cb8f04dd17d4e6e30051b78742cb51ead4cf4a4803f6db263b6b666ff31199cf

General

Target

Installer_v.1.16.dmg
Size

3.9MB
MD5

c2ced43ec548dc7501741e0a02b6cbce
SHA1

f77b350bdf3adfb1ac5a26fd395c341d06efd905
SHA256

cb8f04dd17d4e6e30051b78742cb51ead4cf4a4803f6db263b6b666ff31199cf
SHA512

30c83ca0dc526fd06e60d8bf716264eeff817423473704e46cd0f3dfd321e19eb1f59387f05a30a39e427c6bf9733c35154943fa5278a930575187305d95115f
SSDEEP

98304:r0WP0NUGpe4+bqWz/O9nnG2BPnj8uQL6WnZWnhkUe9:zc5/+bqWz/inG2BPNQ+SZShkh

Score

4^/10

Malware Config

Signatures

AppleScript 1 TTPs 6 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
sh -c "osascript -e 'set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if'"	Process not Found
osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if"	Process not Found
sh -c "osascript -e 'set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if'"	Process not Found
osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if"	Process not Found
sh -c "osascript -e 'set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if'"	Process not Found
osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if"	Process not Found

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/Installer\""
1⤵
PID:500

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/Installer\""
1⤵
PID:500

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/Installer"
1⤵
PID:500
- /bin/zsh
  /bin/zsh -c "open /Volumes/Installer"
  2⤵
  PID:501
- /usr/bin/open
  open /Volumes/Installer
  2⤵
  PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:502

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:503

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:503

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:507

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:508

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:508

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:509

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:509
- /usr/bin/login
  login -pf run
  2⤵
  PID:512
- - /bin/zsh
    -zsh
    3⤵
    PID:513
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:514
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:515
- /usr/bin/login
  login -pf run
  2⤵
  PID:516
- - /bin/zsh
    -zsh
    3⤵
    PID:517
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:518
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:519
  - - /Volumes/Installer/Installer
      /Volumes/Installer/Installer
      4⤵
      PID:520
- /usr/bin/login
  login -pf run
  2⤵
  PID:533
- - /bin/zsh
    -zsh
    3⤵
    PID:534
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:535
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:536
  - - /Volumes/Installer/Installer
      /Volumes/Installer/Installer
      4⤵
      PID:537
- /usr/bin/login
  login -pf run
  2⤵
  PID:542
- - /bin/zsh
    -zsh
    3⤵
    PID:543
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:544
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:545
  - - /Volumes/Installer/Installer
      /Volumes/Installer/Installer
      4⤵
      PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:510

/bin/sh
sh -c "osascript -e 'set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if'"
1⤵
PID:521

/bin/bash
sh -c "osascript -e 'set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if'"
1⤵
PID:521

/usr/bin/osascript
osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if"
1⤵
PID:521

/bin/sh
sh -c "system_profiler SPMemoryDataType"
1⤵
PID:522

/bin/bash
sh -c "system_profiler SPMemoryDataType"
1⤵
PID:522

/usr/sbin/system_profiler
system_profiler SPMemoryDataType
1⤵
PID:522

/bin/sh
sh -c "exit 42"
1⤵
PID:524

/bin/bash
sh -c "exit 42"
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:527

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:527

/bin/sh
sh -c /usr/sbin/kextstat
1⤵
PID:528

/bin/bash
sh -c /usr/sbin/kextstat
1⤵
PID:528

/usr/sbin/kextstat
/usr/sbin/kextstat
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:532

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:532

/bin/sh
sh -c "osascript -e 'set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if'"
1⤵
PID:538

/bin/bash
sh -c "osascript -e 'set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if'"
1⤵
PID:538

/usr/bin/osascript
osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if"
1⤵
PID:538

/bin/sh
sh -c "system_profiler SPMemoryDataType"
1⤵
PID:539

/bin/bash
sh -c "system_profiler SPMemoryDataType"
1⤵
PID:539

/usr/sbin/system_profiler
system_profiler SPMemoryDataType
1⤵
PID:539

/bin/sh
sh -c "exit 42"
1⤵
PID:541

/bin/bash
sh -c "exit 42"
1⤵
PID:541

/bin/sh
sh -c "osascript -e 'set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if'"
1⤵
PID:547

/bin/bash
sh -c "osascript -e 'set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if'"
1⤵
PID:547

/usr/bin/osascript
osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\" if memData contains \"QEMU\" or memData contains \"VMware\" then do shell script \"exit 42\" else do shell script \"exit 0\" end if"
1⤵
PID:547

/bin/sh
sh -c "system_profiler SPMemoryDataType"
1⤵
PID:548

/bin/bash
sh -c "system_profiler SPMemoryDataType"
1⤵
PID:548

/usr/sbin/system_profiler
system_profiler SPMemoryDataType
1⤵
PID:548

/bin/sh
sh -c "exit 42"
1⤵
PID:550

/bin/bash
sh -c "exit 42"
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:554

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:554

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/.zsh_history

Filesize
565B

MD5
2793ab27cab33281cce7286e7d7b25e2

SHA1
3e5b0ea97cefc9193da70cbac7c06b1cc204ca91

SHA256
e29f0f586336b99bdfb696bd8b212f487454f175b3936a70c08ba4a005ea2933

SHA512
e9a45e1e609ca7bf6c7d0f7496f892fb0eed05448042c0455cc98acd3ec5c08a83de5cfaef33ea044c9d8a0a2ac69a3790d3aebbd182d86d335714fd753b5586

Download Submit
/Users/run/.zsh_history

Filesize
602B

MD5
c3fd0516cd012585041af1887b63ac55

SHA1
5174ee3ccb2a47ff877e78117d902cf00bae3e9d

SHA256
044f820552ee2075517cbe3de0b88f463236a051d4004f18c9bef784ee79166c

SHA512
0a1806178bd5d181fb14d2a9b89cfdb8591848a709150c21ba2a036bc7314daa2f7e3ebfb5a066b42ddcd7d5ff8b09ab6884cbb2368c431e3b5fd6ad0a2d2bac

Download Submit
/private/var/db/spindump/tailspin-trace.2025-03-28_16-28-21.tailspin

Filesize
15.8MB

MD5
acb35412d28428f92c82d42ebfa181d1

SHA1
2cade9e6b9222c81d9fb56604956bda5ca0b5cb4

SHA256
2562aad165247b131669f3244aabd6ead47c68c9cec7d84c6c632637da4f4c24

SHA512
a009ac06829ae6cbccf09e452dbae9ba2bc642dc6f5e5205a8d0292cbfb90fd7b4cfa9b5356bcb1f5f1c5f9b76ee418bd3fe89c0ecc9ce118b688bf8fbd37ead

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt

Filesize
1.9MB

MD5
7d57b99b48c8b737d2a691ce28f45636

SHA1
ebeb9c126f28508b40374d90ab744adabe40a5de

SHA256
1687b128eb06c8a5b30711d96872c1df80bd41fe882fb31dca69a241267de1c8

SHA512
d16d1a0308608c82ca554c350cc1c53e67ead5fbb9010e84cc6063eec287a822ae84f67f40dca0c0b716dca898b7f92fbcd9dc331112405a54876517fe29e2d2

Download Submit

Analysis

Sharing