2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f

General

Target

2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
Size

713KB
MD5

23699799f496b8e872d05f19d2b397f8
SHA1

fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
SHA256

2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f
SHA512

f347c47afe06ed7ef2a71b7e40ac0103f4f33e26250661173775b349bba7452ea458e5d4137a57b34801556959bca14093a9f693d59c147061f63f2b78614288

Score

1^/10

Malware Config

Signatures

/usr/sbin/spctl
/usr/sbin/spctl --status
1⤵
PID:600

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr\""
1⤵
PID:601

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr\""
1⤵
PID:601

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr\""
1⤵
PID:601

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
1⤵
PID:601

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
1⤵
PID:601
- /bin/zsh
  /bin/zsh -c /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  2⤵
  PID:605
- /bin/zsh
  /bin/zsh -c /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  2⤵
  PID:605
- /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  2⤵
  PID:605
- /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  2⤵
  PID:605

/usr/sbin/spctl
/usr/sbin/spctl --test-devid-status
1⤵
PID:602

/usr/bin/syslog
/usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
1⤵
PID:604

/bin/sh
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:606

/bin/bash
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:606

/bin/bash
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:606
- /bin/ps
  ps -ef
  2⤵
  PID:607
- /bin/ps
  ps -ef
  2⤵
  PID:607
- /usr/bin/grep
  grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  2⤵
  PID:609
- /usr/bin/grep
  grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  2⤵
  PID:609
- /usr/bin/grep
  grep -v "CorelDRAW\\s*Graphics\\s*Suite"
  2⤵
  PID:610
- /usr/bin/grep
  grep -v "CorelDRAW\\s*Graphics\\s*Suite"
  2⤵
  PID:610
- /usr/bin/grep
  grep CorelDRAW
  2⤵
  PID:608
- /usr/bin/grep
  grep CorelDRAW
  2⤵
  PID:608
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:611
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:611
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:612
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:612

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" "-Djdk.disableLastUsageTracking=true" "-Djava.awt.headless=true " -cp "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/deploy.jar" com.sun.deploy.panel.ControlPanel -getSecurityLevel
1⤵
PID:634

/usr/bin/kill
kill -9 608 610
1⤵
PID:636

/usr/bin/kill
kill -9 608 610
1⤵
PID:636

/bin/kill
kill -9 608 610
1⤵
PID:636

/bin/kill
kill -9 608 610
1⤵
PID:636

/bin/sh
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:637

/bin/bash
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:637

/bin/bash
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:637
- /bin/ps
  ps -ef
  2⤵
  PID:638
- /bin/ps
  ps -ef
  2⤵
  PID:638
- /usr/bin/grep
  grep CorelDRAW
  2⤵
  PID:639
- /usr/bin/grep
  grep CorelDRAW
  2⤵
  PID:639
- /usr/bin/grep
  grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  2⤵
  PID:640
- /usr/bin/grep
  grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr
  2⤵
  PID:640
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:642
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:642
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:643
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:643
- /usr/bin/grep
  grep -v "CorelDRAW\\s*Graphics\\s*Suite"
  2⤵
  PID:641
- /usr/bin/grep
  grep -v "CorelDRAW\\s*Graphics\\s*Suite"
  2⤵
  PID:641

/usr/bin/kill
kill -9 639 641
1⤵
PID:644

/usr/bin/kill
kill -9 639 641
1⤵
PID:644

/bin/kill
kill -9 639 641
1⤵
PID:644

/bin/kill
kill -9 639 641
1⤵
PID:644

/bin/sh
sh -c "cp /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr /var/root/Library/Preferences/CorelDRAW/CorelDRAW"
1⤵
PID:645

/bin/bash
sh -c "cp /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr /var/root/Library/Preferences/CorelDRAW/CorelDRAW"
1⤵
PID:645

/bin/bash
sh -c "cp /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr /var/root/Library/Preferences/CorelDRAW/CorelDRAW"
1⤵
PID:645

/bin/cp
cp /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr /var/root/Library/Preferences/CorelDRAW/CorelDRAW
1⤵
PID:645

/bin/cp
cp /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr /var/root/Library/Preferences/CorelDRAW/CorelDRAW
1⤵
PID:645

/bin/sh
sh -c "launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:646

/bin/bash
sh -c "launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:646

/bin/bash
sh -c "launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:646

/bin/launchctl
launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
1⤵
PID:646

/bin/launchctl
launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
1⤵
PID:646

/bin/sh
sh -c "launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:647

/bin/bash
sh -c "launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:647

/bin/bash
sh -c "launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:647

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
1⤵
PID:647

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
1⤵
PID:647

/usr/libexec/xpcproxy
xpcproxy com.CorelDRAW.va.plist
1⤵
PID:648

/var/root/Library/Preferences/CorelDRAW/CorelDRAW
/var/root/Library/Preferences/CorelDRAW/CorelDRAW
1⤵
PID:648

/bin/ls
ls
1⤵
PID:660

/bin/ls
ls
1⤵
PID:660

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:663

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:663

/bin/ls
ls /Volumes
1⤵
PID:664

/bin/ls
ls /Volumes
1⤵
PID:664

/bin/ls
ls /Volumes/new
1⤵
PID:666

/bin/ls
ls /Volumes/new
1⤵
PID:666

/bin/ls
ls /Volumes/kekje
1⤵
PID:667

/bin/ls
ls /Volumes/kekje
1⤵
PID:667

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads