Analysis

  • max time kernel
    134s
  • max time network
    154s
  • platform
    macos-10.15_amd64
  • resource
    macos-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:macos-20240611-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    16-06-2024 11:05

General

  • Target

    Flash Player/Install Adobe Flash Player.app/Contents/Resources/Adobe Flash Player.pkg

  • Size

    15.1MB

  • MD5

    d875bdbb67b175367c8f060ece89c3ef

  • SHA1

    be9d05cfe8f27b6d25ce25822c6755e5773799cd

  • SHA256

    01b176a62aa29550e62eeab6545f01f11d05c1f1f2d7666a063aa198522f64eb

  • SHA512

    2760327fd224cf684252644910ad5eea1aa3f0018dfc507b8dc9e06c9ed99a8c81ee38cba6b07210ea00aa7ffb3821867185ddca0dc887ea303b905e2a589817

  • SSDEEP

    196608:wA3Paf2wK86Nr2nqfxoQNmMSFUOBs0MdvG5V2Ul6F0mDeK0WNnQkSeNkRvLVfR6h:8lK86pfxdSe0MMh6GWlNGjV5sTvtlN

Malware Config

Signatures

  • Installer Packages 1 TTPs 2 IoCs

    Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system.

  • File and Directory Discovery 1 TTPs 1 IoCs

    Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

  • Resource Forking 1 TTPs 5 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

  • Launchctl 1 TTPs 1 IoCs

    Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
    1⤵
      PID:537
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
      1⤵
        PID:537
      • /usr/bin/sudo
        sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
        1⤵
          PID:537
          • /bin/zsh
            /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
            2⤵
              PID:539
            • /usr/sbin/installer
              installer -pkg /Users/run/setup.pkg -target /
              2⤵
                PID:539
            • /usr/libexec/xpcproxy
              xpcproxy com.apple.installd
              1⤵
                PID:559
              • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
                /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
                1⤵
                  PID:559
                • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
                  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update "/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app"
                  1⤵
                    PID:560
                  • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
                    /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
                    1⤵
                      PID:561
                    • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
                      /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root /
                      1⤵
                        PID:562
                      • /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
                        /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /
                        1⤵
                          PID:563
                        • /bin/bash
                          /bin/sh /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /
                          1⤵
                            PID:563
                            • /usr/bin/logger
                              /usr/bin/logger "Flash Player Install: Launching SAU Daemon..."
                              2⤵
                                PID:564
                              • /bin/launchctl
                                /bin/launchctl load //Library/LaunchDaemons/com.adobe.fpsaud.plist
                                2⤵
                                  PID:565
                                • /usr/bin/logger
                                  /usr/bin/logger "Flash Player Install: Finalizing Plugin installation..."
                                  2⤵
                                    PID:567
                                  • /usr/bin/dirname
                                    dirname /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
                                    2⤵
                                      PID:568
                                    • /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize
                                      /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize /
                                      2⤵
                                        PID:569
                                    • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
                                      /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
                                      1⤵
                                        PID:570
                                      • /usr/bin/pluginkit
                                        /usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
                                        1⤵
                                          PID:587
                                        • /usr/sbin/spctl
                                          /usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app
                                          1⤵
                                            PID:588
                                          • /usr/libexec/xpcproxy
                                            xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
                                            1⤵
                                              PID:603
                                            • /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
                                              /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
                                              1⤵
                                                PID:603

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Boms/com.adobe.pkg.FlashPlayer.bom
    Filesize: 57KB
    MD5: 4dc632a89e380b9cb1fe7ede80f0c329
    SHA1: 8a8dedc55e35c706e015cfd1b0be8b0d4895dc65
    SHA256: 3e7e8280049ed9e5de13cf26607e1283e236587628056efb2710bccd0248e6a1
    SHA512: ff6eb360dba11a703e72bda1ddfc56b52cc5a6fb22723ebb1a6d7e76647f9bdb6f6f221e70fbc723cfd2401398f64e86c7526e60b3d751bcc6082b716cf55b16

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/._Adobe Flash Player Install Manager.app__
    Filesize: 82B
    MD5: 4fdc66c51f562ecd3216b95e3ad9d66b
    SHA1: 3849197ece111c2bdf89980b83f790a6da0f33b7
    SHA256: 6137481ad820f9cd0a0218da709fe719edc7f163009f7631eca7aa33c04fa038
    SHA512: a876587bdcbf73768bb26ce2b28764fc3f5ac09f8f495c9a9f6a402e45475402b109b89a18a08e92bfd1808fcd5375dfeea109e597678836ed38014cf8c1e7e2

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/._Contents__
    Filesize: 82B
    MD5: a226d8977cc8358c0e819f8fc9591297
    SHA1: 458bde93d3f75f1fd4da8ae06991675262c41097
    SHA256: e7e7aba9aafcb062bd0aea7b24ef6cfc42efc8b8cf53644255f007965d437f0f
    SHA512: d194bf062360e4b500618a5918cffd0d49859ebbfcaf0ef50cc78b379998056a3944e46ae858002ae03c6c17a455f430279eb730ecc4c8f9fa4e71e33aced0db

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/._Helpers__
    Filesize: 82B
    MD5: a067e3cc0f1a970ba994a2b4a6446cc2
    SHA1: 510dba90c0b58483daeb4dbc5c11524f254dc554
    SHA256: af1c677bf6b6e99680580fc5225c7e1bda16cdf8c01e3a79d54b0958efb8012f
    SHA512: 29acebe38de4704ac4437a3a5e6068ed3d9542798ea72d8fd328deffd6ae5e02219970b465c968b889813c3fa3d3eda353e38e0758f045388ffbf7d5ebe1353f

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/._Resources__
    Filesize: 82B
    MD5: b66d7236b966764ee3540dc355162f26
    SHA1: fb1319893789a9881a82f12be0d0ba4aeec04f47
    SHA256: 8eb639ec765513d9090e412c025c4d8133b31be86e21e0cfe483442451a16310
    SHA512: 970a3bd158370db9ea6172e259af27971bd39597cbee7c634471884c16c9c015835ac2086ee55f867870b6114eb156050a90d947a76cda65829dd5aceaf71619

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/MacOS/._Adobe Flash Player Install Manager__
    Filesize: 82B
    MD5: 44553a79fa4b006c5a4a55b88ff93ff6
    SHA1: 90764d741d80c2a5fbb10fab7e1aaf761267c1c6
    SHA256: eee7d55b3663ad41ab9be32c6a642c07ded1c9c1eee27d55cef6ec470b68bb38
    SHA512: 1d9f72ec023b3c40fab6b4522083f1b75454d8c0765fdcc92e3b1ebce7419fd8836e6813c96fabeeae64d2aa46615b7398dc1b1abc6e9161a71c6f8a2fcaeb28

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Resources/._English.lproj__
    Filesize: 82B
    MD5: b857d79f769e70b1660d45cdfbe4647a
    SHA1: 0507b9ec7f9d5bf2e0d2ca1062509b86deefbe4b
    SHA256: 5151cde3d1d95dcafebf27fe875ee2aad727fcb71febbe987ae1c17d8a033b51
    SHA512: e4fd7c9b46cc45d1b2e95fa159c49355e39c5f96edda13dcefae5a454062205af1a4ee23adc06f8b242b3972c8b7e4adf608cf365020c841d774939f3e019264

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/_CodeSignature/._CodeResources__
    Filesize: 82B
    MD5: 9462cbe481a48e13312ef26462c183cc
    SHA1: 562358edeb448cf880230dcdb66b6260f7d47297
    SHA256: 3abf7cd6e1a4a9ffc70badeb027ddd36c07ba218f9f38f5203d66c93890c290e
    SHA512: 781de912e55401a5ce997dcfa1d162ec893bfab54bc2e801d0ef2d40020347cc47cb5e8a2247b2563f4c8f3920f1337d3db88d873f20d2f70cdaf2d512f3f2ad

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Info.plist
    Filesize: 1KB
    MD5: 42ddaa22596dd0c864100c46880e918c
    SHA1: 8347603d23c8c5d4fe462f8148b6f241ed4c2492
    SHA256: 716cb97525d313d4725f3641ec38a7d9b8f72a0fd90fabab0b8e1ae5790615a8
    SHA512: 366864222b016783eef9bd2bd5e4cb9e608188b61d6620249e87685676da67bb49b5c700f52c5d46ce5de3269d2d5a1eab49b27882caac07a9c781365a16374f

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Resources/English.lproj/InfoPlist.strings
    Filesize: 298B
    MD5: 112182c72eca910844e6d45cdd2cca87
    SHA1: 7e45feb848736d28be9bc64e361452fa51950ca5
    SHA256: 8ef60f3215f7e417fc7563ca9240ab0df298e7873fd4a80a29a01fe35098ea7d
    SHA512: 6bdd72df1a8b983abe823ac446a90101f46a39647db1058609f2c2db2d52ae06d405a11cb0db49ad19bcbe1cfd1207f56915254b140b5d046be38c1321b3e2d7

  • /private/var/run/installd.commit.pid
    Filesize: 3B
    MD5: 3a0772443a0739141292a5429b952fe6
    SHA1: 2473f01571bf0dcb7d2b16d67da6dd031769947d
    SHA256: 0d6f9709edaeba4bebf576d6b886b8c7083374f521f5256bf571add42fc7465c
    SHA512: 81ca6a07d5f4f941b52a01afbc0b608c3e0344e1c1644b716d09cd1f3420e4da8d98576af61a0337f470c2b8ea2492af4fc7dddb5865ddae8e52dbf29784ec92

  • /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize
    Filesize: 90KB
    MD5: 280e0f3ffb5a78e24835f9f7e1370eff
    SHA1: 1daf0275d6fff3ae5145435e40d8007d00ec54d0
    SHA256: f0281ad22738d65ce61e72987d5900665bfb8abe13257905ddb0ba4362bcc47a
    SHA512: 9f99c5e3b1490321157ad032e0afded5c9ce456f3788a27f1cd88bcb7ae3609be6224b01108e6aeabe942fac04e92893a4cf31c5ae02399dcc7ff35a8b5196b7

  • /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
    Filesize: 1KB
    MD5: ef3020256bd669e8529e6e4aed1c24b2
    SHA1: 37fc45f29c6a6a7962b23b3195517ada211091a9
    SHA256: 486573d2e273734fb25e8faaa542a0654cf81f0e09eeb088a839ff82d8ffecf7
    SHA512: 751d9b03fe01ddd78901b66fd6a0fb5b07385793a73e6c45d44003691c79b3e1099f218237114716a81660f16632c0a1d3bb9d728b1d6738dd24e333fbc3a3f9