
Analysis Report finfisher.dmg

Overview

General Information

Sample Name: finfisher.dmg
Analysis ID: 113412
MD5: e734730dcad82a6bd050b0d3b89b44e3
SHA1: e1df29dcb571fd3296ed4a5d2689178acee355b5
SHA256: 4f3003dd2ed8dcb68133f95c14e28b168bd0f52e5ae9842f528d3f7866495cea

Detection

FinSpy
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Detected macOS FinSpy (FinFisher) trojan
Malicious sample detected (through community Yara rule)
Yara detected FinSpy
App bundle contains hidden files/directories
Attaches disk images with shell command 'hdiutil'
Creates kernel extensions
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Executes hidden files
Opens applications from non-standard application directories
Queries the Manufacturer of the machine (might be used for detecting VM presence)
Sets full permissions to files and/or directories
Writes DER encoded certificate files to disk without the typical file extension
Writes Mach-O files to untypical directories
Changes permissions of written Mach-O files
Contains symbols with paths
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Creates and/or modifies files and/or directories in common kernel extension directories
Creates application bundles
Creates hidden files, links and/or directories
Creates memory-persistent launch services
Creates user-wide 'launchd' managed services aka launch agents
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "chown" command used to modify ownership and group ownership
Executes the "grep" command used to find patterns in files or piped streams
Executes the "ps" command used to list the status of processes
Executes the "rm" command used to delete files or directories
Executes the "security_authtrampoline" command used to authorize execution with root privileges (GUI prompt)
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "system_profiler" command used to collect detailed system hardware and software information
Explicitly loads kernel extensions
Explicitly loads/starts launch services
Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)
Opens applications that might be created ones
Reads hardware related sysctl values
Reads launchservices plist files
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Reads the systems OS release and/or type
Reads the systems hostname
Reads user launchservices plist file containing default apps for corresponding file types
Sample or dropped file has a small TEXT segment size indicating that the actual code is not in this segment hampering debugging
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Uses Security framework containing interfaces for system-level user authentication and authorization
Writes 32-bit Mach-O files to disk
Writes 64-bit Mach-O files to disk
Writes Python scripts without typical Python file extensions
Writes ZIP files to disk
Writes certificate files to disk
Yara signature match

Classification

Startup

  • system is mac-mojave
  • Install Caglayan (MD5: 083628f5eaf3d1d5018d45dd10391d9f) Arguments: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan
    • bash New Fork (PID: 773, Parent: 772)
      • bash New Fork (PID: 774, Parent: 773)
        • bash New Fork (PID: 775, Parent: 774)
        • dirname (MD5: 6c2a99249cf9eefc79be8dc17bcc5758) Arguments: dirname /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan
    • bash New Fork (PID: 776, Parent: 772)
    • open (MD5: 429e364174ecacaa7bd753b1d15a998e) Arguments: open .log/ARA0848.app
    • bash New Fork (PID: 782, Parent: 772)
    • sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: sleep 2
    • bash New Fork (PID: 786, Parent: 772)
    • rm (MD5: 269d0bd0553e7eafb6e3f70026eeda2b) Arguments: rm Install alayan
    • bash New Fork (PID: 787, Parent: 772)
    • mv (MD5: 71b4f7c9a383f7c62c738273039ba658) Arguments: mv installer Install alayan
    • bash New Fork (PID: 788, Parent: 772)
    • rm (MD5: 269d0bd0553e7eafb6e3f70026eeda2b) Arguments: rm -rf .log
    • bash New Fork (PID: 789, Parent: 772)
  • installer (MD5: 405bb24ade435693b11af1d81e2bb279) Arguments: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
    • sh New Fork (PID: 778, Parent: 777)
      • sh New Fork (PID: 779, Parent: 778)
      • sh New Fork (PID: 780, Parent: 778)
      • egrep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: egrep -i Manufacturer: (parallels|vmware|virtualbox)
    • helper New Fork (PID: 783, Parent: 777)
      • helper New Fork (PID: 792, Parent: 783)
      • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /usr/sbin/chown auth 3 root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer
      • chown (MD5: 4412bd1c28443ef4cc603af3ad92ddc0) Arguments: /usr/sbin/chown root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer
      • helper New Fork (PID: 793, Parent: 783)
      • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /bin/chmod auth 3 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer
      • chmod (MD5: d7df83ea3a49de5d07e0c1730e910852) Arguments: /bin/chmod 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 802, Parent: 801)
      • sh New Fork (PID: 803, Parent: 802)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 804, Parent: 802)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 819, Parent: 801)
    • kextstat New Fork (PID: 822, Parent: 801)
    • kextload New Fork (PID: 823, Parent: 801)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 828, Parent: 827)
      • sh New Fork (PID: 829, Parent: 828)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 830, Parent: 828)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 831, Parent: 827)
    • kextstat New Fork (PID: 833, Parent: 827)
    • kextload New Fork (PID: 834, Parent: 827)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 836, Parent: 835)
      • sh New Fork (PID: 837, Parent: 836)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 838, Parent: 836)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 839, Parent: 835)
    • kextstat New Fork (PID: 840, Parent: 835)
    • kextload New Fork (PID: 841, Parent: 835)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 843, Parent: 842)
      • sh New Fork (PID: 844, Parent: 843)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 845, Parent: 843)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 846, Parent: 842)
    • kextstat New Fork (PID: 847, Parent: 842)
    • kextload New Fork (PID: 848, Parent: 842)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 850, Parent: 849)
      • sh New Fork (PID: 851, Parent: 850)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 852, Parent: 850)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 853, Parent: 849)
    • kextstat New Fork (PID: 854, Parent: 849)
    • kextload New Fork (PID: 855, Parent: 849)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 857, Parent: 856)
      • sh New Fork (PID: 858, Parent: 857)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 859, Parent: 857)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 860, Parent: 856)
    • kextstat New Fork (PID: 861, Parent: 856)
    • kextload New Fork (PID: 862, Parent: 856)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 864, Parent: 863)
      • sh New Fork (PID: 865, Parent: 864)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 866, Parent: 864)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 867, Parent: 863)
    • kextstat New Fork (PID: 868, Parent: 863)
    • kextload New Fork (PID: 869, Parent: 863)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 871, Parent: 870)
      • sh New Fork (PID: 872, Parent: 871)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 873, Parent: 871)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 875, Parent: 870)
    • kextstat New Fork (PID: 876, Parent: 870)
    • kextload New Fork (PID: 877, Parent: 870)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 879, Parent: 878)
      • sh New Fork (PID: 880, Parent: 879)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 881, Parent: 879)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 882, Parent: 878)
    • kextstat New Fork (PID: 883, Parent: 878)
    • kextload New Fork (PID: 884, Parent: 878)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 886, Parent: 885)
      • sh New Fork (PID: 887, Parent: 886)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 888, Parent: 886)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 889, Parent: 885)
    • kextstat New Fork (PID: 890, Parent: 885)
    • kextload New Fork (PID: 891, Parent: 885)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 893, Parent: 892)
      • sh New Fork (PID: 894, Parent: 893)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 895, Parent: 893)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 896, Parent: 892)
    • kextstat New Fork (PID: 897, Parent: 892)
    • kextload New Fork (PID: 898, Parent: 892)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 900, Parent: 899)
      • sh New Fork (PID: 901, Parent: 900)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 902, Parent: 900)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 903, Parent: 899)
    • kextstat New Fork (PID: 904, Parent: 899)
    • kextload New Fork (PID: 905, Parent: 899)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 907, Parent: 906)
      • sh New Fork (PID: 908, Parent: 907)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 909, Parent: 907)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 910, Parent: 906)
    • kextstat New Fork (PID: 911, Parent: 906)
    • kextload New Fork (PID: 912, Parent: 906)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 914, Parent: 913)
      • sh New Fork (PID: 915, Parent: 914)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 916, Parent: 914)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 917, Parent: 913)
    • kextstat New Fork (PID: 918, Parent: 913)
    • kextload New Fork (PID: 919, Parent: 913)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 921, Parent: 920)
      • sh New Fork (PID: 922, Parent: 921)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 923, Parent: 921)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 924, Parent: 920)
    • kextstat New Fork (PID: 925, Parent: 920)
    • kextload New Fork (PID: 926, Parent: 920)
  • logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind
    • sh New Fork (PID: 928, Parent: 927)
      • sh New Fork (PID: 929, Parent: 928)
      • ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef
      • sh New Fork (PID: 930, Parent: 928)
      • grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind
    • logind New Fork (PID: 931, Parent: 927)
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
finfisher.dmg | JoeSecurity_FinSpy_2 | Yara detected FinSpy | Joe Security |
installer | JoeSecurity_FinSpy_2 | Yara detected FinSpy | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
/Users/ben/Library/Caches/org.logind.ctp.archive/helper2 | hacktool_macos_exploit_cve_5889 | http://www.cvedetails.com/cve/cve-2015-5889 | @mimeframe | (listed below)
  • 0xcc:$a1: /etc/sudoers
  • 0x18a:$a1: /etc/sudoers
  • 0x2cc:$a1: /etc/sudoers
  • 0x305:$a1: /etc/sudoers
  • 0xfc:$a2: /etc/crontab
  • 0x1bf:$a2: /etc/crontab
  • 0x263:$a2: /etc/crontab
  • 0x155:$a3: * * * * * root echo
  • 0x16a:$a4: ALL ALL=(ALL) NOPASSWD: ALL
  • 0x211:$a5: /usr/bin/rsh
  • 0x227:$a6: localhost
/Users/ben/Library/Caches/org.logind.ctp.archive/installer | JoeSecurity_FinSpy_2 | Yara detected FinSpy | Joe Security |

Signature Overview

Source: submission | Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Cryptography:

Writes DER encoded certificate files to disk without the typical file extension
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer.p7
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/prodSvce.crl
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/cds.crl
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: _CRYPTO_free
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: _ERR_load_crypto_strings
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer | Mach-O symbol: _crypthead.calls
Source: finfisher.dmg | String found in binary or memory: http://crl.apple.com/root.crl0
Source: finfisher.dmg | String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: finfisher.dmg | String found in binary or memory: http://ocsp.apple.com/ocsp-devid010
Source: finfisher.dmg | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: finfisher.dmg | String found in binary or memory: http://www.apple.com/appleca0
Source: finfisher.dmg | String found in binary or memory: http://www.bluedomepress.com
Source: finfisher.dmg | String found in binary or memory: http://www.bluedomepress.com/about/privacypolicy
Source: finfisher.dmg | String found in binary or memory: http://www.bluedomepress.com/about/termsofuse
Source: finfisher.dmg | String found in binary or memory: http://www.winimage.com/zLibDll
Source: finfisher.dmg | String found in binary or memory: https://www.apple.com/appleca/0

System Summary:

Malicious sample detected (through community Yara rule)
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2, type: DROPPED | Matched rule: http://www.cvedetails.com/cve/cve-2015-5889 Author: @mimeframe
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | Python file created: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2, type: DROPPED | Matched rule: hacktool_macos_exploit_cve_5889 author = @mimeframe, description = http://www.cvedetails.com/cve/cve-2015-5889, reference = https://www.exploit-db.com/exploits/38371/
Source: classification engine | Classification label: mal100.troj.evad.macDMG@0/49@0/0
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/NAIB.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/ParamChecker.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/SignatureVerification.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/main.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(InstallLogMsgs.o)
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(LibInstall.o)
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/Bootstrapper.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/Downloader.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/ErrorDialogController.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/LocalizedStrings.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/src/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/src/LibInstall.h
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/Runtime/Core/include/runtime/mac/embeddedmessages.h
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/generic/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(MacInstall.o)
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(SharedMacUtils.o)
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/platform/OSX/../../../../shared/platform/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/platform/OSX/../../../../shared/platform/mac/SharedMacUtils.h
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/platform/OSX/Mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer | Mach-O symbol: /SourceCache/arclite/arclite-34/source/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer | Mach-O symbol: /Users/dev/DevStuff/obfuscator/build/lib/arc/libarclite_macosx.a(arclite.o)
Source: dropped file installer.311.dr | Mach-O symbol: /jenkins/ws/St_Make/code/build/mac/int/AIR.build/Release/SelfExtractor.build/Objects-normal/x86_64/SelfExtractor-E79CFC41C1857C8E.o
Source: dropped file installer.311.dr | Mach-O symbol: /jenkins/ws/St_Make/code/products/AIR/Runtime/SelfExtractor/
Source: dropped file helper.290.dr | Mach-O symbol: /Users/dev/DevStuff/obfuscator/build/lib/arc/libarclite_macosx.a(arclite.o)
Source: dropped file helper.290.dr | Mach-O symbol: /SourceCache/arclite/arclite-34/source/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: _OBJC_IVAR_$_Downloader.bytesReceived
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: _objc_msgSend
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: _objc_msgSendSuper2
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: _objc_msgSend_fixup
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: _objc_msgSend_stret
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer | Mach-O symbol: _NSURLErrorDomain
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer | Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer | Mach-O symbol: _objc_msgSend
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer | Mach-O symbol: _objc_msgSendSuper2
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer | Mach-O symbol: _objc_msgSend_fixup
Source: dropped file installer.311.dr | Mach-O symbol: _objc_msgSend
Source: dropped file helper.290.dr | Mach-O symbol: _objc_msgSend
Source: dropped file helper.290.dr | Mach-O symbol: _objc_msgSend_fixup
Source: dropped file helper3.290.dr | Mach-O symbol: _mach_port_insert_right
Source: dropped file helper3.290.dr | Mach-O symbol: _mach_port_allocate
Source: dropped file helper3.290.dr | Mach-O symbol: _kIOMasterPortDefault
Source: dropped file helper3.290.dr | Mach-O symbol: _objc_msgSend
Source: dropped file helper3.290.dr | Mach-O symbol: _IOConnectCallScalarMethod
Source: dropped file helper3.290.dr | Mach-O symbol: _IOConnectRelease
Source: initial sample | Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: submission | Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

        Persistence and Installation Behavior:

        barindex
        Attaches disk images with shell command 'hdiutil'Show sources
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer (PID: 794)Hdiutil command executed: /usr/bin/hdiutil attach /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/AIRInstaller.dmg -mountpoint /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPointJump to behavior
        Executes hidden filesShow sources
        Source: /usr/libexec/xpcproxy (PID: 777)File in hidden directory executed: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installerJump to behavior
        Opens applications from non-standard application directoriesShow sources
        Source: /bin/bash (PID: 776)Application opened: open .log/ARA0848.appJump to behavior
        Sets full permissions to files and/or directoriesShow sources
        Source: /usr/libexec/security_authtrampoline (PID: 793)Chmod executable with 777: /bin/chmod -> /bin/chmod 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installerJump to behavior
        Writes DER encoded certificate files to disk without the typical file extensionShow sources
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer.p7Jump to dropped file
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/prodSvce.crlJump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/cds.crl
Writes Mach-O files to untypical directories
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | 64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/helper
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | 32-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/helper3
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | 64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/installer
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | 64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/logind
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | 64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/MacOS/logind
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | 64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/MacOS/logind
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | Permissions modified for written 64-bit Mach-O /Users/ben/Library/Caches/org.logind.ctp.archive/helper: bits: - usr: rx grp: rx all: rwx
Source: /bin/chmod (PID: 793) | Permissions modified for written 64-bit Mach-O /Users/ben/Library/Caches/org.logind.ctp.archive/installer: bits: ug usr: rwx grp: rwx all: rwx
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798) | File moved: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext -> /System/Library/Extensions/logind.kext
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798) | Owner / group modified (eight items): /System/Library/Extensions/logind.kext, .../logind.kext/Contents, .../logind.kext/Contents/MacOS, .../logind.kext/Contents/MacOS/logind, .../logind.kext/Contents/Resources, .../logind.kext/Contents/Resources/en.lproj, .../logind.kext/Contents/Resources/en.lproj/InfoPlist.strings, .../logind.kext/Contents/Info.plist
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798) | Permissions modified (same eight items): /System/Library/Extensions/logind.kext, .../logind.kext/Contents, .../logind.kext/Contents/MacOS, .../logind.kext/Contents/MacOS/logind, .../logind.kext/Contents/Resources, .../logind.kext/Contents/Resources/en.lproj, .../logind.kext/Contents/Resources/en.lproj/InfoPlist.strings, .../logind.kext/Contents/Info.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | Bundle Info.plist File created: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/7f.bundle/Contents/Info.plist
Source: /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper (PID: 797) | Hidden File created: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/.autodiskmounted
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | Hidden File created: /Users/ben/Library/Caches/.dat.nosync0309.NWxLXe
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | Shell command executed: /bin/sh -c system_profiler SPUSBDataType | egrep -i 'Manufacturer: (parallels|vmware|virtualbox)'
Source: /private/etc/logind (PIDs 801, 827, 835, 842, 849, 856, 863, 870, 878, 885, 892, 899, 906, 913, 920, 927) | Shell command executed: /bin/sh -c ps -ef | grep 'logind' (16 times, once per respawned logind instance)
Source: /usr/libexec/security_authtrampoline (PID: 793) | Chmod executable: /bin/chmod -> /bin/chmod 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer
Source: /usr/libexec/security_authtrampoline (PID: 792) | Chown executable: /usr/sbin/chown -> /usr/sbin/chown root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer
Source: /bin/sh (PIDs 804, 830, 838, 845, 852, 859, 866, 873, 881, 888, 895, 902, 909, 916, 923, 930) | Grep executable: /usr/bin/grep -> grep logind (16 times)
Source: /bin/sh (PIDs 803, 829, 837, 844, 851, 858, 865, 872, 880, 887, 894, 901, 908, 915, 922, 929) | Ps executable: /bin/ps -> ps -ef (16 times)
Source: /bin/bash (PID: 786) | Rm executable: /bin/rm -> rm Install alayan
Source: /bin/bash (PID: 788) | Rm executable: /bin/rm -> rm -rf .log
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/helper (PID: 792) | Security_authtrampoline executable: /usr/libexec/security_authtrampoline /usr/libexec/security_authtrampoline /usr/sbin/chown auth 3 root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/helper (PID: 793) | Security_authtrampoline executable: /usr/libexec/security_authtrampoline /usr/libexec/security_authtrampoline /bin/chmod auth 3 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798) | Launch agent/daemon loaded: /bin/launchctl load /Library/LaunchAgents/logind.plist
Source: /bin/sh (PID: 779) | Shell process: system_profiler SPUSBDataType
Source: /bin/sh (PID: 780) | Shell process: egrep -i Manufacturer: (parallels|vmware|virtualbox)
Source: /bin/sh (PIDs 803, 829, 837, 844, 851, 858, 865, 872, 880, 887, 894, 901, 908, 915, 922, 929) | Shell process: ps -ef (16 times)
Source: /bin/sh (PIDs 804, 830, 838, 845, 852, 859, 866, 873, 881, 888, 895, 902, 909, 916, 923, 930) | Shell process: grep logind (16 times)
Source: /bin/bash (PID: 776) | Application opened: open .log/ARA0848.app
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | Launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | Launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | Preferences launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Preferences launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | Preferences launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816) | Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | File written: /Users/ben/Library/Caches/org.logind.ctp.archive/helper3
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | File written: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | File written: /Users/ben/Library/Caches/org.logind.ctp.archive/helper
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | File written: /Users/ben/Library/Caches/org.logind.ctp.archive/installer
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | File written: /Users/ben/Library/Caches/org.logind.ctp.archive/logind
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | File written: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/MacOS/logind
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | File written: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/MacOS/logind
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | ZIP file created: /Users/ben/Library/Caches/.dat.nosync0309.NWxLXe
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | CRL file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/prodSvce.crl
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | CRL file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/cds.crl
Source: extracted file from GPT submission | CodeResources XML file: caglayan-macos/Install Caglayan.app/Contents/_CodeSignature/CodeResources
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816) | Random device file read: /dev/random
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Random device file read: /dev/random
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Info.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Info.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/logind.plist
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/7f.bundle/Contents/Info.plist
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798) | Launch agent/daemon created with KeepAlive and/or RunAtLoad, file moved: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.plist -> /Library/LaunchAgents/logind.plist
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798) | Launch agent created, file moved: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.plist -> /Library/LaunchAgents/logind.plist
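The rows above describe three host artifacts worth hunting for after the fact: Mach-O binaries dropped under ~/Library/Caches, a dropped binary made setuid/setgid and world-writable (chmod 06777 via security_authtrampoline), and a launch agent with RunAtLoad/KeepAlive that starts a program from an unusual location. The scanner below is an added example written for this page, not code from the sandbox or from the sample. It builds its own sample tree (a fake 64-bit Mach-O header, the 06777 mode, and a constructed logind.plist whose Program path is an assumption modelled on the /private/etc/logind process seen in the report) so it runs offline.

```python
"""Added example (not sandbox or sample code): scan a directory tree for the
artifact classes listed in the report above.  The sample tree is constructed
here; the plist contents are an assumption modelled on the report."""
import os
import plistlib
import stat
import tempfile

# Mach-O magic values, both byte orders, plus the fat (universal) header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "32-bit Mach-O", b"\xce\xfa\xed\xfe": "32-bit Mach-O",
    b"\xfe\xed\xfa\xcf": "64-bit Mach-O", b"\xcf\xfa\xed\xfe": "64-bit Mach-O",
    b"\xca\xfe\xba\xbe": "fat Mach-O",
}
# Trees in which a launchd job's program is normally expected to live.
EXPECTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Library/", "/Applications/", "/bin/", "/sbin/")


def macho_kind(path):
    """Classify a file by its first four bytes; None if it is not Mach-O."""
    with open(path, "rb") as f:
        return MACHO_MAGICS.get(f.read(4))


def is_setid_world_writable(path):
    """True for the 06777 pattern: setuid or setgid plus world-writable."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_ISUID | stat.S_ISGID)) and bool(mode & stat.S_IWOTH)


def launchd_findings(plist_path):
    """Flag RunAtLoad/KeepAlive jobs whose program sits outside the usual trees."""
    with open(plist_path, "rb") as f:
        job = plistlib.load(f)
    program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
    autostart = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    if autostart and program and not program.startswith(EXPECTED_PROGRAM_PREFIXES):
        return [f"{plist_path}: auto-start job runs {program} from an unusual path"]
    return []


def scan(root):
    """Walk root and return sorted finding strings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(launchd_findings(path))
                continue
            kind = macho_kind(path)
            if kind and "/Library/Caches/" in path:
                findings.append(f"{path}: {kind} written under Library/Caches")
            if is_setid_world_writable(path):
                findings.append(f"{path}: setuid/setgid and world-writable")
    return sorted(findings)


def build_sample_tree():
    """Construct a tree mirroring the dropped-file layout in the report."""
    root = tempfile.mkdtemp(prefix="finspy-ioc-")
    cache = os.path.join(root, "Users/ben/Library/Caches/org.logind.ctp.archive")
    os.makedirs(cache)
    fake_macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # header bytes only, no code
    for name in ("helper", "installer"):
        with open(os.path.join(cache, name), "wb") as f:
            f.write(fake_macho64)
    os.chmod(os.path.join(cache, "installer"), 0o6777)  # what chmod 06777 did above
    # Assumed plist contents: Program path taken from the /private/etc/logind process.
    with open(os.path.join(cache, "logind.plist"), "wb") as f:
        plistlib.dump({"Label": "logind", "Program": "/private/etc/logind",
                       "RunAtLoad": True, "KeepAlive": True}, f)
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        print(finding)
```

On a real host, point scan() at / (or at /Library/LaunchAgents, ~/Library/Caches and /System/Library/Extensions) rather than at the sample tree; the Mach-O check only reads four bytes per file, so it is cheap to run across a user's home directory.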

Hooking and other Techniques for Hiding and Protection:

App bundle contains hidden files/directories
Source: archive file from GPT submission | Hidden directory: caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/English.lproj/InfoPlist.strings
Source: archive file from GPT submission | Hidden directory: caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Info.plist
Source: archive file from GPT submission | Hidden directory: caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/data
Source: archive file from GPT submission | Hidden directory: caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/res
Source: archive file from GPT submission | Hidden directory: caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/PkgInfo
Source: archive file from GPT submission | Hidden directory: caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
Source: archive file from GPT submission | Hidden directory: caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/English.lproj/MainMenu.nib
Creates kernel extensions
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | Kext Info.plist File created: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Info.plist
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | PTRACE system call (PT_DENY_ATTACH): PID 777 denies future traces
Source: /private/etc/logind (PIDs 801, 827, 835, 842, 849, 856, 863, 870, 878, 885, 892, 899, 906, 913, 920) | Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext (15 times, once per respawned logind instance)
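The pattern in these rows is a watchdog: each new /private/etc/logind instance polls the process list for its own name (ps -ef | grep 'logind') and re-issues kextload for logind.kext. A detection rule can key on exactly that pairing. The script below is an added example written for this page, not sandbox or sample code; it parses event lines in the report's own "Source: exe (PID: n)event: detail" layout and raises an alert when one executable both self-polls from several PIDs and loads a kext, or loads a kext from outside the system trees. The sample lines are a constructed subset of the rows above.

```python
"""Added example (not sandbox or sample code): detection logic over
process-event lines in the format the report uses.  SAMPLE_LINES is a
constructed subset of the report's rows."""
import os
import re
from collections import defaultdict

# "Source: <exe> (PID: <n>)<event>: <detail>"  (whitespace after ')' optional)
LINE_RE = re.compile(
    r"^Source:\s+(?P<exe>.+?)\s+\(PID:\s*(?P<pid>\d+)\)\s*(?P<event>[^:]+?):\s*(?P<detail>.*)$")
# ps -ef | grep 'name'  (quotes around the name optional)
SELF_CHECK_RE = re.compile(r"ps -ef \| grep '?(?P<needle>[\w.-]+)'?")
TRUSTED_LOADER_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/", "/Library/")
SELF_CHECK_THRESHOLD = 3  # distinct PIDs of one binary polling for its own name

SAMPLE_LINES = [  # constructed from the report's rows
    "Source: /private/etc/logind (PID: 801)Shell command executed: /bin/sh -c ps -ef | grep 'logind'",
    "Source: /private/etc/logind (PID: 801)Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext",
    "Source: /private/etc/logind (PID: 827)Shell command executed: /bin/sh -c ps -ef | grep 'logind'",
    "Source: /private/etc/logind (PID: 827)Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext",
    "Source: /private/etc/logind (PID: 835)Shell command executed: /bin/sh -c ps -ef | grep 'logind'",
    "Source: /private/etc/logind (PID: 835)Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext",
    "Source: /private/etc/logind (PID: 842)Shell command executed: /bin/sh -c ps -ef | grep 'logind'",
    "Source: /bin/sh (PID: 803)Shell process: ps -ef",
    "Source: /bin/bash (PID: 782)Sleep executable: /bin/sleep -> sleep 2",
]


def parse_events(lines):
    """Yield dicts with exe, pid, event, detail for every line that parses."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(lines):
    """Return alert strings, one per (executable, rule) pair that fires."""
    per_exe = defaultdict(lambda: {"self_check_pids": set(), "kexts": set()})
    for ev in parse_events(lines):
        rec = per_exe[ev["exe"]]
        if ev["event"] == "Shell command executed":
            m = SELF_CHECK_RE.search(ev["detail"])
            # Only count it when the grep needle is the caller's own basename.
            if m and m.group("needle") == os.path.basename(ev["exe"]):
                rec["self_check_pids"].add(int(ev["pid"]))
        elif ev["event"] == "Kext via kextload loaded":
            rec["kexts"].add(ev["detail"].split()[-1])  # last arg is the kext path
    alerts = []
    for exe, rec in sorted(per_exe.items()):
        if len(rec["self_check_pids"]) >= SELF_CHECK_THRESHOLD and rec["kexts"]:
            alerts.append(f"{exe}: watchdog loop ({len(rec['self_check_pids'])} self-checks) "
                          f"and loads {', '.join(sorted(rec['kexts']))}")
        if rec["kexts"] and not exe.startswith(TRUSTED_LOADER_PREFIXES):
            alerts.append(f"{exe}: kextload from an untrusted location")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LINES):
        print(alert)
```

The basename comparison matters: plenty of legitimate scripts run ps | grep for some other process, but a binary under /private/etc that greps for itself and then reloads a kext of the same name is a much narrower signal.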

Malware Analysis System Evasion:

Queries the Manufacturer of the machine (might be used for detecting VM presence)
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | Manufacturer keyword found in command: /bin/sh /bin/sh -c system_profiler SPUSBDataType | egrep -i 'Manufacturer: (parallels|vmware|virtualbox)'
Source: /bin/sh (PID: 780) | Manufacturer keyword found in command: /usr/bin/egrep egrep -i Manufacturer: (parallels|vmware|virtualbox)
Source: /bin/bash (PID: 782) | Sleep executable: /bin/sleep -> sleep 2
Source: finfisher.dmg | Binary or memory string: system_profiler SPUSBDataType | egrep -i "Manufacturer: (parallels|vmware|virtualbox)"
Source: AIRInstaller.dmg.322.dr | Binary or memory string: pQEMu<
Source: finfisher.dmg | Binary or memory string: vmware
Source: finfisher.dmg | Binary or memory string: MDMyMDEyNDgxMVowIQIQHGFsBuOe7gYOHWuGm9a85xcNMTYwOTE5MTMxODIxWjAhAhAcaqxJ4H3B
Source: finfisher.dmg | Binary or memory string (concatenated string table, as extracted): ptracereshw.modelvmwarevirtualboxparallelssystem_profiler SPUSBDataType | egrep -i "Manufacturer: (parallels|vmware|virtualbox)"/bin/sh-c%@NSString/usr/bin/pythonhelper2kern.osrelease.system.privilege.admin/usr/sbin/chownroot:wheel/bin/chmod06777/sbin/mount_nfs/System/Library/CoreServices/Finder.app/bin/launchctlloadunload/sbin/kextunloadhelperinstallerlogind%2x/tmpdata80.bundle.ziparch.ziporg.logind.ctp.archive80.bundlelogind.kext/System/Library/ExtensionsStorage.framework/Library/Frameworkslogind.plist/Library/LaunchAgents/private/etcContents/Resources/7f.bundle/Contents/Resourcesrbr+bwb1.2.5-FailedError occursError occurs while getting file info/\\/Failed to reading zip filedelegateT@,&,N,V_delegate_objc_autoreleasePoolPush_objc_autoreleasePoolPop__TEXT__LINKEDIT_object_setInstanceVariable_object_setIvar_object_copy_objc_retain_objc_retainBlock_objc_release_objc_autorelease_objc_retainAutorelease_objc_autoreleaseReturnValue_objc_retainAutoreleaseReturnValue_objc_retainAutoreleasedReturnValue_objc_storeStrongdefaultManagermainBundleresourcePathstringByAppendingPathComponent:fileExistsAtPath:stringWithCString:encoding:rangeOfString:options:allocinitsetLaunchPath:stringWithFormat:arrayWithObjects:setArguments:pipesetStandardOutput:fileHandleForReadinglaunchwaitUntilExitterminationStatusreadDataToEndOfFilelengthremoveOldResourceexpandPayloadexecuteTrampolineinstallPayloadinstalleraskUserPermission:removeTracescompressedPayloadremove:expandedPayloadpayloaddataUsingEncoding:dataWithContentsOfFile:bytesdataWithBytes:length:writeToFile:atomically:systemTempunzip:to:isAfterPatchlaunchNewStylelaunchOldStylefileExistsAtPath:isDirectory:numberWithUnsignedLong:dictionaryWithObjectsAndKeys:trampolinesetAttributes:ofItemAtPath:error:bundlePathremoveItemAtPath:error:stringWithUTF8String:componentsSeparatedByString:objectAtIndex:intValueUTF8StringapplicationShouldTerminate:application:openFile:application:openFiles:application:openTempFile:applicationShouldOpenUntitledFile:applicationOpenUntitledFile:application:openFileWithoutUI:application:printFile:application:printFiles:withSettings:showPrintPanels:applicationShouldTerminateAfterLastWindowClosed:applicationShouldHandleReopen:hasVisibleWindows:applicationDockMenu:application:willPresentError:application:didRegisterForRemoteNotificationsWithDeviceToken:application:didFailToRegisterForRemoteNotificationsWithError:application:didReceiveRemoteNotification:application:willEncodeRestorableState:application:didDecodeRestorableState:applicationWillFinishLaunching:applicationDidFinishLaunching:applicationWillHide:applicationDidHide:applicationWillUnhide:applicationDidUnhide:applicationWillBecomeActive:applicationDidBecomeActive:applicationWillResignActive:applicationDidResignActive:applicationWillUpdate:applicationDidUpdate:applicationWillTerminate:applicationDidChangeScreenParameters:applicationDidChangeOcclusionState:isEqual:hashsuperclassclassselfzoneperformSelector:performSelector:withObject:performSelector:with
        Source: helper3.290.dr | Mach-O __TEXT segment size: 0x4000 <= 16 KB
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816) | Sysctl read request: kern.safeboot (1.66)
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Sysctl read request: kern.safeboot (1.66)
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | Sysctl read request: hw.availcpu (6.25)
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | Sysctl read request: hw.memsize (6.24)
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816) | Sysctl read request: hw.ncpu (6.3)
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816) | Sysctl read request: hw.availcpu (6.25)
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Sysctl read request: hw.ncpu (6.3)
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Sysctl read request: hw.availcpu (6.25)
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | Sysctl requested: kern.ostype (1.1)
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | Sysctl requested: kern.osrelease (1.2)
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816) | Sysctl requested: kern.osrelease (1.2)
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Sysctl requested: kern.osrelease (1.2)
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Sysctl requested: kern.ostype (1.1)
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan (PID: 772) | Sysctl requested: kern.hostname (1.10)
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 778) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 802) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 828) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 836) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 843) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 850) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 857) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 864) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 871) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 879) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 886) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 893) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 900) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 907) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 914) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 921) | Sysctl requested: kern.hostname (1.10)
        Source: /bin/sh (PID: 928) | Sysctl requested: kern.hostname (1.10)
        Source: /usr/bin/open (PID: 776) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 819) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 831) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 839) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 846) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 853) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 860) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 867) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 875) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 882) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 889) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 896) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 903) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 910) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 917) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
        Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 924) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

        Stealing of Sensitive Information:

        Detected macOS FinSpy (FinFisher) trojan
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper3
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/installer
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Info.plist
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/MacOS/logind
        Yara detected FinSpy
        Source: Yara match | File source: finfisher.dmg, type: SAMPLE
        Source: Yara match | File source: installer, type: SAMPLE
        Source: Yara match | File source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer, type: DROPPED
        Source: /bin/sh (PID: 779) | System_profiler executable: /usr/sbin/system_profiler system_profiler SPUSBDataType
        Source: /usr/sbin/system_profiler (PID: 779) | System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPUSBDataType -detailLevel full

        Remote Access Functionality:

        Detected macOS FinSpy (FinFisher) trojan
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper3
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/installer
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Info.plist
        Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777) | IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/MacOS/logind
        Yara detected FinSpy
        Source: Yara match | File source: finfisher.dmg, type: SAMPLE
        Source: Yara match | File source: installer, type: SAMPLE
        Source: Yara match | File source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer, type: DROPPED

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Command and Scripting Interpreter1 | LC_LOAD_DYLIB Addition1 | LC_LOAD_DYLIB Addition1 | Masquerading2 | OS Credential Dumping | Security Software Discovery11 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scripting2 | Launch Agent3 | Launch Agent3 | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Remote Access Software1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | User Execution1 | Launch Daemon2 | Launch Daemon2 | Disable or Modify Tools1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Plist Modification1 | Plist Modification1 | Scripting2 | NTDS | System Information Discovery171 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | (none) | Carrier Billing Fraud
        Cloud Accounts | Cron | Kernel Modules and Extensions12 | Kernel Modules and Extensions12 | Hidden Files and Directories21 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Code Signing1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | (none) | Data Encrypted for Impact

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Shell
        • Is malicious
        • Internet
        [Behavior graph image not reproduced; the node labels recovered from it follow.]
        Behavior Graph ID: 113412, Sample: finfisher.dmg, Startdate: 28/09/2020, Architecture: MAC, Score: 100
        Top-level signatures: Malicious sample detected (through community Yara rule); Detected macOS FinSpy (FinFisher) trojan; Yara detected FinSpy; 6 other signatures
        Top-level processes: xpcproxy -> installer; xpcproxy -> Install Caglayan; xpcproxy -> logind; 15 other processes
        • installer: drops /Users/ben/Library...ntents/MacOS/logind (Mach-O, listed twice), /Users/ben/Library...Contents/Info.plist (XML) and 5 other malicious files; signature "Executes hidden files"; starts helper, sh and installer
        • helper: starts security_authtrampoline chmod and security_authtrampoline chown
        • sh: starts egrep and system_profiler
        • installer (child): starts launchctl
        • Install Caglayan: starts bash Install alayan, bash open and 5 other processes
        • bash Install alayan: drops /private/var/folde...00gn/T/prodSvce.crl (data), /private/var/folde...00gn/T/installer.p7 (data), /private/var/folde...w0000gn/T/installer (Mach-O), /private/var/folde...5mw0000gn/T/cds.crl (data); starts installer
        • bash open: signature "Opens applications from non-standard application directories"
        • logind: starts sh and 3 other processes
        • remaining nodes: 58 other processes and 30 other processes (collapsed in the graph)