Edit tour

macOS Analysis Report
ZNznZtSA34

Overview

General Information

Sample Name:	ZNznZtSA34
Analysis ID:	165917
MD5:	51731fd8bd72d6cc4c8a58810d1a627f
SHA1:	f44215738d5d0032b890bd596a597c19ef1a672c
SHA256:	55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f
Infos:

Detection

Nukesped

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Nukesped

Terminates the command-line application Terminal (probably to hinder manual analysis)

Deletes the saved state of the command-line application Terminal (probably to avoid forensic reconstruction of shell activity)

Opens PDF files, sometimes used to disguise malicious intentions

Writes Mach-O files to untypical directories

Opens applications from non-standard application directories

Terminates several processes with shell command 'killall'

Contains symbols with suspicious names likely related to networking

Reads the systems hostname

Opens applications that might be created ones

Writes PDF files to disk

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Queries OS software version with shell command 'sw_vers'

Contains symbols with suspicious names likely related to well-known browsers

Sample tries to kill a process (SIGKILL)

Sample is a FAT Mach-O sample containing binaries for multiple architectures

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Writes RTF files to disk

Reads hardware related sysctl values

Creates user-wide 'launchd' managed services aka launch agents

Reads the saved state of applications

Creates code signed application bundles

Mach-O contains sections with high entropy indicating compressed/encrypted content

Executes commands using a shell command-line interpreter

Reads the systems OS release and/or type

Creates application bundles

Contains symbols with paths

Executes the "rm" command used to delete files or directories

Executes the "pgrep" command search for and/or send signals to processes

Writes FAT Mach-O files to disk

Classification

Analysis Advice

All domains contacted by the sample do not resolve. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:
Analysis ID:	165917
Start date and time: 04/05/202212:10:41	2022-05-04 12:10:41 +02:00
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ZNznZtSA34
Cookbook file name:	macOS - Big Sur - load provided binary as normal user.jbs
Analysis system description:	Mac Mini, Big Sur (Office 2019 16.55, Java 1.8.0_311)
Analysis Mode:	default
Detection:	MAL
Classification:	mal80.troj.evad.mac@0/15@1/0

Warnings

Excluded domains from analysis (whitelisted): b._dns-sd._udp.0.0.168.192.in-addr.arpa, db._dns-sd._udp.0.0.168.192.in-addr.arpa

Runtime Messages

Command:	sudo -u drew /Users/drew/Desktop/ZNznZtSA34
PID:	1110
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is mac-bigsur

mono-sgen64 New Fork (PID: 1110, Parent: 1068)

sudo (MD5: f21c2a2dc106642f7c38801e121c8c86) Arguments: /usr/bin/sudo -u drew /Users/drew/Desktop/ZNznZtSA34

sudo New Fork (PID: 1111, Parent: 1110)

ZNznZtSA34 (MD5: 51731fd8bd72d6cc4c8a58810d1a627f) Arguments: /Users/drew/Desktop/ZNznZtSA34

ZNznZtSA34 New Fork (PID: 1112, Parent: 1111)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (open '/Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1

bash New Fork (PID: 1113, Parent: 1112)

bash New Fork (PID: 1114, Parent: 1113)

open (MD5: 81d0c6fefba2004d451915c6fa861914) Arguments: open /Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf

bash New Fork (PID: 1117, Parent: 1113)

rm (MD5: 6cd9e187f33d60ce3cb05b12435f0673) Arguments: rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState

ZNznZtSA34 New Fork (PID: 1118, Parent: 1111)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1

bash New Fork (PID: 1119, Parent: 1118)

tar (MD5: dbeb13c3b2ade21995470fde7650314a) Arguments: tar zxvf /Users/drew/Library/Fonts/safarifontsagent_ -C /Users/drew/Library/Fonts

ZNznZtSA34 New Fork (PID: 1120, Parent: 1111)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1

bash New Fork (PID: 1121, Parent: 1120)

tar (MD5: dbeb13c3b2ade21995470fde7650314a) Arguments: tar zxvf /Users/drew/Library/Fonts/fontsupdater_ -C /Users/drew/Library/Fonts

ZNznZtSA34 New Fork (PID: 1122, Parent: 1111)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1

bash New Fork (PID: 1123, Parent: 1122)

pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent

ZNznZtSA34 New Fork (PID: 1124, Parent: 1111)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1

bash New Fork (PID: 1125, Parent: 1124)

pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent

ZNznZtSA34 New Fork (PID: 1126, Parent: 1111)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1

bash New Fork (PID: 1127, Parent: 1126)

open (MD5: 81d0c6fefba2004d451915c6fa861914) Arguments: open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app

ZNznZtSA34 New Fork (PID: 1142, Parent: 1111)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (pgrep -f safarifontsagent) 2>&1

bash New Fork (PID: 1143, Parent: 1142)

pgrep (MD5: 8c476a299c23f6971101e7bbd6462c3c) Arguments: pgrep -f safarifontsagent

xpcproxy New Fork (PID: 1115, Parent: 1)

Preview (MD5: 510c4010daefc87831ff8730ab2f5092) Arguments: /System/Applications/Preview.app/Contents/MacOS/Preview

xpcproxy New Fork (PID: 1128, Parent: 1)

FinderFontsUpdater (MD5: c6ad06ba0f0d2305596e013ae19c8b5a) Arguments: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater

FinderFontsUpdater New Fork (PID: 1130, Parent: 1128)

safarifontsagent (MD5: 8fd522272d06d460ea668d2f87a1e353) Arguments: /Users/drew/Library/Fonts/safarifontsagent

safarifontsagent New Fork (PID: 1131, Parent: 1130)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: bash -c (killall Terminal) 2>&1

bash New Fork (PID: 1132, Parent: 1131)

killall (MD5: f3e64d320b9eed9c6dbd97435daddded) Arguments: killall Terminal

sh New Fork (PID: 1133, Parent: 1130)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c sw_vers -productVersion

sw_vers (MD5: 7e6a3895092064bd002ecb1d4300b0db) Arguments: sw_vers -productVersion

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ZNznZtSA34	JoeSecurity_Nukesped_2	Yara detected Nukesped	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/Users/drew/Library/Fonts/safarifontsagent	JoeSecurity_Nukesped_2	Yara detected Nukesped	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: safarifontsagent PID: 1130	JoeSecurity_Nukesped_2	Yara detected Nukesped	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown

DNS traffic detected: query: onlinestockwatch.net replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.68

Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr	String found in binary or memory: http://certs.apple.com/wwdrg3.der01
Source: ZNznZtSA34, 00001111.00000371.1.000000010c66c000.000000010c6a4000.r--.sdmp, FinderFontsUpdater, 00001128.00000404.1.0000000104f76000.0000000104fae000.r--.sdmp, safarifontsagent, 00001130.00000408.1.00000001113af000.00000001113e7000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr	String found in binary or memory: http://crl.apple.com/root.crl0
Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootca0.
Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr	String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3040
Source: ZNznZtSA34, CodeResources.389.dr, com.safari.fontsyncagent.plist.371.dr, FinderFontsUpdater.389.dr, Info.plist.389.dr, safarifontsagent.385.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: ZNznZtSA34, 00001111.00000371.1.000000010c66c000.000000010c6a4000.r--.sdmp, FinderFontsUpdater, 00001128.00000404.1.0000000104f76000.0000000104fae000.r--.sdmp, safarifontsagent, 00001130.00000408.1.00000001113af000.00000001113e7000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: safarifontsagent, 00001130.00000408.1.0000000107c08000.0000000107c0c000.rw-.sdmp, safarifontsagent.385.dr	String found in binary or memory: https://onlinestockwatch.net
Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr	String found in binary or memory: https://www.apple.com/appleca/0
Source: ZNznZtSA34, FinderFontsUpdater.389.dr, safarifontsagent.385.dr	String found in binary or memory: https://www.apple.com/certificateauthority/0

Source: unknown

DNS traffic detected: queries for: onlinestockwatch.net

Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)	SIGKILL sent: pid: 1112, result: successful	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)	SIGKILL sent: pid: 1118, result: successful	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)	SIGKILL sent: pid: 1120, result: successful	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)	SIGKILL sent: pid: 1122, result: successful	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)	SIGKILL sent: pid: 1124, result: successful	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)	SIGKILL sent: pid: 1126, result: successful	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)	SIGKILL sent: pid: 1142, result: successful	Jump to behavior
Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130)	SIGKILL sent: pid: 1131, result: successful	Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.mac@0/15@1/0

Source: dropped file: safarifontsagent.385.dr	Mach-O symbol: _g_szServerUrl
Source: dropped file: safarifontsagent.385.dr	Mach-O symbol: _g_szServerUrl
Source: dropped file: safarifontsagent.385.dr	Mach-O symbol: _g_szServerUrl
Source: dropped file: safarifontsagent.385.dr	Mach-O symbol: _g_szServerUrl

Source: submission: ZNznZtSA34	Mach-O symbol: __Z15IsSafariFAExistv
Source: submission: ZNznZtSA34	Mach-O symbol: __Z15IsSafariFAExistv
Source: submission: ZNznZtSA34	Mach-O symbol: __Z15IsSafariFAExistv
Source: submission: ZNznZtSA34	Mach-O symbol: __Z15IsSafariFAExistv

Source: submission: ZNznZtSA34	Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/SelfExtractor.build/Release/SelfExtractor.build/Objects-normal/x86_64/main.o
Source: submission: ZNznZtSA34	Mach-O symbol: /Volumes/Dev/Shared/Mac/SelfExtractor/SelfExtractor/
Source: submission: ZNznZtSA34	Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/SelfExtractor.build/Release/SelfExtractor.build/Objects-normal/arm64/main.o
Source: submission: ZNznZtSA34	Mach-O symbol: /Volumes/Dev/Shared/Mac/SelfExtractor/SelfExtractor/
Source: dropped file: safarifontsagent.385.dr	Mach-O symbol: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../include/c++/v1/string.h
Source: dropped file: safarifontsagent.385.dr	Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/DownAndExec.build/Release/DownAndExec.build/Objects-normal/x86_64/main.o
Source: dropped file: safarifontsagent.385.dr	Mach-O symbol: /Volumes/Dev/Shared/Mac/DownAndExec/DownAndExec/
Source: dropped file: safarifontsagent.385.dr	Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/DownAndExec.build/Release/DownAndExec.build/Objects-normal/arm64/main.o
Source: dropped file: safarifontsagent.385.dr	Mach-O symbol: /Volumes/Dev/Shared/Mac/DownAndExec/DownAndExec/
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/FinderFontsUpdater.build/Release/FinderFontsUpdater.build/Objects-normal/x86_64/AppDelegate.o
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_macosx.a(arclite.o)
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Library/Caches/com.apple.xbs/Sources/arclite/arclite-76/source/
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.0.Internal.sdk/usr/include/_ctype.h
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Volumes/Dev/Shared/Mac/DroperApp/DroperApp/
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Volumes/Dev/Shared/Mac/DroperApp/DroperApp/
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/FinderFontsUpdater.build/Release/FinderFontsUpdater.build/Objects-normal/x86_64/main.o
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Volumes/Dev/Shared/Mac/DroperApp/DroperApp/
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/FinderFontsUpdater.build/Release/FinderFontsUpdater.build/Objects-normal/arm64/main.o
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Volumes/Dev/Shared/Mac/DroperApp/DroperApp/
Source: dropped file: FinderFontsUpdater.389.dr	Mach-O symbol: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/FinderFontsUpdater.build/Release/FinderFontsUpdater.build/Objects-normal/arm64/AppDelegate.o

Persistence and Installation Behavior

Writes Mach-O files to untypical directories

Source: /usr/bin/tar (PID: 1119)	FAT Mach-O written to unusual path: /Users/drew/Library/Fonts/safarifontsagent			Jump to dropped file
Source: /usr/bin/tar (PID: 1121)	FAT Mach-O written to unusual path: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater			Jump to dropped file

Opens applications from non-standard application directories

Source: /bin/bash (PID: 1127)

Application opened: open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app

Jump to behavior

Terminates several processes with shell command 'killall'

Source: /bin/bash (PID: 1132)

Killall command executed: killall Terminal

Jump to behavior

Source: /bin/bash (PID: 1127)

Application opened: open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app

Jump to behavior

Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)

File written: /Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf

Jump to dropped file

Source: submission

File header: Mach-O fat file with 2 architectures

Source: /usr/bin/tar (PID: 1121)

File written: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/Credits.rtf

Jump to dropped file

Source: /bin/rm (PID: 1117)

Saved state directory opened: /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState

Jump to behavior

Source: /usr/bin/tar (PID: 1121)

Bundle code signature resource File created: FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources

Jump to behavior

Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1112)	Shell command executed: bash -c (open '/Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1118)	Shell command executed: bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1120)	Shell command executed: bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1122)	Shell command executed: bash -c (pgrep -f safarifontsagent) 2>&1	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1124)	Shell command executed: bash -c (pgrep -f safarifontsagent) 2>&1	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1126)	Shell command executed: bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1	Jump to behavior
Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1142)	Shell command executed: bash -c (pgrep -f safarifontsagent) 2>&1	Jump to behavior
Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130)	Shell command executed: sh -c sw_vers -productVersion	Jump to behavior
Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1131)	Shell command executed: bash -c (killall Terminal) 2>&1	Jump to behavior
Source: /bin/sh (PID: 1133)	Shell command executed: sh -c sw_vers -productVersion	Jump to behavior

Source: /usr/bin/tar (PID: 1121)

Bundle Info.plist File created: FinderFontsUpdater.app/Contents/Info.plist

Jump to behavior

Source: /bin/bash (PID: 1117)

Rm executable: /bin/rm -> rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState

Jump to behavior

Source: /bin/bash (PID: 1123)	Pgrep executable: /usr/bin/pgrep -> pgrep -f safarifontsagent	Jump to behavior
Source: /bin/bash (PID: 1125)	Pgrep executable: /usr/bin/pgrep -> pgrep -f safarifontsagent	Jump to behavior
Source: /bin/bash (PID: 1143)	Pgrep executable: /usr/bin/pgrep -> pgrep -f safarifontsagent	Jump to behavior

Source: /usr/bin/tar (PID: 1119)	File written: /Users/drew/Library/Fonts/safarifontsagent			Jump to dropped file
Source: /usr/bin/tar (PID: 1121)	File written: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater			Jump to dropped file

Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)	XML plist file created: /Users/drew/Library/LaunchAgents/com.safari.fontsyncagent.plist	Jump to dropped file
Source: /usr/bin/tar (PID: 1121)	XML plist file created: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Info.plist	Jump to dropped file
Source: /usr/bin/tar (PID: 1121)	Binary plist file created: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib	Jump to dropped file
Source: /usr/bin/tar (PID: 1121)	XML plist file created: /Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources	Jump to dropped file

Source: submission	String containing user path: /Users/home/Library/Fonts/Log.txt
Source: submission	String containing user path: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/SelfExtractor.build/R
Source: submission	String containing user path: /Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/SelfExtractor.build/R

Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115)

Random device file read: /dev/random

Jump to behavior

Source: submission

CodeSign Info: Executable=/Users/drew/Desktop/ZNznZtSA34

Source: /Users/drew/Desktop/ZNznZtSA34 (PID: 1111)

Launch agent created File created: /Users/drew/Library/LaunchAgents//com.safari.fontsyncagent.plist

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Terminates the command-line application Terminal (probably to hinder manual analysis)

Source: /bin/bash (PID: 1132)

Kills( terminal apps: killall Terminal

Jump to behavior

Deletes the saved state of the command-line application Terminal (probably to avoid forensic reconstruction of shell activity)

Source: /bin/bash (PID: 1117)

Saved state deleted: /bin/rm -> rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState

Jump to behavior

Opens PDF files, sometimes used to disguise malicious intentions

Source: /bin/bash (PID: 1114)

PDF opened with default viewer: open /Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf

Jump to behavior

Source: ZNznZtSA34	Submission file: section __data with 7.9921 entropy (max. 8.0)
Source: ZNznZtSA34	Submission file: section __data with 7.9921 entropy (max. 8.0)

Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115)

Sysctl read request: kern.safeboot (1.66)

Jump to behavior

Source: /bin/bash (PID: 1112)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1118)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1120)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1122)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1124)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1126)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1142)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1131)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1133)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /bin/bash (PID: 1133)

sw_vers executed: sw_vers -productVersion

Jump to behavior

Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115)

Sysctl read request: hw.ncpu (6.3)

Jump to behavior

Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /Users/drew/Library/Fonts/safarifontsagent (PID: 1130)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /usr/bin/open (PID: 1114)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/open (PID: 1127)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /System/Applications/Preview.app/Contents/MacOS/Preview (PID: 1115)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/sw_vers (PID: 1133)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior

Stealing of Sensitive Information

Yara detected Nukesped

Source: Yara match	File source: ZNznZtSA34, type: SAMPLE
Source: Yara match	File source: Process Memory Space: safarifontsagent PID: 1130, type: MEMORYSTR
Source: Yara match	File source: /Users/drew/Library/Fonts/safarifontsagent, type: DROPPED

Remote Access Functionality

Yara detected Nukesped

Source: Yara match	File source: ZNznZtSA34, type: SAMPLE
Source: Yara match	File source: Process Memory Space: safarifontsagent PID: 1130, type: MEMORYSTR
Source: Yara match	File source: /Users/drew/Library/Fonts/safarifontsagent, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 Launch Agent	1 Launch Agent	2 Masquerading	OS Credential Dumping	51 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	1 Plist Modification	1 Plist Modification	1 Scripting	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Invalid Code Signature	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Code Signing	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onlinestockwatch.net	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://onlinestockwatch.net	safarifontsagent, 00001130.00000408.1.0000000107c08000.0000000107c0c000.rw-.sdmp, safarifontsagent.385.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

Created / dropped Files

/Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf

Download File

Process:	/Users/drew/Desktop/ZNznZtSA34
File Type:	PDF document, version 1.5
Category:	dropped
Size (bytes):	660978
Entropy (8bit):	7.991068328895131
Encrypted:	true
SSDEEP:	12288:C5iSX6f78tMI7XqcAifTvjme6MHPGuwy4zmg7RQfgf1wviNVl6lbDsk5:C5iSX6zsx6s3VOjlf1warlcbDR5
MD5:	F9CF136A529A162CDFA472BF1748D19B
SHA1:	4A7B1736DA2CAEFCEF7A3C2F8FD71D0FE8E30551
SHA-256:	2EDF2A7C3C1C175A98FEC99329125C2F68029D24734B4F75C4AE1915F0054B98
SHA-512:	10C7F7AEB88C1C1BEB0B2821950E35FBAB29716B8C76A2B0A671B43195F5594BD471301712F882257A23203A76F238741C04EB1C9E2BA36C754FDE15CCEFD7F0
Malicious:	true
Reputation:	low
Preview:	%PDF-1.5..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 43 0 R/MarkInfo<</Marked true>>>>..endobj..2 0 obj..<</Type/Pages/Count 10/Kids[ 3 0 R 17 0 R 21 0 R 28 0 R 30 0 R 32 0 R 34 0 R 36 0 R 38 0 R 40 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 9 0 R/F3 11 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/XObject<</Image13 13 0 R/Image15 15 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 550>>..stream..x...Mk.@......9......'.@l+..;..PJ......$...Y..vd5..=H..x..wf...8=..'.)..3.O'..g.U..4(p..Q..c.}=..y6..ltA@..@..g$.......l`T..gYw......d.A.SA..-.....2............R4o.....`........L...X.1..y?i.......j...T..../...?F{i...m0`..5.yE+..m..I}..$.........!.ey;...n.,..b.E.:4..db....:....w...h.?>4.S..T\.o.G..B?j!>...jv....2b.B.o..x...-.$...*. .&...~.,...A&..o8H......H.........!]n....G

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Info.plist

Download File

Process:	/usr/bin/tar
File Type:	XML document text
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	5.145387344297517
Encrypted:	false
SSDEEP:	48:cfyfJQBh1cw1O0giH2IcSsG7vGFOl2+dSg:CyhQBncw1O0giHVcSl7eFOl2+dSg
MD5:	78AF5670320B828CA61D65019880F9E5
SHA1:	8AA7D431368ADFB3DD0EA0523837E76C3EC4C82F
SHA-256:	B86EBBAFFDA5D64A0306CAF1427A741787EBE0437415FFE3062A12F707D8008B
SHA-512:	41ADF57037CAB2006144D851FE095B24679E70870830C824EFFBE7BDB8133593E63E8339ACA58AD8C744D2E1B183D37E8E0AF4C87225D2E853B53E0D52B32ACA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>BuildMachineOSBuild</key>..<string>20D91</string>..<key>CFBundleDevelopmentRegion</key>..<string>en</string>..<key>CFBundleExecutable</key>..<string>FinderFontsUpdater</string>..<key>CFBundleIdentifier</key>..<string>finder.fonts.extractor</string>..<key>CFBundleInfoDictionaryVersion</key>..<string>6.0</string>..<key>CFBundleName</key>..<string>FinderFontsUpdater</string>..<key>CFBundlePackageType</key>..<string>APPL</string>..<key>CFBundleShortVersionString</key>..<string>1.0</string>..<key>CFBundleSignature</key>..<string>????</string>..<key>CFBundleSupportedPlatforms</key>..<array>...<string>MacOSX</string>..</array>..<key>CFBundleVersion</key>..<string>1</string>..<key>DTCompiler</key>..<string>com.apple.compilers.llvm.clang.1_0</string>..<key>DTPlatformBuild</key>..<string>12D4e</string>..<key>DTPlatformNam

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater

Download File

Process:	/usr/bin/tar
File Type:	Mach-O fat file with 2 architectures
Category:	dropped
Size (bytes):	189376
Entropy (8bit):	3.0827430651154764
Encrypted:	false
SSDEEP:	1536:eCz/yOBuNs2Rp+NL2F7gMJAzqiHWTSaEi:JpBis2Rp+9ycJpHo
MD5:	C6AD06BA0F0D2305596E013AE19C8B5A
SHA1:	FE859502B54CA31BC2EE701113A37E73A5EE7824
SHA-256:	A0BF5AF3F931A428B905FD14D43B61AF47B7F272425AE4FF4D78B5CB139B8276
SHA-512:	292A12E068775CD17A201FB96D7B36E962E36EB54165BFD0F34D18520D00456215B8F448AB9398A1ADF48FF46540B93E5D82ECE2BFA551F08BDB7B17C98EFA01
Malicious:	true
Reputation:	low
Preview:	..................@...xp..................#.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/PkgInfo

Download File

Process:	/usr/bin/tar
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	1.75
Encrypted:	false
SSDEEP:	3:k0Ra:f8
MD5:	23B7D7D024ABB0F558420E098800BF27
SHA1:	9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
SHA-256:	82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
SHA-512:	F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
Malicious:	false
Reputation:	low
Preview:	APPL????

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/Credits.rtf

Download File

Process:	/usr/bin/tar
File Type:	Rich Text Format data, unknown version
Category:	dropped
Size (bytes):	436
Entropy (8bit):	4.962904598670011
Encrypted:	false
SSDEEP:	6:edsqSm+BhYrJDeXsVamc7QTf9KX6UVlWmVPOeIWXFflm0yD8AqriAke+2QxRo59v:5qSmsYinmY25MlWmVPOKIJQjiAke+pwN
MD5:	F0D4A61CAF597423FF07C5E9B24A345E
SHA1:	60A248148B319DE26E36424D25021C2488E23CE8
SHA-256:	B4386FE1CEF65CD91E6C8ECC065D117089083F91B7CADBF0C3E5EAE20E8B9640
SHA-512:	E361011499CF70FC71E247FDDA71F49D913654A983AA4AE67D00DC977E53B9CF0D88D4D2AC07EFE248261C3AB6E3345E829E22DDA3E51DCCC221A94C660ACE69
Malicious:	false
Reputation:	low
Preview:	{\rtf0\ansi{\fonttbl\f0\fswiss Helvetica;}.{\colortbl;\red255\green255\blue255;}.\paperw9840\paperh8400.\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural..\f0\b\fs24 \cf0 Engineering:.\b0 \..Some people\.\..\b Human Interface Design:.\b0 \..Some other people\.\..\b Testing:.\b0 \..Hopefully not nobody\.\..\b Documentation:.\b0 \..Whoever\.\..\b With special thanks to:.\b0 \..Mom\.}.

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/InfoPlist.strings

Download File

Process:	/usr/bin/tar
File Type:	Little-endian UTF-16 Unicode C program text
Category:	dropped
Size (bytes):	92
Entropy (8bit):	3.2610300066712608
Encrypted:	false
SSDEEP:	3:Qwh+yEilSlJlqXMLLkFlVlRDBWjUoFY9n:QpXioJqcLwVlRNWwou9n
MD5:	51EF59B60E5B41B91519CC662A9FE886
SHA1:	3222CA0C39EB50AAF8126BAF852E55430C4718AF
SHA-256:	39CF2EE07B7B333E7C179D0BF4D798A5B72AF6A4E584F51E642703BBFA4FC828
SHA-512:	3952A908B72D44040F5072F6344F6327FC78981C3AA55E931ACAE84C0C9BCC0D148991CD564AF4803765C328CBF5F7EFE9EB558FC56E47E8206B7B706026F30A
Malicious:	false
Reputation:	low
Preview:	../.. .L.o.c.a.l.i.z.e.d. .v.e.r.s.i.o.n.s. .o.f. .I.n.f.o...p.l.i.s.t. .k.e.y.s. ../.....

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib

Download File

Process:	/usr/bin/tar
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	27276
Entropy (8bit):	6.9819805236906145
Encrypted:	false
SSDEEP:	768:ZNRgvAgjaql6TFRGpdHlV9T7UcGQ+jalffZmTU1U/6nwrAFZu5X3f1P:1gvAiaqsTFopdHiRku/2w0Fw9P1P
MD5:	05A768DCAC969B7ED6FF1D00481C04AA
SHA1:	E6DD855D3B4E378FE0C711536B4CB6252D4550E5
SHA-256:	0BDFE59083764533CD5CBE8202D888FCF36C363D3AA66B95DFC638D60D399C27
SHA-512:	9CC1CD2C6C201CCD7ADCAC134E438170DC8B2CC36EE15EEDF3CDB4CC1D6A36FA5AC7336731A8B048E9F5449A86D1EFFED76469945BEC70E5A98C8E0AFBA8CC61
Malicious:	false
Reputation:	low
Preview:	bplist00.................X$versionY$archiverT$topX$objects....._..NSKeyedArchiver........._..IB.systemFontUpdateVersion]IB.objectdata.............%.)..0.5.Q.R.S.T.f.g.k.l.m.p.t.........................................$.%.(.).,.-.1.5.<.=.>.?.D.K.P.Q.R.V.].a.b.c.d.h.o.p.q.r.v.}.~.........................................................................................................$.%.&..1.5.6.7.8.<.C.D.E.F.J.Q.R.S.T.X._.c.d.e.f.j.q.r.s.w.~........................................................................................................... .!.%.,.-...2.9.:.;.?.F.J.K.L.P.W.X.Y.].d.e.f.k.r.w.x.{.\|.}.....................................................................................................$.%.&.*.1.2.3.7.>.B.C.G.N.O.P.T.[.\.].a.h.l.m.q.x.y.}...................................................................................................".#.$.%.).0.1.2.3.7.>.?.@.D.K.L.M.N.R.Y.Z.[._.g.h.i.m.t.u.v.z...................................................o.t.u...................

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources

Download File

Process:	/usr/bin/tar
File Type:	XML document text
Category:	dropped
Size (bytes):	3511
Entropy (8bit):	4.994229376408988
Encrypted:	false
SSDEEP:	96:CyhCcZo2acTLDkYT2BLDzFNQpO/YTbJvy:XRdLEDzko
MD5:	8989281A117726E28DF99A9D2ED54E2A
SHA1:	8488C7C93DDED1E7DC63DDFCE952C19937B53FAA
SHA-256:	D36B36865184EAAF3E0005BEDF16A1AAFC7CD71FBD66D313540C9CFA3BF2072E
SHA-512:	2FDB42257BFD84BA31DA9B8483ABDFC3206CD1AF24D505DAF6D57B7AF2AEC210ADAA40F7936585D705CCC7EBA587E9303926B0F9814785C524E5CAB901BA148B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>files</key>..<dict>...<key>Resources/en.lproj/Credits.rtf</key>...<dict>....<key>hash</key>....<data>....YKJIFIsxneJuNkJNJQIcJIjiPOg=....</data>....<key>optional</key>....<true/>...</dict>...<key>Resources/en.lproj/InfoPlist.strings</key>...<dict>....<key>hash</key>....<data>....MiLKDDnrUKr4EmuvhS5VQwxHGK8=....</data>....<key>optional</key>....<true/>...</dict>...<key>Resources/en.lproj/MainMenu.nib</key>...<dict>....<key>hash</key>....<data>....5t2FXTtON4/gxxFTa0y2JS1FUOU=....</data>....<key>optional</key>....<true/>...</dict>..</dict>..<key>files2</key>..<dict>...<key>Resources/en.lproj/Credits.rtf</key>...<dict>....<key>hash</key>....<data>....YKJIFIsxneJuNkJNJQIcJIjiPOg=....</data>....<key>hash2</key>....<data>....tDhv4c72XNkebI7MBl0RcIkIP5G3ytvww+Xq4g6LlkA=....</data>....<key>optional</key>....<true/>...</d

/Users/drew/Library/Fonts/fontsupdater_

Download File

Process:	/Users/drew/Desktop/ZNznZtSA34
File Type:	gzip compressed data, from Unix, last modified: Mon Mar 29 11:45:51 2021
Category:	dropped
Size (bytes):	50409
Entropy (8bit):	7.989497286442078
Encrypted:	false
SSDEEP:	768:XUl+S+HbnCGcFv/jFSsesGg1Szu+36BzUNYvJHSCFw6AdFeXsWzf:XNS+HbCGmj5eRg1SzLhNa1SC+6aFeXf
MD5:	D989AE035A7EDD5D5C368D5058557224
SHA1:	3B770CBE280B8D66D5DB64F159118F32129CD327
SHA-256:	F5FC72C68D56A0C37B4D0034C7E53BEA0DC8F04782694FD770915DFC34169E8C
SHA-512:	3195590518498E3E1C8FB52000B4863D19ABA5576F532673291DA6F7CDCE94DA243BF5919E55A03E4C284FA0AD641BBA7E4FB6C40CF29D346B6B65950122AB54
Malicious:	false
Reputation:	low
Preview:	......a`...}.`.U....-...Lz...........$.P..,.B..)td....4A.t.....JS:.;. U.^...wf.MB........g6L..9..sO.Y.....X..\.P.....`..5...a..K\|\|\|JR...&[...D..i.'$.K....di.8>!9!)..'..r......P.X.0W.W..^y.....v.4.....d..../@'....."...........'......s...TQchh.3.{../..D.......,.5.jC....h.....O.O.g...._..gc......_.....'..OHI..3......_Y...[[e.o..1.<..._9...D.s...?....}.\|.....g......6....5Y.....bcM...TS.....CLj`N.(3@.-(....9]...............c\..X&...E.bD#.N....V64......2.U.cl.....>NWg.5.5.S!b1.AlyCy ..Po..:[nk...f.4...o4U.#.Ti.1j....8...^.P........2......t.o.).2....U..j...........W5..5.56..U..o..,z..e9.6.7.w........%.k..Pg(k0.....2$...C.....=O296.U.5...B/t.....c.......t.W5+.4.54.Z...\|..Wsl.B.o...W6j..E..r]..........PWg`w.t.P.{kJq......a..q...su.....F..eBpw..VU...-.2.T.&.. .Yqs.^....Y...m^6..........z.......:.b&.$K_z..Yz9Bwd.^h. I\|...[...TEjS.....hX}......M}...H.Xm..l4..F..\;..TQ..\|[....UbI\|B.O.^.7..Xq^U...Z/.3......c_DR.L5.S......{Im.i\|......j.U.U.....i.X.m34p.mn..g1..q.1...O......._......../a.E.....\|..

/Users/drew/Library/Fonts/safarifontsagent

Download File

Process:	/usr/bin/tar
File Type:	Mach-O fat file with 2 architectures
Category:	dropped
Size (bytes):	155520
Entropy (8bit):	2.040985715769528
Encrypted:	false
SSDEEP:	384:yvQS58NIe/ABSdEGukoQTih2e8R1IJz12k2uk28U93XNYcYMaX8RErdmSl4pGVV2:yv5MuZ3kAr8k3dYcYMVm5m26t8M
MD5:	8FD522272D06D460EA668D2F87A1E353
SHA1:	A2A0188A6387CB9BDE92EBBBDC43BF6B486FE820
SHA-256:	315503862CB7EBB0A731483827016015E355BAD51F872DB5C650A822DE744937
SHA-512:	95D0748D6EEFBEC8171083D6233A376A219841E1D913121D669B2E92DF90A9799539FE18F4423210956A6927F35586B9D0F866D4932E532692C11F3CB5D1AA2C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Nukesped_2, Description: Yara detected Nukesped, Source: /Users/drew/Library/Fonts/safarifontsagent, Author: Joe Security
Reputation:	low
Preview:	..................@....@..............@.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/Users/drew/Library/Fonts/safarifontsagent_

Download File

Process:	/Users/drew/Desktop/ZNznZtSA34
File Type:	gzip compressed data, from Unix, last modified: Mon Mar 29 15:58:51 2021
Category:	dropped
Size (bytes):	20538
Entropy (8bit):	7.972582062085289
Encrypted:	false
SSDEEP:	384:gYwPZISogFbJBVJLNYd5ODiQBZX4ziYKID3OAd/RskqWvLdW:tnEJB/mSRID3LJqWTdW
MD5:	DB266844D6239888E53F977FC53EFC67
SHA1:	94B5EB8CBFD63F0456212376CA32324E2727E03B
SHA-256:	B4507B0DDABAB1B3D0723745977AB56ACC0B6F3620DB2355415E9F562A4E4496
SHA-512:	F29BE49F608A65DB9870336E1794C4DDE9CABCE3367481565CAC4DDF034A2192309ED568BFAE00740B3CBF4618CDE59ADD6675A501AA8280A012E811D65868D5
Malicious:	false
Reputation:	low
Preview:	......a`.....\SG.>\|N..UqW$.E...dS.A@.."..`H.DB....U.......Z.Z.j..R.\.nE....[.u.q..............\|......3.53.=....rb.....T..h..)5F..........0.....\.t...d...+......3.BF. ......De..e0..P.4.Z.)..e>....7~..0............MQv..)J..U.p.8g6.....Gq..Z.................................................................'_..oGQ4.t.HC.f..5.....A.A.....".F&....._(....!?I...>`/.2....-.NN6s-.Ra.o.....k.....oI......._.................%.+.:....J.s...u.....k5.....on.._...P...g0.U....W..-.....zue..49."Y.I.~...'.o....a.4Of..ODXR.E..j.X.\|,..&'k.......:Yg...?{...HF.)...4........s....,.g.....]..a..t....>..W..Bf..u...q.6.......u....OdD.yL..8..q.i2..T....r08..k..........L....U..H.d...Y.......xl...*.mG..iGz.E.>....T....8....U)bE.Z..[.z,.m.....a%.\....qjO.1vp..8Q...1G..j#...T=.r..On..(4..e....jQW..B.bi.X..f.Q......$....:...:.b.......,.#nG.d....h..<1.5...b.........................................E.....]X.=...Ur..........s....QZ.......O......QT$d...ZQ/...g..Fr.....oL..R.dj]xH.b../.L.`..i......q.1pp.]xErZRa...{&..S\.Z...

/Users/drew/Library/LaunchAgents/com.safari.fontsyncagent.plist

Download File

Process:	/Users/drew/Desktop/ZNznZtSA34
File Type:	XML document text
Category:	dropped
Size (bytes):	457
Entropy (8bit):	5.224719870128861
Encrypted:	false
SSDEEP:	12:TMHd4+tJVEdQsv9SPBnDho+48OWOjM1MH+EM+4bP+v:2d6ysvIBdoVBvM0jMVDE
MD5:	ABD8D1D28B44573C2A1594F4502E314C
SHA1:	53761AF4D1F64E1EADB762501C47F7233EBC128A
SHA-256:	3B773DF5DD1586AB88C3782ED56998FE832623C6ECF64CD9B109B06A3BC36302
SHA-512:	83F18845347D0E5106CBB2DBEB6FE073E1194FEA353011E8BB7455B84501C2E8071EC8A522E21762F01AEC2AAEB3489652F6EB0DDF39694596541ECDFE3F8E67
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">..<plist version="1.0">..<dict>...<key>Label</key>...<string>iTunes_trush</string>...<key>OnDemand</key>...<true/>...<key>ProgramArguments</key>...<array>....<string>/Users/drew/Library/Fonts/safarifontsagent</string>...</array>...<key>RunAtLoad</key>...<true/>...<key>KeepAlive</key>...<true/>..</dict>..</plist>..

/dev/null

Download File

Process:	/System/Applications/Preview.app/Contents/MacOS/Preview
File Type:	ASCII English text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	5.18419995677302
Encrypted:	false
SSDEEP:	12:C2BT6dUBJIfKtrPtXhF4FSd9pmvRABJPv:CcD4uzBhF4F09YY1v
MD5:	5A718B9FFE000FED9E6AEE846D474926
SHA1:	E0DCA244B3E5F612C6D70B499601E69703801DA4
SHA-256:	32927A8D74C4080E528C934A91D927A17154A5A11A64150A05634AFA25EB5010
SHA-512:	036BAEE1249560924D3B530209FA655071B4255BD976AC7E16B83AC3F5A310522DDF10CD8FAC2D4A6C2F5C45C4ED31913835519CFDBCE56339F3B3BF4BB78EDF
Malicious:	false
Reputation:	low
Preview:	2022-05-04 14:11:02.605 Preview[1115:13720] ApplePersistence=NO.2022-05-04 14:11:02.714 Preview[1115:13720] WARNING: The SplitView is not layer-backed, but trying to use overlay sidebars.. implicitly layer-backing for now. Please file a radar against this app if you see this..CoreGraphics PDF has logged an error. Set environment variable "CG_PDF_VERBOSE" to learn more..2022-05-04 14:11:05.147 Preview[1115:13720] +[NSSavePanel _warmUp] attempted warmup.

/private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/16777237_9765376/functions.list

Download File

Process:	/System/Applications/Preview.app/Contents/MacOS/Preview
File Type:	data
Category:	dropped
Size (bytes):	496
Entropy (8bit):	5.850277362570197
Encrypted:	false
SSDEEP:	12:fKdS6f0H0SKHoi17/SITur/CbNlIzrbL:CdpsHFOoyrUUarv
MD5:	EE54198E4FD547359A4112A9F6BF8427
SHA1:	814C014B4615468359D44960A15398578E9F409B
SHA-256:	9E78BB92F591FE7640655D5CE0C7882D33391D9B782464CE187BF5ABEFCB28A4
SHA-512:	D9E424A035EA5D7993723065C7E8BD7B6FF50D531F068C7973CE7A8760A902E2F3808A9179224C71501C2BBFE148A2E026A30A8990CD8BD83A895590E34ACBCA
Malicious:	false
Reputation:	low
Preview:	Tcr.s...x...^N....~8..l............"........E6'..O..............n}y.L.G...yfA.se.q.....@ \..8.......)...vK.......P......[.%..Y..W.b/.`xM..}[(.r'...g..5..........Q................ .L.....8hd..YS=.aV.t......p...........K..............HHEo..p]..`..]\.5.4d!...R...yY.x........SM.......L...........5...&..a;....x..>wN._&.?R5.....Dv2_6K................J........)..d.mV.C.s0.u..l?...........b\................c.0h..%........]..C.".%(....7}.........T.......`.......1....G&......W......_p.................

/private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/31001/libraries.list

Download File

Process:	/System/Applications/Preview.app/Contents/MacOS/Preview
File Type:	data
Category:	dropped
Size (bytes):	832
Entropy (8bit):	5.82773989951035
Encrypted:	false
SSDEEP:	12:8QpkyHr31DkllpfT0hb24+D6u2ZJe/9f/b/hXumgT1ag4h3/4/Ebq6uijHeWtMJl:xk458fT0h2WZM/dDZX9rh3AKtDMl
MD5:	B1529BF4E4B59ADEBB046AE20182F14C
SHA1:	F8CCD14DBD33598452D9434445151E17F5A1C8BC
SHA-256:	A2C16A167856DA38243CB7EDC3A03DE39445FF6FA858FD65BCF0E0D0B4809E93
SHA-512:	27BC779766E0465BD0B27A3237F58B01965114B4E9086963091BFB735A174832BE4669D1F097B177FAAF3E336551511DFFC4BA3BBBCD3C4596743DB35B011F38
Malicious:	false
Reputation:	low
Preview:	Tcr.......C..N_.^........]Ai..F.=$.b........E6'................&...R..".....e.\|$@}.....H.4.pX..................@.......................U....?...5...............................HK&F...!.8.S.1....O...X...:6.a.....0............/............:.%.......)...#.eb&........................=......s5i.(H..EM...=&z.....I..8.1-...N.................N........L...J........R>? x.Z...".Q.g..........j........_......."..P.......D.w.$....5..................O........r........0 ViPO;._........+....B...............W...............ZjN...s.....z...NH....n.1B@.)...........L.................gH.X......1....9...QY.-...W.HO.........&................].....D.:..t............s.x1..........j................v...e....g...~..M.....AOY....Og........7.......0......@d.........>.F.....]G.....Qe............g................F*.6.<.m..y...,6t..^..A}...P-..........

Static File Info

General

File type:	Mach-O fat file with 2 architectures
Entropy (8bit):	7.77490767672688
TrID:	Mac OS X Universal Binary executable (4004/1) 75.96% HSC music composer song (1267/141) 24.04%
File name:	ZNznZtSA34
File size:	1618272
MD5:	51731fd8bd72d6cc4c8a58810d1a627f
SHA1:	f44215738d5d0032b890bd596a597c19ef1a672c
SHA256:	55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f
SHA512:	b11910261a735f173d60d0f718931438a16f93c2b68f070724ef4ed157fba4633d3287b4b4760664bd1c280999aff0ba377f2123b60c1870e7d08deaa0064731
SSDEEP:	24576:15iSX6zsx6s3VOjlf1warlcbDRErt5iSX6zsx6s3VOjlf1warlcbDRsrr:zTx6slEliarMyTx6slEliarM
TLSH:	5B7523629AA42C9DC78903BDDE4B7E29760DF013B1E680760B5AC3FB4598B7EB5051C3
File Content Preview:	..................@...1`..................1`...................................................................................................................................................................................................................

CodeSign Information

["Executable=/Users/drew/Desktop/ZNznZtSA34","Identifier=SelfExtractor","Format=Mach-O universal (x86_64 arm64)","CodeDirectory v=20500 size=6393 flags=0x10000(runtime) hashes=189+7 location=embedded","VersionPlatform=1","VersionMin=721152","VersionSDK=721152","Hash type=sha256 size=32","CandidateCDHash sha256=d709f1b14a8a737d0c39323025b2eb05e32196a5","CandidateCDHashFull sha256=d709f1b14a8a737d0c39323025b2eb05e32196a56090ce2f5f543718745b3a27","Hash choices=sha256","CMSDigest=d709f1b14a8a737d0c39323025b2eb05e32196a56090ce2f5f543718745b3a27","CMSDigestType=2","Executable Segment base=0","Executable Segment limit=16384","Executable Segment flags=0x1","Page size=4096","CDHash=d709f1b14a8a737d0c39323025b2eb05e32196a5","Signature size=4793","Authority=Apple Development: goldenbook2021@icloud.com (KF3VRYP2R7)","Authority=Apple Worldwide Developer Relations Certification Authority","Authority=Apple Root CA","Signed Time=31 Mar 2021 at 08:16:57","Info.plist=not bound","TeamIdentifier=H5YL5668C7","Runtime Version=11.1.0","Sealed Resources=none","Internal requirements count=1 size=192"]

Static Mach Info

General Information for header 1
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	18
Entry point:	0x3880

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x4000

fileoff

0x0

filesize

0x4000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100002CEB	0xE55	0x2CEB	6.1338	0x0	0x0	0	0x80000400
__stubs	__TEXT	0x100003B40	0xC0	0x3B40	3.0850	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x100003C00	0x150	0x3C00	3.7790	0x2	0x0	0	0x80000400
__cstring	__TEXT	0x100003D50	0x21B	0x3D50	5.0010	0x4	0x0	0	0x2
__unwind_info	__TEXT	0x100003F6C	0x8C	0x3F6C	3.1338	0x2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100004000

vmsize

0x4000

fileoff

0x4000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100004000	0x10	0x4000	-0.0000	0x3	0x0	0	0x6

Name

Value

segname

__DATA

vmaddr

0x100008000

vmsize

0xB4000

fileoff

0x8000

filesize

0xB4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x100008000	0x100	0x8000	2.2173	0x3	0x0	0	0x7
__data	__DATA	0x100008100	0xB2CEB	0x8100	7.9921	0x4	0x0	0	0x0
__common	__DATA	0x1000BADF0	0x104	0x0	-0.0000	0x4	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x1000BC000
vmsize	0x8000
fileoff	0xBC000
filesize	0x7160
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	770048
rebase_size	8
bind_off	770056
bind_size	48
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	770104
lazy_bind_size	464
export_off	770568
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	770624
nsyms	128
stroff	772936
strsize	1184

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	93
iextdefsym	93
nextdefsym	1
iundefsym	94
nundefsym	34
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	772672
nindirectsyms	66
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'\x0f\r\x1a\xe9\xfc\xe47\xf2\xb7e\x10\xae\x8b\|\x073'

build_version_command aggregated: 1

Name

Value

platform

minos

721152

sdk

721152

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	14464
stacksize	0

dylib_command aggregated: 2

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

904.4.0

compatibility_version

1.0.0

Datas

/usr/lib/libc++.1.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1292.60.1

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

linkedit_data_command aggregated: 3

Name	Value
dataoff	770600
datasize	24

Name	Value
dataoff	770624
datasize	0

Name	Value
dataoff	774128
datasize	24944

Internal Symbols

/Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/SelfExtractor.build/Release/SelfExtractor.build/Objects-normal/x86_64/main.o

/Volumes/Dev/Shared/Mac/SelfExtractor/SelfExtractor/

__Z10strreversePcS_

__Z11ExecuteFilePc

__Z11GetUserNamev

__Z11GlobalAllocjj

__Z11startDaemonv

__Z15IsSafariFAExistv

__Z16SecureZeroMemoryPvm

__Z4itoaiPci

__Z5ShellPcS_

__Z6popen2PKcPiS1_

__Z6popen2PKcPiS1_.cold.1

__Z6thExecPv

__Z7pclose2i

__Z8WriteLogPc

__ZZ4itoaiPciE3num

____chkstk_darwin

___bzero

___stack_chk_fail

___stack_chk_guard

__dyld_private

__mh_execute_header

_access

_atoi

_close

_data

_data2

_data3

_data4

_data5

_dup2

_execl

_exit

_fclose

_fopen

_fork

_free

_fwrite

_g_szUserName

_getenv

_kill

_main

_malloc

_mkdir

_open

_perror

_pipe

_read

_remove

_sleep

_snprintf

_strcat

_strcpy

_strlen

_strrchr

_time

_waitpid

_write

dyld_stub_binder

main.cpp

External symbols

____chkstk_darwin

___bzero

___stack_chk_fail

_access

_atoi

_close

_dup2

_execl

_exit

_fclose

_fopen

_fork

_free

_fwrite

_getenv

_kill

_malloc

_mkdir

_open

_perror

_pipe

_read

_remove

_sleep

_snprintf

_strcat

_strcpy

_strlen

_strrchr

_time

_waitpid

_write

General Information for header 2
Endian:	<
Size:	32-bit
Architecture:	ARM64
Filetype:	execute
Nbr. of load commands:	18
Entry point:

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x4000

fileoff

0x0

filesize

0x4000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100002C44	0xE24	0x2C44	6.2246	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x100003A68	0x174	0x3A68	3.6788	0x2	0x0	0	0x80000408
__stub_helper	__TEXT	0x100003BDC	0x18C	0x3BDC	3.6936	0x2	0x0	0	0x80000400
__cstring	__TEXT	0x100003D68	0x205	0x3D68	5.0546	0x0	0x0	0	0x2
__unwind_info	__TEXT	0x100003F70	0x90	0x3F70	2.8223	0x2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100004000

vmsize

0x4000

fileoff

0x4000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100004000	0x18	0x4000	-0.0000	0x3	0x0	0	0x6

Name

Value

segname

__DATA

vmaddr

0x100008000

vmsize

0xB4000

fileoff

0x8000

filesize

0xB4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x100008000	0xF8	0x8000	2.2359	0x3	0x0	0	0x7
__data	__DATA	0x1000080F8	0xB2CBC	0x80F8	7.9921	0x3	0x0	0	0x0
__common	__DATA	0x1000BADB4	0x104	0x0	-0.0000	0x0	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x1000BC000
vmsize	0x8000
fileoff	0xBC000
filesize	0x7160
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	770048
rebase_size	8
bind_off	770056
bind_size	64
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	770120
lazy_bind_size	440
export_off	770560
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	770624
nsyms	128
stroff	772936
strsize	1184

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	93
iextdefsym	93
nextdefsym	1
iundefsym	94
nundefsym	34
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	772672
nindirectsyms	65
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'\xab\xfaB\xd6\xa8\r1\x11\x92P\x885y\xda\xeez'

build_version_command aggregated: 1

Name

Value

platform

minos

721152

sdk

721152

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	14408
stacksize	0

dylib_command aggregated: 2

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

904.4.0

compatibility_version

1.0.0

Datas

/usr/lib/libc++.1.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1292.60.1

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

linkedit_data_command aggregated: 3

Name	Value
dataoff	770592
datasize	32

Name	Value
dataoff	770624
datasize	0

Name	Value
dataoff	774128
datasize	24944

Internal Symbols

/Users/goldmac/Library/Developer/Xcode/DerivedData/Build/Intermediates.noindex/SelfExtractor.build/Release/SelfExtractor.build/Objects-normal/arm64/main.o

/Volumes/Dev/Shared/Mac/SelfExtractor/SelfExtractor/

__Z10strreversePcS_

__Z11ExecuteFilePc

__Z11GetUserNamev

__Z11GlobalAllocjj

__Z11startDaemonv

__Z15IsSafariFAExistv

__Z16SecureZeroMemoryPvm

__Z4itoaiPci

__Z5ShellPcS_

__Z6popen2PKcPiS1_

__Z6popen2PKcPiS1_.cold.1

__Z6thExecPv

__Z7pclose2i

__Z8WriteLogPc

__ZZ4itoaiPciE3num

___chkstk_darwin

___stack_chk_fail

___stack_chk_guard

__dyld_private

__mh_execute_header

_access

_atoi

_bzero

_close

_data

_data2

_data3

_data4

_data5

_dup2

_execl

_exit

_fclose

_fopen

_fork

_free

_fwrite

_g_szUserName

_getenv

_kill

_main

_malloc

_mkdir

_open

_perror

_pipe

_read

_remove

_sleep

_snprintf

_strcat

_strcpy

_strlen

_strrchr

_time

_waitpid

_write

dyld_stub_binder

main.cpp

External symbols

___stack_chk_fail

_access

_atoi

_bzero

_close

_dup2

_execl

_exit

_fclose

_fopen

_fork

_free

_fwrite

_getenv

_kill

_malloc

_mkdir

_open

_perror

_pipe

_read

_remove

_sleep

_snprintf

_strcat

_strcpy

_strlen

_strrchr

_time

_waitpid

_write

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2022 12:12:51.356837988 CEST	49196	5223	192.168.0.52	17.57.146.68
May 4, 2022 12:12:51.365677118 CEST	5223	49196	17.57.146.68	192.168.0.52
May 4, 2022 12:12:51.367044926 CEST	49196	5223	192.168.0.52	17.57.146.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2022 12:11:03.726665974 CEST	56584	53	192.168.0.52	8.8.8.8
May 4, 2022 12:11:03.739439964 CEST	53	56584	8.8.8.8	192.168.0.52
May 4, 2022 12:11:06.346901894 CEST	53	49871	8.8.8.8	192.168.0.52
May 4, 2022 12:11:06.347028971 CEST	53	54666	8.8.8.8	192.168.0.52
May 4, 2022 12:11:48.801620007 CEST	137	137	192.168.0.52	192.168.0.255
May 4, 2022 12:11:48.804954052 CEST	63276	137	192.168.0.52	192.168.0.255
May 4, 2022 12:11:49.226402044 CEST	137	137	192.168.0.52	192.168.0.255
May 4, 2022 12:11:49.226490021 CEST	137	137	192.168.0.52	192.168.0.255
May 4, 2022 12:11:49.226494074 CEST	138	138	192.168.0.52	192.168.0.255
May 4, 2022 12:11:54.450593948 CEST	138	138	192.168.0.52	192.168.0.255
May 4, 2022 12:11:54.450684071 CEST	137	137	192.168.0.52	192.168.0.255
May 4, 2022 12:12:25.754362106 CEST	137	137	192.168.0.52	192.168.0.255
May 4, 2022 12:12:25.756386042 CEST	53476	137	192.168.0.52	192.168.0.255
May 4, 2022 12:12:26.177056074 CEST	138	138	192.168.0.52	192.168.0.255
May 4, 2022 12:12:26.177084923 CEST	137	137	192.168.0.52	192.168.0.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2022 12:11:03.726665974 CEST	192.168.0.52	8.8.8.8	0x1db1	Standard query (0)	onlinestockwatch.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2022 12:11:03.739439964 CEST	8.8.8.8	192.168.0.52	0x1db1	Name error (3)	onlinestockwatch.net	none	none	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: mono-sgen64 PID: 1110, Parent PID: 1068

General

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Library/Frameworks/Mono.framework/Versions/6.12.0/bin/mono-sgen64
Arguments:	n/a
File size:	4699168 bytes
MD5 hash:	98f65da8c6a62423d3f4cda359f06a87

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/sudo
Arguments:	/usr/bin/sudo -u drew /Users/drew/Desktop/ZNznZtSA34
File size:	1216576 bytes
MD5 hash:	f21c2a2dc106642f7c38801e121c8c86

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/sudo
Arguments:	n/a
File size:	1216576 bytes
MD5 hash:	f21c2a2dc106642f7c38801e121c8c86

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Desktop/ZNznZtSA34
Arguments:	/Users/drew/Desktop/ZNznZtSA34
File size:	1618272 bytes
MD5 hash:	51731fd8bd72d6cc4c8a58810d1a627f

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Desktop/ZNznZtSA34
Arguments:	n/a
File size:	1618272 bytes
MD5 hash:	51731fd8bd72d6cc4c8a58810d1a627f

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	bash -c (open '/Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf' && rm -rf '/Users/drew/Library/Saved Application State/com.apple.Terminal.savedState') 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/open
Arguments:	open /Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf
File size:	292560 bytes
MD5 hash:	81d0c6fefba2004d451915c6fa861914

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/drew/Library/Saved Application State/com.apple.Terminal.savedState
File size:	105984 bytes
MD5 hash:	6cd9e187f33d60ce3cb05b12435f0673

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Desktop/ZNznZtSA34
Arguments:	n/a
File size:	1618272 bytes
MD5 hash:	51731fd8bd72d6cc4c8a58810d1a627f

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	bash -c (tar zxvf '/Users/drew/Library/Fonts/safarifontsagent_' -C '/Users/drew/Library/Fonts') 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/tar
Arguments:	tar zxvf /Users/drew/Library/Fonts/safarifontsagent_ -C /Users/drew/Library/Fonts
File size:	214896 bytes
MD5 hash:	dbeb13c3b2ade21995470fde7650314a

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Desktop/ZNznZtSA34
Arguments:	n/a
File size:	1618272 bytes
MD5 hash:	51731fd8bd72d6cc4c8a58810d1a627f

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	bash -c (tar zxvf '/Users/drew/Library/Fonts/fontsupdater_' -C '/Users/drew/Library/Fonts') 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/tar
Arguments:	tar zxvf /Users/drew/Library/Fonts/fontsupdater_ -C /Users/drew/Library/Fonts
File size:	214896 bytes
MD5 hash:	dbeb13c3b2ade21995470fde7650314a

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Desktop/ZNznZtSA34
Arguments:	n/a
File size:	1618272 bytes
MD5 hash:	51731fd8bd72d6cc4c8a58810d1a627f

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	bash -c (pgrep -f safarifontsagent) 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/pgrep
Arguments:	pgrep -f safarifontsagent
File size:	141136 bytes
MD5 hash:	8c476a299c23f6971101e7bbd6462c3c

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Desktop/ZNznZtSA34
Arguments:	n/a
File size:	1618272 bytes
MD5 hash:	51731fd8bd72d6cc4c8a58810d1a627f

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	bash -c (pgrep -f safarifontsagent) 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/pgrep
Arguments:	pgrep -f safarifontsagent
File size:	141136 bytes
MD5 hash:	8c476a299c23f6971101e7bbd6462c3c

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Desktop/ZNznZtSA34
Arguments:	n/a
File size:	1618272 bytes
MD5 hash:	51731fd8bd72d6cc4c8a58810d1a627f

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	bash -c (open -a '/Users/drew/Library/Fonts/FinderFontsUpdater.app') 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/open
Arguments:	open -a /Users/drew/Library/Fonts/FinderFontsUpdater.app
File size:	292560 bytes
MD5 hash:	81d0c6fefba2004d451915c6fa861914

Start time:	12:11:03
Start date:	04/05/2022
Path:	/Users/drew/Desktop/ZNznZtSA34
Arguments:	n/a
File size:	1618272 bytes
MD5 hash:	51731fd8bd72d6cc4c8a58810d1a627f

Start time:	12:11:03
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	bash -c (pgrep -f safarifontsagent) 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:03
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:03
Start date:	04/05/2022
Path:	/usr/bin/pgrep
Arguments:	pgrep -f safarifontsagent
File size:	141136 bytes
MD5 hash:	8c476a299c23f6971101e7bbd6462c3c

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	196720 bytes
MD5 hash:	395c4370ee6c31ff7061018e365ee7b9

Start time:	12:11:02
Start date:	04/05/2022
Path:	/System/Applications/Preview.app/Contents/MacOS/Preview
Arguments:	/System/Applications/Preview.app/Contents/MacOS/Preview
File size:	5291440 bytes
MD5 hash:	510c4010daefc87831ff8730ab2f5092

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	196720 bytes
MD5 hash:	395c4370ee6c31ff7061018e365ee7b9

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
Arguments:	/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
File size:	189376 bytes
MD5 hash:	c6ad06ba0f0d2305596e013ae19c8b5a

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater
Arguments:	n/a
File size:	189376 bytes
MD5 hash:	c6ad06ba0f0d2305596e013ae19c8b5a

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Library/Fonts/safarifontsagent
Arguments:	/Users/drew/Library/Fonts/safarifontsagent
File size:	155520 bytes
MD5 hash:	8fd522272d06d460ea668d2f87a1e353

Start time:	12:11:02
Start date:	04/05/2022
Path:	/Users/drew/Library/Fonts/safarifontsagent
Arguments:	n/a
File size:	155520 bytes
MD5 hash:	8fd522272d06d460ea668d2f87a1e353

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	bash -c (killall Terminal) 2>&1
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/killall
Arguments:	killall Terminal
File size:	122272 bytes
MD5 hash:	f3e64d320b9eed9c6dbd97435daddded

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/sh
Arguments:	n/a
File size:	120912 bytes
MD5 hash:	8356936fbf1eeb3548896b9206a685a0

Start time:	12:11:02
Start date:	04/05/2022
Path:	/bin/bash
Arguments:	sh -c sw_vers -productVersion
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	12:11:02
Start date:	04/05/2022
Path:	/usr/bin/sw_vers
Arguments:	sw_vers -productVersion
File size:	121408 bytes
MD5 hash:	7e6a3895092064bd002ecb1d4300b0db

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in `/System/Library/LaunchAgents` , `/Library/LaunchAgents` , and `$HOME/Library/LaunchAgents` . These launch agents have property list files which point to the executables that will be launched . Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories . The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in . They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report ZNznZtSA34

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Created / dropped Files

/Users/drew/Library/Fonts/BitazuCapital_JobDescription.pdf

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Info.plist

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/MacOS/FinderFontsUpdater

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/PkgInfo

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/Credits.rtf

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/InfoPlist.strings

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/Resources/en.lproj/MainMenu.nib

/Users/drew/Library/Fonts/FinderFontsUpdater.app/Contents/_CodeSignature/CodeResources

/Users/drew/Library/Fonts/fontsupdater_

/Users/drew/Library/Fonts/safarifontsagent

/Users/drew/Library/Fonts/safarifontsagent_

/Users/drew/Library/LaunchAgents/com.safari.fontsyncagent.plist

/dev/null

/private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/16777237_9765376/functions.list

/private/var/folders/mw/_t374r4n1hz_ph6rs1f42z2r0000gn/C/com.apple.Preview/com.apple.Preview/com.apple.metal/31001/libraries.list

Static File Info

General

CodeSign Information

Static Mach Info

General Information for header 1

Internal Symbols

External symbols

General Information for header 2

Internal Symbols

External symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

macOS Analysis Report
ZNznZtSA34