f91d32810260f25e95f93341f8ed47d6ca2d554ce9dbca78ab553a66117aedf6

Resubmissions

11/06/2024, 11:37

240611-nrfqaavgrf 1

11/06/2024, 11:35

11/06/2024, 11:35

11/06/2024, 11:34

11/06/2024, 11:33

11/06/2024, 11:29

Analysis

max time kernel
91s
max time network
89s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
11/06/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

486KB
MD5

b771c6cf5605dc82cddbf24a6724538c
SHA1

ac963e73327b376a4870a1f49964dea65869ae46
SHA256

f91d32810260f25e95f93341f8ed47d6ca2d554ce9dbca78ab553a66117aedf6
SHA512

bdc0cacaa1b7137c0aaa33cbf0b29e74f677f1de224e44c13505ba824d442f601171482337d7287483a9f2fae00f5115a14f74edee8946b1014b0d8c42058e5c
SSDEEP

6144:Y90LZNLZtLZoLZhLZKLZYLZqLZ1LZnLZHRx:YyLDLHLmL3LkLaLALfLtL1Rx

Score

4^/10

evasion execution

Malware Config

Signatures

JavaScript 1 TTPs 1 IoCs

Adversaries may abuse various implementations of JavaScript for execution.

execution

JavaScript

T1059.007

ioc	Process
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar	Process not Found

Resource Forking 1 TTPs 3 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/sample.html\""
1⤵
PID:483

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/sample.html\""
1⤵
PID:483

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/sample.html
1⤵
PID:483
- /bin/zsh
  /bin/zsh -c /Users/run/sample.html
  2⤵
  PID:486
- /Users/run/sample.html
  /Users/run/sample.html
  2⤵
  PID:486
- /bin/sh
  sh /Users/run/sample.html
  2⤵
  PID:486
- /bin/bash
  sh /Users/run/sample.html
  2⤵
  PID:486

/usr/libexec/xpcproxy
xpcproxy com.oracle.java.Java-Updater
1⤵
PID:484

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:484

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:485

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:485

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:489

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0BF23177/OneDrive.app
1⤵
PID:490

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:513

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:514

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.B5235A83-5CD5-4918-8D92-3059AE478019 513
1⤵
PID:515

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:521

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.9EEDBD60-BCCB-4DE5-B6F5-85301447B5E0 513
1⤵
PID:522

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.iCal.CalendarNC 328
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.ncplugin.stocks 328
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.ncplugin.weather 328
1⤵
PID:533

/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks
/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks
1⤵
PID:532

/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC
/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC
1⤵
PID:531

/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather
/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.1E49506F-23F9-4E80-A074-6F1450D3A809 513
1⤵
PID:539

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:541

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.AB31BDBB-D333-476E-8A90-670D91D516B2 513
1⤵
PID:542

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.0F1A01BC-FF67-4AD7-86ED-F4B77B16E2A7 513
1⤵
PID:544

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.4DDEA55D-7EEB-4F5F-9733-08FF5595B7D4 513
1⤵
PID:545

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 513
1⤵
PID:546

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:553

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.JarLauncher.2128
1⤵
PID:554

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
"/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher"
1⤵
PID:554
- /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
  "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar
  2⤵
  PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.AppStore.1900
1⤵
PID:561

/System/Applications/App Store.app/Contents/MacOS/App Store
"/System/Applications/App Store.app/Contents/MacOS/App Store"
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.storeuid
1⤵
PID:562

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.rtcreportingd
1⤵
PID:563

/usr/libexec/rtcreportingd
/usr/libexec/rtcreportingd
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.coremedia.videodecoder 561
1⤵
PID:564

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:565

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:565

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:567

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/System/Volumes/Data/Users/run/Library/Safari/Bookmarks.plist

Filesize
2KB

MD5
2ef2280f7ca19262cc8298f29a37a223

SHA1
9cbc7f87d4e90ab89e5965cb55b7671c8c57dc05

SHA256
ed94b4091044e756fdddb7b0f32765b1039571562023a1b2aefadd1033e2b570

SHA512
97e59c90dec02a700c3ed82d4d14d83718f2d9b35e9e6e26242dc8cbf9b01a45fe789ec5c5f12d88470b6c1da09eb716c094aa6ae6924aded78a2a71bd046658

Download Submit
/Users/run/Library/Safari/Bookmarks.plist

Filesize
2KB

MD5
291105f91192709b54688b5a22e69695

SHA1
8d65efbf91fc6e0836cff1e37e6d959144b8e214

SHA256
63b64979d0388306ee87dbc5b42ed0a363e67d7b71f87c491ef583a7cc87d09c

SHA512
ac2745041a6d91cbb703e164a6fe4f420a29bf36ff667b2c0ce2ba32e74023c8843efa047a7f784e14f65b0e0f46b95ef18723a4a61f9b0b5a0c34d09e9f53c5

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/067EC0DCF7EB00AECEAAE5EAD338A875

Filesize
5KB

MD5
4f72663012543ad7cfa1dd5d78dc5af0

SHA1
069001eaaa436c30a43a0c6073c3d31ad4a7d21a

SHA256
133e23f3ccf9be03dbd128bb941c6042b66f3ea331650c79f992ea88ee1a7d77

SHA512
d112f52124d0a70a36c0f0fd30dcf0b2b597f079c07aa7d772025bf5e1286b35846fc9bcfe99ca07d62ceb342c9ce84651d17dc69c8871b297bfe140a791c0e6

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/2529545429CE075A4E64DE7DAA3D4C27

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/937D62F6A84284E4EDF46E5F016D186A

Filesize
5KB

MD5
919a16ae2de3bc543f19d3c8ceede9c4

SHA1
31d41b3e184cbb7effe7a475b7ed3bba376ea9d3

SHA256
b6150bf94bf356fbca8639490fec589e19e896ffcd3ec3c651605b5733ef03e9

SHA512
e62023e2a88d088612f25ca508021aa79d3e43c81efcf4740d6825ae92be0b83161d84cbc6b562662e851f3e912323b704fe287f50e4202f2ba451a07358c1c2

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/C44B2F96CCF24BBBA3F1AF3899A740D7

Filesize
31KB

MD5
12ce3ae25e7d9c8f79686f4d7beb5e64

SHA1
83963532b5fcdf1c152bd85e29f7f38abe6d63bf

SHA256
9e84d0f4aeb91bda595238a825824cb672a1f78915788229f3d34fefa4f4d7f4

SHA512
b31465a626630ba32c8cd131148eebe6a9078d4814a9a265bf12746558509fdd2c7abfc58cb8233b87cb3ba236615b16cffb67a5ebe9885a7f42beea3d487999

Download Submit
/Users/run/Library/Safari/lock/details.plist

Filesize
217B

MD5
44402a84ee5c6c6a51f7669c3b72c096

SHA1
27232bf2f4805c71f2cf588b773ad2d0b5bc11fd

SHA256
63b59b8cff0b95cf55bfbf4205b525c5d53bc6963db467e2ffef513329d661e7

SHA512
2406c76230ae859c106ad27c30d7ab9d8ebcbba4b063e69c6b14c4afa02e0d1dda3367048c0c978ca385444d220369d4b567038c2680439eb45c0755e8f73a45

Download Submit
/Users/run/Library/Safari/lock/details.plist

Filesize
217B

MD5
521c586e9d1ad99b2c165ca98c5a7584

SHA1
be62b7779ef18447349e0e9236d2f9a3fe414dec

SHA256
be5a7654f8978d02446ec079b592ec3e85b5c47c70d1d994c15e00d90020f96c

SHA512
f7deb4c2928463dc840b517cd783d456776187e4a8ab3e98755765872dab98462897b17b7e1b5af174febf2c11b67274ba52b94564c87fa34647344e59d742a0

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
218KB

MD5
cff401c364970f8137b0c41e57d549ef

SHA1
a4c5b49e92361e0c3587ee106b11b143585e3b0b

SHA256
899ab34c300b83f0631f9dbd3dda28104cd4b52d689690e99e62e51d141f0e26

SHA512
fae8308884f7539d61b5e0efbb70ba4106c19169b04d4ac51dad468f850e2ede79bb26f62a1da9a0c82d42023c250cc4d0fd49e37013582728d4edce49686d5c

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
21.9MB

MD5
1434d9567aafded7678dd6adeb2a3e94

SHA1
b3119a748b6abae286cef944212ad11d897c5ea0

SHA256
ef45d0028c4275031c03b3e00e29ecdbe28a8f9084fe3cf25b4e61e120d58232

SHA512
41860dce24ea22a1716b5920dd770544907583fda6e824df640693e8c03af5d15f24a01cb0631244844ff1fc23186b8f984312b6127a51504375e3507e93ce67

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
125KB

MD5
b87a28c42a8c3c901bd53520fa00a568

SHA1
22c133c950b99affaf5f2f0da20bc8f390ec90a9

SHA256
1a075f16e0b0aaac3612bdf39118329489e573406325f2e651ef32ee0091e0ec

SHA512
8ac67ec44ebb0cfac79135112d1837bbd9a64643b6aae9068483c9c72abc15a2046b8092fb82d13b35968408d368c8bdbd5cd8a1c09dc77fb36a27545c9f5b4b

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit