Analysis Report

Overview

General Information

Analysis ID:	26
Start time:	10:02:05
Start date:	25/09/2014
Overall analysis duration:	0h 7m 14s
Report type:	full
Sample file name:	9283c61f8cce4258c8111aaf098d21ee
Cookbook file name:	keylogging.jbs
Analysis system description:	Mac OS X, Mavericks, clean

Detection

Strategy	Report FP/FN
Threshold

Signature Overview

Networking:

Urls found in memory or binary data

Show sources

Source: 9283c61f8cce4258c8111aaf098d21ee	String found in binary or memory: http://220.175.13.250:82http://220.175.13.250:821000-
Source: 9283c61f8cce4258c8111aaf098d21ee	String found in binary or memory: http://www.apple.com/dtds/propertylist-1.0.dtd

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Captures keyboard strokes that are written to a log file

Show sources

Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit

Detected decoy string in file: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf

Writes property list (.plist) files to disk with content indicative for key loggers

Show sources

Source: /usr/bin/tar

XML plist file created with lower-case letters in tags: /Library/.local/Keymap.plist

Persistence and Installation Behavior:

Writes property list (.plist) files to disk

Show sources

Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	XML plist file created: /Library/LaunchDaemons/com.updated.launchagent.plist
Source: /usr/bin/tar	XML plist file created: /Library/.local/Keymap.plist
Source: /usr/bin/tar	XML plist file created: /Library/.local/updated.kext/Contents/Info.plist
Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit	XML plist file created: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/com.apple.TextEdit.plist

Creates and/or modifies files and/or directories in common kernel extension directories

Show sources

Source: /bin/mv	File moved: /Library/.local/updated.kext -> /System/Library/Extensions/updated.kext
Source: /bin/chmod	Permissions modified: /System/Library/Extensions/updated.kext

Creates code signed kernel extensions

Show sources

Source: /usr/bin/tar	Kext code signature resource file created: updated.kext/Contents/Info.plist
Source: /bin/mv	Kext code signature resource file created in extensions directory: /Library/.local/updated.kext -> /System/Library/Extensions/updated.kext

Creates hidden files, links and/or directories

Show sources

Source: /bin/mkdir	Hidden directory created: /Library/.local
Source: /Library/.local/EventMonitor	Hidden file created: /Library/.local/.logfile

Executes commands using a shell command-line interpreter

Show sources

Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c mkdir -p /Library/LaunchDaemons
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c mkdir -p /Library/.local
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c /bin/chmod +x /Library/.local/updated
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c /bin/chmod +x /Library/.local/update
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c /bin/chmod +x /Library/.local/reweb
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c chmod -R 777 /Library/.local/
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c tar -xf /Library/.local/kext.tar -C /Library/.local/
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c /bin/mv -f /Library/.local/updated.kext /System/Library/Extensions/updated.kext
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c /bin/chmod -R 755 /System/Library/Extensions/updated.kext
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c /bin/chown -R root:wheel /System/Library/Extensions/updated.kext
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c /sbin/kextload /System/Library/Extensions/updated.kext
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c /bin/chmod +x /Library/.local/EventMonitor
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c rm /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	Shell command executed: sh -c /Library/.local/reweb &
Source: /Library/.local/reweb	Shell command executed: sh -c chmod -R 777 /Library/.local
Source: /Library/.local/reweb	Shell command executed: sh -c killall -9 updated
Source: /Library/.local/reweb	Shell command executed: sh -c killall -9 update
Source: /Library/.local/reweb	Shell command executed: sh -c /Library/.local/updated
Source: /Library/.local/updated	Shell command executed: sh -c killall -9 reweb
Source: /Library/.local/updated	Shell command executed: sh -c /Library/.local/EventMonitor &
Source: /Library/.local/updated	Shell command executed: sh -c /Library/.local/update

Writes 64-bit Mach-O files to disk

Show sources

Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	File written: /Library/.local/reweb
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	File written: /Library/.local/update
Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee	File written: /Library/.local/updated
Source: /usr/bin/tar	File written: /Library/.local/EventMonitor

Writes FAT Mach-O files to disk

Show sources

Source: /usr/bin/tar

File written: /Library/.local/updated.kext/Contents/MacOS/logKext

Writes RTF files to disk

Show sources

Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit

File written: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf

Terminates processes by executing the killall command

Show sources

Source: /bin/sh	Killall command executed: killall -9 updated
Source: /bin/sh	Killall command executed: killall -9 update
Source: /bin/sh	Killall command executed: killall -9 reweb

Boot Survival:

Creates memory-persistent launch services

Show sources

Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee

Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Library/LaunchDaemons/com.updated.launchagent.plist

Creates system-wide 'launchd' managed services aka launch daemons

Show sources

Source: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee

Launch daemon created, file created: /Library/LaunchDaemons/com.updated.launchagent.plist

Hooking and other Techniques for Hiding and Protection:

Explicitly loads kernel extensions

Show sources

Source: /bin/sh

Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/updated.kext

Creates kernel extensions

Show sources

Source: /usr/bin/tar	Kext Info.plist file created: updated.kext/Contents/Info.plist
Source: /bin/mv	Kext Info.plist file created in extensions directory: /Library/.local/updated.kext -> /System/Library/Extensions/updated.kext

Moves itself during installation or deletes itself after installation

Show sources

Source: /bin/rm

File deleted: /Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee

Stealing of Sensitive Information:

Captures keyboard strokes that are written to a log file

Show sources

Source: /Applications/TextEdit.app/Contents/MacOS/TextEdit

Detected decoy string in file: /private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf

Runtime Messages

Command:	/Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee
Exitcode:	0
Killed:	False
Standard Output:	/Library/.local /Library/LaunchDaemons /proc/self/launch -> [/Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee] /proc/self/exe -> [/Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee]
Standard Error:	sh: /bin/chown: No such file or directory No matching processes were found No matching processes were found 2014-09-25 12:03:48.011 updated[449:c07] Hello; World!

Yara Overview

No Yara matches

Screenshot

Startup

system is mac-mavericks

/Library/Frameworks/Mono.framework/Versions/3.4.0/bin/mono-sgen (PID: 425 MD5: 36506d3dd9fa0fbfc7329e20ca1a4194)

/Users/urugan/Desktop/9283c61f8cce4258c8111aaf098d21ee (PID: 425 Overlayed Process Image: /Library/Frameworks/Mono.framework/Versions/3.4.0/bin/mono-sgen MD5: f34726c65d00492002ba8aef5cab9084)

/bin/sh (PID: 426 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/mkdir (PID: 426 Overlayed Process Image: /bin/sh MD5: ef0eef7376bcd2e7254d76f8448f7cbe)

/bin/sh (PID: 427 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/mkdir (PID: 427 Overlayed Process Image: /bin/sh MD5: ef0eef7376bcd2e7254d76f8448f7cbe)

/bin/sh (PID: 428 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/chmod (PID: 428 Overlayed Process Image: /bin/sh MD5: 751c097604656513c3f35bdc6315e603)

/bin/sh (PID: 429 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/chmod (PID: 429 Overlayed Process Image: /bin/sh MD5: 751c097604656513c3f35bdc6315e603)

/bin/sh (PID: 432 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/chmod (PID: 432 Overlayed Process Image: /bin/sh MD5: 751c097604656513c3f35bdc6315e603)

/bin/sh (PID: 433 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/chmod (PID: 433 Overlayed Process Image: /bin/sh MD5: 751c097604656513c3f35bdc6315e603)

/bin/sh (PID: 434 MD5: 5e013647982463a5cde1143b88519a0b)

/usr/bin/tar (PID: 434 Overlayed Process Image: /bin/sh MD5: aba6eaf8fb18ab0f193f4d83beef750b)

/bin/sh (PID: 435 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/mv (PID: 435 Overlayed Process Image: /bin/sh MD5: 7a97329a3eadefa196d30694ef25ba85)

/bin/sh (PID: 436 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/chmod (PID: 436 Overlayed Process Image: /bin/sh MD5: 751c097604656513c3f35bdc6315e603)

/bin/sh (PID: 437 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/sh (PID: 438 MD5: 5e013647982463a5cde1143b88519a0b)

/sbin/kextload (PID: 438 Overlayed Process Image: /bin/sh MD5: 2f9426e6040db0ea31df0f0a99f2a9da)

/bin/sh (PID: 439 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/chmod (PID: 439 Overlayed Process Image: /bin/sh MD5: 751c097604656513c3f35bdc6315e603)

/bin/sh (PID: 441 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/rm (PID: 441 Overlayed Process Image: /bin/sh MD5: 4f71f779249ed438a4903ae4f3b704eb)

/bin/sh (PID: 442 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/sh (PID: 443 MD5: 5e013647982463a5cde1143b88519a0b)

/Library/.local/reweb (PID: 443 Overlayed Process Image: /bin/sh MD5: 23b06d80dd7d3799dbbe1a1333534482)

/bin/sh (PID: 444 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/chmod (PID: 444 Overlayed Process Image: /bin/sh MD5: 751c097604656513c3f35bdc6315e603)

/bin/sh (PID: 445 MD5: 5e013647982463a5cde1143b88519a0b)

/usr/bin/killall (PID: 445 Overlayed Process Image: /bin/sh MD5: abf593d7fc091c4a91c552439b3cccb2)

/bin/sh (PID: 446 MD5: 5e013647982463a5cde1143b88519a0b)

/usr/bin/killall (PID: 446 Overlayed Process Image: /bin/sh MD5: abf593d7fc091c4a91c552439b3cccb2)

/bin/sh (PID: 449 MD5: 5e013647982463a5cde1143b88519a0b)

/Library/.local/updated (PID: 449 Overlayed Process Image: /bin/sh MD5: ceeceb4585780228660ebc17300540ea)

/bin/sh (PID: 450 MD5: 5e013647982463a5cde1143b88519a0b)

/usr/bin/killall (PID: 450 Overlayed Process Image: /bin/sh MD5: abf593d7fc091c4a91c552439b3cccb2)

/bin/sh (PID: 451 MD5: 5e013647982463a5cde1143b88519a0b)

/bin/sh (PID: 452 MD5: 5e013647982463a5cde1143b88519a0b)

/Library/.local/EventMonitor (PID: 452 Overlayed Process Image: /bin/sh MD5: 88a7221e4928ae90ef6506604fe58e06)

/bin/sh (PID: 453 MD5: 5e013647982463a5cde1143b88519a0b)

/Library/.local/update (PID: 453 Overlayed Process Image: /bin/sh MD5: 80e7dc419bafa8bf59d2bda6bcde885d)

/bin/sh (PID: 467 MD5: 5e013647982463a5cde1143b88519a0b)

/Library/.local/update (PID: 467 Overlayed Process Image: /bin/sh MD5: 80e7dc419bafa8bf59d2bda6bcde885d)

/bin/sh (PID: 472 MD5: 5e013647982463a5cde1143b88519a0b)

/Library/.local/update (PID: 472 Overlayed Process Image: /bin/sh MD5: 80e7dc419bafa8bf59d2bda6bcde885d)

/bin/sh (PID: 473 MD5: 5e013647982463a5cde1143b88519a0b)

/Library/.local/update (PID: 473 Overlayed Process Image: /bin/sh MD5: 80e7dc419bafa8bf59d2bda6bcde885d)

/sbin/launchd (PID: 455 MD5: ba25b3aa91447246a1d2abf0be919078)

/Applications/TextEdit.app/Contents/MacOS/TextEdit (PID: 455 Overlayed Process Image: /sbin/launchd MD5: c4108c7bbaebd2a2fad1bd35616a5b5d)

cleanup

Created / dropped Files

File Path	Type and Hashes
/Library/.local/.logfile	Type: ASCII text MD5: 8C6FB9479396A7E19926EDEFA422DE5B SHA: B802AA458B05850F84C0C12B171E9D6D5DB0EA26 SHA-256: D0F5EDDEC5561B541F409BD2F8C3177A55AEA8BF32E4C4261BAB37D0F153D2D9 SHA-512: A0D2EF626235AE8761688D9411D15862290F5BDB67F89A9A373DA121C73B1DA48C70C09CDBE14751B3B7C6393939CED59688DA5142126F577F12E464298DF49C
/Library/.local/EventMonitor	Type: Mach-O 64-bit executable MD5: FEB0EB9B8AFEC8E9FE1701ECCAD04663 SHA: C9EE392FD578B1717CC6484D9EB54E68D6D134BB SHA-256: 96CFA3A39A84A981BC4816933AF7C15B12F24FE7CA3C0BF9C6CBC171772BC886 SHA-512: DCC53DDB3110785173A47B9A5C0D655748E95C6D9BF2C18393A1CD1C0A40FE4990903FFE5D7893F85B43FB4ECDBE7DB2B3C0779AE8F808F8016B82C66B07D7E6
/Library/.local/Keymap.plist	Type: XML document text MD5: D0F53854A079B07776FC4CCBC2B2AC26 SHA: 8D0717EB755DE9CC9363D403A6C6C66CBE9491E6 SHA-256: FADED92F96B815D9DA986C5163742C1E4990E41A8697B85404C5793F94B6E513 SHA-512: 3D7C8587A5BE7A2257F666BC34C33384A28C14D02471568CF77A16A1B66CF4EFB4523F363C16830ED1F3A0CE471100238B00DA45EDCD77E882AB413C5900B665
/Library/.local/kext.tar	Type: tar archive MD5: 491F2E748E2F49981C9EA73676102A6F SHA: 06DE5373692EE78E055AE3F6830CF09118676DF7 SHA-256: 3F4376CB1E7548A8D7B3E7A031DB35237DDCEA78F5F2F090489BE6BE8E8DB87F SHA-512: 8A3E6B4D8984EF79C55AAA199CEEDB7B1D055547FB3688C287C8E397E07D9F8919F5317DCA7B990EEB18101D8D2624F127C062F7C4A7547F688E762BA9712479
/Library/.local/libweb.db	Type: SQLite 3.x database MD5: 650EB9D68AEFAD455C61BF296D708C84 SHA: 39570E08421C524F2A58D8A42A7E1AA7E4B66623 SHA-256: 9EC199CB4288D94BE08DE12ABDD9CE8F96D87178874F254B85C037775525FF33 SHA-512: A5FF73CB0CC584FBA90ABB02127E42377C6E609B2DA7777DE280BF144515E095F0AD722EB65AA4F55040D65B0CFC723816817028EA885E78A9E3B84C82267C17
/Library/.local/reweb	Type: Mach-O 64-bit executable MD5: FDE7CABCA850EAD6FC3A9BA41A2E71D2 SHA: 1392D1D58C6982137BD14AF715CE9B981E9EA121 SHA-256: 14E763ED4E95BF13A5B5C4CE98EDBE2BBBEC0D776D66726DFE2DD8B1F3079CB1 SHA-512: 3A6024EC8A94EB58888FE198A789537B1367F31CC0C5A7E4672A51AD435F3CA1F451573ECCFE9C740980131A4275EFE735B95D276E1480EAF18B928812B4B192
/Library/.local/update	Type: Mach-O 64-bit executable MD5: DD27B8ACF7962AF660EB7B881E4A7692 SHA: 9037691775E54A33003D428D4C0751B2227A2D0A SHA-256: E355571159A7A300BDEFA5D703EF058511957AEE1D858A4F4390B452AA6F9026 SHA-512: 847151FCE2EDE17A265F98EBBC8E0112B74F34F72333F3B0112725426F3DC6144AD5BD5ED41FD4B3AD9BF4DDE8A4151F547FEEFD6447E4AE3166B33FB79FE6D7
/Library/.local/updated	Type: Mach-O 64-bit executable MD5: 028D18A219DD5D55CF338B029A95AA30 SHA: A81565B6D491784746B4E695065DD2BEDDCB5930 SHA-256: DA41913F363849DADE9AA2E818157ED960D7A3D987A73D34F171C622FBD48F2A SHA-512: C92589CEAE7B4AF797374E6626625612CD194F755065DBF80FAC7D9FF97B5E042BC33D941788AF7279142C98377B777C4AFB19DE9C621EE493371C40CC660A49
/Library/.local/updated.kext/Contents/Info.plist	Type: XML document text MD5: 301AB49C26D23264BFACC486E4B7CF17 SHA: 1DA4435E4BBA063228D4E5E09B0EBD437EFB95DE SHA-256: B694A03A7AE4B25FAF1E62300D271FB9EB14228F32B0D841D6A869D7BCE7654A SHA-512: 89D05C5BF8BC31FED5AE3D1489F9590E93486E9CF13AA79D6B33819111E3DAB9D7C0B3BB82AA3A8F8E02A2BB93E19DACC54D08F5037913D213486C02EAEDEB77
/Library/.local/updated.kext/Contents/MacOS/logKext	Type: Mach-O fat file with 3 architectures MD5: 7D9FE634D6262B7091B5B74B1E762DDD SHA: C6D424B739C0FD7B7B4D8A37405EC7E7238B4ACB SHA-256: 3FEBDF069B02E52FB469B8BEB5EC48633481B75F2E945F575B20CD99DE648686 SHA-512: 0A7C0F5B920DF83789525B52556143A95F0C0B4D891FB9F89C22CD20FA7021444E45D8C7E3DEA185782648653D00CEFB3DD7FA77F9E7FCDA252ECAC1E64C0B14
/Library/.local/updated.kext/Contents/Resources/English.lproj/InfoPlist.strings	Type: Big-endian UTF-16 Unicode C program text MD5: C0B10F40CF4F4FF6C3129DA5BE6BC6AD SHA: 98661391A301B67F05E50138E10F63BB6B3E801B SHA-256: 4FCF89AE5A79E7C2B214085BD682E431B0A78ABD635B686BF9A6EA4C7D3E47B8 SHA-512: BD949E4B087D73B644AC4DF16EA6D2A3EF2BECEEBF3C274B179E966C5DC2B6A686BCB0102493C4D5F793A7D05A8CD5A481D304401D13F72142BE9DAB988C7484
/Library/LaunchDaemons/com.updated.launchagent.plist	Type: XML document text MD5: B2A697A0A5B9741C32D32FD2F45EA524 SHA: C2EED4C189D6F770953B9BF998A867DF70027865 SHA-256: EBE9BA31C6A479FC7868C6C97452A53F2B4D0BF93FC077550B0F05708936F50F SHA-512: E1D86575A2210E634FD44B254C8B12BF683891DCEF65814034C677F8631C444DD75656261BB20232EF8EF94D71E7D3BE79ED1479DB0A8A9145EDE74E0AD40030
/dev/null	Type: ASCII text MD5: D4DA619F6775B786886026C3D89E4368 SHA: 665E25945C211ACC66E27FA460032BA37A5EB5AD SHA-256: ED5D478809B0A10B0CD4E4A9C4FF971C777F3C2A3E296A1A1528000C6D8DD7EE SHA-512: 81011A2A2447F9AAF189E4FD750552397532659191B838D2F42CE412788DC2F48771C2914DDD91DA5A303E7F9649FDD281A078C7323E47C8921FBC13A0E2A683
/private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Unsaved TextEdit Document.rtf	Type: Rich Text Format data, version 1, ANSI MD5: 0424A05215E47E9A18818AC63895E263 SHA: 03850398296CA2E24F3E493CE7D7122D77EEE252 SHA-256: 94610309BCE8E2431C4BE42DA517D5B5D904B039CEEBB1ECB49BC01FCD1AD78D SHA-512: 9AEB7C3F06D44E49377A17CE602B9F4DDD8EC86F4D114C91A51F785F0BE3D756FF1294851F26465689B051C6C07EB0C863581D94E90888F4EF509EC68DF98F35
/private/var/folders/6s/pncyckn14gl55c5_8kr9m_k80000gn/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/com.apple.TextEdit.plist	Type: XML document text MD5: 52E81AECB68AD9142D48F2E21BBDDC3C SHA: E7C68F250C75A85BFAA92F2546DE25BD7DAC717E SHA-256: 7ADD0505E5BDFB5551FAFCF948FE8037CB8DC40B92F0437494F5EC788531882B SHA-512: 43009C791EF4D6ABD84CC8FD805E2B8432BB3DCF1E8A42498088B6EFE4DEEBDA50DE89260B650203BAD548399C5B64AFAA9CC69B2E34610D01194FB8B5519CC4
/private/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmpsqlitetruncatedbHmyDZW	Type: SQLite 3.x database MD5: AB00F86F25CD94794824D39F8A1DDAAA SHA: 7F4E8AAFDC5D96960CC63990C9DD9EA81D0EA888 SHA-256: C52ED7ABC929B9CA74C6E6D39CB740457BE849DE1EED2EAC0C997E5F9421E7BF SHA-512: FBBC64D6EE59A6A3C21B5635E195F0B4A715EEB3E905588434CF3270380DA1A82E8E1E58D775F6CDB19E5DDF684D85EED087FD168C3D821478D64AB74154465F
/private/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmpsqlitetruncatedbHmyDZW-journal	Type: data MD5: 4370431CC86506BA1DEA0611AD546A60 SHA: 7160D716E283D103904F8C7B25554BDD0DEE449E SHA-256: B5850B3B8D8FDC37536CBCEE801346B2503AE6F82E500DD6241F4B578FD5D27D SHA-512: E9F681EEBD60389FA53ACB266E9B05A3C27FD142CBBDB6131317DC20FBB7008BF0F17DC180EDF52F0DB1C2646E7CC74B8C194E55A0B9507B666B3908E19C4357
/private/var/root/Library/Caches/update/Cache.db	Type: SQLite 3.x database MD5: E0EA9C6B8145C5F1C03D340060DB8B8D SHA: 4857A6102B19C53CE948C092C774A79C8C13A391 SHA-256: 64133F861EF5B41B847AFF5BF93BDCFC2723001635969786DC581906FE7FA189 SHA-512: E12D37DA9BC85F09C1430F81A57E07A5CC86A8AFA7A690E65D9DAFB0F0C1E0E1C524B5AEAE930D5163B852FD3DD260BAE8A52746B63A01CB47B3560922E1C24B
/private/var/root/Library/Caches/update/Cache.db-journal	Type: data MD5: E560F3E807B4361DF820720881541C83 SHA: 7196CCA2533115BE80894C4A73D534275E7C2912 SHA-256: 9515BB5DFBCCCCACA7D72F8C5D4DA5E2CC3A66E90DFBBDF924D5F92A436A86FA SHA-512: 2B289AC2B23334A22B645640818E7BA3419D4AA1014C3A11D68BF1AA9F7D552071F60DC5BCEC112F2F0459C872EBF791CA250AAAC45AA5406394FA127ABB9058
/private/var/root/Library/Caches/update/Cache.db-wal	Type: data MD5: 3217265219A45A2E35F4E0E767428A37 SHA: E89FB5A74F23C7A83A10E7EECE068AE43A87B229 SHA-256: 09ADDC66005D69BB21F4CA64C9F5B5C05578F314CC8C23D37FFC8B0F296E6754 SHA-512: 3F4E2103626215260F2A04E504579F504B1EF8BE913AE9869A9439B9DF083467B0B3305E49C175769F97780018E4B4A5AAEF79966C67BA69E853BEBB419DA1FA

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type:	Mach-O 64-bit executable
TrID:	Mac OS X Mach-O 64bit Intel executable (4004/1) 100.00%
File name:	9283c61f8cce4258c8111aaf098d21ee
File size:	352160
MD5:	9283c61f8cce4258c8111aaf098d21ee
SHA1:	cb27650db5fd999d2a599d95ad0b5ccb031ce517
SHA256:	59539ff9af82c0e4e73809a954cf2776636774e6c42c281f3b0e5f1656e93679
SHA512:	5e08bc7b3d9d8bfc769a360ad3eda745dd8a35acd1ce5067f9ffec64e5f77e3fb502a6de0159f40067b58277c81f1ead01a815ca86332e97973fd6a790c852d5

Static Mach Info

General Informations for header0
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	13

segment_command_64

Name	Value
segname	__PAGEZERO
fileoff	0
maxprot	0
vmsize	4294967296
nsects	0
flags	0
filesize	0
vmaddr	0
initprot	0

segment_command_64

Name	Value
segname	__TEXT
fileoff	0
maxprot	7
vmsize	8192
nsects	6
flags	0
filesize	8192
vmaddr	4294967296
initprot	5
Datas	sectname	__text
	segname	__TEXT
	reloff	0
	addr	4294969200
	align	4
	nreloc	0
	flags	2147484672
	offset	1904
	reserved2	0
	reserved1	0
	reserved3	0
	size	4653
	sectname	__stubs
	segname	__TEXT
	reloff	0
	addr	4294973854
	align	1
	nreloc	0
	flags	2147484680
	offset	6558
	reserved2	6
	reserved1	0
	reserved3	0
	size	126
	sectname	__stub_helper
	segname	__TEXT
	reloff	0
	addr	4294973980
	align	2
	nreloc	0
	flags	2147484672
	offset	6684
	reserved2	0
	reserved1	0
	reserved3	0
	size	228
	sectname	__cstring
	segname	__TEXT
	reloff	0
	addr	4294974208
	align	3
	nreloc	0
	flags	2
	offset	6912
	reserved2	0
	reserved1	0
	reserved3	0
	size	1118
	sectname	__unwind_info
	segname	__TEXT
	reloff	0
	addr	4294975326
	align	0
	nreloc	0
	flags	0
	offset	8030
	reserved2	0
	reserved1	0
	reserved3	0
	size	80
	sectname	__eh_frame
	segname	__TEXT
	reloff	0
	addr	4294975408
align	3
nreloc	0
flags	0
offset	8112
reserved2	0
reserved1	0
reserved3	0
size	80

segment_command_64

Name	Value
segname	__DATA
fileoff	8192
maxprot	7
vmsize	335872
nsects	6
flags	0
filesize	335872
vmaddr	4294975488
initprot	3
Datas	sectname	__program_vars
	segname	__DATA
	reloff	0
	addr	4294975488
	align	4
	nreloc	0
	flags	0
	offset	8192
	reserved2	0
	reserved1	0
	reserved3	0
	size	40
	sectname	__nl_symbol_ptr
	segname	__DATA
	reloff	0
	addr	4294975528
	align	3
	nreloc	0
	flags	6
	offset	8232
	reserved2	0
	reserved1	21
	reserved3	0
	size	16
	sectname	__got
	segname	__DATA
	reloff	0
	addr	4294975544
	align	3
	nreloc	0
	flags	6
	offset	8248
	reserved2	0
	reserved1	23
	reserved3	0
	size	8
	sectname	__la_symbol_ptr
	segname	__DATA
	reloff	0
	addr	4294975552
	align	3
	nreloc	0
	flags	7
	offset	8256
	reserved2	0
	reserved1	24
	reserved3	0
	size	168
	sectname	__data
	segname	__DATA
	reloff	0
	addr	4294975744
	align	5
	nreloc	0
	flags	0
	offset	8448
	reserved2	0
	reserved1	0
	reserved3	0
	size	332900
	sectname	__common
	segname	__DATA
	reloff	0
	addr	4295308648
align	3
nreloc	0
flags	1
offset	0
reserved2	0
reserved1	0
reserved3	0
size	32

segment_command_64

Name	Value
segname	__LINKEDIT
fileoff	344064
maxprot	7
vmsize	4096
nsects	0
flags	0
filesize	1948
vmaddr	4295311360
initprot	1

dyld_info_command

Name	Value
lazy_bind_size	352
lazy_bind_off	344128
weak_bind_size	0
rebase_size	8
export_off	344480
export_size	264
bind_off	344072
rebase_off	344064
bind_size	56
weak_bind_off	0

symtab_command

Name	Value
strsize	424
symoff	344752
stroff	345588
nsyms	41

dysymtab_command

Name	Value
extreloff	0
nlocrel	0
indirectsymoff	345408
modtaboff	0
nextrel	0
iundefsym	18
nmodtab	0
ilocalsym	0
nundefsym	23
nextrefsyms	0
locreloff	0
ntoc	0
nlocalsym	1
tocoff	0
extrefsymoff	0
nindirectsyms	45
iextdefsym	1
nextdefsym	17

dylinker_command

Name	Value
name	12
Data	/usr/lib/dyld

uuid_command

Name	Value
uuid	fZ?rF

version_min_command

Name	Value
version	657152
reserved	0

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	256.159.0
Data	/usr/lib/libSystem.B.dylib

linkedit_data_command

Name	Value
dataoff	344744
datassize	8

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2014 10:04:53.023255110 MESZ	5353	5353	192.168.50.109	224.0.0.251

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2014 10:04:53.023255110 MESZ	5353	5353	192.168.50.109	224.0.0.251

System Behavior

Analysis Process: mono-sgen PID: 425 Parent PID: 371

General

Start time:	10:03:31
Start date:	25/09/2014
Path:	/Library/Frameworks/Mono.framework/Versions/3.4.0/bin/mono-sgen
File size:	4224484 bytes
MD5 hash:	36506d3dd9fa0fbfc7329e20ca1a4194

Start time:	10:03:32
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:03:33
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:03:34
Start date:	25/09/2014
Path:	/bin/chmod
File size:	26080 bytes
MD5 hash:	751c097604656513c3f35bdc6315e603

Start time:	10:03:35
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:03:36
Start date:	25/09/2014
Path:	/bin/chmod
File size:	26080 bytes
MD5 hash:	751c097604656513c3f35bdc6315e603

Start time:	10:03:37
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:03:47
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:03:48
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:03:49
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:04:34
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:05:19
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:06:04
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:06:49
Start date:	25/09/2014
Path:	/bin/sh
File size:	1228304 bytes
MD5 hash:	5e013647982463a5cde1143b88519a0b

Start time:	10:04:48
Start date:	25/09/2014
Path:	/sbin/launchd
File size:	194160 bytes
MD5 hash:	ba25b3aa91447246a1d2abf0be919078

Start time:	10:04:49
Start date:	25/09/2014
Path:	/Applications/TextEdit.app/Contents/MacOS/TextEdit
File size:	166576 bytes
MD5 hash:	c4108c7bbaebd2a2fad1bd35616a5b5d

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Signature Overview

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Stealing of Sensitive Information:

Runtime Messages

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

Static Mach Info

General Informations for header0

segment_command_64

segment_command_64

segment_command_64

segment_command_64

dyld_info_command

symtab_command

dysymtab_command

dylinker_command

uuid_command

version_min_command

dylib_command

linkedit_data_command

Network Behavior

TCP Packets

UDP Packets

System Behavior

Analysis Process: mono-sgen PID: 425 Parent PID: 371

General

Analysis Process: 9283c61f8cce4258c8111aaf098d21ee PID: 425 Parent PID: 371

General

Analysis Process: sh PID: 426 Parent PID: 425

General

Analysis Process: mkdir PID: 426 Parent PID: 425

General

Analysis Process: sh PID: 427 Parent PID: 425

General

Analysis Process: mkdir PID: 427 Parent PID: 425

General

Analysis Process: sh PID: 428 Parent PID: 425

General

Analysis Process: chmod PID: 428 Parent PID: 425

General

Analysis Process: sh PID: 429 Parent PID: 425

General

Analysis Process: chmod PID: 429 Parent PID: 425

General

Analysis Process: sh PID: 432 Parent PID: 425

General

Analysis Process: chmod PID: 432 Parent PID: 425

General

Analysis Process: sh PID: 433 Parent PID: 425

General

Analysis Process: chmod PID: 433 Parent PID: 425

General

Analysis Process: sh PID: 434 Parent PID: 425

General

Analysis Process: tar PID: 434 Parent PID: 425

General

Analysis Process: sh PID: 435 Parent PID: 425

General

Analysis Process: mv PID: 435 Parent PID: 425

General

Analysis Process: sh PID: 436 Parent PID: 425

General

Analysis Process: chmod PID: 436 Parent PID: 425