Analysis

  • max time kernel
    69s
  • max time network
    75s
  • platform
    macos-10.15_amd64
  • resource
    macos-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:macos-20240611-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    19-06-2024 13:36

Errors

Reason
Machine shutdown

General

  • Target

    Super Mario Advance 2 - Super Mario World (U) [!].gba

  • Size

    4.0MB

  • MD5

    2f660377581b7e48c06131f56c791b72

  • SHA1

    5101ddf223d1d918928fe1f306b63a42ada14a5e

  • SHA256

    63d9fff04c635990a5c205a99ea64bfa698aa5cb9ec1333360063bbee949a4f3

  • SHA512

    7c6983def1bdab7213120caf9dce27f0d78792cd55e4fbbf8566c9404025be64658e52b525a578565648de1df6080af3505a1e2cfb840e5ca2e968083cd04be9

  • SSDEEP

    49152:H7vUMPtChO6l5qfsqW14FbM6bzjRodx7:H4MPqO6l6bmK6d

Score
4/10

Malware Config

Signatures

  • Resource Forking (1 TTP, 2 IoCs)

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

Processes

  • /bin/sh  1⤵  PID:552
    sh -c "sudo /bin/zsh -c \"/Users/run/Super Mario Advance 2 - Super Mario World (U) [!].gba\""
  • /bin/bash  1⤵  PID:552
    sh -c "sudo /bin/zsh -c \"/Users/run/Super Mario Advance 2 - Super Mario World (U) [!].gba\""
  • /usr/bin/sudo  1⤵  PID:552
    sudo /bin/zsh -c "/Users/run/Super Mario Advance 2 - Super Mario World (U) [!].gba"
    • /bin/zsh  2⤵  PID:554
      /bin/zsh -c "/Users/run/Super Mario Advance 2 - Super Mario World (U) [!].gba"
  • /usr/libexec/xpcproxy  1⤵  PID:553
    xpcproxy com.apple.pluginkit.pkd
  • /usr/libexec/pkd  1⤵  PID:553
    /usr/libexec/pkd
  • /usr/libexec/xpcproxy  1⤵  PID:578
    xpcproxy com.apple.sysmond
  • /usr/libexec/sysmond  1⤵  PID:578
    /usr/libexec/sysmond
  • /usr/libexec/xpcproxy  1⤵  PID:581
    xpcproxy com.apple.PerformanceAnalysis.animationperfd
  • /System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd  1⤵  PID:581
    /System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
  • /usr/libexec/xpcproxy  1⤵  PID:582
    xpcproxy com.apple.audio.systemsoundserverd
  • /usr/sbin/systemsoundserverd  1⤵  PID:582
    /usr/sbin/systemsoundserverd
  • /usr/libexec/xpcproxy  1⤵  PID:583
    xpcproxy com.apple.audio.AudioComponentRegistrar
  • /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar  1⤵  PID:583
    /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
  • /usr/bin/pluginkit  1⤵  PID:584
    /usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
  • /usr/sbin/spctl  1⤵  PID:585
    /usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2E18A62F/OneDrive.app
  • /usr/libexec/xpcproxy  1⤵  PID:588
    xpcproxy com.apple.security.cloudkeychainproxy3
  • /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy  1⤵  PID:588
    /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
  • /usr/libexec/xpcproxy  1⤵  PID:596
    xpcproxy com.apple.TextInputMenuAgent
  • /System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent  1⤵  PID:596
    /System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
  • /usr/libexec/xpcproxy  1⤵  PID:597
    xpcproxy com.apple.TextInputSwitcher
  • /System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher  1⤵  PID:597
    /System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
  • /usr/libexec/xpcproxy  1⤵  PID:599
    xpcproxy com.apple.geod
  • /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod  1⤵  PID:599
    /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
  • /usr/libexec/xpcproxy  1⤵  PID:600
    xpcproxy com.apple.Terminal.2100
  • /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal  1⤵  PID:600
    /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
    • /usr/bin/login  2⤵  PID:603
      login -pf run
      • /bin/zsh  3⤵  PID:605
        -zsh
        • /usr/libexec/path_helper  4⤵  PID:606
          /usr/libexec/path_helper -s
        • /usr/bin/locale  4⤵  PID:607
          locale LC_CTYPE
  • /usr/libexec/xpcproxy  1⤵  PID:602
    xpcproxy com.apple.siri.context.service
  • /System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService  1⤵  PID:602
    /System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
  • /usr/libexec/xpcproxy  1⤵  PID:604
    xpcproxy com.apple.AccountPolicyHelper
  • /System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper  1⤵  PID:604
    /System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
  • /usr/libexec/xpcproxy  1⤵  PID:609
    xpcproxy com.apple.AddressBook.ContactsAccountsService
  • /System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService  1⤵  PID:609
    /System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
  • /usr/libexec/xpcproxy  1⤵  PID:610
    xpcproxy com.apple.suggestd
  • /System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd  1⤵  PID:610
    /System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
  • /usr/libexec/xpcproxy  1⤵  PID:611
    xpcproxy com.apple.knowledge-agent
  • /usr/libexec/knowledge-agent  1⤵  PID:611
    /usr/libexec/knowledge-agent
  • /usr/libexec/xpcproxy  1⤵  PID:612
    xpcproxy com.apple.routined
  • /usr/libexec/routined  1⤵  PID:612
    /usr/libexec/routined LAUNCHED_BY_LAUNCHD
  • /usr/libexec/xpcproxy  1⤵  PID:613
    xpcproxy com.apple.Maps.mapspushd
  • /System/Library/CoreServices/mapspushd  1⤵  PID:613
    /System/Library/CoreServices/mapspushd
  • /usr/libexec/xpcproxy  1⤵  PID:614
    xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
  • /usr/libexec/neagent  1⤵  PID:614
    /usr/libexec/neagent
  • /usr/libexec/xpcproxy  1⤵  PID:619
    xpcproxy com.apple.PackageKit.InstallStatus
  • /System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress  1⤵  PID:619
    "/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress"
  • /usr/libexec/xpcproxy  1⤵  PID:620
    xpcproxy com.apple.warmd_agent
  • /usr/libexec/warmd_agent  1⤵  PID:620
    /usr/libexec/warmd_agent
  • /usr/libexec/xpcproxy  1⤵  PID:621
    xpcproxy com.apple.rtcreportingd
  • /usr/libexec/xpcproxy  1⤵  PID:622
    xpcproxy com.apple.coremedia.videodecoder 124
  • /usr/libexec/rtcreportingd  1⤵  PID:621
    /usr/libexec/rtcreportingd
  • /System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService  1⤵  PID:622
    /System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
  • /usr/libexec/xpcproxy  1⤵  PID:623
    xpcproxy com.apple.ReportCrash
  • /usr/libexec/xpcproxy  1⤵  PID:626
    xpcproxy com.apple.akd
  • /usr/libexec/xpcproxy  1⤵  PID:627
    xpcproxy com.apple.sessionlogoutd
  • /System/Library/CoreServices/sessionlogoutd  1⤵  PID:627
    /System/Library/CoreServices/sessionlogoutd
  • /usr/libexec/xpcproxy  1⤵  PID:629
    xpcproxy com.apple.mobile.keybagd
  • /usr/libexec/keybagd  1⤵  PID:629
    /usr/libexec/keybagd -t 15
  • /usr/libexec/xpcproxy  1⤵  PID:630
    xpcproxy com.apple.TextInputMenuAgent
  • /usr/libexec/xpcproxy  1⤵  PID:631
    xpcproxy com.apple.imklaunchagent
  • /System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent  1⤵  PID:630
    /System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
  • /System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent  1⤵  PID:631
    /System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent
  • /System/Library/CoreServices/ReportCrash  1⤵  PID:623
    /System/Library/CoreServices/ReportCrash agent
  • /usr/libexec/xpcproxy  1⤵  PID:632
    xpcproxy com.apple.PressAndHold 631
  • /usr/libexec/xpcproxy  1⤵  PID:633
    xpcproxy com.apple.spindump
  • /System/Library/Input Methods/PressAndHold.app/Contents/PlugIns/PAH_Extension.appex/Contents/MacOS/PAH_Extension  1⤵  PID:632
    "/System/Library/Input Methods/PressAndHold.app/Contents/PlugIns/PAH_Extension.appex/Contents/MacOS/PAH_Extension"
  • /usr/sbin/spindump  1⤵  PID:633
    /usr/sbin/spindump
  • /usr/libexec/xpcproxy  1⤵  PID:634
    xpcproxy com.apple.tailspind
  • /usr/libexec/tailspind  1⤵  PID:634
    /usr/libexec/tailspind
  • /usr/libexec/xpcproxy  1⤵  PID:635
    xpcproxy com.apple.spindump_agent
  • /usr/libexec/xpcproxy  1⤵  PID:636
    xpcproxy com.apple.ViewBridgeAuxiliary
  • /usr/libexec/spindump_agent  1⤵  PID:635
    /usr/libexec/spindump_agent
  • /System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary  1⤵  PID:636
    /System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
  • /usr/libexec/xpcproxy  1⤵  PID:637
    xpcproxy com.apple.TextInputSwitcher
  • /System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher  1⤵  PID:637
    /System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
                                                                                                                                                            • /sbin/shutdown
                                                                                                                                                              /sbin/shutdown -h now
                                                                                                                                                              1⤵
                                                                                                                                                                PID:0
                                                                                                                                                                • /bin/sh
                                                                                                                                                                  sh -c "/usr/bin/wall -n"
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:639
                                                                                                                                                                  • /bin/bash
                                                                                                                                                                    sh -c "/usr/bin/wall -n"
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:639
                                                                                                                                                                    • /usr/bin/wall
                                                                                                                                                                      /usr/bin/wall -n
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:639
                                                                                                                                                                      • /System/Library/Extensions/IOGraphicsFamily.kext/iogdiagnose
                                                                                                                                                                        iogdiagnose -b /var/log/displaypolicy/iogdiagnose-last.bin
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:1.8446744073709552e+19
                                                                                                                                                                        • /usr/sbin/spindump
                                                                                                                                                                          spindump -shutdownstall 2 -timelimit 5
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:641
                                                                                                                                                                          • /bin/sh
                                                                                                                                                                            sh -c /usr/sbin/kextstat
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:642
                                                                                                                                                                            • /bin/bash
                                                                                                                                                                              sh -c /usr/sbin/kextstat
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:642
                                                                                                                                                                              • /usr/sbin/kextstat
                                                                                                                                                                                /usr/sbin/kextstat
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:642
                                                                                                                                                                                • /bin/bash
                                                                                                                                                                                  bash /private/var/install/shutdown_installer_tasks
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:643
                                                                                                                                                                                  • /bin/bash
                                                                                                                                                                                    bash /private/var/install/deferred_install
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:644

Network

MITRE ATT&CK Enterprise v15

Downloads

• /Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
  Filesize: 124KB
  MD5: e528863522ec78e22d41392c18c81054
  SHA1: 09689eb0fc8e0e2f2f6c1bae2c0fac7d24983f62
  SHA256: d5beb39e6137d1fbe62dcfaa559174116c5400e3b2786f174ce21b33bcd2322c
  SHA512: 20a3298fe4b09e1c606c24807e40f15a4d8694b31796a0dd276b63586c4f56563e95fec1e121b85a288a2d8c270e8fafad4f2d66908af25202f05bf051b7ac26

• /dev/ttys000
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt
  Filesize: 132KB
  MD5: d9550b618a515f696f3d19f9d6c15fa3
  SHA1: da91955d2df2f913bfb8eb23fcba63ff8ab005a1
  SHA256: 14e99bf12db261d03c51a09bcb40df4c1666f282e464172e5ea24acc5c51f544
  SHA512: 3b28b2d6ff3b38ddedc9a3d5e3af178fa846e97a13a10a2199c24ad76617f3a87c3e72c57a6801f4a650c4221797dc40a7868f5f03b54d3729cc68a4cc9c477b