558c66e7283fed4e16cfbd7889f3d5500e89f637cc48968bed0450852083dbf1

General

Target

Notion/Notion
Size

10.5MB
MD5

7c81f07861646ecd35eb5956e811372b
SHA1

d05e54c17bcc56ef3f44cd78f41339aac327d650
SHA256

34053a4fcddc5c3553eb9d988b32bc7bddae2ac63fdfc5b00a8270047706bd24
SHA512

ead8c71b23a0fc6df46f5ba5ff5dda993b3dd3e0a2daf3a5ac944402ce8356c29bf2dad4f681b251c9cb319d807be27e3dd3ca856ba9e817f64443aa00424bc8
SSDEEP

49152:DBg1bzmuJV6pyOMheYGLOQxixevx7OBLv0yyRD3VFl8kPJeBg1bzmuJV6pyOMhe1:3

Score

7^/10

evasion execution

Malware Config

Signatures

File Permission 1 TTPs
Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

AppleScript 1 TTPs 15 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "tell application \"Terminal\" to close first window"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"	Process not Found
osascript -e "tell application \"Terminal\" to close first window"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"	Process not Found
osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"	Process not Found
osascript -e "tell application \"Terminal\" to close first window"	Process not Found
osascript -e "tell application \"Terminal\" to close first window"	Process not Found
osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"	Process not Found
osascript -e "tell application \"Terminal\" to close first window"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"	Process not Found
osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"	Process not Found
osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"	Process not Found
osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"	Process not Found

Resource Forking 1 TTPs 4 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

Command and Scripting Interpreter 1 TTPs
Adversaries may abuse Unix shell commands and scripts for execution.
execution

Unix Shell
T1059.004

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Notion/Notion\""
1⤵
PID:489

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Notion/Notion\""
1⤵
PID:489

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Notion/Notion
1⤵
PID:489
- /bin/zsh
  /bin/zsh -c /Users/run/Notion/Notion
  2⤵
  PID:491
- /Users/run/Notion/Notion
  /Users/run/Notion/Notion
  2⤵
  PID:491

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:493

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:493
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:494

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.1804
1⤵
PID:495

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:495
- /usr/bin/login
  login -pf run
  2⤵
  PID:501
- - /bin/zsh
    -zsh
    3⤵
    PID:503
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:504
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:505
- /usr/bin/login
  login -pf run
  2⤵
  PID:542
- - /bin/zsh
    -zsh
    3⤵
    PID:543
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:544
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:545
  - - /usr/bin/open
      open Notion
      4⤵
      PID:550
- /usr/bin/login
  login -pf run
  2⤵
  PID:554
- - /bin/zsh
    -zsh
    3⤵
    PID:555
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:556
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:557
  - - /Users/run/Notion/Notion
      /Users/run/Notion/Notion
      4⤵
      PID:558
- /usr/bin/login
  login -pf run
  2⤵
  PID:574
- - /bin/zsh
    -zsh
    3⤵
    PID:575
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:576
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:577
  - - /Users/run/Notion/Notion
      /Users/run/Notion/Notion
      4⤵
      PID:578

/bin/sh
sh -c "chmod +x /tmp/binary"
1⤵
PID:496

/bin/bash
sh -c "chmod +x /tmp/binary"
1⤵
PID:496

/bin/chmod
chmod +x /tmp/binary
1⤵
PID:496

/bin/sh
sh -c /tmp/binary
1⤵
PID:497

/bin/bash
sh -c /tmp/binary
1⤵
PID:497

/tmp/binary
/tmp/binary
1⤵
PID:497
- /usr/bin/dscl
  dscl . authonly root
  2⤵
  PID:498
- /usr/bin/osascript
  osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
  2⤵
  PID:499
- /usr/bin/dscl
  dscl . authonly root root
  2⤵
  PID:540
- /usr/bin/osascript
  osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
  2⤵
  PID:541
- /usr/bin/dscl
  dscl . authonly root root
  2⤵
  PID:582
- /usr/bin/osascript
  osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
  2⤵
  PID:583
- /usr/bin/dscl
  dscl . authonly root root
  2⤵
  PID:584
- /usr/bin/osascript
  osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
  2⤵
  PID:585
- /usr/bin/dscl
  dscl . authonly root root
  2⤵
  PID:596
- /usr/bin/osascript
  osascript -e "display dialog \"Required Application Helper. Please enter password:\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"Application wants to install helper\" with hidden answer"
  2⤵
  PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:510

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:510

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:511

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:511

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:546

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:551

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:552

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:553

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:560

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:560
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:572

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:573

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:573

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:580

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:580
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:586

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:586

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:587

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:587
- /usr/bin/login
  login -pf run
  2⤵
  PID:588
- - /bin/zsh
    -zsh
    3⤵
    PID:589
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:590
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:591
  - - /Users/run/Notion/Notion
      /Users/run/Notion/Notion
      4⤵
      PID:592

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:594

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:594
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:595

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:598

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:598

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:599

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:599
- /usr/bin/login
  login -pf run
  2⤵
  PID:600
- - /bin/zsh
    -zsh
    3⤵
    PID:601
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:602
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:603
  - - /Users/run/Notion/Notion
      /Users/run/Notion/Notion
      4⤵
      PID:604

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:606

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window' & exit"
1⤵
PID:606
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:607

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

AppleScript

1

T1059.002

Unix Shell

1

T1059.004

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/.zsh_history

Filesize
561B

MD5
ad567a32de73605ff25fba37ec26ff64

SHA1
d1d262442e05abb206c4e71655e96919ea2d18d6

SHA256
7a85ddc76dd44a3e9e5f97de383a42e5c371bc0a3cc75d4aa4d4d8f15ea7f853

SHA512
a7602fed590fc51d5258952744f61ae4002096eaa2ae284a620fc1c2873d9394d38a2f72e0619163b1b8b338781bc330cf0ce00b5a0671d66b7c0ed573056f4b

Download Submit
/Users/run/.zsh_history

Filesize
594B

MD5
baad3f3d954f9effb3e7f0e7d150f27d

SHA1
76c44adc4612f7a7b471ab318e6c2d85dcd6a46a

SHA256
22beaf4350320ebac0df05aee090bff644fd6dc4372be220e0bb1b195e770e52

SHA512
07080f4d97df7b238d2f13cc109735b0800606dde707c90d8646321cb1e9b2d928a3ab819403c7cf7a5ca315088ba1eeeb506d8f057c922fe0292faeaaa1e3da

Download Submit
/Users/run/.zsh_history

Filesize
606B

MD5
aec315c1d97b445b4d69ce1c2b4eebe9

SHA1
277a31b2b85ffb5ee22b128b3d155a3ec5937228

SHA256
0d9fcd3020497deb80214c04a9e82a3c77ee70bcf0b34b2737fef994e4e8dad7

SHA512
0a67380ddec4951abce3e0e8dd2bd0e7520a841cd4070405e394ced22cbdf9dbede27b12a8a526964ef47b40e9e3776b0aec035343d1da10ebf95bf1c4c0cd8f

Download Submit
/Users/run/.zsh_history

Filesize
639B

MD5
3e490882aacd0066987817e164954c04

SHA1
9854cf74216a84482469b596de2ba1b34dcd46d0

SHA256
41d684b61576268d0d0b9206953f48e23ae936c9ddf2edc7ef7f3eaed276248c

SHA512
ee35646a2c427a94295f86e3d63ded3efcd4c84ff5099c1823a2a838393566c0aa4b1a937646d17e5eadac2d5f163cf9ff07bb26b2ba1617e3ea04a3831291a3

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
62c9358d48c143b2dc18be8d22374f1e

SHA1
e4373319ea4ee058abe0e03c5b69088dd4ee250c

SHA256
ca579fffc6c614a62a8d71fc89241b9c1713348d56a219afbbd6b6ccfcc393dd

SHA512
c143471ba070aee9191d76a6a9abc1c298294d586916f12b03eac562d8b0f1e94f2cb2b41b57ab574d4026471a37a49ed7bcdae662bf6505539cc4a5d9a8444e

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
2KB

MD5
f7eab91bcf7321e19b7567807b6ed9cc

SHA1
2f71d5d3c8e3ba4deec74f1b67191b6f3055365e

SHA256
dffe8544560e3c712ea095832f6171a63de6fb6ea221b66d3849b71cd4e229e7

SHA512
5f3a077c35f7abd20d2db678eb7bd6497f6495be90449ea93f20101165abb79d5684e73519ba55056592704fd789ba807129583ddb130357dfe4481820af287c

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
f47f24d245fa040143e6e89518db9b87

SHA1
7a2a65bf22a0431bf33035e198c24af5b9c1d4d2

SHA256
c020416a93e0a0a90ab58f2084b34ae8f9c6864302e8201b840d31749b69c45c

SHA512
06d1c12f27435208fb8296480d2abf224e7ece3bae50b815857556663825719711348fcc557691f76f0b15865ef59b159c7e607a003f5c9658e6bc39dcf6969d

Download Submit

Analysis

Sharing