Analysis
max time kernel: 134s
max time network: 154s
platform: macos-10.15_amd64
resource: macos-20240611-en
resource tags: arch:amd64, arch:i386, image:macos-20240611-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
submitted: 16-06-2024 11:05
Static task: static1
Behavioral task behavioral1: Sample b32da496039560f42411578535dd04db_JaffaCakes118 (Resource macos-20240611-en)
Behavioral task behavioral2: Sample Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper (Resource macos-20240611-en)
Behavioral task behavioral3: Sample Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper (Resource macos-20240611-en)
Behavioral task behavioral4: Sample Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager (Resource macos-20240611-en)
Behavioral task behavioral5: Sample Flash Player/Install Adobe Flash Player.app/Contents/Resources/Adobe Flash Player.pkg (Resource macos-20240611-en)
General
Target: Flash Player/Install Adobe Flash Player.app/Contents/Resources/Adobe Flash Player.pkg
Size: 15.1MB
MD5: d875bdbb67b175367c8f060ece89c3ef
SHA1: be9d05cfe8f27b6d25ce25822c6755e5773799cd
SHA256: 01b176a62aa29550e62eeab6545f01f11d05c1f1f2d7666a063aa198522f64eb
SHA512: 2760327fd224cf684252644910ad5eea1aa3f0018dfc507b8dc9e06c9ed99a8c81ee38cba6b07210ea00aa7ffb3821867185ddca0dc887ea303b905e2a589817
SSDEEP: 196608:wA3Paf2wK86Nr2nqfxoQNmMSFUOBs0MdvG5V2Ul6F0mDeK0WNnQkSeNkRvLVfR6h:8lK86pfxdSe0MMh6GWlNGjV5sTvtlN
Malware Config
Signatures
-
Installer Packages (1 TTP, 2 IoCs)
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. When a .pkg is installed with `-target /`, its preinstall/postinstall scripts are run by installd as root, so whatever those scripts do runs with full privileges.
Processes:
- /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /
- /bin/sh /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /

File and Directory Discovery (1 TTP, 1 IoC)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Processes:
- dirname /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
Note: this is the postinstall script taking the directory of its own path; the process list shows it is immediately followed by execution of the sibling `finalize` script from the same directory, a common installer-script idiom rather than host enumeration.

Resource Forking (1 TTP, 5 IoCs)
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
Processes:
- /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update "/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app"
- /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
- /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root /
- /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
- /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
Note: all five hits are Apple's own PackageKit helpers (installd, shove, install_monitor, efw_cache_update) carrying out the normal commit of an installer sandbox to `/`; the signature fires on the standard installer pipeline and the AppleDouble `._` sidecar files it writes (see Downloads), not on code belonging to the sample.

Launchctl (1 TTP, 1 IoC)
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Processes:
- /bin/launchctl load //Library/LaunchDaemons/com.adobe.fpsaud.plist
Note: this is the persistence-relevant event of the run. It is executed by the package's postinstall script (PID 563, see Processes), and a job loaded from /Library/LaunchDaemons is a root launchd daemon that is re-registered on every boot. The doubled leading slash comes from how the script builds the path and does not change the target.
Processes
Level 1 entries are top-level processes as listed by the sandbox; level 2 entries are children of the preceding level-1 entry. A PID listed more than once is one process whose image was replaced by exec (for example 537: sh, then sudo).

PID 537, level 1: /bin/sh
  sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
PID 537, level 1: /bin/bash
  sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
PID 537, level 1: /usr/bin/sudo
  sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
PID 539, level 2: /bin/zsh
  /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
PID 539, level 2: /usr/sbin/installer
  installer -pkg /Users/run/setup.pkg -target /
PID 559, level 1: /usr/libexec/xpcproxy
  xpcproxy com.apple.installd
PID 559, level 1: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
PID 560, level 1: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update "/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app"
PID 561, level 1: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
PID 562, level 1: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root /
PID 563, level 1: /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
  /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /
PID 563, level 1: /bin/bash
  /bin/sh /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /
PID 564, level 2: /usr/bin/logger
  /usr/bin/logger "Flash Player Install: Launching SAU Daemon..."
PID 565, level 2: /bin/launchctl
  /bin/launchctl load //Library/LaunchDaemons/com.adobe.fpsaud.plist
PID 567, level 2: /usr/bin/logger
  /usr/bin/logger "Flash Player Install: Finalizing Plugin installation..."
PID 568, level 2: /usr/bin/dirname
  dirname /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
PID 569, level 2: /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize
  /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize /
PID 570, level 1: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
PID 587, level 1: /usr/bin/pluginkit
  /usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
PID 588, level 1: /usr/sbin/spctl
  /usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app
PID 603, level 1: /usr/libexec/xpcproxy
  xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
PID 603, level 1: /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
  /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

The chain that matters for triage is 537 (sudo) -> 539 (installer) -> 559 (installd) -> 563 (postinstall, run as root) -> 565 (launchctl load of a LaunchDaemon) and 569 (finalize). PIDs 587, 588 and 603 (OneDrive pluginkit/spctl and CoreSpotlightService) are not children of the installer chain and are background activity of the analysis image rather than behaviour of the package.
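The triage logic described above (separate Apple's installer pipeline from the package's own scripts, and flag a LaunchDaemon being loaded from inside a postinstall script), written out as an added example. This is not code from the sandbox or from the sample; the process records are constructed from this report's process list, the severity labels are my own convention, and a real run would read the sandbox's machine-readable export instead of the inline list.

```python
"""Triage of a sandbox process tree for installer-driven persistence.

Added example; not code from the sandbox or from the page's sample.  The
records below are constructed from the process section of this report
(executable, command line, tree depth, PID).  Standard library only.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass
class Proc:
    exe: str       # executable path as reported by the sandbox
    cmdline: str   # full command line (argv joined)
    depth: int     # 1 = top-level entry in the report, 2 = child of the preceding depth-1 entry
    pid: int


# Constructed from the process list of this report (abridged; PIDs as shown there).
PROCS = [
    Proc("/usr/sbin/installer", "installer -pkg /Users/run/setup.pkg -target /", 2, 539),
    Proc("/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd",
         "/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd", 1, 559),
    Proc("/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove",
         "/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s "
         "/Library/InstallerSandboxes/.PKInstallSandboxManager/"
         "60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root /", 1, 562),
    # The sandbox reports the executable as /bin/bash while argv[0] is /bin/sh,
    # so the script check below looks at the command line, not the exe path.
    Proc("/bin/bash", "/bin/sh /tmp/PKInstallSandbox.hErRmG/Scripts/"
         "com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /", 1, 563),
    Proc("/usr/bin/logger", '/usr/bin/logger "Flash Player Install: Launching SAU Daemon..."', 2, 564),
    Proc("/bin/launchctl", "/bin/launchctl load //Library/LaunchDaemons/com.adobe.fpsaud.plist", 2, 565),
    Proc("/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize",
         "/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize /", 2, 569),
]

PACKAGEKIT_DIR = "/System/Library/PrivateFrameworks/PackageKit.framework/Resources/"
# installd unpacks package scripts to /tmp/PKInstallSandbox.<random>/Scripts/<pkg id>.<random>/<phase>
PKG_SCRIPT_RE = re.compile(r"/PKInstallSandbox\.[^/\s]+/Scripts/[^/\s]+/(preinstall|postinstall|finalize)\b")
LAUNCHD_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/")
LAUNCHCTL_LOAD_VERBS = {"load", "bootstrap", "submit"}


def canonical_path(path: str) -> str:
    """Collapse duplicated leading slashes ("//Library/..." in the report) and nothing else."""
    return re.sub(r"^/+", "/", path)


def with_parents(procs):
    """Yield (proc, parent): a depth-2 record's parent is the nearest preceding depth-1 record."""
    parent = None
    for p in procs:
        if p.depth == 1:
            parent = p
            yield p, None
        else:
            yield p, parent


def triage(procs=PROCS):
    """Return findings as dicts {"level", "pid", "msg"}, in report order."""
    findings = []
    for p, parent in with_parents(procs):
        argv = shlex.split(p.cmdline)
        if p.exe.startswith(PACKAGEKIT_DIR):
            # installd / shove / efw_cache_update / install_monitor are Apple's commit pipeline.
            findings.append({"level": "info", "pid": p.pid,
                             "msg": "PackageKit helper (expected for any .pkg install)"})
            continue
        m = PKG_SCRIPT_RE.search(p.cmdline)
        if m:
            script = next(a for a in argv if PKG_SCRIPT_RE.search(a))
            findings.append({"level": "notable", "pid": p.pid,
                             "msg": f"installer {m.group(1)} script executed: {script}"})
        if argv and argv[0].endswith("/launchctl") and len(argv) >= 3 and argv[1] in LAUNCHCTL_LOAD_VERBS:
            plist = canonical_path(argv[-1])
            from_script = parent is not None and PKG_SCRIPT_RE.search(parent.cmdline) is not None
            if plist.startswith(LAUNCHD_DIRS):
                # A launchd job registered by a package script is the package's persistence mechanism.
                level = "persistence" if from_script else "notable"
                origin = f" from installer script pid {parent.pid}" if from_script else ""
                findings.append({"level": level, "pid": p.pid,
                                 "msg": f"launchctl {argv[1]} {plist}{origin}"})
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"[{f['level']:<11}] pid {f['pid']:>4}  {f['msg']}")
```

On this report the function classifies 559 and 562 as expected PackageKit activity, marks the postinstall (563) and finalize (569) scripts as notable, and raises the single persistence finding for PID 565 with the plist path normalised to /Library/LaunchDaemons/com.adobe.fpsaud.plist. The parent attribution relies on the report's ordering convention (level-2 entries follow their level-1 parent); with a real PPID field, use that instead.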
Network
MITRE ATT&CK Enterprise v15
Downloads

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Boms/com.adobe.pkg.FlashPlayer.bom
Filesize: 57KB
MD5: 4dc632a89e380b9cb1fe7ede80f0c329
SHA1: 8a8dedc55e35c706e015cfd1b0be8b0d4895dc65
SHA256: 3e7e8280049ed9e5de13cf26607e1283e236587628056efb2710bccd0248e6a1
SHA512: ff6eb360dba11a703e72bda1ddfc56b52cc5a6fb22723ebb1a6d7e76647f9bdb6f6f221e70fbc723cfd2401398f64e86c7526e60b3d751bcc6082b716cf55b16

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/._Adobe Flash Player Install Manager.app__
Filesize: 82B
MD5: 4fdc66c51f562ecd3216b95e3ad9d66b
SHA1: 3849197ece111c2bdf89980b83f790a6da0f33b7
SHA256: 6137481ad820f9cd0a0218da709fe719edc7f163009f7631eca7aa33c04fa038
SHA512: a876587bdcbf73768bb26ce2b28764fc3f5ac09f8f495c9a9f6a402e45475402b109b89a18a08e92bfd1808fcd5375dfeea109e597678836ed38014cf8c1e7e2

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/._Contents__
Filesize: 82B
MD5: a226d8977cc8358c0e819f8fc9591297
SHA1: 458bde93d3f75f1fd4da8ae06991675262c41097
SHA256: e7e7aba9aafcb062bd0aea7b24ef6cfc42efc8b8cf53644255f007965d437f0f
SHA512: d194bf062360e4b500618a5918cffd0d49859ebbfcaf0ef50cc78b379998056a3944e46ae858002ae03c6c17a455f430279eb730ecc4c8f9fa4e71e33aced0db

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/._Helpers__
Filesize: 82B
MD5: a067e3cc0f1a970ba994a2b4a6446cc2
SHA1: 510dba90c0b58483daeb4dbc5c11524f254dc554
SHA256: af1c677bf6b6e99680580fc5225c7e1bda16cdf8c01e3a79d54b0958efb8012f
SHA512: 29acebe38de4704ac4437a3a5e6068ed3d9542798ea72d8fd328deffd6ae5e02219970b465c968b889813c3fa3d3eda353e38e0758f045388ffbf7d5ebe1353f

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/._Resources__
Filesize: 82B
MD5: b66d7236b966764ee3540dc355162f26
SHA1: fb1319893789a9881a82f12be0d0ba4aeec04f47
SHA256: 8eb639ec765513d9090e412c025c4d8133b31be86e21e0cfe483442451a16310
SHA512: 970a3bd158370db9ea6172e259af27971bd39597cbee7c634471884c16c9c015835ac2086ee55f867870b6114eb156050a90d947a76cda65829dd5aceaf71619

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/MacOS/._Adobe Flash Player Install Manager__
Filesize: 82B
MD5: 44553a79fa4b006c5a4a55b88ff93ff6
SHA1: 90764d741d80c2a5fbb10fab7e1aaf761267c1c6
SHA256: eee7d55b3663ad41ab9be32c6a642c07ded1c9c1eee27d55cef6ec470b68bb38
SHA512: 1d9f72ec023b3c40fab6b4522083f1b75454d8c0765fdcc92e3b1ebce7419fd8836e6813c96fabeeae64d2aa46615b7398dc1b1abc6e9161a71c6f8a2fcaeb28

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Resources/._English.lproj__
Filesize: 82B
MD5: b857d79f769e70b1660d45cdfbe4647a
SHA1: 0507b9ec7f9d5bf2e0d2ca1062509b86deefbe4b
SHA256: 5151cde3d1d95dcafebf27fe875ee2aad727fcb71febbe987ae1c17d8a033b51
SHA512: e4fd7c9b46cc45d1b2e95fa159c49355e39c5f96edda13dcefae5a454062205af1a4ee23adc06f8b242b3972c8b7e4adf608cf365020c841d774939f3e019264

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/_CodeSignature/._CodeResources__
Filesize: 82B
MD5: 9462cbe481a48e13312ef26462c183cc
SHA1: 562358edeb448cf880230dcdb66b6260f7d47297
SHA256: 3abf7cd6e1a4a9ffc70badeb027ddd36c07ba218f9f38f5203d66c93890c290e
SHA512: 781de912e55401a5ce997dcfa1d162ec893bfab54bc2e801d0ef2d40020347cc47cb5e8a2247b2563f4c8f3920f1337d3db88d873f20d2f70cdaf2d512f3f2ad

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Info.plist
Filesize: 1KB
MD5: 42ddaa22596dd0c864100c46880e918c
SHA1: 8347603d23c8c5d4fe462f8148b6f241ed4c2492
SHA256: 716cb97525d313d4725f3641ec38a7d9b8f72a0fd90fabab0b8e1ae5790615a8
SHA512: 366864222b016783eef9bd2bd5e4cb9e608188b61d6620249e87685676da67bb49b5c700f52c5d46ce5de3269d2d5a1eab49b27882caac07a9c781365a16374f

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Resources/English.lproj/InfoPlist.strings
Filesize: 298B
MD5: 112182c72eca910844e6d45cdd2cca87
SHA1: 7e45feb848736d28be9bc64e361452fa51950ca5
SHA256: 8ef60f3215f7e417fc7563ca9240ab0df298e7873fd4a80a29a01fe35098ea7d
SHA512: 6bdd72df1a8b983abe823ac446a90101f46a39647db1058609f2c2db2d52ae06d405a11cb0db49ad19bcbe1cfd1207f56915254b140b5d046be38c1321b3e2d7

/private/var/run/installd.commit.pid
Filesize: 3B
MD5: 3a0772443a0739141292a5429b952fe6
SHA1: 2473f01571bf0dcb7d2b16d67da6dd031769947d
SHA256: 0d6f9709edaeba4bebf576d6b886b8c7083374f521f5256bf571add42fc7465c
SHA512: 81ca6a07d5f4f941b52a01afbc0b608c3e0344e1c1644b716d09cd1f3420e4da8d98576af61a0337f470c2b8ea2492af4fc7dddb5865ddae8e52dbf29784ec92

/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize
Filesize: 90KB
MD5: 280e0f3ffb5a78e24835f9f7e1370eff
SHA1: 1daf0275d6fff3ae5145435e40d8007d00ec54d0
SHA256: f0281ad22738d65ce61e72987d5900665bfb8abe13257905ddb0ba4362bcc47a
SHA512: 9f99c5e3b1490321157ad032e0afded5c9ce456f3788a27f1cd88bcb7ae3609be6224b01108e6aeabe942fac04e92893a4cf31c5ae02399dcc7ff35a8b5196b7

/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
Filesize: 1KB
MD5: ef3020256bd669e8529e6e4aed1c24b2
SHA1: 37fc45f29c6a6a7962b23b3195517ada211091a9
SHA256: 486573d2e273734fb25e8faaa542a0654cf81f0e09eeb088a839ff82d8ffecf7
SHA512: 751d9b03fe01ddd78901b66fd6a0fb5b07385793a73e6c45d44003691c79b3e1099f218237114716a81660f16632c0a1d3bb9d728b1d6738dd24e333fbc3a3f9
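The eight 82-byte `._` files above, and the Resource Forking signature that fires on the PackageKit helpers writing them, both concern the same on-disk structure: an AppleDouble sidecar, which is how macOS carries Finder info, extended attributes and the resource fork of a file on volumes and archives that cannot store forks natively. The check a practitioner wants is whether such a sidecar actually carries a resource fork payload (where code could hide) or only metadata. The parser below is an added example, not code from the sandbox or from the sample, and the blobs it parses are constructed here to match the AppleDouble format; the real contents of the files listed in this report are not on the page. An 82-byte layout of Finder info plus an empty resource-fork entry is one plausible shape for files of that size, and is an assumption of this example.

```python
"""Parse AppleDouble ("._name") sidecar files and report what they carry.

Added example; not part of the sandbox report.  Sample blobs are constructed
below to match the format and are not the contents of the report's files.
Standard library only.
"""
import struct

APPLEDOUBLE_MAGIC = 0x00051607
APPLESINGLE_MAGIC = 0x00051600
HEADER_LEN = 26          # magic(4) + version(4) + filler(16) + entry count(2)
ENTRY_LEN = 12           # id(4) + offset(4) + length(4), all big-endian
RESOURCE_FORK_ID, FINDER_INFO_ID = 2, 9
ENTRY_NAMES = {1: "data fork", 2: "resource fork", 3: "real name", 4: "comment",
               8: "file dates", 9: "Finder info", 10: "Macintosh file info", 14: "AFP file info"}


def parse_appledouble(blob: bytes) -> dict:
    """Return {"magic", "version", "entries": [{"id", "name", "offset", "length"}]}.

    Raises ValueError on a bad magic, a truncated entry table, or an entry that
    points outside the file: the things a hand-forged sidecar most often gets wrong.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for an AppleDouble header")
    magic, version, _filler, count = struct.unpack(">II16sH", blob[:HEADER_LEN])
    if magic not in (APPLEDOUBLE_MAGIC, APPLESINGLE_MAGIC):
        raise ValueError(f"bad magic 0x{magic:08x}")
    entries = []
    for i in range(count):
        off = HEADER_LEN + ENTRY_LEN * i
        if off + ENTRY_LEN > len(blob):
            raise ValueError("entry table truncated")
        eid, eoff, elen = struct.unpack(">III", blob[off:off + ENTRY_LEN])
        if eoff + elen > len(blob):
            raise ValueError(f"entry {eid} extends past end of file")
        entries.append({"id": eid, "name": ENTRY_NAMES.get(eid, f"unknown({eid})"),
                        "offset": eoff, "length": elen})
    return {"magic": magic, "version": version, "entries": entries}


def resource_fork(blob: bytes) -> bytes:
    """Bytes of the resource fork entry, or b"" when the entry is absent or empty."""
    for e in parse_appledouble(blob)["entries"]:
        if e["id"] == RESOURCE_FORK_ID:
            return blob[e["offset"]:e["offset"] + e["length"]]
    return b""


def triage_sidecar(blob: bytes) -> str:
    """One-line verdict for a sidecar: does it carry a resource fork payload or not?"""
    rf = resource_fork(blob)
    if rf:
        return f"resource fork present: {len(rf)} bytes"
    return "metadata only (no resource fork payload)"


def build_appledouble(finder_info: bytes = bytes(32), rsrc: bytes = b"") -> bytes:
    """Build a minimal sidecar: Finder info entry followed by a resource fork entry."""
    if len(finder_info) != 32:
        raise ValueError("Finder info is always 32 bytes")
    table_end = HEADER_LEN + ENTRY_LEN * 2
    header = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, 0x00020000, b"Mac OS X".ljust(16), 2)
    table = struct.pack(">III", FINDER_INFO_ID, table_end, 32)
    table += struct.pack(">III", RESOURCE_FORK_ID, table_end + 32, len(rsrc))
    return header + table + finder_info + rsrc


# Constructed sample: Finder info plus an empty resource fork entry.  This is 82 bytes,
# the size of the "._" files in the report, but it is an assumed layout, not their content.
SAMPLE_EMPTY = build_appledouble()
# Constructed sample: same layout with a 20-byte resource fork payload.
SAMPLE_WITH_RSRC = build_appledouble(rsrc=b"\x00\x00\x01\x00" + b"RSRC" * 4)


if __name__ == "__main__":
    for label, blob in (("empty", SAMPLE_EMPTY), ("with payload", SAMPLE_WITH_RSRC)):
        info = parse_appledouble(blob)
        names = ", ".join(f"{e['name']}[{e['length']}B]" for e in info["entries"])
        print(f"{label:<13} {len(blob):>4}B  entries: {names}  -> {triage_sidecar(blob)}")
```

Run against real sidecars by reading each `._` file in binary mode and passing the bytes to `triage_sidecar`; a non-empty resource fork on a sidecar next to a Mach-O or script is what the Resource Forking technique actually looks like, whereas 82-byte files with an empty fork are ordinary Finder metadata. The offset/length bounds check matters because a crafted entry table is the easiest way to make a naive parser read past the buffer.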