macOS Analysis Report
CapCut_7376205375613272081_installer.dmg

Overview

General Information

Sample name:	CapCut_7376205375613272081_installer.dmg
Analysis ID:	1466526
MD5:	1fce5d25462b93618fc8fabee0349021
SHA1:	26895b70fa6911ce088f93c9bb15e3a84f8a77e2
SHA256:	f3569a8226b3ec687da41ed5710fae7043f824f29ad1c9cde58a36190c25e541
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Searches for passwords in macOS's keychain

Executes the "security" command used to access the keychain

Contains symbols with paths

Contains symbols with suspicious names likely related to networking

Queries for attached disk images with shell command 'hdiutil'

Reads hardware related sysctl values

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Reads the systems OS release and/or type

Reads the systems hostname

Uses Security framework containing interfaces for system-level user authentication and authorization

Classification

Signatures

Contains symbols with suspicious names likely related to networking

Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader27ReportClickLanguageSpecificEP8NSStringl
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader24ReportPopInstalledWindowE24PopInstalledWindowAction
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader27ReportClickLanguageSpecificEP8NSStringl
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader24ReportPopInstalledWindowE24PopInstalledWindowAction
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader21ReportPopCancelWindowE23PopuCancelWindowpActionii
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader21ReportPopCancelWindowE23PopuCancelWindowpActionii
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader20ReportInstallsStatusE16DownloaderStatusiiP8NSString
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader20ReportInstallsStatusE16DownloaderStatusiiP8NSString
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader17ReportInstallTimeEi
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader17ReportInstallTimeEi
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_135g_destory_shell_event_reporter_funcE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_135g_destory_shell_event_reporter_funcE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_119g_reporter_test_urlE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_119g_reporter_test_urlE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_114g_reporter_urlE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_114g_reporter_urlE

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Reads from socket in process: data

Source: CapCut-Downloader	String found in binary or memory: http://certs.apple.com/devidg2.der02
Source: CapCut_7376205375613272081_installer.dmg	String found in binary or memory: http://crl.apple.com/applerootcag3.crl0
Source: CapCut-Downloader, 00000631.00000278.1.00000001112fa000.0000000111323000.r--.sdmp, CapCut-Downloader, 00000631.00000278.1.00000001063ec000.00000001063ef000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: CapCut-Downloader	String found in binary or memory: http://crl.apple.com/root.crl0
Source: CapCut-Downloader	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: CapCut-Downloader	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootca0.
Source: CapCut_7376205375613272081_installer.dmg	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootcag307
Source: CapCut_7376205375613272081_installer.dmg	String found in binary or memory: http://ocsp.apple.com/ocsp03-asica4020
Source: CapCut-Downloader	String found in binary or memory: http://ocsp.apple.com/ocsp03-devidg2010
Source: CapCut-Downloader, CodeResources	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: CapCut-Downloader, 00000631.00000278.1.00000001112fa000.0000000111323000.r--.sdmp, CapCut-Downloader, 00000631.00000278.1.00000001063ec000.00000001063ef000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: CapCut-Downloader	String found in binary or memory: http://www.apple.com/appleca0
Source: CapCut-Downloader, 00000631.00000278.1.00000001112fa000.0000000111323000.r--.sdmp, CapCut-Downloader, 00000631.00000278.1.00000001063ec000.00000001063ef000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: CapCut-Downloader, 00000631.00000278.1.00000001045e0000.0000000104797000.r--.sdmp	String found in binary or memory: http://www.apple.com/http://www.apple.com/Copyright
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com/service/2/app_alert_check/
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com/service/2/desktop/device_register/
Source: CapCut-Downloader	String found in binary or memory: https://editor-api.capcutapi.com/service/2/app_alert_check/
Source: CapCut-Downloader	String found in binary or memory: https://editor-api.capcutapi.com/service/2/desktop/device_register/
Source: CapCut-Downloader	String found in binary or memory: https://editor-api.capcutapi.com/service/2/desktop/device_register/https://editor-api.capcutapi.com/
Source: CapCut-Downloader	String found in binary or memory: https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/packages/CapCut_2_6_0_834_capcutpc_0_creato
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://maliva-mcs.byteoversea.com
Source: CapCut-Downloader	String found in binary or memory: https://mcs.byteoversea.net/v1/json_test
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://sgali-mcs.byteoversea.com
Source: CapCut-Downloader	String found in binary or memory: https://sgali-mcs.byteoversea.com/v1/json
Source: CapCut-Downloader	String found in binary or memory: https://www.apple.com/appleca/0
Source: CapCut-Downloader	String found in binary or memory: https://www.apple.com/certificateauthority/0

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Writes from socket in process: data

Source: classification engine

Classification label: mal52.spyw.macDMG@0/16@0/0

Contains symbols with paths

Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/MainWindowPages/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/Downloader/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/FlatButton/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/MainWindowPages/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/MainWindowPages/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/RFOverlayScrollView/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/RFOverlayScrollView/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/AppDelegate.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/BorderlessWindow.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTProgressBar/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MultiLangViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/InitPageViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/InstallPageViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MainWindowController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MainWindowViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MsgBoxController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MsgBoxViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MultiLangBoxController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MultiLangItemView.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/DownloadPageViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/PageIndicatorView.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/RFOverlayScrollView.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/RFOverlayScroller.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/ShellDownloader.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTBanner.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTBannerItem.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTBannerItemView.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTButton.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MutiLangListItem.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/PageIndicatorController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTNoScrollBannerItem.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTProgressBar.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/main.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTFakeNSAlertController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTFakeNSAlertViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTNoScrollBanner.o

Queries for attached disk images with shell command 'hdiutil'

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Hdiutil command executed: /usr/bin/hdiutil info

Uses Security framework containing interfaces for system-level user authentication and authorization

Source: /usr/bin/security (PID: 634)

Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist

Source: extracted file from DMG submission

CodeResources XML file: CapCut-Downloader.app/Contents/_CodeSignature/CodeResources

Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader

Mach-O header: load_dylib -> /System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation

Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader

Mach-O header: load_dylib -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: CapCut-Downloader, 00000631.00000278.1.0000000102aa4000.0000000102aaa000.r--.sdmp	Binary or memory string: framework.vmnet
Source: app_package_447fdc9fc7.zip.278.dr	Binary or memory string: PhgFs
Source: CapCut-Downloader, 00000631.00000278.1.0000000102aa4000.0000000102aaa000.r--.sdmp	Binary or memory string: framework.vmnet$
Source: app_package_447fdc9fc7.zip.278.dr	Binary or memory string: 7tQeMU
Source: app_package_447fdc9fc7.zip.278.dr	Binary or memory string: y0FhGfS

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Sysctl read request: kern.safeboot (1.66)

Reads hardware related sysctl values

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Sysctl read request: hw.ncpu (6.3)
Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Sysctl read request: hw.availcpu (6.25)

Reads the systems OS release and/or type

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Sysctl requested: kern.ostype (1.1)
Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Sysctl requested: kern.osrelease (1.2)

Reads the systems hostname

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Sysctl requested: kern.hostname (1.10)

Source: /usr/bin/open (PID: 630)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Stealing of Sensitive Information

Searches for passwords in macOS's keychain

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Security executable: /usr/bin/security /usr/bin/security find-generic-password -s CapCutWebInfoId -a WebInfoId

Executes the "security" command used to access the keychain

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Security executable: /usr/bin/security /usr/bin/security find-generic-password -s CapCutWebInfoId -a WebInfoId
Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Security executable: /usr/bin/security /usr/bin/security add-generic-password -a WebInfoId -s CapCutWebInfoId -w CapCut_7376205375613272081_installer -U -T /usr/bin/security

Screenshots

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
/Users/bernard/Library/Application Support/app_shell_cache_562354/app_package_447fdc9fc7.zip	zlib compressed data	86C505B2ADF6AD886D8D0E7FFAB9EBBA	7DEEDA80A8BA37EA9DD00BDD5EAADF00E0E41369	87F544A37A11EA572B6843DA6B576F77D31F4B5935F8CF4C9502A1844153CD50
/Users/bernard/Library/Keychains/login.keychain-db.sb-07d82885-4gJ2WD	DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 963362762505407623593984.000000, slope 303834226087943251262072422400.000000	F3534B67689D89889D67FB7A5530C8AE	572B5ADD5DD1B6396C2BD0C3183882A324F5E44A	6C5FB79BC8589CC45F0703464FB8F74F35ECBF108FA9F0FACFA108A354D3E8B2
/dev/null	ASCII text	FC17A400C15FEC0E368D952A88B07F0C	6D6F6FC5D89C56E675750B51A1FE51FDD9608454	E40A1FE7D9847086F46C8B7C70CDB52DFD92B292F0E8A4A08AD38053C31DC091
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsDirectory.db_	Mac OS X Keychain File	0E4A0D1CEB2AF6F0F8D0167CE77BE2D3	414BA4C1DC5FC8BF53D550E296FD6F5AD669918C	CCA093BCFC65E25DD77C849866E110DF72526DFFBE29D76E11E29C7D888A4030
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsObject.db_	Mac OS X Keychain File	D3A1859E6EC593505CC882E6DEF48FC8	F8E6728E3E9DE477A75706FAA95CEAD9CE13CB32	3EBAFA97782204A4A1D75CFEC22E15FCDEAB45B65BAB3B3E65508707E034A16C
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/automatic_scaling_en.png	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced	F55D2B8FDFD4F476C0D4829FB663C69B	AC3CA7EA4100FFC6E24BC25D536C4FF4846CC1EF	6EB8B5F62E6763598C2FA9D3182F2D091E6247D88D51475EE4694B76722205EB
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/chroma_keying_en.png	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced	42FEAD072026913A69E7C96BAC8456B0	F563A8680AFD0F912C932D5D9D0EAE7F079A4C88	FC330E6CFE8B356B214CC5FFD3A7B8E88618373BE46A763DA205AD6228788A38
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/intelligent_subtitles_en.png	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced	C51D1976F87828C0DCA46EF4D0243614	5DB8DDCC5E358D1DA6FB4F79E36C1547DDA6069F	463A0C124A0925FBB341855685B2B58525B100108D271679F2F95398D5F6C618
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/keyframe_en.png	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced	950E97619B630F384CB2EC5C8DD271C2	BB8251280369A583E0F8BFE27A3A370F3F93A876	620CFFEECF59C90DB73B0CD81F8F4378AEAD22AF98791111EEE877A07344DC55
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/speech_synthesis_en.png	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced	7E0FCA9AFBA9A7FBC15D378B8E550BAA	163AED4FD049F3981E88ECAA22966949F233A567	49D5FA943BCEC39D1244E6C69801F20B5F9D01FC89D6F260236A3C1255B5FC98
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/text_style_en.png	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced	03680B27E2CD41C23DDA448C1EE7B1BB	2EBA3FFB31D116D35B22AA0132F51DB732F5432E	06599F52F75C8E9F3B0A1476CAA97AB7BB0D61DF6A6FEBFB8CCE14706AF64E6B
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/visual_effects_en.png	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced	8EA92C4B9D936D485757D19391F45043	17DDA2A287A49BF23DA9DA09D20062E2DD7A4601	3A5E1EF48BD852386D5B155306F6B4098B53242C282B9BC54A2C2203301D90BA
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/water_world_en.png	PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced	601BBE214313CA48CA8F333161AC62AF	6799BE82B01711A0821DF1321FCF5D14DE0ADD6C	56A9920B94732C54604A6AB3CE0072D30E0EB1A2F4F835661FECBC0C448D8965

Contains symbols with suspicious names likely related to networking

Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader27ReportClickLanguageSpecificEP8NSStringl
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader24ReportPopInstalledWindowE24PopInstalledWindowAction
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader27ReportClickLanguageSpecificEP8NSStringl
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader24ReportPopInstalledWindowE24PopInstalledWindowAction
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader21ReportPopCancelWindowE23PopuCancelWindowpActionii
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader21ReportPopCancelWindowE23PopuCancelWindowpActionii
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader20ReportInstallsStatusE16DownloaderStatusiiP8NSString
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader20ReportInstallsStatusE16DownloaderStatusiiP8NSString
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader17ReportInstallTimeEi
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN15ShellDownloader17ReportInstallTimeEi
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_135g_destory_shell_event_reporter_funcE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_135g_destory_shell_event_reporter_funcE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_119g_reporter_test_urlE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_119g_reporter_test_urlE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_114g_reporter_urlE
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: __ZN12_GLOBAL__N_114g_reporter_urlE

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Reads from socket in process: data

Source: CapCut-Downloader	String found in binary or memory: http://certs.apple.com/devidg2.der02
Source: CapCut_7376205375613272081_installer.dmg	String found in binary or memory: http://crl.apple.com/applerootcag3.crl0
Source: CapCut-Downloader, 00000631.00000278.1.00000001112fa000.0000000111323000.r--.sdmp, CapCut-Downloader, 00000631.00000278.1.00000001063ec000.00000001063ef000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: CapCut-Downloader	String found in binary or memory: http://crl.apple.com/root.crl0
Source: CapCut-Downloader	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: CapCut-Downloader	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootca0.
Source: CapCut_7376205375613272081_installer.dmg	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootcag307
Source: CapCut_7376205375613272081_installer.dmg	String found in binary or memory: http://ocsp.apple.com/ocsp03-asica4020
Source: CapCut-Downloader	String found in binary or memory: http://ocsp.apple.com/ocsp03-devidg2010
Source: CapCut-Downloader, CodeResources	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: CapCut-Downloader, 00000631.00000278.1.00000001112fa000.0000000111323000.r--.sdmp, CapCut-Downloader, 00000631.00000278.1.00000001063ec000.00000001063ef000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: CapCut-Downloader	String found in binary or memory: http://www.apple.com/appleca0
Source: CapCut-Downloader, 00000631.00000278.1.00000001112fa000.0000000111323000.r--.sdmp, CapCut-Downloader, 00000631.00000278.1.00000001063ec000.00000001063ef000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: CapCut-Downloader, 00000631.00000278.1.00000001045e0000.0000000104797000.r--.sdmp	String found in binary or memory: http://www.apple.com/http://www.apple.com/Copyright
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com/service/2/app_alert_check/
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://editor-api-sg.capcut.com/service/2/desktop/device_register/
Source: CapCut-Downloader	String found in binary or memory: https://editor-api.capcutapi.com/service/2/app_alert_check/
Source: CapCut-Downloader	String found in binary or memory: https://editor-api.capcutapi.com/service/2/desktop/device_register/
Source: CapCut-Downloader	String found in binary or memory: https://editor-api.capcutapi.com/service/2/desktop/device_register/https://editor-api.capcutapi.com/
Source: CapCut-Downloader	String found in binary or memory: https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/packages/CapCut_2_6_0_834_capcutpc_0_creato
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://maliva-mcs.byteoversea.com
Source: CapCut-Downloader	String found in binary or memory: https://mcs.byteoversea.net/v1/json_test
Source: CapCut-Downloader, 00000631.00000278.1.00000001027f3000.0000000102a1d000.r-x.sdmp	String found in binary or memory: https://sgali-mcs.byteoversea.com
Source: CapCut-Downloader	String found in binary or memory: https://sgali-mcs.byteoversea.com/v1/json
Source: CapCut-Downloader	String found in binary or memory: https://www.apple.com/appleca/0
Source: CapCut-Downloader	String found in binary or memory: https://www.apple.com/certificateauthority/0

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Writes from socket in process: data

Source: classification engine

Classification label: mal52.spyw.macDMG@0/16@0/0

Contains symbols with paths

Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/MainWindowPages/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/Downloader/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/FlatButton/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/MainWindowPages/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MainWindow/MainWindowPages/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/RFOverlayScrollView/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/RFOverlayScrollView/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/MessageBox/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/AppDelegate.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/BorderlessWindow.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTBanner/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/appdownloader/TTProgressBar/
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MultiLangViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/InitPageViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/InstallPageViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MainWindowController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MainWindowViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MsgBoxController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MsgBoxViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MultiLangBoxController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MultiLangItemView.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/DownloadPageViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/PageIndicatorView.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/RFOverlayScrollView.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/RFOverlayScroller.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/ShellDownloader.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTBanner.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTBannerItem.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTBannerItemView.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTButton.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/MutiLangListItem.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/PageIndicatorController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTNoScrollBannerItem.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTProgressBar.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/main.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTFakeNSAlertController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTFakeNSAlertViewController.o
Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader	Mach-O symbol: /Users/iOS_2_6_hyva_bbcrj_qnqka/38814/mac_installer_downlaoder/build/Build/Intermediates.noindex/appdownloader.build/Release/appdownloader.build/Objects-normal/x86_64/TTNoScrollBanner.o

Queries for attached disk images with shell command 'hdiutil'

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Hdiutil command executed: /usr/bin/hdiutil info

Uses Security framework containing interfaces for system-level user authentication and authorization

Source: /usr/bin/security (PID: 634)

Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist

Source: extracted file from DMG submission

CodeResources XML file: CapCut-Downloader.app/Contents/_CodeSignature/CodeResources

Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader

Mach-O header: load_dylib -> /System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation

Source: extracted file from submission: CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader

Mach-O header: load_dylib -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: CapCut-Downloader, 00000631.00000278.1.0000000102aa4000.0000000102aaa000.r--.sdmp	Binary or memory string: framework.vmnet
Source: app_package_447fdc9fc7.zip.278.dr	Binary or memory string: PhgFs
Source: CapCut-Downloader, 00000631.00000278.1.0000000102aa4000.0000000102aaa000.r--.sdmp	Binary or memory string: framework.vmnet$
Source: app_package_447fdc9fc7.zip.278.dr	Binary or memory string: 7tQeMU
Source: app_package_447fdc9fc7.zip.278.dr	Binary or memory string: y0FhGfS

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Sysctl read request: kern.safeboot (1.66)

Reads hardware related sysctl values

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Sysctl read request: hw.ncpu (6.3)
Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Sysctl read request: hw.availcpu (6.25)

Reads the systems OS release and/or type

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Sysctl requested: kern.ostype (1.1)
Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Sysctl requested: kern.osrelease (1.2)

Reads the systems hostname

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Sysctl requested: kern.hostname (1.10)

Source: /usr/bin/open (PID: 630)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Stealing of Sensitive Information

Searches for passwords in macOS's keychain

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)

Security executable: /usr/bin/security /usr/bin/security find-generic-password -s CapCutWebInfoId -a WebInfoId

Executes the "security" command used to access the keychain

Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Security executable: /usr/bin/security /usr/bin/security find-generic-password -s CapCutWebInfoId -a WebInfoId
Source: /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader (PID: 631)	Security executable: /usr/bin/security /usr/bin/security add-generic-password -a WebInfoId -s CapCutWebInfoId -w CapCut_7376205375613272081_installer -U -T /usr/bin/security

ID:	1466526
Product:	CloudBasic
Start time:	01:40:36
Start date:	03.07.2024
Sample:	CapCut_7376205375613272081_installer.dmg
Cookbook:	defaultmacfilecookbook.jbs
System description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Architecture:	MAC
MD5:	1fce5d25462b93618fc8fabee0349021
SHA1:	26895b70fa6911ce088f93c9bb15e3a84f8a77e2
SHA256:	f3569a8226b3ec687da41ed5710fae7043f824f29ad1c9cde58a36190c25e541
Filetype:	Disk Image (Macintosh), zlib, GPT (10001/1) 76.91%

macOS Analysis Report
CapCut_7376205375613272081_installer.dmg

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Network Map

macOS Analysis Report CapCut_7376205375613272081_installer.dmg

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Network Map

macOS Analysis Report
CapCut_7376205375613272081_installer.dmg