Overview

overview

1

Static

static

1

BadWin.zip

macos-10.15-amd64

1

BadWin.xfl

macos-10.15-amd64

1

DOMDocument.xml

macos-10.15-amd64

1

LIBRARY/Symbol 1.xml

macos-10.15-amd64

1

LIBRARY/Symbol 2.xml

macos-10.15-amd64

1

LIBRARY/Symbol 3.xml

macos-10.15-amd64

1

LIBRARY/Symbol 4.xml

macos-10.15-amd64

1

LIBRARY/Symbol 5.xml

macos-10.15-amd64

1

LIBRARY/Symbol 6.xml

macos-10.15-amd64

1

LIBRARY/Symbol 7.xml

macos-10.15-amd64

1

LIBRARY/Symbol 8.xml

macos-10.15-amd64

1

LIBRARY/Symbol 9.xml

macos-10.15-amd64

1

PublishSettings.xml

macos-10.15-amd64

1

bin/SymDepend.cache

macos-10.15-amd64

mimetype

macos-10.15-amd64

1

Analysis

  • max time kernel
    131s
  • max time network
    127s
  • platform
    macos_amd64
  • resource
    macos-20220504-en
  • resource tags

    arch:amd64arch:i386image:macos-20220504-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
  • submitted
    15/08/2023, 22:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BadWin.xfl

  • Size

    9B

  • MD5

    e25cd3a43fe4cc8ef81230d136814570

  • SHA1

    7ffe91cfe0acb42e00d7fa05585c553b9f6bf3e7

  • SHA256

    29ac2e403620428ee4130686b456aefb0cc6d45e3be6e9c3191af906c1301f38

  • SHA512

    f218c49b71da48c0e6f0794dcb3176626f91e931a1505878dd38ad27d66c0271d0cbf6ac227dcdce48849cfb787b8f04c13bf96625c41ab7baa4c655bf87fe73

Score
1/10

Malware Config

Signatures

Processes

  • /usr/sbin/spctl
    /usr/sbin/spctl --status
    1⤵
      PID:488
    • /bin/sh
      sh -c "sudo /bin/zsh -c \"/Users/run/BadWin.xfl\""
      1⤵
        PID:489
      • /bin/bash
        sh -c "sudo /bin/zsh -c \"/Users/run/BadWin.xfl\""
        1⤵
          PID:489
        • /bin/bash
          sh -c "sudo /bin/zsh -c \"/Users/run/BadWin.xfl\""
          1⤵
            PID:489
          • /usr/sbin/spctl
            /usr/sbin/spctl --test-devid-status
            1⤵
              PID:490
            • /usr/bin/sudo
              sudo /bin/zsh -c /Users/run/BadWin.xfl
              1⤵
                PID:489
              • /usr/bin/sudo
                sudo /bin/zsh -c /Users/run/BadWin.xfl
                1⤵
                  PID:489
                  • /bin/zsh
                    /bin/zsh -c /Users/run/BadWin.xfl
                    2⤵
                      PID:492
                    • /bin/zsh
                      /bin/zsh -c /Users/run/BadWin.xfl
                      2⤵
                        PID:492
                      • /Users/run/BadWin.xfl
                        /Users/run/BadWin.xfl
                        2⤵
                          PID:492
                        • /Users/run/BadWin.xfl
                          /Users/run/BadWin.xfl
                          2⤵
                            PID:492
                          • /bin/sh
                            sh /Users/run/BadWin.xfl
                            2⤵
                              PID:492
                            • /bin/sh
                              sh /Users/run/BadWin.xfl
                              2⤵
                                PID:492
                              • /bin/bash
                                sh /Users/run/BadWin.xfl
                                2⤵
                                  PID:492
                                • /bin/bash
                                  sh /Users/run/BadWin.xfl
                                  2⤵
                                    PID:492
                                • /usr/bin/syslog
                                  /usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
                                  1⤵
                                    PID:491
                                  • /usr/libexec/xpcproxy
                                    xpcproxy com.apple.tailspind
                                    1⤵
                                      PID:521
                                    • /usr/libexec/tailspind
                                      /usr/libexec/tailspind
                                      1⤵
                                        PID:521

                                      Network

                                      MITRE ATT&CK Matrix

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads