macOS Analysis Report
CalendlyApp

Overview

General Information

Sample name: CalendlyApp
Analysis ID: 1541759
MD5: 55c70b5d0cebb28d0ba3e21a6b065884
SHA1: 15e4f1227b9c76400dc15f39a22c553065c62fd6
SHA256: a697503c8d77ad21f30eb9e5efbbb50b2fa20237931072bc66101292c4eb6d4b
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Executes Apple scripts that request for passwords (for privilege escalation or leakage)
Executes the "dscl" command with authonly argument (probably to verify the login password)
Uses Apple scripts to hide Terminal windows
Contains symbols with suspicious names likely related to networking
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes commands using a shell command-line interpreter
Executes the "mkdir" command used to create folders
Executes the "system_profiler" command used to collect detailed system hardware and software information
Queries OS software version with shell command 'sw_vers'
Reads file resource fork extended attributes
Reads hardware related sysctl values
Reads the saved state of applications
Reads the sysctl hardware model value (potentially used for VM-detection)
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Reads the systems OS release and/or type
Reads the systems hostname
Sample is a FAT Mach-O sample containing binaries for multiple architectures
Sample is code signed by an ad-hoc signature
Uses AppleScript framework/components containing Apple Script related functionalities
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: CalendlyApp ReversingLabs: Detection: 31%
Source: CalendlyApp Virustotal: Detection: 47% Perma Link
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown HTTPS traffic detected: 17.253.97.206:443 -> 192.168.11.12:49352 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49382 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49383 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49384 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49385 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Contains symbols with suspicious names likely related to networking
Source: submission: CalendlyApp Mach-O symbol: _send
Source: submission: CalendlyApp Mach-O symbol: _socket
Source: submission: CalendlyApp Mach-O symbol: _connect
Source: submission: CalendlyApp Mach-O symbol: _inet_addr
Source: submission: CalendlyApp Mach-O symbol: _send
Source: submission: CalendlyApp Mach-O symbol: _socket
Source: submission: CalendlyApp Mach-O symbol: _connect
Source: submission: CalendlyApp Mach-O symbol: _inet_addr
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.248.199.64
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.97.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.46.224.247
Source: unknown TCP traffic detected without corresponding DNS query: 23.46.224.247
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: CalendlyApp, 00000621.00000258.1.000000010cbd1000.000000010cbfa000.r--.sdmp String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: CalendlyApp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: CalendlyApp, 00000621.00000258.1.000000010cbd1000.000000010cbfa000.r--.sdmp String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: CalendlyApp, 00000621.00000258.1.000000010cbd1000.000000010cbfa000.r--.sdmp String found in binary or memory: http://www.apple.com/certificateauthority0
Source: CalendlyApp, 00000621.00000258.1.000000010cbd1000.000000010cbfa000.r--.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49386
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49385
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49384
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49383
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49382
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49381
Source: unknown Network traffic detected: HTTP traffic on port 49386 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49384 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49382 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49390
Source: unknown Network traffic detected: HTTP traffic on port 49390 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49385 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49383 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49381 -> 443
Source: unknown HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown HTTPS traffic detected: 17.253.97.206:443 -> 192.168.11.12:49352 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49382 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49383 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49384 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49385 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: classification engine Classification label: mal60.spyw.evad.mac@0/6@1/0
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Source: /bin/sh (PID: 622) Osascript command executed: osascript -e tell application 'Terminal' to set visible of front window to false Jump to behavior
Source: /bin/sh (PID: 630) Osascript command executed: osascript -e display dialog 'To launch the application, you need to update the system settings \n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer Jump to behavior
Source: /bin/sh (PID: 652) Osascript command executed: osascript -e display dialog 'To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer Jump to behavior
Executes commands using a shell command-line interpreter
Source: /Users/bernard/Desktop/CalendlyApp (PID: 621) Shell command executed: sh -c osascript -e 'tell application 'Terminal' to set visible of front window to false' Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 621) Shell command executed: sh -c mkdir /Users/root/570944017 Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 621) Shell command executed: sh -c sw_vers Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 621) Shell command executed: sh -c system_profiler SPHardwareDataType Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 621) Shell command executed: sh -c system_profiler SPDisplaysDataType Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 621) Shell command executed: sh -c dscl /Local/Default -authonly root '' Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 621) Shell command executed: sh -c osascript -e 'display dialog 'To launch the application, you need to update the system settings \n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer' Jump to behavior
Source: /Users/bernard/Desktop/CalendlyApp (PID: 621) Shell command executed: sh -c osascript -e 'display dialog 'To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer' Jump to behavior
Executes the "mkdir" command used to create folders
Source: /bin/sh (PID: 623) Mkdir executable: /bin/mkdir -> mkdir /Users/root/570944017 Jump to behavior
Reads the saved state of applications
Source: /usr/bin/osascript (PID: 652) Saved state directory opened: /private/var/root/Library/Saved Application State/com.apple.osascript.savedState Jump to behavior
Sample is a FAT Mach-O sample containing binaries for multiple architectures
Source: submission File header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
Sample is code signed by an ad-hoc signature
Source: submission Code Signing Info: Signature=adhoc
Uses AppleScript framework/components containing Apple Script related functionalities
Source: /usr/bin/osascript (PID: 622) AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 622) AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 630) AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 630) AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 652) AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 652) AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist Jump to behavior
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Source: /usr/bin/osascript (PID: 622) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 622) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 630) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 630) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 652) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 652) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist Jump to behavior
Source: submission Mach-O header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
Source: /usr/bin/osascript (PID: 622) Random device file read: /dev/random Jump to behavior
Source: /usr/bin/osascript (PID: 630) Random device file read: /dev/random Jump to behavior
Source: /usr/bin/osascript (PID: 652) Random device file read: /dev/random Jump to behavior
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 654) Random device file read: /dev/random Jump to behavior
Source: /usr/bin/osascript (PID: 622) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 630) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 652) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist Jump to behavior
Source: /usr/bin/osascript (PID: 630) Binary plist file created: /private/var/root/Library/Saved Application State/com.apple.osascript.savedState/windows.plist
Source: /usr/bin/osascript (PID: 652) Binary plist file created: /private/var/root/Library/Saved Application State/com.apple.osascript.savedState/restorecount.plist Jump to dropped file
Source: /usr/bin/osascript (PID: 652) Binary plist file created: /private/var/root/Library/Saved Application State/com.apple.osascript.savedState/windows.plist Jump to dropped file
Source: submission CodeSign Info: Executable=/Users/bernard/Desktop/CalendlyApp

Hooking and other Techniques for Hiding and Protection
barindex
Uses Apple scripts to hide Terminal windows
Source: /bin/sh (PID: 622) Osascript command executed: osascript -e tell application 'Terminal' to set visible of front window to false Jump to behavior
Reads file resource fork extended attributes
Source: /usr/bin/osascript (PID: 622) Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc Jump to behavior
Source: /usr/bin/osascript (PID: 630) Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc Jump to behavior
Source: /usr/bin/osascript (PID: 652) Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc Jump to behavior
Reads the sysctl hardware model value (potentially used for VM-detection)
Source: /usr/sbin/system_profiler (PID: 626) Sysctl read request: hw.model (6.2) Jump to behavior
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /usr/bin/osascript (PID: 630) Sysctl read request: kern.safeboot (1.66) Jump to behavior
Source: /usr/bin/osascript (PID: 652) Sysctl read request: kern.safeboot (1.66) Jump to behavior
Queries OS software version with shell command 'sw_vers'
Source: /bin/sh (PID: 624) sw_vers executed: sw_vers Jump to behavior
Reads hardware related sysctl values
Source: /usr/sbin/system_profiler (PID: 626) Sysctl read request: hw.cpu_freq (6.15) Jump to behavior
Source: /usr/sbin/system_profiler (PID: 626) Sysctl read request: hw.memsize (6.24) Jump to behavior
Source: /usr/bin/osascript (PID: 630) Sysctl read request: hw.availcpu (6.25) Jump to behavior
Source: /usr/bin/osascript (PID: 652) Sysctl read request: hw.availcpu (6.25) Jump to behavior
Reads the systems OS release and/or type
Source: /usr/bin/osascript (PID: 630) Sysctl requested: kern.ostype (1.1) Jump to behavior
Source: /usr/bin/osascript (PID: 630) Sysctl requested: kern.osrelease (1.2) Jump to behavior
Source: /usr/bin/osascript (PID: 652) Sysctl requested: kern.ostype (1.1) Jump to behavior
Source: /usr/bin/osascript (PID: 652) Sysctl requested: kern.osrelease (1.2) Jump to behavior
Reads the systems hostname
Source: /bin/sh (PID: 622) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 623) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 624) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 625) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 627) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 629) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 630) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /usr/bin/osascript (PID: 630) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /bin/sh (PID: 652) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /usr/bin/osascript (PID: 652) Sysctl requested: kern.hostname (1.10) Jump to behavior
Source: /usr/bin/osascript (PID: 622) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist Jump to behavior
Source: /usr/bin/sw_vers (PID: 624) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist Jump to behavior
Source: /usr/bin/osascript (PID: 630) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist Jump to behavior
Source: /usr/bin/osascript (PID: 652) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist Jump to behavior

Stealing of Sensitive Information
barindex
Executes Apple scripts that request for passwords (for privilege escalation or leakage)
Source: /bin/sh (PID: 630) Osascript requesting password: osascript -e display dialog 'To launch the application, you need to update the system settings \n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer Jump to behavior
Source: /bin/sh (PID: 652) Osascript requesting password: osascript -e display dialog 'To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer Jump to behavior
Executes the "dscl" command with authonly argument (probably to verify the login password)
Source: /bin/sh (PID: 629) Security executable: /usr/bin/dscl dscl /Local/Default -authonly root Jump to behavior
Executes the "system_profiler" command used to collect detailed system hardware and software information
Source: /bin/sh (PID: 625) System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType Jump to behavior
Source: /usr/sbin/system_profiler (PID: 625) System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full Jump to behavior
Source: /bin/sh (PID: 627) System_profiler executable: /usr/sbin/system_profiler system_profiler SPDisplaysDataType Jump to behavior
Source: /usr/sbin/system_profiler (PID: 627) System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPDisplaysDataType -detailLevel full Jump to behavior
cam-macmac-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
151.101.131.6
 h3.apis.apple.map.fastly.net United States
54113 FASTLYUS false
151.101.195.6
 unknown United States
54113 FASTLYUS false
23.46.224.247
 unknown United States
16625 AKAMAI-ASUS false
151.101.67.6
 unknown United States
54113 FASTLYUS false

Contacted Domains

Name IP Active
h3.apis.apple.map.fastly.net 151.101.131.6 true