30c99015f9c432604d8a8206ce8dcb4fba7866b062e5bd1a8f0adb88fba8807c

Analysis

max time kernel
138s
max time network
126s
platform
macos-10.15_amd64
resource
macos-20240711.1-en
resource tags

arch:amd64arch:i386image:macos-20240711.1-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
09/10/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30c99015f9c432604d8a8206ce8dcb4fba7866b062e5bd1a8f0adb88fba8807c.macho
Size

221KB
MD5

d18e44b2765713ce4b5dc1186d1aa75a
SHA1

2d49854160394cb3e4483558e544e32b097afe50
SHA256

30c99015f9c432604d8a8206ce8dcb4fba7866b062e5bd1a8f0adb88fba8807c
SHA512

d0e70b4338aa0da69c3ac6466b4465332a83bd33d03afc3f19c79883f69a53be8d30627a0840c31c97a51b60f4c04c049b0c558c325fba63580e739ba6af5dab
SSDEEP

1536:8Mxd+7GWmjnyt5cPcIocfUHj1VS1pppHrTwbQz21VSIOkRjYb0MIT:8edz3jnY5cPcPcfUepL4QzuOk1oIT

Score

7^/10

evasion execution

Malware Config

Signatures

File Permission 1 TTPs
Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

AppleScript 1 TTPs 2 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
sh -c "osascript -e 'tell application \"Terminal\" to close first window'& exit"	Process not Found
osascript -e "tell application \"Terminal\" to close first window"	Process not Found

Command and Scripting Interpreter 1 TTPs
Adversaries may abuse Unix shell commands and scripts for execution.
execution

Unix Shell
T1059.004

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/30c99015f9c432604d8a8206ce8dcb4fba7866b062e5bd1a8f0adb88fba8807c.macho\""
1⤵
PID:487

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/30c99015f9c432604d8a8206ce8dcb4fba7866b062e5bd1a8f0adb88fba8807c.macho\""
1⤵
PID:487

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/30c99015f9c432604d8a8206ce8dcb4fba7866b062e5bd1a8f0adb88fba8807c.macho
1⤵
PID:487
- /bin/zsh
  /bin/zsh -c /Users/run/30c99015f9c432604d8a8206ce8dcb4fba7866b062e5bd1a8f0adb88fba8807c.macho
  2⤵
  PID:488
- /Users/run/30c99015f9c432604d8a8206ce8dcb4fba7866b062e5bd1a8f0adb88fba8807c.macho
  /Users/run/30c99015f9c432604d8a8206ce8dcb4fba7866b062e5bd1a8f0adb88fba8807c.macho
  2⤵
  PID:488

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to close first window'& exit"
1⤵
PID:491

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to close first window'& exit"
1⤵
PID:491
- /usr/bin/osascript
  osascript -e "tell application \"Terminal\" to close first window"
  2⤵
  PID:492

/bin/sh
sh -c "chmod +x /var/tmp/exe"
1⤵
PID:493

/bin/bash
sh -c "chmod +x /var/tmp/exe"
1⤵
PID:493

/bin/chmod
chmod +x /var/tmp/exe
1⤵
PID:493

/bin/sh
sh -c /var/tmp/exe
1⤵
PID:494

/bin/bash
sh -c /var/tmp/exe
1⤵
PID:494

/var/tmp/exe
/var/tmp/exe
1⤵
PID:494

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.1804
1⤵
PID:496

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:496
- /usr/bin/login
  login -pf run
  2⤵
  PID:498
- - /bin/zsh
    -zsh
    3⤵
    PID:499
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:500
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:520

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:521

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:542

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:542

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:543

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:544

/bin/sh
sh -c "rm /var/tmp/exe"
1⤵
PID:545

/bin/bash
sh -c "rm /var/tmp/exe"
1⤵
PID:545

/bin/rm
rm /var/tmp/exe
1⤵
PID:545

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Unix Shell

T1059.004

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...