macOS Analysis Report
CalendlyApp

Overview

General Information

Sample name: CalendlyApp
Analysis ID: 1541758
MD5: 55c70b5d0cebb28d0ba3e21a6b065884
SHA1: 15e4f1227b9c76400dc15f39a22c553065c62fd6
SHA256: a697503c8d77ad21f30eb9e5efbbb50b2fa20237931072bc66101292c4eb6d4b

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Executes AppleScript that prompts the user for a password (for privilege escalation or credential theft)
Executes the "dscl" command with authonly argument (probably to verify the login password)
Uses Apple scripts to hide Terminal windows
Contains symbols with suspicious names likely related to networking
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes commands using a shell command-line interpreter
Executes the "mkdir" command used to create folders
Executes the "system_profiler" command used to collect detailed system hardware and software information
Queries OS software version with shell command 'sw_vers'
Reads file resource fork extended attributes
Reads hardware related sysctl values
Reads the saved state of applications
Reads the sysctl hardware model value (potentially used for VM-detection)
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Reads the system's OS release and/or type
Reads the system's hostname
Sample is a FAT Mach-O sample containing binaries for multiple architectures
Sample is code signed by an ad-hoc signature
Uses AppleScript framework/components containing Apple Script related functionalities
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Classification

AV Detection

Source: CalendlyApp ReversingLabs: Detection: 31%
Source: CalendlyApp Virustotal: Detection: 47% Perma Link
Source: submission: CalendlyApp Mach-O symbol: _send
Source: submission: CalendlyApp Mach-O symbol: _socket
Source: submission: CalendlyApp Mach-O symbol: _connect
Source: submission: CalendlyApp Mach-O symbol: _inet_addr
Source: submission: CalendlyApp Mach-O symbol: _send
Source: submission: CalendlyApp Mach-O symbol: _socket
Source: submission: CalendlyApp Mach-O symbol: _connect
Source: submission: CalendlyApp Mach-O symbol: _inet_addr
Networking

Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.68 (34 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108 (3 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 23.46.224.247 (2 connections)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /2024/patches/052-54451/D609556E-69B1-482E-9C33-B2E3510A1311/com_apple_MobileAsset_TimeZoneUpdate/c5a4d0df08e8faecf4faebbbadc4d96a07d9d990.zip HTTP/1.1
  Host: updates.cdn-apple.com
  Accept: */*
  Accept-Language: en-us
  Connection: keep-alive
  Accept-Encoding: br, gzip, deflate
  User-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic HTTP traffic detected: GET /2024/patches/062-08173/234EE7F7-CC33-4CD3-85FC-60590A103560/com_apple_MobileAsset_CoreSuggestions/84f6102e2a09dd10dd694d795792a7771b6014fc.zip HTTP/1.1
  Host: updates.cdn-apple.com
  Accept: */*
  Accept-Language: en-us
  Connection: keep-alive
  Accept-Encoding: br, gzip, deflate
  User-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic HTTP traffic detected: GET /2021/mobileassets/041-40471/B96AF6E1-5FF6-4786-9956-944A1AFE086A/com_apple_MobileAsset_KextDenyList/404087a7302927411b6ea0e05114d2c68355185e.zip HTTP/1.1
  Host: updates.cdn-apple.com
  Accept: */*
  Accept-Language: en-us
  Connection: keep-alive
  Accept-Encoding: br, gzip, deflate
  User-Agent: mobileassetd (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
Source: global traffic DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: CalendlyApp, 00000618.00000255.1.00000001059e0000.0000000105a09000.r--.sdmp String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: CalendlyApp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: CalendlyApp, 00000618.00000255.1.00000001059e0000.0000000105a09000.r--.sdmp String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: CalendlyApp, 00000618.00000255.1.00000001059e0000.0000000105a09000.r--.sdmp String found in binary or memory: http://www.apple.com/certificateauthority0
Source: CalendlyApp, 00000618.00000255.1.00000001059e0000.0000000105a09000.r--.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49346
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49368
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49345
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49366
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49387
Source: unknown Network traffic detected: HTTP traffic on port 49395 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49378 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49346 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49375 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49378
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49375
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49373
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49395
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown Network traffic detected: HTTP traffic on port 49394 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49394
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49371
Source: unknown Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49371 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49373 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49387 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49345 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49368 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49366 -> 443
System Summary

Source: classification engine Classification label: mal60.spyw.evad.mac@0/6@1/0
Source: /bin/sh (PID: 619) Osascript command executed: osascript -e tell application 'Terminal' to set visible of front window to false Jump to behavior
Source: /bin/sh (PID: 627) Osascript command executed: osascript -e display dialog 'To launch the application, you need to update the system settings \n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer Jump to behavior
Source: /bin/sh (PID: 648) Osascript command executed: osascript -e display dialog 'To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 618) Shell command executed: sh -c osascript -e 'tell application 'Terminal' to set visible of front window to false' Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 618) Shell command executed: sh -c mkdir /Users/root/565464935 Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 618) Shell command executed: sh -c sw_vers Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 618) Shell command executed: sh -c system_profiler SPHardwareDataType Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 618) Shell command executed: sh -c system_profiler SPDisplaysDataType Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 618) Shell command executed: sh -c dscl /Local/Default -authonly root '' Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 618) Shell command executed: sh -c osascript -e 'display dialog 'To launch the application, you need to update the system settings \n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer' Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 618) Shell command executed: sh -c osascript -e 'display dialog 'To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer' Jump to behavior
Source: /bin/sh (PID: 620) Mkdir executable: /bin/mkdir -> mkdir /Users/root/565464935 Jump to behavior
Source: /usr/bin/osascript (PID: 648) Saved state directory opened: /private/var/root/Library/Saved Application State/com.apple.osascript.savedState Jump to behavior
Source: submission File header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
Source: submission Code Signing Info: Signature=adhoc
Source: /usr/bin/osascript (PID: 619) AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 619) AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 627) AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 627) AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 648) AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 648) AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 619) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 619) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 627) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 627) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 648) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 648) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist Jump to behavior
Source: submission Mach-O header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
Source: /usr/bin/osascript (PID: 619) Random device file read: /dev/random Jump to behavior
Source: /usr/bin/osascript (PID: 627) Random device file read: /dev/random Jump to behavior
Source: /usr/bin/osascript (PID: 648) Random device file read: /dev/random Jump to behavior
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 650) Random device file read: /dev/random Jump to behavior
Source: /usr/bin/osascript (PID: 619) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 627) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 648) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 627) Binary plist file created: /private/var/root/Library/Saved Application State/com.apple.osascript.savedState/windows.plist
Source: /usr/bin/osascript (PID: 648) Binary plist file created: /private/var/root/Library/Saved Application State/com.apple.osascript.savedState/restorecount.plist Jump to dropped file
Source: /usr/bin/osascript (PID: 648) Binary plist file created: /private/var/root/Library/Saved Application State/com.apple.osascript.savedState/windows.plist Jump to dropped file
Source: submission CodeSign Info: Executable=/Users/bernard/Desktop/CalendlyApp
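The file-header lines above (a FAT Mach-O with an x86_64 slice and an arm64 slice, each with its own header flags, and an ad-hoc signature) are what an analyst checks first when triaging a macOS sample. The following script is an added example, not part of the report or of the sample: it parses the big-endian fat_header and fat_arch table, then each slice's little-endian mach_header_64, and decodes the flags into the same names the report prints. The byte blob it builds is constructed here (header-only slices with no load commands, laid out at the offsets the script chooses); the flag bit values, CPU types and magics are the ones from Apple's mach-o/loader.h and mach-o/fat.h. The check on nfat_arch is there because Java class files share the 0xCAFEBABE magic.

```python
"""Inspect a FAT (universal) Mach-O: list slices and decode each 64-bit header's flags."""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE      # fat_header is stored big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF    # mach_header_64 is little-endian on x86_64 and arm64

CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
FILETYPES = {2: "executable", 6: "dylib", 8: "bundle"}
MH_FLAGS = {                # bits of mach_header_64.flags, ascending, as named in loader.h
    0x000001: "NOUNDEFS",
    0x000004: "DYLDLINK",
    0x000080: "TWOLEVEL",
    0x008000: "WEAK_DEFINES",
    0x010000: "BINDS_TO_WEAK",
    0x200000: "PIE",
}


def parse_slice(data, offset, expected_cputype):
    """Decode the 32-byte mach_header_64 at `offset` and cross-check it against fat_arch."""
    fields = struct.unpack_from("<8I", data, offset)
    magic, cputype, _cpusubtype, filetype, ncmds, _sizeofcmds, flags, _reserved = fields
    if magic != MH_MAGIC_64:
        raise ValueError(f"slice at {offset:#x}: not a 64-bit Mach-O (magic {magic:#x})")
    if cputype != expected_cputype:
        raise ValueError(f"slice at {offset:#x}: fat_arch says {expected_cputype:#x}, header says {cputype:#x}")
    return {
        "arch": CPU_TYPES.get(cputype, f"{cputype:#x}"),
        "filetype": FILETYPES.get(filetype, str(filetype)),
        "ncmds": ncmds,
        "flags": [name for bit, name in MH_FLAGS.items() if flags & bit],
        "unknown_flags": flags & ~sum(MH_FLAGS),   # bits this table does not name
    }


def parse_fat(data):
    """Return one dict per architecture slice of a FAT binary."""
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError(f"not a FAT binary (magic {magic:#x})")
    # A Java class file also starts with CAFEBABE; its next field is a version, not a small count.
    if nfat_arch == 0 or nfat_arch > 32:
        raise ValueError(f"implausible nfat_arch {nfat_arch}: probably a Java class file")
    slices = []
    for i in range(nfat_arch):
        cputype, _subtype, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError(f"fat_arch {i} points outside the file")
        slices.append(parse_slice(data, offset, cputype))
    return slices


def describe(slices):
    """Format like the report's 'Mach-O universal binary with N architectures: [...]' line."""
    parts = [f"[{s['arch']}:Mach-O 64-bit {s['arch']} {s['filetype']}, flags:<{'|'.join(s['flags'])}>]"
             for s in slices]
    return f"Mach-O universal binary with {len(slices)} architectures: " + " ".join(parts)


def build_sample():
    """Constructed input: a header-only FAT binary with the two slices the report describes."""
    x86 = 0x1 | 0x4 | 0x80 | 0x8000 | 0x10000 | 0x200000   # NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE
    arm = 0x1 | 0x4 | 0x80 | 0x10000 | 0x200000            # same set without WEAK_DEFINES
    arches = [(0x01000007, 3, 0x1000, x86), (0x0100000C, 0, 0x2000, arm)]   # (cputype, subtype, offset, flags)
    blob = bytearray(0x2000 + 32)
    struct.pack_into(">II", blob, 0, FAT_MAGIC, len(arches))
    for i, (cputype, subtype, off, flags) in enumerate(arches):
        struct.pack_into(">5I", blob, 8 + 20 * i, cputype, subtype, off, 32, 12)        # fat_arch, align 2^12
        struct.pack_into("<8I", blob, off, MH_MAGIC_64, cputype, subtype, 2, 0, 0, flags, 0)  # MH_EXECUTE
    return bytes(blob)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(describe(parse_fat(data)))
```

Run it as `python3 fatinfo.py CalendlyApp` against the real file; on a Mac, `lipo -archs` and `otool -hv` print the same slice list and flag names, and `codesign -dvv CalendlyApp` reports `Signature=adhoc`, which is the report's "ad-hoc signature" finding: the binary carries no Developer ID identity and no notarization ticket, so Gatekeeper refuses it while the quarantine attribute is present.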

Hooking and other Techniques for Hiding and Protection

Source: /bin/sh (PID: 619) Osascript command executed: osascript -e tell application 'Terminal' to set visible of front window to false Jump to behavior
Source: /usr/bin/osascript (PID: 619) Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc Jump to behavior
Source: /usr/bin/osascript (PID: 627) Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc Jump to behavior
Source: /usr/bin/osascript (PID: 648) Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc Jump to behavior
Source: /usr/sbin/system_profiler (PID: 623) Sysctl read request: hw.model (6.2) Jump to behavior
Source: /usr/bin/osascript (PID: 627) Sysctl read request: kern.safeboot (1.66) Jump to behavior
Source: /usr/bin/osascript (PID: 648) Sysctl read request: kern.safeboot (1.66) Jump to behavior
Source: /bin/sh (PID: 621) sw_vers executed: sw_vers Jump to behavior
Source: /usr/sbin/system_profiler (PID: 623) Sysctl read request: hw.cpu_freq (6.15) Jump to behavior
Source: /usr/sbin/system_profiler (PID: 623) Sysctl read request: hw.memsize (6.24) Jump to behavior
Source: /usr/bin/osascript (PID: 627) Sysctl read request: hw.availcpu (6.25) Jump to behavior
Source: /usr/bin/osascript (PID: 648) Sysctl read request: hw.availcpu (6.25) Jump to behavior
Source: /usr/bin/osascript (PID: 627) Sysctl requested: kern.ostype (1.1) Jump to behavior
Source: /usr/bin/osascript (PID: 627) Sysctl requested: kern.osrelease (1.2) Jump to behavior
Source: /usr/bin/osascript (PID: 648) Sysctl requested: kern.ostype (1.1) Jump to behavior
Source: /usr/bin/osascript (PID: 648) Sysctl requested: kern.osrelease (1.2) Jump to behavior
Source: /bin/sh (PID: 619) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 620) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 621) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 622) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 624) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 626) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 627) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /usr/bin/osascript (PID: 627) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 648) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /usr/bin/osascript (PID: 648) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /usr/bin/osascript (PID: 619) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist Jump to behavior
Source: /usr/bin/sw_vers (PID: 621) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist Jump to behavior
Source: /usr/bin/osascript (PID: 627) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist Jump to behavior
Source: /usr/bin/osascript (PID: 648) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist Jump to behavior

Stealing of Sensitive Information

Source: /bin/sh (PID: 627) Osascript requesting password: osascript -e display dialog 'To launch the application, you need to update the system settings \n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer Jump to behavior
Source: /bin/sh (PID: 648) Osascript requesting password: osascript -e display dialog 'To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer Jump to behavior
Source: /bin/sh (PID: 626) Security executable: /usr/bin/dscl dscl /Local/Default -authonly root Jump to behavior
Source: /bin/sh (PID: 622) System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType Jump to behavior
Source: /usr/sbin/system_profiler (PID: 622) System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full Jump to behavior
Source: /bin/sh (PID: 624) System_profiler executable: /usr/sbin/system_profiler system_profiler SPDisplaysDataType Jump to behavior
Source: /usr/sbin/system_profiler (PID: 624) System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPDisplaysDataType -detailLevel full Jump to behavior
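Read together, the lines in this section and in the shell-command lines above describe one chain under the sample (PID 618): hide the Terminal window, collect sw_vers and system_profiler output, run `dscl /Local/Default -authonly root ''` (a credential check against the local directory node: dscl exits 0 only if the password is valid), then show an osascript `display dialog` titled "System Preferences" with `hidden answer` (masked input) and `giving up after 30` (auto-dismiss), followed by a second dialog that says the password was invalid. PIDs such as 627 appear as both /bin/sh and /usr/bin/osascript because `sh -c` of a single command exec()s it in place without forking. The script below is an added detection example written for this report, not code from the sample or from the sandbox vendor. It takes process-exec events as (pid, ppid, exe, cmdline) tuples, walks each event up through shell wrappers to the process that started the chain, scores the indicators seen under that origin, and alerts when a masked-input dialog is paired with a credential check. The events are constructed from the PIDs and commands in this report plus two benign ones; the indicator weights and the alert threshold are assumptions to tune against your own telemetry.

```python
"""Score process-exec events for the osascript password prompt + dscl -authonly pattern."""
import re
from collections import defaultdict

# name -> (pattern over the command line, weight). Weights are assumptions for this example.
INDICATORS = {
    "hide_terminal":   (re.compile(r"osascript.*tell application ['\"]Terminal['\"] to set visible of front window to false"), 1),
    "password_dialog": (re.compile(r"display dialog.*\bhidden answer\b"), 3),   # masked-input AppleScript dialog
    "spoofed_title":   (re.compile(r"with title ['\"](System Preferences|System Settings|Finder|Keychain Access)['\"]"), 2),
    "authonly_check":  (re.compile(r"\bdscl\b.*-authonly"), 3),                  # verifies a password against a directory node
    "host_recon":      (re.compile(r"\b(sw_vers|system_profiler\s+SP\w+DataType)\b"), 1),
}
ALERT_THRESHOLD = 6          # password_dialog + authonly_check, or the full chain
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}

# Constructed events (pid, ppid, exe, cmdline) modelled on the report's PIDs; 900/901 are benign noise.
EVENTS = [
    (618, 1,   "/Users/bernard/Desktop/CalendlyApp", "/Users/bernard/Desktop/CalendlyApp"),
    (619, 618, "/bin/sh", "sh -c osascript -e 'tell application \"Terminal\" to set visible of front window to false'"),
    (619, 618, "/usr/bin/osascript", "osascript -e tell application \"Terminal\" to set visible of front window to false"),
    (621, 618, "/bin/sh", "sh -c sw_vers"),
    (622, 618, "/bin/sh", "sh -c system_profiler SPHardwareDataType"),
    (626, 618, "/bin/sh", "sh -c dscl /Local/Default -authonly root ''"),
    (627, 618, "/bin/sh", "sh -c osascript -e 'display dialog \"To launch the application, you need to update the "
                          "system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" "
                          "with icon caution default answer \"\" giving up after 30 with hidden answer'"),
    (627, 618, "/usr/bin/osascript", "osascript -e display dialog \"Please enter your password.\" with title "
                                     "\"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"),
    (900, 1,   "/usr/bin/osascript", "osascript -e display dialog \"Enter the VPN one-time code\" default answer \"\" with hidden answer"),
    (901, 1,   "/bin/sh", "sh -c sw_vers"),
]


def classify(cmdline):
    """Names of every indicator whose pattern matches this command line."""
    return [name for name, (rx, _) in INDICATORS.items() if rx.search(cmdline)]


def origin(pid, table):
    """Walk up through sh -c wrappers to the non-shell process that spawned the chain."""
    ppid = table[pid][0]
    while ppid in table and table[ppid][1] in SHELLS:
        ppid = table[ppid][0]
    return ppid


def score_origins(events):
    """Map each originating pid to (score, sorted indicator names) over all its descendants."""
    table = {pid: (ppid, exe) for pid, ppid, exe, _ in events}   # later exec of the same pid wins
    hits = defaultdict(set)
    for pid, _ppid, _exe, cmdline in events:
        for name in classify(cmdline):
            hits[origin(pid, table)].add(name)
    return {o: (sum(INDICATORS[n][1] for n in names), sorted(names)) for o, names in hits.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """Originating pids whose indicator score reaches the threshold."""
    return {o: names for o, (score, names) in score_origins(events).items() if score >= threshold}


if __name__ == "__main__":
    for o, (score, names) in sorted(score_origins(EVENTS).items()):
        print(f"origin pid {o}: score {score} {names}")
    print("alerts:", alerts(EVENTS))
```

Feed it real events from an Endpoint Security exec feed or your EDR's process telemetry and the only tuning needed is the weights. A single masked-input dialog (the benign PID 900 above) stays under the threshold; the sample's chain scores on all five indicators. The dialog text itself is deliberately not matched, since the lure wording changes between builds while the `hidden answer` parameter and the `dscl -authonly` verification do not.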