eb68f25cb25c92f8e006eb0a00650326e9e25974fabb61daf50500829a37e2d9

General

Target

Matsuoka Shuzo Never Give Up.gif
Size

2.0MB
MD5

ab38a328c11dfa3f902ceb8a9ee272b9
SHA1

42ca477b325a0846cba3a203830e3b5fd26e44d6
SHA256

eb68f25cb25c92f8e006eb0a00650326e9e25974fabb61daf50500829a37e2d9
SHA512

d6b0a718128d617d2f9b78fc6f3c7d4c1c1e8ae984dd7f49c038657ec3757646c3001f36d541c498c587582b65ab82557a5fb75bef8afdea7ca24406bb67d338
SSDEEP

49152:OgKBwtF3cPHv/EvQfqCBUA0vLzA8r5SUMP0uRXYFfwpOZ:OgKY3cvvALCyrX1SDXcIQ

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 6 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Matsuoka Shuzo Never Give Up.gif\""
1⤵
PID:484

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Matsuoka Shuzo Never Give Up.gif\""
1⤵
PID:484

/usr/bin/sudo
sudo /bin/zsh -c "/Users/run/Matsuoka Shuzo Never Give Up.gif"
1⤵
PID:484
- /bin/zsh
  /bin/zsh -c "/Users/run/Matsuoka Shuzo Never Give Up.gif"
  2⤵
  PID:485
- /Users/run/Matsuoka
  /Users/run/Matsuoka Shuzo Never Give Up.gif
  2⤵
  PID:485

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:525

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:531

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:541

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 541
1⤵
PID:542

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:542

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:543

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:544

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:545

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:546

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:549

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:551

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:552

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:553

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:554

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.9EE74ED5-D301-4175-83BE-C9CBA9B07CFB 553
1⤵
PID:555

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:560

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.353EAB30-9311-40EE-A4D9-8D8624A99B76 553
1⤵
PID:561

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 553
1⤵
PID:562

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:563

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:565

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
1⤵
PID:565

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.SandboxHelper 561
1⤵
PID:566

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.42940CCC-2A8B-481E-B010-072663CF5247 553
1⤵
PID:567

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:568

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:568

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.C9F6B98B-F34B-4AA7-8717-C005810EF47B 553
1⤵
PID:569

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:569

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.AA215D32-52EE-45B2-AFC3-598F929F14E3 553
1⤵
PID:570

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.46BFCA14-B815-4C47-A728-03B92CE80EE2 553
1⤵
PID:574

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:575

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:575

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.A9D1BFC0-2D02-4C77-A851-180C92245E4D 553
1⤵
PID:578

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:578

/usr/libexec/xpcproxy
xpcproxy com.apple.AppStore.1900
1⤵
PID:579

/System/Applications/App Store.app/Contents/MacOS/App Store
"/System/Applications/App Store.app/Contents/MacOS/App Store"
1⤵
PID:579

/usr/libexec/xpcproxy
xpcproxy com.apple.storeuid
1⤵
PID:580

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
1⤵
PID:580

/usr/libexec/xpcproxy
xpcproxy com.apple.coremedia.videodecoder 579
1⤵
PID:582

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy com.apple.systemprofiler
1⤵
PID:585

/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information
"/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information"
1⤵
PID:585

/usr/bin/csrutil
/usr/bin/csrutil status
1⤵
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/6BB7492835C1199B6DC43D7B4C7AAF78

Filesize
5KB

MD5
f00ffb858024f95fbde9c8ef2a62c4bc

SHA1
ca0fc41d59a2d8bd769f2376d1fd828912bb3c76

SHA256
0a3ba6c9348a3d6a485cb00c88ad6b04be11e61d9c0150558003e9f8502939c3

SHA512
1a666cbd95a5c09f30c862dbabe6784ca87856d23ef0d2a289bc94eb991aea268b39d423fc317bd00b7e9816a45f8bd5df2ca75b24361a203f64a7bf0ff51fbf

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/E01D54D38490DD9F622772CD61212B1E

Filesize
5KB

MD5
80f7367cb52983d2b58c2570460a9e9b

SHA1
8b1020b84f2c57bc43c0b0e504529fbd176fc694

SHA256
d7dd223f488a3dc314edecff758abc774093909d8cdaabb5c6b3f5a84a6f4be7

SHA512
ec16f486883b31551597eaa82406989c159a5e186ec33fcc8fbc85093d1ac758bfab065a9a8f91ef3087456cc2a0b2b097dbb074f567280f5ccf8f3838eaceb3

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
216KB

MD5
ca9f8b489c5c65254809e2d608730f35

SHA1
97c3c3c3589d9215560b6a130b196bbb56e356f5

SHA256
17bfe7f7894e7fdb3390c728daa31957f2381145b677f21e99271d86362eec76

SHA512
49155e832faa48f3f604144f0356945610059a85f3b0ed5caeefeb044d61f10d86bb6e28a9e9bbbcadac55ab75ae5f5807c8de2b4cfb7a6c1a14b31eb2fc7789

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
21.8MB

MD5
ca5a2c21c3c39fe5e3ad475e0d4faaf4

SHA1
bdd9679f62a3edb226bcf69714a18a5d038eaf38

SHA256
a53bdc2c5115c1569dd06c965a48c146a44d907bf9b80d489ebb3155c07d734a

SHA512
ef95e471d1e39a6994ada80a48c877133b6bfd39de0be05573c6b22824787e130ac9ac082bb9ff7bd43c30c7a2814ffa6ab78f6169464f3482c782d572db6c3c

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
129KB

MD5
918930c8d313269d25a03d907133222a

SHA1
cbae5cbb7b810c1d5c740a32fb192883986e704f

SHA256
82c06bdf2ec5e73ae6b869c788c7e725306f352fb867318eebc87ed657bfe6fa

SHA512
dad0a97a722217c10839df07d5b952c24911923ff2e54e58aedcf135f664033c2c24f1a5ba787737f5099afec25c21e138590ce7744a54b2f6785d11303085e1

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Analysis

Sharing