IOC Report
CapCut_7376205375613272081_installer.dmg


Files

File Path | Type | Category | Malicious
CapCut_7376205375613272081_installer.dmg | zlib compressed data | initial sample | malicious
/Users/bernard/Library/Application Support/app_shell_cache_562354/app_package_447fdc9fc7.zip | zlib compressed data | dropped |
/Users/bernard/Library/Keychains/login.keychain-db.sb-07d82885-4gJ2WD | DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 963362762505407623593984.000000, slope 303834226087943251262072422400.000000 | dropped |
/dev/null | ASCII text | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsDirectory.db_ | Mac OS X Keychain File | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsObject.db_ | Mac OS X Keychain File | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/automatic_scaling_en.png | PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/chroma_keying_en.png | PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/intelligent_subtitles_en.png | PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/keyframe_en.png | PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/speech_synthesis_en.png | PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/text_style_en.png | PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/visual_effects_en.png | PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced | dropped |
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/water_world_en.png | PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced | dropped |

Processes

Path | Cmdline | Malicious
/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 | - |
/usr/bin/open | /usr/bin/open /Volumes/CapCut Downloader/CapCut-Downloader.app |
/usr/libexec/xpcproxy | - |
/Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader | /Volumes/CapCut Downloader/CapCut-Downloader.app/Contents/MacOS/CapCut-Downloader |
/usr/bin/hdiutil | - |
/usr/bin/security | - |
/usr/bin/security | - |
/bin/sh | - |
/usr/bin/hdiutil | - |
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper | - |
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper | - |
/usr/libexec/xpcproxy | - |
/usr/libexec/nsurlstoraged | /usr/libexec/nsurlstoraged --privileged |

URLs

Name | IP | Malicious
https://curl.se/docs/hsts.html | unknown |
https://lf16-capcut.faceulv.com/obj/capcutpc-packages-us/packages/CapCut_2_6_0_834_capcutpc_0_creato | unknown |
https://editor-api-sg.capcut.com | unknown |
https://sgali-mcs.byteoversea.com | unknown |
https://curl.se/docs/http-cookies.html | unknown |
https://editor-api.capcutapi.com/service/2/app_alert_check/ | unknown |
https://sgali-mcs.byteoversea.com/v1/json | unknown |
https://mcs.byteoversea.net/v1/json_test | unknown |
https://editor-api.capcutapi.com/service/2/desktop/device_register/https://editor-api.capcutapi.com/ | unknown |
https://curl.se/docs/alt-svc.html | unknown |
https://editor-api-sg.capcut.com/service/2/desktop/device_register/ | unknown |
https://maliva-mcs.byteoversea.com | unknown |
https://editor-api-sg.capcut.com/service/2/app_alert_check/ | unknown |
https://editor-api.capcutapi.com/service/2/desktop/device_register/ | unknown |

Memdumps

Base Address | Region type | Protect | Malicious