9960c49e9e2b4d98c0b3ae2da97f17daf7bf5dd19b974f5d2bdfbece8e888b3b

Analysis

max time kernel
149s
max time network
138s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
23-04-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk/AnyDesk.app/Contents/MacOS/AnyDesk
Size

18.1MB
MD5

96038326b646094a2e0cef816d3a0be7
SHA1

2e9abc025061c18690ee1ecb4faf8397ab7b3ca9
SHA256

adf0e7a3124ea007ead87b270572096c7495ff03512f67689f311d42180e16ec
SHA512

a575ddddf1e3d42d31034e493abd92385cb6db4121cb673b20c223823bde7173f71ac432da3c33da3c5b54237d6e3c244c3efb30e24120b29b54d4da9be9afca
SSDEEP

196608:QPI/hWEq7pr+fdq+d6bCeWnvZ8uqn6WzVJVUeaEL3y1v:Qyv8r+fdq+gbovZ8rn6W

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/AnyDesk/AnyDesk.app/Contents/MacOS/AnyDesk\""
1⤵
PID:529

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/AnyDesk/AnyDesk.app/Contents/MacOS/AnyDesk\""
1⤵
PID:529

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/AnyDesk/AnyDesk.app/Contents/MacOS/AnyDesk
1⤵
PID:529
- /bin/zsh
  /bin/zsh -c /Users/run/AnyDesk/AnyDesk.app/Contents/MacOS/AnyDesk
  2⤵
  PID:538
- /Users/run/AnyDesk/AnyDesk.app/Contents/MacOS/AnyDesk
  /Users/run/AnyDesk/AnyDesk.app/Contents/MacOS/AnyDesk
  2⤵
  PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:550

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:550

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:549

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:547

/Users/run/AnyDesk/AnyDesk.app/Contents/MacOS/AnyDesk
/Users/run/AnyDesk/AnyDesk.app/Contents/MacOS/AnyDesk --local-service
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:552

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.colorsync.useragent
1⤵
PID:553

/bin/sh
sh -c "lsb_release -d"
1⤵
PID:554

/bin/bash
sh -c "lsb_release -d"
1⤵
PID:554

/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.colorsyncd
1⤵
PID:555

/usr/libexec/colorsyncd
/usr/libexec/colorsyncd
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:556

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:557

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.ViewBridgeAuxiliary
1⤵
PID:559

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:561

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:563

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:564

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:574

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:576

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:576

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:577

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:577

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:587

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:591

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:591

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:592

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:593

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:593

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:596

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:596

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:600

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:602

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:602

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
42B

MD5
ce7f5b3d4bfc7b4b0da6a06dccc515f2

SHA1
ce657a52a052a3aaf534ecfbf7cbdde4ee334c10

SHA256
9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1

SHA512
db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
106B

MD5
a60a7bcfc47eacaa66e5e3d701d3ba80

SHA1
7093ffc5beca33187c18461c7ff3259a1781ae35

SHA256
17e96efaf7f2e45e407a3c68fb57b78f09dea6fc1edf3732b888be4a4eadd468

SHA512
58736bd680d6c7a25b8d7db08fd4a258cf761dbaa44a5ece0c2b813ab12c20dc213ab40844dfc780687945cf2459f549f1a38bf3da16c5c332756f3b53e1c3a5

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
81B

MD5
520bb9b65b89f03050030e5a985b9cd1

SHA1
91defba6d4540d4c8ede177730d104d747e8f57b

SHA256
6bb23965fd46b9ffe67a1cdb2144943543894e063c05db3a4de54e94b84968a0

SHA512
81eebb3eda761a9ecc94aa9564deab4d476522d94025ec19e002e91b12b7fbf2bffda23e7c393c09cb91b6ecd953ec1bf39ef5f787058b70289a5a5d777f0cf6

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
122B

MD5
16a15c7222b5f487f9e47219bec96c9e

SHA1
47bb4748ff46c6365fb2bf5b22ca60387b4f42bb

SHA256
9ae1d6f1888fc41b8d9c6315df10394ef187eb1f57ac0abe48c5606b3277463c

SHA512
41595eb4b33c09cf1d087977c2a49c14a2894083a4d73dc88a0c9532e6c6b546f872c7cec14a16f674ebd0137c04e690124b777e197677cb964eb9336745d919

Download Submit
/Users/run/.anydesk/service.conf

Filesize
1KB

MD5
dc4458cd3d43cfc7723f376ba9a582f7

SHA1
dcf4b9d5a5a99cf5f4d1deb63dfb6cf63605d3e6

SHA256
1a546335d3cbe2ba7de1456403c075d70dfd421cf27956c35404ab86a56c8f12

SHA512
a5c637cd5bd28de353f4c94b7d0894c646473129b1fe7b3124def3e8977e6bca4ef9622adbb1f7a500097ff0f2e41e29d8caa836e994d46e8a565f464be313d8

Download Submit
/Users/run/.anydesk/service.conf

Filesize
2KB

MD5
c36822769ba4eda0c2a1c72d23341e73

SHA1
9df570fa4e7367a10a83606f08a11bc575259dd8

SHA256
f2f7b3bf917fc77af67c8b678340d13af822e4565936941715d33526806587a3

SHA512
3741ca925219762d6f612ac76c6d4952655f7f7098dbbe145617bc93ffceabb9c54cd69e62853cb625cb53ae5ebc11f630b11deac265e9f741605eaf5893721f

Download Submit
/Users/run/.anydesk/system.conf

Filesize
367B

MD5
578d2f639e8dccec7a52cf3c2178bab6

SHA1
51d6575a5cea73efc4fe342ded32f4783a5fa04f

SHA256
495783439b59b27c41676ae8fa7485fe767b4516fa04ebc14bff8a0543cb5b93

SHA512
75f093e60fd8f1e24371e764ad04dbf6db07d4bf6f9ef9fda2ba97271f573eaddcc7322294c7b411040f6bd2dada59ad2360fbd3f41c61cae7eb1f0d92e50a8d

Download Submit
/Users/run/.anydesk/system.conf

Filesize
391B

MD5
e81f9da6582527e04e23060a554087fa

SHA1
271aac7696ca831cb67a08a5d0765567c2b5eda9

SHA256
d08d1c69f8b5b85a70998515f2555cc57e16a303d59e006e35d9ea2566ce85e7

SHA512
9c048a2ef3f4d68271280f28efb420e973da1f4969ddbefb65fed5ed22baa6426e7ac1b5c26758c196a08a9583512a5f4e9956bf881375ea28d45dfe88d5afe3

Download Submit
/Users/run/.anydesk/system.conf

Filesize
424B

MD5
0f0e85a93d53e0faba4eab07f825f3d3

SHA1
e58b039ac65f3b0c79b08cb26f660582bbabaf4c

SHA256
93fd3f4077229f9d423bba0f5e978f0c6c1e4d090b40a9378557cb9110693c2f

SHA512
5b3b2f2c09f2008cb8bf10d0d4c80e5b922b5e76ae671b303b2aacd8c6ad1742ca54ec5a9c054f10b34e245d99283bee5dc8828c52c9a3f066916d0d5cc575b8

Download Submit
/Users/run/.anydesk/system.conf

Filesize
424B

MD5
80ef0607b279a58e81a8cf4fc37dd642

SHA1
3ebad43cc025516d52d66c0b3ea0b4931737a39f

SHA256
30b0d500604a83737907be5ed4741672dedfb8373f4f44434672f985815a15e7

SHA512
2c256d804ddc2e6cfa5563776db4c80e193cf3d60020a9322655d043e74d9d5cf3b236739dc1cd043a2495899e642286438c386ca15242026b5b794b2f3aa4c2

Download Submit
/Users/run/.anydesk/system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
/Users/run/.anydesk/user.conf

Filesize
128B

MD5
8d1e5ee88a0a70ecac2254ee21897ae6

SHA1
6636a977e9068360e27bf0a49c112ae9073587ab

SHA256
7f1290c669115ed1085959ee6e84ee4f9c64b045cf1077735ba9d3eb397a5d69

SHA512
c5f530ea9f6cf394cf3d5e867dfd6c1d72b4b2a085e4f8e3ea0a37988a179cdb623830b72d74906d1f952b155599cce8a93f067ae930dcf4252cf1c71ac27743

Download Submit
/Users/run/.anydesk/user.conf

Filesize
161B

MD5
208d0ada108694ff7ead0f9206e058fb

SHA1
6fe62b113f8f8d47090ea6aaac163abbf910bcc8

SHA256
6ebc5599167e1b0f845a27f41927d400e62192117a5333624891597b5b828764

SHA512
616da278f3ec42bf7c34e6eda6aa8e78b29ccd821ca8446ee0d3af7e1e6ac748455327aaf90b1bcdcc2f07fc16692fa4f9fa2ebacd8f80905b4eab1852a1180f

Download Submit
/Users/run/.anydesk/user.conf

Filesize
41B

MD5
a787c308bd30d6d844e711d7579be552

SHA1
473520be4ea56333d11a7a3ff339ddcadfe77791

SHA256
8a395011a6a877d3bdd53cc8688ef146160dab9d42140eb4a70716ad4293a440

SHA512
da4fcf3a3653ed02ee776cfa786f0e75b264131240a6a3e538c412e98c9af52c8f1e1179d68ed0dd44b13b261dc941319d182a16a4e4b03c087585b9a8286973

Download Submit
/Users/run/.anydesk/user.conf

Filesize
55B

MD5
c8a841061294ea55fdecc38bf146d3eb

SHA1
04d399d1dbb5abc75fe30c51620073d1d5488e95

SHA256
092a32d6b155ab8b5aaac22079646a7614f0c71643256f93d5c5fd1f2c73a36d

SHA512
a1a0c5072de41be3f95bd8c9e5ec0162e490b7ea07b191fa9a4936b8a47d08e13788991a05a2b5ebc54cf3b39db79aba9ce1e2a74d89b444cc2b183f4be53d94

Download Submit
/Users/run/.anydesk/user.conf

Filesize
91B

MD5
52dee31ea721ad7c874b0bf10ddb333b

SHA1
6896de76a6402f00305c79996fe73284f142f67f

SHA256
dac9f489284cb5589a9e4607ef8095ded34908164149034b3bd33fa0f45c8bcb

SHA512
4791e0c5cc46c77d37197f35b03bf35362aa63ea4eb7800698a566c01c8663a2518e38e162517f8407365f5cb8d0fc5478c23ef973d2baa59543e77e34ee8d97

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
0c8ea84adc6849143eec55e728e38be5

SHA1
516986d0ac2b673fd0a74fb8bd350bcd0f804a41

SHA256
721be550c44ead326a6661e3e7992f1698f325096b0aef7418e3ca1ce56ebe50

SHA512
d963cf3c06533bb5cd3e89075f3b0ce668e3ca7322089e1b2f761cd41efd8b492457bfe45b04139c49a94b0fc58efc34aa475e59f406d870f25fe72c28b23ff2

Download Submit
/Users/run/Library/Caches/GeoServices/Resources/altitude-1269.xml

Filesize
167KB

MD5
a645869f7bf432953f0292ca5fd17ad8

SHA1
9063c8541f8d4d81d301df8b359a30071d42b119

SHA256
04daf260c11cd34cd84f42fb5a47f1d5717d0b2f62b236826d7c3a6f0a1c9db9

SHA512
6449c45cd990750cf88cbf75b3320e6d972ba1b10dd8bb23835e1d298efb0b5d50399ad2c4be9d3d068619d645e544afc3245c66630da1878c8688811e76fca4

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.colorsync.profiles.502

Filesize
21KB

MD5
dd2d2b2cd9a8ac6624c7be4f50f63c9c

SHA1
56881e11f9256fc70c2893909e73ada9e23d34b7

SHA256
7d02f5941af28782d777a5fdb7e10dd58a660a4855de64e1ba29fc8d0ce1406e

SHA512
27910c4bbd4898db6da5095dfda42a09a3f7261a55059182e11447c3c3f6691bbee898bf8c880f7de6cb65df3df4f4f6293257a0f7441a47917465761ef4dedc

Download Submit
/var/log/anydesk.trace

Filesize
2KB

MD5
8a9e4b7eab30015d3ec9053b958b98f7

SHA1
48b8b0269df6574c80e1f45a2297b146354befe8

SHA256
ffa4ecebf6b9796173588fc9f4928e35a983a3b1af76fbdc51349c734a1a03e6

SHA512
99a71b11df11ad666379004bc036513abf3ef47ad505f4d959a25df4b1000798cb106d83294ba7898b213d3dcc5ea01194ab35a8c4fbd92ddbf484fbdb57f984

Download Submit