Analysis

  • max time kernel
    29s
  • max time network
    30s
  • platform
    macos-10.15_amd64
  • resource
    macos-20240711.1-en
  • resource tags

    arch:amd64, arch:i386, image:macos-20240711.1-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    06-08-2024 15:56

General

  • Target

    file01.ps1

  • Size

    1B

  • MD5

    0cc175b9c0f1b6a831c399e269772661

  • SHA1

    86f7e437faa5a7fce15d1ddcb9eaeaea377667b8

  • SHA256

    ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

  • SHA512

    1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75

Score
4/10

Malware Config

Signatures

  • JavaScript 1 TTPs 1 IoCs

    Adversaries may abuse various implementations of JavaScript for execution.

  • Resource Forking 1 TTPs 2 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/file01.ps1\""
    1⤵
    PID:476
  • /bin/bash
    sh -c "sudo /bin/zsh -c \"/Users/run/file01.ps1\""
    1⤵
    PID:476
  • /usr/bin/sudo
    sudo /bin/zsh -c /Users/run/file01.ps1
    1⤵
    PID:476
    • /bin/zsh
      /bin/zsh -c /Users/run/file01.ps1
      2⤵
      PID:478
    • /Users/run/file01.ps1
      /Users/run/file01.ps1
      2⤵
      PID:478
    • /bin/sh
      sh /Users/run/file01.ps1
      2⤵
      PID:478
    • /bin/bash
      sh /Users/run/file01.ps1
      2⤵
      PID:478
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.quicklook.ui.helper
    1⤵
    PID:513
  • /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
    /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
    1⤵
    PID:513
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.JarLauncher.2128
    1⤵
    PID:514
  • /System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
    "/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher"
    1⤵
    PID:514
    • /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
      "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar
      2⤵
      PID:516
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.metadata.mdwrite
    1⤵
    PID:515
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.quicklook.ui.helper
    1⤵
    PID:518
  • /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
    /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
    1⤵
    PID:518
  • /usr/libexec/xpcproxy
    xpcproxy "com.apple.xpc.launchd.oneshot.0x10000001.Microsoft Word"
    1⤵
    PID:519
  • /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
    "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word" -psn_0_172074
    1⤵
    PID:519
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.XprotectFramework.AnalysisService 485
    1⤵
    PID:522
  • /System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
    /System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
    1⤵
    PID:522

Network

MITRE ATT&CK Enterprise v15
