266a1aa46afd9ca1615b0a3e3455578732f0042c9093e0182796cb2e8fd9c359

Analysis

max time kernel
898s
max time network
1471s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
15/04/2024, 07:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cheat.zip
Size

1.2MB
MD5

78111d48001abce19b244a0e3a3ba946
SHA1

02638055467328d473a238508b50fe7c55dfa6ba
SHA256

266a1aa46afd9ca1615b0a3e3455578732f0042c9093e0182796cb2e8fd9c359
SHA512

3ae088d987d27f823b1382f184f55ebb759f6bf1844b6c9c07da41d13b5c365f9a9eb499a0e774196c97c05f79a7e21d4586f9a32b1992662221a0ef2cb58c5b
SSDEEP

24576:ksiGOLCWjjfu0oVS0O/tzrZE5e2/MydaUrCwij8WYbpcCer:ksT4jSZS0O/lrAbB959bpcCy

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 7 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid	Process not Found
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/cheat.zip\""
1⤵
PID:517

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/cheat.zip\""
1⤵
PID:517

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/cheat.zip
1⤵
PID:517
- /bin/zsh
  /bin/zsh -c /Users/run/cheat.zip
  2⤵
  PID:518
- /Users/run/cheat.zip
  /Users/run/cheat.zip
  2⤵
  PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.AppStore.1900
1⤵
PID:522

/System/Applications/App Store.app/Contents/MacOS/App Store
"/System/Applications/App Store.app/Contents/MacOS/App Store"
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:526

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.storeuid
1⤵
PID:527

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
1⤵
PID:527

/usr/libexec/xpcproxy
xpcproxy com.apple.adid
1⤵
PID:530

/System/Library/PrivateFrameworks/CoreADI.framework/adid
/System/Library/PrivateFrameworks/CoreADI.framework/adid
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:531

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:533

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:534

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.rtcreportingd
1⤵
PID:548

/usr/libexec/rtcreportingd
/usr/libexec/rtcreportingd
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:556

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.coremedia.videodecoder 522
1⤵
PID:557

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:558

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:559

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:567

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:570

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:571

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:572

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:576

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:576

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:577

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:577

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:578

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:578

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputMenuAgent
1⤵
PID:579

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
1⤵
PID:579

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:588

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:588

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:593

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:593

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 593
1⤵
PID:594

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:594

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:595

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:596

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:597

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:598

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:599

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:600

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:600

/usr/libexec/xpcproxy
xpcproxy com.apple.CoreAuthentication.agent
1⤵
PID:601

/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:603

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:603

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:604

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:604

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:607

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:607

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:608

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:608

/usr/libexec/xpcproxy
xpcproxy com.apple.diagnosticd
1⤵
PID:610

/usr/libexec/diagnosticd
/usr/libexec/diagnosticd
1⤵
PID:610

/usr/libexec/xpcproxy
xpcproxy com.apple.akd
1⤵
PID:613

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
1⤵
PID:613

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:614

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:614

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
340B

MD5
113eea633e2675e48f760cdd038d40a8

SHA1
17298a586b7e226d6c9b7aced96beca6f8886a60

SHA256
22fea100b8c89a259b86dd721cf03d06aeb0442c6287018413c7b1fc3ad10bf5

SHA512
0bf38ea5374e476521318610f2c2cbae12b0b55d07c2aabacc1f58c3c64cc96024b29a984b1a4f6e2b0c1f77ed8a5aba4627b55b5c2e86a286293785d29f6431

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
340B

MD5
cdaf1bcdf3a47f36c5fabe0313f6d115

SHA1
77464878044e2abee42e051be09b36cbdd0789ce

SHA256
f39899a0ef7d2fc95003f149d19d60e2eb18da1668715158a9896d8916045a77

SHA512
a573cf8fecd45357dec0b27a7a03e5fbf6ed17e22ee9307c152fd736f1585fec7b2c6602897b558f718e49ee36472dc8dc26e56c18eb22001b687e11be0744c3

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
370B

MD5
efb9c6a67a9d8c36180b2556a8127e5e

SHA1
865ffb8ba25147ed6ca18e2a524d213586991e9c

SHA256
d734913dd8ee8d8ac65499424c02e5abd7bb32a687c4a55f8ddfe560c7a7ffc3

SHA512
93dd044ebc6751269678cb90e0fd1a83e8568900c958b3a7ab52b900a00d7af4ea6c0eb6c2c6830eb153dd20beca917d3a052d8b83fb9f5f109a049b71b5e8ad

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
418B

MD5
28511af68eaf37cbbe74c4dc25117892

SHA1
0448f9f38cc329e6c97a1d70d1051739ef3b67b7

SHA256
525b0beb5818764f3d2ddadfa4b6d1d5131f2722266fe24ebebab1322e83b3f7

SHA512
241ea214b2a841efbabcf3c02323bf4dfc10d56d2021a851f3727ff39350c2e2880c010a4b3cc3d7877a97f5b3abe20d1b3a96b4324654d694739b74d2148a85

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
418B

MD5
e833b15dbf6d27088b268e0538e25af9

SHA1
3b267a7759151ef1060c8cc167972134f3bfac9c

SHA256
f3aef47bbf4c76c76dbacaf56edefac8259195ea3e78369fe33b170a897df28f

SHA512
be9a42630bed9e0e0cbf4344ef4954fcd05276194235d6e4111086697fe03f06d0891b95029aea9404281569ea217d758cfe452457a4c18a6245aff56b9bdacc

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
8abca171598c6684e69217db6d76a608

SHA1
32f99d893cdb228ec4763aed18e1981b04896473

SHA256
589b0b6a7645a007e0843f4a1b6f13c1d2f27b3970d183fc0e0afded8e60767e

SHA512
adca18aa93f1a26a833f3773da1920f4d512c40487b357f24cd10408e97689f0a6610130ec2f87775204a5aa1d1dddeea1dd20bad71926b4f8473f985b0dc159

Download Submit
/Users/run/Library/Caches/GeoServices/Experiments.pbd

Filesize
291B

MD5
413c92b16862a9c2193c4d22152eb72a

SHA1
72678bc71f89147c7c6c80016746a2c38218c515

SHA256
e0b4fdf6a6061fb9f1a143b4f6eb5397f44f18d07f34461b1e07a43451586896

SHA512
a1b0d26ed36cf8f208035e77a89544078e3c808cb6d0a83ce6497a859985a0dd16482fe9b19970931b4a9479fcb71721cdf1b29c96a231b412d8fd8b7e7cd322

Download Submit
/Users/run/Library/Caches/GeoServices/Resources/altitude-1267.xml

Filesize
166KB

MD5
03946fa932dfd5e98034347cd7345631

SHA1
fc0f883d7b1fcd51c5e077fb7c2ad85d2c19d49c

SHA256
e4adbf33cefd337457008dec2da37ddd59f3bb64a09702c9afcf8bc27711348c

SHA512
437de6174b754e6f97f74cd415d172435c83a78ca6944903349fc1b436eb52e43e1676717c6715f112c5a3f0b91779e4080ec9be71fa320f5a4bcb45bf8ee251

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.AppStore//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.AppStore//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit