
Analysis

  • max time kernel
    652s
  • max time network
    655s
  • platform
    macos_amd64
  • resource
    macos-20220504-en
  • resource tags

    arch:amd64 arch:i386 image:macos-20220504-en kernel:19b77a locale:en-us os:macos-10.15-amd64 system
  • submitted
    09/09/2022, 14:21

General

  • Target

    shove

  • Size

    165KB

  • MD5

    dab92acede35ff12eed3dc40a3753292

  • SHA1

    423c4dc619caa7562229c8d47cdc5a9452ac10d3

  • SHA256

    52db54ef62291a6b75d8d023ede466956b11e74ff8ed31aaaa3e87b88003e491

  • SHA512

    bc2a751ca088f9735f4029cb738bac8ec540f21286a6f7fc604edca8c19cfcc0ab0dc63f8606e6c2ba7079adb2f2c839b2029dc53c037a68b40320624a7d3881

  • SSDEEP

    768:JMyd8MlbL7x3TUi/1eVYI8lZxMDr9Q+srhkI8:hGK3Qi/QVz2xmr9Fstf

Score
1/10

Malware Config

Signatures

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/shove\""
    1⤵
      PID:489
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"/Users/run/shove\""
      1⤵
        PID:489
      • /bin/bash
        sh -c "sudo /bin/zsh -c \"/Users/run/shove\""
        1⤵
          PID:489
        • /usr/bin/sudo
          sudo /bin/zsh -c /Users/run/shove
          1⤵
            PID:489
          • /usr/bin/sudo
            sudo /bin/zsh -c /Users/run/shove
            1⤵
              PID:489
              • /bin/zsh
                /bin/zsh -c /Users/run/shove
                2⤵
                  PID:492
                • /bin/zsh
                  /bin/zsh -c /Users/run/shove
                  2⤵
                    PID:492
                  • /Users/run/shove
                    /Users/run/shove
                    2⤵
                      PID:492
                    • /Users/run/shove
                      /Users/run/shove
                      2⤵
                        PID:492
                    • /usr/sbin/spctl
                      /usr/sbin/spctl --status
                      1⤵
                        PID:490
                      • /usr/sbin/spctl
                        /usr/sbin/spctl --test-devid-status
                        1⤵
                          PID:493
                        • /usr/bin/syslog
                          /usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
                          1⤵
                            PID:494
                          • /usr/libexec/xpcproxy
                            xpcproxy com.apple.tailspind
                            1⤵
                              PID:519
                            • /usr/libexec/tailspind
                              /usr/libexec/tailspind
                              1⤵
                                PID:519
                              • /bin/ls
                                ls
                                1⤵
                                  PID:537
                                • /bin/ls
                                  ls
                                  1⤵
                                    PID:537
                                  • /usr/local/bin/shove
                                    shove
                                    1⤵
                                      PID:539
                                    • /usr/local/bin/shove
                                      shove
                                      1⤵
                                        PID:539
                                      • /usr/bin/shove
                                        shove
                                        1⤵
                                          PID:539
                                        • /usr/bin/shove
                                          shove
                                          1⤵
                                            PID:539
                                          • /bin/shove
                                            shove
                                            1⤵
                                              PID:539
                                            • /bin/shove
                                              shove
                                              1⤵
                                                PID:539
                                              • /usr/sbin/shove
                                                shove
                                                1⤵
                                                  PID:539
                                                • /usr/sbin/shove
                                                  shove
                                                  1⤵
                                                    PID:539
                                                  • /sbin/shove
                                                    shove
                                                    1⤵
                                                      PID:539
                                                    • /sbin/shove
                                                      shove
                                                      1⤵
                                                        PID:539
                                                      • /usr/libexec/xpcproxy
                                                        xpcproxy com.apple.spindump
                                                        1⤵
                                                          PID:540
                                                        • /usr/sbin/spindump
                                                          /usr/sbin/spindump
                                                          1⤵
                                                            PID:540
                                                          • /usr/libexec/xpcproxy
                                                            xpcproxy com.apple.spindump_agent
                                                            1⤵
                                                              PID:542
                                                            • /usr/libexec/spindump_agent
                                                              /usr/libexec/spindump_agent
                                                              1⤵
                                                                PID:542
                                                              • shove./
                                                                shove./
                                                                1⤵
                                                                  PID:547
                                                                • shove./
                                                                  shove./
                                                                  1⤵
                                                                    PID:547
                                                                  • ./shove
                                                                    ./shove
                                                                    1⤵
                                                                      PID:548
                                                                    • ./shove
                                                                      ./shove
                                                                      1⤵
                                                                        PID:548
                                                                      • /usr/libexec/xpcproxy
                                                                        xpcproxy com.apple.newsyslog
                                                                        1⤵
                                                                          PID:549
                                                                        • /usr/sbin/newsyslog
                                                                          /usr/sbin/newsyslog
                                                                          1⤵
                                                                            PID:549

                                                                          Network

                                                                          MITRE ATT&CK Matrix
