Antivirus scan for bec7bfc5375dd1c4bac23121c8d83b80f484cd53261f0d3f9f3f64177e4b7caf at 2018-04-11 00:39:59 UTC

Antivirus	Result	Update
Ad-Aware	Trojan.MAC.Proton.A	20180410
ALYac	Trojan.MAC.Proton.A	20180410
Avast	MacOS:Proton-B [Trj]	20180410
AVG	MacOS:Proton-B [Trj]	20180410
Avira (no cloud)	OSX/Proton.AB	20180410
BitDefender	Trojan.MAC.Proton.A	20180410
ClamAV	Osx.Malware.Proton-6399553-0	20180410
Comodo	.UnclassifiedMalware	20180410
DrWeb	Mac.BackDoor.Proton.2	20180410
Emsisoft	Trojan.MAC.Proton.A (B)	20180410
Endgame	malicious (high confidence)	20180403
ESET-NOD32	OSX/Proton.A	20180410
F-Secure	Trojan.MAC.Proton.A	20180410
GData	Trojan.MAC.Proton.A	20180410
Ikarus	Trojan.OSX.Proton.A	20180410
K7GW	Trojan ( 3ac077771 )	20180410
Kaspersky	HEUR:Backdoor.OSX.Proton.b	20180410
MAX	malware (ai score=82)	20180411
McAfee	OSX/Proton.a	20180410
McAfee-GW-Edition	OSX/Proton.a	20180410
eScan	Trojan.MAC.Proton.A	20180410
NANO-Antivirus	Trojan.Mac.Proton.eojkaz	20180410
Panda	OSX/BHT.O	20180410
Sophos AV	OSX/Proton-A	20180411
Symantec	OSX.Trojan.Gen	20180411
Tencent	Win32.Backdoor.Proton.Wogj	20180411
TrendMicro-HouseCall	Suspicious_GEN.F47V0328	20180411
ZoneAlarm by Check Point	HEUR:Backdoor.OSX.Proton.b	20180410
AegisLab		20180410
AhnLab-V3		20180410
Alibaba		20180410
Antiy-AVL		20180410
Arcabit		20180410
Avast-Mobile		20180410
AVware		20180410
Baidu		20180410
Bkav		20180410
CAT-QuickHeal		20180410
CMC		20180410
CrowdStrike Falcon (ML)		20170201
Cybereason		20180225
Cylance		20180411
Cyren		20180410
eGambit		20180411
F-Prot		20180410
Fortinet		20180410
Sophos ML		20180121
Jiangmin		20180410
K7AntiVirus		20180410
Kingsoft		20180411
Malwarebytes		20180410
Microsoft		20180410
nProtect		20180410
Palo Alto Networks (Known Signatures)		20180411
Qihoo-360		20180411
Rising		20180411
SentinelOne (Static ML)		20180225
SUPERAntiSpyware		20180411
Symantec Mobile Insight		20180406
TheHacker		20180410
TotalDefense		20180411
TrendMicro		20180411
Trustlook		20180411
VBA32		20180410
VIPRE		20180411
ViRobot		20180410
Webroot		20180411
WhiteArmor		20180408
Yandex		20180410
Zillya		20180410
Zoner		20180410

The file being studied is a Mac OS X executable! More specifically it is a executable file Mach-O for x86_64 based machines.

File header

File type executable file

Magic 0xfeedfacf

Required architecture x86_64

Sub-architecture X86_64_ALL

Entry point 0x100001180

Reserved 0x0

Load commands 24

Load commands size 4312

Flags

DYLDLINK
NOUNDEFS
TWOLEVEL

File segments

Name vmaddr vmsize offset size

[0] __PAGEZERO 0x0 0x100000000 0x0 0x0

[+] __TEXT 0x100000000 0x5e000 0x0 0x5e000

[+] __DATA 0x10005e000 0xf000 0x5e000 0xf000

[0] __LINKEDIT 0x10006d000 0x565c 0x6d000 0x565c

Shared libraries

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore

/System/Library/Frameworks/Security.framework/Versions/A/Security

/usr/lib/libSystem.B.dylib

/usr/lib/libobjc.A.dylib

Load commands

LC_DYLD_INFO_ONLY

LC_SYMTAB

LC_DYSYMTAB

LC_LOAD_DYLINKER

LC_UUID

LC_VERSION_MIN_MACOSX

LC_UNIXTHREAD

LC_LOAD_DYLIB

Execution parents

This file was created during the sandboxed execution of the following files.

7744593eec8e5d6b5c749c3fc5382f6494cc06df57f7eb60a0a82c1e1e39baeb

2a8ae452aeec9086640cf0c4f88c0eac41de02f6448b720d1f75b66234b2555b

3b33d950ce045630a2c6a57122fa3c424cced2c57240cadc43f4e7d5f3dfed7c

Compressed bundles

This file was also submitted to VirusTotal in the following compressed file bundles.

1111c769b04f3efc201531496fa5255e18ee960f2f625ba375a919c440fe22fb

1a5a16cec2cd578c1df37b01a9acce63e17ca726bb61383e3c11b2974b56b127

1e0d570ade31ae0c36c86497e6e46e32b46bdac16a58c58028bd422647c19d7c

284e859268a8f7fecec997f7aa6c87433a70e8285ed48f0da821bae60f4367d1

2a8ae452aeec9086640cf0c4f88c0eac41de02f6448b720d1f75b66234b2555b

3b33d950ce045630a2c6a57122fa3c424cced2c57240cadc43f4e7d5f3dfed7c

467a8139ac73022ad45994f53b4ac31ebba32d5f0f79040396ce1bf059f235f5

726e038c03ceb644afab9a5616e99c59d0c86ce18d3dcee23355ab7ec93787d5

746a5ede4b1ef268af48d3bc8b976ad5d3b6a3a6c57483fc935fdd37c3918eed

7744593eec8e5d6b5c749c3fc5382f6494cc06df57f7eb60a0a82c1e1e39baeb

File identification

MD5 6a2d0c8b20efc3fa283176a4bc76d6fd

SHA1 a1d23706522fcc5be456e45a9a64ef6d1275cea1

SHA256 bec7bfc5375dd1c4bac23121c8d83b80f484cd53261f0d3f9f3f64177e4b7caf

ssdeep

6144:38kae8WUmYKNU3d99FRPJ7k7EGtlqzYcdde7DLFdI0ZhAfvoYCMnnmB:ueedzFxGtlqxmLwQhMvo9Mni

File size 457.6 KB ( 468572 bytes )

File type Mach-O

Magic literal

Mach-O 64-bit executable

TrID	Mac OS X Mach-O 64bit Intel executable (100.0%)

VirusTotal metadata

First submission 2017-05-05 17:45:12 UTC ( 1 year, 3 months ago )

Last submission 2018-03-28 05:59:16 UTC ( 5 months ago )

File names

activity_agent
activity_agent
HandBrake
HandBrake
activity_agent
activity_agent
activity_agent
6a2d0c8b20efc3fa283176a4bc76d6fd.bin
activity_agent
activity_agent

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Output

2017-05-05 18:47:45.884 _Users_user1_Library_RenderFiles_activity_agent.app_Contents_MacOS_activity_agent[697:7690] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSArrayI objectAtIndex:]: index 81 beyond bounds [0 .. 0]'
*** First throw call stack:
(
	0   CoreFoundation                      0x00007fff97c58bd2 __exceptionPreprocess + 178
	1   libobjc.A.dylib                     0x00007fff9989edd4 objc_exception_throw + 48
	2   CoreFoundation                      0x00007fff97b789c4 -[__NSArrayI objectAtIndex:] + 164
	3   _Users_user1_Library_RenderFiles_activity_agent.app_Contents_MacOS_activity_agent 0x000000010001e8a7 _Users_user1_Library_RenderFiles_activity_agent.app_Contents_MacOS_activity_agent + 125095
	4   _Users_user1_Library_RenderFiles_activity_agent.app_Contents_MacOS_activity_agent 0x00000001000011b4 _Users_user1_Library_RenderFiles_activity_agent.app_Contents_MacOS_activity_agent + 4532
	5   ???                                 0x0000000000000001 0x0 + 1
)
libc+

Opened files

[_Users_user1_Lib] /Users/user1/client/tmp/bec7bfc5375dd1c4bac23121c8d83b80f484cd53261f0d3f9f3f64177e4b7caf (successful)

[_Users_user1_Lib] /Users/user1/client/tmp/bec7bfc5375dd1c4bac23121c8d83b80f484cd53261f0d3f9f3f64177e4b7caf/_Users_user1_Library_RenderFiles_activity_agent.app_Contents_MacOS_activity_agent (successful)

[appstoreupdateag] /System/Library/CoreServices/ServerVersion.plist (failed)

[appstoreupdateag] /System/Library/CoreServices/SystemVersion.bundle (successful)

[appstoreupdateag] /System/Library/CoreServices/SystemVersion.bundle/Base.lproj (failed)

[appstoreupdateag] /System/Library/CoreServices/SystemVersion.bundle/English.lproj (successful)

[appstoreupdateag] /System/Library/CoreServices/SystemVersion.bundle/English.lproj/SystemVersion.strings (successful)

[appstoreupdateag] /System/Library/CoreServices/SystemVersion.plist (successful)

[appstoreupdateag] /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources (successful)

[appstoreupdateag] /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/Base.lproj (successful)

Read files

[appstoreupdateag] /System/Library/CoreServices/SystemVersion.bundle/English.lproj/SystemVersion.strings (successful)

[appstoreupdateag] /Users/user1/.CFUserTextEncoding (successful)

[appstoreupdateag] /System/Library/CoreServices/SystemVersion.plist (successful)

[appstoreupdateag] /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/appstoreupdateagent (successful)

Written files

[unknown] /Users/user1/client/tmp/bec7bfc5375dd1c4bac23121c8d83b80f484cd53261f0d3f9f3f64177e4b7caf (successful)

Created processes

/Users/user1/client/tmp/bec7bfc5375dd1c4bac23121c8d83b80f484cd53261f0d3f9f3f64177e4b7caf/_Users_user1_Library_RenderFiles_activity_agent.app_Contents_MacOS_activity_agent (successful)

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/appstoreupdateagent (successful)

SHA256:	bec7bfc5375dd1c4bac23121c8d83b80f484cd53261f0d3f9f3f64177e4b7caf
File name:	activity_agent
Detection ratio:	28 / 61
Analysis date:	2018-04-11 00:39:59 UTC ( 4 months, 2 weeks ago )

Ciphered bundle