ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

General

Target

a.js
Size

1B
MD5

0cc175b9c0f1b6a831c399e269772661
SHA1

86f7e437faa5a7fce15d1ddcb9eaeaea377667b8
SHA256

ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
SHA512

1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 8 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/a.js\""
1⤵
PID:486

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/a.js\""
1⤵
PID:486

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/a.js
1⤵
PID:486
- /bin/zsh
  /bin/zsh -c /Users/run/a.js
  2⤵
  PID:487
- /Users/run/a.js
  /Users/run/a.js
  2⤵
  PID:487
- /bin/sh
  sh /Users/run/a.js
  2⤵
  PID:487
- /bin/bash
  sh /Users/run/a.js
  2⤵
  PID:487

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:515

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:531

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 531
1⤵
PID:532

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:532

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:534

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:535

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:536

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:537

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:539

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:540

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.general.remoteservice 531
1⤵
PID:541

/System/Library/PreferencePanes/Appearance.prefPane/Contents/XPCServices/com.apple.preference.general.remoteservice.xpc/Contents/MacOS/com.apple.preference.general.remoteservice
/System/Library/PreferencePanes/Appearance.prefPane/Contents/XPCServices/com.apple.preference.general.remoteservice.xpc/Contents/MacOS/com.apple.preference.general.remoteservice
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:543

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:543

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.speech.remoteservice 531
1⤵
PID:545

/System/Library/PreferencePanes/Speech.prefPane/Contents/XPCServices/com.apple.preference.speech.remoteservice.xpc/Contents/MacOS/com.apple.preference.speech.remoteservice
/System/Library/PreferencePanes/Speech.prefPane/Contents/XPCServices/com.apple.preference.speech.remoteservice.xpc/Contents/MacOS/com.apple.preference.speech.remoteservice
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.siriknowledged
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.Siri.agent
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.speech.speechdatainstallerd
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.SiriUI.SiriUISetupXPC 545
1⤵
PID:550

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:549

/System/Library/PrivateFrameworks/SiriUI.framework/Versions/A/XPCServices/SiriUISetupXPC.xpc/Contents/MacOS/SiriUISetupXPC
/System/Library/PrivateFrameworks/SiriUI.framework/Versions/A/XPCServices/SiriUISetupXPC.xpc/Contents/MacOS/SiriUISetupXPC
1⤵
PID:550

/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri
/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri launchd
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:553

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
1⤵
PID:553

/System/Applications/TV.app/Contents/MacOS/TV
/System/Applications/TV.app/Contents/MacOS/TV
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.SandboxHelper 390
1⤵
PID:555

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
1⤵
PID:555

/usr/libexec/siriknowledged
/usr/libexec/siriknowledged
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:556

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.793D4DF8-CDF5-4AE3-9461-1161BAAEECA9 554
1⤵
PID:558

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:560

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.systemprofiler
1⤵
PID:566

/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information
"/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information"
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.replayd
1⤵
PID:569

/usr/libexec/replayd
/usr/libexec/replayd
1⤵
PID:569

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:572

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:572

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy com.apple.system_installd
1⤵
PID:573

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
1⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 567
1⤵
PID:575

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:575

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:578

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:578

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:579

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:579

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:580

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:581

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:580

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.FaceTime.1860
1⤵
PID:582

/System/Applications/FaceTime.app/Contents/MacOS/FaceTime
/System/Applications/FaceTime.app/Contents/MacOS/FaceTime
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy com.apple.videoconference.camera
1⤵
PID:583

/usr/libexec/avconferenced
/usr/libexec/avconferenced
1⤵
PID:583

/usr/libexec/xpcproxy
xpcproxy com.apple.FaceTime.FaceTimeNotificationCenterService 582
1⤵
PID:585

/System/Applications/FaceTime.app/Contents/XPCServices/FaceTimeNotificationCenterService.xpc/Contents/MacOS/FaceTimeNotificationCenterService
/System/Applications/FaceTime.app/Contents/XPCServices/FaceTimeNotificationCenterService.xpc/Contents/MacOS/FaceTimeNotificationCenterService
1⤵
PID:585

/usr/libexec/xpcproxy
xpcproxy com.apple.imfoundation.IMRemoteURLConnectionAgent 582
1⤵
PID:587

/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
1⤵
PID:587

/usr/libexec/xpcproxy
xpcproxy com.apple.imfoundation.IMRemoteURLConnectionAgent 583
1⤵
PID:588

/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
1⤵
PID:588

/usr/libexec/xpcproxy
xpcproxy com.apple.SiriNCService 548
1⤵
PID:589

/System/Library/CoreServices/Siri.app/Contents/XPCServices/SiriNCService.xpc/Contents/MacOS/SiriNCService
/System/Library/CoreServices/Siri.app/Contents/XPCServices/SiriNCService.xpc/Contents/MacOS/SiriNCService
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:592

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 567
1⤵
PID:595

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:595

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Containers/com.apple.FaceTime/Data/Library/Caches/com.apple.FaceTime/HSTS.plist

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/Users/run/Library/Containers/com.apple.FaceTime/Data/Library/Caches/com.apple.FaceTime/HSTS.plist

Filesize
298B

MD5
1c68f92d5c8d7a2bf3bf8129a58cf9eb

SHA1
bbeb3cd6ecae335261f474b5381b77919c10ff20

SHA256
13a2bbc0395b94355210e0ae353af083ff5a0813b50a8a9f6ea194d6e7c22f54

SHA512
efe5b407beba7ae3f0d55f7caadc028b989b81ce48365db41a61437d2b05ed9bc2c877f7ac2876ef57afd0cf1cac452b7a4b8b3b6481833d5ef0c59bdc68e711

Download Submit
/Users/run/Library/Containers/com.apple.FaceTime/Data/Library/Caches/com.apple.FaceTime/HSTS.plist

Filesize
298B

MD5
310b642323f032692c90369c984b8e31

SHA1
a1a06afab88a0b9eedd10964a086e3108655a425

SHA256
3ae830bf0916930200e5c7bb713daee23dd1018264532114027c77b5d2863488

SHA512
e05f550e80747a36dc4aefe28593e32c81c36cd805eff884f603c19d6f90d0ca82ec5bbb6e13c37ed4ab866fffc27f152606c5213bfa35960d69849071565bdc

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
215KB

MD5
7c874b05758b6ab28a03016db03d4d69

SHA1
a1850cbdfb577f7c53dce5b64b80b14e2ff412d7

SHA256
cdc74a35e0ccac666ea766cd535d6a16cab054c693e3570e629cb5fc67327037

SHA512
2ad7e9d95a997d33505f4b8debe682c458f54695ed7036de856891c740502604fca012d00f9825ec0d99b0e244cdd84feb909aac882c78814f7e8ea0c4a09aec

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
21.7MB

MD5
520605208c0ab42275ce8e468bb3da39

SHA1
a221bdaeef7a9fabc0c3e0b307f97412ef72ff35

SHA256
e6360979947c9ad700850b0e3292f5e01555eef443a8c571cba3437125abfebe

SHA512
0034e7ea4b896005a1b8cfdc1c3107d71859ee3e21351cc12e36ad8b3702f096ae7c6c6dd8aa94e82d051646a4bf0359a7138178c3520293a96726cabe28a4bd

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
127KB

MD5
55cb198632b487b6e667de106a82a04d

SHA1
883a19ac570d46a4d3d97e254fae6c91f3b2f5d6

SHA256
c4e899a8397918df5f3bb0058038b0b4f240434b41706dee9217e9c54bd2a011

SHA512
372ad4900fb9dc3855ee2dd3904de6d115e69b5929fc8311cd81d96330729bb99bee12c939964153678c57413ae372c8fc56616694cc2d0d5d0088a585bb52ba

Download Submit

Analysis

Sharing