Resubmissions
23/02/2024, 12:50
240223-p2341aga6v 7 Analysis
max time kernel: 143s
max time network: 162s
platform: macos-10.15_amd64
resource: macos-20240214-en
resource tags: arch:amd64, arch:i386, image:macos-20240214-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
submitted: 23/02/2024, 12:50
Static task: static1
Behavioral task: behavioral1
  Sample: Slack_mac.dmg
  Resource: macos-20240214-en
Behavioral task: behavioral2
  Sample: Slack_mac/Slack_mac
  Resource: macos-20240214-en
General
Target: Slack_mac.dmg
Size: 527KB
MD5: 3b927bc865267cdc3b125597fc3805f5
SHA1: 0e1587d74b953b794f32c54d805c450be12d4535
SHA256: 361a1afce4df0787df73f1d3dc1beb8917d7f0f943806bff27219db611d56b9f
SHA512: 4e4c1a8a73b1c9172c8c61ff323aed56b25691a6071e8bae0cf0603e587eb6a78b9c59a08526c825359631a7e61c969bea6840d41c941b74dec375eadded10dd
SSDEEP: 12288:5Gfqyd/S2QsWh1kQ6G5LruXTC20BdGMJNRC+JjwkFh4BHZSjOk4:5q1JS9sWh1iG5LK2x7bCiFhC
Malware Config
Signatures

Queries the macOS version information. 1 TTPs 2 IoCs
ioc | Process
sh -c sw_vers | Process not Found
sw_vers | Process not Found

System Checks 1 TTPs 2 IoCs
ioc | Process
system_profiler SPHardwareDataType | Process not Found
sh -c "system_profiler SPHardwareDataType" | Process not Found

AppleScript 1 TTPs 10 IoCs
ioc | Process
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'" | Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | Process not Found
osascript -e "tell application \"Terminal\" to set visible of front window to false" | Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | Process not Found

Resource Forking 1 TTPs 1 IoCs
ioc | Process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | Process not Found
Processes (image path, PID, then command line; indented by tree depth)
/bin/sh (PID 577): sh -c "sudo /bin/zsh -c \"open /Volumes/Slack_mac\""
/bin/bash (PID 577): sh -c "sudo /bin/zsh -c \"open /Volumes/Slack_mac\""
/usr/bin/sudo (PID 577): sudo /bin/zsh -c "open /Volumes/Slack_mac"
  /bin/zsh (PID 578): /bin/zsh -c "open /Volumes/Slack_mac"
  /usr/bin/open (PID 578): open /Volumes/Slack_mac
/usr/libexec/xpcproxy (PID 582): xpcproxy com.apple.nehelper
/usr/libexec/nehelper (PID 582): /usr/libexec/nehelper
/usr/libexec/xpcproxy (PID 587): xpcproxy com.apple.spindump
/usr/sbin/spindump (PID 587): /usr/sbin/spindump
/usr/libexec/xpcproxy (PID 588): xpcproxy com.apple.tailspind
/usr/libexec/xpcproxy (PID 589): xpcproxy com.apple.spindump_agent
/usr/libexec/tailspind (PID 588): /usr/libexec/tailspind
/usr/libexec/spindump_agent (PID 589): /usr/libexec/spindump_agent
/usr/libexec/xpcproxy (PID 590): xpcproxy com.apple.TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent (PID 590): /System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/usr/libexec/xpcproxy (PID 591): xpcproxy com.apple.TextInputSwitcher
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher (PID 591): /System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
/usr/libexec/xpcproxy (PID 592): xpcproxy com.apple.quicklook.ui.helper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper (PID 592): /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/usr/libexec/xpcproxy (PID 593): xpcproxy com.apple.metadata.mdwrite
/usr/bin/login (PID 594): login -pf run
  /bin/zsh (PID 596): -zsh
    /usr/libexec/path_helper (PID 597): /usr/libexec/path_helper -s
    /usr/bin/locale (PID 598): locale LC_CTYPE
    /Volumes/Slack_mac/Slack_mac (PID 599): /Volumes/Slack_mac/Slack_mac
/usr/libexec/xpcproxy (PID 595): xpcproxy com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper (PID 595): /System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/bin/sh (PID 600): sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
/bin/bash (PID 600): sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
/usr/bin/osascript (PID 600): osascript -e "tell application \"Terminal\" to set visible of front window to false"
/bin/sh (PID 601): sh -c "mkdir /Users/run/182481170"
/bin/bash (PID 601): sh -c "mkdir /Users/run/182481170"
/bin/mkdir (PID 601): mkdir /Users/run/182481170
/bin/sh (PID 602): sh -c "system_profiler SPHardwareDataType"
/bin/bash (PID 602): sh -c "system_profiler SPHardwareDataType"
/usr/sbin/system_profiler (PID 602): system_profiler SPHardwareDataType
/bin/sh (PID 604): sh -c "system_profiler SPDisplaysDataType"
/bin/bash (PID 604): sh -c "system_profiler SPDisplaysDataType"
/usr/sbin/system_profiler (PID 604): system_profiler SPDisplaysDataType
/bin/sh (PID 606): sh -c sw_vers
/bin/bash (PID 606): sh -c sw_vers
/usr/bin/sw_vers (PID 606): sw_vers
/bin/sh (PID 607): sh -c "dscl /Local/Default -authonly run \"\""
/bin/bash (PID 607): sh -c "dscl /Local/Default -authonly run \"\""
/usr/bin/dscl (PID 607): dscl /Local/Default -authonly run
/bin/sh (PID 608): sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
/bin/bash (PID 608): sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
/usr/bin/osascript (PID 608): osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
/usr/libexec/xpcproxy (PID 611): xpcproxy com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod (PID 611): /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/usr/libexec/xpcproxy (PID 612): xpcproxy com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod (PID 612): /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/usr/libexec/xpcproxy (PID 613): xpcproxy com.apple.secinitd
/usr/libexec/secinitd (PID 613): /usr/libexec/secinitd
/usr/libexec/xpcproxy (PID 614): xpcproxy com.apple.cfprefsd.xpc.agent
/usr/sbin/cfprefsd (PID 614): /usr/sbin/cfprefsd agent
/usr/libexec/xpcproxy (PID 619): xpcproxy com.apple.AddressBook.ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService (PID 619): /System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/usr/libexec/xpcproxy (PID 620): xpcproxy com.apple.routined
/usr/libexec/routined (PID 620): /usr/libexec/routined LAUNCHED_BY_LAUNCHD
/usr/libexec/xpcproxy (PID 621): xpcproxy com.apple.Maps.mapspushd
/System/Library/CoreServices/mapspushd (PID 621): /System/Library/CoreServices/mapspushd
/usr/libexec/xpcproxy (PID 623): xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
/usr/libexec/neagent (PID 623): /usr/libexec/neagent
/usr/libexec/xpcproxy (PID 624): xpcproxy com.apple.akd
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd (PID 624): /System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
/bin/sh (PID 627): sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
/bin/bash (PID 627): sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
/usr/bin/osascript (PID 627): osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
/usr/libexec/xpcproxy (PID 630): xpcproxy com.apple.assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd (PID 630): /System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/usr/sbin/spctl (PID 631): /usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
/bin/sh (PID 643): sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
/bin/bash (PID 643): sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
/usr/bin/osascript (PID 643): osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
/usr/libexec/xpcproxy (PID 644): xpcproxy com.apple.ReportMemoryException
/usr/libexec/ReportMemoryException (PID 644): /usr/libexec/ReportMemoryException
/usr/libexec/xpcproxy (PID 649): xpcproxy com.apple.ReportCrash.Root
/System/Library/CoreServices/ReportCrash (PID 649): /System/Library/CoreServices/ReportCrash daemon
/bin/sh (PID 650): sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
/bin/bash (PID 650): sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
/usr/bin/osascript (PID 650): osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
/bin/launchctl (PID 651): /bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
/bin/launchctl (PID 652): /bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
/bin/sh (PID 653): sh -c /usr/sbin/kextstat
/bin/bash (PID 653): sh -c /usr/sbin/kextstat
/usr/sbin/kextstat (PID 653): /usr/sbin/kextstat
Network
MITRE ATT&CK Enterprise v15
Downloads