Analysis
-
max time kernel
336s -
max time network
1565s -
platform
macos-10.15_amd64 -
resource
macos-20240410-en -
resource tags
-
submitted
02/05/2024, 19:24
General
-
Target
sample.html
-
Size
19KB
-
MD5
254a49b8e340c86d345b3613bc6427b1
-
SHA1
881475b7753f560b181e3a02072af552d257e3c0
-
SHA256
a635bcbe92a0ce6e34d87e8e8685b2b193a5f9f9ef57d52380464add95d511f3
-
SHA512
6ab6fa4994a7b46c3f09aabab4c62960e1abe1ad3efbf627a33b1e4822a2c187d8021508e8f8e07936d0d5f4b15cac12a74679852ba2584554de3ca1304b2cd0
-
SSDEEP
384:raN579vDpmReVoOs4ni9ylKeGMpU8Hhhb1DM7DS2LjMrSA+xzIJCgMmVn:raD9vBVoOs4nmyI1M9BhbJ6TMrSfsJ2Y
Score
4/10
Malware Config
Signatures
-
Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
Processes
-
/usr/libexec/xpcproxyxpcproxy com.apple.var-db-dslocal-backup1⤵
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/sample.html\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/sample.html\""1⤵
-
/usr/bin/xar/usr/bin/xar -c -f dslocal-backup.xar dslocal1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/sample.html1⤵
-
/bin/zsh/bin/zsh -c /Users/run/sample.html2⤵
-
-
/Users/run/sample.html/Users/run/sample.html2⤵
-
-
/bin/shsh /Users/run/sample.html2⤵
-
-
/bin/bashsh /Users/run/sample.html2⤵
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.gkreport1⤵
-
/usr/libexec/gkreport/usr/libexec/gkreport1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.systemstats.daily1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.newsyslog1⤵
-
/usr/sbin/newsyslog/usr/sbin/newsyslog1⤵
-
/usr/bin/pluginkit/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync1⤵
-
/usr/sbin/spctl/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterB516C108/OneDrive.app1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.sysmond1⤵
-
/usr/libexec/sysmond/usr/libexec/sysmond1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E1⤵
-
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.newsyslog1⤵
-
/usr/sbin/newsyslog/usr/sbin/newsyslog1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.cloudkeychainproxy31⤵
-
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.AccountPolicyHelper1⤵
-
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.spindump1⤵
-
/usr/sbin/spindump/usr/sbin/spindump1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.diagnosticd1⤵
-
/usr/libexec/diagnosticd/usr/libexec/diagnosticd1⤵