558c66e7283fed4e16cfbd7889f3d5500e89f637cc48968bed0450852083dbf1

General

Target

Notion.dmg
Size

4.2MB
MD5

50ea75b971ec961867377b45b29bf356
SHA1

d68faef1b80f376cdf1524e14f8baa49f0074b9d
SHA256

558c66e7283fed4e16cfbd7889f3d5500e89f637cc48968bed0450852083dbf1
SHA512

647831bf84212d71e6829d7531e55ef94239150152e35068ab416108bd68c641b0088ca242c0d275a26c5e0f362f7f1bb02268a731be3a91f53e831fefb44528
SSDEEP

98304:U/SA+ELoHf3EpQioKSHejUSOuairOrLBzvKkYc0nhBaMEcRaBDywa:U/SA+EkHfyn3ISOupO3pvG/nhBaMxRiD

Score

8^/10

Malware Config

Signatures

Identifies hardware specifics through system_profiler 2 IoCs

ioc	Process
bash -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"	Process not Found
system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType	Process not Found

File Permission 1 TTPs
Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

AppleScript 1 TTPs 3 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"	Process not Found
osascript -e "tell application \"Terminal\" to close first window"	Process not Found

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

Command and Scripting Interpreter 1 TTPs
Adversaries may abuse Unix shell commands and scripts for execution.
execution

Unix Shell
T1059.004

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/Notion\""
1⤵
PID:528

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/Notion\""
1⤵
PID:528

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/Notion"
1⤵
PID:528
- /bin/zsh
  /bin/zsh -c "open /Volumes/Notion"
  2⤵
  PID:529
- /usr/bin/open
  open /Volumes/Notion
  2⤵
  PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:530

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:532

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:531

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:547

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:548

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:549

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:549
- /usr/bin/login
  login -pf run
  2⤵
  PID:551
- - /bin/zsh
    -zsh
    3⤵
    PID:555
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:556
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:557
- /usr/bin/login
  login -pf run
  2⤵
  PID:558
- - /bin/zsh
    -zsh
    3⤵
    PID:559
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:560
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:561
  - - /Volumes/Notion/Notion
      /Volumes/Notion/Notion
      4⤵
      PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:552

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:553

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:554

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:554

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:564

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:564
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:565

/bin/sh
sh -c "chmod +x /tmp/binary"
1⤵
PID:566

/bin/bash
sh -c "chmod +x /tmp/binary"
1⤵
PID:566

/bin/chmod
chmod +x /tmp/binary
1⤵
PID:566

/bin/sh
sh -c /tmp/binary
1⤵
PID:567

/bin/bash
sh -c /tmp/binary
1⤵
PID:567

/tmp/binary
/tmp/binary
1⤵
PID:567
- /usr/bin/dscl
  dscl . authonly run
  2⤵
  PID:568
- /usr/bin/osascript
  osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
  2⤵
  PID:569
- /usr/bin/dscl
  dscl . authonly run root
  2⤵
  PID:571
- /bin/bash
  bash -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
  2⤵
  PID:572
- /usr/sbin/system_profiler
  system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
  2⤵
  PID:572
- /bin/bash
  bash -c "ditto -c -k --sequesterRsrc /tmp/xuyna /tmp/out.zip"
  2⤵
  PID:577
- /usr/bin/ditto
  ditto -c -k --sequesterRsrc /tmp/xuyna /tmp/out.zip
  2⤵
  PID:577

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:570

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:570

/usr/bin/csrutil
/usr/bin/csrutil status
1⤵
PID:574

/bin/sh
sh -c "rm /tmp/binary"
1⤵
PID:578

/bin/bash
sh -c "rm /tmp/binary"
1⤵
PID:578

/bin/rm
rm /tmp/binary
1⤵
PID:578

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

AppleScript

1

T1059.002

Unix Shell

1

T1059.004

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/private/tmp/xuyna/./Chromium/Chrome_Default/Cookies

Filesize
20KB

MD5
2a3fa78b5f55b529a2698ad187c80204

SHA1
cbbda35512038de511ac23b0aed12e9e86bcc796

SHA256
d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b

SHA512
e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab

Download Submit
/private/tmp/xuyna/./Chromium/Chrome_Default/Login Data

Filesize
40KB

MD5
b6914d8e5cb470236eceed8d6f8b4fb7

SHA1
cdff8880e9fa7630fc8d57af4669365b5ab29b60

SHA256
45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1

SHA512
1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7

Download Submit
/private/tmp/xuyna/./Chromium/Chrome_Default/Web Data

Filesize
90KB

MD5
4e9060f76c1cb5b54005dc6640a58f0d

SHA1
04a1e6791ae55612d9b63f23ccb37eec398b3d27

SHA256
5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3

SHA512
be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148

Download Submit
/private/tmp/xuyna/./keychain

Filesize
104KB

MD5
7dbb5949e33836d2f6bb38f650696776

SHA1
80f58a462a6b88cf122b82f1dc342cd29fcabf3a

SHA256
291dca9b3ef6fbdc989d6e581c1f9873c0b8b08e8540bd064e918aa3e8a2c59f

SHA512
97fae8c3f1f9c7ab7352871b25bc06ccad423c35afeca75f0ed31eb0c1015e5252b20d5326fe070bdbfb96bca378bd01152c8d1549ee3bbeb92dc8590084635c

Download Submit
/private/tmp/xuyna/./pwd

Filesize
4B

MD5
63a9f0ea7bb98050796b649e85481845

SHA1
dc76e9f0c0006e8f919e0c515c66dbba3982f785

SHA256
4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2

SHA512
99adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8

Download Submit
/private/tmp/xuyna/./user

Filesize
1KB

MD5
0867b34ea123abd5c949e009affdafb0

SHA1
4b25bc2760491d9474a911998b232dc56e0ab150

SHA256
e5adf28bf07f770835db53d73a232a9d6f6a51e5d3ad7ee1f4859e0b053d6993

SHA512
bb69299e1422b051c9791caa85c37bf47d2f34c33cec60b7e39c7e456a1d1236270427aec8e569d793d48b1ca138989850ee3b91697c5e2917ae9aac153db358

Download Submit
/private/tmp/xuyna/./username

Filesize
3B

MD5
a53108f7543b75adbb34afc035d4cdf6

SHA1
df6ad19037c97987c4ff9792810c0e145356717c

SHA256
acba25512100f80b56fc3ccd14c65be55d94800cda77585c5f41a887e398f9be

SHA512
755986f37193a6d8c1ef1f254ba68213f3477a48dc1acd78b551f82a54cf0e617b4aee2e85c575d6dc0159396b9ee95bfb9bfc81ff52258db13734959d92bb79

Download Submit
/tmp/out.zip

Filesize
34KB

MD5
71244ac6d5b0056641118006209f60ac

SHA1
9b7a5477b9e7137a5dbf1d6db4f70b4b9e7523a7

SHA256
934b432751dec1be2bbe4ca2bd8295e882b1b3b9a7b786d5ec08a68d1fa33906

SHA512
41b9c97afa661ceb43ae421a5062322ae78aa8b3c2cbdda97caaf5f37ac965e78bffcdb9bc21d576afbac00100960aef5041ee6a631fe9266c7a78814ab51407

Download Submit

Analysis

Sharing