Analysis

  • max time kernel
    118s
  • max time network
    147s
  • platform
    macos-10.15_amd64
  • resource
    macos-20240410-en
  • resource tags

    arch:amd64, arch:i386, image:macos-20240410-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    28-04-2024 07:16

General

  • Target

    resources/bin/ocr_apple

  • Size

    454KB

  • MD5

    182c85589d21f23a1fbd5dda4e313041

  • SHA1

    408669738826fe618c6c18b5a1eb4eb6016222a8

  • SHA256

    b8fa71cb8647f3a462876945cdca8c4fded764ef6b7888e1cf0fc0bce377493c

  • SHA512

    9ab9a2d92b976a8ee4155a3f05468f1cd3b00450c84a444a048f956bd219c20213751c955fa5fab19f47f9ccf561be425288d01efe9d63f06d9dd3849fdb2805

  • SSDEEP

    6144:wQmDQ+AsZbI+Fd750poC3eC6b2ViOxPUcw0tlNrOhJaN9A+wL7CE4DhSNOW/0Ldh:wWsNgHChoN9AtLz4DhSNQ

Score
4/10

Malware Config

Signatures

  • Application makes screenshots during execution. Possible data exfiltration. 1 IoCs
  • Resource Forking 1 TTPs 5 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/resources/bin/ocr_apple\""
    1⤵
      PID:494
  • /bin/bash
    sh -c "sudo /bin/zsh -c \"/Users/run/resources/bin/ocr_apple\""
    1⤵
      PID:494
  • /usr/bin/sudo
    sudo /bin/zsh -c /Users/run/resources/bin/ocr_apple
    1⤵
      PID:494
  • /bin/zsh
    /bin/zsh -c /Users/run/resources/bin/ocr_apple
    2⤵
      PID:495
  • /Users/run/resources/bin/ocr_apple
    /Users/run/resources/bin/ocr_apple
    2⤵
      PID:495
  • /usr/sbin/screencapture
    /usr/sbin/screencapture -i -r /tmp/ocr.png
    1⤵
      PID:496
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.sysmond
    1⤵
      PID:517
  • /usr/libexec/sysmond
    /usr/libexec/sysmond
    1⤵
      PID:517
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.audio.systemsoundserverd
    1⤵
      PID:518
  • /usr/sbin/systemsoundserverd
    /usr/sbin/systemsoundserverd
    1⤵
      PID:518
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.pbs
    1⤵
      PID:519
  • /System/Library/CoreServices/pbs
    /System/Library/CoreServices/pbs
    1⤵
      PID:519
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.audio.AudioComponentRegistrar
    1⤵
      PID:520
  • /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
    /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
    1⤵
      PID:520
  • /usr/libexec/xpcproxy
    xpcproxy com.oracle.java.Java-Updater
    1⤵
      PID:542
  • /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
    "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
    1⤵
      PID:542
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
    1⤵
      PID:543
  • /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
    /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
    1⤵
      PID:543

Network

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

  • Hide Artifacts
    1
    T1564
  • Resource Forking
    1
    T1564.009