Analysis
-
max time kernel
146s -
max time network
145s -
platform
macos-10.15_amd64 -
resource
macos-20240410-en -
resource tags
-
submitted
10-04-2024 10:04
General
-
Target
2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f
-
Size
713KB
-
MD5
23699799f496b8e872d05f19d2b397f8
-
SHA1
fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
-
SHA256
2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f
-
SHA512
f347c47afe06ed7ef2a71b7e40ac0103f4f33e26250661173775b349bba7452ea458e5d4137a57b34801556959bca14093a9f693d59c147061f63f2b78614288
-
SSDEEP
6144:0RDkTCDC628O+i5Npv56/SfQ7WXIRPeTqiKjBAaIeuLkN04b1Z2O/a0csN2oGA8s:q5o657MOPhKCuo64b//nPpA/OGg2Y5
Malware Config
Signatures
-
Gimmick
Gimmick family.
-
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
-
Launchctl 1 TTPs 4 IoCs
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f\""1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f1⤵
-
/bin/zsh/bin/zsh -c /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f2⤵
-
-
/Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f/Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f2⤵
-
-
/bin/shsh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"1⤵
-
/bin/bashsh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"1⤵
-
/bin/psps -ef2⤵
-
-
/usr/bin/grepgrep CorelDRAW2⤵
-
-
/usr/bin/grepgrep -v "CorelDRAW\\s*Graphics\\s*Suite"2⤵
-
-
/usr/bin/grepgrep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f2⤵
-
-
/usr/bin/awkawk "{print \$2}"2⤵
-
-
/usr/bin/xargsxargs kill -92⤵
-
-
/usr/bin/killkill -9 480 4821⤵
-
/bin/killkill -9 480 4821⤵
-
/bin/shsh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"1⤵
-
/bin/bashsh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"1⤵
-
/bin/psps -ef2⤵
-
-
/usr/bin/grepgrep CorelDRAW2⤵
-
-
/usr/bin/grepgrep -v /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f2⤵
-
-
/usr/bin/grepgrep -v "CorelDRAW\\s*Graphics\\s*Suite"2⤵
-
-
/usr/bin/awkawk "{print \$2}"2⤵
-
-
/usr/bin/xargsxargs kill -92⤵
-
-
/usr/bin/killkill -9 488 4901⤵
-
/bin/killkill -9 488 4901⤵
-
/bin/shsh -c "cp /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f /var/root/Library/Preferences/CorelDRAW/CorelDRAW"1⤵
-
/bin/bashsh -c "cp /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f /var/root/Library/Preferences/CorelDRAW/CorelDRAW"1⤵
-
/bin/cpcp /Users/run/2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f /var/root/Library/Preferences/CorelDRAW/CorelDRAW1⤵
-
/bin/shsh -c "launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"1⤵
-
/bin/bashsh -c "launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"1⤵
-
/bin/launchctllaunchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist1⤵
-
/bin/shsh -c "launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"1⤵
-
/bin/bashsh -c "launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"1⤵
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy com.CorelDRAW.va.plist1⤵
-
/var/root/Library/Preferences/CorelDRAW/CorelDRAW/var/root/Library/Preferences/CorelDRAW/CorelDRAW1⤵
-
/usr/bin/pluginkit/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync1⤵
-
/usr/sbin/spctl/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterB516C108/OneDrive.app1⤵
-
/usr/sbin/spctl/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.pbs1⤵
-
/System/Library/CoreServices/pbs/System/Library/CoreServices/pbs1⤵
-
/bin/launchctl/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon1⤵
-
/bin/launchctl/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
713KB
MD523699799f496b8e872d05f19d2b397f8
SHA1fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
SHA2562a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f
SHA512f347c47afe06ed7ef2a71b7e40ac0103f4f33e26250661173775b349bba7452ea458e5d4137a57b34801556959bca14093a9f693d59c147061f63f2b78614288