Edit tour

macOS Analysis Report
y8g2Ga0Gas.dmg

Overview

General Information

Sample Name:	y8g2Ga0Gas.dmg (renamed file extension from none to dmg, renamed because original name is a hash value)
Original Sample Name:	y8g2Ga0Gas
Analysis ID:	1339915
MD5:	083063794bbe6431381802a205689410
SHA1:	9690fcebe639ec25690527bf0e6f0929dc62bcee
SHA256:	9f0a2164016509cf59fe996f5a8016ee84162aa51d0e9870e589bae6fdd55aac
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false

Signatures

Contains symbols with suspicious names likely related to encryption

Contains symbols with suspicious names likely related to networking

Uses AppleScript framework/components containing Apple Script related functionalities

Reads the systems hostname

Reads hardware related sysctl values

Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'

Executes commands using a shell command-line interpreter

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Reads launchservices plist files

Contains symbols with paths

Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Classification

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1339915
Start date and time:	2023-11-09 18:49:50 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.13
CPU architecture:	x86_64
Analysis Mode:	default
Sample file name:	y8g2Ga0Gas.dmg (renamed file extension from none to dmg)
Original Sample Name:	y8g2Ga0Gas
Detection:	CLEAN
Classification:	clean5.macDMG@0/5@0/0

Warnings

Excluded IPs from analysis (whitelisted): 17.253.97.201, 17.253.97.205, 23.222.225.102, 17.253.97.204, 17.253.97.202, 17.253.3.205, 17.253.3.201, 17.253.97.203
Excluded domains from analysis (whitelisted): cds-cdn.v.aaplimg.com, e11408.d.akamaiedge.net, cds.apple.com.akadns.net, ocsp-a.g.aaplimg.com, cds.apple.com, help-ar.apple.com.edgekey.net, crl.g.aaplimg.com, crl.apple.com, valid.apple.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, ocsp-lb.apple.com.akadns.net, ocsp.apple.com, valid.origin-apple.com.akadns.net, help.origin-apple.com.akadns.net, valid-apple.g.aaplimg.com, help.apple.com, world-gen.g.aaplimg.com
VT rate limit hit for: extracted-dmg.zip

Runtime Messages

Command:	open "/Volumes/AppleApp/AppleApp"
PID:	910
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is macvm-highsierra

mono-sgen32 New Fork (PID: 910, Parent: 825)

open (MD5: 40ed6d8f35c9f20484b97582d296398f) Arguments:

Terminal New Fork (PID: 911, Parent: 274)

bash (MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6) Arguments: -bash

bash New Fork (PID: 913, Parent: 912)

bash New Fork (PID: 914, Parent: 913)

path_helper (MD5: acce8bf4d8df1d53bc6e22f1a723b11a) Arguments: /usr/libexec/path_helper -s

bash New Fork (PID: 915, Parent: 912)

mkdir (MD5: 135a3b94b3d9efccb4c8cd23ac404571) Arguments: mkdir -m 700 -p /Users/berri/.bash_sessions

bash New Fork (PID: 916, Parent: 912)

bash New Fork (PID: 917, Parent: 916)

touch (MD5: 4aacabad02929f18b00a9b6ef85e0605) Arguments: /usr/bin/touch /Users/berri/.bash_sessions/D6FAA9EC-ED54-4B54-857A-E4141CC43C12.historynew

bash New Fork (PID: 918, Parent: 912)

AppleApp (MD5: 38b5c3c2cdad34da7cb069e836bfbf96) Arguments: /Volumes/AppleApp/AppleApp

sh New Fork (PID: 920, Parent: 918)

dscl (MD5: 2072d2ac07a471913b06fed4b4bd55cf) Arguments: dscl . authonly berri

sh New Fork (PID: 921, Parent: 918)

osascript (MD5: 86c0eb9ab6768a4a8e723dcda40bc65a) Arguments: osascript -e display dialog 'Required System Upgrade. Please enter passphrase for berri.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper'

cleanup

Osascript command executed: osascript -e display dialog 'Required System Upgrade. Please enter passphrase for berri.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper'

Jump to behavior

Source: /Volumes/AppleApp/AppleApp (PID: 918)	Shell command executed: sh -c dscl . authonly 'berri' ''			Jump to behavior
Source: /Volumes/AppleApp/AppleApp (PID: 918)	Shell command executed: sh -c osascript -e 'display dialog 'Required System Upgrade. Please enter passphrase for berri.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper''			Jump to behavior

Source: /usr/bin/open (PID: 910)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 921)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist			Jump to behavior

Source: /usr/bin/osascript (PID: 921)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 921)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist			Jump to behavior

Source: /usr/bin/osascript (PID: 921)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /usr/bin/osascript (PID: 921)

Random device file read: /dev/random

Jump to behavior

Source: /usr/bin/osascript (PID: 921)

Sysctl read request: kern.safeboot (1.66)

Jump to behavior

Source: /bin/bash (PID: 912)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 920)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 921)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /usr/bin/osascript (PID: 921)

Sysctl read request: hw.availcpu (6.25)

Jump to behavior

Source: /usr/bin/open (PID: 910)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 921)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Scripting	Path Interception	Path Interception	1 Scripting	OS Credential Dumping	41 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	3 AppleScript	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.54.68.207	unknown	United States		22773	ASN-CXA-ALL-CCI-22773-RDCUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-CXA-ALL-CCI-22773-RDCUS	7pmemg0WCP.elf	Get hash	malicious	Unknown	Browse	68.98.241.186
	kuru.arm7.elf	Get hash	malicious	Unknown	Browse	72.200.22.149
	arm5-20231108-0341.elf	Get hash	malicious	Unknown	Browse	98.190.165.81
	0xc2s.arm7.elf	Get hash	malicious	Mirai	Browse	98.166.214.184
	ERKXITRd1T.elf	Get hash	malicious	Mirai	Browse	70.165.89.92
	t42n199q79.elf	Get hash	malicious	Mirai, Okiru	Browse	98.170.53.240
	TqA3GrJsfl.elf	Get hash	malicious	Mirai	Browse	24.120.99.121
	N7B7a9u4Sa.elf	Get hash	malicious	Mirai	Browse	68.105.173.219
	mIba7sY5sD.elf	Get hash	malicious	Okiru	Browse	24.56.52.145
	pbl0DZaV58.elf	Get hash	malicious	Okiru	Browse	98.172.168.0
	xd71bUi4mH.elf	Get hash	malicious	Mirai	Browse	184.178.189.48
	arm5.elf	Get hash	malicious	Unknown	Browse	72.194.198.197
	arm7.elf	Get hash	malicious	Mirai	Browse	174.79.178.121
	x86.elf	Get hash	malicious	Unknown	Browse	70.179.67.118
	mips.elf	Get hash	malicious	Unknown	Browse	216.231.6.154
	skid.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	68.11.187.194
	skid.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	98.176.87.212
	https://acrobat.adobe.com/id/urn:aaid:sc:US:b1c915de-7158-4dd9-aa63-db461c226178	Get hash	malicious	HTMLPhisher	Browse	23.54.68.233
	ODfOto3gt3.elf	Get hash	malicious	Unknown	Browse	164.175.183.133
	x86.elf	Get hash	malicious	Mirai	Browse	68.15.222.24

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/dev/ttys000

Download File

Process:	/usr/bin/osascript
File Type:	ASCII text
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.843139062229567
Encrypted:	false
SSDEEP:	3:tWIaiV4dLQbwDOr3Z/WOv:kjiVQLA4ODoA
MD5:	35A10920836F63E89B93678875F940C9
SHA1:	B9F687A7DC526165F044A17F2DB62BE4C904F0A1
SHA-256:	382597B1E4688AA9893080916CA172B1767685A41A890820D9F014E0ABA99C69
SHA-512:	BA7830456E8D94A9E9BD7FC8EB67A5A2CD12F3FCE5E1A7D0591B3849A8CF066AA98D2EB536FA6A133F0B8C3EC96EA4F0FE1C061C02B27FDDA415B39835BB31F7
Malicious:	false
Reputation:	low
Preview:	2023-11-09 18:50:58.539 osascript[921:6748] ApplePersistence=NO.

/private/var/run/utmpx

Download File

Process:	/usr/bin/login
File Type:	data
Category:	dropped
Size (bytes):	628
Entropy (8bit):	0.4026640284876976
Encrypted:	false
SSDEEP:	3:N/sV2illBly+5V4lll/:N0EillBly+Xol
MD5:	C685FF1EE189C39015647906AE5A9A3F
SHA1:	1094017AC239022FEE8E9C652BB75DC16162B890
SHA-256:	2A564831B501A1938B3B59DB970D7FA1D32B86714D06528F2C5944518C54800F
SHA-512:	49AC2BD8170790F7964BB8B1C096E6E51514ED0F7EC568E19337195347BCBC3018FD523E6756E9B06ACCC309B2A99209064173B29D64334F0436895408F70B8D
Malicious:	false
Reputation:	low
Preview:	berri...........................................................................................................................................................................................................................................................s000ttys000...................................Me2...................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	zlib compressed data
Entropy (8bit):	7.993920664189166
TrID:	Disk Image (Macintosh), GPT (HFS) (11500/0) 45.99% Disk Image (Macintosh), zlib (10501/1) 42.00% Disk Image (Macintosh), bzlib (best compression) (2002/1) 8.01% ZLIB compressed file (1001/1) 4.00%
File name:	y8g2Ga0Gas.dmg
File size:	526'515 bytes
MD5:	083063794bbe6431381802a205689410
SHA1:	9690fcebe639ec25690527bf0e6f0929dc62bcee
SHA256:	9f0a2164016509cf59fe996f5a8016ee84162aa51d0e9870e589bae6fdd55aac
SHA512:	6fefc51ae9ab69838a5a3b4e0e504a4f8256fedec35197234f20d0de8b77d573148893f081231884e9da89bac464db6e2bb47f3a18b74f9d62c67e0dba5fcb96
SSDEEP:	12288:U6C+kOb60HEqozy/wgUfdC5Lq4VsU1Um65dR9wt1TaCDsEf3Wc:pC2/HtYxfdCtq4sUKTcrThsxc
TLSH:	54B423BCAA3A3FDBDED945B4BE3B07638DAF04D32930026120B54D9D51A67463BD086D
File Content Preview:	x.s.bb``(z.0.F$......x...1..@...U/..<@...!....A...1..Q]ml4..{...~1S....dVRmr...........n.....ZU.......u..xL..2u..N...=L..c)[....................................H.Rx...m...}......b..g.c...PT..J..Vh.........%..~.@..26uZB..:.m.R#..nS........(q^...V....@.V.

Archive DMG

Archived Files

File Path	File Attributes	File Size
AppleApp		345'664 bytes

Extracted Files

AppleApp

File path:	AppleApp
File size:	345'664 bytes
File type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>]

Static Mach Info

General Information for header 1
Endian:	little-endian
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	16
Entry point:	0xE3A8

segment_command_64 aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x14000

fileoff

0x0

filesize

0x14000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100000C78	0x105A4	0xC78	6.3743	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x10001121C	0xEA	0x1121C	3.0995	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x100011308	0x196	0x11308	3.9038	0x2	0x0	0	0x80000400
__const	__TEXT	0x1000114A0	0x13A0	0x114A0	2.7358	0x4	0x0	0	0x0
__cstring	__TEXT	0x100012840	0x15CD	0x12840	5.1218	0x0	0x0	0	0x2
__unwind_info	__TEXT	0x100013E10	0x1F0	0x13E10	4.9279	0x2	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100014000

vmsize

0x4000

fileoff

0x14000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__nl_symbol_ptr	__DATA	0x100014000	0x8	0x14000	-0.0000	0x3	0x0	0	0x6
__got	__DATA	0x100014008	0x18	0x14008	-0.0000	0x3	0x0	0	0x6
__la_symbol_ptr	__DATA	0x100014020	0x138	0x14020	2.5308	0x3	0x0	0	0x7
__const	__DATA	0x100014160	0x1A8	0x14160	2.7358	0x4	0x0	0	0x0
__data	__DATA	0x100014310	0x7F8	0x14310	4.5099	0x4	0x0	0	0x0
__bss	__DATA	0x100014B08	0x8	0x0	0.0000	0x3	0x0	0	0x1
__common	__DATA	0x100014B10	0x280	0x0	0.0000	0x4	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x100018000
vmsize	0x10000
fileoff	0x18000
filesize	0xC510
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	98304
rebase_size	24
bind_off	98328
bind_size	56
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	98384
lazy_bind_size	624
export_off	99008
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	99336
nsyms	1098
stroff	117232
strsize	11640

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1055
iextdefsym	1055
nextdefsym	1
iundefsym	1056
nundefsym	42
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	116904
nindirectsyms	82
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'\xb8O\x8dJ\xbb!3\xa7\xa7%\x98\xc9\xd6X_\x1d'

version_min_command aggregated: 1

Name	Value
version	658688
sdk	852224

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	58280
stacksize	0

dylib_command aggregated: 1

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1319.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

linkedit_data_command aggregated: 3

Name	Value
dataoff	99040
datasize	280

Name	Value
dataoff	99320
datasize	16

Name	Value
dataoff	128880
datasize	19872

Internal Symbols

/Users/cloud/xxx/build/Build/Intermediates.noindex/xxx.build/Release/xxx.build/Objects-normal/x86_64/main.o

/Users/cloud/xxx/xxx/

_GrabFolder

_SearchAndGrabChromium

_Telegram

___assert_rtn

___bzero

___memcpy_chk

___memset_chk

___stack_chk_fail

___stack_chk_guard

__getenv

__memcpy

__memset

__mh_execute_header

__strcat

__strcmp

__strcpy

__strlen

__strncmp

__strpbrk

__strtok

__strtok.next_token

_checkvalid

_close

_closedir

_connect

_environ

_exec

_fclose

_ff_parsedata

_fflush

_fgmode

_fopen

_fread

_free

_freopen

_fseeko

_fsize

_ftello

_fwrite

_getPlugWallets

_getpwd

_inet_addr

_is_directory

_localtime

_main

_malloc

_masterpass

_memcmp

_memcpy

_memset

_miniz_def_alloc_func

_miniz_def_free_func

_miniz_def_realloc_func

_mktime

_mz_adler32

_mz_bitmasks

_mz_compress

_mz_compress2

_mz_compressBound

_mz_crc32

_mz_crc32.s_crc_table

_mz_deflate

_mz_deflateBound

_mz_deflateEnd

_mz_deflateInit

_mz_deflateInit2

_mz_deflateReset

_mz_error

_mz_error.s_error_descs

_mz_file_read_func_stdio

_mz_free

_mz_inflate

_mz_inflateEnd

_mz_inflateInit

_mz_inflateInit2

_mz_inflateReset

_mz_uncompress

_mz_uncompress2

_mz_version

_mz_zip_add_mem_to_archive_file_in_place

_mz_zip_add_mem_to_archive_file_in_place_v2

_mz_zip_array_ensure_capacity

_mz_zip_array_ensure_capacity.cold.1

_mz_zip_clear_last_error

_mz_zip_compute_crc32_callback

_mz_zip_end

_mz_zip_extract_archive_file_to_heap

_mz_zip_extract_archive_file_to_heap_v2

_mz_zip_file_read_func

_mz_zip_file_stat_internal

_mz_zip_file_write_callback

_mz_zip_file_write_func

_mz_zip_get_archive_file_start_offset

_mz_zip_get_archive_size

_mz_zip_get_central_dir_size

_mz_zip_get_cfile

_mz_zip_get_error_string

_mz_zip_get_last_error

_mz_zip_get_mode

_mz_zip_get_type

_mz_zip_heap_write_func

_mz_zip_is_zip64

_mz_zip_mem_read_func

_mz_zip_peek_last_error

_mz_zip_read_archive_data

_mz_zip_reader_end

_mz_zip_reader_end_internal

_mz_zip_reader_extract_file_iter_new

_mz_zip_reader_extract_file_to_callback

_mz_zip_reader_extract_file_to_cfile

_mz_zip_reader_extract_file_to_file

_mz_zip_reader_extract_file_to_heap

_mz_zip_reader_extract_file_to_mem

_mz_zip_reader_extract_file_to_mem_no_alloc

_mz_zip_reader_extract_iter_free

_mz_zip_reader_extract_iter_new

_mz_zip_reader_extract_iter_read

_mz_zip_reader_extract_to_callback

_mz_zip_reader_extract_to_cfile

_mz_zip_reader_extract_to_file

_mz_zip_reader_extract_to_heap

_mz_zip_reader_extract_to_mem

_mz_zip_reader_extract_to_mem_no_alloc

_mz_zip_reader_extract_to_mem_no_alloc1

_mz_zip_reader_file_stat

_mz_zip_reader_get_filename

_mz_zip_reader_get_num_files

_mz_zip_reader_init

_mz_zip_reader_init_cfile

_mz_zip_reader_init_file

_mz_zip_reader_init_file_v2

_mz_zip_reader_init_file_v2_rpb

_mz_zip_reader_init_internal

_mz_zip_reader_init_mem

_mz_zip_reader_is_file_a_directory

_mz_zip_reader_is_file_encrypted

_mz_zip_reader_is_file_supported

_mz_zip_reader_locate_file

_mz_zip_reader_locate_file_v2

_mz_zip_reader_read_central_dir

_mz_zip_set_last_error

_mz_zip_time_t_to_dos_time

_mz_zip_validate_archive

_mz_zip_validate_file

_mz_zip_validate_file_archive

_mz_zip_validate_mem_archive

_mz_zip_writer_add_cfile

_mz_zip_writer_add_file

_mz_zip_writer_add_from_zip_reader

_mz_zip_writer_add_from_zip_reader.cold.1

_mz_zip_writer_add_mem

_mz_zip_writer_add_mem_ex

_mz_zip_writer_add_mem_ex_v2

_mz_zip_writer_add_mem_ex_v2.cold.1

_mz_zip_writer_add_mem_ex_v2.cold.2

_mz_zip_writer_add_put_buf_callback

_mz_zip_writer_add_read_buf_callback

_mz_zip_writer_add_read_buf_callback.cold.1

_mz_zip_writer_add_to_central_dir

_mz_zip_writer_create_local_dir_header

_mz_zip_writer_create_zip64_extra_data

_mz_zip_writer_end

_mz_zip_writer_end_internal

_mz_zip_writer_finalize_archive

_mz_zip_writer_finalize_heap_archive

_mz_zip_writer_init

_mz_zip_writer_init_cfile

_mz_zip_writer_init_file

_mz_zip_writer_init_file_v2

_mz_zip_writer_init_from_reader

_mz_zip_writer_init_from_reader_v2

_mz_zip_writer_init_from_reader_v2_noreopen

_mz_zip_writer_init_heap

_mz_zip_writer_init_heap_v2

_mz_zip_writer_init_v2

_mz_zip_writer_write_zeros

_mz_zip_zero_struct

_names

_open

_opendir$INODE64

_parseFF

_pclose

_pikfolder

_plugin_paths

_popen

_pwd_getted

_read

_readdir$INODE64

_readwrite

_realloc

_remove

_s_tdefl_large_dist_extra

_s_tdefl_large_dist_sym

_s_tdefl_len_extra

_s_tdefl_len_sym

_s_tdefl_packed_code_size_syms_swizzle

_s_tdefl_small_dist_extra

_s_tdefl_small_dist_sym

_send

_send_data_via_http

_snprintf

_socket

_stat$INODE64

_strlen

_tcc

_tdefl_compress

_tdefl_compress.cold.1

_tdefl_compress.cold.2

_tdefl_compress.cold.3

_tdefl_compress.cold.4

_tdefl_compress.cold.5

_tdefl_compress.cold.6

_tdefl_compress.cold.7

_tdefl_compress_block

_tdefl_compress_block.cold.1

_tdefl_compress_block.cold.10

_tdefl_compress_block.cold.11

_tdefl_compress_block.cold.12

_tdefl_compress_block.cold.13

_tdefl_compress_block.cold.14

_tdefl_compress_block.cold.2

_tdefl_compress_block.cold.3

_tdefl_compress_block.cold.4

_tdefl_compress_block.cold.5

_tdefl_compress_block.cold.6

_tdefl_compress_block.cold.7

_tdefl_compress_block.cold.8

_tdefl_compress_block.cold.9

_tdefl_compress_buffer

_tdefl_compress_buffer.cold.1

_tdefl_compress_mem_to_heap

_tdefl_compress_mem_to_mem

_tdefl_compress_mem_to_output

_tdefl_compressor_alloc

_tdefl_compressor_free

_tdefl_create_comp_flags_from_zip_params

_tdefl_flush_block

_tdefl_flush_block.cold.1

_tdefl_flush_block.cold.2

_tdefl_flush_output_buffer

_tdefl_get_adler32

_tdefl_get_prev_return_status

_tdefl_init

_tdefl_optimize_huffman_table

_tdefl_output_buffer_putter

_tdefl_write_image_to_png_file_in_memory

_tdefl_write_image_to_png_file_in_memory_ex

_tdefl_write_image_to_png_file_in_memory_ex.chans

_tdefl_write_image_to_png_file_in_memory_ex.s_tdefl_png_num_probes

_time

_tinfl_decompress

_tinfl_decompress.cold.1

_tinfl_decompress.s_dist_base

_tinfl_decompress.s_dist_extra

_tinfl_decompress.s_length_base

_tinfl_decompress.s_length_extra

_tinfl_decompress.s_min_table_sizes

_tinfl_decompress_mem_to_callback

_tinfl_decompress_mem_to_heap

_tinfl_decompress_mem_to_mem

_tinfl_decompressor_alloc

_tinfl_decompressor_free

_userinfo

_utime

_writeall

_writetext

_zip

dyld_stub_binder

main.c

External Symbols

___assert_rtn

___bzero

___memcpy_chk

___memset_chk

___stack_chk_fail

_close

_closedir

_connect

_fclose

_fflush

_fopen

_fread

_free

_freopen

_fseeko

_ftello

_fwrite

_inet_addr

_localtime

_malloc

_memcmp

_memcpy

_memset

_mktime

_open

_opendir$INODE64

_pclose

_popen

_read

_readdir$INODE64

_realloc

_remove

_send

_snprintf

_socket

_stat$INODE64

_strlen

_time

_utime

General Information for header 2
Endian:	little-endian
Size:	64-bit
Architecture:	arm64
Filetype:	execute
Nbr. of load commands:	17
Entry point:	0xDF68

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x14000

fileoff

0x0

filesize

0x14000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x10000194C	0xF7E4	0x194C	6.6464	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x100011130	0x1D4	0x11130	3.7094	0x2	0x0	0	0x80000408
__stub_helper	__TEXT	0x100011304	0x1EC	0x11304	3.7714	0x2	0x0	0	0x80000400
__const	__TEXT	0x1000114F0	0x13B0	0x114F0	2.7603	0x4	0x0	0	0x0
__cstring	__TEXT	0x1000128A0	0x152F	0x128A0	5.0927	0x0	0x0	0	0x2
__unwind_info	__TEXT	0x100013DD0	0x22C	0x13DD0	4.8648	0x2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100014000

vmsize

0x4000

fileoff

0x14000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100014000	0x20	0x14000	-0.0000	0x3	0x0	0	0x6
__const	__DATA_CONST	0x100014020	0x1A8	0x14020	2.7603	0x3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100018000

vmsize

0x4000

fileoff

0x18000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x100018000	0x138	0x18000	2.5076	0x3	0x0	0	0x7
__data	__DATA	0x100018138	0x7E0	0x18138	4.5435	0x3	0x0	0	0x0
__bss	__DATA	0x100018918	0x8	0x0	0.0000	0x3	0x0	0	0x1
__common	__DATA	0x100018920	0x274	0x0	0.0000	0x3	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x10001C000
vmsize	0x10000
fileoff	0x1C000
filesize	0xC640
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	114688
rebase_size	24
bind_off	114712
bind_size	80
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	114792
lazy_bind_size	600
export_off	115392
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	115712
nsyms	1105
stroff	133720
strsize	11712

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1061
iextdefsym	1061
nextdefsym	1
iundefsym	1062
nundefsym	43
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	133392
nindirectsyms	82
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'O\x97\x12\xf1 \xc7?8\xba\xa4D\xd5"\xf1\xc9\xa4'

build_version_command aggregated: 1

Name

Value

platform

minos

720896

sdk

852224

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	57192
stacksize	0

dylib_command aggregated: 1

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1319.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

linkedit_data_command aggregated: 3

Name	Value
dataoff	115424
datasize	288

Name	Value
dataoff	115712
datasize	0

Name	Value
dataoff	145440
datasize	20000

Internal Symbols

/Users/cloud/xxx/build/Build/Intermediates.noindex/xxx.build/Release/xxx.build/Objects-normal/arm64/main.o

/Users/cloud/xxx/xxx/

_GrabFolder

_OUTLINED_FUNCTION_0

_SearchAndGrabChromium

_Telegram

___assert_rtn

___chkstk_darwin

___memcpy_chk

___memset_chk

___stack_chk_fail

___stack_chk_guard

__dyld_private

__getenv

__memcpy

__memset

__mh_execute_header

__strcat

__strcmp

__strcpy

__strlen

__strncmp

__strpbrk

__strtok

__strtok.next_token

_bzero

_checkvalid

_close

_closedir

_connect

_environ

_exec

_fclose

_ff_parsedata

_fflush

_fgmode

_fopen

_fread

_free

_freopen

_fseeko

_fsize

_ftello

_fwrite

_getPlugWallets

_getpwd

_inet_addr

_is_directory

_localtime

_main

_malloc

_masterpass

_memcmp

_memcpy

_memset

_miniz_def_alloc_func

_miniz_def_free_func

_miniz_def_realloc_func

_mktime

_mz_adler32

_mz_bitmasks

_mz_compress

_mz_compress2

_mz_compressBound

_mz_crc32

_mz_crc32.s_crc_table

_mz_deflate

_mz_deflateBound

_mz_deflateEnd

_mz_deflateInit

_mz_deflateInit2

_mz_deflateReset

_mz_error

_mz_error.s_error_descs

_mz_file_read_func_stdio

_mz_free

_mz_inflate

_mz_inflateEnd

_mz_inflateInit

_mz_inflateInit2

_mz_inflateReset

_mz_uncompress

_mz_uncompress2

_mz_version

_mz_zip_add_mem_to_archive_file_in_place

_mz_zip_add_mem_to_archive_file_in_place_v2

_mz_zip_array_ensure_capacity

_mz_zip_array_ensure_capacity.cold.1

_mz_zip_clear_last_error

_mz_zip_compute_crc32_callback

_mz_zip_end

_mz_zip_extract_archive_file_to_heap

_mz_zip_extract_archive_file_to_heap_v2

_mz_zip_file_read_func

_mz_zip_file_stat_internal

_mz_zip_file_write_callback

_mz_zip_file_write_func

_mz_zip_get_archive_file_start_offset

_mz_zip_get_archive_size

_mz_zip_get_central_dir_size

_mz_zip_get_cfile

_mz_zip_get_error_string

_mz_zip_get_last_error

_mz_zip_get_mode

_mz_zip_get_type

_mz_zip_heap_write_func

_mz_zip_is_zip64

_mz_zip_mem_read_func

_mz_zip_peek_last_error

_mz_zip_read_archive_data

_mz_zip_reader_end

_mz_zip_reader_end_internal

_mz_zip_reader_extract_file_iter_new

_mz_zip_reader_extract_file_to_callback

_mz_zip_reader_extract_file_to_cfile

_mz_zip_reader_extract_file_to_file

_mz_zip_reader_extract_file_to_heap

_mz_zip_reader_extract_file_to_mem

_mz_zip_reader_extract_file_to_mem_no_alloc

_mz_zip_reader_extract_iter_free

_mz_zip_reader_extract_iter_new

_mz_zip_reader_extract_iter_read

_mz_zip_reader_extract_to_callback

_mz_zip_reader_extract_to_cfile

_mz_zip_reader_extract_to_file

_mz_zip_reader_extract_to_heap

_mz_zip_reader_extract_to_mem

_mz_zip_reader_extract_to_mem_no_alloc

_mz_zip_reader_extract_to_mem_no_alloc1

_mz_zip_reader_file_stat

_mz_zip_reader_get_filename

_mz_zip_reader_get_num_files

_mz_zip_reader_init

_mz_zip_reader_init_cfile

_mz_zip_reader_init_file

_mz_zip_reader_init_file_v2

_mz_zip_reader_init_file_v2_rpb

_mz_zip_reader_init_internal

_mz_zip_reader_init_mem

_mz_zip_reader_is_file_a_directory

_mz_zip_reader_is_file_encrypted

_mz_zip_reader_is_file_supported

_mz_zip_reader_locate_file

_mz_zip_reader_locate_file_v2

_mz_zip_reader_read_central_dir

_mz_zip_set_last_error

_mz_zip_time_t_to_dos_time

_mz_zip_validate_archive

_mz_zip_validate_file

_mz_zip_validate_file_archive

_mz_zip_validate_mem_archive

_mz_zip_writer_add_cfile

_mz_zip_writer_add_file

_mz_zip_writer_add_from_zip_reader

_mz_zip_writer_add_from_zip_reader.cold.1

_mz_zip_writer_add_mem

_mz_zip_writer_add_mem_ex

_mz_zip_writer_add_mem_ex_v2

_mz_zip_writer_add_mem_ex_v2.cold.1

_mz_zip_writer_add_mem_ex_v2.cold.2

_mz_zip_writer_add_put_buf_callback

_mz_zip_writer_add_read_buf_callback

_mz_zip_writer_add_read_buf_callback.cold.1

_mz_zip_writer_add_to_central_dir

_mz_zip_writer_create_local_dir_header

_mz_zip_writer_create_zip64_extra_data

_mz_zip_writer_end

_mz_zip_writer_end_internal

_mz_zip_writer_finalize_archive

_mz_zip_writer_finalize_heap_archive

_mz_zip_writer_init

_mz_zip_writer_init_cfile

_mz_zip_writer_init_file

_mz_zip_writer_init_file_v2

_mz_zip_writer_init_from_reader

_mz_zip_writer_init_from_reader_v2

_mz_zip_writer_init_from_reader_v2_noreopen

_mz_zip_writer_init_heap

_mz_zip_writer_init_heap_v2

_mz_zip_writer_init_v2

_mz_zip_writer_write_zeros

_mz_zip_zero_struct

_names

_open

_opendir

_parseFF

_pclose

_pikfolder

_plugin_paths

_popen

_pwd_getted

_read

_readdir

_readwrite

_realloc

_remove

_s_tdefl_large_dist_extra

_s_tdefl_large_dist_sym

_s_tdefl_len_extra

_s_tdefl_len_sym

_s_tdefl_packed_code_size_syms_swizzle

_s_tdefl_small_dist_extra

_s_tdefl_small_dist_sym

_send

_send_data_via_http

_snprintf

_socket

_stat

_strlen

_tcc

_tdefl_compress

_tdefl_compress.cold.1

_tdefl_compress.cold.2

_tdefl_compress.cold.3

_tdefl_compress.cold.4

_tdefl_compress.cold.5

_tdefl_compress_block

_tdefl_compress_block.cold.1

_tdefl_compress_block.cold.10

_tdefl_compress_block.cold.11

_tdefl_compress_block.cold.12

_tdefl_compress_block.cold.13

_tdefl_compress_block.cold.14

_tdefl_compress_block.cold.15

_tdefl_compress_block.cold.16

_tdefl_compress_block.cold.2

_tdefl_compress_block.cold.3

_tdefl_compress_block.cold.4

_tdefl_compress_block.cold.5

_tdefl_compress_block.cold.6

_tdefl_compress_block.cold.7

_tdefl_compress_block.cold.8

_tdefl_compress_block.cold.9

_tdefl_compress_buffer

_tdefl_compress_buffer.cold.1

_tdefl_compress_mem_to_heap

_tdefl_compress_mem_to_mem

_tdefl_compress_mem_to_output

_tdefl_compressor_alloc

_tdefl_compressor_free

_tdefl_create_comp_flags_from_zip_params

_tdefl_flush_block

_tdefl_flush_block.cold.1

_tdefl_flush_block.cold.2

_tdefl_flush_output_buffer

_tdefl_get_adler32

_tdefl_get_prev_return_status

_tdefl_init

_tdefl_optimize_huffman_table

_tdefl_output_buffer_putter

_tdefl_write_image_to_png_file_in_memory

_tdefl_write_image_to_png_file_in_memory_ex

_tdefl_write_image_to_png_file_in_memory_ex.chans

_tdefl_write_image_to_png_file_in_memory_ex.s_tdefl_png_num_probes

_time

_tinfl_decompress

_tinfl_decompress.cold.1

_tinfl_decompress.s_dist_base

_tinfl_decompress.s_dist_extra

_tinfl_decompress.s_length_base

_tinfl_decompress.s_length_extra

_tinfl_decompress.s_min_table_sizes

_tinfl_decompress_mem_to_callback

_tinfl_decompress_mem_to_heap

_tinfl_decompress_mem_to_mem

_tinfl_decompressor_alloc

_tinfl_decompressor_free

_userinfo

_utime

_writeall

_writetext

_zip

dyld_stub_binder

main.c

External Symbols

___assert_rtn

___memcpy_chk

___memset_chk

___stack_chk_fail

_bzero

_close

_closedir

_connect

_fclose

_fflush

_fopen

_fread

_free

_freopen

_fseeko

_ftello

_fwrite

_inet_addr

_localtime

_malloc

_memcmp

_memcpy

_memset

_mktime

_open

_opendir

_pclose

_popen

_read

_readdir

_realloc

_remove

_send

_snprintf

_socket

_stat

_strlen

_time

_utime

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2023 18:51:15.128129959 CET	49376	80	192.168.11.11	23.54.68.207
Nov 9, 2023 18:51:15.226351023 CET	80	49376	23.54.68.207	192.168.11.11
Nov 9, 2023 18:51:15.227341890 CET	49376	80	192.168.11.11	23.54.68.207

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2023 18:51:12.512646914 CET	53	52126	1.1.1.1	192.168.11.11

System Behavior

Analysis Process: mono-sgen32 PID: 910, Parent PID: 825

General

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/usr/bin/open
Arguments:
File size:	105952 bytes
MD5 hash:	40ed6d8f35c9f20484b97582d296398f

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Arguments:	-
File size:	1146752 bytes
MD5 hash:	a2b0287283ddfff78d8324fd5485ccde

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/usr/bin/login
Arguments:	login -pf berri
File size:	76288 bytes
MD5 hash:	6ddb73606071fa8d7f63886d38971353

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/usr/bin/login
Arguments:	-
File size:	76288 bytes
MD5 hash:	6ddb73606071fa8d7f63886d38971353

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/bin/bash
Arguments:	-bash
File size:	618448 bytes
MD5 hash:	a17c5d0e7f7f4f69c6218066c2a3e1b6

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/bin/bash
Arguments:	-
File size:	618448 bytes
MD5 hash:	a17c5d0e7f7f4f69c6218066c2a3e1b6

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/bin/bash
Arguments:	-
File size:	618448 bytes
MD5 hash:	a17c5d0e7f7f4f69c6218066c2a3e1b6

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/usr/libexec/path_helper
Arguments:	/usr/libexec/path_helper -s
File size:	18976 bytes
MD5 hash:	acce8bf4d8df1d53bc6e22f1a723b11a

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/bin/bash
Arguments:	-
File size:	618448 bytes
MD5 hash:	a17c5d0e7f7f4f69c6218066c2a3e1b6

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/bin/mkdir
Arguments:	mkdir -m 700 -p /Users/berri/.bash_sessions
File size:	18592 bytes
MD5 hash:	135a3b94b3d9efccb4c8cd23ac404571

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/bin/bash
Arguments:	-
File size:	618448 bytes
MD5 hash:	a17c5d0e7f7f4f69c6218066c2a3e1b6

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/bin/bash
Arguments:	-
File size:	618448 bytes
MD5 hash:	a17c5d0e7f7f4f69c6218066c2a3e1b6

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/usr/bin/touch
Arguments:	/usr/bin/touch /Users/berri/.bash_sessions/D6FAA9EC-ED54-4B54-857A-E4141CC43C12.historynew
File size:	23376 bytes
MD5 hash:	4aacabad02929f18b00a9b6ef85e0605

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/bin/bash
Arguments:	-
File size:	618448 bytes
MD5 hash:	a17c5d0e7f7f4f69c6218066c2a3e1b6

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/Volumes/AppleApp/AppleApp
Arguments:	/Volumes/AppleApp/AppleApp
File size:	499128 bytes
MD5 hash:	38b5c3c2cdad34da7cb069e836bfbf96

Start time (UTC):	17:50:57
Start date (UTC):	09/11/2023
Path:	/bin/sh
Arguments:	-
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Start time (UTC):	17:50:58
Start date (UTC):	09/11/2023
Path:	/usr/bin/dscl
Arguments:	dscl . authonly berri
File size:	202560 bytes
MD5 hash:	2072d2ac07a471913b06fed4b4bd55cf

Start time (UTC):	17:50:58
Start date (UTC):	09/11/2023
Path:	/bin/sh
Arguments:	-
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Start time (UTC):	17:50:58
Start date (UTC):	09/11/2023
Path:	/usr/bin/osascript
Arguments:	osascript -e display dialog 'Required System Upgrade. Please enter passphrase for berri.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper'
File size:	43136 bytes
MD5 hash:	86c0eb9ab6768a4a8e723dcda40bc65a

Source: extracted file from submission: AppleApp	Mach-O symbol: _mz_zip_reader_is_file_encrypted
Source: extracted file from submission: AppleApp	Mach-O symbol: _mz_zip_reader_is_file_encrypted
Source: extracted file from submission: AppleApp	Mach-O symbol: _mz_zip_reader_is_file_encrypted
Source: extracted file from submission: AppleApp	Mach-O symbol: _mz_zip_reader_is_file_encrypted

Source: extracted file from submission: AppleApp	Mach-O symbol: _connect
Source: extracted file from submission: AppleApp	Mach-O symbol: _send
Source: extracted file from submission: AppleApp	Mach-O symbol: _send_data_via_http
Source: extracted file from submission: AppleApp	Mach-O symbol: _send_data_via_http
Source: extracted file from submission: AppleApp	Mach-O symbol: _socket
Source: extracted file from submission: AppleApp	Mach-O symbol: _inet_addr
Source: extracted file from submission: AppleApp	Mach-O symbol: _connect
Source: extracted file from submission: AppleApp	Mach-O symbol: _send
Source: extracted file from submission: AppleApp	Mach-O symbol: _send_data_via_http
Source: extracted file from submission: AppleApp	Mach-O symbol: _send_data_via_http
Source: extracted file from submission: AppleApp	Mach-O symbol: _socket
Source: extracted file from submission: AppleApp	Mach-O symbol: _inet_addr

Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.68.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.68.207

Source: AppleApp, 00000918.00000290.1.0000000106ae1000.0000000106afc000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: AppleApp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: AppleApp, 00000918.00000290.1.0000000106ae1000.0000000106afc000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: AppleApp, 00000918.00000290.1.0000000106ae1000.0000000106afc000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: AppleApp, 00000918.00000290.1.0000000106ae1000.0000000106afc000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: extracted file from submission: AppleApp	Mach-O symbol: /Users/cloud/xxx/xxx/
Source: extracted file from submission: AppleApp	Mach-O symbol: /Users/cloud/xxx/build/Build/Intermediates.noindex/xxx.build/Release/xxx.build/Objects-normal/x86_64/main.o
Source: extracted file from submission: AppleApp	Mach-O symbol: /Users/cloud/xxx/xxx/
Source: extracted file from submission: AppleApp	Mach-O symbol: /Users/cloud/xxx/build/Build/Intermediates.noindex/xxx.build/Release/xxx.build/Objects-normal/arm64/main.o

Source: /usr/bin/osascript (PID: 921)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 921)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist			Jump to behavior

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Tactics:	Execution
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report y8g2Ga0Gas.dmg

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/ttys000

/private/var/run/utmpx

Static File Info

General

Archive DMG

Archived Files

Extracted Files

AppleApp

Static Mach Info

General Information for header 1

Internal Symbols

External Symbols

General Information for header 2

Internal Symbols

External Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

System Behavior

Analysis Process: mono-sgen32 PID: 910, Parent PID: 825

General

Chronological Activities

Analysis Process: open PID: 910, Parent PID: 825

General

Chronological Activities

Analysis Process: Terminal PID: 911, Parent PID: 274

General

Chronological Activities

Analysis Process: login PID: 911, Parent PID: 274

General

Chronological Activities

Analysis Process: login PID: 912, Parent PID: 911

macOS Analysis Report
y8g2Ga0Gas.dmg