9ef3604a3ac4cd3f25794c6578938dcbe54ce1df7e5aa780c6695865d636e2dc

Analysis

max time kernel
124s
max time network
135s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
25-04-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

watch.html
Size

849KB
MD5

a515415ea58d351c022a45e4041fbaa3
SHA1

59a01c20ed7fd08fb4b10c9df7b089f28362fb2c
SHA256

9ef3604a3ac4cd3f25794c6578938dcbe54ce1df7e5aa780c6695865d636e2dc
SHA512

c364fcd9e29e344ba62cca3bed02b856e4c58d99828e6c4aae748deb2549ff9727caac3bf7f3fb8e446af92ab627dfea86840c5dd179e495822086370e9a5f75
SSDEEP

12288:ZWcUcic7cycnctcZcKc0c+2guqrqNlUK331T:ZW2g6

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/watch.html\""
1⤵
PID:476

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/watch.html\""
1⤵
PID:476

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/watch.html
1⤵
PID:476

/bin/zsh
/bin/zsh -c /Users/run/watch.html
2⤵
PID:483

/Users/run/watch.html
/Users/run/watch.html
2⤵
PID:483

/bin/sh
sh /Users/run/watch.html
2⤵
PID:483

/bin/bash
sh /Users/run/watch.html
2⤵
PID:483

/usr/libexec/xpcproxy
xpcproxy com.apple.var-db-dslocal-backup
1⤵
PID:477

/usr/bin/xar
/usr/bin/xar -c -f dslocal-backup.xar dslocal
1⤵
PID:477

/usr/libexec/xpcproxy
xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer
1⤵
PID:478

/usr/libexec/xpcproxy
xpcproxy com.apple.gkreport
1⤵
PID:480

/usr/libexec/gkreport
/usr/libexec/gkreport
1⤵
PID:480

/usr/libexec/xpcproxy
xpcproxy com.oracle.java.Java-Updater
1⤵
PID:481

/usr/libexec/xpcproxy
xpcproxy com.apple.systemstats.daily
1⤵
PID:482

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:478

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:481

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:527

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:527

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads