ceada3e15e754b484a4ea728ddf0649b84fa0998021277aca46033ddc39b89ac

General

Target

2021 Printing Installer.pkg
Size

56.1MB
MD5

f23947d26bc59b8b3c519a865e7d4cd0
SHA1

a34624ee536fa18b5edde432d718058e6b9f512c
SHA256

ceada3e15e754b484a4ea728ddf0649b84fa0998021277aca46033ddc39b89ac
SHA512

54377b3a514381bea401cb02572640c3b417da86ed9be488104d04a07e2a5c11296396c4b976addbaf73aa53dc7a930e5c350fb0b5ac5c6e4ae5c57d1545d39c
SSDEEP

1572864:E+f1yCv4409+gC115rbilj2pIitEcne44CiIDEVneN86T/LY:Xf1bv4f9+gQilj2pv6uKCiy2w86T/8

Score

7^/10

evasion persistence

Malware Config

Signatures

Installer Packages 1 TTPs 2 IoCs

persistence

Installer Packages

T1546.016

ioc	Process
/bin/sh /tmp/PKInstallSandbox.Cauo9f/Scripts/com.christscollgecom.pkg.printing2021.Hx11jA/postinstall /Users/run/setup.pkg / / /	Process not Found
/tmp/PKInstallSandbox.Cauo9f/Scripts/com.christscollgecom.pkg.printing2021.Hx11jA/postinstall /Users/run/setup.pkg / / /	Process not Found

Resource Forking 1 TTPs 5 IoCs

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/A211A439-42D1-4A70-827C-1F5E65ECAC01.activeSandbox/Root /	Process not Found
lpadmin -p followme -v ipp://172.16.12.230/printers/followme -D Followme -L "Follow me Printer" -P /Library/Printers/PPDs/Contents/Resources/KONICAMINOLTAC658.gz -o "SelectColor=Grayscale" -o "ColorModel=Gray" -o "KMDuplex=Single" -o "finisher=FS537SDJS_ZeusSZ" -E	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:538

/bin/bash
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:538

/usr/bin/sudo
sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
1⤵
PID:538
- /bin/zsh
  /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
  2⤵
  PID:559
- /usr/sbin/installer
  installer -pkg /Users/run/setup.pkg -target /
  2⤵
  PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:561

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:562

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:562

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
1⤵
PID:563

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/A211A439-42D1-4A70-827C-1F5E65ECAC01.activeSandbox/Root /
1⤵
PID:564

/tmp/PKInstallSandbox.Cauo9f/Scripts/com.christscollgecom.pkg.printing2021.Hx11jA/postinstall
/tmp/PKInstallSandbox.Cauo9f/Scripts/com.christscollgecom.pkg.printing2021.Hx11jA/postinstall /Users/run/setup.pkg / / /
1⤵
PID:565

/bin/bash
/bin/sh /tmp/PKInstallSandbox.Cauo9f/Scripts/com.christscollgecom.pkg.printing2021.Hx11jA/postinstall /Users/run/setup.pkg / / /
1⤵
PID:565
- /bin/sleep
  sleep 3
  2⤵
  PID:571
- /usr/sbin/lpadmin
  lpadmin -p followme -v ipp://172.16.12.230/printers/followme -D Followme -L "Follow me Printer" -P /Library/Printers/PPDs/Contents/Resources/KONICAMINOLTAC658.gz -o "SelectColor=Grayscale" -o "ColorModel=Gray" -o "KMDuplex=Single" -o "finisher=FS537SDJS_ZeusSZ" -E
  2⤵
  PID:573

/usr/bin/lpstat
lpstat -a
1⤵
PID:568

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:569

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:572

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.colorsyncd
1⤵
PID:574

/usr/libexec/colorsyncd
/usr/libexec/colorsyncd
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy com.apple.colorsync.useragent
1⤵
PID:575

/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
1⤵
PID:575

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
1⤵
PID:579

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:585

/usr/libexec/xpcproxy
xpcproxy com.apple.bird
1⤵
PID:586

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
1⤵
PID:586

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:585

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:587

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:587

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/InstallerSandboxes/.PKInstallSandboxManager/A211A439-42D1-4A70-827C-1F5E65ECAC01.activeSandbox/Boms/com.christscollgecom.pkg.printing2021.bom

Filesize
145KB

MD5
488643d90b830b96369a84ec25a82a02

SHA1
cc61bada020ab2d156e17382c5e69163b10f14a6

SHA256
eda729f08ec4363c98d286028dc633457eb2d1387b9b733feb919038030d8dc9

SHA512
48d531b5540f807c3451ed57de61da55b1942ccf4f11d57989033e5848a6b2d1cb0905e4d46135569f6eebe19353812def24b016062740ccc9a9b2c08795b663

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
42B

MD5
ce7f5b3d4bfc7b4b0da6a06dccc515f2

SHA1
ce657a52a052a3aaf534ecfbf7cbdde4ee334c10

SHA256
9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1

SHA512
db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

Download Submit
/Library/Printers/PPDs/Contents/Resources/KONICAMINOLTAC658.gz

Filesize
80KB

MD5
7cd766dcc4614b5a96d1d5333ca28571

SHA1
422d9c35a8b2c8f0f25d37d809540ac46dc28498

SHA256
ea2aeac9b2458c169e48f36ddf6bad5a8ab6bd9b18e5f1346db19d17c36c56dd

SHA512
c0b6e5842a90c41084772e447e20d1407b1a721824612f596e326c0016e6de7dedf767cc86b7d930af96c4711772a48c9f4474ee7282032ecbaee74dc92ca955

Download Submit
/private/tmp/PKInstallSandbox.Cauo9f/tmp/0023d65dd7008

Filesize
553KB

MD5
ad8b1f979999c240b147572a22a3df8e

SHA1
b1740950b709a9d3c8bb0221f6a626a687e1070c

SHA256
a79576023dd194c1211b8c84ce3fd102ce6e4e4a2e50ecbeb1e096bca79fef86

SHA512
ff291f53d22f07dc7dcfb5722bb4e17a289dfae66057b8c2f2450f93eb3cb8b63200b934b30be1f568872ad273d7db40ff84ecfde8d9a7e568945fbb750287b6

Download Submit
/private/var/run/installd.commit.pid

Filesize
3B

MD5
4e4b5fbbbb602b6d35bea8460aa8f8e5

SHA1
904f2cc1c3677bb35876e91f4716341c06769cc6

SHA256
4eef24c6b8248c2271f6663f44ec0de3c2535ca396a22cf60051137d71721309

SHA512
2c27317cba2603d724870f2087a9588d30d430a4ca38a39e7c950f38cf205926273b97d605d936be38f96582f5e1d712a014f496321c4d843496c20493f4a2c6

Download Submit
/tmp/PKInstallSandbox.Cauo9f/Scripts/com.christscollgecom.pkg.printing2021.Hx11jA/postinstall

Filesize
626B

MD5
8a9ed8da33c2461e559c4ed627d69683

SHA1
7fa80acbdd05fc7a3129a3151e9b2f476102fa3f

SHA256
1a590865bf8428b8de993ce56b885790d59860188d89ffe504d56d0f6ceb2c8b

SHA512
cd8d9e321666cef6ce07a2c107159b51b1eb63b99da07d5dbaea11bdbb608014754f35b1e09b060b652d3d0ce36f5b9fa5a94d296e490cac07aa8b4278d8c838

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads