2e697828d0bb36a4aa0085997b62a9cc6a83e13afe94c299e4a707f3282b2a66

Analysis

max time kernel
147s
max time network
148s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
24/04/2024, 12:14 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf
Size

155KB
MD5

13ef2b2caf4f6dbc77b79ff2450cb236
SHA1

533a09b5ee07a1c7b6e57db6ea06bd5841a14d1f
SHA256

d506f239fcc4ba2e4430c2059a43ad9a8ca4b07736fe560297bc0eea9f990947
SHA512

7b19f8c34bb8488595610038fb67617fb33bca9c881d18aaf3d80a563a0171f767878afce30db6b6e1c4685379d2b37e71492830b1fe32985aff98eb95a872a5
SSDEEP

1536:l0d4JQZ4RD6ibfSK5mQWqdS5FLHcePasnXeNtrK/gjz1c23wN1vpbc:lWCM4RD6gKmmrz3LHcePjY1/y2cc

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 4 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
sudo /bin/zsh -c "/Users/run/Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf"	Process not Found
/bin/zsh -c "/Users/run/Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf"	Process not Found
/Users/run/Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf	Process not Found
sh -c "sudo /bin/zsh -c \"/Users/run/Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf\""	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf\""
1⤵
PID:487

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf\""
1⤵
PID:487

/usr/bin/sudo
sudo /bin/zsh -c "/Users/run/Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf"
1⤵
PID:487
- /bin/zsh
  /bin/zsh -c "/Users/run/Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf"
  2⤵
  PID:488
- /Users/run/Install
  /Users/run/Install Parallels Desktop/Install Parallels Desktop.app/Contents/Resources/pt-BR.lproj/License.rtf
  2⤵
  PID:488

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:491

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0BF23177/OneDrive.app
1⤵
PID:492

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:536

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:536

Network

DNS

mobile.events.data.trafficmanager.net

Remote address:

8.8.8.8:53

Request

mobile.events.data.trafficmanager.net

IN A

Response

mobile.events.data.trafficmanager.net

IN CNAME

onedscolprdcus20.centralus.cloudapp.azure.com

onedscolprdcus20.centralus.cloudapp.azure.com

IN A

104.208.16.95
DNS

api.apple-cloudkit.fe2.apple-dns.net

Remote address:

8.8.8.8:53

Request

api.apple-cloudkit.fe2.apple-dns.net

IN A

Response

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.69

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.64

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.68

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.70
DNS

bag-cdn-lb.itunes-apple.com.akadns.net

Remote address:

8.8.8.8:53

Request

bag-cdn-lb.itunes-apple.com.akadns.net

IN A

Response

bag-cdn-lb.itunes-apple.com.akadns.net

IN CNAME

h3.apis.apple.map.fastly.net

h3.apis.apple.map.fastly.net

IN A

151.101.3.6

h3.apis.apple.map.fastly.net

IN A

151.101.67.6

h3.apis.apple.map.fastly.net

IN A

151.101.131.6

h3.apis.apple.map.fastly.net

IN A

151.101.195.6
DNS

cds.apple.com

Remote address:

8.8.8.8:53

Request

cds.apple.com

IN A

Response

cds.apple.com

IN CNAME

cds-cdn.v.aaplimg.com

cds-cdn.v.aaplimg.com

IN CNAME

cds.apple.com.akadns.net

cds.apple.com.akadns.net

IN CNAME

cds.apple.com.edgekey.net

cds.apple.com.edgekey.net

IN CNAME

e14768.dscb.akamaiedge.net

e14768.dscb.akamaiedge.net

IN A

104.68.86.71
GET

http://ocsp.apple.com/ocsp03-apsrsaca11g1/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFK2rIf4cXfO50li4D4I209Ic4w84BBRQArgTLBWD0UHDEYqLQjsBI0OpVgIQEYPz5D0GDx%2BPyz8PONYPuQ%3D%3D

Remote address:

17.253.77.201:80

Request

GET /ocsp03-apsrsaca11g1/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFK2rIf4cXfO50li4D4I209Ic4w84BBRQArgTLBWD0UHDEYqLQjsBI0OpVgIQEYPz5D0GDx%2BPyz8PONYPuQ%3D%3D HTTP/1.1
Host: ocsp.apple.com
Accept: */*
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: com.apple.trustd/2.0

Response

HTTP/1.1 200 OK

Server: Apple
Date: Wed, 24 Apr 2024 06:14:45 GMT
Content-Type: application/ocsp-response
Content-Length: 1476
Last-Modified: Wed, 24 Apr 2024 06:14:45 GMT
Expires: Wed, 24 Apr 2024 14:14:45 GMT
Etag: "13de0dc202fac9606df154b23f70adae8b15af4f"
Age: 22995
Via: http/1.1 uklon5-vp-vst-013.ts.apple.com (acdn/153.14426), http/1.1 uklon5-vp-vfe-019.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-lx-010.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-bx-007.ts.apple.com (acdn/153.14426)
X-Cache: hit-fresh, hit-stale, hit-fresh, hit-fresh
CDNUUID: 8a23ff6d-f9ca-4003-ba46-2534859bf2e4-4522929496
Connection: keep-alive
GET

http://ocsp.apple.com/ocsp03-asi2ca02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDpjNYC91gD%2BzsNfJ0wP9wrPSi8lBBQSdXxHkv2D474u%2FFl%2FZ0OBNRBF7AIIR5uTR%2BogEsU%3D

Remote address:

17.253.77.202:80

Request

GET /ocsp03-asi2ca02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDpjNYC91gD%2BzsNfJ0wP9wrPSi8lBBQSdXxHkv2D474u%2FFl%2FZ0OBNRBF7AIIR5uTR%2BogEsU%3D HTTP/1.1
Host: ocsp.apple.com
Accept: */*
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: com.apple.trustd/2.0

Response

HTTP/1.1 200 OK

Server: Apple
Date: Wed, 24 Apr 2024 04:09:31 GMT
Content-Type: application/ocsp-response
Content-Length: 2559
Expires: Wed, 24 Apr 2024 15:09:31 GMT
ETag: "3e472e4ede7f8392272983ddcca2e39aa3194d5a"
Last-Modified: Wed, 24 Apr 2024 04:09:31 GMT
Age: 30516
Via: http/1.1 uklon5-vp-vst-015.ts.apple.com (acdn/153.14426), http/1.1 uklon5-vp-vfe-003.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-lx-001.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-bx-008.ts.apple.com (acdn/153.14426)
X-Cache: hit-stale, hit-fresh, hit-fresh, hit-fresh
CDNUUID: cc84642c-d989-4e79-8c9b-925370af694c-4093442846
Connection: keep-alive
DNS

help.apple.com

Remote address:

8.8.8.8:53

Request

help.apple.com

IN A

Response

help.apple.com

IN CNAME

help.origin-apple.com.akadns.net

help.origin-apple.com.akadns.net

IN CNAME

help-ar.apple.com.edgekey.net

help-ar.apple.com.edgekey.net

IN CNAME

e11408.d.akamaiedge.net

e11408.d.akamaiedge.net

IN A

184.30.157.247
GET

http://ocsp.apple.com/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D

Remote address:

17.253.77.202:80

Request

GET /ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D HTTP/1.1
Host: ocsp.apple.com
Accept: */*
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: com.apple.trustd/2.0

Response

HTTP/1.1 200 OK

Server: Apple
Date: Wed, 24 Apr 2024 12:30:47 GMT
Content-Type: application/ocsp-response
Content-Length: 2515
Last-Modified: Wed, 24 Apr 2024 12:30:47 GMT
Expires: Wed, 24 Apr 2024 12:45:47 GMT
Etag: "6419e04ce6c3852452c3ce2ae7a3b8ebea184ae0"
Age: 452
Via: http/1.1 uklon5-vp-vst-013.ts.apple.com (acdn/153.14426), http/1.1 uklon5-vp-vfe-010.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-lx-005.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-bx-008.ts.apple.com (acdn/153.14426)
X-Cache: hit-fresh, hit-stale, hit-fresh, hit-fresh
CDNUUID: cc84642c-d989-4e79-8c9b-925370af694c-4093538533
Connection: keep-alive
GET

http://ocsp.apple.com/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D

Remote address:

17.253.77.201:80

Request

GET /ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D HTTP/1.1
Host: ocsp.apple.com
Accept: */*
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: com.apple.trustd/2.0

Response

HTTP/1.1 200 OK

Server: Apple
Date: Wed, 24 Apr 2024 12:30:47 GMT
Content-Type: application/ocsp-response
Content-Length: 2515
Last-Modified: Wed, 24 Apr 2024 12:30:47 GMT
Expires: Wed, 24 Apr 2024 12:45:47 GMT
Etag: "6419e04ce6c3852452c3ce2ae7a3b8ebea184ae0"
Age: 451
Via: http/1.1 uklon5-vp-vst-013.ts.apple.com (acdn/153.14426), http/1.1 uklon5-vp-vfe-010.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-lx-005.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-bx-001.ts.apple.com (acdn/153.14426)
X-Cache: hit-fresh, hit-stale, hit-fresh, hit-fresh
CDNUUID: cdb9bcd7-c3c2-4596-a5aa-a1a68ec9699b-4523254845
Connection: keep-alive
GET

http://ocsp.apple.com/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D

Remote address:

17.253.77.202:80

Request

GET /ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D HTTP/1.1
Host: ocsp.apple.com
Accept: */*
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: com.apple.trustd/2.0

Response

HTTP/1.1 200 OK

Server: Apple
Date: Wed, 24 Apr 2024 12:30:47 GMT
Content-Type: application/ocsp-response
Content-Length: 2515
Last-Modified: Wed, 24 Apr 2024 12:30:47 GMT
Expires: Wed, 24 Apr 2024 12:45:47 GMT
Etag: "6419e04ce6c3852452c3ce2ae7a3b8ebea184ae0"
Age: 454
Via: http/1.1 uklon5-vp-vst-013.ts.apple.com (acdn/153.14426), http/1.1 uklon5-vp-vfe-010.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-lx-005.ts.apple.com (acdn/153.14426), http/1.1 gbmnc1-edge-bx-002.ts.apple.com (acdn/153.14426)
X-Cache: hit-fresh, hit-stale, hit-fresh, hit-fresh
CDNUUID: b9407e4e-ea28-47d1-bebc-1608fa4714f4-4094262019
Connection: keep-alive

151.101.67.6:443

tls, https

91 B
40 B
1
1
20.42.73.27:443

mobile.pipe.aria.microsoft.com

tls

29.6kB
9.9kB
65
42
104.68.86.71:443

cds.apple.com

tls

23.0kB
158.3kB
238
194
17.253.77.202:80

valid.apple.com

64 B
1
17.253.77.201:80

http://ocsp.apple.com/ocsp03-apsrsaca11g1/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFK2rIf4cXfO50li4D4I209Ic4w84BBRQArgTLBWD0UHDEYqLQjsBI0OpVgIQEYPz5D0GDx%2BPyz8PONYPuQ%3D%3D

http

637 B
2.4kB
6
5

HTTP Request

GET http://ocsp.apple.com/ocsp03-apsrsaca11g1/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFK2rIf4cXfO50li4D4I209Ic4w84BBRQArgTLBWD0UHDEYqLQjsBI0OpVgIQEYPz5D0GDx%2BPyz8PONYPuQ%3D%3D

HTTP Response

200
17.253.77.202:80

http://ocsp.apple.com/ocsp03-asi2ca02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDpjNYC91gD%2BzsNfJ0wP9wrPSi8lBBQSdXxHkv2D474u%2FFl%2FZ0OBNRBF7AIIR5uTR%2BogEsU%3D

http

753 B
3.5kB
8
6

HTTP Request

GET http://ocsp.apple.com/ocsp03-asi2ca02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDpjNYC91gD%2BzsNfJ0wP9wrPSi8lBBQSdXxHkv2D474u%2FFl%2FZ0OBNRBF7AIIR5uTR%2BogEsU%3D

HTTP Response

200
184.30.157.247:443

help.apple.com

tls

37.4kB
110.5kB
192
126
184.30.157.247:443

help.apple.com

tls

2.8kB
2.5kB
16
10
17.253.77.202:80

valid.apple.com

64 B
1
17.253.77.202:80

http://ocsp.apple.com/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D

http

1.2kB
3.6kB
11
9

HTTP Request

GET http://ocsp.apple.com/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D

HTTP Response

200
17.253.77.201:80

http://ocsp.apple.com/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D

http

688 B
3.5kB
7
6

HTTP Request

GET http://ocsp.apple.com/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D

HTTP Response

200
17.253.77.202:80

http://ocsp.apple.com/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D

http

676 B
3.5kB
7
6

HTTP Request

GET http://ocsp.apple.com/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIGMqpvo33p8A%3D

HTTP Response

200

8.8.8.8:53

mobile.events.data.trafficmanager.net

dns

83 B
158 B
1
1

DNS Request

mobile.events.data.trafficmanager.net

DNS Response

104.208.16.95
8.8.8.8:53

api.apple-cloudkit.fe2.apple-dns.net

dns

82 B
146 B
1
1

DNS Request

api.apple-cloudkit.fe2.apple-dns.net

DNS Response

17.250.81.69

17.250.81.64

17.250.81.68

17.250.81.70
8.8.8.8:53

bag-cdn-lb.itunes-apple.com.akadns.net

dns

84 B
187 B
1
1

DNS Request

bag-cdn-lb.itunes-apple.com.akadns.net

DNS Response

151.101.3.6

151.101.67.6

151.101.131.6

151.101.195.6
8.8.8.8:53

cds.apple.com

dns

59 B
218 B
1
1

DNS Request

cds.apple.com

DNS Response

104.68.86.71
8.8.8.8:53

help.apple.com

dns

60 B
196 B
1
1

DNS Request

help.apple.com

DNS Response

184.30.157.247
224.0.0.251:5353

332 B
1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.