macOS Analysis Report
R2n8x3VrH8.dmg

ID:	1431950
Product:	CloudBasic
Start time:	03:59:32
Start date:	26.04.2024
Sample:	R2n8x3VrH8
Cookbook:	defaultmacfilecookbook.jbs
System description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Architecture:	MAC
MD5:	50ea75b971ec961867377b45b29bf356
SHA1:	d68faef1b80f376cdf1524e14f8baa49f0074b9d
SHA256:	558c66e7283fed4e16cfbd7889f3d5500e89f637cc48968bed0450852083dbf1
Filetype:	Disk Image (Macintosh), GPT (HFS) (47000/0) 49.21%

Name	Type	MD5	SHA1	SHA256
/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.history	ASCII text	3CF1D83B4D3FB88C6FBFF03AF9B073E5	537E5D6281B9F46447D0144B993508C17718B4A5	E8CA75DCF6851C873A9AFE480B80459702AD6B5D0C5226D307C358E913C0E0B7
/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew	ASCII text	3CF1D83B4D3FB88C6FBFF03AF9B073E5	537E5D6281B9F46447D0144B993508C17718B4A5	E8CA75DCF6851C873A9AFE480B80459702AD6B5D0C5226D307C358E913C0E0B7
/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.session	ASCII text	9438A480B4F54968EEA9381026C61C51	6744568DB0F3C288A3D5D2DCC4AC702F696723D5	C6AC7551B00AEBE975775A371E401A2289F7270D88674CCA1EA1AF2E68645A89
/Users/bernard/.bash_sessions/shlock657	ASCII text	10E705DB6A746B814E49B5ED13EB0CDD	E5A54B4C8E808F104E56A3D8E02269CB497F4CCC	368EDA846164B56222286D7FA32728CC65AC749D44113F354480E033BE6CA9FF
/dev/ttys000	ASCII text	3E0868EAFD1323B0CE1CD226BA287923	EDC321C4056F0A0E3BD73C0E6A4677FED187E2FC	34B887C405F07ED4B27F9F9348B490C75B81C854BF67915CC4DFC2D998CB1972
/private/tmp/binary	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable] [arm64]	334EA98682699CE32FA14B293E67F502	0821046B23C25C0CFDC2368D49018AEC57300716	FDAAA25CC6BE47BC893F773FCD7C0D8AD6C3618BF931F4B728EB5A1D920527F5
/private/tmp/xuyna/username	ASCII text, with no line terminators	78D6810E1299959F3A8DB157045AA926	0B8E0B1F37895567811A9D382317C26804F86E3A	DC814A25C3AE905AD4BA942072B101599F8E7C3617C79E3B10E9C20CA8952339
/private/var/run/utmpx	data	2A03D50FBDC5C2B757B6EA9287369DBE	4527363E7D46DF6EAE7E8435CAA54806C2453CB0	6A1726D42F1B6DCB5BF5B1D19C632891760363EC8AD9F28281BA0AC4EF0CF547

Cryptography

Source: dropped file: binary.297.dr	Mach-O symbol: _main.EncryptDecrypt
Source: dropped file: binary.297.dr	Mach-O symbol: _context.cancelCtxKey
Source: dropped file: binary.297.dr	Mach-O symbol: _main.EncryptDecrypt
Source: dropped file: binary.297.dr	Mach-O symbol: _context.cancelCtxKey

Compliance

Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49398 version: TLS 1.2

Networking

Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.(*mspan).reportZombies
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*IPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*Resolver).LookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*Resolver).lookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*TCPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*UDPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _main.send_data_via_http
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*UnixAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*dnsConfig).serverOffset
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.sigsend
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func3
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func2
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.(*FD).SetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.(*FD).SetsockoptInt.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.SendFile
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.SendFile.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.runtime_pollServerInit
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.serverInit
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.socket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.setsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.minRoutingSockaddrLen
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_socket_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_setsockopt_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_sendfile_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_getsockopt_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_getsockname_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_connect_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansendpc
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend1
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/abi.Name.IsExported
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrDatalink,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrInet4,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrInet6,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrUnix,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _getsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.unixSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sysSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.socketFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.getsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnixpacket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _net.socket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnix
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnixgram
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUDP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToIP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToTCP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultMulticastSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultListenerSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sendFile.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.selfConnect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sendFile
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.connect
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.anyToSockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.parsePort
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.SocketDisableIPv6
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Socket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.SetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.GetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Connect
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrUnix).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrInet6).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrInet4).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrDatalink).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _sync/atomic.(*Pointer[go.shape.struct { net.servers []string; net.search []string; net.ndots int; net.timeout time.Duration; net.attempts int; net.rotate bool; net.unknownOpt bool; net.lookup []string; net.err error; net.mtime time.Time; net.soffset uint32; net.singleRequest bool; net.useTCP bool; net.trustAD bool; net.noReload bool }]).Store
Source: dropped file: binary.297.dr	Mach-O symbol: _sync/atomic.(*Pointer[go.shape.struct { net.servers []string; net.search []string; net.ndots int; net.timeout time.Duration; net.attempts int; net.rotate bool; net.unknownOpt bool; net.lookup []string; net.err error; net.mtime time.Time; net.soffset uint32; net.singleRequest bool; net.useTCP bool; net.trustAD bool; net.noReload bool }]).Load
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errServerTemporarilyMisbehaving
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errNoAnswerFromDNSServer
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errServerMisbehaving
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.syscall.SockaddrUnix
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.syscall.SockaddrInet4
Source: dropped file: binary.297.dr	Mach-O symbol: _net.getsockoptIntFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.sendDirect
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.send
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.selectnbsend
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ErrWriteToConnected
Source: dropped file: binary.297.dr	Mach-O symbol: _net.JoinHostPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.SplitHostPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.SplitHostPort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.absDomainName
Source: dropped file: binary.297.dr	Mach-O symbol: _net._C_ai_socktype
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupPort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupServicePort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupServicePort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.connectFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _time.sendTime
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.IPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.UnixAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.TCPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.UDPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.goLookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.internetSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddrInet4
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddrInet6
Source: dropped file: binary.297.dr	Mach-O symbol: _net.isDomainName
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _socket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.lookupPortMap
Source: dropped file: binary.297.dr	Mach-O symbol: _setsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.isExportedRuntime
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.(*mspan).reportZombies
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*IPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*Resolver).LookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*Resolver).lookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*TCPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _main.send_data_via_http
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func2
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func3
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.sigsend
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*UDPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*UnixAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.send
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.sendDirect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*dnsConfig).serverOffset
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.(*FD).SetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.(*FD).SetsockoptInt.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.SendFile
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.SendFile.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.serverInit
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.runtime_pollServerInit
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansendpc
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend1
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_sendfile_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_getsockopt_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_getsockname_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_connect_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.getsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.connect
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.anyToSockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.SocketDisableIPv6
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Socket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.SetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/abi.Name.IsExported
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.UnixAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrDatalink,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrInet4,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrInet6,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrUnix,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.unixSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sysSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.socket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.socketFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnixgram
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnixpacket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUDP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnix
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToTCP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToIP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultListenerSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultMulticastSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.GetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sendFile
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sendFile.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _net.selfConnect
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.parsePort
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrUnix).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrInet6).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrInet4).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrDatalink).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _sync/atomic.(*Pointer[go.shape.struct { net.servers []string; net.search []string; net.ndots int; net.timeout time.Duration; net.attempts int; net.rotate bool; net.unknownOpt bool; net.lookup []string; net.err error; net.mtime time.Time; net.soffset uint32; net.singleRequest bool; net.useTCP bool; net.trustAD bool; net.noReload bool }]).Store
Source: dropped file: binary.297.dr	Mach-O symbol: _sync/atomic.(*Pointer[go.shape.struct { net.servers []string; net.search []string; net.ndots int; net.timeout time.Duration; net.attempts int; net.rotate bool; net.unknownOpt bool; net.lookup []string; net.err error; net.mtime time.Time; net.soffset uint32; net.singleRequest bool; net.useTCP bool; net.trustAD bool; net.noReload bool }]).Load
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.syscall.SockaddrUnix
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.syscall.SockaddrInet4
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errNoAnswerFromDNSServer
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errServerMisbehaving
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errServerTemporarilyMisbehaving
Source: dropped file: binary.297.dr	Mach-O symbol: _time.sendTime
Source: dropped file: binary.297.dr	Mach-O symbol: _net.connectFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.selectnbsend
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ErrWriteToConnected
Source: dropped file: binary.297.dr	Mach-O symbol: _net.JoinHostPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.SplitHostPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.SplitHostPort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.absDomainName
Source: dropped file: binary.297.dr	Mach-O symbol: _net._C_ai_socktype
Source: dropped file: binary.297.dr	Mach-O symbol: _socket
Source: dropped file: binary.297.dr	Mach-O symbol: _setsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupPort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupServicePort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupServicePort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.isExportedRuntime
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.socket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.setsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.minRoutingSockaddrLen
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_socket_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_setsockopt_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.IPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.UDPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.TCPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.getsockoptIntFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _net.goLookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _getsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _net.internetSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddrInet6
Source: dropped file: binary.297.dr	Mach-O symbol: _net.isDomainName
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddrInet4
Source: dropped file: binary.297.dr	Mach-O symbol: _net.lookupPortMap

Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.69
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.69
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.69
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.69
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.67
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.67
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.67
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.203
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: updates.cdn-apple.com

Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp, R2n8x3VrH8.dmg	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 49327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49368
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49397 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49397
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49395
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49371
Source: unknown	Network traffic detected: HTTP traffic on port 49395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49381
Source: unknown	Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49327
Source: unknown	Network traffic detected: HTTP traffic on port 49381 -> 443

Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49398 version: TLS 1.2

System Summary

Source: classification engine

Classification label: sus29.spyw.macDMG@0/11@2/0

Persistence and Installation Behavior

Source: /bin/sh (PID: 664)

Chmod directory: /bin/chmod -> chmod +x /tmp/binary

Jump to behavior

Source: /bin/sh (PID: 646)	Osascript command executed: osascript -e tell application 'Terminal' to close first window			Jump to behavior
Source: /private/tmp/binary (PID: 667)	Osascript command executed: osascript -e display dialog 'Required Application Helper. Please enter password:' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answer			Jump to behavior

Source: /Volumes/Notion/Notion (PID: 642)	Shell command executed: sh -c osascript -e 'tell application 'Terminal' to close first window' & exit			Jump to behavior
Source: /Volumes/Notion/Notion (PID: 642)	Shell command executed: sh -c chmod +x /tmp/binary			Jump to behavior
Source: /Volumes/Notion/Notion (PID: 642)	Shell command executed: sh -c /tmp/binary			Jump to behavior

Source: /bin/sh (PID: 664)

Chmod executable: /bin/chmod -> chmod +x /tmp/binary

Jump to behavior

Source: /bin/bash (PID: 663)

Rm executable: /bin/rm -> /bin/rm /Users/bernard/.bash_sessions/_expiration_lockfile

Jump to behavior

Source: /bin/bash (PID: 662)

Touch executable: /usr/bin/touch -> /usr/bin/touch /Users/bernard/.bash_sessions/_expiration_check_timestamp

Jump to behavior

Source: /usr/bin/osascript (PID: 646)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 646)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist			Jump to behavior

Source: /usr/bin/osascript (PID: 646)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 646)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist			Jump to behavior

Source: /Volumes/Notion/Notion (PID: 642)

File written: /private/tmp/binary

Jump to dropped file

Source: /Volumes/Notion/Notion (PID: 642)

FAT Mach-O written to tmp path: /private/tmp/binary

Jump to dropped file

Source: /usr/bin/osascript (PID: 646)	Random device file read: /dev/random			Jump to behavior
Source: /tmp/binary (PID: 665)	Random device file read: /dev/urandom			Jump to behavior
Source: /tmp/binary (PID: 665)	Random device file read: /dev/urandom			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Random device file read: /dev/random			Jump to behavior
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 688)	Random device file read: /dev/random			Jump to behavior

Source: /usr/bin/osascript (PID: 646)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/osascript (PID: 646)	Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc			Jump to behavior

Malware Analysis System Evasion

Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.fpTracebackPCs
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.ptrace1
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.ptrace
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_ptrace_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _ptrace
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.runtime.pTraceState
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_ptrace_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.runtime.pTraceState
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.fpTracebackPCs
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.ptrace1
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.ptrace
Source: dropped file: binary.297.dr	Mach-O symbol: _ptrace

HIPS / PFW / Operating System Protection Evasion

Source: /usr/bin/osascript (PID: 667)

Sysctl read request: kern.safeboot (1.66)

Jump to behavior

Language, Device and Operating System Detection

Source: /tmp/binary (PID: 665)	Sysctl read request: hw.ncpu (6.3)			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Sysctl read request: hw.availcpu (6.25)			Jump to behavior

Source: /usr/bin/osascript (PID: 667)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /bin/bash (PID: 635)	Sysctl requested: kern.hostname (1.10)			Jump to behavior
Source: /bin/sh (PID: 643)	Sysctl requested: kern.hostname (1.10)			Jump to behavior
Source: /bin/sh (PID: 664)	Sysctl requested: kern.hostname (1.10)			Jump to behavior
Source: /bin/sh (PID: 665)	Sysctl requested: kern.hostname (1.10)			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Sysctl requested: kern.hostname (1.10)			Jump to behavior

Source: /usr/bin/open (PID: 632)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 646)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Stealing of Sensitive Information

Source: /private/tmp/binary (PID: 666)

Security executable: /usr/bin/dscl dscl . authonly bernard

Jump to behavior