05ae2f0dd61ef10019b94c200e8df192b767bb4cc24a7e7b329ab43cc9c74caf

Resubmissions

24/06/2024, 16:32 UTC

240624-t2d74avfpj 7

24/06/2024, 16:31 UTC

240624-t1p8zasakb 4

Analysis

max time kernel
337s
max time network
1406s
platform
macos-10.15_amd64
resource
macos-20240611-en
resource tags

arch:amd64arch:i386image:macos-20240611-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
24/06/2024, 16:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKlauncher-3.2.exe
Size

1.6MB
MD5

b63468dd118dfbca5ef7967ba344e0e3
SHA1

2ba4f0df5f3bd284bf2a89aba320e4440d8b8355
SHA256

05ae2f0dd61ef10019b94c200e8df192b767bb4cc24a7e7b329ab43cc9c74caf
SHA512

007ecb7445dc0c01a802b5a2c91313aae59f9dc96e27455dd85e7a92a4e649d683fbc2ada5f48925d9ab3b4fdaea20aa89eeb442fde079902aecb5ca3454a548
SSDEEP

49152:HIBc3n9dRvwVlzhFAQ/ggUTPQjYEiim7V:oBaO/FAqMQjYEXm

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/SKlauncher-3.2.exe\""
1⤵
PID:493

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/SKlauncher-3.2.exe\""
1⤵
PID:493

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/SKlauncher-3.2.exe
1⤵
PID:493
- /bin/zsh
  /bin/zsh -c /Users/run/SKlauncher-3.2.exe
  2⤵
  PID:497
- /Users/run/SKlauncher-3.2.exe
  /Users/run/SKlauncher-3.2.exe
  2⤵
  PID:497

/usr/libexec/xpcproxy
xpcproxy com.apple.pluginkit.pkd
1⤵
PID:498

/usr/libexec/pkd
/usr/libexec/pkd
1⤵
PID:498

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:501

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:502

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:523

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:522

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:523

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:524

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:524

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:525

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0B4C966A/OneDrive.app
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:551

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:553

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:554

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:556

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.diagnosticd
1⤵
PID:557

/usr/libexec/diagnosticd
/usr/libexec/diagnosticd
1⤵
PID:557

Network

DNS

h3.apis.apple.map.fastly.net

Remote address:

8.8.8.8:53

Request

h3.apis.apple.map.fastly.net

IN A

Response

h3.apis.apple.map.fastly.net

IN A

151.101.67.6

h3.apis.apple.map.fastly.net

IN A

151.101.3.6

h3.apis.apple.map.fastly.net

IN A

151.101.131.6

h3.apis.apple.map.fastly.net

IN A

151.101.195.6
DNS

mobile.events.data.trafficmanager.net

Remote address:

8.8.8.8:53

Request

mobile.events.data.trafficmanager.net

IN A

Response

mobile.events.data.trafficmanager.net

IN CNAME

onedscolprdeus05.eastus.cloudapp.azure.com

onedscolprdeus05.eastus.cloudapp.azure.com

IN A

20.42.65.85
DNS

api.apple-cloudkit.fe2.apple-dns.net

Remote address:

8.8.8.8:53

Request

api.apple-cloudkit.fe2.apple-dns.net

IN A

Response

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.70

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.68

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.69

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.66

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.67

api.apple-cloudkit.fe2.apple-dns.net

IN A

17.250.81.64
DNS

cds.apple.com

Remote address:

8.8.8.8:53

Request

cds.apple.com

IN A

Response

cds.apple.com

IN CNAME

cds-cdn.v.aaplimg.com

cds-cdn.v.aaplimg.com

IN CNAME

cds.apple.com.akadns.net

cds.apple.com.akadns.net

IN CNAME

cds.apple.com.edgekey.net

cds.apple.com.edgekey.net

IN CNAME

e14768.dscb.akamaiedge.net

e14768.dscb.akamaiedge.net

IN A

23.219.244.63
DNS

help.apple.com

Remote address:

8.8.8.8:53

Request

help.apple.com

IN A

Response

help.apple.com

IN CNAME

help.origin-apple.com.akadns.net

help.origin-apple.com.akadns.net

IN CNAME

help-ar.apple.com.edgekey.net

help-ar.apple.com.edgekey.net

IN CNAME

e11408.d.akamaiedge.net

e11408.d.akamaiedge.net

IN A

2.21.189.171
DNS

40-courier.push.apple.com

Remote address:

8.8.8.8:53

Request

40-courier.push.apple.com

IN A

Response

40-courier.push.apple.com

IN CNAME

40.courier-push-apple.com.akadns.net

40.courier-push-apple.com.akadns.net

IN CNAME

gb-courier-4.push-apple.com.akadns.net

gb-courier-4.push-apple.com.akadns.net

IN A

17.57.146.11

gb-courier-4.push-apple.com.akadns.net

IN A

17.57.146.12

gb-courier-4.push-apple.com.akadns.net

IN A

17.57.146.13

gb-courier-4.push-apple.com.akadns.net

IN A

17.57.146.8

gb-courier-4.push-apple.com.akadns.net

IN A

17.57.146.10

gb-courier-4.push-apple.com.akadns.net

IN A

17.57.146.9

gb-courier-4.push-apple.com.akadns.net

IN A

17.57.146.7
DNS

lb._dns-sd._udp.0.0.127.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

lb._dns-sd._udp.0.0.127.10.in-addr.arpa

IN PTR

Response
DNS

lb._dns-sd._udp.0.0.127.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

lb._dns-sd._udp.0.0.127.10.in-addr.arpa

IN PTR

Response

151.101.3.6:443

tls, https

167 B
40 B
2
1
151.101.195.6:443

tls, https

91 B
40 B
1
1
20.189.173.6:443

mobile.pipe.aria.microsoft.com

tls

31.7kB
10.4kB
63
49
23.219.244.63:443

cds.apple.com

tls

18.6kB
161.6kB
210
205
2.21.189.171:443

help.apple.com

tls

29.8kB
110.8kB
168
127
2.21.189.171:443

help.apple.com

tls

1.6kB
2.4kB
11
8
17.57.146.12:5223

tls

226 B
40 B
2
1
17.57.146.11:5223

40-courier.push.apple.com

64 B
1
17.57.146.8:5223

40-courier.push.apple.com

104 B
60 B
2
1

8.8.8.8:53

h3.apis.apple.map.fastly.net

dns

74 B
138 B
1
1

DNS Request

h3.apis.apple.map.fastly.net

DNS Response

151.101.67.6

151.101.3.6

151.101.131.6

151.101.195.6
8.8.8.8:53

mobile.events.data.trafficmanager.net

dns

83 B
155 B
1
1

DNS Request

mobile.events.data.trafficmanager.net

DNS Response

20.42.65.85
8.8.8.8:53

api.apple-cloudkit.fe2.apple-dns.net

dns

82 B
178 B
1
1

DNS Request

api.apple-cloudkit.fe2.apple-dns.net

DNS Response

17.250.81.70

17.250.81.68

17.250.81.69

17.250.81.66

17.250.81.67

17.250.81.64
8.8.8.8:53

cds.apple.com

dns

59 B
218 B
1
1

DNS Request

cds.apple.com

DNS Response

23.219.244.63
8.8.8.8:53

help.apple.com

dns

60 B
196 B
1
1

DNS Request

help.apple.com

DNS Response

2.21.189.171
224.0.0.251:5353

587 B
2
8.8.8.8:53

40-courier.push.apple.com

dns

71 B
271 B
1
1

DNS Request

40-courier.push.apple.com

DNS Response

17.57.146.11

17.57.146.12

17.57.146.13

17.57.146.8

17.57.146.10

17.57.146.9

17.57.146.7
8.8.8.8:53

lb._dns-sd._udp.0.0.127.10.in-addr.arpa

dns

170 B
170 B
2
2

DNS Request

lb._dns-sd._udp.0.0.127.10.in-addr.arpa

DNS Request

lb._dns-sd._udp.0.0.127.10.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.