macOS Analysis Report: extractor

Detection score: 96 (range 0 - 100); whitelisted: false.

Analysis advice: some HTTP requests failed (404), so the sample likely exhibited less behavior than it would against a live server.
General Information

Name | Value |
---|---|
Joe Sandbox Version | 35.0.0 Citrine |
Analysis ID | 1977504 |
Start date and time | 2022-08-18 12:34:03 +02:00 |
Joe Sandbox Product | Cloud |
Overall analysis duration | 0h 3m 57s |
Hypervisor based Inspection enabled | false |
Report type | full |
Sample file name | extractor |
Cookbook file name | macOS - Big Sur - load provided binary as normal user.jbs |
Analysis system description | Mac Mini, Big Sur (Office 2019 16.55, Java 1.8.0_311) |
Analysis Mode | default |
Detection | MAL |
Classification | mal96.troj.evad.mac@0/17@1/0 |
- Excluded IPs from analysis (whitelisted): 17.57.12.11
- Excluded domains from analysis (whitelisted): b._dns-sd._udp.0.0.168.192.in-addr.arpa, gsp64-ssl.ls-apple.com.akadns.net, db._dns-sd._udp.0.0.168.192.in-addr.arpa
Name | Value |
---|---|
Command | sudo -u drew /Users/drew/Desktop/extractor |
PID | 866 |
Exit Code | 0 |
Exit Code Info | (empty) |
Killed | False |
Standard Output | (empty) |
Standard Error | (empty) |

PID 866 is the mono-sgen64 process at the top of the tree below (the cookbook runner that issues the sudo); the sample's own processes are the extractor children of sudo (PID 867).
- System is mac-bigsur

Process tree (PID, parent PID):

- mono-sgen64 (866, parent 824)
  - sudo (867, parent 866)
    - extractor (868, parent 867)
    - extractor (874, parent 867)
      - bash (875, parent 874)
    - extractor (876, parent 867)
      - bash (877, parent 876)
    - extractor (878, parent 867)
      - bash (879, parent 878)
    - extractor (880, parent 867)
      - bash (881, parent 880)
    - extractor (882, parent 867)
      - bash (883, parent 882)
    - extractor (898, parent 867)
      - bash (899, parent 898)
    - extractor (900, parent 867)
      - bash (901, parent 900)
- xpcproxy (871, parent 1)
- xpcproxy (884, parent 1)
  - FinderFontsUpdater (886, parent 884)
    - sh (887, parent 886)

Seven extractor forks each spawn a bash child, which is where the shell commands, pgrep, killall and rm signatures below come from. FinderFontsUpdater (886) has parent PID 1 via xpcproxy, i.e. it is started by launchd rather than by extractor, which is what you expect after the launch agent creation recorded in the persistence section.
Yara overview: rule JoeSecurity_Nukesped_2 ("Yara detected Nukesped", author Joe Security) matched six times across the report's three Yara tables (one, two and three hits respectively). The Source column, which names the matched file or process, was not recovered.
AV Detection |
---|
- Avira (3 detections; the labels are in the antivirus table further down)

Further signatures (the section headings and the matched values were not recovered; the count in parentheses is the number of entries):

- HTTPS traffic detected
- Writes from socket in process
- Network traffic detected (4)
- TCP traffic detected without corresponding DNS query (4)
- HTTP traffic detected
- String found in binary or memory (10)
- Reads from socket in process
- DNS traffic detected
- HTTP traffic detected
- HTTPS traffic detected
- SIGKILL sent (8)
- Classification label
- Mach-O symbol (7)

TCP connections with no preceding DNS query usually mean a hard-coded IP address in the sample; the one resolved name, concrecapital.com, is listed under the contacted domains below. The eight SIGKILLs line up with the terminal-killing behavior in the hiding section.
Persistence and Installation Behavior |
---|
- FAT Mach-O written to unusual path (2; the dropped files under /Users/drew/Library/Fonts/ below)
- Application opened (2)
- Killall command executed
- File written (4)
- Mach-O header
- File header
- Saved state directory opened
- Bundle code signature resource file created
- Shell command executed (10)
- Bundle Info.plist file created
- Rm executable
- Pgrep executable (3)
- XML plist file created (3)
- Binary plist file created
- AppleKeyboardLayouts info plist opened
- Random device file read
- CodeSign Info
- Launch agent created
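The two persistence facts above (FAT Mach-O binaries written under ~/Library/Fonts and a launch agent created to run them) are easy to hunt for on other hosts. The script below is an added example, not part of the Joe Sandbox report: it identifies Mach-O files by their header magic rather than by extension, parses LaunchAgent plists for the program they start, and reports agents whose program lives under Library/Fonts. ~/Library/Fonts and ~/Library/LaunchAgents are the standard macOS locations; everything built by build_fixture() (file contents, the com.example.fontsagent label) is constructed for the demo and is not a real indicator.

```python
"""Hunt for the persistence pattern this report records: Mach-O executables
dropped under ~/Library/Fonts plus a LaunchAgent that starts one of them.
Added example, not part of the Joe Sandbox report. The fixture built by
build_fixture() is constructed for the demo; its contents are not real
indicators."""
import os
import plistlib
import struct
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Magic values as they appear on disk: thin Mach-O in either byte order,
# and the FAT/universal header that this report's sample uses.
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
               b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"


def macho_kind(path: Path) -> Optional[str]:
    """Return 'thin', 'fat' or None from the first eight bytes of a file."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return None
    if len(head) < 8:
        return None
    if head[:4] in THIN_MAGICS:
        return "thin"
    if head[:4] == FAT_MAGIC:
        # CAFEBABE is also the Java class-file magic. A real FAT header is
        # followed by a small big-endian architecture count; a class file by
        # its version, which is 45 or higher.
        nfat_arch = struct.unpack(">I", head[4:8])[0]
        if 0 < nfat_arch < 0x20:
            return "fat"
    return None


def find_macho(root: Path) -> Dict[str, str]:
    """Map every Mach-O file below root to its kind."""
    hits: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            kind = macho_kind(p)
            if kind:
                hits[str(p)] = kind
    return hits


def agent_program(plist_path: Path) -> Optional[str]:
    """Executable a LaunchAgent plist runs: Program, else ProgramArguments[0]."""
    try:
        with open(plist_path, "rb") as f:
            d = plistlib.load(f)
    except (OSError, plistlib.InvalidFileException):
        return None
    if isinstance(d.get("Program"), str):
        return d["Program"]
    args = d.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def hunt(home: Path) -> Dict[str, Dict[str, str]]:
    """Report Mach-O files under Library/Fonts and LaunchAgents pointing there."""
    fonts = home / "Library" / "Fonts"
    agents = home / "Library" / "LaunchAgents"
    machos = find_macho(fonts) if fonts.is_dir() else {}
    into_fonts: Dict[str, str] = {}
    if agents.is_dir():
        for plist in agents.glob("*.plist"):
            prog = agent_program(plist)
            if prog and fonts in Path(prog).parents:
                into_fonts[str(plist)] = prog
    return {"macho_in_fonts": machos, "agents_into_fonts": into_fonts}


def build_fixture() -> Path:
    """Constructed home directory mirroring the paths seen in the report."""
    home = Path(tempfile.mkdtemp(prefix="hunt_"))
    fonts = home / "Library" / "Fonts"
    agents = home / "Library" / "LaunchAgents"
    macos_dir = fonts / "FinderFontsUpdater.app" / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    agents.mkdir(parents=True)
    # Fake FAT header (magic + nfat_arch=2 + zero padding), not a real binary.
    (fonts / "safarifontsagent").write_bytes(FAT_MAGIC + struct.pack(">I", 2) + b"\0" * 24)
    # Fake 64-bit little-endian thin Mach-O header.
    (macos_dir / "FinderFontsUpdater").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    # A TrueType font and a Java class file: neither may be flagged.
    (fonts / "Regular.ttf").write_bytes(b"\x00\x01\x00\x00" + b"\0" * 28)
    (fonts / "Tool.class").write_bytes(FAT_MAGIC + struct.pack(">HH", 0, 52) + b"\0" * 24)
    with open(agents / "com.example.fontsagent.plist", "wb") as f:  # hypothetical label
        plistlib.dump({"Label": "com.example.fontsagent",
                       "ProgramArguments": [str(fonts / "safarifontsagent")],
                       "RunAtLoad": True}, f)
    return home


if __name__ == "__main__":
    for key, val in hunt(build_fixture()).items():
        print(key, val)
```

On a real host run hunt(Path.home()) for each user. A non-empty result is a lead, not a verdict: font-management tools can legitimately ship helper binaries, so confirm with codesign and the agent's label before acting.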
Hooking and other Techniques for Hiding and Protection |
---|
- Kills terminal apps (the killall signature above)
- Saved state deleted
- PDF opened with default viewer (Preview.app appears as the writing process of three dropped cache files below)
- Submission file (2)
- Sysctl read request (2)
- Sysctl requested (12)
- sw_vers executed
- System or server version plist file read (4)

The sysctl, sw_vers and SystemVersion.plist reads are the sample's environment fingerprinting; they account for the 51 System Information Discovery hits in the ATT&CK matrix.

Stealing of Sensitive Information |
---|
- File source (6; Yara-based, values not recovered)

Remote Access Functionality |
---|
- File source (6; Yara-based, values not recovered)
MITRE ATT&CK matrix. Only techniques with at least one matched signature are listed; the number is the signature count, and the unmatched template cells of the full matrix are omitted.

Tactic | Technique (signature count) |
---|---|
Execution | Command and Scripting Interpreter (1), Scripting (1) |
Persistence | Launch Agent (1), Plist Modification (1) |
Privilege Escalation | Launch Agent (1), Plist Modification (1) |
Defense Evasion | Masquerading (2), Scripting (1), Obfuscated Files or Information (1), Invalid Code Signature (1), Code Signing (11), File Deletion (1) |
Discovery | System Information Discovery (51) |
Command and Control | Encrypted Channel (1), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (4) |
Antivirus detection (scanner: Avira, detection 100%; the Source columns were not recovered, but the two dropped files below that carry an Antivirus entry are the only candidates for the second table):

- OSX/NukeSped.usvpp (first table, one entry)
- OSX/NukeSped.kgzti and OSX/NukeSped.xxlef (second table, two entries)
Contacted domains and IPs:

Name | IP | Active | Malicious | Antivirus Detection |
---|---|---|---|---|
concrecapital.com | 64.44.102.6 | true | false | unknown |

IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
64.44.102.6 | concrecapital.com | United States | 20278 | NEXEONUS | false |

"Malicious: false" here is the sandbox's reputation verdict for the host, not evidence that the traffic was benign: the sample contacted it, and the 404 responses noted in the analysis advice mean the paths it requested were not being served at analysis time.
Joe Sandbox View context: the hosting ASN (NEXEONUS, AS20278) is associated with 20 other samples in Joe Sandbox View, all classified malicious; their names and hashes were not recovered from the page.
Dropped Files

Seventeen files were dropped: 9 written by /usr/bin/tar (including the FinderFontsUpdater.app bundle resources, so the sample unpacks an archive), 4 by the extractor itself, 1 by /Users/drew/Library/Fonts/safarifontsagent and 3 by Preview.app. Paths are given where the page preserved them.

Dropped file 1 (path not recovered)
- Process: /Users/drew/Desktop/extractor
- Category: dropped
- Size (bytes): 318027
- Entropy (8bit): 7.944220553559856
- Encrypted: false
- SSDEEP: 6144:zz11yfjGJT+ovconp8LRSl5Jh1E8lWxmAab4dDhkc8dhX5+DABYQs47qhrJ:zz11Sj1yco8VGTh1plWxXab4BhWhuA7W
- MD5: 22374D49B4C6C27EB10A135BD93722E9
- SHA1: 456C6023BE5D736D2524573355DCD358EE0297B8
- SHA-256: 2B4E8F1927927BDC2F71914BA1F12511D9B6BDBDB2DF390E267F54DC4F8919DD
- SHA-512: 91E568D920F0DA302E6E31A1734880AA2FB3E29900AE0153E6B793DFF40E776C6B8CA6FF299F0E3696F28DBB6D91B7D23D8B3BF2707EF28F947436B91D148DB4
- Malicious: true
- Reputation: low

Dropped file 2 (path not recovered). The writing process is itself one of the binaries dropped under ~/Library/Fonts, so safarifontsagent executed during the run. Reputation and the Malicious flag are independent fields; the reputation is a prevalence score and does not override Malicious: true.
- Process: /Users/drew/Library/Fonts/safarifontsagent
- Category: dropped
- Size (bytes): 1245
- Entropy (8bit): 5.462849750105637
- Encrypted: false
- SSDEEP: 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
- MD5: 5343C1A8B203C162A3BF3870D9F50FD4
- SHA1: 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
- SHA-256: DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
- SHA-512: E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
- Malicious: true
- Reputation: moderate, very likely benign file

Dropped file 3 (path not recovered)
- Process: /usr/bin/tar
- Category: dropped
- Size (bytes): 1573
- Entropy (8bit): 5.15430518157656
- Encrypted: false
- SSDEEP: 24:2dfyiwBFAw6wBh1Ma6w4oRw0gp/sH2PggjeeDbMMcoK/fV2+3NrGuh:cfyfyQBh1cw1O0giH2IgSOb1XKl2+dSg
- MD5: C15E31E36E539D5D9CB1128BBE15D395
- SHA1: B048FF7D1D22DE090E29F34AAA408F0685CB0D02
- SHA-256: 484DA0EC3AD87282F44387F45ACB1D4B5BA8334012F12AE6074798056F7FF7FE
- SHA-512: 065D5B92E9EEFABED21369CC5F924E4FBA40C3FCF6334C5D83C35B44BA78333267D10EF36134864D941EA161A26CBF1976E2ED342A51C88EEDE1540760E9F6B0
- Malicious: false
- Reputation: low

Dropped file 4 (path not recovered; one of the two files with Yara and antivirus hits, whose values were not recovered)
- Process: /usr/bin/tar
- Category: dropped
- Size (bytes): 186240
- Entropy (8bit): 3.3442384430459433
- Encrypted: false
- SSDEEP: 1536:2i39V8ffffffffffffffffA3d7GbYpwNevg2KSf/6n2aVK:39V8ffffffffffffffffQlGvO1NHK
- MD5: FC5D8C6CCF10D0B900BAA394D2EAD97D
- SHA1: 041AFAF8EF2A8556AAC3FB051E52D19219552E9D
- SHA-256: 798020270861FDD6C293AE8BA13E86E100CE048830F86233910A2826FACD4272
- SHA-512: A5E66C67CA27255A7531AA5966ADA6ABF3F201037AD24FEA9FBF0ED7D783C6C9CEFD5122D9F7F7731AE33271BF08B4DA5689FA1D1C238862A5D72E44BAFDB8E5
- Malicious: true
- Yara Hits: present, values not recovered
- Antivirus: present, values not recovered
- Reputation: low

Dropped file 5 (path not recovered)
- Process: /usr/bin/tar
- Category: dropped
- Size (bytes): 8
- Entropy (8bit): 1.75
- Encrypted: false
- SSDEEP: 3:k0Ra:f8
- MD5: 23B7D7D024ABB0F558420E098800BF27
- SHA1: 9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
- SHA-256: 82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
- SHA-512: F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
- Malicious: false
- Reputation: moderate, very likely benign file
Dropped file 6: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/Credits.rtf
- Process: /usr/bin/tar
- Category: dropped
- Size (bytes): 436
- Entropy (8bit): 4.962904598670011
- Encrypted: false
- SSDEEP: 6:edsqSm+BhYrJDeXsVamc7QTf9KX6UVlWmVPOeIWXFflm0yD8AqriAke+2QxRo59v:5qSmsYinmY25MlWmVPOKIJQjiAke+pwN
- MD5: F0D4A61CAF597423FF07C5E9B24A345E
- SHA1: 60A248148B319DE26E36424D25021C2488E23CE8
- SHA-256: B4386FE1CEF65CD91E6C8ECC065D117089083F91B7CADBF0C3E5EAE20E8B9640
- SHA-512: E361011499CF70FC71E247FDDA71F49D913654A983AA4AE67D00DC977E53B9CF0D88D4D2AC07EFE248261C3AB6E3345E829E22DDA3E51DCCC221A94C660ACE69
- Malicious: false
- Reputation: moderate, very likely benign file

Dropped file 7: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/InfoPlist.strings
- Process: /usr/bin/tar
- Category: dropped
- Size (bytes): 92
- Entropy (8bit): 3.2610300066712608
- Encrypted: false
- SSDEEP: 3:Qwh+yEilSlJlqXMLLkFlVlRDBWjUoFY9n:QpXioJqcLwVlRNWwou9n
- MD5: 51EF59B60E5B41B91519CC662A9FE886
- SHA1: 3222CA0C39EB50AAF8126BAF852E55430C4718AF
- SHA-256: 39CF2EE07B7B333E7C179D0BF4D798A5B72AF6A4E584F51E642703BBFA4FC828
- SHA-512: 3952A908B72D44040F5072F6344F6327FC78981C3AA55E931ACAE84C0C9BCC0D148991CD564AF4803765C328CBF5F7EFE9EB558FC56E47E8206B7B706026F30A
- Malicious: false
- Reputation: moderate, very likely benign file

Dropped file 8: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib/keyedobjects-101300.nib
- Process: /usr/bin/tar
- Category: dropped
- Size (bytes): 22249
- Entropy (8bit): 5.639194002428614
- Encrypted: false
- SSDEEP: 384:ytC1Al51MJpFIJ27Q/XZ8XiQqO04itpAfkKQitevBnk3:y+AlHSp5A8XiQJ04+pAfFQ+evBO
- MD5: 83719FD98251D7F540E0281E3E03A321
- SHA1: E266D0D03CD5138DA9254E107CDEDF2BFC0C3CD9
- SHA-256: BA09E35790C9D3DA55ECC913BF07EC3EFF97760DB302A4B8DE432C62C7A394DC
- SHA-512: BC903033B636BB6553370E6B197042E5CDB8998D6F4D7A73C59A4C5A2AC6A7ABC84DB5324644A548F18599328B04D77C32DB802EAF5C46316BA9D3E1ADE20978
- Malicious: false
- Reputation: low

Dropped file 9: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib/keyedobjects.nib
- Process: /usr/bin/tar
- Category: dropped
- Size (bytes): 29085
- Entropy (8bit): 6.962852813594106
- Encrypted: false
- SSDEEP: 768:Ry7gv8jB0RS53OiveWgZf3TUh31wtgUYt/CRQif/Qf2:Y7gv8jB0Ro+iveW/h36t9i/Cmk/Qf2
- MD5: B1F27FBE4245B3EA320ABB1C4E9BDE54
- SHA1: 1942918DF0286004EC08ED95EF94D236C4BDBABC
- SHA-256: 766EBE8C195FBAC9EE6131CA3C524ADC64C0EA92CBF34EB6A95F88B81946032A
- SHA-512: 666ABF8D010D5C26BB7778EA4C6E4D774AEAEF7E1516FCC8F2E1D50A1394A96B9662D5ED2728F2B5CE415F0EC471A08BC5429506488BCEB586503F9984A16D52
- Malicious: false
- Reputation: low
Dropped file 10 (path not recovered)
- Process: /usr/bin/tar
- Category: dropped
- Size (bytes): 4022
- Entropy (8bit): 5.053079564031308
- Encrypted: false
- SSDEEP: 96:CyhCcNfFhxr2acTDfkhxlkYT2BLDzFNQpO/YTbJvy:XRNdLuPsLlEDzko
- MD5: 7DF6D87BE250F96F11D6ACE4E2EC01A2
- SHA1: 3732A48FD1C48BFAEEA8D1680935BFE18B853D97
- SHA-256: 90CD523AB11FF5AD239F40C06A085B506A489E829B3038D6DFCBF562467A1A09
- SHA-512: 56E7B85EAB8DB6848EB33C3A7DF76C337EFA98B8F10E0B555DFFC5BDBAEE17CEEA32833DA9B32842EAAC2B123D42F898CF7679E901B3824B5AF9EA58598534A0
- Malicious: false

Dropped file 11 (path not recovered). The sandbox's Encrypted flag is an entropy threshold, not a decryption result: 7.99 bits per byte means compressed or encrypted content, which fits a file the extractor writes before tar unpacks the bundle.
- Process: /Users/drew/Desktop/extractor
- Category: dropped
- Size (bytes): 60554
- Entropy (8bit): 7.990008230981145
- Encrypted: true
- SSDEEP: 1536:bqTQi4Qcocdlcd4BEaCiA95VpjEwE6uXjJUquN/lM9dEn9iZx8M:OMpj3cdeEaRG5sp7XjJ4ZlWew8M
- MD5: 11254CB76109B288873E2E83B5F9B811
- SHA1: EE4B2A77BFE4C5A436269DD4E9F6338185B1C7BF
- SHA-256: 35C094F9389B41ABB55ACB9159AF36730B69722F351F0D8DF4B32A11711A5F02
- SHA-512: 7DF31546D64C758AC4A4BEC6D91CD7C74E64A4B0DE8B6341D1CB96B47262267FD26B516DA9BEDC6C018DDD8D51E4F7DE7B076F26752AF4FEC6C3E721523546BD
- Malicious: false

Dropped file 12 (path not recovered; the second file with Yara and antivirus hits, values not recovered)
- Process: /usr/bin/tar
- Category: dropped
- Size (bytes): 153424
- Entropy (8bit): 2.424111241614667
- Encrypted: false
- SSDEEP: 768:1kVx5g+Mk9F8+Vab8WuLb6Gzn6E8oVab8:yVD59FvVK2H6GGE9VK
- MD5: DED8CAC968D278AEB2889DC7552E46E1
- SHA1: 605214C45F2D7EA8D41125558DD8AD3B6AE92B57
- SHA-256: 49046DFEAEFC59747E45E013F3AB5A2895B4245CFAA218DD2863D86451104506
- SHA-512: A16ACA216041F2322BFBA25665CEA7FC1C896C3B05005E97789C4E505B7DB158223205ED77ACA8F0620ADA5599DF7D67AE17744E260C3E5EBBB6AE522048E439
- Malicious: true
- Yara Hits: present, values not recovered
- Antivirus: present, values not recovered

Dropped file 13 (path not recovered)
- Process: /Users/drew/Desktop/extractor
- Category: dropped
- Size (bytes): 22631
- Entropy (8bit): 7.9764733074201555
- Encrypted: false
- SSDEEP: 384:XRgyWYu6xpOjtd4L2VQnYU/405uk9BBAhp58FPrmkx1sYekPWxliDFpzmU3Iy2YW:Xa1Yu6xpikrY+4/SBEp50Tzx6dkPWniI
- MD5: 0862E2DB7C590EB428B8E22370BE253C
- SHA1: 838F9F17D6476B690D3CA6394F1DD41F5C2BCEDB
- SHA-256: A0BE0CDAE4DBF89631EEED2DB3A92791B3D9E5E8FDA438D26D2DC81FF5712D1A
- SHA-512: 78D622BE240B59F8B18EFAEE19059EA44CB990541AADE14891F350627A1BA18C1379873C85CA90CB9E9D3F5AC6DB95BCEAD11D182F4A7F30B872A47818BE531F
- Malicious: true

Dropped file 14 (path not recovered)
- Process: /Users/drew/Desktop/extractor
- Category: dropped
- Size (bytes): 457
- Entropy (8bit): 5.224719870128861
- Encrypted: false
- SSDEEP: 12:TMHd4+tJVEdQsv9SPBnDho+48OWOjM1MH+EM+4bP+v:2d6ysvIBdoVBvM0jMVDE
- MD5: ABD8D1D28B44573C2A1594F4502E314C
- SHA1: 53761AF4D1F64E1EADB762501C47F7233EBC128A
- SHA-256: 3B773DF5DD1586AB88C3782ED56998FE832623C6ECF64CD9B109B06A3BC36302
- SHA-512: 83F18845347D0E5106CBB2DBEB6FE073E1194FEA353011E8BB7455B84501C2E8071EC8A522E21762F01AEC2AAEB3489652F6EB0DDF39694596541ECDFE3F8E67
- Malicious: false

Dropped file 15 (path not recovered; Preview.app's own cache writes from opening the PDF, see also files 16 and 17)
- Process: /System/Applications/Preview.app/Contents/MacOS/Preview
- Category: dropped
- Size (bytes): 523
- Entropy (8bit): 5.182041805967763
- Encrypted: false
- SSDEEP: 12:d7offKtrPtXhF4FS5X4QiKIwfPRUypYmEytPv:wuzBhF4FyV1fpdphpv
- MD5: 1ECA6980DC7F0CB67A961CD2E95BEF37
- SHA1: 70B26F798E9CEF560740095744DA7222704E94F6
- SHA-256: FDF3720B4A8E1792743DDF504429BABB71744F391F3A97D94F84DD381EA7EF12
- SHA-512: 1FAB308390847F95D90DB8E94143042450B57C00387210E122119C6782043AA838A3D9503DD02D9C04CBC1205487032416BF1862A9E5C3338B5341D5E8D66957
- Malicious: false

Dropped file 16: /private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/16777237_9765376/functions.list
- Process: /System/Applications/Preview.app/Contents/MacOS/Preview
- Category: dropped
- Size (bytes): 776
- Entropy (8bit): 5.923210089718743
- Encrypted: false
- SSDEEP: 12:fKZ8h50K/i1eITur/WrSOaXbUf/puB7jyoNlIhrbL:CjuaUeGOaXA3g5Mrv
- MD5: F812D1A4E5719EFAF480553162F0699D
- SHA1: F3E17CDA042562D709A6170A454A5AF620B85B83
- SHA-256: 1C2E2A6A40006EC8005F64D362CA36D3E9A3C6A64631656BD7A06C7CA49A6371
- SHA-512: 78C0CC2C1C06C0840938F7E47F81E54E30783BDEC580E8172B00C78603834E6966D4BEF56988BDED72A629C52E5B1A4330C9D0C628154BEB15B63A170573894D
- Malicious: false

Dropped file 17: /private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/31001/libraries.list
- Process: /System/Applications/Preview.app/Contents/MacOS/Preview
- Category: dropped
- Size (bytes): 1392
- Entropy (8bit): 6.013033529682525
- Encrypted: false
- SSDEEP: 24:xk4in2nL4fT0h65unS/daZXvlFt8OKLJQDsIJLt3AQNyHEc1Rt:Jc2nLsTo3ZflFGOMWDvJJA+ykc1
- MD5: 9CF9EFB57C920DEAE36CA119DDDECE25
- SHA1: 636A0E92FE3B0556AD4B174CE8F2B07D35511904
- SHA-256: C86EF08C752094A5088320168B259C9059D350C67AB60280C974FD9DBA567515
- SHA-512: D8A485DBBAC9A9B0E6C4C9AEF6D1132F1C942F331A4CCF4F6E4A53276BCF1A25BF26D331CC08BBF0D4660FF8966E01A77F08D829C14CD15BC93FC0AE8A1A10A
- Malicious: false
Static file info for the submitted sample (the file type and TrID fields were not recovered):
- File name: extractor
- File size: 958160 bytes
- Entropy (8bit): 7.476280271617914
- MD5: f97fc3d0dd6b217a92df567ad8f3d555
- SHA1: 9306110d082ad86169c76d765c7d334f24747094
- SHA256: fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853
- SHA512: f6a8a53f4b242e7ee4a57dbe4f0f107d56be72c226e013bf1157303c4e1f6ecfc1bdf6d799c9bdab20c76c86cc3b997d260cd80922483a7b8a13641e63f79609
- SSDEEP: 24576:qx1mymeCXt67AiWH7gHgDx1mymeCXt67AwWH7gH:lymft67AiWHYgiymft67AwWHY
- TLSH: AD15121359086CDED5A8DBB17F0F3D1E3A59B1A1A1C72996362ECEC63710F3A984314E

The sample is a FAT (universal) Mach-O with two slices, described by the two headers below. Both slices are 466640 bytes (__LINKEDIT fileoff + filesize); with the 16 KiB slice alignment ld64 uses, a header page at 0x0, slice 1 at 0x4000 and slice 2 at 0x78000 add up to exactly the 958160 bytes reported. The near-repetition inside the SSDEEP digest is the same fact seen from the fuzzy hash: two slices of almost identical content.
Mach-O header 1 (first slice of the FAT binary; the endianness, size, architecture, file type, load-command count and entry point fields of the header summary were not recovered). The tables below are its load commands, labelled by the command type whose fields they carry. The per-section tables ("Datas") were not recovered.

LC_SEGMENT_64 __PAGEZERO (no access; the standard 4 GiB guard region):

Name | Value |
---|---|
segname | __PAGEZERO |
vmaddr | 0x0 |
vmsize | 0x100000000 |
fileoff | 0x0 |
filesize | 0x0 |
maxprot | 0x0 |
initprot | 0x0 |
nsects | 0 |
flags | 0x0 |

LC_SEGMENT_64 __TEXT (maxprot/initprot 0x5 = r-x; 5 sections):

Name | Value |
---|---|
segname | __TEXT |
vmaddr | 0x100000000 |
vmsize | 0x4000 |
fileoff | 0x0 |
filesize | 0x4000 |
maxprot | 0x5 |
initprot | 0x5 |
nsects | 5 |
flags | 0x0 |

LC_SEGMENT_64 __DATA_CONST (0x3 = rw- at load; flags 0x10 = SG_READ_ONLY, so dyld re-protects it read-only once binding is done; 1 section):

Name | Value |
---|---|
segname | __DATA_CONST |
vmaddr | 0x100004000 |
vmsize | 0x4000 |
fileoff | 0x4000 |
filesize | 0x4000 |
maxprot | 0x3 |
initprot | 0x3 |
nsects | 1 |
flags | 0x10 |

LC_SEGMENT_64 __DATA (rw-; 3 sections):

Name | Value |
---|---|
segname | __DATA |
vmaddr | 0x100008000 |
vmsize | 0x64000 |
fileoff | 0x8000 |
filesize | 0x64000 |
maxprot | 0x3 |
initprot | 0x3 |
nsects | 3 |
flags | 0x0 |

LC_SEGMENT_64 __LINKEDIT (0x1 = r--; fileoff 0x6C000 = 442368 is where every offset below starts, and fileoff + filesize = 0x71ED0 = 466640 is the size of the slice):

Name | Value |
---|---|
segname | __LINKEDIT |
vmaddr | 0x10006C000 |
vmsize | 0x8000 |
fileoff | 0x6C000 |
filesize | 0x5ED0 |
maxprot | 0x1 |
initprot | 0x1 |
nsects | 0 |
flags | 0x0 |

dyld_info_command (LC_DYLD_INFO_ONLY). The 32-byte export trie is consistent with the single external defined symbol recorded in LC_DYSYMTAB:

Name | Value |
---|---|
rebase_off | 442368 |
rebase_size | 8 |
bind_off | 442376 |
bind_size | 48 |
weak_bind_off | 0 |
weak_bind_size | 0 |
lazy_bind_off | 442424 |
lazy_bind_size | 464 |
export_off | 442888 |
export_size | 32 |

LC_SYMTAB:

Name | Value |
---|---|
symoff | 442944 |
nsyms | 57 |
stroff | 444120 |
strsize | 632 |

LC_DYSYMTAB (22 local + 1 external defined + 34 undefined = 57 = nsyms):

Name | Value |
---|---|
ilocalsym | 0 |
nlocalsym | 22 |
iextdefsym | 22 |
nextdefsym | 1 |
iundefsym | 23 |
nundefsym | 34 |
tocoff | 0 |
ntoc | 0 |
modtaboff | 0 |
nmodtab | 0 |
extrefsymoff | 0 |
nextrefsyms | 0 |
indirectsymoff | 443856 |
nindirectsyms | 66 |
extreloff | 0 |
nextrel | 0 |
locreloff | 0 |
nlocrel | 0 |

LC_LOAD_DYLINKER (name is the offset of the path string inside the command; the string itself was not recovered):

Name | Value |
---|---|
name | 12 |

LC_UUID. The report prints the 16 raw bytes as a Python bytes literal; in canonical form the UUID is 6CCC0732-07B3-3573-AB70-A0DE6870DC70:

Name | Value |
---|---|
uuid | b'l\xcc\x072\x07\xb35s\xabp\xa0\xdehp\xdcp' |

LC_BUILD_VERSION. platform 1 is PLATFORM_MACOS; versions are packed as 0xXXXXYYZZ, so minos 721152 = 0x000B0100 = 11.1 (Big Sur) and sdk 786688 = 0x000C0100 = 12.1. The one build-tool entry (ntools 1) was not recovered:

Name | Value |
---|---|
platform | 1 |
minos | 721152 |
sdk | 786688 |
ntools | 1 |

LC_SOURCE_VERSION (0 = 0.0.0.0.0, i.e. no source version stamped):

Name | Value |
---|---|
version | 0 |

LC_MAIN. entryoff is a file offset into __TEXT; with __TEXT at fileoff 0 mapped to 0x100000000, entryoff 14737 = 0x3991 puts the entry point at 0x100003991:

Name | Value |
---|---|
entryoff | 14737 |
stacksize | 0 |

Two dylib load commands (LC_LOAD_DYLIB or a variant). name 24 is the offset of the library path inside the command, and the path was not recovered; timestamp 2 is the constant ld64 writes, shown by the sandbox in its UTC+1 zone:

Name | Value |
---|---|
name | 24 |
timestamp | Thu Jan 1 01:00:02 1970 |
current_version | 1200.3.0 |
compatibility_version | 1.0.0 |

Name | Value |
---|---|
name | 24 |
timestamp | Thu Jan 1 01:00:02 1970 |
current_version | 1311.0.0 |
compatibility_version | 1.0.0 |

Three linkedit_data_command entries, consistent with LC_FUNCTION_STARTS, LC_DATA_IN_CODE and LC_CODE_SIGNATURE respectively. The code signature blob (444752 + 21888 = 466640) ends exactly at the end of the slice, as it must; whether the signature is valid is a separate question, and the "Invalid Code Signature" entry in the ATT&CK matrix says it was not:

Name | Value |
---|---|
dataoff | 442920 |
datasize | 24 |

Name | Value |
---|---|
dataoff | 442944 |
datasize | 0 |

Name | Value |
---|---|
dataoff | 444752 |
datasize | 21888 |
Symbol table of header 1 (57 entries, matching LC_DYSYMTAB). The C++ entries are shown with their Itanium-ABI demangling; the rest are C symbols with the Mach-O leading underscore:

- __Z10strreversePcS_ → strreverse(char*, char*)
- __Z11ExecuteFilePc → ExecuteFile(char*)
- __Z11GetUserNamev → GetUserName()
- __Z11GlobalAllocjj → GlobalAlloc(unsigned int, unsigned int)
- __Z11startDaemonv → startDaemon()
- __Z15IsSafariFAExistv → IsSafariFAExist()
- __Z16SecureZeroMemoryPvm → SecureZeroMemory(void*, unsigned long)
- __Z4itoaiPci → itoa(int, char*, int)
- __Z5ShellPcS_ → Shell(char*, char*)
- __Z6popen2PKcPiS1_ → popen2(char const*, int*, int*)
- __Z6thExecPv → thExec(void*)
- __Z7pclose2i → pclose2(int)
- __Z8WriteLogPc → WriteLog(char*)
- __ZZ4itoaiPciE3num → itoa(int, char*, int)::num (function-local static)
- ____chkstk_darwin
- ___bzero
- ___stack_chk_fail
- ___stack_chk_guard
- __dyld_private
- __mh_execute_header
- _access
- _atoi
- _close
- _data
- _data2
- _data3
- _data4
- _data5
- _dup2
- _execl
- _exit
- _fclose
- _fopen
- _fork
- _free
- _fwrite
- _g_szUserName
- _getenv
- _kill
- _main
- _malloc
- _mkdir
- _open
- _perror
- _pipe
- _read
- _remove
- _sleep
- _snprintf
- _strcat
- _strcpy
- _strlen
- _strrchr
- _time
- _waitpid
- _write
- dyld_stub_binder

What the names say about the code: GlobalAlloc, SecureZeroMemory and GetUserName are Win32 API names implemented locally, which suggests code carried over from a Windows build. popen2/pclose2 are a hand-rolled popen over fork, pipe, dup2, execl and waitpid (all imported), which is the mechanism behind the ten "Shell command executed" signatures; kill, remove and mkdir match the killall, rm and directory-creation behavior; IsSafariFAExist and startDaemon fit the safarifontsagent drop and the launch agent. The five _data.._data5 globals are the likely embedded payloads that the dropped-file list shows being written out, though the page does not show their contents.
Lazily bound imports of header 1 (32 entries; the undefined symbols above minus ___stack_chk_guard and dyld_stub_binder, which are bound eagerly):

- ____chkstk_darwin
- ___bzero
- ___stack_chk_fail
- _access
- _atoi
- _close
- _dup2
- _execl
- _exit
- _fclose
- _fopen
- _fork
- _free
- _fwrite
- _getenv
- _kill
- _malloc
- _mkdir
- _open
- _perror
- _pipe
- _read
- _remove
- _sleep
- _snprintf
- _strcat
- _strcpy
- _strlen
- _strrchr
- _time
- _waitpid
- _write
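The demangled names in the symbol table above were produced by hand; the script below does the same mechanically and then sorts the table into the three groups that matter for triage (C++ helpers, Win32-style names, process-control imports). It is an added example, not part of the Joe Sandbox report: the demangler implements only the Itanium-ABI shapes that occur in this table (unscoped function names, builtin, pointer and const parameter types, S_/S<n>_ substitutions and one function-local static) and raises on anything else, so use c++filt for real work. SYMBOLS is copied from the report's symbol table; the group names are the author's.

```python
"""Demangle and triage the symbol table printed in this report.
Added example, not part of the Joe Sandbox report. The demangler covers
only the Itanium C++ ABI subset that occurs in this table."""
from typing import Dict, List

# <builtin-type> codes from the Itanium ABI that occur in C-style signatures
BUILTIN = {"v": "void", "b": "bool", "c": "char", "a": "signed char",
           "h": "unsigned char", "s": "short", "t": "unsigned short",
           "i": "int", "j": "unsigned int", "l": "long", "m": "unsigned long",
           "x": "long long", "y": "unsigned long long", "f": "float",
           "d": "double", "z": "..."}


class Demangler:
    def __init__(self, text: str):
        self.s = text
        self.i = 0
        self.subs: List[str] = []  # substitution candidates, in order of completion

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def take(self) -> str:
        ch = self.peek()
        self.i += 1
        return ch

    def source_name(self) -> str:
        """<length><identifier>"""
        j = self.i
        while self.peek().isdigit():
            self.i += 1
        n = int(self.s[j:self.i])
        name = self.s[self.i:self.i + n]
        self.i += n
        return name

    def substitution(self) -> str:
        """S_ is the first candidate, S0_ the second, S1_ the third, ... (base 36)."""
        self.take()  # 'S'
        j = self.i
        while self.peek() != "_":
            self.i += 1
        seq = self.s[j:self.i]
        self.take()  # '_'
        return self.subs[0 if seq == "" else int(seq, 36) + 1]

    def type_(self) -> str:
        ch = self.peek()
        if ch == "P":                      # pointer: the composite becomes a candidate
            self.take()
            t = self.type_() + "*"
            self.subs.append(t)
            return t
        if ch == "K":                      # const qualifier, also a candidate
            self.take()
            t = self.type_() + " const"
            self.subs.append(t)
            return t
        if ch == "S":
            return self.substitution()
        if ch in BUILTIN:                  # builtins are never candidates
            self.take()
            return BUILTIN[ch]
        raise ValueError(f"unsupported type code {ch!r} at offset {self.i}")

    def params(self) -> str:
        types = []
        while self.peek() and self.peek() != "E":
            types.append(self.type_())
        if types == ["void"]:              # f(void) is spelled 'v' and prints as ()
            types = []
        return "(" + ", ".join(types) + ")"

    def encoding(self) -> str:
        if self.peek() == "Z":             # <local-name>: Z <encoding> E <name>
            self.take()
            outer = self.encoding()
            self.take()  # 'E'
            return outer + "::" + self.source_name()
        name = self.source_name()
        if self.peek() in ("", "E"):       # data symbol: no parameter list
            return name
        return name + self.params()


def demangle(sym: str) -> str:
    """Mach-O symbols carry a leading '_'; '__Z...' is therefore a C++ name."""
    text = sym[1:] if sym.startswith("__Z") else sym
    if text.startswith("_Z"):
        return Demangler(text[2:]).encoding()
    return sym[1:] if sym.startswith("_") else sym


PROCESS_CONTROL = {"fork", "execl", "pipe", "dup2", "waitpid", "kill"}
WIN32_NAMES = {"GlobalAlloc", "SecureZeroMemory", "GetUserName"}

# Copied from the report's symbol table for header 1 (57 entries).
SYMBOLS = [
    "__Z10strreversePcS_", "__Z11ExecuteFilePc", "__Z11GetUserNamev",
    "__Z11GlobalAllocjj", "__Z11startDaemonv", "__Z15IsSafariFAExistv",
    "__Z16SecureZeroMemoryPvm", "__Z4itoaiPci", "__Z5ShellPcS_",
    "__Z6popen2PKcPiS1_", "__Z6thExecPv", "__Z7pclose2i", "__Z8WriteLogPc",
    "__ZZ4itoaiPciE3num", "____chkstk_darwin", "___bzero", "___stack_chk_fail",
    "___stack_chk_guard", "__dyld_private", "__mh_execute_header", "_access",
    "_atoi", "_close", "_data", "_data2", "_data3", "_data4", "_data5", "_dup2",
    "_execl", "_exit", "_fclose", "_fopen", "_fork", "_free", "_fwrite",
    "_g_szUserName", "_getenv", "_kill", "_main", "_malloc", "_mkdir", "_open",
    "_perror", "_pipe", "_read", "_remove", "_sleep", "_snprintf", "_strcat",
    "_strcpy", "_strlen", "_strrchr", "_time", "_waitpid", "_write",
    "dyld_stub_binder",
]


def triage_symbols(symbols: List[str]) -> Dict[str, List[str]]:
    """Group a symbol table into demangled C++ functions, Win32-style names
    implemented locally, and libc imports used for process control."""
    out: Dict[str, List[str]] = {"cpp": [], "win32_style": [], "process_control": []}
    for s in symbols:
        d = demangle(s)
        if s.startswith("__Z"):
            out["cpp"].append(d)
            if d.split("(")[0] in WIN32_NAMES:
                out["win32_style"].append(d)
        elif d in PROCESS_CONTROL:
            out["process_control"].append(d)
    return out


if __name__ == "__main__":
    for group, names in triage_symbols(SYMBOLS).items():
        print(group, names)
```

The substitution bookkeeping is the part people get wrong: in `popen2PKcPiS1_` the candidates are `char const` (S_), `char const*` (S0_) and `int*` (S1_), so the third parameter is another `int*`, not a `char const*`.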
General Information for header 2 | |
Endian: | |
Size: | |
Architecture: | |
Filetype: | |
Nbr. of load commands: | |
Entry point: |
Name | Value |
---|---|
segname | __PAGEZERO |
vmaddr | 0x0 |
vmsize | 0x100000000 |
fileoff | 0x0 |
filesize | 0x0 |
maxprot | 0x0 |
initprot | 0x0 |
nsects | 0 |
flags | 0x0 |
Name | Value | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
segname | __TEXT | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
vmaddr | 0x100000000 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
vmsize | 0x4000 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
fileoff | 0x0 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
filesize | 0x4000 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
maxprot | 0x5 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
initprot | 0x5 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
nsects | 5 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
flags | 0x0 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Datas |
|
Name | Value | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
segname | __DATA_CONST | ||||||||||||||||||||
vmaddr | 0x100004000 | ||||||||||||||||||||
vmsize | 0x4000 | ||||||||||||||||||||
fileoff | 0x4000 | ||||||||||||||||||||
filesize | 0x4000 | ||||||||||||||||||||
maxprot | 0x3 | ||||||||||||||||||||
initprot | 0x3 | ||||||||||||||||||||
nsects | 1 | ||||||||||||||||||||
flags | 0x10 | ||||||||||||||||||||
Datas |
|
Name | Value |
---|---|
segname | __DATA |
vmaddr | 0x100008000 |
vmsize | 0x64000 |
fileoff | 0x8000 |
filesize | 0x64000 |
maxprot | 0x3 |
initprot | 0x3 |
nsects | 3 |
flags | 0x0 |
Name | Value |
---|---|
segname | __LINKEDIT |
vmaddr | 0x10006C000 |
vmsize | 0x8000 |
fileoff | 0x6C000 |
filesize | 0x5ED0 |
maxprot | 0x1 |
initprot | 0x1 |
nsects | 0 |
flags | 0x0 |
Name | Value |
---|---|
rebase_off | 442368 |
rebase_size | 8 |
bind_off | 442376 |
bind_size | 64 |
weak_bind_off | 0 |
weak_bind_size | 0 |
lazy_bind_off | 442440 |
lazy_bind_size | 440 |
export_off | 442880 |
export_size | 32 |
Name | Value |
---|---|
symoff | 442936 |
nsyms | 57 |
stroff | 444112 |
strsize | 632 |
Name | Value |
---|---|
ilocalsym | 0 |
nlocalsym | 22 |
iextdefsym | 22 |
nextdefsym | 1 |
iundefsym | 23 |
nundefsym | 34 |
tocoff | 0 |
ntoc | 0 |
modtaboff | 0 |
nmodtab | 0 |
extrefsymoff | 0 |
nextrefsyms | 0 |
indirectsymoff | 443848 |
nindirectsyms | 65 |
extreloff | 0 |
nextrel | 0 |
locreloff | 0 |
nlocrel | 0 |
Name | Value |
---|---|
name | 12 |
Name | Value |
---|---|
uuid | 35DED70F-9958-3A54-A131-6D1F6873DF59 |
Name | Value |
---|---|
platform | 1 (PLATFORM_MACOS) |
minos | 721152 (0xB0100, i.e. 11.1.0) |
sdk | 786688 (0xC0100, i.e. 12.1.0) |
ntools | 1 |
Name | Value |
---|---|
version | 0 |
Name | Value |
---|---|
entryoff | 14540 |
stacksize | 0 |
Name | Value |
---|---|
name | 24 |
timestamp | Thu Jan 1 01:00:02 1970 |
current_version | 1200.3.0 |
compatibility_version | 1.0.0 |
Name | Value |
---|---|
name | 24 |
timestamp | Thu Jan 1 01:00:02 1970 |
current_version | 1311.0.0 |
compatibility_version | 1.0.0 |
Name | Value |
---|---|
dataoff | 442912 |
datasize | 24 |
Name | Value |
---|---|
dataoff | 442936 |
datasize | 0 |
Name | Value |
---|---|
dataoff | 444752 |
datasize | 21888 |
__Z10strreversePcS_ |
__Z11ExecuteFilePc |
__Z11GetUserNamev |
__Z11GlobalAllocjj |
__Z11startDaemonv |
__Z15IsSafariFAExistv |
__Z16SecureZeroMemoryPvm |
__Z4itoaiPci |
__Z5ShellPcS_ |
__Z6popen2PKcPiS1_ |
__Z6thExecPv |
__Z7pclose2i |
__Z8WriteLogPc |
__ZZ4itoaiPciE3num |
___chkstk_darwin |
___stack_chk_fail |
___stack_chk_guard |
__dyld_private |
__mh_execute_header |
_access |
_atoi |
_bzero |
_close |
_data |
_data2 |
_data3 |
_data4 |
_data5 |
_dup2 |
_execl |
_exit |
_fclose |
_fopen |
_fork |
_free |
_fwrite |
_g_szUserName |
_getenv |
_kill |
_main |
_malloc |
_mkdir |
_open |
_perror |
_pipe |
_read |
_remove |
_sleep |
_snprintf |
_strcat |
_strcpy |
_strlen |
_strrchr |
_time |
_waitpid |
_write |
dyld_stub_binder |
___stack_chk_fail |
_access |
_atoi |
_bzero |
_close |
_dup2 |
_execl |
_exit |
_fclose |
_fopen |
_fork |
_free |
_fwrite |
_getenv |
_kill |
_malloc |
_mkdir |
_open |
_perror |
_pipe |
_read |
_remove |
_sleep |
_snprintf |
_strcat |
_strcpy |
_strlen |
_strrchr |
_time |
_waitpid |
_write |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 18, 2022 12:34:25.771799088 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:25.771842003 CEST | 443 | 49483 | 64.44.102.6 | 192.168.0.52 |
Aug 18, 2022 12:34:25.772105932 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:25.783437014 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:25.783453941 CEST | 443 | 49483 | 64.44.102.6 | 192.168.0.52 |
Aug 18, 2022 12:34:26.140419960 CEST | 443 | 49483 | 64.44.102.6 | 192.168.0.52 |
Aug 18, 2022 12:34:26.140734911 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:26.288233042 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:26.288273096 CEST | 443 | 49483 | 64.44.102.6 | 192.168.0.52 |
Aug 18, 2022 12:34:26.288808107 CEST | 443 | 49483 | 64.44.102.6 | 192.168.0.52 |
Aug 18, 2022 12:34:26.288949966 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:26.289230108 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:26.332864046 CEST | 443 | 49483 | 64.44.102.6 | 192.168.0.52 |
Aug 18, 2022 12:34:26.399652958 CEST | 443 | 49483 | 64.44.102.6 | 192.168.0.52 |
Aug 18, 2022 12:34:26.399741888 CEST | 443 | 49483 | 64.44.102.6 | 192.168.0.52 |
Aug 18, 2022 12:34:26.399846077 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:26.400019884 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:26.400113106 CEST | 49483 | 443 | 192.168.0.52 | 64.44.102.6 |
Aug 18, 2022 12:34:26.400130033 CEST | 443 | 49483 | 64.44.102.6 | 192.168.0.52 |
Aug 18, 2022 12:36:13.567575932 CEST | 443 | 49482 | 17.253.57.211 | 192.168.0.52 |
Aug 18, 2022 12:36:13.567601919 CEST | 443 | 49482 | 17.253.57.211 | 192.168.0.52 |
Aug 18, 2022 12:36:13.567898989 CEST | 49482 | 443 | 192.168.0.52 | 17.253.57.211 |
Aug 18, 2022 12:36:13.567955017 CEST | 49482 | 443 | 192.168.0.52 | 17.253.57.211 |
Aug 18, 2022 12:36:13.568097115 CEST | 49482 | 443 | 192.168.0.52 | 17.253.57.211 |
Aug 18, 2022 12:36:13.568388939 CEST | 49482 | 443 | 192.168.0.52 | 17.253.57.211 |
Aug 18, 2022 12:36:13.576956987 CEST | 443 | 49482 | 17.253.57.211 | 192.168.0.52 |
Aug 18, 2022 12:36:13.576982021 CEST | 443 | 49482 | 17.253.57.211 | 192.168.0.52 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 18, 2022 12:34:25.755146980 CEST | 52067 | 53 | 192.168.0.52 | 8.8.8.8 |
Aug 18, 2022 12:34:25.769753933 CEST | 53 | 52067 | 8.8.8.8 | 192.168.0.52 |
Aug 18, 2022 12:34:28.624675035 CEST | 53 | 59212 | 8.8.8.8 | 192.168.0.52 |
Aug 18, 2022 12:34:28.624697924 CEST | 53 | 61916 | 8.8.8.8 | 192.168.0.52 |
Aug 18, 2022 12:34:35.631336927 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255 |
Aug 18, 2022 12:35:14.021058083 CEST | 53 | 52558 | 8.8.8.8 | 192.168.0.52 |
Aug 18, 2022 12:35:15.696243048 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255 |
Aug 18, 2022 12:35:56.969883919 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 18, 2022 12:34:25.755146980 CEST | 192.168.0.52 | 8.8.8.8 | 0x6c93 | Standard query (0) | | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 18, 2022 12:34:25.769753933 CEST | 8.8.8.8 | 192.168.0.52 | 0x6c93 | No error (0) | | | 64.44.102.6 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
0 | 192.168.0.52 | 49483 | 64.44.102.6 | 443 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-18 10:34:26 UTC | 0 | OUT | |
2022-08-18 10:34:26 UTC | 0 | IN | |
2022-08-18 10:34:26 UTC | 0 | IN | |
System Behavior
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Library/Frameworks/Mono.framework/Versions/6.12.0/bin/mono-sgen64 |
Arguments: | n/a |
File size: | 4699168 bytes |
MD5 hash: | 98f65da8c6a62423d3f4cda359f06a87 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/bin/sudo |
Arguments: | /usr/bin/sudo -u drew /Users/drew/Desktop/extractor |
File size: | 1216576 bytes |
MD5 hash: | f21c2a2dc106642f7c38801e121c8c86 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/bin/sudo |
Arguments: | n/a |
File size: | 1216576 bytes |
MD5 hash: | f21c2a2dc106642f7c38801e121c8c86 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Desktop/extractor |
Arguments: | /Users/drew/Desktop/extractor |
File size: | 958160 bytes |
MD5 hash: | f97fc3d0dd6b217a92df567ad8f3d555 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Desktop/extractor |
Arguments: | n/a |
File size: | 958160 bytes |
MD5 hash: | f97fc3d0dd6b217a92df567ad8f3d555 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | bash -c (open '/Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1 |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/bin/open |
Arguments: | open /Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf |
File size: | 292560 bytes |
MD5 hash: | 81d0c6fefba2004d451915c6fa861914 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/rm |
Arguments: | rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState |
File size: | 105984 bytes |
MD5 hash: | 6cd9e187f33d60ce3cb05b12435f0673 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Desktop/extractor |
Arguments: | n/a |
File size: | 958160 bytes |
MD5 hash: | f97fc3d0dd6b217a92df567ad8f3d555 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1 |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/bin/tar |
Arguments: | tar zxvf /Users/drew/Library/Fonts/safarifontsagent_ -C /Users/drew/Library/Fonts |
File size: | 214896 bytes |
MD5 hash: | dbeb13c3b2ade21995470fde7650314a |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Desktop/extractor |
Arguments: | n/a |
File size: | 958160 bytes |
MD5 hash: | f97fc3d0dd6b217a92df567ad8f3d555 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1 |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/bin/tar |
Arguments: | tar zxvf /Users/drew/Library/Fonts/fontsupdater_ -C /Users/drew/Library/Fonts |
File size: | 214896 bytes |
MD5 hash: | dbeb13c3b2ade21995470fde7650314a |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Desktop/extractor |
Arguments: | n/a |
File size: | 958160 bytes |
MD5 hash: | f97fc3d0dd6b217a92df567ad8f3d555 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | bash -c (pgrep -f safarifontsagent) 2>&1 |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/bin/pgrep |
Arguments: | pgrep -f safarifontsagent |
File size: | 141136 bytes |
MD5 hash: | 8c476a299c23f6971101e7bbd6462c3c |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Desktop/extractor |
Arguments: | n/a |
File size: | 958160 bytes |
MD5 hash: | f97fc3d0dd6b217a92df567ad8f3d555 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | bash -c (pgrep -f safarifontsagent) 2>&1 |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/bin/pgrep |
Arguments: | pgrep -f safarifontsagent |
File size: | 141136 bytes |
MD5 hash: | 8c476a299c23f6971101e7bbd6462c3c |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Desktop/extractor |
Arguments: | n/a |
File size: | 958160 bytes |
MD5 hash: | f97fc3d0dd6b217a92df567ad8f3d555 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1 |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/bin/open |
Arguments: | open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app |
File size: | 292560 bytes |
MD5 hash: | 81d0c6fefba2004d451915c6fa861914 |
Start time: | 12:34:25 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Desktop/extractor |
Arguments: | n/a |
File size: | 958160 bytes |
MD5 hash: | f97fc3d0dd6b217a92df567ad8f3d555 |
Start time: | 12:34:25 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | bash -c (pgrep -f safarifontsagent) 2>&1 |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:25 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:25 |
Start date: | 18/08/2022 |
Path: | /usr/bin/pgrep |
Arguments: | pgrep -f safarifontsagent |
File size: | 141136 bytes |
MD5 hash: | 8c476a299c23f6971101e7bbd6462c3c |
Start time: | 12:34:25 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Desktop/extractor |
Arguments: | n/a |
File size: | 958160 bytes |
MD5 hash: | f97fc3d0dd6b217a92df567ad8f3d555 |
Start time: | 12:34:25 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | bash -c (killall Terminal) 2>&1 |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:25 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | n/a |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:25 |
Start date: | 18/08/2022 |
Path: | /usr/bin/killall |
Arguments: | killall Terminal |
File size: | 122272 bytes |
MD5 hash: | f3e64d320b9eed9c6dbd97435daddded |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/libexec/xpcproxy |
Arguments: | n/a |
File size: | 196720 bytes |
MD5 hash: | 395c4370ee6c31ff7061018e365ee7b9 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /System/Applications/Preview.app/Contents/MacOS/Preview |
Arguments: | /System/Applications/Preview.app/Contents/MacOS/Preview |
File size: | 5291440 bytes |
MD5 hash: | 510c4010daefc87831ff8730ab2f5092 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/libexec/xpcproxy |
Arguments: | n/a |
File size: | 196720 bytes |
MD5 hash: | 395c4370ee6c31ff7061018e365ee7b9 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater |
Arguments: | /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater |
File size: | 186240 bytes |
MD5 hash: | fc5d8c6ccf10d0b900baa394d2ead97d |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater |
Arguments: | n/a |
File size: | 186240 bytes |
MD5 hash: | fc5d8c6ccf10d0b900baa394d2ead97d |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /Users/drew/Library/Fonts/safarifontsagent |
Arguments: | /Users/drew/Library/Fonts/safarifontsagent |
File size: | 153424 bytes |
MD5 hash: | ded8cac968d278aeb2889dc7552e46e1 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/sh |
Arguments: | n/a |
File size: | 120912 bytes |
MD5 hash: | 8356936fbf1eeb3548896b9206a685a0 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /bin/bash |
Arguments: | sh -c sw_vers -productVersion |
File size: | 1296704 bytes |
MD5 hash: | c1edb59ec6a40884fc3c4e201d31b1d5 |
Start time: | 12:34:24 |
Start date: | 18/08/2022 |
Path: | /usr/bin/sw_vers |
Arguments: | sw_vers -productVersion |
File size: | 121408 bytes |
MD5 hash: | 7e6a3895092064bd002ecb1d4300b0db |