Overview

overview

4

Static

static

3

Graillon-F...de.pdf

windows7-x64

1

Graillon-F...de.pdf

windows10-2004-x64

1

Graillon-F...et.pdf

windows7-x64

1

Graillon-F...et.pdf

windows10-2004-x64

1

Graillon-F...on2.so

ubuntu-18.04-amd64

1

Graillon-F...n 2.so

ubuntu-20.04-amd64

1

Graillon-F...n 2.so

ubuntu-20.04-amd64

1

Graillon-F....0.pkg

macos-10.15-amd64

4

Graillon-F....0.exe

windows7-x64

3

Graillon-F....0.exe

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PROGRAMFI... 2.dll

windows7-x64

1

$PROGRAMFI... 2.dll

windows10-2004-x64

1

$PROGRAMFI... 2.dll

windows7-x64

1

$PROGRAMFI... 2.dll

windows10-2004-x64

1

$PROGRAMFI...64.dll

windows7-x64

1

$PROGRAMFI...64.dll

windows10-2004-x64

1

$_26_/Aubu...64.dll

windows7-x64

1

$_26_/Aubu...64.dll

windows10-2004-x64

1

$_27_/Aubu... 2.dll

windows7-x64

3

$_27_/Aubu... 2.dll

windows10-2004-x64

3

$_28_/Grai...64.dll

windows7-x64

1

$_28_/Grai...64.dll

windows10-2004-x64

Graillon-F...e.html

windows7-x64

1

Graillon-F...e.html

windows10-2004-x64

1

Analysis

  • max time kernel
    130s
  • max time network
    143s
  • platform
    macos-10.15_amd64
  • resource
    macos-20240410-en
  • resource tags

    arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
  • submitted
    20-04-2024 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Graillon-FREE-2.8/Mac/Graillon-2-FREE-2.8.0.pkg

  • Size

    12.7MB

  • MD5

    35e28833d89c33c03ca54bffde68f0c5

  • SHA1

    504c2b44bd7f275eba21e38436b33fa00523a809

  • SHA256

    13b38d812daf62bb83c51104d79a3af63722b01a3828a949b23e1d72d6da6934

  • SHA512

    117c0c5d01d570d948411d90d8ffadab273259520cb697c6ce9925dbd271cdd82f42637e90597e5d2707ff883c5070003cc5c4fe23d53b8b87d0a497a0108018

  • SSDEEP

    393216:EgpL3mSU/XqWitXzCs4X+kIliCYjd1q3C4Ay9yv:DLltDK2l4jdKC4/u

Score
4/10
evasion

Malware Config

Signatures

  • Resource Forking 1 TTPs 4 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

    evasion

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
    1⤵
      PID:495
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
      1⤵
        PID:495
      • /usr/bin/sudo
        sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
        1⤵
          PID:495
          • /bin/zsh
            /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
            2⤵
              PID:496
            • /usr/sbin/installer
              installer -pkg /Users/run/setup.pkg -target /
              2⤵
                PID:496
            • /usr/libexec/xpcproxy
              xpcproxy com.apple.installd
              1⤵
                PID:498
              • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
                /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
                1⤵
                  PID:498
                • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
                  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
                  1⤵
                    PID:518
                  • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
                    /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/F6C3FECB-4999-4976-B4BC-8032788054D5.activeSandbox/Root /
                    1⤵
                      PID:519
                    • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
                      /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
                      1⤵
                        PID:520
                      • /usr/libexec/xpcproxy
                        xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
                        1⤵
                          PID:555
                        • /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
                          /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
                          1⤵
                            PID:555

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Persistence

                          Privilege Escalation

                          Defense Evasion

                          Hide Artifacts

                          1
                          T1564

                          Resource Forking

                          1
                          T1564.009

                          Credential Access

                          Discovery

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • /Library/InstallerSandboxes/.PKInstallSandboxManager/F6C3FECB-4999-4976-B4BC-8032788054D5.activeSandbox/Boms/com.auburnsounds.Graillon---aax.pkg.bom
                            Filesize

                            43KB

                            MD5

                            79883576eceb12e5dc73fff143e48b86

                            SHA1

                            6bf4b4f3e9143dcb9100e5b88011fdaad1f37321

                            SHA256

                            4fe65c64d79663fde622a0c16e28068d378997517c39361df5991605649902ab

                            SHA512

                            2f5920f0fecba8fdfae93b764055e2aced49c54c2ec1f616f1c501fbde039bebe01f7b9c9de8964400ba9fee87bcab5414685f2be4584e0708aa0ebbc2006439

                            Download Submit
                          • /Library/InstallerSandboxes/.PKInstallSandboxManager/F6C3FECB-4999-4976-B4BC-8032788054D5.activeSandbox/Boms/com.auburnsounds.Graillon---au.pkg.bom
                            Filesize

                            35KB

                            MD5

                            69ea6c31c03f221bc85f39ae8512f593

                            SHA1

                            80bb3a211db275eae29a8f5e13992ed1b85e9dd6

                            SHA256

                            bf4c4d64a0e9f113a78f2ae811f2ea51587d19f21a975919b5f4e34ab60047d6

                            SHA512

                            b766d12d039913b0d12e2d894dc15b33ffbc5ca6d91a55bc1d13bf4e0e510a14980c9664845e8aaffc16aa79205dc23819e7c05014133fc22440bf77999defa0

                            Download Submit
                          • /Library/InstallerSandboxes/.PKInstallSandboxManager/F6C3FECB-4999-4976-B4BC-8032788054D5.activeSandbox/Boms/com.auburnsounds.Graillon---vst-.pkg.bom
                            Filesize

                            35KB

                            MD5

                            9adfe818cd58382c7e98fe89a49c5f5e

                            SHA1

                            0007a289edbd53e8a22c057a02e9507b58781c9f

                            SHA256

                            28ad1ec97bd9efa872f91aef0c0b5ff26a4a3ab8a5001155cdc09ef0cd2e961d

                            SHA512

                            a66592956b900bbb3b0f76fdbc4ea8bdf51e988f3415d7c5eac0946183a494eb0d783a806e8484efe761d12408acd76ec9d66f613c02c1a0bf2cec4a65b3b03a

                            Download Submit
                          • /Library/InstallerSandboxes/.PKInstallSandboxManager/F6C3FECB-4999-4976-B4BC-8032788054D5.activeSandbox/Boms/com.auburnsounds.Graillon---vst.pkg.bom
                            Filesize

                            35KB

                            MD5

                            053a9ef9b7a2ef776d5064edf77a98b9

                            SHA1

                            c38abcb69aff58bd5f592edb91f1b74177c39ae8

                            SHA256

                            238da7c4615d2336a01ba02fff88a976dae7ffc7138508f6d1020e2d6ba6ed9d

                            SHA512

                            506d8d078028fb7f0c0f404b56aba267f9dad77375d655e1cea8d2b015dd3f7b80d8eab7bdb78b5c268cf2bc95edbb25dcb79c0daca30a9976ac6d3b29d2d786

                            Download Submit
                          • /private/var/run/installd.commit.pid
                            Filesize

                            3B

                            MD5

                            05f971b5ec196b8c65b75d2ef8267331

                            SHA1

                            d049c44e2fd67b6eb19a1c18c93110c0b52cab63

                            SHA256

                            f138665c5aa6600801452ebb40df70c46e73f2c51f4cb72f66b438139c5ec3f6

                            SHA512

                            ba0b0519f2361a988db0251db3c93f813080bf9f95df721e08bae096d8c926bf9aaf8744a380d1453c7664c9fb191d960ae5f95bb207cc3c5f1239c7e9a2ca1e

                            Download Submit