7db2cc7acd9b1290074a884f0330d6e81424f293615a5ae1351d7e7423ab1e46

General

Target

Loader.exe
Size

1000KB
MD5

3ffbe199d4e0680bf7bdfec27366f4fd
SHA1

1c30d82e4971f7e4c7b5e41242fe7bb789d766cc
SHA256

7db2cc7acd9b1290074a884f0330d6e81424f293615a5ae1351d7e7423ab1e46
SHA512

311fa1f048afb458bdb6112711e9c3f6f7a0f6436aa59670406c36a6e534b62e37de5b2d03e6e30ea9d161adc5840bf899f42ab83007548391f92d928bd1e1e6
SSDEEP

24576:ylD6hmlIxWB1ky+BZbvolIOFmAQrav0dJQhln:ysN0BKy+BZro21AQOv0oln

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck

/usr/libexec/xpcproxy
xpcproxy com.apple.var-db-dslocal-backup
1⤵
PID:479

/usr/libexec/xpcproxy
xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer
1⤵
PID:480

/usr/bin/xar
/usr/bin/xar -c -f dslocal-backup.xar dslocal
1⤵
PID:479

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Loader.exe\""
1⤵
PID:481

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Loader.exe\""
1⤵
PID:481

/usr/libexec/xpcproxy
xpcproxy com.apple.gkreport
1⤵
PID:482

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Loader.exe
1⤵
PID:481
- /bin/zsh
  /bin/zsh -c /Users/run/Loader.exe
  2⤵
  PID:485
- /Users/run/Loader.exe
  /Users/run/Loader.exe
  2⤵
  PID:485

/usr/libexec/gkreport
/usr/libexec/gkreport
1⤵
PID:482

/usr/libexec/xpcproxy
xpcproxy com.oracle.java.Java-Updater
1⤵
PID:483

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:480

/usr/libexec/xpcproxy
xpcproxy com.apple.systemstats.daily
1⤵
PID:484

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:483

/System/Applications/Music.app/Contents/MacOS/Music
/System/Applications/Music.app/Contents/MacOS/Music
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:521

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
1⤵
PID:521

/System/Applications/Music.app/Contents/XPCServices/VisualizerService.xpc/Contents/MacOS/VisualizerService
/System/Applications/Music.app/Contents/XPCServices/VisualizerService.xpc/Contents/MacOS/VisualizerService
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.rtcreportingd
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.D3B91AAA-B4E4-4581-B98C-E6A4916A7436 519
1⤵
PID:528

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:528

/usr/libexec/rtcreportingd
/usr/libexec/rtcreportingd
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:529

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:531

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:532

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.7F1F032E-C15D-4395-9C83-C4DB29CB55C5 531
1⤵
PID:533

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:539

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.3397E631-4282-49F8-9698-17C3E6403E99 531
1⤵
PID:540

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 531
1⤵
PID:544

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.35DD3365-FC43-46B0-A383-1BEFA4F310F7 531
1⤵
PID:545

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.6F3E8AAD-174F-4A99-BD0F-2B95341AE246 531
1⤵
PID:546

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.AD6F9566-EBB4-4D79-AF01-CE1FFC405DFC 531
1⤵
PID:547

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.82C2A20F-267C-4186-8351-0E047F2E1B19 531
1⤵
PID:548

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/2529545429CE075A4E64DE7DAA3D4C27

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
222KB

MD5
9258d445d5f0613d48d5f05e3930c3fc

SHA1
3fccec58e6be2a0ee9edabf5396dae806b75adbf

SHA256
7f3d8129ee1ffe87126befde9b14b7dc645a87c13582d1fd457f9f04aa781c21

SHA512
1764b8cf83e461257335a8e09dd27cc0559f63d505906a1899f09ade14397935cd817d45e502e8d869bc509c64fc489d27c0eda2af3a299c0e445cdd48c8907a

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
21.9MB

MD5
ba00cef4d6131fb5ef9ef1349173635c

SHA1
84909da1589047b45e02e045da34c83be4f71c15

SHA256
5efc6c3650d0f252806912e5a8539026a9674693c5994e3418ef6f22bc79f11e

SHA512
efea356635c4377b280802d0d71a039282323d95ce1035b9cdd4d15ef942852d3649d17821cd6eda1e7d33646c79cdff1b432ed32ddc56ec4a8ae5d7d747e732

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
126KB

MD5
79503471c040e0cc25a2f701d8ec7495

SHA1
703f6202675b93118ed0bee0ce370e4e22cd8e45

SHA256
674412ca3af8c45eff060bf61c9407430666206d20285b71bc1737346e708021

SHA512
02bf794fa6cf5debaf92e21f2d3ec0331ccfb166e1d708e5d274bf1642c6bc4a3fe222d5dd753d1b942a543d26cf0551924347d4a6872f4854f99de88e19acc7

Download Submit
/var/root/Library/Caches/rtcreportingd/events/NRM_Events_2024-05-24-02-51-18.event

Filesize
3KB

MD5
20b5a86919a71750cf5452f0355b4fce

SHA1
97a3f17201cca5b1ebe0a3a848f902133d31b032

SHA256
22b36584306a535ad25b1b2e9aa46c1db4b37e23aa26f07ff7e2b23a9b9c4dfd

SHA512
1042fac6014d951755f52e741275b64fecdc1785a6eeca277a35a3426749f1f52f1eec64af9afc6671ef3b0e5734c0e15b59efc0e27762911797fa052acc5fea

Download Submit

Analysis

Sharing