Overview

overview

10

Static

static

8

rook1.exe

windows7_x64

10

rook1.exe

windows10_x64

10

rook1.exe

macos_amd64

1

rook1.exe

linux_amd64

Resubmissions

11-01-2022 18:27

220111-w33m7agfg9 10

20-12-2021 20:51

211220-zm6xfsbge6 10

Analysis

  • max time kernel
    7s
  • max time network
    9s
  • platform
    macos_amd64
  • resource
    macos
  • submitted
    11-01-2022 18:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rook1.exe

  • Size

    5.4MB

  • MD5

    4f7adc32ec67c1a55853ef828fe58707

  • SHA1

    36de7997949ac3b9b456023fb072b9a8cd84ade8

  • SHA256

    96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b

  • SHA512

    a45e4a20133c842037789157c3ed845afdefbb0d2fe3958d75f0cb3cdfeee106262f9de0e0aca92ac84a0211432cd19773e0f769b970ddb8a80e5f7855676f74

Score
1/10

Malware Config

Signatures

Processes

  • /usr/sbin/spctl
    /usr/sbin/spctl --test-devid-status
    1⤵
      PID:610
    • /usr/bin/syslog
      /usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
      1⤵
        PID:611
      • /bin/sh
        sh -c "sudo /bin/zsh -c \"/Users/run/rook1.exe\""
        1⤵
          PID:612
        • /bin/bash
          sh -c "sudo /bin/zsh -c \"/Users/run/rook1.exe\""
          1⤵
            PID:612
          • /bin/bash
            sh -c "sudo /bin/zsh -c \"/Users/run/rook1.exe\""
            1⤵
              PID:612
            • /usr/bin/sudo
              sudo /bin/zsh -c /Users/run/rook1.exe
              1⤵
                PID:612
              • /usr/bin/sudo
                sudo /bin/zsh -c /Users/run/rook1.exe
                1⤵
                  PID:612
                  • /bin/zsh
                    /bin/zsh -c /Users/run/rook1.exe
                    2⤵
                      PID:613
                    • /bin/zsh
                      /bin/zsh -c /Users/run/rook1.exe
                      2⤵
                        PID:613
                      • /Users/run/rook1.exe
                        /Users/run/rook1.exe
                        2⤵
                          PID:613
                        • /Users/run/rook1.exe
                          /Users/run/rook1.exe
                          2⤵
                            PID:613
                        • /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
                          "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" "-Djdk.disableLastUsageTracking=true" "-Djava.awt.headless=true " -cp "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/deploy.jar" com.sun.deploy.panel.ControlPanel -getSecurityLevel
                          1⤵
                            PID:635
                          • /usr/libexec/xpcproxy
                            xpcproxy com.apple.sysmond
                            1⤵
                              PID:640
                            • /usr/libexec/sysmond
                              /usr/libexec/sysmond
                              1⤵
                                PID:640
                              • /usr/libexec/xpcproxy
                                xpcproxy com.apple.audio.systemsoundserverd
                                1⤵
                                  PID:641
                                • /usr/sbin/systemsoundserverd
                                  /usr/sbin/systemsoundserverd
                                  1⤵
                                    PID:641
                                  • /usr/libexec/xpcproxy
                                    xpcproxy com.apple.audio.AudioComponentRegistrar
                                    1⤵
                                      PID:642
                                    • /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
                                      /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
                                      1⤵
                                        PID:642

                                      Network

                                      MITRE ATT&CK Matrix

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads