bd8adfae24dc7a6b633d3b5342d11978e6b7418fa43be6eca0378f17d0bb7565

General

Target

Slack-Apps
Size

996KB
MD5

dd8aa38c7f06cb1c12a4d2c0927b6107
SHA1

863c0fbc1efccbef4c2df82920ded53181096d8e
SHA256

bd8adfae24dc7a6b633d3b5342d11978e6b7418fa43be6eca0378f17d0bb7565
SHA512

93ff5f4ab36a3341796522b6171d036ba19e7d7b0aa8ebae8741f0e20554d751689fb52d567d9f20d384449f07f72cee287aecc1583e86d46c8c2db2cd1b2527
SSDEEP

12288:uosrHerhntpItDeikXXJYsDUf8GhiK+oo3+ut:uo++tnXJYsq6oUVt

Score

1^/10

Malware Config

Signatures

/usr/sbin/spctl
/usr/sbin/spctl --test-devid-status
1⤵
PID:518

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Slack-Apps\""
1⤵
PID:520

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Slack-Apps\""
1⤵
PID:520

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Slack-Apps\""
1⤵
PID:520

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Slack-Apps
1⤵
PID:520

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Slack-Apps
1⤵
PID:520
- /bin/zsh
  /bin/zsh -c /Users/run/Slack-Apps
  2⤵
  PID:521
- /bin/zsh
  /bin/zsh -c /Users/run/Slack-Apps
  2⤵
  PID:521
- /Users/run/Slack-Apps
  /Users/run/Slack-Apps
  2⤵
  PID:521
- /Users/run/Slack-Apps
  /Users/run/Slack-Apps
  2⤵
  PID:521

/usr/bin/syslog
/usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
1⤵
PID:519

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:523

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:523

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:523
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:524
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:524

/bin/sh
sh -c "dscl . authonly \"root\" \"\""
1⤵
PID:525

/bin/bash
sh -c "dscl . authonly \"root\" \"\""
1⤵
PID:525

/bin/bash
sh -c "dscl . authonly \"root\" \"\""
1⤵
PID:525

/usr/bin/dscl
dscl . authonly root
1⤵
PID:525

/usr/bin/dscl
dscl . authonly root
1⤵
PID:525

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:526

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:526

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:526

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:526

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.ViewBridgeAuxiliary
1⤵
PID:530

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
1⤵
PID:530

/usr/sbin/kextcache
/usr/sbin/kextcache -F -system-prelinked-kernel
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:534

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:535

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:535

/usr/bin/bzip2
/usr/bin/bzip2 -f /var/log/wifi.log.0
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:559

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:559

/bin/sh
sh -c "dscl . authonly \"root\" \"root\""
1⤵
PID:560

/bin/bash
sh -c "dscl . authonly \"root\" \"root\""
1⤵
PID:560

/bin/bash
sh -c "dscl . authonly \"root\" \"root\""
1⤵
PID:560

/usr/bin/dscl
dscl . authonly root root
1⤵
PID:560

/usr/bin/dscl
dscl . authonly root root
1⤵
PID:560

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:561

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:561

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:561

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:561

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:564

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:566

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:566

/bin/sh
sh -c "dscl . authonly \"root\" \"root\""
1⤵
PID:567

/bin/bash
sh -c "dscl . authonly \"root\" \"root\""
1⤵
PID:567

/bin/bash
sh -c "dscl . authonly \"root\" \"root\""
1⤵
PID:567

/usr/bin/dscl
dscl . authonly root root
1⤵
PID:567

/usr/bin/dscl
dscl . authonly root root
1⤵
PID:567

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:568

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:568

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:568

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:568

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:568

/bin/sh
sh -c "dscl . authonly \"root\" \"1234\""
1⤵
PID:580

/bin/bash
sh -c "dscl . authonly \"root\" \"1234\""
1⤵
PID:580

/bin/bash
sh -c "dscl . authonly \"root\" \"1234\""
1⤵
PID:580

/usr/bin/dscl
dscl . authonly root 1234
1⤵
PID:580

/usr/bin/dscl
dscl . authonly root 1234
1⤵
PID:580

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:581

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:581

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:581

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:581

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:581

/bin/sh
sh -c "dscl . authonly \"root\" \"root\""
1⤵
PID:582

/bin/bash
sh -c "dscl . authonly \"root\" \"root\""
1⤵
PID:582

/bin/bash
sh -c "dscl . authonly \"root\" \"root\""
1⤵
PID:582

/usr/bin/dscl
dscl . authonly root root
1⤵
PID:582

/usr/bin/dscl
dscl . authonly root root
1⤵
PID:582

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:583

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:583

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:583

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:583

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:583

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:584

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:584

/bin/sh
sh -c "dscl . authonly \"root\" \"p:true \""
1⤵
PID:591

/bin/bash
sh -c "dscl . authonly \"root\" \"p:true \""
1⤵
PID:591

/bin/bash
sh -c "dscl . authonly \"root\" \"p:true \""
1⤵
PID:591

/usr/bin/dscl
dscl . authonly root "p:true "
1⤵
PID:591

/usr/bin/dscl
dscl . authonly root "p:true "
1⤵
PID:591

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:592

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:592

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:592

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:592

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/private/var/log/wifi.log.0.bz2

Filesize
639B

MD5
da00c8e116a85811f5b72441eeabcfc7

SHA1
5baed10689a169b3318387ef574564d5d50841c4

SHA256
02e30d34ae9adef93b758a95ba523a658f9f98e988a0be2949b8d83b31474656

SHA512
4a3a0587f2fad25f105906ecb070d488b893172cdeb130aaf50ff5979a0780ae25d5cea5ed5e4e6e35de5a157a47cd8fad13fcd37b33456ec59cf55ba974372a

Download Submit
/private/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
828c755b9fa79b84be3b497da562d4a8

SHA1
29fab1bb7e3ae8cb2f61c5b8727dc55657f61527

SHA256
e8f58fd6e6563453a63707250ff072c4cc76abf1340ded1ab7bc8514fdc5a525

SHA512
6c1b8bc01694aebd497ddf7d6b61e7612413e3f554c3dcce367535a4f889b88ac687a29644fb2fc71b8c964b4bf1a6c996ba5f5902a862becc7e215e6e366595

Download Submit
/private/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
07360912bc1d4e059616754dc2719d32

SHA1
d7080b7c4da5096d31e33069af73b56ba22dd495

SHA256
692adca41c874646a7ca501310b984dbccb406ef0c746961bf7a7bcfc0746990

SHA512
206dacd9f840cb7761f8d73233bc775707c53514ebc387bd8967837a1e4cb93ac306f69f657828f96b37325ca949fe812b4c943d0c581cc90cbd853e895573b3

Download Submit
/private/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
fb115f7ef4777124c526dee94abd35d7

SHA1
a5f4a549016e1d9bfa9754a7edf9d9166a58f0aa

SHA256
505ce0d01714129300d4f29fbbc190e29de5a7fc4f434a708f44156d776b5cef

SHA512
96ed3bd2b3053cfee1083e327a78991300d677de08dc9a3003239a353fc97b7c3aae484486b2730b91d91f4be5e02d9eadd9350f03e79bda4fa525500df10611

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads