Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
CalendlyApp
|
Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>]
[arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
|
initial sample
|
 |
|
|
/Users/bernard/565464935/Sysinfo.txt
|
ASCII text
|
dropped
|
||
|
/private/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data
|
data
|
dropped
|
||
|
/private/var/root/Library/Saved Application State/com.apple.osascript.savedState/restorecount.plist
|
Apple binary property list
|
dropped
|
||
|
/private/var/root/Library/Saved Application State/com.apple.osascript.savedState/windows.plist
|
Apple binary property list
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/usr/libexec/xpcproxy
|
-
|
||
|
/usr/libexec/nsurlstoraged
|
/usr/libexec/nsurlstoraged --privileged
|
||
|
/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
|
-
|
||
|
/Users/bernard/Desktop/CalendlyApp
|
/Users/bernard/Desktop/CalendlyApp
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/osascript
|
osascript -e tell application 'Terminal' to set visible of front window to false
|
||
|
/bin/sh
|
-
|
||
|
/bin/mkdir
|
mkdir /Users/root/565464935
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/sw_vers
|
sw_vers
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/system_profiler
|
system_profiler SPHardwareDataType
|
||
|
/usr/sbin/system_profiler
|
-
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/system_profiler
|
system_profiler SPDisplaysDataType
|
||
|
/usr/sbin/system_profiler
|
-
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/dscl
|
dscl /Local/Default -authonly root
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/osascript
|
osascript -e display dialog 'To launch the application, you need to update the system settings \n\nPlease enter your password.'
with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/osascript
|
osascript -e display dialog 'To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease
enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer
|
||
|
/usr/libexec/xpcproxy
|
-
|
||
|
/usr/libexec/dirhelper
|
/usr/libexec/dirhelper
|
||
|
/usr/libexec/xpcproxy
|
-
|
||
|
/usr/libexec/firmwarecheckers/eficheck/eficheck
|
/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
|
There are 16 hidden processes, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
appledownload.map.fastly.net
|
151.101.131.8
|
||
|
h3.apis.apple.map.fastly.net
|
151.101.195.6
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
151.101.3.6
|
unknown
|
United States
|
||
|
192.229.211.108
|
unknown
|
United States
|
||
|
151.101.195.6
|
h3.apis.apple.map.fastly.net
|
United States
|
||
|
23.46.224.247
|
unknown
|
United States
|
||
|
151.101.131.8
|
appledownload.map.fastly.net
|
United States
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
103c3b000
|
page read and write
|
|||
|
103c3c000
|
page readonly
|
|||
|
1059e0000
|
page readonly
|
|||
|
103c48000
|
page read and write
|
|||
|
103c3a000
|
page read and write
|
|||
|
1059ac000
|
page read and write
|
|||
|
103c13000
|
page execute read
|
|||
|
1059a7000
|
page read and write
|
|||
|
105928000
|
page execute read
|