Analysis Report

Overview

General Information

Joe Sandbox Version:
Analysis ID:	106246
Start time:	13:50:18
Joe Sandbox Product:	Cloud
Start date:	29/02/2016
Overall analysis duration:	0h 6m 20s
Report type:	full
Sample file name:	com.apple.exe
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, Yosemite 10.10.3 (Java 1.8.0_45)
Detection:	MAL
Classification:	mal52.evad.macEXE@0/0@3/0

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	52	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Networking:

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.comeinbaby.com

Writes from file descriptors related to (network) sockets

Show sources

Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)

Writes from socket in process:

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal52.evad.macEXE@0/0@3/0

Data Obfuscation:

Imports the Security library (often used for certificate, key, keychain, or secure transport handling)

Show sources

Source: initial sample

Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

Reads data from the local random generator

Show sources

Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)

Random device file read: /dev/urandom

Executes commands using a shell command-line interpreter

Show sources

Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)	Shell command executed: sh -c touch -c -t 201409100044 /usr/bin/periodicdate touch -c -t 201409100044 /usr/bin/systemkeychain-helper touch -c -t 201409100044 /usr/bin/com.apple.appstore.PluginHelper touch -c -t 201409100044 /usr/bin/com.apple.MailServiceAgentHelper touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist touch -c -t 201409100044 /usr/bin/stty5.11.pl touch -c -t 201409100044 /etc/manpath.d/ rm -rf /var/log/system.log
Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)	Shell command executed: sh -c ps -ef\|grep Xcode \|grep -v grep
Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)	Shell command executed: sh -c ps -ef\|grep iTunes \|grep -v grep
Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)	Shell command executed: sh -c mkdir -p /System/Library/QuickTime/QuickTimeFireWireDOLBY.component

Executes the "grep" command used to find patterns in files or piped streams

Show sources

Source: /bin/sh (PID: 405)	Grep executable: /usr/bin/grep -> grep Xcode
Source: /bin/sh (PID: 406)	Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 409)	Grep executable: /usr/bin/grep -> grep iTunes
Source: /bin/sh (PID: 410)	Grep executable: /usr/bin/grep -> grep -v grep

Executes the "mkdir" command used to create folders

Show sources

Source: /bin/sh (PID: 411)

Mkdir executable: /bin/mkdir -> mkdir -p /System/Library/QuickTime/QuickTimeFireWireDOLBY.component

Executes the "ps" command used to list the status of processes

Show sources

Source: /bin/sh (PID: 404)	Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 408)	Ps executable: /bin/ps -> ps -ef

Executes the "touch" command used to create files or modify time stamps

Show sources

Source: /bin/sh (PID: 392)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/periodicdate
Source: /bin/sh (PID: 393)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/systemkeychain-helper
Source: /bin/sh (PID: 394)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/com.apple.appstore.PluginHelper
Source: /bin/sh (PID: 395)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/com.apple.MailServiceAgentHelper
Source: /bin/sh (PID: 396)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
Source: /bin/sh (PID: 397)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
Source: /bin/sh (PID: 398)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
Source: /bin/sh (PID: 399)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
Source: /bin/sh (PID: 400)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /usr/bin/stty5.11.pl
Source: /bin/sh (PID: 401)	Touch executable: /usr/bin/touch -> touch -c -t 201409100044 /etc/manpath.d/

Executes the "rm" command used to delete files or directories

Show sources

Source: /bin/sh (PID: 402)

Rm executable: /bin/rm -> rm -rf /var/log/system.log

Explicitly modifies time stamps using the "touch" command

Show sources

Source: /bin/sh (PID: 392)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/periodicdate
Source: /bin/sh (PID: 393)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/systemkeychain-helper
Source: /bin/sh (PID: 394)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/com.apple.appstore.PluginHelper
Source: /bin/sh (PID: 395)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/com.apple.MailServiceAgentHelper
Source: /bin/sh (PID: 396)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
Source: /bin/sh (PID: 397)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
Source: /bin/sh (PID: 398)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
Source: /bin/sh (PID: 399)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
Source: /bin/sh (PID: 400)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /usr/bin/stty5.11.pl
Source: /bin/sh (PID: 401)	Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -c -t 201409100044 /etc/manpath.d/

Hooking and other Techniques for Hiding and Protection:

Deletes system log files

Show sources

Source: /bin/rm (PID: 402)

Log files deleted: /var/log/system.log

Language, Device and Operating System Detection:

Reads the system or server version plist file

Show sources

Source: /Users/vreni/Desktop/com.apple.exe (PID: 390)

System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Reads the systems hostname

Show sources

Source: /bin/sh (PID: 391)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 403)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 407)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 411)	Sysctl requested: kern.hostname (1.10)

Runtime Messages

Command:	/Users/vreni/Desktop/com.apple.exe
Exitcode:
Killed:	True
Standard Output:
Standard Error:

Yara Overview

No Yara matches

Screenshot

Startup

system is mac1 /Library/Frameworks/Mono.framework/Versions/3.4.0/bin/mono-sgen (PID: 390 PPID: 360 MD5: 7c3e15e217e2e1e7b6a39829a01fbb27) /Users/vreni/Desktop/com.apple.exe (PID: 390 PPID: 360 Overlayed Process Image: /Library/Frameworks/Mono.framework/Versions/3.4.0/bin/mono-sgen MD5: dca13b4ff64bcd6876c13bbb4a22f450) /bin/sh (PID: 391 PPID: 390 MD5: bae6979e8dc9910cd5fec0e5214e9681) /bin/sh (PID: 392 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 392 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 393 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 393 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 394 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 394 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 395 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 395 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 396 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 396 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 397 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 397 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 398 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 398 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 399 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 399 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 400 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 400 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 401 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/touch (PID: 401 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50) /bin/sh (PID: 402 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681) /bin/rm (PID: 402 PPID: 391 Overlayed Process Image: /bin/sh MD5: cac0af1a62f7b12325d5b7a0ed082afd) /bin/sh (PID: 403 PPID: 390 MD5: bae6979e8dc9910cd5fec0e5214e9681) /bin/sh (PID: 404 PPID: 403 MD5: bae6979e8dc9910cd5fec0e5214e9681) /bin/ps (PID: 404 PPID: 403 Overlayed Process Image: /bin/sh MD5: cfb8ba7fee3f6044f3d76175903d98b1) /bin/sh (PID: 405 PPID: 403 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/grep (PID: 405 PPID: 403 Overlayed Process Image: /bin/sh MD5: 74c51bf745713fd2d8007f3611366a23) /bin/sh (PID: 406 PPID: 403 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/grep (PID: 406 PPID: 403 Overlayed Process Image: /bin/sh MD5: 74c51bf745713fd2d8007f3611366a23) /bin/sh (PID: 407 PPID: 390 MD5: bae6979e8dc9910cd5fec0e5214e9681) /bin/sh (PID: 408 PPID: 407 MD5: bae6979e8dc9910cd5fec0e5214e9681) /bin/ps (PID: 408 PPID: 407 Overlayed Process Image: /bin/sh MD5: cfb8ba7fee3f6044f3d76175903d98b1) /bin/sh (PID: 409 PPID: 407 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/grep (PID: 409 PPID: 407 Overlayed Process Image: /bin/sh MD5: 74c51bf745713fd2d8007f3611366a23) /bin/sh (PID: 410 PPID: 407 MD5: bae6979e8dc9910cd5fec0e5214e9681) /usr/bin/grep (PID: 410 PPID: 407 Overlayed Process Image: /bin/sh MD5: 74c51bf745713fd2d8007f3611366a23) /bin/sh (PID: 411 PPID: 390 MD5: bae6979e8dc9910cd5fec0e5214e9681) /bin/mkdir (PID: 411 PPID: 390 Overlayed Process Image: /bin/sh MD5: a83457fe11bfb3492e076d782ec60e9a) cleanup

system is mac1

/Library/Frameworks/Mono.framework/Versions/3.4.0/bin/mono-sgen (PID: 390 PPID: 360 MD5: 7c3e15e217e2e1e7b6a39829a01fbb27)

/Users/vreni/Desktop/com.apple.exe (PID: 390 PPID: 360 Overlayed Process Image: /Library/Frameworks/Mono.framework/Versions/3.4.0/bin/mono-sgen MD5: dca13b4ff64bcd6876c13bbb4a22f450)

/bin/sh (PID: 391 PPID: 390 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/bin/sh (PID: 392 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 392 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 393 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 393 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 394 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 394 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 395 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 395 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 396 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 396 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 397 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 397 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 398 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 398 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 399 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 399 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 400 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 400 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 401 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/touch (PID: 401 PPID: 391 Overlayed Process Image: /bin/sh MD5: dc0979650a009f58fa8f119565d4ea50)

/bin/sh (PID: 402 PPID: 391 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/bin/rm (PID: 402 PPID: 391 Overlayed Process Image: /bin/sh MD5: cac0af1a62f7b12325d5b7a0ed082afd)

/bin/sh (PID: 403 PPID: 390 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/bin/sh (PID: 404 PPID: 403 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/bin/ps (PID: 404 PPID: 403 Overlayed Process Image: /bin/sh MD5: cfb8ba7fee3f6044f3d76175903d98b1)

/bin/sh (PID: 405 PPID: 403 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/grep (PID: 405 PPID: 403 Overlayed Process Image: /bin/sh MD5: 74c51bf745713fd2d8007f3611366a23)

/bin/sh (PID: 406 PPID: 403 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/grep (PID: 406 PPID: 403 Overlayed Process Image: /bin/sh MD5: 74c51bf745713fd2d8007f3611366a23)

/bin/sh (PID: 407 PPID: 390 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/bin/sh (PID: 408 PPID: 407 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/bin/ps (PID: 408 PPID: 407 Overlayed Process Image: /bin/sh MD5: cfb8ba7fee3f6044f3d76175903d98b1)

/bin/sh (PID: 409 PPID: 407 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/grep (PID: 409 PPID: 407 Overlayed Process Image: /bin/sh MD5: 74c51bf745713fd2d8007f3611366a23)

/bin/sh (PID: 410 PPID: 407 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/usr/bin/grep (PID: 410 PPID: 407 Overlayed Process Image: /bin/sh MD5: 74c51bf745713fd2d8007f3611366a23)

/bin/sh (PID: 411 PPID: 390 MD5: bae6979e8dc9910cd5fec0e5214e9681)

/bin/mkdir (PID: 411 PPID: 390 Overlayed Process Image: /bin/sh MD5: a83457fe11bfb3492e076d782ec60e9a)

cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active
www.comeinbaby.com	141.8.226.14	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name
8.8.8.8	United States	15169	GoogleInc
8.8.4.4	United States	15169	GoogleInc
141.8.226.14	Switzerland	40034	ConfluenceNetworksInc
17.171.8.16	United States	714	AppleInc

Static File Info

General
File type:	Mach-O 64-bit executable
TrID:	Mac OS X Mach-O 64bit Intel executable (4004/1) 100.00%
File name:	com.apple.exe
File size:	603332
MD5:	dca13b4ff64bcd6876c13bbb4a22f450
SHA1:	890f5456a79b185669294a706b5fc6f3c572b83b
SHA256:	f5280bf8c9305bfa2bc80e75a02cda6cb79fd3c3baa5ca0447ca6b4f41530c6d
SHA512:	12a610ac3a7979bd7cd293326025ecdbf4d24a8eab9549d0063c7d54550dcbe2bbeefa281fe6be16d16db29abb6e205b7200cc0e125e955ebdb0046ca2172f54

Static Mach Info

General Informations for header0
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	23

segment_command_64

Name	Value
segname	__PAGEZERO
fileoff	0
maxprot	0
vmsize	4294967296
nsects	0
flags	0
filesize	0
vmaddr	0
initprot	0

segment_command_64

Name	Value
segname	__TEXT
fileoff	0
maxprot	7
vmsize	299008
nsects	12
flags	0
filesize	299008
vmaddr	4294967296
initprot	5
Datas	sectname	__text
	segname	__TEXT
	reloff	0
	addr	4294974976
	align	4
	nreloc	0
	flags	2147484672
	offset	7680
	reserved2	0
	reserved1	0
	reserved3	0
	size	193923
	sectname	__stubs
	segname	__TEXT
	reloff	0
	addr	4295168900
	align	1
	nreloc	0
	flags	2147484680
	offset	201604
	reserved2	6
	reserved1	0
	reserved3	0
	size	1152
	sectname	__stub_helper
	segname	__TEXT
	reloff	0
	addr	4295170052
	align	2
	nreloc	0
	flags	2147484672
	offset	202756
	reserved2	0
	reserved1	0
	reserved3	0
	size	1936
	sectname	__cstring
	segname	__TEXT
	reloff	0
	addr	4295171988
	align	0
	nreloc	0
	flags	2
	offset	204692
	reserved2	0
	reserved1	0
	reserved3	0
	size	9716
	sectname	__objc_methname
	segname	__TEXT
	reloff	0
	addr	4295181704
	align	0
	nreloc	0
	flags	2
	offset	214408
	reserved2	0
	reserved1	0
	reserved3	0
	size	14814
	sectname	__objc_classname
	segname	__TEXT
	reloff	0
	addr	4295196518
align	0
nreloc	0
flags	2
offset	229222
reserved2	0
reserved1	0
reserved3	0
size	471
sectname	__objc_methtype
segname	__TEXT
reloff	0
addr	4295196989
align	0
nreloc	0
flags	2
offset	229693
reserved2	0
reserved1	0
reserved3	0
size	3358
sectname	__gcc_except_tab
segname	__TEXT
reloff	0
addr	4295200348
align	2
nreloc	0
flags	0
offset	233052
reserved2	0
reserved1	0
reserved3	0
size	6268
sectname	__const
segname	__TEXT
reloff	0
addr	4295206624
align	4
nreloc	0
flags	0
offset	239328
reserved2	0
reserved1	0
reserved3	0
size	808
sectname	__ustring
segname	__TEXT
reloff	0
addr	4295207432
align	1
nreloc	0
flags	0
offset	240136
reserved2	0
reserved1	0
reserved3	0
size	62
sectname	__unwind_info
segname	__TEXT
reloff	0
addr	4295207494
align	0
nreloc	0
flags	0
offset	240198
reserved2	0
reserved1	0
reserved3	0
size	7800
sectname	__eh_frame
segname	__TEXT
reloff	0
addr	4295215296
align	3
nreloc	0
flags	0
offset	248000
reserved2	0
reserved1	0
reserved3	0
size	51008

segment_command_64

Name	Value
segname	__DATA
fileoff	299008
maxprot	7
vmsize	49152
nsects	21
flags	0
filesize	49152
vmaddr	4295266304
initprot	3
Datas	sectname	__program_vars
	segname	__DATA
	reloff	0
	addr	4295266304
	align	3
	nreloc	0
	flags	0
	offset	299008
	reserved2	0
	reserved1	0
	reserved3	0
	size	40
	sectname	__nl_symbol_ptr
	segname	__DATA
	reloff	0
	addr	4295266344
	align	3
	nreloc	0
	flags	6
	offset	299048
	reserved2	0
	reserved1	192
	reserved3	0
	size	16
	sectname	__got
	segname	__DATA
	reloff	0
	addr	4295266360
	align	3
	nreloc	0
	flags	6
	offset	299064
	reserved2	0
	reserved1	194
	reserved3	0
	size	264
	sectname	__la_symbol_ptr
	segname	__DATA
	reloff	0
	addr	4295266624
	align	3
	nreloc	0
	flags	7
	offset	299328
	reserved2	0
	reserved1	227
	reserved3	0
	size	1536
	sectname	__const
	segname	__DATA
	reloff	0
	addr	4295268160
	align	4
	nreloc	0
	flags	0
	offset	300864
	reserved2	0
	reserved1	0
	reserved3	0
	size	9168
	sectname	__objc_classlist
	segname	__DATA
	reloff	0
	addr	4295277328
align	3
nreloc	0
flags	268435456
offset	310032
reserved2	0
reserved1	0
reserved3	0
size	136
sectname	__objc_nlclslist
segname	__DATA
reloff	0
addr	4295277464
align	3
nreloc	0
flags	268435456
offset	310168
reserved2	0
reserved1	0
reserved3	0
size	8
sectname	__objc_catlist
segname	__DATA
reloff	0
addr	4295277472
align	0
nreloc	0
flags	268435456
offset	310176
reserved2	0
reserved1	0
reserved3	0
size	0
sectname	__objc_protolist
segname	__DATA
reloff	0
addr	4295277472
align	3
nreloc	0
flags	0
offset	310176
reserved2	0
reserved1	0
reserved3	0
size	24
sectname	__objc_imageinfo
segname	__DATA
reloff	0
addr	4295277496
align	2
nreloc	0
flags	0
offset	310200
reserved2	0
reserved1	0
reserved3	0
size	8
sectname	__objc_const
segname	__DATA
reloff	0
addr	4295277504
align	3
nreloc	0
flags	0
offset	310208
reserved2	0
reserved1	0
reserved3	0
size	22456
sectname	__objc_selrefs
segname	__DATA
reloff	0
addr	4295299960
align	3
nreloc	0
flags	268435461
offset	332664
reserved2	0
reserved1	0
reserved3	0
size	3432
sectname	__objc_protorefs
segname	__DATA
reloff	0
addr	4295303392
align	3
nreloc	0
flags	0
offset	336096
reserved2	0
reserved1	0
reserved3	0
size	16
sectname	__objc_classrefs
segname	__DATA
reloff	0
addr	4295303408
align	3
nreloc	0
flags	268435456
offset	336112
reserved2	0
reserved1	0
reserved3	0
size	312
sectname	__objc_superrefs
segname	__DATA
reloff	0
addr	4295303720
align	3
nreloc	0
flags	268435456
offset	336424
reserved2	0
reserved1	0
reserved3	0
size	112
sectname	__objc_data
segname	__DATA
reloff	0
addr	4295303832
align	3
nreloc	0
flags	0
offset	336536
reserved2	0
reserved1	0
reserved3	0
size	1440
sectname	__cfstring
segname	__DATA
reloff	0
addr	4295305272
align	3
nreloc	0
flags	0
offset	337976
reserved2	0
reserved1	0
reserved3	0
size	7328
sectname	__objc_ivar
segname	__DATA
reloff	0
addr	4295312600
align	3
nreloc	0
flags	0
offset	345304
reserved2	0
reserved1	0
reserved3	0
size	1072
sectname	__data
segname	__DATA
reloff	0
addr	4295313680
align	4
nreloc	0
flags	0
offset	346384
reserved2	0
reserved1	0
reserved3	0
size	552
sectname	__common
segname	__DATA
reloff	0
addr	4295314232
align	3
nreloc	0
flags	1
offset	0
reserved2	0
reserved1	0
reserved3	0
size	41
sectname	__bss
segname	__DATA
reloff	0
addr	4295314280
align	3
nreloc	0
flags	1
offset	0
reserved2	0
reserved1	0
reserved3	0
size	32

segment_command_64

Name	Value
segname	__LINKEDIT
fileoff	348160
maxprot	7
vmsize	258048
nsects	0
flags	0
filesize	255172
vmaddr	4295315456
initprot	1

dyld_info_command

Name	Value
lazy_bind_size	4624
lazy_bind_off	351320
weak_bind_size	0
rebase_size	1024
export_off	355944
export_size	192
bind_off	349184
rebase_off	348160
bind_size	2136
weak_bind_off	0

symtab_command

Name	Value
strsize	128104
symoff	357696
stroff	475228
nsyms	7241

dysymtab_command

Name	Value
extreloff	0
nlocrel	0
indirectsymoff	473552
modtaboff	0
nextrel	0
iundefsym	6986
nmodtab	0
ilocalsym	0
nundefsym	255
nextrefsyms	0
locreloff	0
ntoc	0
nlocalsym	6977
tocoff	0
extrefsymoff	0
nindirectsyms	419
iextdefsym	6977
nextdefsym	9

dylinker_command

Name	Value
name	12
Data	/usr/lib/dyld

uuid_command

Name	Value
uuid	cdcc275eb6ae33e2b73cf5f708453f21

version_min_command

Name	Value
version	657152
reserved	657664

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	0.19.1
Data	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

dylib_command

Name	Value
compatibility_version	0.9.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	0.158.0
Data	/usr/lib/libsqlite3.dylib

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	256.225.1
Data	/System/Library/Frameworks/CoreData.framework/Versions/A/CoreData

dylib_command

Name	Value
compatibility_version	0.44.1
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	3328.32.4
Data	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	0.228.0
Data	/usr/lib/libobjc.A.dylib

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	0.120.0
Data	/usr/lib/libc++.1.dylib

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	257.173.4
Data	/usr/lib/libSystem.B.dylib

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	3584.175.216
Data	/System/Library/Frameworks/Security.framework/Versions/A/Security

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	0.59.0
Data	/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices

dylib_command

Name	Value
compatibility_version	0.150.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	3584.87.3
Data	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

linkedit_data_command

Name	Value
dataoff	356136
datassize	1560

linkedit_data_command

Name	Value
dataoff	357696
datassize	0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 29, 2016 13:52:00.493599892 MEZ	53444	53	192.168.0.50	8.8.8.8
Feb 29, 2016 13:52:00.493664026 MEZ	53078	53	192.168.0.50	8.8.8.8
Feb 29, 2016 13:52:00.493793011 MEZ	53	53078	8.8.8.8	192.168.0.50
Feb 29, 2016 13:52:00.874620914 MEZ	53	53444	8.8.8.8	192.168.0.50
Feb 29, 2016 13:52:01.615581989 MEZ	53078	53	192.168.0.50	8.8.4.4
Feb 29, 2016 13:52:01.615631104 MEZ	53	53078	8.8.4.4	192.168.0.50
Feb 29, 2016 13:52:01.616506100 MEZ	49229	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:01.616530895 MEZ	2018	49229	141.8.226.14	192.168.0.50
Feb 29, 2016 13:52:01.616792917 MEZ	49229	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:01.617094994 MEZ	49229	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:01.617105961 MEZ	2018	49229	141.8.226.14	192.168.0.50
Feb 29, 2016 13:52:14.582782984 MEZ	49229	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:14.582910061 MEZ	2018	49229	141.8.226.14	192.168.0.50
Feb 29, 2016 13:52:14.583229065 MEZ	49229	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:14.587341070 MEZ	49230	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:14.587373018 MEZ	2018	49230	141.8.226.14	192.168.0.50
Feb 29, 2016 13:52:14.587650061 MEZ	49230	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:14.587795019 MEZ	49230	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:14.587805986 MEZ	2018	49230	141.8.226.14	192.168.0.50
Feb 29, 2016 13:52:28.693981886 MEZ	49230	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:28.694119930 MEZ	2018	49230	141.8.226.14	192.168.0.50
Feb 29, 2016 13:52:28.694477081 MEZ	49230	2018	192.168.0.50	141.8.226.14
Feb 29, 2016 13:52:37.673428059 MEZ	49225	80	192.168.0.50	17.171.8.16
Feb 29, 2016 13:52:37.673537970 MEZ	80	49225	17.171.8.16	192.168.0.50
Feb 29, 2016 13:52:37.673794031 MEZ	49225	80	192.168.0.50	17.171.8.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 29, 2016 13:52:00.493599892 MEZ	53444	53	192.168.0.50	8.8.8.8
Feb 29, 2016 13:52:00.493664026 MEZ	53078	53	192.168.0.50	8.8.8.8
Feb 29, 2016 13:52:00.493793011 MEZ	53	53078	8.8.8.8	192.168.0.50
Feb 29, 2016 13:52:00.874620914 MEZ	53	53444	8.8.8.8	192.168.0.50
Feb 29, 2016 13:52:01.615581989 MEZ	53078	53	192.168.0.50	8.8.4.4
Feb 29, 2016 13:52:01.615631104 MEZ	53	53078	8.8.4.4	192.168.0.50

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 29, 2016 13:52:00.493599892 MEZ	192.168.0.50	8.8.8.8	0xa325	Standard query (0)	www.comeinbaby.com	A (IP address)	IN (0x0001)
Feb 29, 2016 13:52:00.493664026 MEZ	192.168.0.50	8.8.8.8	0xcb99	Standard query (0)	www.comeinbaby.com	28	IN (0x0001)
Feb 29, 2016 13:52:01.615581989 MEZ	192.168.0.50	8.8.4.4	0xcb99	Standard query (0)	www.comeinbaby.com	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Feb 29, 2016 13:52:00.493793011 MEZ	8.8.8.8	192.168.0.50	0xcb99	Not Implemented (4)	www.comeinbaby.com	none	none	28	IN (0x0001)
Feb 29, 2016 13:52:00.874620914 MEZ	8.8.8.8	192.168.0.50	0xa325	No error (0)	www.comeinbaby.com		141.8.226.14	A (IP address)	IN (0x0001)
Feb 29, 2016 13:52:01.615631104 MEZ	8.8.4.4	192.168.0.50	0xcb99	Not Implemented (4)	www.comeinbaby.com	none	none	28	IN (0x0001)

System Behavior

Analysis Process: mono-sgen PID: 390 Parent PID: 360

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/Library/Frameworks/Mono.framework/Versions/3.4.0/bin/mono-sgen
File size:	4224484 bytes
MD5 hash:	7c3e15e217e2e1e7b6a39829a01fbb27

Chronological Activities

Analysis Process: com.apple.exe PID: 390 Parent PID: 360

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/Users/vreni/Desktop/com.apple.exe
File size:	603332 bytes
MD5 hash:	dca13b4ff64bcd6876c13bbb4a22f450

Chronological Activities

Analysis Process: sh PID: 391 Parent PID: 390

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: sh PID: 392 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 392 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 393 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 393 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 394 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 394 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 395 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 395 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 396 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 396 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 397 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 397 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 398 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 398 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 399 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 399 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 400 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 400 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 401 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: touch PID: 401 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/touch
File size:	19280 bytes
MD5 hash:	dc0979650a009f58fa8f119565d4ea50

Chronological Activities

Analysis Process: sh PID: 402 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: rm PID: 402 Parent PID: 391

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/rm
File size:	19760 bytes
MD5 hash:	cac0af1a62f7b12325d5b7a0ed082afd

Chronological Activities

Analysis Process: sh PID: 403 Parent PID: 390

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: sh PID: 404 Parent PID: 403

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: ps PID: 404 Parent PID: 403

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/ps
File size:	46688 bytes
MD5 hash:	cfb8ba7fee3f6044f3d76175903d98b1

Chronological Activities

Analysis Process: sh PID: 405 Parent PID: 403

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: grep PID: 405 Parent PID: 403

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/grep
File size:	29760 bytes
MD5 hash:	74c51bf745713fd2d8007f3611366a23

Chronological Activities

Analysis Process: sh PID: 406 Parent PID: 403

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: grep PID: 406 Parent PID: 403

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/grep
File size:	29760 bytes
MD5 hash:	74c51bf745713fd2d8007f3611366a23

Chronological Activities

Analysis Process: sh PID: 407 Parent PID: 390

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: sh PID: 408 Parent PID: 407

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: ps PID: 408 Parent PID: 407

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/ps
File size:	46688 bytes
MD5 hash:	cfb8ba7fee3f6044f3d76175903d98b1

Chronological Activities

Analysis Process: sh PID: 409 Parent PID: 407

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: grep PID: 409 Parent PID: 407

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/grep
File size:	29760 bytes
MD5 hash:	74c51bf745713fd2d8007f3611366a23

Chronological Activities

Analysis Process: sh PID: 410 Parent PID: 407

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: grep PID: 410 Parent PID: 407

General

Start time:	13:51:59
Start date:	29/02/2016
Path:	/usr/bin/grep
File size:	29760 bytes
MD5 hash:	74c51bf745713fd2d8007f3611366a23

Chronological Activities

Analysis Process: sh PID: 411 Parent PID: 390

General

Start time:	13:52:27
Start date:	29/02/2016
Path:	/bin/sh
File size:	628704 bytes
MD5 hash:	bae6979e8dc9910cd5fec0e5214e9681

Chronological Activities

Analysis Process: mkdir PID: 411 Parent PID: 390

General

Start time:	13:52:27
Start date:	29/02/2016
Path:	/bin/mkdir
File size:	14512 bytes
MD5 hash:	a83457fe11bfb3492e076d782ec60e9a

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Runtime Messages

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

Static Mach Info

General Informations for header0

segment_command_64

segment_command_64

segment_command_64

segment_command_64

dyld_info_command

symtab_command

dysymtab_command

dylinker_command

uuid_command

version_min_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

linkedit_data_command

linkedit_data_command

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: mono-sgen PID: 390 Parent PID: 360

General

Analysis Process: com.apple.exe PID: 390 Parent PID: 360

General

Analysis Process: sh PID: 391 Parent PID: 390

General

Analysis Process: sh PID: 392 Parent PID: 391

General

Analysis Process: touch PID: 392 Parent PID: 391

General

Analysis Process: sh PID: 393 Parent PID: 391

General

Analysis Process: touch PID: 393 Parent PID: 391

General

Analysis Process: sh PID: 394 Parent PID: 391

General

Analysis Process: touch PID: 394 Parent PID: 391

General

Analysis Process: sh PID: 395 Parent PID: 391