4573c56a8f47833799e841bc255f0ab3433260f741cb5ada2b0c43fd07f588b6

General

Target

made_for_lynx.png
Size

121KB
MD5

24c458fef6c12270d8ffd38764404eb2
SHA1

a9a9d75f242c9731472b0473486118485ef4fc95
SHA256

4573c56a8f47833799e841bc255f0ab3433260f741cb5ada2b0c43fd07f588b6
SHA512

623b500e9d04214d62faec855a529c7cca0b8756ab4fe72a1ff0d693fd51910f7b04a46997bc49e91f53fdc55d4e1c091d442514111163941fb8d54cc2027355
SSDEEP

3072:cRiV/GAsdHSgSs4CByVPB80Fvpy3Vdc8pyK7aa80ghn+Btf:kiV/Gpdygb448y0xpyTTpVzAn+Btf

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 1 IoCs

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/made_for_lynx.png\""
1⤵
PID:509

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/made_for_lynx.png\""
1⤵
PID:509

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/made_for_lynx.png
1⤵
PID:509
- /bin/zsh
  /bin/zsh -c /Users/run/made_for_lynx.png
  2⤵
  PID:510
- /Users/run/made_for_lynx.png
  /Users/run/made_for_lynx.png
  2⤵
  PID:510

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:512

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:512

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:525

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:531

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:535

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:536

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:536

/usr/libexec/xpcproxy
xpcproxy com.apple.AppStore.1900
1⤵
PID:549

/System/Applications/App Store.app/Contents/MacOS/App Store
"/System/Applications/App Store.app/Contents/MacOS/App Store"
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.storeuid
1⤵
PID:551

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:553

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:561

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:561

/usr/bin/login
login -pf run
1⤵
PID:562
- /bin/zsh
  -zsh
  2⤵
  PID:564
- - /usr/libexec/path_helper
    /usr/libexec/path_helper -s
    3⤵
    PID:565
- - /usr/bin/locale
    locale LC_CTYPE
    3⤵
    PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:563

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.TextEdit.2092
1⤵
PID:567

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy com.apple.bird
1⤵
PID:568

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
1⤵
PID:568

/usr/libexec/xpcproxy
xpcproxy com.apple.appkit.xpc.documentPopoverViewService 567
1⤵
PID:571

/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/DocumentPopoverViewService.xpc/Contents/MacOS/DocumentPopoverViewService
/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/DocumentPopoverViewService.xpc/Contents/MacOS/DocumentPopoverViewService
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.QuickLookUIService 571
1⤵
PID:572

/System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuickLookUI.framework/Versions/A/XPCServices/QuickLookUIService.xpc/Contents/MacOS/QuickLookUIService
/System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuickLookUI.framework/Versions/A/XPCServices/QuickLookUIService.xpc/Contents/MacOS/QuickLookUIService
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.automountd
1⤵
PID:573

/usr/libexec/automountd
automountd
1⤵
PID:573
- /usr/libexec/od_user_homes
  /usr/libexec/od_user_homes .localized
  2⤵
  PID:574
- /usr/libexec/od_user_homes
  /usr/libexec/od_user_homes .localized
  2⤵
  PID:580

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:575

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:575

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:576

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:576

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:577

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:577

/usr/libexec/xpcproxy
xpcproxy com.apple.appkit.xpc.openAndSavePanelService 567
1⤵
PID:578

/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/com.apple.appkit.xpc.openAndSavePanelService.xpc/Contents/MacOS/com.apple.appkit.xpc.openAndSavePanelService
/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/com.apple.appkit.xpc.openAndSavePanelService.xpc/Contents/MacOS/com.apple.appkit.xpc.openAndSavePanelService
1⤵
PID:578

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.QuickLookUIService 578
1⤵
PID:579

/System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuickLookUI.framework/Versions/A/XPCServices/QuickLookUIService.xpc/Contents/MacOS/QuickLookUIService
/System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuickLookUI.framework/Versions/A/XPCServices/QuickLookUIService.xpc/Contents/MacOS/QuickLookUIService
1⤵
PID:579

/usr/libexec/xpcproxy
xpcproxy com.apple.printtool.agent
1⤵
PID:581

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/PrintCore.framework/Versions/A/printtool
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/PrintCore.framework/Versions/A/printtool
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:583

/usr/libexec/xpcproxy
xpcproxy com.apple.warmd_agent
1⤵
PID:585

/usr/libexec/warmd_agent
/usr/libexec/warmd_agent
1⤵
PID:585

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:586

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:586

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/com.apple.TextEdit/TemporaryItems/(A Document Being Saved By TextEdit)/Untitled.rtf

Filesize
424B

MD5
1c7dec455b811b9e6ab082313f8f8488

SHA1
c7c81e6e01641e000062e2d158014737ad92aaa0

SHA256
4784b6a5ad6257e8d1d51cf5385db44e61d879fa8283c77c914b96485629850c

SHA512
b41d9464107824c556a6e624249b11894454043c4cfc7e2cb11bdf09426f28a03139df95a91be213bacd02064a9a559a503034fd2173134eda2760abe8f223b0

Download Submit

Analysis

Sharing