d48efd01edafd3918de137a5a0c394be3fa743569e7f84928efc33c2fa4f11bd

General

Target

Loom/Loom
Size

482KB
MD5

4550787d14b2b8f1e719d0b9d2133aee
SHA1

bfc27126477e8bce14faa143c111e39b24633235
SHA256

508029c49cd063e5381d61a8d8a6d641a6a8076b31ce31cd5f15e377510bd184
SHA512

0f54fce2537ff17d8f5b729832bd2b4d8e741d41086da70d7f65c531daec70d24e0a156a81c0afce3df48210b6353399002179be473259bd4f0cebc57d16d8c4
SSDEEP

12288:La77+7rA23+YLj/l0vhmY1o2IXFG3HOz64jG63:agM+Vz6i

Score

4^/10

execution

Malware Config

Signatures

AppleScript 1 TTPs 14 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "tell application \"Terminal\" to set visible of front window to false"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Loom/Loom\""
1⤵
PID:479

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Loom/Loom\""
1⤵
PID:479

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Loom/Loom
1⤵
PID:479
- /bin/zsh
  /bin/zsh -c /Users/run/Loom/Loom
  2⤵
  PID:480
- /Users/run/Loom/Loom
  /Users/run/Loom/Loom
  2⤵
  PID:480

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:505

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:505

/usr/bin/osascript
osascript -e "tell application \"Terminal\" to set visible of front window to false"
1⤵
PID:505

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.1804
1⤵
PID:506

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:506
- /usr/bin/login
  login -pf run
  2⤵
  PID:509
- - /bin/zsh
    -zsh
    3⤵
    PID:510
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:511
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:512

/bin/sh
sh -c "mkdir /Users/root/1213466582"
1⤵
PID:517

/bin/bash
sh -c "mkdir /Users/root/1213466582"
1⤵
PID:517

/bin/mkdir
mkdir /Users/root/1213466582
1⤵
PID:517

/bin/sh
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:518

/bin/bash
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:518

/usr/bin/dscl
dscl /Local/Default -authonly root
1⤵
PID:518

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:519

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:519

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:519

/usr/sbin/kextcache
/usr/sbin/kextcache -F -system-prelinked-kernel
1⤵
PID:521

/bin/sh
sh -c "dscl /Local/Default -authonly root bobdole"
1⤵
PID:522

/bin/bash
sh -c "dscl /Local/Default -authonly root bobdole"
1⤵
PID:522

/usr/bin/dscl
dscl /Local/Default -authonly root bobdole
1⤵
PID:522

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:524

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:524

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:524

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:529

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:529

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:531

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:531

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:535

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:535

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:535

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:536

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:536

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:536

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:540

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:540

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
c1bac5bdb72edc66945860afed460e52

SHA1
9886be32ed2e4769af56626275ac598c0f81dc75

SHA256
c9653a3df815fc900417dea9aba89bef1a0db9accaac03d63ee5a4c4b10950ac

SHA512
6f0326b4ab65a31ffc0f7f0086fe656f039cf4482b12ee1d9214b02e6e4857904f0c3c1661966798fd1b7ff5b9d47dc0005a1c25d4ffcb5ffd43ad8f1df55108

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
26660808e8291f9fce1afc569d036228

SHA1
3c22b42ba3bc46aea7c5676788705888db87c3b3

SHA256
acc1a04673f9c908191fef726e6d9c19e293fbac7fab5819dd347336e3b29c9a

SHA512
eb93c40a97c338437483d79d72fa635b66c661176cd3238bc31363295a4038e6eb5afb2647b5e8282bfca98c63c03d4c87b1f869f9a8f18246b7131553c876d8

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
f7fbd2dc78b793cebccc60f42f2600ee

SHA1
97a6935301973b55e5182d2a749e6a2c09e55069

SHA256
17cec7a0604115ccc3a73357c542d2d9b49356097a930bd08869ca4527d507a6

SHA512
02023efd70bd23c948fc8d3820cbe1a6e8b677b0979e4e17b33f151d7a168667bad5d1ee3e2169c57784121e042be2dce1b0863d3b703db9ea2630cbf6985091

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
6bc205fe68b0ac5bee65edff5cce3bde

SHA1
eb920dc752ab66c703959eecdfd2164652bffa5c

SHA256
5d65e67b1ffc45c10b3cfe675d6731794b0535479d9a5a141151a8d82d50c075

SHA512
08b719dbfd5447df810a5505296422cc2d01aa5b13d3efda043e6167f163e79c0ab94cb4f81f68f8e12f97e7ac9b72a2f16cd9600435753825c340b246a7b353

Download Submit

Analysis

Sharing