deb558a04d790219073f11e7102a6c7c0464dd4412cc47f626c9020cadadb2ba

General

Target

sample.html
Size

205KB
MD5

d7303dbd0c6a82834184800ecf1a84f8
SHA1

0f45b5c5c6d20709d4d6291dfea229aaae02f03e
SHA256

deb558a04d790219073f11e7102a6c7c0464dd4412cc47f626c9020cadadb2ba
SHA512

6f8c63329245cb67e4e3c46636d62f741b44a7c29506607ff16e29d30ac7294f5c53939eb80c48d87ed4821943e0105eb1520bb7c4b6c473b150d78c0397380d
SSDEEP

3072:LZeJMTk2u5SOV+UQ37410kTd3Z3Pl3fJt9R7/:7Tk2u5SOV+UQ37410kTFZZfT9p/

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/sample.html\""
1⤵
PID:487

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/sample.html\""
1⤵
PID:487

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/sample.html
1⤵
PID:487
- /bin/zsh
  /bin/zsh -c /Users/run/sample.html
  2⤵
  PID:488
- /Users/run/sample.html
  /Users/run/sample.html
  2⤵
  PID:488
- /bin/sh
  sh /Users/run/sample.html
  2⤵
  PID:488
- /bin/bash
  sh /Users/run/sample.html
  2⤵
  PID:488

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:517

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:517

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:518

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.6C54ABD7-272A-4FF8-94C7-0781DCF4DCB0 517
1⤵
PID:520

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:525

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.AE976811-E463-4740-937D-5F16C2A36D87 517
1⤵
PID:526

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 517
1⤵
PID:528

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:529

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.8FB5C4F4-E9E7-4E8F-AD4C-989F7E7EAB3C 517
1⤵
PID:530

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.F423A465-FA35-4E10-83AF-3597C2E299B3 517
1⤵
PID:535

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy com.apple.speech.speechsynthesisd
1⤵
PID:541

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:544

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.SandboxHelper 530
1⤵
PID:545

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
1⤵
PID:545

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/2529545429CE075A4E64DE7DAA3D4C27

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/8EA8CC1BA0DFA355F5B4117ECDB8EAE6

Filesize
5KB

MD5
32abd922a16aea6a2b963cd08b502a8f

SHA1
cd229ae39fe75aed006d65ef1455b43e8138fb1f

SHA256
cd25b4c13a70527a60b7636ab074c934eafc2a1d121e7618f62817421fe0f6d7

SHA512
c82c6308ad1b4c00acb0c061f3ef7091b766f22d8f930c336afa8cbf1ba47d626b5a293861d3d00823856380e21e2b0114af2ae3d7c13a11eaef0cfe2f0af76d

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
222KB

MD5
8716c8c741d2c56fb3920c1f9d54aac2

SHA1
a8474f652a406c06c9181af1023005fa30ca0c2e

SHA256
a0c5cf78c6d33c84629fcc1065ab232486f4abd75197453d4dfe37ca9ffd2e04

SHA512
61336030c141e6c62a8585b70a5232f023d84e7498d88d2bb518ade9e3e5cb7bf649e3cc2495f23b4887c191e6f09b9d1dfdedee52c2d404c33088e00fb4250f

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
21.9MB

MD5
5b6e56d7f78cd9b3643f7eb899e6bf27

SHA1
7e5559ac643e00f84248d44855c3efaa10041014

SHA256
749f640be1666308517d2e32897c3a19eb6aa8cd75420f76164dc64da733a13a

SHA512
88823f3daf64d572cf16b56bddd5c39973bacac757dadc16dd9933dc19df22ee5a2992e7a5f55c98ca2f58abcc5fe0ebc34de2a52147f796e0a362f022975021

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
127KB

MD5
9a290d4aa24b23b445c79a1fd469a5c2

SHA1
2c2a9e6eb29a44eada276e29c53614b7e2409d80

SHA256
2e5939e92f9a74d44cf6b82f1a44480164a053db61e41295898323422e19ae97

SHA512
0652aef10d26121659b2ceb6a51b1ca62ad0d35f865db104f1a0aa95ff04c09fbbd11b2c8ae2b4c31a427d11e91b65b055ce9bb818db452aac93005be019428e

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Analysis

Sharing