
Payload Decoded and Decrypted via Built-in Utilities (234dc5df-40b5-49d1-bf53-0d44ce778eca)

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Payload Decoded and Decrypted via Built-in Utilities (234dc5df-40b5-49d1-bf53-0d44ce778eca) | Sigma-Rules | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 1 |
| Payload Decoded and Decrypted via Built-in Utilities (234dc5df-40b5-49d1-bf53-0d44ce778eca) | Sigma-Rules | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| Payload Decoded and Decrypted via Built-in Utilities (234dc5df-40b5-49d1-bf53-0d44ce778eca) | Sigma-Rules | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |