14f30b9c005f28caca6798e9b430a39595c60a245c38dbc253c8408495e0adb5

General

Target

Launcher_v.1.82.dmg
Size

3.8MB
MD5

97a30830c052c5151a49f880ce9548ac
SHA1

ea02cdf98aa9aeb6ab8e0396493c13c08a4eb3bb
SHA256

14f30b9c005f28caca6798e9b430a39595c60a245c38dbc253c8408495e0adb5
SHA512

cf7e0e5c772f3176c25c1f3428e824e7ef8792cfb8a421a9ddfd67c33da769da1b368778bb763b77f01765ccdca5fb1ceaeab9c8432fd9f1101cbc3941587acb
SSDEEP

24576:9KxZfFNDY0gyrDgnagt7gwGUhgb9NDYC5rEBSQ9RJzWET+bQWVx7EYzBf7vAtlf0:9ufFvDPU7zG

Score

7^/10

Malware Config

Signatures

Queries the macOS version information. 1 TTPs 2 IoCs

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

discovery

System Information Discovery

T1082

ioc	Process
sh -c sw_vers	Process not Found
sw_vers	Process not Found

System Checks 1 TTPs 2 IoCs

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.

evasion

System Checks

T1497.001

ioc	Process
sh -c "system_profiler SPHardwareDataType"	Process not Found
system_profiler SPHardwareDataType	Process not Found

AppleScript 1 TTPs 12 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"	Process not Found
osascript -e "tell application \"Terminal\" to set visible of front window to false"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/Setup\""
1⤵
PID:600

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/Setup\""
1⤵
PID:600

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/Setup"
1⤵
PID:600
- /bin/zsh
  /bin/zsh -c "open /Volumes/Setup"
  2⤵
  PID:601
- /usr/bin/open
  open /Volumes/Setup
  2⤵
  PID:601

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater66017B75/OneDrive.app
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:604

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:604

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:611

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:611

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:612

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:612
- /usr/bin/login
  login -pf run
  2⤵
  PID:616
- - /bin/zsh
    -zsh
    3⤵
    PID:618
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:619
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:620
- /usr/bin/login
  login -pf run
  2⤵
  PID:621
- - /bin/zsh
    -zsh
    3⤵
    PID:622
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:623
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:624
  - - /Volumes/Setup/Setup
      /Volumes/Setup/Setup
      4⤵
      PID:625

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:613

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:615

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:615

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:617

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:617

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:626

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:626

/usr/bin/osascript
osascript -e "tell application \"Terminal\" to set visible of front window to false"
1⤵
PID:626

/bin/sh
sh -c "mkdir /tmp/1491866865"
1⤵
PID:627

/bin/bash
sh -c "mkdir /tmp/1491866865"
1⤵
PID:627

/bin/mkdir
mkdir /tmp/1491866865
1⤵
PID:627

/bin/sh
sh -c sw_vers
1⤵
PID:628

/bin/bash
sh -c sw_vers
1⤵
PID:628

/usr/bin/sw_vers
sw_vers
1⤵
PID:628

/bin/sh
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:629

/bin/bash
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:629

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:629

/usr/libexec/xpcproxy
xpcproxy com.apple.icloud.findmydeviced
1⤵
PID:631

/usr/libexec/findmydeviced
/usr/libexec/findmydeviced
1⤵
PID:631

/bin/sh
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:632

/bin/bash
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:632

/usr/sbin/system_profiler
system_profiler SPDisplaysDataType
1⤵
PID:632

/bin/sh
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:634

/bin/bash
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:634

/usr/bin/dscl
dscl /Local/Default -authonly run
1⤵
PID:634

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:635

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:635

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:635

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:636

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:636

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:637

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:637

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:638

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:638

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:640

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:640

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:641

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:641

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:643

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:643

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:644

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:644

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:650

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:650

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:650

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:651

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:651

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:652

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:652

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:657

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:657

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:657

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:658

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:658

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:659

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:659

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:659

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:668

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:668

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
e7eb3df2338bbc845d97925836a3ebac

SHA1
945e4adba0740b2f0e972ed02d7cc99bb5b68227

SHA256
d5f0263ce4c6a4160e2d9a23a19f293b0dadb73b4de3299ad7a52cbc649c4f94

SHA512
750ffac3f1df32327465f1f77a002d02268c84884c10bae2454c675c68a6fc064cfaeae1f42c631e6b922014c34f0b196f5336b3a6baf43fa6d77b458d91cd5e

Download Submit
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
6affe0ddf6a97a1c63da90cfbc0bb770

SHA1
4250249d8fecce13b5f6e1971241f821cc45cf50

SHA256
be8d7486ee24acfdb7d849fb90275928c31ff22cbcda08430814b1681e585090

SHA512
ad805412c45b4c971f9ed8c159d97ae9b38e7afaa3f57ccafb8d7912583105ed3e84dbbdc2416063e61d3ddb9bae8d035ed406e5cc074721f4aa7643e0b52936

Download Submit
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
2f3ff9bb6dc44d2638131397e4d59373

SHA1
2cadc2d0ad460f30d205a4fb483a1bc895339049

SHA256
20088efed86377c399546413187a6fe28e46e60d66ae51b45e707226337853e1

SHA512
2002cc18c37273e626b24a3c2684f28398b7e41397ad3af8954be8d63377ce7c9dc22de92ad58e952d01416a9141526f0814de0c3b49925fed748c7919da6b05

Download Submit
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
37a2f40b92b881b30ade5ee060a25f0b

SHA1
f5911c3df12a014c5b7e7f66d359529c862c9386

SHA256
647a96d631c5b76a26b5bc137e6faa7cde15726641c946bb8945ef969fe47eae

SHA512
fc0d01d3eb197c9c802925810c09bea4ea1aaf8172f1dd1427475c46b3b53a0aea9eaf5df36e5c4eeeeeba5d54047685b31245ce9aafc3917db7de48e9ae1b8c

Download Submit
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
21dc565467ae6ca4f7a63107ecc29dab

SHA1
0d350dfed0a5e257d4bb647445731be07678e041

SHA256
dc2ea53d9c42d588cf211924299996b6c4a14d58a95adf87a7721f3edc746233

SHA512
565db55d5a00a452336a0cd176f45917753cbe9d012e0d22766b1ee5265bb3761aa2ee7ef8c147eeb9d4be1b0e67740abd713e6eef1947a7c6c39d680d7b9ec5

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads