d48efd01edafd3918de137a5a0c394be3fa743569e7f84928efc33c2fa4f11bd

General

Target

LoomTool_8.9.9_build_2266.dmg
Size

9.4MB
MD5

d57190873472248c3f73f78092982a5d
SHA1

1291f2339a51450012a69af1139c1271c9a617cf
SHA256

5a31c8ee2f76fadc9d9900f02573d809ff8fc01c066331928533d74afa3be02c
SHA512

b34d438d07a7b2e519629190940e9e70168e4878b5cdb5de4709737c51b4a1195551aba49d2569b1a873d1c635405c0f99ff98902d3d43d3d28545ac57cdfef2
SSDEEP

49152:gWqeVQ0zyHthEkzaH6ciyGc2KOw/CVP8wHaTwB0NjRKwrL6ZYi26:gW/Q02HvDeH69cEOCVP8upB0SAL4YiR

Score

7^/10

Malware Config

Signatures

Queries the macOS version information. 1 TTPs 2 IoCs

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

discovery

System Information Discovery

T1082

ioc	Process
sh -c sw_vers	Process not Found
sw_vers	Process not Found

System Checks 1 TTPs 2 IoCs

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.

evasion

System Checks

T1497.001

ioc	Process
sh -c "system_profiler SPHardwareDataType"	Process not Found
system_profiler SPHardwareDataType	Process not Found

AppleScript 1 TTPs 14 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"	Process not Found
osascript -e "tell application \"Terminal\" to set visible of front window to false"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/Loom\""
1⤵
PID:527

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/Loom\""
1⤵
PID:527

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/Loom"
1⤵
PID:527
- /bin/zsh
  /bin/zsh -c "open /Volumes/Loom"
  2⤵
  PID:528
- /usr/bin/open
  open /Volumes/Loom
  2⤵
  PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:530

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:531

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:537

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:538

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:538
- /usr/bin/login
  login -pf run
  2⤵
  PID:540
- - /bin/zsh
    -zsh
    3⤵
    PID:541
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:542
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:543
- /usr/bin/login
  login -pf run
  2⤵
  PID:544
- - /bin/zsh
    -zsh
    3⤵
    PID:545
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:546
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:547
  - - /Volumes/Loom/Loom
      /Volumes/Loom/Loom
      4⤵
      PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:539

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:549

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:549

/usr/bin/osascript
osascript -e "tell application \"Terminal\" to set visible of front window to false"
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:550

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:550

/bin/sh
sh -c "mkdir /Users/run/1214475002"
1⤵
PID:551

/bin/bash
sh -c "mkdir /Users/run/1214475002"
1⤵
PID:551

/bin/mkdir
mkdir /Users/run/1214475002
1⤵
PID:551

/bin/sh
sh -c sw_vers
1⤵
PID:552

/bin/bash
sh -c sw_vers
1⤵
PID:552

/usr/bin/sw_vers
sw_vers
1⤵
PID:552

/bin/sh
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:553

/bin/bash
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:553

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:553

/bin/sh
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:555

/bin/bash
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:555

/usr/sbin/system_profiler
system_profiler SPDisplaysDataType
1⤵
PID:555

/bin/sh
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:557

/bin/bash
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:557

/usr/bin/dscl
dscl /Local/Default -authonly run
1⤵
PID:557

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:558

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:558

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:559

/bin/sh
sh -c "dscl /Local/Default -authonly run bobdole"
1⤵
PID:561

/bin/bash
sh -c "dscl /Local/Default -authonly run bobdole"
1⤵
PID:561

/usr/bin/dscl
dscl /Local/Default -authonly run bobdole
1⤵
PID:561

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:563

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:563

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:563

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:567

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:567

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:571

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:572

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:573

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:573

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:573

/bin/sh
sh -c /usr/sbin/kextstat
1⤵
PID:576

/bin/bash
sh -c /usr/sbin/kextstat
1⤵
PID:576

/usr/sbin/kextstat
/usr/sbin/kextstat
1⤵
PID:576

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:577

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:577

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:577

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:579

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:579

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:579

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:580

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:580

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
7edaf716978a844ad96218032cfbc2f9

SHA1
42aca2d3150723fee11253903bf3df0f4812142f

SHA256
c65fed3ab853cb049092b18c9813da45283681fccda49a7f0f2731097d71d4a2

SHA512
774c4234f8b16accf8a12bf8c44d846710c8a44ba26db0ac010b28ba276220a097769bd09090a13218552c218d7ebc5345acf4889079f5f12bb1975f5edd8c90

Download Submit
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
08300aaa8bf3f92a7513f1ffbdc575ad

SHA1
d8420723533fb79397785ab8d2321aaf9b012a17

SHA256
788b9a87487cac15dd1b25ca0c4d3c5f5d2ba2436bd31bfca6d0fcc673499b37

SHA512
2a40bf82b7a347f0df31ba1b1fbeff740baabedb996499ab18d2b358c3db96a7d89efe41bd5518b01b4bc18347633f34044a40abaf81ad45d329b1dc6ffe15fe

Download Submit
/private/var/db/spindump/tailspin-trace.2024-07-25_14-38-34.tailspin

Filesize
18.4MB

MD5
6ea9a8042cc17cd08ef49d04a7c06a1e

SHA1
55d111cbcdfaed1e61e05aeaece3c858f0e2a3a8

SHA256
30baad500d836b47c59ebb64a4ad7112ac931de017f8e9fe91b2ba7405cbdc94

SHA512
198d15ce6969ce25476f1ef717e4fd599c315ca0cfa690fad8e2a01384b8b39ea0c3e29c45655bd33d236751eff9676dcb4926a492c9ddd47eed9f1f4a81411c

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt

Filesize
600KB

MD5
e7840a8036fcc4e0506fc741306d4375

SHA1
84c93bc399aca0f7c960da8249df8d3dc91aeabe

SHA256
ee69d286ff2875672c68a587da29a29e7a72f192e454f9459d74beacd58739bd

SHA512
3755df59f75c677998894c962f81c3f6a6cfd072b8ac9aa254aef5b9416c94ba24863c637cab08f8671f6ab675a76867ce454a0c1ac98d10d862a46a96421683

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads