4561907c4d52e2f52e955f1ba4550a0e73f9c6174a5c770f9d2c2d15c05e645a

Analysis

max time kernel
52s
max time network
57s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
24/05/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-0329
Size

7.0MB
MD5

a87e79e79359ba2e7e8a11f40e7c1792
SHA1

0658b880542d99fd409a1ef80bdfde54b408b143
SHA256

4561907c4d52e2f52e955f1ba4550a0e73f9c6174a5c770f9d2c2d15c05e645a
SHA512

c5e1bf80f03b75c249a17e64fecd6eb4afdbb51299ba13f75245bec94e2f827131a260eeab50f0de3fbe7cf5b79a3639ee4f1fa5d630147a0034134df05b91aa
SSDEEP

98304:GWISbfjj3NwjEiLZleEL8Uxfs5Zi51VSkrdb7TsEdbD3yakfdxQMfRt:DiwUltL3r1UkrFtxit

Score

4^/10

evasion execution

Malware Config

Signatures

JavaScript 1 TTPs 1 IoCs

Adversaries may abuse various implementations of JavaScript for execution.

execution

JavaScript

T1059.007

ioc	Process
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar	Process not Found

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-0329\""
1⤵
PID:482

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-0329\""
1⤵
PID:482

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-0329
1⤵
PID:482
- /bin/zsh
  /bin/zsh -c /Users/run/2024-0329
  2⤵
  PID:484
- /Users/run/2024-0329
  /Users/run/2024-0329
  2⤵
  PID:484

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:521

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:521
- /usr/bin/login
  login -pf run
  2⤵
  PID:523
- - /bin/zsh
    -zsh
    3⤵
    PID:524
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:525
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:529

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.JarLauncher.2128
1⤵
PID:530

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
"/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher"
1⤵
PID:530
- /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
  "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar
  2⤵
  PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:531

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads