8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

max time kernel
74s
max time network
90s
platform
macos-10.15_amd64
resource
macos-20240214-en
resource tags

arch:amd64arch:i386image:macos-20240214-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
26-02-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Compressed (zipped) Folder.zip
Size

22B
MD5

76cdb2bad9582d23c1f6f4d868218d6c
SHA1

b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256

8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512

5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 2 IoCs

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

/usr/libexec/xpcproxy
xpcproxy com.apple.pluginkit.pkd
1⤵
PID:569

/usr/libexec/pkd
/usr/libexec/pkd
1⤵
PID:569

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/New Compressed (zipped) Folder.zip\""
1⤵
PID:572

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/New Compressed (zipped) Folder.zip\""
1⤵
PID:572

/usr/bin/sudo
sudo /bin/zsh -c "/Users/run/New Compressed (zipped) Folder.zip"
1⤵
PID:572

/bin/zsh
/bin/zsh -c "/Users/run/New Compressed (zipped) Folder.zip"
2⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:574

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:574

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:596

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2481EFE7/OneDrive.app
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.icloud.findmydeviced
1⤵
PID:599

/usr/libexec/findmydeviced
/usr/libexec/findmydeviced
1⤵
PID:599

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:609

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:609

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:610

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:610

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:611

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:611

/usr/libexec/xpcproxy
xpcproxy com.apple.cfprefsd.xpc.agent
1⤵
PID:613

/usr/sbin/cfprefsd
/usr/sbin/cfprefsd agent
1⤵
PID:613

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:616

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:616

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:617

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.AppStore.1900
1⤵
PID:618

/System/Applications/App Store.app/Contents/MacOS/App Store
"/System/Applications/App Store.app/Contents/MacOS/App Store"
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:620

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy com.apple.storeuid
1⤵
PID:621

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
1⤵
PID:621

/usr/libexec/xpcproxy
xpcproxy com.apple.adid
1⤵
PID:626

/System/Library/PrivateFrameworks/CoreADI.framework/adid
/System/Library/PrivateFrameworks/CoreADI.framework/adid
1⤵
PID:626

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:627

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:627

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:629

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:629

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:632

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:632

/usr/libexec/xpcproxy
xpcproxy com.apple.coremedia.videodecoder 618
1⤵
PID:633

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
1⤵
PID:633

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:634

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:634

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:635

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:635

/usr/libexec/xpcproxy
xpcproxy com.apple.FaceTime.1860
1⤵
PID:636

/System/Applications/FaceTime.app/Contents/MacOS/FaceTime
/System/Applications/FaceTime.app/Contents/MacOS/FaceTime
1⤵
PID:636

/usr/libexec/xpcproxy
xpcproxy com.apple.videoconference.camera
1⤵
PID:637

/usr/libexec/avconferenced
/usr/libexec/avconferenced
1⤵
PID:637

/usr/libexec/xpcproxy
xpcproxy com.apple.FaceTime.FaceTimeNotificationCenterService 636
1⤵
PID:638

/System/Applications/FaceTime.app/Contents/XPCServices/FaceTimeNotificationCenterService.xpc/Contents/MacOS/FaceTimeNotificationCenterService
/System/Applications/FaceTime.app/Contents/XPCServices/FaceTimeNotificationCenterService.xpc/Contents/MacOS/FaceTimeNotificationCenterService
1⤵
PID:638

/usr/libexec/xpcproxy
xpcproxy com.apple.mediaremoted
1⤵
PID:639

/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
1⤵
PID:639

/usr/libexec/xpcproxy
xpcproxy com.apple.imfoundation.IMRemoteURLConnectionAgent 636
1⤵
PID:641

/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
1⤵
PID:641

/usr/libexec/xpcproxy
xpcproxy com.apple.imfoundation.IMRemoteURLConnectionAgent 637
1⤵
PID:643

/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
1⤵
PID:643

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:645

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:645

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:651

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:651

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputMenuAgent
1⤵
PID:653

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
1⤵
PID:653

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputSwitcher
1⤵
PID:654

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
1⤵
PID:654

/usr/local/bin/help
help
1⤵
PID:656

/usr/bin/help
help
1⤵
PID:656

/bin/help
help
1⤵
PID:656

/usr/sbin/help
help
1⤵
PID:656

/sbin/help
help
1⤵
PID:656

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:666

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:666

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
Filesize
124KB

MD5
a8571c3c39d72043b4c76c06892b5754

SHA1
58cc5ec1953933a25db1b17f412ed320149c1840

SHA256
b4b70d22836c52dddab342a41988bad305854e27cd1bbf9dac670d8f7a5ba7f8

SHA512
2f408972ef089cb9cff3b3c4129938878dbb368d4346efbb40932e878d97e895b88425b0a6e0e02dd04fc5229481ff22a6f2e5fb47fd7f7f3b0694a7468e8bc2

Download Submit
/Users/run/Library/Caches/GeoServices/Resources/altitude-1184.xml
Filesize
157KB

MD5
de0d1de3897d152e34fad38ac8384188

SHA1
8783a7701c14576789a2316e0f3f9c3d5acd660a

SHA256
fd449596e4bb21c338a5102cd749ba1c87debfe62d1c161deb0cc7d8d74e8226

SHA512
5fd1734e6289fa80752c4c583875577e87d7f58b01c5d14445d7888c172acd94ab0c4d3332660e1d92706678e1611515393c7c3d28be0d0e735028e1f5d16de5

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit