cc4f8800cb21f7ee11bd1a3bb59d9bd2d1d41182dc93334ac0584ffcfc4cfc4a

General

Target

photo_2024-07-28_01-40-32.jpg
Size

31KB
MD5

7d70c53c92d1640833dc9cef210a1e70
SHA1

33320d855db402dd787b52392d22752e8ca96860
SHA256

cc4f8800cb21f7ee11bd1a3bb59d9bd2d1d41182dc93334ac0584ffcfc4cfc4a
SHA512

e3d18bda6ed97da62d84cdc85f6da0b8a0be88f0eccf690e6f2f7e94e2bfa9880a31dcf3ec364c46265a34b455b3f376f77328505d2f1694bf49e15b0c64903b
SSDEEP

768:xEerFkzTBqlT+tYdg8YbZ6HfIRrkSMx3FuOxY8hllyrTbaBK:zKzT4lTkqg8YFZRbNClsrP9

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found

/usr/libexec/xpcproxy
xpcproxy com.apple.var-db-dslocal-backup
1⤵
PID:482

/usr/bin/xar
/usr/bin/xar -c -f dslocal-backup.xar dslocal
1⤵
PID:482

/usr/libexec/xpcproxy
xpcproxy com.apple.gkreport
1⤵
PID:483

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/photo_2024-07-28_01-40-32.jpg\""
1⤵
PID:484

/usr/libexec/gkreport
/usr/libexec/gkreport
1⤵
PID:483

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/photo_2024-07-28_01-40-32.jpg\""
1⤵
PID:484

/usr/libexec/xpcproxy
xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer
1⤵
PID:485

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/photo_2024-07-28_01-40-32.jpg
1⤵
PID:484
- /bin/zsh
  /bin/zsh -c /Users/run/photo_2024-07-28_01-40-32.jpg
  2⤵
  PID:490
- /Users/run/photo_2024-07-28_01-40-32.jpg
  /Users/run/photo_2024-07-28_01-40-32.jpg
  2⤵
  PID:490

/usr/libexec/xpcproxy
xpcproxy com.apple.systemstats.daily
1⤵
PID:486

/usr/libexec/xpcproxy
xpcproxy com.oracle.java.Java-Updater
1⤵
PID:487

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:489

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:478

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:475

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:485

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:481

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:487

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:489

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:519

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:520

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:524

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:525

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.D27E56C6-D54F-4D50-A74B-ED0BC506151E 524
1⤵
PID:526

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:531

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.B469BE66-F534-44A6-BF41-B0B826B280F5 524
1⤵
PID:532

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:532

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:537

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 524
1⤵
PID:543

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:543

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:544

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.BD3D93A0-0031-4470-8E9A-A5F6FEBB3C88 524
1⤵
PID:548

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:549

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.27D1795C-2F1A-45BF-A1CC-F4E96C5E3478 524
1⤵
PID:550

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.89B0587D-3265-4F6F-9E5D-548441EF3A6F 524
1⤵
PID:559

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:559

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/2529545429CE075A4E64DE7DAA3D4C27

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/86AF3AFE98D216681705A1D845180751

Filesize
5KB

MD5
adf790c60f471210b271caa856fd9a11

SHA1
dd99d0e0bce2e44df6b9be335cb145ba9f2f3de2

SHA256
34ee6487b22cb7c16cc32ac324ee93cc3022db0960be40b1052b1c51ed5c49a5

SHA512
8aa894508368174f3abb257fd351058131d50ecb188cc5e8a8e4951bde504dca8da23c48577a13d9c752e54ca20ca89c49dedd9814f07ade67313d473bcae4d9

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
216KB

MD5
a98996fec3643f5217981af347585192

SHA1
42496850cb8a146a6535dfc5f3310538983af3ea

SHA256
3dd241f8c591a5f148c9fd515d949415e2d4af3715d48741d29514265c6aaba4

SHA512
0c2429c7e6f47ac38234ea0b1d715e87163ae107277d607d953a40aaf122e74586e589945423e1575cc8a8fb6c905f072381cc17f28c651c31a59045d4f8506d

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
21.8MB

MD5
0aa2572a86143d9c8d7144abbae2946c

SHA1
14bb51a09693eb3b1b8cf9381ba36da79fbf1517

SHA256
dc5fcecab33d79aacec1c666be616cad885f8acf03fc8731966a5a8234686150

SHA512
d5cf15832c77174df9cdf7a98f10fdf465a3ff2a8ef59c9a5f3298285978c2f7dfb98dfc17fd61d09c1ccca218fa78a8a23971e3bac06ac175ecee7632037de1

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
131KB

MD5
2320318d90cab21626510c0af7c21348

SHA1
b8bd3a19130ea1397c64ffeada89b3ba0173ad09

SHA256
15fae85db7a27c78f0270d69fb445c70d0cce8cee7681034bccc6b128bcdaf54

SHA512
453ac17e4b3cf3f58e15db3bca7eece2cbe676909c2ad48386bf55b0ffc0a94a2266a1fc8d52279772906f7891e3fe47d876cd389f0c5d4a7c628fb5e2a89333

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Analysis

Sharing