5ae7c1cbaf31c684c1b0c40740d7aa8196e63a1a712b8be907004d36b6cc70c8

Resubmissions

15-05-2024 14:54

240515-r943daef53 1

15-05-2024 14:53

240515-r9rgaaec81 3

15-05-2024 14:50

240515-r73frsec3z 1

15-05-2024 14:48

240515-r6enbaed55 4

Analysis

max time kernel
149s
max time network
154s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
15-05-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KizakiStudio's.png
Size

6KB
MD5

a7530bd2c0f68c87efb7b732c6d82355
SHA1

1e5493e89de46ae6d8085792fcab44afb23feb87
SHA256

5ae7c1cbaf31c684c1b0c40740d7aa8196e63a1a712b8be907004d36b6cc70c8
SHA512

cc7408b8d67b6d5902d297d8fb2ff95e4207c69596c8f1bec26c3c46c1a23313d556b301c3a0ddb09f80a0f66030e0808a82750f2634fee2a01f6de67fd63fe9
SSDEEP

192:Zd/S4E4Q8eOo9Id2K3NGB4VXPPZqKxO/l1dbDUb:ZdS4LdeOo2dT3Ny4Vf7nb

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found

/usr/bin/xar
/usr/bin/xar -c -f dslocal-backup.xar dslocal
1⤵
PID:478

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/KizakiStudio's.png\""
1⤵
PID:479

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/KizakiStudio's.png\""
1⤵
PID:479

/usr/bin/sudo
sudo /bin/zsh -c "/Users/run/KizakiStudio's.png"
1⤵
PID:479
- /bin/zsh
  /bin/zsh -c "/Users/run/KizakiStudio's.png"
  2⤵
  PID:486

/usr/libexec/xpcproxy
xpcproxy com.apple.gkreport
1⤵
PID:480

/usr/libexec/gkreport
/usr/libexec/gkreport
1⤵
PID:480

/usr/libexec/xpcproxy
xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer
1⤵
PID:482

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:482

/usr/libexec/xpcproxy
xpcproxy com.apple.systemstats.daily
1⤵
PID:483

/usr/libexec/xpcproxy
xpcproxy com.oracle.java.Java-Updater
1⤵
PID:484

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:484

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:487

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:487

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:488

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:488

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.9AD69B63-212C-4E40-8974-DA6AA955E161 487
1⤵
PID:490

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:490

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:496

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:496

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.D9D62D61-A293-4922-9A01-6B66507F9446 487
1⤵
PID:497

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:497

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 487
1⤵
PID:499

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:499

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:523

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:523

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.50F5420B-A9FD-440E-BF6F-A2BE2CA4C8EF 487
1⤵
PID:524

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.69B8B3B1-CA71-4EE5-9A0D-FFAADB4D29A0 487
1⤵
PID:525

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:528

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.coremedia.videodecoder 497
1⤵
PID:530

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.passd
1⤵
PID:542

/System/Library/PrivateFrameworks/PassKitCore.framework/passd
/System/Library/PrivateFrameworks/PassKitCore.framework/passd
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:543

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:543

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Caches/PassKit/cache.plist

Filesize
488B

MD5
983afa02ac9bd03474cbd0754dfec41e

SHA1
696bf72962cb4a3f8872e4cca621f08657986dcb

SHA256
6d90fccdd6c7756e9bc28f85f4d38ae54481e32ed1748ff4ff2fbda5ba2097a8

SHA512
398b3b2d86db3e2f6f3d9cf22d12562c89b263629eadf3cc5863ad275b5ab2980a60308883df3992be0d64cca0260216ce36c0d16270e53c5d2b710f215a3116

Download Submit
/Users/run/Library/Passes/PaymentWebServiceContext.archive

Filesize
49KB

MD5
64e4d9268881191499fa6939a1d668d0

SHA1
b677ec68a2f4711fc232accca6dc5894515985a3

SHA256
56c31be904afe56a4ebd3fb6108a826e14b703dd50e16361695ccb7059dd2bdf

SHA512
d4090762de309ff00672b0aa1246a16625273b259f9d7eecf3530e8e99f368250d9b314ed329e30cdae3afca366ecfae428bb61c8a9c643a9c487888e1fbcadf

Download Submit
/Users/run/Library/Passes/PaymentWebServiceContext.archive

Filesize
65KB

MD5
8c20670e596c71a91273c74a335d2dfa

SHA1
34d83ddf131a349b76195926c383b06f39794ccc

SHA256
e0dd61124a712440d665dda99e96bc72f6c3db7abf8bad515ac76e3f0ab8dddd

SHA512
27692bf6e3d4d1780bab85a6ec4f409d6bd20733893371cbc7abd3a81776e2b8375999b8d983a9b96c0c18df6693f981f03460eb4dfb471fd18ec144c2b48e69

Download Submit
/Users/run/Library/Passes/PeerPaymentWebServiceContext.archive

Filesize
550B

MD5
5ff0c715e0f5205ac052f03274063b8d

SHA1
c84549884b8e795da348c974fa2ce4a12b343c9f

SHA256
e71b160425feb94e0116816c6ddad196937b0d6c875ae807761faefa97a408c3

SHA512
5678ab40a6867cbc19aaf8a3a12f4a7305ef7e6bc49ac4d6289853f8dda4cb5b6a998ea1665ca763b8a5a63acf5d7f0b6b580fd9174f0b271da40602f47ee1c2

Download Submit
/Users/run/Library/Passes/ScheduledActivities.archive

Filesize
1KB

MD5
000d11f0a896f9c0d559f8f8e273c229

SHA1
f0a8f34d20730160ab94c3439f1fe07169b94b5c

SHA256
a7c40bcdfd688a3c37705191aa7d9a21e9b860ead4d429f98835cd97796f74d6

SHA512
6185a4324a0746ed7b10b9f6ed0c8bcf062d528d30bfdc16435baaed75588392b17cb14aa1db5c87ffeb2999953c76232605f47eba73c598dcd76e795b7f724d

Download Submit
/Users/run/Library/Passes/ScheduledActivities.archive

Filesize
1KB

MD5
39dc7c8ee7088f31f558ebacacab6e76

SHA1
c15c6f7b1ec95046b7397f87c03fbe814f9f3df0

SHA256
feecab8cb10098090a2c05b651281b6180785f850d82602d1de8db5d8ce8c9ff

SHA512
bf32e71317cb340f64bf61bba8de56bee6e4cceea1b80a33eb7488d953511cf2bcb586b3670c6ce198db62fc93cf5d5d8e5b306af4c6b866c0ac9382fdd822f1

Download Submit
/Users/run/Library/Passes/WebServiceTasks_v6.archive

Filesize
251B

MD5
09dfdae412e2ce9c6666f52f76002c1a

SHA1
d175b94d9dbbc3980c77cbd1da8fa7b853cf0783

SHA256
c620ab626d4350382bd8d7c999e0f3f765e7414a02264987cc38aa428ea03260

SHA512
54bfe4cf51f958dcec06b6bf81df0000d8b4cf464d7c1eadb22450fd0f86d42558f68acfc5e6806557cb1c76b2cd9b1c310c7c1e6fcbef018579e5789e183969

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/4972C76650B82C3C6489DFD6BB0D9CB4

Filesize
5KB

MD5
fbdcc92883587f7a5796784e771b2644

SHA1
7f149b1eb036c2de77e9f5d88166e98d6ccf6cb4

SHA256
aaa3dee76ef9db79aa640a6ce556c041b674ad5d3b59d22d8b4da195c4f24971

SHA512
aa236baabb5b48cb47135f577ef285118519827f4de9461e335d6dc3a03a10641242810ac9bee24828a70503bb19a604557ca65ebeca7b72fa62e790fc760018

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
222KB

MD5
79cdbd255191311fd63ff280ccd0f1ec

SHA1
6e29530647f2a08fb744e732fbf0d174cc61cd18

SHA256
1e17bea325a51ab9dd7f0c9276dd149ed0f4ad0f5e51eeac8cf9bceaa9501a85

SHA512
877c876e48f19d562450f8d17d81de135c1a618492a0d509919e518c0386eac68cfb2d1e0655be2beed665af0d7098898d6a06fb9da99b033e17afcdfef895c4

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
22.2MB

MD5
940e3cc60dfef4f7084a741bdf62c68f

SHA1
33d3601614b8e73ce2e0332bfbdbd2fbbc012af2

SHA256
dcca35836f750a5b99d6c4466327c578f55b1a2143b1ca6d3bf5988b784ec996

SHA512
9f31c076f59de2d51d5e98e0f955b00687c80f55b36ce1085aedb291cae25ee7c21b6aaebfd98ccb5265044a08475919c2a986518102faa5765cb43db29a8cc1

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
127KB

MD5
5db8b8284c3520d7597890ab682a212c

SHA1
ec6f50437b9e19b152f5fbb0c1da1f577d27df91

SHA256
18620be49d194b9d29a94aeb1fd9ed2c5ec7779aa0de850256eb3b71326fdbfc

SHA512
66fde67594cb89eb51e0f847a7aae4bb721f64d91d8cff955e28fcd9ae1598f91ec1b0b58204a888197136cd8e184d373b09b7180b5bbdaeaeef1f04dbc39b9b

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit