Antivirus scan for 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793 at 2018-03-28 06:05:22 UTC

Antivirus	Result	Update
Ad-Aware	Trojan.MAC.Proton.A	20180328
AhnLab-V3	BinImage/Proton	20180328
ALYac	Trojan.OSX.Proton	20180328
Antiy-AVL	Trojan[Backdoor]/OSX.Proton	20180327
Arcabit	Trojan.MAC.Proton.A	20180328
Avast	MacOS:Proton-A [Trj]	20180328
AVG	MacOS:Proton-A [Trj]	20180328
Avira (no cloud)	OSX/Proton.uoopm	20180328
BitDefender	Trojan.MAC.Proton.A	20180328
ClamAV	Osx.Trojan.Proton-6316148-0	20180328
Comodo	UnclassifiedMalware	20180328
Cyren	Trojan.INJM-7	20180328
DrWeb	Mac.BackDoor.Proton.1	20180328
Emsisoft	Trojan.MAC.Proton.A (B)	20180328
ESET-NOD32	OSX/Proton.A	20180328
F-Secure	Backdoor:OSX/Proton.A	20180328
GData	Trojan.MAC.Proton.A	20180328
Ikarus	Trojan.OSX.Proton.A	20180327
Kaspersky	HEUR:Backdoor.OSX.Proton.b	20180328
MAX	malware (ai score=86)	20180328
McAfee	OSX/Generics.p	20180328
McAfee-GW-Edition	OSX/Generics.p	20180328
eScan	Trojan.MAC.Proton.A	20180328
NANO-Antivirus	Trojan.Mac.Proton.eokpjt	20180328
Sophos AV	OSX/Proton-A	20180328
Symantec	OSX.Dropper	20180328
TrendMicro	OSX_PROTON.A	20180328
TrendMicro-HouseCall	OSX_PROTON.A	20180328
Zillya	Backdoor.Proton.OSX.8	20180327
ZoneAlarm by Check Point	HEUR:Backdoor.OSX.Proton.b	20180328
AegisLab		20180328
Alibaba		20180328
Avast-Mobile		20180327
AVware		20180328
Baidu		20180328
Bkav		20180327
CAT-QuickHeal		20180327
CMC		20180327
CrowdStrike Falcon (ML)		20170201
Cybereason		None
Cylance		20180328
eGambit		20180328
Endgame		20180316
F-Prot		20180328
Fortinet		20180328
Sophos ML		20180121
Jiangmin		20180328
K7AntiVirus		20180328
K7GW		20180328
Kingsoft		20180328
Malwarebytes		20180328
Microsoft		20180328
nProtect		20180328
Palo Alto Networks (Known Signatures)		20180328
Panda		20180327
Qihoo-360		20180328
Rising		20180328
SentinelOne (Static ML)		20180225
SUPERAntiSpyware		20180328
Symantec Mobile Insight		20180311
Tencent		20180328
TheHacker		20180327
Trustlook		20180328
VBA32		20180327
VIPRE		20180328
ViRobot		20180328
WhiteArmor		20180324
Yandex		20180327
Zoner		20180327

The file being studied is an Apple Disk Image! More specifically it follows the Universal Disk Image Format, commonly found with the DMG extension.

Main executable

Package path /HandBrake.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate

SHA256 4183f16cdfbff526501e3dce384fe14de7b53b0eca15b3d25857e8bdea9c4fc8

Detection ratio 0 / 57 when this report was generated

File size 166964 Bytes

HFS File ID 80

DMG HFS Property List

SUFeedURL

https://handbrake.fr/appcast.x86_64.xml

CFBundleInfoDictionaryVersion

6.0

NSHumanReadableCopyright

CFBundleGetInfoString

2017042800

CFBundleIdentifier

fr.handbrake.HandBrake

CFBundleDocumentTypes

{u'CFBundleTypeName': u'All files', u'CFBundleTypeRole': u'Viewer', u'CFBundleTypeExtensions': [u'*']}
{u'CFBundleTypeRole': u'Viewer', u'LSItemContentTypes': [u'public.movie']}

SUAllowsAutomaticUpdates

False

CFBundleShortVersionString

1.0.7

CFBundleDisplayName

HandBrake

BuildMachineOSBuild

15F34

CFBundleExecutable

HandBrake

LSMinimumSystemVersion

10.7

CFBundleVersion

2017042800

SUPublicDSAKeyFile

dsa_pub.pem

CFBundleIconFile

HandBrake

NSMainNibFile

MainMenu

CFBundleDevelopmentRegion

CFBundleSupportedPlatforms

MacOSX

CFBundleSignature

????

CFBundleName

HandBrake

CFBundlePackageType

APPL

NSPrincipalClass

HBApplication

Contained Mac OS X executables

This DMG contains a hierarchical file system that stores the following Mac OS X executables.

[+] /HandBrake.app/Contents/MacOS/HandBrake 753024 Bytes

[+] /HandBrake.app/Contents/Frameworks/Growl.framework/Growl 1093888 Bytes

[+] /HandBrake.app/Contents/Frameworks/Growl.framework/Versio... 1093888 Bytes

[+] /HandBrake.app/Contents/Frameworks/HandBrakeKit.framework... 29402692 Bytes

[+] /HandBrake.app/Contents/Frameworks/Sparkle.framework/Sparkle 373484 Bytes

[+] /HandBrake.app/Contents/Frameworks/Sparkle.framework/Vers... 166964 Bytes

[+] /HandBrake.app/Contents/Frameworks/Sparkle.framework/Vers... 373484 Bytes

Contained file bundles

This DMG contains a hierarchical file system that stores the following file bundles.

[+] /HandBrake.app/Contents/Resources/HBPlayerHUDMainControll... 1599128 Bytes

BLKX Table

Entry Attributes

Protective Master Boot Record (MBR : 0) 0x0050

GPT Header (Primary GPT Header : 1) 0x0050

GPT Partition Data (Primary GPT Table : 2) 0x0050

(Apple_Free : 3) 0x0050

disk image (Apple_HFS : 4) 0x0050

(Apple_Free : 5) 0x0050

GPT Partition Data (Backup GPT Table : 6) 0x0050

GPT Header (Backup GPT Header : 7) 0x0050

DMG XML Property List

Entry Attributes

ID:0 0x0050

DMG structural properties

DMG version

Data fork offset

0x0

Data fork length

16581841

Resource fork offset

0x0

Resource fork length

Resource fork keys

blkx, plst

Running data fork offset

0x0

XML offset

0x16581841

XML length

10759

PLST keys

resource-fork

Compressed bundles

This file was also submitted to VirusTotal in the following compressed file bundles.

1a5a16cec2cd578c1df37b01a9acce63e17ca726bb61383e3c11b2974b56b127

284e859268a8f7fecec997f7aa6c87433a70e8285ed48f0da821bae60f4367d1

c57ae6bd6a7a99aa8039c713dec95826d41ef899a017f51a44afd6c0753e904d

File identification

MD5 e420a2dfb206c8777002583637037d29

SHA1 0935a43ca90c6c419a49e4f8f1d75e68cd70b274

SHA256 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

ssdeep

393216:Sgr4rKkDy6ZThgZzDw/i0X71Oxf3pi0SZH+x96:JrEK3+hgN2BsMeD6

File size 15.8 MB ( 16593112 bytes )

File type Macintosh Disk Image

Magic literal

x86 boot sector

TrID	Macintosh Disk image (BZlib compressed) (97.6%) ZLIB compressed data (var. 1) (2.3%) Master Boot Record dump (0.0%)

VirusTotal metadata

First submission 2017-05-03 19:01:45 UTC ( 1 year, 3 months ago )

Last submission 2018-03-28 06:05:22 UTC ( 5 months ago )

File names

HandBrake-1.0.7.dmg
Handbrake.dmg
e420a2dfb206c8777002583637037d29.virus
Handbrake.dmg.exe
HandBrake-1.0.7-2.dmg

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Opened files

[HandBrake] //System/Library/CoreServices/SystemVersion.plist (successful)

[HandBrake] /Library/Caches/com.apple.iconservices.store/017EFAAE-7B2A-664B-17EC-05042F62C788.isdata (successful)

[HandBrake] /Library/Caches/com.apple.iconservices.store/18173251-C09C-DCCA-483B-8A10FAA9CF26.isdata (successful)

[HandBrake] /Library/Caches/com.apple.iconservices.store/55C3EF8E-5284-DE72-168F-B902B608E65D.isdata (successful)

[HandBrake] /Library/Caches/com.apple.iconservices.store/5DAB1D3D-C192-24AE-7E5F-A426877790D3.isdata (successful)

[HandBrake] /Library/Caches/com.apple.iconservices.store/6147281C-5093-C6F3-3E4B-8E3CFDBB0682.isdata (successful)

[HandBrake] /Library/Caches/com.apple.iconservices.store/66211636-7F2A-9904-4192-11D8B5344D12.isdata (successful)

[HandBrake] /Library/Caches/com.apple.iconservices.store/C40C7478-9905-E1EA-B6F4-AFCC4706A3B1.isdata (successful)

[HandBrake] /Library/Caches/com.apple.iconservices.store/C510D7A3-F1DB-5C29-9E41-CF2A30E4D5A6.isdata (successful)

[HandBrake] /Library/Caches/com.apple.iconservices.store/C7E71A85-CEC5-5B57-1675-81CDD6F48E33.isdata (successful)

Read files

[HandBrake] /System/Library/ColorSync/Profiles/Generic Gray Gamma 2.2 Profile.icc (successful)

[HandBrake] /System/Library/ColorSync/Profiles/Generic Gray Profile.icc (successful)

[HandBrake] /System/Library/ColorSync/Profiles/Generic RGB Profile.icc (successful)

[HandBrake] /System/Library/ColorSync/Profiles/sRGB Profile.icc (successful)

[HandBrake] /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist (successful)

[HandBrake] /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist (successful)

[HandBrake] /System/Library/CoreServices/Finder.app/Contents/PkgInfo (successful)

[HandBrake] /System/Library/CoreServices/Finder.app/Contents/Resources/English.lproj/InfoPlist.strings (successful)

[HandBrake] /System/Library/CoreServices/Finder.app/Contents/Resources/MyLibraries/myDocuments.cannedSearch/Resources/English.lproj/InfoPlist.strings (successful)

[HandBrake] /System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/Assets.car (successful)

Written files

[HandBrake] /Users/user1/Library/Application Support/HandBrake/.dat.nosync02c0.977cJQ (successful)

[HandBrake] /Users/user1/Library/Application Support/HandBrake/.dat.nosync02c0.KlyyoZ (successful)

[curl] /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C/mds/mdsDirectory.db_ (successful)

[curl] /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C/mds/mdsObject.db_ (successful)

[unknown] /Users/user1/Library/Saved Application State/fr.handbrake.HandBrake.savedState/window_1.data (successful)

[unknown] /tmp (successful)

[unknown] /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C/mds/mdsDirectory.db (successful)

[unknown] /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C/mds/mdsObject.db (successful)

[HandBrake] /Users/user1/Library/Application Support/HandBrake/HandBrake-activitylog.txt (successful)

[HandBrake] /Users/user1/Library/Saved Application State/fr.handbrake.HandBrake.savedState/data.data (successful)

Moved files

SRC: /Users/user1/Library/Application Support/HandBrake/.dat.nosync02c0.977cJQ
DST: /Users/user1/Library/Application Support/HandBrake/Queue.hbqueue (successful)
PS: HandBrake

SRC: /Users/user1/Library/Application Support/HandBrake/.dat.nosync02c0.KlyyoZ
DST: /Users/user1/Library/Application Support/HandBrake/Queue.hbqueue (successful)
PS: HandBrake

SRC: /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C//mds/mdsObject.db_
DST: /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C//mds/mdsObject.db (successful)
PS: curl

SRC: /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C//mds/mdsDirectory.db_
DST: /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C//mds/mdsDirectory.db (successful)
PS: curl

SRC: /Users/user1/Library/Application Support/HandBrake/.dat.nosync02c0.977cJQ
DST: /Users/user1/Library/Application Support/HandBrake/Queue.hbqueue (successful)
PS: HandBrake

SRC: /Users/user1/Library/Application Support/HandBrake/.dat.nosync02c0.KlyyoZ
DST: /Users/user1/Library/Application Support/HandBrake/Queue.hbqueue (successful)
PS: HandBrake

SRC: /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C//mds/mdsObject.db_
DST: /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C//mds/mdsObject.db (successful)
PS: curl

SRC: /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C//mds/mdsDirectory.db_
DST: /var/folders/h7/q_jbkm8d2wv_ltw_6w72cx740000gn/C//mds/mdsDirectory.db (successful)
PS: curl

Created processes

/usr/bin/python /usr/bin/xattr-2.7 -c /tmp/HandBrake.app (successful)

/Volumes/HandBrake/HandBrake.app/Contents/MacOS/HandBrake (successful)

sh (successful)

pgrep -x activity_agent (successful)

sh (successful)

unzip -P qzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ /Volumes/HandBrake/HandBrake.app/Contents/Resources/HBPlayerHUDMainController.nib -d /tmp (successful)

/tmp/HandBrake.app/Contents/MacOS/HandBrake (successful)

sh (successful)

openssl rsautl -verify -in /tmp/HandBrake.app/Contents/Resources/.tmpdata -pubin -inkey /tmp/public.pem (successful)

sh (successful)

HTTP requests

URL: http://s2.symcb.com/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFLnpsocChQP47KX7QuE%2BD0nHJCbiBBR%2F02Wnwt3su%2FAwCfNDOfoCrzMxMwIQfuFKb2%2Fv8tN%2FP61lTTratA%3D%3D
TYPE: GET
USER AGENT: ocspd/1.0.3

URL: http://gspe21.ls.apple.com/stylesheet/default-10412@2x.styl?sid=0962350089787099331810106107266601061176&accessKey=1493842257_Bkei1zmy2hm1OyRS_bIdob25taxmjtcWFVm5%2FdeUyrpv5CjQs60Pq8pwIZMQhbtMREBEkuqhNo%2B1Uo%2F3ny33mKkUP%2FggsgMT1DIsFzdQ71lnvKX238NbC81D8da7Wd1f9%2B7WDNwH2Wj4cY84oSG9DcNsd97v%2BqNhoyHfX2w%3D%3D
TYPE: GET
USER AGENT: com.apple.geod/1151.2.13.1 CFNetwork/760.0.5 Darwin/15.0.0 (x86_64)

URL: http://gspe21.ls.apple.com/stylesheet/default-8871.styl?sid=0962350089787099331810106107266601061176&accessKey=1493842257_CopzDg2j4a5cKTAV_VgSP5tEf3KaP5LJyHCXQV6UHJEOSKmW6et0NGhh7pgRU8CxRd8VnE90VlWqkvEjhW4Lj5jGQoZM33cZvIA08%2BxAuaoiIoyH0XEUk8neow92duZ6s3ltOib5obqyz1PwY8E%2BKtDedD2GaQjKxzBQxPw%3D%3D
TYPE: GET
USER AGENT: com.apple.geod/1151.2.13.1 CFNetwork/760.0.5 Darwin/15.0.0 (x86_64)

URL: http://gspe21.ls.apple.com/stylesheet/default-search-2977.styl?sid=0962350089787099331810106107266601061176&accessKey=1493842257_6gcuodGiProgA8ZG_rFvgULRjM4we4J%2Fw40xMpYoM1uyZSGw3iNH8nRHkfsi9MIRpehLdDdvZs%2FdcT9665RGfjYQA5uXTPUvbHeHIpUNRENTbeJ6YVW2s8uuNW7PmhaLRZfFYYZvJu7%2FOncv7O2NY9sqd8mHF3SGoyE4TUw%3D%3D
TYPE: GET
USER AGENT: com.apple.geod/1151.2.13.1 CFNetwork/760.0.5 Darwin/15.0.0 (x86_64)

URL: http://gspe21.ls.apple.com/stylesheet/default-search-3329@2x.styl?sid=0962350089787099331810106107266601061176&accessKey=1493842257_k4mH5p1aFoDV7nVP_PfRvz46dv8lpaeCSYXr9A20bC6xFUULHGw3rmAN%2F3QCezloPA39GTDMRR8KW3u0n4Qs4mIMmlTftjtSggyxaT1oyEwXJtW9DYP3nxfU10cIYyjWMWKFJsgXF6SX61MsvK5rWbT0kgK20TJUysh0EIQ%3D%3D
TYPE: GET
USER AGENT: com.apple.geod/1151.2.13.1 CFNetwork/760.0.5 Darwin/15.0.0 (x86_64)

URL: http://gspe21.ls.apple.com/stylesheet/globe-default-1018.styl?sid=0962350089787099331810106107266601061176&accessKey=1493842257_Gu95CKl0OKPHuf6E_r7KJu7rWqX4uoOmeL1RpirBpmvD7NGMnKtnD%2F06ltSuZ2G9A35WlbXbdNP8%2BYDpsSSZezvuuGucoBN0XGSA4KfRG%2FuTO8Fi4LBt5e8oq7A0iAL1x8ZyjfIg2tlt%2BnOipmBXococFstMIopscFlOUog%3D%3D
TYPE: GET
USER AGENT: com.apple.geod/1151.2.13.1 CFNetwork/760.0.5 Darwin/15.0.0 (x86_64)

URL: http://gspe21.ls.apple.com/stylesheet/globe-default-1023@2x.styl?sid=0962350089787099331810106107266601061176&accessKey=1493842257_cPnzEsH6lTHhWb6x_S2%2FzPtPth%2FzsJ%2BQuaSedYNc10WvuT0CneYbQVpEnwvhKrGfeogn%2FntgisaEGixxfJEXhJV%2BBNqFo0YGew9QiZQshl8nn2A5QNQE0VgJl%2FZuWPyR0nnBYxoOd11VmDdQ24YOz8SqjLH4WwfjdEXcINA%3D%3D
TYPE: GET
USER AGENT: com.apple.geod/1151.2.13.1 CFNetwork/760.0.5 Darwin/15.0.0 (x86_64)

URL: http://gspe21.ls.apple.com/stylesheet/hybrid-941.styl?sid=0962350089787099331810106107266601061176&accessKey=1493842257_eofiIucl1mYq4V94_7eOhlE7RSmZUwNR8RGry4cEeO5a%2BlIqA4WKFXBqC7v6Do8k8wEaB15wQyvTU3AW911jzdQJuWbfi9DHbfJY5bc0oC81CYEXLKeqE%2FY2n9IEWXsAqMjUGq1qBAi%2F3FyqwBQmBJB2Cp42WvyzpxCbF%2Fw%3D%3D
TYPE: GET
USER AGENT: com.apple.geod/1151.2.13.1 CFNetwork/760.0.5 Darwin/15.0.0 (x86_64)

URL: http://gspe21.ls.apple.com/stylesheet/hybrid-941@2x.styl?sid=0962350089787099331810106107266601061176&accessKey=1493842257_ZQPLCenMJd2rEvEM_%2F3KZnWanO%2FgbjKr9qxPxFqqWiJxsYzEzEzK2Oi4P7BSEd06QPiMjPZ2FQfCEbx9eL9bi90adTQ1eGAfTtw9kuKefvjbICSJIZ8MxjJJYI7AMifT1JyPPe9s5yFjNWIxMXQhYc9ZwWwCExvWwX6qL6g%3D%3D
TYPE: GET
USER AGENT: com.apple.geod/1151.2.13.1 CFNetwork/760.0.5 Darwin/15.0.0 (x86_64)

URL: http://gspe21.ls.apple.com/icon/17-23-6-Rest-of-NY-transit-icons-3.iconpack?sid=0962350089787099331810106107266601061176&accessKey=1493842257_5Kl053tS7w45LXA0_ZwgvvD4Ghx%2F2bZkqH260RBzAN9RxTe9fCZu5fWwCjOeEQ2BQe12RheceRaTl1lLDH9w47DDuyqlCqV10rzwtlkUgKw%2F%2F%2F5jmscwK%2F1OZYZbxh7Fl2E6oOZqpUagdgRsanT9r1ApTNsl7LOx5jMg0D2jWZ%2Bv1JwMOa%2FYwWOook4c%3D
TYPE: GET
USER AGENT: com.apple.geod/1151.2.13.1 CFNetwork/760.0.5 Darwin/15.0.0 (x86_64)

DNS requests

www.apple.com (23.0.28.14)

TCP connections

23.196.93.226:443

SHA256:	013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
File name:	Handbrake.dmg.exe
Detection ratio:	30 / 58
Analysis date:	2018-03-28 06:05:22 UTC ( 5 months ago )

Ciphered bundle

Main executable

DMG HFS Property List

Contained Mac OS X executables

Contained file bundles

BLKX Table

DMG XML Property List

DMG structural properties

Compressed bundles

File identification

VirusTotal metadata

Leave your comment...

Opened files

Read files

Written files

Moved files

Created processes

HTTP requests

DNS requests

TCP connections

Recover your password

Join VirusTotal Community

Sign in