Analysis
max time kernel: 134s
max time network: 157s
platform: macos-10.15_amd64
resource: macos-20240214-en
resource tags: arch:amd64, arch:i386, image:macos-20240214-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
submitted: 03-04-2024 06:39
Static task: static1
General
Target: 090
Size: 5.8MB
MD5: a64e89866983fa9b60020bf38cfd3814
SHA1: 95f71894eec20f9727ff1311ad078de38ae4e774
SHA256: 27158886ab064880aa5d5196248f2ad4b20b38bbb1321f72bca17351165ea3e5
SHA512: 5c79c63263b06bb407f57b0fd662194296372f9f88338b854216fecbd5ff0040ecac9efb59918183a4afb412d7411dcc6f2b7a82165528a8d7beb53cde9cc891
SSDEEP: 49152:y54zOdrCXYrr7Nm2agKtILKGvArod8Dvlb9I0Q54zOdrCXYrr7Nm2agKtILKGvAT:
Malware Config
Signatures
- File Permission (1 TTP)
  Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
- File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur.
- File and Directory Discovery (1 TTP, 2 IoCs)
  Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
  Processes (IoC / process):
  - basename /tmp/.4lXyMzau
  - basename /tmp/.4lXyMzau/.9tNT8SgW
- Command and Scripting Interpreter (1 TTP)
  Adversaries may abuse Unix shell commands and scripts for execution.
Processes
- PID 533 (depth 1) /bin/sh: sh -c "sudo /bin/zsh -c \"/Users/run/090\""
- PID 533 (depth 1) /bin/bash: sh -c "sudo /bin/zsh -c \"/Users/run/090\""
- PID 533 (depth 1) /usr/bin/sudo: sudo /bin/zsh -c /Users/run/090
- PID 534 (depth 2) /bin/zsh: /bin/zsh -c /Users/run/090
- PID 534 (depth 2) /Users/run/090: /Users/run/090
- PID 536 (depth 1) /bin/sh: sh -c "chmod +x /tmp/LRFKqYUqfJ"
- PID 536 (depth 1) /bin/bash: sh -c "chmod +x /tmp/LRFKqYUqfJ"
- PID 536 (depth 1) /bin/chmod: chmod +x /tmp/LRFKqYUqfJ
- PID 554 (depth 1) /bin/sh: sh -c "/tmp/LRFKqYUqfJ &"
- PID 554 (depth 1) /bin/bash: sh -c "/tmp/LRFKqYUqfJ &"
- PID 555 (depth 2) /tmp/LRFKqYUqfJ: /tmp/LRFKqYUqfJ
- PID 555 (depth 2) /bin/bash: /bin/sh /tmp/LRFKqYUqfJ
- PID 558 (depth 3) /usr/bin/mktemp: mktemp -d /tmp/.XXXXXXXX
- PID 560 (depth 3) /usr/bin/basename: basename /tmp/.4lXyMzau
- PID 562 (depth 3) /usr/bin/mktemp: mktemp /tmp/.4lXyMzau/.XXXXXXXX
- PID 563 (depth 3) /usr/bin/basename: basename /tmp/.4lXyMzau/.9tNT8SgW
- PID 564 (depth 3) /bin/mv: mv /tmp/.4lXyMzau /Users/run
- PID 565 (depth 3) /usr/bin/mktemp: mktemp /tmp/.XXXXXXXX
- PID 572 (depth 3) /usr/bin/base64: base64 -o /tmp/.DnXDADia -d
- PID 574 (depth 3) /usr/bin/tar: tar -xvf /tmp/.DnXDADia -O
- PID 575 (depth 3) /usr/bin/head: head -c 9824432 /dev/zero
- PID 576 (depth 3) /bin/rm: rm -rf /tmp/.DnXDADia
- PID 577 (depth 3) /bin/chmod: chmod +x /Users/run/.4lXyMzau/.9tNT8SgW
- PID 578 (depth 3) /Users/run/.4lXyMzau/.9tNT8SgW: /Users/run/.4lXyMzau/.9tNT8SgW
- PID 556 (depth 1) /bin/sh: sh -c "sleep 3 && rm -rf /Users/run/090"
- PID 556 (depth 1) /bin/bash: sh -c "sleep 3 && rm -rf /Users/run/090"
- PID 557 (depth 2) /bin/sleep: sleep 3
- PID 582 (depth 2) /bin/rm: rm -rf /Users/run/090
- PID 568 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.secd
- PID 568 (depth 1) /usr/libexec/secd: /usr/libexec/secd
- PID 573 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.nehelper
- PID 573 (depth 1) /usr/libexec/nehelper: /usr/libexec/nehelper
- PID 579 (depth 1) /bin/sh: sh -c "[ -f /tmp/._power.log ] && APPBKPNAME=\$(cat /tmp/._power.log) && TRASHPATH=\"\$HOME/.Trash/._\$APPBKPNAME\" && [ ! -f \"\$TRASHPATH\" ] && cp \"/Users/run/.4lXyMzau/.9tNT8SgW\" \"\$TRASHPATH\" && head -c \$((\$RANDOM*\$((1 + RANDOM % 10)))) /dev/zero >> \"\$TRASHPATH\""
- PID 579 (depth 1) /bin/bash: sh -c "[ -f /tmp/._power.log ] && APPBKPNAME=\$(cat /tmp/._power.log) && TRASHPATH=\"\$HOME/.Trash/._\$APPBKPNAME\" && [ ! -f \"\$TRASHPATH\" ] && cp \"/Users/run/.4lXyMzau/.9tNT8SgW\" \"\$TRASHPATH\" && head -c \$((\$RANDOM*\$((1 + RANDOM % 10)))) /dev/zero >> \"\$TRASHPATH\""
- PID 580 (depth 1) /bin/sh: sh -c "mkdir /tmp/i2pd"
- PID 580 (depth 1) /bin/bash: sh -c "mkdir /tmp/i2pd"
- PID 580 (depth 1) /bin/mkdir: mkdir /tmp/i2pd
- PID 581 (depth 1) /bin/sh: sh -c "mkdir /tmp/i2pd2"
- PID 581 (depth 1) /bin/bash: sh -c "mkdir /tmp/i2pd2"
- PID 581 (depth 1) /bin/mkdir: mkdir /tmp/i2pd2
- PID 583 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.sysmond
- PID 583 (depth 1) /usr/libexec/sysmond: /usr/libexec/sysmond
- PID 584 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
- PID 584 (depth 1) /usr/libexec/neagent: /usr/libexec/neagent
- PID 592 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.geod
- PID 592 (depth 1) /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod: /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
- PID 593 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.geod
- PID 593 (depth 1) /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod: /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
- PID 594 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.secinitd
- PID 594 (depth 1) /usr/libexec/secinitd: /usr/libexec/secinitd
- PID 595 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.cfprefsd.xpc.agent
- PID 595 (depth 1) /usr/sbin/cfprefsd: /usr/sbin/cfprefsd agent
- PID 600 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.AddressBook.ContactsAccountsService
- PID 600 (depth 1) /System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService: /System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
- PID 601 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.routined
- PID 601 (depth 1) /usr/libexec/routined: /usr/libexec/routined LAUNCHED_BY_LAUNCHD
- PID 604 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.Maps.mapspushd
- PID 604 (depth 1) /System/Library/CoreServices/mapspushd: /System/Library/CoreServices/mapspushd
- PID 608 (depth 1) /usr/sbin/spctl: /usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
- PID 609 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.assistantd
- PID 609 (depth 1) /System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd: /System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
- PID 614 (depth 1) /usr/libexec/xpcproxy: xpcproxy com.apple.pbs
- PID 614 (depth 1) /System/Library/CoreServices/pbs: /System/Library/CoreServices/pbs
- PID 617 (depth 1) /bin/sh: sh -c "chmod +x /tmp/nVHwxRcdzQ"
- PID 617 (depth 1) /bin/bash: sh -c "chmod +x /tmp/nVHwxRcdzQ"
- PID 617 (depth 1) /bin/chmod: chmod +x /tmp/nVHwxRcdzQ
- PID 618 (depth 1) /bin/sh: sh -c "/tmp/nVHwxRcdzQ &"
- PID 618 (depth 1) /bin/bash: sh -c "/tmp/nVHwxRcdzQ &"
- PID 619 (depth 2) /tmp/nVHwxRcdzQ: /tmp/nVHwxRcdzQ
- PID 620 (depth 3) /usr/bin/mktemp: mktemp /tmp/.XXXXXXXX
- PID 621 (depth 3) /usr/bin/mktemp: mktemp /tmp/.XXXXXXXX
- PID 623 (depth 3) /usr/bin/base64: base64 -o /tmp/.jvWqz5At -d
- PID 624 (depth 3) /usr/bin/tar: tar -xvf /tmp/.jvWqz5At -O
- PID 625 (depth 3) /usr/bin/head: head -c 310464 /dev/zero
- PID 626 (depth 3) /bin/rm: rm -rf /tmp/.jvWqz5At
- PID 627 (depth 3) /bin/chmod: chmod +x /tmp/.0SLLu8EI
- PID 629 (depth 3) /bin/sleep: sleep 3
- PID 628 (depth 3) /tmp/.0SLLu8EI: /tmp/.0SLLu8EI
- PID 630 (depth 3) /bin/rm: rm -rf /tmp/.0SLLu8EI
Network
MITRE ATT&CK Enterprise v15
Downloads