8193fd9d9222e93bf3710193515f783a0266589c2673d9f463424225d0446410

General

Target

android-sms-to-iphone-transfer-for-mac.dmg
Size

9.3MB
MD5

12e8407c492c080aa5bf6181abe28397
SHA1

a4d0843975a4c34cde0403cd634d2c0108d7f8b3
SHA256

8193fd9d9222e93bf3710193515f783a0266589c2673d9f463424225d0446410
SHA512

da9ef6354c41b360f2c4539eba24acffad90199d6bf4384578fc425901503968ea22c62494ece63ffaad6d94298c85a07e3036345fcd7097a764edee91d88469
SSDEEP

196608:2P9o4dH/G1fNDU6XwISLMgudA8jIZGIAJTbzQ:2P9o4dQTXnhjIYIh

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 3 IoCs

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/android-sms-to-iphone-transfer-for-mac.install/android-sms-to-iphone-transfer-for-mac.pkg\""
1⤵
PID:545

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/android-sms-to-iphone-transfer-for-mac.install/android-sms-to-iphone-transfer-for-mac.pkg\""
1⤵
PID:545

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/android-sms-to-iphone-transfer-for-mac.install/android-sms-to-iphone-transfer-for-mac.pkg"
1⤵
PID:545
- /bin/zsh
  /bin/zsh -c "open /Volumes/android-sms-to-iphone-transfer-for-mac.install/android-sms-to-iphone-transfer-for-mac.pkg"
  2⤵
  PID:546
- /usr/bin/open
  open /Volumes/android-sms-to-iphone-transfer-for-mac.install/android-sms-to-iphone-transfer-for-mac.pkg
  2⤵
  PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.installer.1564
1⤵
PID:548

/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:551

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.replayd
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.bird
1⤵
PID:556

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:555

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
1⤵
PID:556

/usr/libexec/replayd
/usr/libexec/replayd
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:558

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.system_installd
1⤵
PID:562

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:560

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 552
1⤵
PID:564

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:566

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.security.agent
1⤵
PID:591

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
1⤵
PID:591

/usr/libexec/xpcproxy
xpcproxy com.apple.CoreAuthentication.daemon
1⤵
PID:592

/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:593

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:593

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:594

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:596

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:597

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authhost.00000000-0000-0000-0000-0000000186A6
1⤵
PID:601

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:602

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:604

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:604

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:605

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:605

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:606

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:606

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:609

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:609

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:612

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:612

/bin/sh
sh -c /usr/sbin/kextstat
1⤵
PID:615

/bin/bash
sh -c /usr/sbin/kextstat
1⤵
PID:615

/usr/sbin/kextstat
/usr/sbin/kextstat
1⤵
PID:615

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
355B

MD5
a6ef4856e99c9d8e1d9bb762c5a8503a

SHA1
25d5405ad91791b716ae5a56b37aa2b393854967

SHA256
232441aa129d4f21999860b8bf31db4b8617df9f7d32ef5f25a383edff82d9fa

SHA512
582fa1ea60766a5a4e99b295a8ed98c94f6bab45e42b7e8db61e9ad645f531891082cd457bfd11d660195af86f02c4ed93589e6e6daded683cff2d8319bbc489

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
355B

MD5
2f01f7a00c85e424f82b00b2bf794a7c

SHA1
c75cb52aa31012888dd7c65373d5faba6048c425

SHA256
23d6746cb1c1906c9cfb5c69f7377f7cb68965ac0708ed1d600bfd3d3c34ce32

SHA512
75131e0145182653cef2edbb968853c9cb3c26c37c5821f3cd69c3ecdde7979ae37e74ecea8ad333090a473177c6dad43bc34f94a8fd104cd4c9b16c8f7b54f8

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
385B

MD5
a85b3ee8b651babde7d0e0009d764f39

SHA1
d6d25bf473ec541331586bd7e2638bf62a251bd9

SHA256
b1646cdf5ee3f83aaa7cda7fc2ff53073096ba9e06280e62f2f94a35420221fb

SHA512
22f165fdd7e9e25520e4e3f233c608b436f04f34a64119f259f2e151717f9360b7610de3250b28ee50c72a5fd967a7e4d7c255beb5bade491918ff92907edd5c

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
70c5b953e136efb3eb41bbedfe1e6d0a

SHA1
65e5b9e8182c373cd2cd2db21d9601a953ddc080

SHA256
6a8a1aabd475feee04bf47384fb9d925667a06d099d841443729c6a157bf286e

SHA512
987abda65d213cd1c4095c1c7cf0ed3a6267bd8ad9d03e635af60d53c0a6244cdd1d9beb55cfb94ff983443a6297f1b3fc990fe3ec694480077b4b4239571df0

Download Submit
/Users/run/Library/Caches/GeoServices/Resources/altitude-1168.xml

Filesize
150KB

MD5
76ebb0196d42a294b69ef118cbb301d5

SHA1
61e5ab752d351af1661716bc48c0520f66cd1d1b

SHA256
aaa9febe98e3a75220b4933d1f00f2bef276183491e7d171fa54d03259812759

SHA512
8dde09d72944e8925c5bd64dc3799a44d7c30191d5038939a24f8a45ccf4d66b84990e8be3e0f2ee1d42d1dd6e5ed3673c39f803874fb0840a3232cc1e533663

Download Submit
/private/var/db/spindump/tailspin-trace.2024-02-17_16-25-47.tailspin

Filesize
11.3MB

MD5
df5dfe67cf485fbfca327757a8537a75

SHA1
bc63b46266ed506adbd04370af212543349ecdbe

SHA256
2d44cf6d025112531318dba680a89542bcdd255f81d7cc108445817720b1f02c

SHA512
24deb4baf5bfa7b210de88f789ae9fa41cc7d586c091dac0181e4860a6c7f6842f2bba6e51b4652171ebdced45b185c4cd2c6de5bfa3bbd76dd02a35f826133a

Download Submit
/private/var/db/spindump/tailspin-trace.2024-02-17_16-25-47.tailspin

Filesize
17.5MB

MD5
35c3cf56aa2996b6f60a84c33d421eb8

SHA1
6da7aef783eb6e7bd1ea01e9b2feb831a3d69eff

SHA256
950cd34e90d6dce767c19151d799de6ce718fb1dfd0c3cd81da350f7a8678e3e

SHA512
0b0d5acbfca3df20a2d221de05f8a97563c7ec1946ee7064266f45cd71d2bce5f5cd37bf412b7c97d0fe5bd20742b2dbff2999180cf8f8699ab2b7dba3271bed

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt

Filesize
624KB

MD5
4c71527be88fe16e720b9954b064d99d

SHA1
e331b54d786806f871de5a0e64344c664e33ef4e

SHA256
35311433d8703d1349f1f5b46e0be80b0159609072b38d019d0352162a5c3872

SHA512
7dcca94466a0b95277f6f4b254ad268f6349401be02d05181052ff152f0e079a4e3e5f463fbfac07cc47b2f07bacfa7ded12d1d6987e23dd3ddd1d5eaa37d995

Download Submit

Analysis

Sharing