Analysis

  • max time kernel
    90s
  • max time network
    153s
  • platform
    macos-10.15_amd64
  • resource
    macos-20240711.1-en
  • resource tags

    arch:amd64, arch:i386, image:macos-20240711.1-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    07/09/2024, 04:45

General

  • Target

    FreeWiFiHotspot/FreeWiFiHotspot.pkg

  • Size

    3.5MB

  • MD5

    253db02c5f3b0109999f2fe8b821ee86

  • SHA1

    adaa7946e563643ddddaf7ee911007cb09b06217

  • SHA256

    efcc350cbff78e97385e0f25b4989e6e77950554dd0d0e31d5ff9309447a4e2f

  • SHA512

    59038a0ee9f20cb94ee9d0396cac75c5d27385f927d0f6c58c0fd317071fb237e608bc30a233eba823a43e962cd7a534705711c67544211d4db8f95c7a035da7

  • SSDEEP

    98304:2avHTQxOHAEJYPg9b3bgzuIztTvo42uG4r:2avzQwH9r9Lbgfdg4t

Score
7/10

Malware Config

Signatures

  • Installer Packages 1 TTPs 2 IoCs

    Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. In this run the package was installed with `sudo installer -pkg ... -target /`, so installd executed the package's `postinstall` script (PID 521) with root privileges; the script's children appear in the process tree below.

  • File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate what was done within a network and how. Removal of these files can occur. Here the `postinstall` script spawned `rm -rf /private/tmp/PoPathxD/` (PID 522).

  • Resource Forking 1 TTPs 4 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
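The Resource Forking signature above fires on the presence of resource forks, but the report does not show what they contain. The check a responder wants next is whether a fork carries executable content. The following is an added example (not part of the sandbox report or of any tool it uses): it reads a file's fork through the `com.apple.ResourceFork` xattr or the `..namedfork/rsrc` path (both macOS mechanisms; on Linux it simply finds no forks) and classifies the bytes by magic number, falling back to a plausibility check on the classic Resource Manager header (four big-endian uint32s: data offset, map offset, data length, map length). The `build_sample_fork` helper builds a constructed, minimal Resource Manager fork for demonstration; the label strings and the `map_len >= 30` threshold are this example's own choices.

```python
import os
import struct

# Name under which macOS exposes a file's resource fork as an extended attribute.
RSRC_XATTR = "com.apple.ResourceFork"

# Magic numbers checked at the start of the fork. 0xcafebabe is shared by
# Mach-O universal binaries and Java class files, hence the double label.
MAGICS = (
    (b"\xfe\xed\xfa\xce", "mach-o (32-bit, big-endian)"),
    (b"\xce\xfa\xed\xfe", "mach-o (32-bit, little-endian)"),
    (b"\xfe\xed\xfa\xcf", "mach-o (64-bit, big-endian)"),
    (b"\xcf\xfa\xed\xfe", "mach-o (64-bit, little-endian)"),
    (b"\xca\xfe\xba\xbe", "mach-o universal (or Java class)"),
    (b"\x7fELF",          "elf"),
    (b"xar!",             "xar archive (.pkg)"),
    (b"#!",               "script with shebang"),
)


def looks_like_resource_map(blob):
    """Plausibility check for a classic Resource Manager fork header.

    Header: data offset, map offset, data length, map length (big-endian uint32).
    The map must follow the data and fit in the blob; 30 bytes is the smallest
    map (28-byte map header plus the 2-byte type-list count).
    """
    if len(blob) < 16:
        return False
    data_off, map_off, data_len, map_len = struct.unpack(">IIII", blob[:16])
    return (data_off >= 16
            and map_off >= data_off + data_len
            and map_off + map_len <= len(blob)
            and map_len >= 30)


def classify_fork(blob):
    """Return a short label for what the fork bytes look like."""
    if not blob:
        return "empty"
    for magic, label in MAGICS:
        if blob.startswith(magic):
            return label
    if looks_like_resource_map(blob):
        return "resource-manager data (legacy resources)"
    return "opaque"


def read_fork(path):
    """Return the resource fork bytes of `path`, or None if it has none.

    macOS exposes the fork both as an xattr and as a pseudo-path; on other
    systems both lookups fail and the function returns None.
    """
    try:
        return os.getxattr(path, RSRC_XATTR)
    except OSError:
        pass
    try:
        with open(os.path.join(path, "..namedfork", "rsrc"), "rb") as fh:
            return fh.read()
    except OSError:
        return None


def scan(root):
    """Yield (path, classification) for regular files under `root` with a non-empty fork."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            fork = read_fork(path)
            if fork:
                yield path, classify_fork(fork)


def build_sample_fork():
    """Constructed sample: a minimal Resource Manager fork (not taken from the report).

    256 bytes of header/padding, one 4-byte resource ("ABCD") with its length
    prefix, then a 30-byte zeroed map so the header offsets are self-consistent.
    """
    data = struct.pack(">I", 4) + b"ABCD"
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), 30)
    return header + b"\x00" * (256 - 16) + data + b"\x00" * 30


if __name__ == "__main__":
    import sys
    for path, kind in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:45s} {path}")
```

Run it against the installed payload root (for example the `.activeSandbox/Root` tree named in the process list) and treat any fork classified as Mach-O, ELF, xar or script as something to pull and analyse; a fork that only parses as legacy resource data is usually benign but still worth dumping with `cat file/..namedfork/rsrc` when the signature fired on it.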

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
    1⤵
      PID:491
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
      1⤵
        PID:491
      • /usr/bin/sudo
        sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
        1⤵
          PID:491
          • /bin/zsh
            /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
            2⤵
              PID:492
            • /usr/sbin/installer
              installer -pkg /Users/run/setup.pkg -target /
              2⤵
                PID:492
            • /usr/libexec/xpcproxy
              xpcproxy com.apple.installd
              1⤵
                PID:495
              • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
                /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
                1⤵
                  PID:495
                • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
                  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
                  1⤵
                    PID:519
                  • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
                    /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/A2803119-2828-4ECB-9C8E-768A3C7A9A4B.activeSandbox/Root /
                    1⤵
                      PID:520
                    • /tmp/PKInstallSandbox.1GpKc0/Scripts/FreeWiFiHotspot.iHtw3V/postinstall
                      /tmp/PKInstallSandbox.1GpKc0/Scripts/FreeWiFiHotspot.iHtw3V/postinstall /Users/run/setup.pkg / / /
                      1⤵
                        PID:521
                      • /bin/bash
                        /bin/sh /tmp/PKInstallSandbox.1GpKc0/Scripts/FreeWiFiHotspot.iHtw3V/postinstall /Users/run/setup.pkg / / /
                        1⤵
                          PID:521
                          • /bin/rm
                            rm -rf /private/tmp/PoPathxD/
                            2⤵
                              PID:522
                          • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
                            /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
                            1⤵
                              PID:523
                            • /bin/launchctl
                              /bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
                              1⤵
                                PID:533
                              • /bin/launchctl
                                /bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
                                1⤵
                                  PID:534
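The process tree is the part of this report a detection engineer turns into a rule: a package script under `/tmp/PKInstallSandbox.*/Scripts/` ran under installd, and a recursive delete plus two `launchctl kill` calls against `system/` services followed it. The following is an added example, not part of the report or of any sandbox tooling: it encodes the tree as process events and flags the installer invoked with `-target /`, package scripts executed at all, and recursive deletes or service control issued from beneath such a script. The events are constructed from the PIDs, image paths and command lines shown above; because the report does not print parent PIDs, the `ppid` column is an assumption modelled on the tree's nesting (the `launchctl` calls are attributed to the `postinstall` script, PID 521), and where one PID exec'd through several images (491: sh, bash, sudo) only the final image is kept. Rule names and regexes are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. ppid values are an ASSUMPTION
# (the report shows nesting, not parent PIDs); PID 521 is assumed to be the
# parent of the launchctl calls as well as of the rm.
SCRIPT = "/tmp/PKInstallSandbox.1GpKc0/Scripts/FreeWiFiHotspot.iHtw3V/postinstall"
PK = "/System/Library/PrivateFrameworks/PackageKit.framework/Resources"
EVENTS = [
    Proc(491, 1, "/usr/bin/sudo",
         'sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"'),
    Proc(492, 491, "/usr/sbin/installer",
         "installer -pkg /Users/run/setup.pkg -target /"),
    Proc(495, 1, f"{PK}/installd", f"{PK}/installd"),
    Proc(520, 495, f"{PK}/shove",
         f"{PK}/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/"
         "A2803119-2828-4ECB-9C8E-768A3C7A9A4B.activeSandbox/Root /"),
    Proc(521, 495, SCRIPT, f"/bin/sh {SCRIPT} /Users/run/setup.pkg / / /"),
    Proc(522, 521, "/bin/rm", "rm -rf /private/tmp/PoPathxD/"),
    Proc(523, 495, f"{PK}/efw_cache_update", f"{PK}/efw_cache_update -c"),
    Proc(533, 521, "/bin/launchctl",
         "/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon"),
    Proc(534, 521, "/bin/launchctl",
         "/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon"),
]

# Package pre/postinstall scripts are staged under this path by installd.
PKG_SCRIPT_RE = re.compile(
    r"^/(?:private/)?tmp/PKInstallSandbox\.[^/]+/Scripts/[^/]+/(?:pre|post)install$")
# launchctl verbs that stop or remove a service in the system (root) domain.
SERVICE_CTL_RE = re.compile(
    r"^(?:/bin/)?launchctl\s+(?:kill|bootout|unload|remove)\b.*\bsystem/(\S+)")
# rm with both recursive and force flags on an absolute path.
RM_RF_RE = re.compile(r"^(?:/bin/)?rm\s+-(?:rf|fr|r\s+-f|f\s+-r)\s+(/\S*)")
# installer writing to the root volume: scripts will run as root.
ROOT_INSTALL_RE = re.compile(r"^(?:/usr/sbin/)?installer\s.*-pkg\s+(\S+).*-target\s+/\s*$")


def ancestors(pid, index):
    """Yield the process at `pid` and its ancestors, stopping on unknown or cyclic PIDs."""
    seen = set()
    proc = index.get(pid)
    while proc is not None and proc.pid not in seen:
        seen.add(proc.pid)
        yield proc
        proc = index.get(proc.ppid)


def analyze(events):
    """Return (rule, pid, detail) findings for the given process events."""
    index = {p.pid: p for p in events}
    findings = []
    for p in events:
        under_script = any(PKG_SCRIPT_RE.match(a.image) for a in ancestors(p.ppid, index))
        if PKG_SCRIPT_RE.match(p.image):
            findings.append(("pkg_script_executed", p.pid, p.image))
        m = ROOT_INSTALL_RE.search(p.cmdline)
        if m:
            findings.append(("installer_root_target", p.pid, m.group(1)))
        m = SERVICE_CTL_RE.search(p.cmdline)
        if m and under_script:
            findings.append(("pkg_script_service_control", p.pid, m.group(1)))
        m = RM_RF_RE.search(p.cmdline)
        if m and under_script:
            findings.append(("pkg_script_recursive_delete", p.pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:30s} pid={pid:<4d} {detail}")
```

The lineage check matters more than the individual command patterns: `rm -rf` and `launchctl kill` are routine on a developer machine, but issued from a package script that installd runs as root they are the installer-abuse pattern the signatures above describe. Feeding real endpoint telemetry into `analyze` requires true parent PIDs; the assumed `ppid` values here only reproduce the shape of this report.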

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /Library/InstallerSandboxes/.PKInstallSandboxManager/A2803119-2828-4ECB-9C8E-768A3C7A9A4B.activeSandbox/Boms/FreeWiFiHotspot.bom
    Filesize 34KB
    MD5 4b41cc692cb3648a973474018c02fbe7
    SHA1 8387a7d873f30b1542c4e576e19cb16bf4c6968e
    SHA256 a6d3fc682bb7b6a0854515dfcadcfc084d8ddf191dc3d994521b6f2a6a1c15b0
    SHA512 a844c19257541f8b1672730e357af613b43da93dffd329e7415fdf85c557f54ca9804b1d8493240f75d941ec018a0e17dc908ae42471dbb2edff466ab22c7f1c

  • /private/var/run/installd.commit.pid
    Filesize 3B
    MD5 35051070e572e47d2c26c241ab88307f
    SHA1 f1e75747bc4c6d0b16f0d429b76d23f1c06153a9
    SHA256 ac1270c5058af65025e5b2a3e3014cea69460e7d9f159ae667028e1b6eab433e
    SHA512 700ad1ab118adba5d6a5b19cf19f492530d5ba5e6a51038f9d5874d8aa3ba33afa2c4653a61201edcd6d02e149617a2651442749f23be5a4663a5b53062d9923

  • /tmp/PKInstallSandbox.1GpKc0/Scripts/FreeWiFiHotspot.iHtw3V/postinstall
    Filesize 1KB
    MD5 da8c69ea8c45800ce419e3cd1a592f2f
    SHA1 7135e6b01c198fc5bb77e7ab12112d635b4d9f30
    SHA256 725f2d0bbd07c4fff12f817ca746b020fd95c4537e0d90eff79181613e1ae507
    SHA512 ea1f5444c7cc70c6824266657bf0a93c7b46c1fc09d3b574c60653d97e045b2f54d95e174bf29f3b9e2f444b87008405d2908cf636066bffcbfc9c2a1b103e08