _kill$UNIX2003
      _localtime
      _lseek
      _lstat
      _mach_host_self
      _malloc
      _memcpy
      _memset
      _mkdir
      _open$UNIX2003
      _opendir$UNIX2003
      _pipe
      _posix_openpt
      _proc_listpids
      _proc_pidfdinfo
      _proc_pidinfo
      _proc_pidpath
      _pthread_attr_init
      _pthread_attr_setdetachstate
      _pthread_create
      _pthread_mutex_init
      _pthread_mutex_lock
      _pthread_mutex_unlock
      _ptsname
      _read$UNIX2003
      _readdir
      _realloc
      _recv$UNIX2003
      _rename
      _rmdir
      _select$UNIX2003
      _send$UNIX2003
      _setsid
      _setsockopt
      _setutxent
      _shutdown
      _sigaction
      _sigprocmask
      _socket
      _stat
      _strlen
      _strstr
      _sysctl
      _sysctlnametomib
      _tcgetattr
      _tcsetattr
      _time
      _times
      _umask
      _uname
      _unlink
      _unlockpt
      _usleep$UNIX2003
      _waitpid$UNIX2003
      _write$UNIX2003

      Network Behavior

      Network Port Distribution

      TCP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Jun 21, 2019 14:58:23.425559044 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:58:24.430048943 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:58:25.433072090 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:58:26.434040070 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:58:27.436391115 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:58:28.439338923 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:58:28.464098930 CEST | 49158 | 5223 | 192.168.0.50 | 17.57.146.20
      Jun 21, 2019 14:58:28.487529039 CEST | 5223 | 49158 | 17.57.146.20 | 192.168.0.50
      Jun 21, 2019 14:58:28.487546921 CEST | 5223 | 49158 | 17.57.146.20 | 192.168.0.50
      Jun 21, 2019 14:58:28.487958908 CEST | 49158 | 5223 | 192.168.0.50 | 17.57.146.20
      Jun 21, 2019 14:58:30.448913097 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:58:30.471621990 CEST | 49157 | 5223 | 192.168.0.50 | 17.188.166.11
      Jun 21, 2019 14:58:30.579502106 CEST | 5223 | 49157 | 17.188.166.11 | 192.168.0.50
      Jun 21, 2019 14:58:30.579713106 CEST | 49157 | 5223 | 192.168.0.50 | 17.188.166.11
      Jun 21, 2019 14:58:34.455954075 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:58:42.463490009 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:58:45.820000887 CEST | 49312 | 80 | 192.168.0.50 | 17.253.57.212
      Jun 21, 2019 14:58:45.820245981 CEST | 49313 | 80 | 192.168.0.50 | 2.20.214.243
      Jun 21, 2019 14:58:45.826286077 CEST | 80 | 49313 | 2.20.214.243 | 192.168.0.50
      Jun 21, 2019 14:58:45.826716900 CEST | 49313 | 80 | 192.168.0.50 | 2.20.214.243
      Jun 21, 2019 14:58:45.833061934 CEST | 80 | 49312 | 17.253.57.212 | 192.168.0.50
      Jun 21, 2019 14:58:45.833678007 CEST | 49312 | 80 | 192.168.0.50 | 17.253.57.212
      Jun 21, 2019 14:58:58.506849051 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:59:30.556160927 CEST | 49314 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:59:48.559796095 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:59:49.562325954 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:59:50.563291073 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:59:51.563900948 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:59:52.566622972 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:59:53.569016933 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:59:55.570472002 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 14:59:59.573554039 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 15:00:07.587693930 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113
      Jun 21, 2019 15:00:23.608505964 CEST | 49318 | 443 | 192.168.0.50 | 89.34.111.113

      System Behavior

      General

      Start time:14:58:22
      Start date:21/06/2019
      Path:/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
      File size:3722408 bytes
      MD5 hash:8910349f44a940d8d79318367855b236

      General

      Start time:14:58:22
      Start date:21/06/2019
      Path:/Users/henry/Desktop/M4BfJpvkrT
      File size:63768 bytes
      MD5 hash:de3a8b1e149312dac5b8584a33c3f3c6

      General

      Start time:14:58:22
      Start date:21/06/2019
      Path:/Users/henry/Desktop/M4BfJpvkrT
      File size:63768 bytes
      MD5 hash:de3a8b1e149312dac5b8584a33c3f3c6

      General

      Start time:14:58:22
      Start date:21/06/2019
      Path:/Users/henry/.defaults/Finder.app/Contents/MacOS/Finder
      File size:63768 bytes
      MD5 hash:de3a8b1e149312dac5b8584a33c3f3c6