78e311b047470803b5e71f8202412ad2ed9bc57189c39e583dce02e819e74552

Resubmissions

20-11-2024 18:23

241120-w1xzxs1gmk 4

20-11-2024 18:20

241120-wy1b9s1frr 4

Analysis

max time kernel
60s
max time network
138s
platform
macos-10.15_amd64
resource
macos-20241101-en
resource tags

arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
20-11-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoxiumApp_v.1.59.dmg
Size

526KB
MD5

c79d424831f68ab2d33af08bdce437a3
SHA1

ef2c0e97954c3aad0447dac89a09b7a866a170c3
SHA256

78e311b047470803b5e71f8202412ad2ed9bc57189c39e583dce02e819e74552
SHA512

f396ce76c7a98e0fe45ea46237f797aacfc1b01b0f95c82fc628049d3e15e0e30e8e1bf363e92de69348e5884cd577ad25627a8cf2cf8f0ecc5874827c15bab0
SSDEEP

12288:iqTjf1NeBFbushXon1G13nyNglisRn98XtkEh6/K7Wm2:iqTjyBosZ4Inggli4nuh6Sq

Score

4^/10

evasion execution

Malware Config

Signatures

AppleScript 1 TTPs 2 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
sh -c "osascript -e 'display dialog \"idi nahui dolbaeb.\" buttons {\"OK\"} default button 1 with icon stop'"
osascript -e "display dialog \"idi nahui dolbaeb.\" buttons {\"OK\"} default button 1 with icon stop"

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/VoxiumApp\""
1⤵
PID:487

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/VoxiumApp\""
1⤵
PID:487

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/VoxiumApp"
1⤵
PID:487
- /bin/zsh
  /bin/zsh -c "open /Volumes/VoxiumApp"
  2⤵
  PID:488
- /usr/bin/open
  open /Volumes/VoxiumApp
  2⤵
  PID:488

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:490

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:490

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:493

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:494

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:493

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:494

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:495

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:495

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:496

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:496
- /usr/bin/login
  login -pf run
  2⤵
  PID:498
- - /bin/zsh
    -zsh
    3⤵
    PID:499
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:500
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:501
- /usr/bin/login
  login -pf run
  2⤵
  PID:502
- - /bin/zsh
    -zsh
    3⤵
    PID:503
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:504
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:505
  - - /Volumes/VoxiumApp/VoxiumApp
      /Volumes/VoxiumApp/VoxiumApp
      4⤵
      PID:506

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:497

/bin/sh
sh -c "osascript -e 'display dialog \"idi nahui dolbaeb.\" buttons {\"OK\"} default button 1 with icon stop'"
1⤵
PID:507

/bin/bash
sh -c "osascript -e 'display dialog \"idi nahui dolbaeb.\" buttons {\"OK\"} default button 1 with icon stop'"
1⤵
PID:507

/usr/bin/osascript
osascript -e "display dialog \"idi nahui dolbaeb.\" buttons {\"OK\"} default button 1 with icon stop"
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:509

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:509

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:512

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/ttys000

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit