cef2e62993951b11b10aecd28d294e0426a7987058c4f1a49705712ea0402689

Analysis

max time kernel
63s
max time network
70s
platform
macos-10.15_amd64
resource
macos-20241106-en
resource tags

arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
28/03/2025, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swinsian 3.0 Preview 5 (1).dmg
Size

15.7MB
MD5

a3faa77e6ce14c0b8b596c19d39a5631
SHA1

4c4ac3d8f7cae0b3cc0542b6cc8a12527573dd1f
SHA256

cef2e62993951b11b10aecd28d294e0426a7987058c4f1a49705712ea0402689
SHA512

e0045f7775e735b8e36fc789f4c5fee578a31a54ee7778c14464a745ea1e11f0302f3b9ea01d65f5a2460966c469071b54e980ee8649a9684a0d1203ae4c9a78
SSDEEP

393216:yeHR2p0wfnSc/PKpY0BsEamAgVTDWxyzyn:yeHQrbKhrUA2j

Score

5^/10

defense_evasion discovery

Malware Config

Signatures

File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.
defense_evasion

File Deletion
T1070.004

File and Directory Discovery. 1 TTPs 1 IoCs

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

discovery

File and Directory Discovery

T1083

ioc	Process
dirname "/Volumes/Swinsian 3.0 Preview 5/Open Gatekeeper friendly"	Process not Found

Resource Forking 1 TTPs 9 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk4s1	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk4s1 removable readonly	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk4s1	Process not Found
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 757518F6-A0AF-4DD6-BDD8-4B55BEBE5379 -post-exec 4	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk4s1	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk4s1	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 757518F6-A0AF-4DD6-BDD8-4B55BEBE5379	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk4s1 removable readonly	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/Swinsian\\ 3.0\\ Preview\\ 5\""
1⤵
PID:498

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/Swinsian\\ 3.0\\ Preview\\ 5\""
1⤵
PID:498

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/Swinsian\\ 3.0\\ Preview\\ 5"
1⤵
PID:498
- /bin/zsh
  /bin/zsh -c "open /Volumes/Swinsian\\ 3.0\\ Preview\\ 5"
  2⤵
  PID:499
- /usr/bin/open
  open "/Volumes/Swinsian 3.0 Preview 5"
  2⤵
  PID:499

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:501

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:502

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:503

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:503
- /usr/bin/login
  login -pf run
  2⤵
  PID:505
- - /bin/zsh
    -zsh
    3⤵
    PID:506
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:507
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:508
- /usr/bin/login
  login -pf run
  2⤵
  PID:509
- - /bin/zsh
    -zsh
    3⤵
    PID:510
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:511
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:512
  - - /Volumes/Swinsian 3.0 Preview 5/Open Gatekeeper friendly
      "/Volumes/Swinsian 3.0 Preview 5/Open Gatekeeper friendly"
      4⤵
      PID:513
    - - /usr/bin/clear
        
        clear
        5⤵
        
        PID:514
    - - /usr/bin/dirname
        
        dirname "/Volumes/Swinsian 3.0 Preview 5/Open Gatekeeper friendly"
        5⤵
        
        PID:515
    - - /bin/rm
        
        rm -rf /tmp/tnt15013
        5⤵
        
        PID:516
    - - /bin/mkdir
        
        mkdir -p /tmp/tnt15013
        5⤵
        
        PID:517
    - - /bin/cp
        
        cp "/Volumes/Swinsian 3.0 Preview 5/Manual install/Swinsian 3.0 Preview 5 [TNT].dmg" /tmp/tnt15013
        5⤵
        
        PID:518
    - - /usr/bin/xattr
        
        xattr -r -d com.apple.quarantine "/tmp/tnt15013/Swinsian 3.0 Preview 5 [TNT].dmg"
        5⤵
        
        PID:522
    - - /bin/mkdir
        
        mkdir -p /tmp/tnt15013/mount
        5⤵
        
        PID:523
    - - /usr/bin/hdiutil
        
        hdiutil attach -owners on -quiet -noverify -mountpoint /tmp/tnt15013/mount "/tmp/tnt15013/Swinsian 3.0 Preview 5 [TNT].dmg" -shadow /tmp/tnt15013/shadow
        5⤵
        
        PID:524
    - - /usr/bin/find
        
        find /tmp/tnt15013/mount -maxdepth 1 "!" -type l "!" -path /tmp/tnt15013/mount -exec xattr -r -d com.apple.quarantine "{}" ";"
        5⤵
        
        PID:536
      - /usr/local/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.background
        6⤵
        
        PID:537
      - /usr/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.background
        6⤵
        
        PID:537
      - /usr/local/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.DS_Store
        6⤵
        
        PID:538
      - /usr/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.DS_Store
        6⤵
        
        PID:538
      - /usr/local/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.fseventsd
        6⤵
        
        PID:541
      - /usr/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.fseventsd
        6⤵
        
        PID:541
      - /usr/local/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.VolumeIcon.icns
        6⤵
        
        PID:542
      - /usr/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.VolumeIcon.icns
        6⤵
        
        PID:542
      - /usr/local/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/Extra
        6⤵
        
        PID:543
      - /usr/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/Extra
        6⤵
        
        PID:543
      - /usr/local/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/Swinsian.app
        6⤵
        
        PID:544
      - /usr/bin/xattr
        
        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/Swinsian.app
        6⤵
        
        PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:504

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:519

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:519

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 757518F6-A0AF-4DD6-BDD8-4B55BEBE5379
1⤵
PID:525

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 757518F6-A0AF-4DD6-BDD8-4B55BEBE5379 -post-exec 4
1⤵
PID:526

/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk4s1 removable readonly
1⤵
PID:527

/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk4s1
1⤵
PID:528

/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs
/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk4s1
1⤵
PID:529

/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk4s1 removable readonly
1⤵
PID:530

/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk4s1
1⤵
PID:531

/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs
/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk4s1
1⤵
PID:532

/sbin/mount
/sbin/mount -t hfs -o "-u=502,-g=20,-m=755,nodev,noowners,nosuid,owners" /dev/disk4s1 /private/tmp/tnt15013/mount
1⤵
PID:533
- /sbin/mount_hfs
  /sbin/mount_hfs -u 502 -g 20 -m 755 -o nodev -o noowners -o nosuid -o owners /dev/disk4s1 /private/tmp/tnt15013/mount
  2⤵
  PID:534

/bin/sleep
sleep 5
1⤵
PID:546

/usr/bin/hdiutil
hdiutil detach -force "/Volumes/Swinsian 3.0 Preview 5"
1⤵
PID:547

/sbin/umount
/sbin/umount -f "/Volumes/Swinsian 3.0 Preview 5"
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.security.DiskUnmountWatcher
1⤵
PID:551

/System/Library/PrivateFrameworks/KerberosHelper/Helpers/DiskUnmountWatcher
/System/Library/PrivateFrameworks/KerberosHelper/Helpers/DiskUnmountWatcher
1⤵
PID:551

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

File and Directory Discovery

T1083

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/tnt15013/Swinsian 3.0 Preview 5 [TNT].dmg

Filesize
13.6MB

MD5
7e042f8ffb279c4d7651d7f6de064a9f

SHA1
bd3bb6103717aa0c054998db60141b538407b2dc

SHA256
72eb760e5c6cf2daef2155c784381467f6a4c5c1b81dd422b92f1da3adc7a8d7

SHA512
e9767f6a0d64dc4705fa05b6f085f827f9d3d792da1f63fdbc61cf91640a90cd09c45ce51a3d8698eb94fb0fc62a9c9a5a70b2b60d1546c5828480b5d3e7cddd

Download Submit
/var/db/nsurlstoraged/dafsaData.bin

Filesize
54KB

MD5
64f469698e53d0c828b7f90acd306082

SHA1
bcc041b3849e1b0b4104ffeb46002207eeac54f3

SHA256
d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

SHA512
a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Download Submit
/var/log/fsck_hfs.log

Filesize
16KB

MD5
22868511bbc9eb7ef06c8813761b7cce

SHA1
5a3fdb31da97a9a74e7f2c7b04f4fd571dfcd887

SHA256
eb45a6f6d3e54e8d909c6c00867cd3b32adef62e6ac4258bae96b9e643d14ab1

SHA512
d72227e0a9afae007a8193867b672aa5326aca896b2004043802f206e57432f3e6ce9993256664af436435a157a42fedd2c87bff544a7b81ec05566be6983f3b

Download Submit