Analysis Report
Overview
General Information

| Name | Value |
|---|---|
| Joe Sandbox Version: | 18.0.0 |
| Analysis ID: | 32821 |
| Start time: | 14:51:16 |
| Joe Sandbox Product: | Cloud |
| Start date: | 07.02.2017 |
| Overall analysis duration: | 0h 9m 35s |
| Report type: | full |
| Sample file name: | 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c.app |
| Cookbook file name: | default.jbs |
| Analysis system description: | Mac Mini, El Capitan 10.11.6 (Java 1.8.0_25) |
| Detection: | MAL |
| Classification: | mal60.spyw.troj.macAPP@0/4@0/0 |
Detection

| Strategy | Score | Range | Reporting |
|---|---|---|---|
| Threshold | 60 | 0 - 100 | Report FP / FN |
Classification

Signature Overview
Networking

| Signature | Source | Detail |
|---|---|---|
| Downloads files from webservers via HTTP | global traffic | HTTP traffic detected: |
| Reads from file descriptors related to (network) sockets | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Reads from socket in process: |
| Writes from file descriptors related to (network) sockets | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Writes from socket in process: |
| Detected TCP or UDP traffic on non-standard ports | global traffic | TCP traffic: |
Stealing of Sensitive Information

| Signature | Source | Detail |
|---|---|---|
| Executes the "uname" command used to read OS and architecture name | /bin/sh (PID: 533) | Uname executable: |
| Enumerates the installed applications | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Application directory enumerated: (42 occurrences) |
| Executes the "dscl" command with authonly argument (probably to verify the login password) | /bin/sh (PID: 531) | Security executable: |
| Executes the "ifconfig" command used to gather network information | /bin/sh (PID: 535) | Ifconfig executable: |
| Executes the "security" command used to access the keychain | /bin/sh (PID: 534) | Security executable: |
Persistence and Installation Behavior

| Signature | Source | Detail |
|---|---|---|
| Reads data from the local random generator | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Random device file read: (2 occurrences) |
| Uses AppleKeyboardLayouts bundle containing keyboard layouts | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | AppleKeyboardLayouts info plist opened: |
| Executes commands using a shell command-line interpreter | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 530) | Shell command executed: |
| Executes commands using a shell command-line interpreter | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 533) | Shell command executed: |
| Executes commands using a shell command-line interpreter | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 534) | Shell command executed: |
| Executes commands using a shell command-line interpreter | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 535) | Shell command executed: |
| Executes the "grep" command used to find patterns in files or piped streams | /bin/sh (PID: 532) | Grep executable: |
| Reads launchservices plist files | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Launchservices plist file read: (2 occurrences) |
| Reads user launchservices plist file containing default apps for corresponding filetypes | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Preferences launchservices plist file read: |
| Uses AppleScript framework/components containing AppleScript related functionalities | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | AppleScript framework/component info plist opened: (2 occurrences) |
| Uses AppleScript scripting additions containing additional functionalities for AppleScripts | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | AppleScript scripting addition info plist opened: (2 occurrences) |
| Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour) | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | CFNetwork info plist opened: |
System Summary

| Signature | Source | Detail |
|---|---|---|
| Classification label | classification engine | Classification label: |
HIPS / PFW / Operating System Protection Evasion

| Signature | Source | Detail |
|---|---|---|
| Reads the sysctl safe boot value (probably to check if the system is in safe boot mode) | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl read request: |
Language, Device and Operating System Detection

| Signature | Source | Detail |
|---|---|---|
| Reads the system or server version plist file | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | System or server version plist file read: |
| Reads hardware related sysctl values | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl read request: (3 occurrences) |
| Reads the kernel OS version value | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl read request: |
| Reads the system's OS release and/or type | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl requested: (2 occurrences) |
| Reads the system's OS release and/or type | /usr/bin/uname (PID: 533) | Sysctl requested: (2 occurrences) |
| Reads the system's hostname | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool (PID: 527) | Sysctl requested: |
| Reads the system's hostname | /bin/sh (PID: 530) | Sysctl requested: |
| Reads the system's hostname | /bin/sh (PID: 533) | Sysctl requested: |
| Reads the system's hostname | /usr/bin/uname (PID: 533) | Sysctl requested: |
| Reads the system's hostname | /bin/sh (PID: 534) | Sysctl requested: |
| Reads the system's hostname | /bin/sh (PID: 535) | Sysctl requested: |
Runtime Messages

| Name | Value |
|---|---|
| Command: | open |
| Exitcode: | 0 |
| Killed: | False |
| Standard Output: | |
| Standard Error: | |
Yara Overview

No Yara matches
Screenshot

Startup

Created / dropped Files

| File Path | Type and Hashes |
|---|---|
Contacted Domains/Contacted IPs
Contacted Domains

No contacted domains info

Contacted IPs

| IP | Country | ASN | ASN Name |
|---|---|---|---|
| 17.253.54.125 | United States | 6185 | AppleInc |
| 224.0.0.251 | Reserved | 2541 | JumpManagementSRL |
| 46.17.97.37 | Russian Federation | 57043 | HOSTKEYBV |
| 8.8.4.4 | United States | 15169 | GoogleInc |
Static File Info
General

| Name | Value |
|---|---|
| File type: | |
| TrID: | |
| File name: | 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c.app |
| File size: | 238118 |
| MD5: | 787d664e842961f2a335139407f91a70 |
| SHA1: | a323168f95d1a1c65186888c6dd16cd2f9f8539a |
| SHA256: | 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c |
| SHA512: | 2f211e76588c59fcfb5156be1615f1eddf272db8ced149683faaeae9c5d222b721fbe04921a95ca47546c48e6ecb65448651e5b77c1393537c2a1b3fc3a77ecc |
| File Content Preview: | PK..........5J................addone flashplayer.app/PK..........5J............ ...addone flashplayer.app/Contents/PK........p..I3..U........*...addone flashplayer.app/Contents/Info.plist...r.0....S..[.3.I:.L..6S ..........,y$.p....'.L.!.wz('....k......GK |
Static Mach Info
General Information for header0

| Name | Value |
|---|---|
| Endian: | |
| Size: | |
| Architecture: | |
| Filetype: | |
| Nbr. of load commands: | 20 |
segment_command_64 (__PAGEZERO)

| Name | Value |
|---|---|
| segname | __PAGEZERO |
| fileoff | 0 |
| maxprot | 0 |
| vmsize | 4294967296 |
| nsects | 0 |
| flags | 0 |
| filesize | 0 |
| vmaddr | 0 |
| initprot | 0 |
segment_command_64 (__TEXT)

| Name | Value |
|---|---|
| segname | __TEXT |
| fileoff | 0 |
| maxprot | 7 |
| vmsize | 172032 |
| nsects | 10 |
| flags | 0 |
| filesize | 172032 |
| vmaddr | 4294967296 |
| initprot | 5 |

Sections (segname __TEXT)

| sectname | addr | size | offset | align | flags | reloff | nreloc | reserved1 | reserved2 | reserved3 |
|---|---|---|---|---|---|---|---|---|---|---|
| __text | 4294972672 | 113268 | 5376 | 4 | 2147484672 | 0 | 0 | 0 | 0 | 0 |
| __stubs | 4295085940 | 540 | 118644 | 1 | 2147484680 | 0 | 0 | 0 | 6 | 0 |
| __stub_helper | 4295086480 | 916 | 119184 | 2 | 2147484672 | 0 | 0 | 0 | 0 | 0 |
| __objc_methname | 4295087396 | 5029 | 120100 | 0 | 2 | 0 | 0 | 0 | 0 | 0 |
| __cstring | 4295092432 | 25535 | 125136 | 4 | 2 | 0 | 0 | 0 | 0 | 0 |
| __objc_classname | 4295117967 | 196 | 150671 | 0 | 2 | 0 | 0 | 0 | 0 | 0 |
| __objc_methtype | 4295118163 | 1268 | 150867 | 0 | 2 | 0 | 0 | 0 | 0 | 0 |
| __const | 4295119440 | 17520 | 152144 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
| __unwind_info | 4295136960 | 1192 | 169664 | 2 | 0 | 0 | 0 | 0 | 0 | 0 |
| __eh_frame | 4295138152 | 1176 | 170856 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
segment_command_64 (__DATA)

| Name | Value |
|---|---|
| segname | __DATA |
| fileoff | 172032 |
| maxprot | 7 |
| vmsize | 61440 |
| nsects | 20 |
| flags | 0 |
| filesize | 53248 |
| vmaddr | 4295139328 |
| initprot | 3 |

Sections (segname __DATA)

| sectname | addr | size | offset | align | flags | reloff | nreloc | reserved1 | reserved2 | reserved3 |
|---|---|---|---|---|---|---|---|---|---|---|
| __nl_symbol_ptr | 4295139328 | 16 | 172032 | 3 | 6 | 0 | 0 | 90 | 0 | 0 |
| __got | 4295139344 | 192 | 172048 | 3 | 6 | 0 | 0 | 92 | 0 | 0 |
| __la_symbol_ptr | 4295139536 | 720 | 172240 | 3 | 7 | 0 | 0 | 116 | 0 | 0 |
| __mod_init_func | 4295140256 | 8 | 172960 | 3 | 9 | 0 | 0 | 0 | 0 | 0 |
| __const | 4295140272 | 37248 | 172976 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
| __cfstring | 4295177520 | 2112 | 210224 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| __objc_classlist | 4295179632 | 40 | 212336 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0 |
| __objc_nlclslist | 4295179672 | 8 | 212376 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0 |
| __objc_protolist | 4295179680 | 32 | 212384 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| __objc_imageinfo | 4295179712 | 8 | 212416 | 2 | 0 | 0 | 0 | 0 | 0 | 0 |
| __objc_const | 4295179720 | 5136 | 212424 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| __objc_selrefs | 4295184856 | 1160 | 217560 | 3 | 268435461 | 0 | 0 | 0 | 0 | 0 |
| __objc_protorefs | 4295186016 | 16 | 218720 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| __objc_classrefs | 4295186032 | 192 | 218736 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0 |
| __objc_superrefs | 4295186224 | 24 | 218928 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0 |
| __objc_ivar | 4295186248 | 136 | 218952 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| __objc_data | 4295186384 | 480 | 219088 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| __data | 4295186864 | 2056 | 219568 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
| __bss | 4295188928 | 7936 | 0 | 4 | 1 | 0 | 0 | 0 | 0 | 0 |
| __common | 4295196864 | 16 | 0 | 2 | 1 | 0 | 0 | 0 | 0 | 0 |
segment_command_64 (__LINKEDIT)

| Name | Value |
|---|---|
| segname | __LINKEDIT |
| fileoff | 225280 |
| maxprot | 7 |
| vmsize | 65536 |
| nsects | 0 |
| flags | 0 |
| filesize | 65136 |
| vmaddr | 4295200768 |
| initprot | 1 |
dyld_info_command

| Name | Value |
|---|---|
| lazy_bind_size | 1984 |
| lazy_bind_off | 230824 |
| weak_bind_size | 0 |
| rebase_size | 3864 |
| export_off | 232808 |
| export_size | 6744 |
| bind_off | 229144 |
| rebase_off | 225280 |
| bind_size | 1680 |
| weak_bind_off | 0 |

symtab_command

| Name | Value |
|---|---|
| strsize | 27944 |
| symoff | 240304 |
| stroff | 262472 |
| nsyms | 1334 |

dysymtab_command

| Name | Value |
|---|---|
| extreloff | 0 |
| nlocrel | 0 |
| indirectsymoff | 261648 |
| modtaboff | 0 |
| nextrel | 0 |
| iundefsym | 1199 |
| nmodtab | 0 |
| ilocalsym | 0 |
| nundefsym | 135 |
| nextrefsyms | 0 |
| locreloff | 0 |
| ntoc | 0 |
| nlocalsym | 854 |
| tocoff | 0 |
| extrefsymoff | 0 |
| nindirectsyms | 206 |
| iextdefsym | 854 |
| nextdefsym | 345 |

dylinker_command

| Name | Value |
|---|---|
| name | 12 |
| Data | /usr/lib/dyld |

uuid_command

| Name | Value |
|---|---|
| uuid | 3ae7704b3c19329fa4517c61564647a2 |

version_min_command

| Name | Value |
|---|---|
| version | 657664 |
| reserved | 658432 |

source_version_command

| Name | Value |
|---|---|
| version | 0 |

entry_point_command

| Name | Value |
|---|---|
| stacksize | 0 |
| entryoff | 29776 |
dylib_command (6 entries)

| Data | compatibility_version | current_version | timestamp | name |
|---|---|---|---|---|
| /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa | 0.1.0 | 0.22.0 | Thu Jan 01 01:00:02 1970 | 24 |
| /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation | 0.44.1 | 0.69.5 | Thu Jan 01 01:00:02 1970 | 24 |
| /usr/lib/libobjc.A.dylib | 0.1.0 | 0.228.0 | Thu Jan 01 01:00:02 1970 | 24 |
| /usr/lib/libSystem.B.dylib | 0.1.0 | 0.214.4 | Thu Jan 01 01:00:02 1970 | 24 |
| /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit | 0.45.0 | 15104.224.5 | Thu Jan 01 01:00:02 1970 | 24 |
| /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation | 0.150.0 | 3840.68.5 | Thu Jan 01 01:00:02 1970 | 24 |

linkedit_data_command

| Name | Value |
|---|---|
| dataoff | 239552 |
| datassize | 752 |

linkedit_data_command

| Name | Value |
|---|---|
| dataoff | 240304 |
| datassize | 0 |
Network Behavior
Network Port Distribution

TCP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 7, 2017 14:52:02.805604935 MEZ | 50395 | 53 | 192.168.0.50 | 8.8.4.4 |
| Feb 7, 2017 14:52:02.937772989 MEZ | 53 | 50395 | 8.8.4.4 | 192.168.0.50 |
| Feb 7, 2017 14:52:05.046710968 MEZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251 |
| Feb 7, 2017 14:52:05.278057098 MEZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251 |
| Feb 7, 2017 14:52:05.738709927 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
| Feb 7, 2017 14:52:05.738769054 MEZ | 80 | 49205 | 46.17.97.37 | 192.168.0.50 |
| Feb 7, 2017 14:52:05.739032030 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
| Feb 7, 2017 14:52:05.770603895 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
| Feb 7, 2017 14:52:05.770622969 MEZ | 80 | 49205 | 46.17.97.37 | 192.168.0.50 |
| Feb 7, 2017 14:52:10.722229004 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
| Feb 7, 2017 14:52:10.722454071 MEZ | 80 | 49205 | 46.17.97.37 | 192.168.0.50 |
| Feb 7, 2017 14:52:10.722703934 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 |
| Feb 7, 2017 14:52:45.606662035 MEZ | 123 | 123 | 192.168.0.50 | 17.253.54.125 |

UDP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 7, 2017 14:52:02.805604935 MEZ | 50395 | 53 | 192.168.0.50 | 8.8.4.4 |
| Feb 7, 2017 14:52:02.937772989 MEZ | 53 | 50395 | 8.8.4.4 | 192.168.0.50 |
| Feb 7, 2017 14:52:05.046710968 MEZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251 |
| Feb 7, 2017 14:52:05.278057098 MEZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251 |
| Feb 7, 2017 14:52:45.606662035 MEZ | 123 | 123 | 192.168.0.50 | 17.253.54.125 |

HTTP Request Dependency Graph

HTTP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB) |
|---|---|---|---|---|---|---|
| Feb 7, 2017 14:52:05.770603895 MEZ | 49205 | 80 | 192.168.0.50 | 46.17.97.37 | | 32 |
System Behavior
General (17 processes, in start order)

| Start time | Start date | Path | File size | MD5 hash |
|---|---|---|---|---|
| 14:51:47 | 07/02/2017 | /usr/libexec/xpcproxy | 42656 bytes | d68b4c6f2056c73e1d3bd228bcd6d4ff |
| 14:51:47 | 07/02/2017 | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool | 290416 bytes | f8e4cab429263406fbf11b41fd539839 |
| 14:52:04 | 07/02/2017 | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool | 290416 bytes | f8e4cab429263406fbf11b41fd539839 |
| 14:52:04 | 07/02/2017 | /bin/sh | 632672 bytes | 2cc3c26641112c1bd0173f396b7d7662 |
| 14:52:04 | 07/02/2017 | /bin/sh | 632672 bytes | 2cc3c26641112c1bd0173f396b7d7662 |
| 14:52:04 | 07/02/2017 | /usr/bin/dscl | 197760 bytes | 492456daec08a84883daad0b84b7b6ee |
| 14:52:04 | 07/02/2017 | /bin/sh | 632672 bytes | 2cc3c26641112c1bd0173f396b7d7662 |
| 14:52:04 | 07/02/2017 | /usr/bin/grep | 33712 bytes | f7fe9c4af9294f2949377a12244b3d60 |
| 14:52:04 | 07/02/2017 | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool | 290416 bytes | f8e4cab429263406fbf11b41fd539839 |
| 14:52:04 | 07/02/2017 | /bin/sh | 632672 bytes | 2cc3c26641112c1bd0173f396b7d7662 |
| 14:52:04 | 07/02/2017 | /usr/bin/uname | 18320 bytes | 78f4785c0c51531f1c01d4161c96563f |
| 14:52:04 | 07/02/2017 | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool | 290416 bytes | f8e4cab429263406fbf11b41fd539839 |
| 14:52:04 | 07/02/2017 | /bin/sh | 632672 bytes | 2cc3c26641112c1bd0173f396b7d7662 |
| 14:52:04 | 07/02/2017 | /usr/bin/security | 234560 bytes | 6323b6bd0865d2300eb65a512f8c560c |
| 14:52:04 | 07/02/2017 | /Users/vreni/Desktop/unpack/addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool | 290416 bytes | f8e4cab429263406fbf11b41fd539839 |
| 14:52:04 | 07/02/2017 | /bin/sh | 632672 bytes | 2cc3c26641112c1bd0173f396b7d7662 |
| 14:52:04 | 07/02/2017 | /sbin/ifconfig | 67232 bytes | 07379e226dcd8ec0ab80c577c1bf8325 |