2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Analysis

max time kernel
149s
max time network
152s
platform
macos-10.15_amd64
resource
macos-20240711.1-en
resource tags

arch:amd64arch:i386image:macos-20240711.1-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
10-08-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 9 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
"/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated"
"/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd"
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/HorionInjector.exe\""
1⤵
PID:483

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/HorionInjector.exe\""
1⤵
PID:483

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/HorionInjector.exe
1⤵
PID:483

/bin/zsh
/bin/zsh -c /Users/run/HorionInjector.exe
2⤵
PID:485

/Users/run/HorionInjector.exe
/Users/run/HorionInjector.exe
2⤵
PID:485

/usr/libexec/xpcproxy
xpcproxy com.apple.ncplugin.weather 318
1⤵
PID:517

/usr/libexec/xpcproxy
xpcproxy com.apple.ncplugin.stocks 318
1⤵
PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.iCal.CalendarNC 318
1⤵
PID:519

/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather
/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather
1⤵
PID:517

/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks
/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks
1⤵
PID:518

/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC
/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:522

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 522
1⤵
PID:523

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:523

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:525

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:526

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:527

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:528

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:531

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:532

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:532

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:536

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.preferences.softwareupdate.remoteservice 522
1⤵
PID:538

/System/Library/PreferencePanes/SoftwareUpdate.prefPane/Contents/XPCServices/com.apple.preferences.softwareupdate.remoteservice.xpc/Contents/MacOS/com.apple.preferences.softwareupdate.remoteservice
/System/Library/PreferencePanes/SoftwareUpdate.prefPane/Contents/XPCServices/com.apple.preferences.softwareupdate.remoteservice.xpc/Contents/MacOS/com.apple.preferences.softwareupdate.remoteservice
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.softwareupdated
1⤵
PID:539

/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated
"/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated"
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy com.apple.suhelperd
1⤵
PID:540

/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd
"/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd"
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:544

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.SoftwareUpdateNotificationManager
1⤵
PID:545

/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager
/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:546

/System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues
/System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues -z
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.system_installd
1⤵
PID:549

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:552

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:552

/System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues
/System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues -z
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.preferences.users.remoteservice 522
1⤵
PID:558

/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice
/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:559

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.warmd_agent
1⤵
PID:574

/usr/libexec/warmd_agent
/usr/libexec/warmd_agent
1⤵
PID:574

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Printers/InstalledPrinters.plist
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/Library/Printers/InstalledPrinters.plist
Filesize
495B

MD5
3439dcb6d4ce19d3ea022b8bb17cba7a

SHA1
e412c16548b6fcc5fd488315cd70b324ca4d782e

SHA256
aec405d7619e28da751fafd97782015affebdb36e863c58eea2b658551a59e7b

SHA512
8ca944a1a157f6933a5efeea35aa7626d0dd5f6fd4b5d9fe08c3760b39b6f54289e502923ca7616110c468173f0389f2ce1e35899d171bd08873678759aba93b

Download Submit
/Users/run/Library/Saved Application State/com.apple.systempreferences.savedState/data.data
Filesize
3KB

MD5
cbc885a1c06aaccd711e48c06c63f56b

SHA1
a5dec5fd894509f12cfdcfbbe27164b160d3d120

SHA256
07528e55c226a8b8880a67a8214d1b3b785096cd14a0f939e7eff29b28376fad

SHA512
d6eb9b217d724df096eaa17600ad38feca00cb5f756b73f9137ffa88baf487ca86f17af29abe8e1fe7ecb2e1b49f45ac23b8c17f67611f681fd1e71c2440d279

Download Submit
/Users/run/Library/Saved Application State/com.apple.systempreferences.savedState/data.data
Filesize
5KB

MD5
bb8a5f4d03ca703c3ee7d07a5fab0c2d

SHA1
abc40be9c4e08b2b62fd9ca642c96f0f9856a482

SHA256
1851d2dcdc957c525db6579bd60e8d04387c0fe0b9a9ba9e9678446f309ab6e8

SHA512
c154803227fede4a03d58ea63b74b0a2388c7834734af495e1ca566dd291a3d00411ffb7f0809656f3ab25b67c329a593b0f3870a203a1141cc3382da8e21e06

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/C/softwareupdated//mds/mdsDirectory.db
Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/C/softwareupdated//mds/mdsObject.db
Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/C/softwareupdated/com.apple.SoftwareUpdate.SUCatalogDataManager/j/062-42315/062-42315.English.dist
Filesize
2KB

MD5
1c56afb87a438ea20ff9ea018e76b36d

SHA1
88cdd0bce1cb176ae7ba5b08117243a827c510e8

SHA256
9f3051adb4d3bad0e929421e10448f1c905344bc44397e464657a3977d37518e

SHA512
8ca9ab3f78056def45f4f303c4331062de25f48715d3620c07e3af2f419e4b69a94b0c22f33af132cb67b767f474c186b0db9fd60be52600d6b1dcc62a0e7e91

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/C/softwareupdated/com.apple.SoftwareUpdate.SUCatalogDataManager/s/062-53776/062-53776.English.dist
Filesize
2KB

MD5
368063efbf5f85924ab05c96eda41941

SHA1
22849484774b6570943215704d9f5404c380e4c3

SHA256
de8be5257244cdba9b124ddc2e2eeaf641e1950eb44a771fa90c33c8845b5775

SHA512
277ba472975fec6e9fce45429e9bf1aa275a95131a175488d3ad3f2d09b970feada0f84ea0810da2eeea6feebac8878f66f9671521719be0daf0c7d2468ea286

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/C/softwareupdated/com.apple.SoftwareUpdate/swcdn.apple.com/content/downloads/56/23/062-28254-A_OXFTM8606F/ilbeqmgoj14pd2p9o74uoy1n9qpofda5pa/InstallAssistant.pkg.partialState
Filesize
436B

MD5
1e69a4fed597a6c2ef2dcbd195a7482f

SHA1
0e9a81dc2a50449fa57691438c2ca7b6a6773794

SHA256
0401d658387639fdfe34f57df14c2c3427bf1e2c4c7c95ca5a9dcc678babca85

SHA512
05ba186d418d4bdf8e5fa323e20b384fddb9dc600881c0d815d9402c28e0f6c2cee89cf77a79de3cd6a9152c285e79cb6677ed61b6fba94bbd3eba8674ccb961

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/062-45761_3D71B9AB-92DB-4606-BF3F-47470CA66FC5/MajorOSInfo.pkg
Filesize
1.2MB

MD5
0a68a5c5da0d8992adb3236e30481ac7

SHA1
10809711d1cf2d8dd94c7a5691fb5cc4d2a3d81e

SHA256
131e7b7475ff306ca2f30a021581b7f2ab649294aa9116b648ff889efd2eb379

SHA512
05826cd92acd9a7f73f8cdfe566474d98a10b0cbf1d3248b5dcc7065bd5862419f76ff13a97c33badf578e97d441f9e1013e6e28c0d158ce124e43c093225c60

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/062-45761_3D71B9AB-92DB-4606-BF3F-47470CA66FC5/Payload/System/Library/CoreServices/MajorOSInfo.bundle/Contents/Info.plist
Filesize
863B

MD5
8797904ca5283bfd732e50c0a9f9b9d9

SHA1
f89123187e7533f944515c43f61d349cb092289b

SHA256
d572679860abe8cc8ca163774406a5a67aa9b5c2af22d7029caa684b7815be1a

SHA512
65be603f8c334e8db4d7406fe11c3b393c7a8e65f043258c299db5e662ba28b2283e577b5055a4e26824a9478b256f7e6123380b6682d16b573badb08fbc0f8c

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/062-45761_3D71B9AB-92DB-4606-BF3F-47470CA66FC5/Payload/System/Library/CoreServices/MajorOSInfo.bundle/Contents/Resources/OSBadge.icns
Filesize
1.3MB

MD5
84a52b22f460032e7da3b48d33d59ff8

SHA1
adaee5ad5a40de3c853f22beb0ee721ba51248a5

SHA256
8718b54792b537c53be8bc34a046b08ae6df5e55afb5d048fa2a277b596310f5

SHA512
a024abc73d9a0f132d423c5643842fefcf10b3b6f4b45f2d77fb540fadd41c38dabe31a53bd63fd2edb05866622e10b1d7efcd0e353258f42be07e659d1d330b

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/062-45761_3D71B9AB-92DB-4606-BF3F-47470CA66FC5/Payload/System/Library/CoreServices/MajorOSInfo.bundle/Contents/Resources/en.lproj/Localizable.strings
Filesize
155B

MD5
63ce136b60c67afcd837e1a387b576ff

SHA1
17493a07f2ac52ffbe0769a013ee6c1afb3a1f96

SHA256
b86c08f715f38c1c6268a7cf60e6548d6eeb252db1698abb81b55b54569e13e4

SHA512
68d077aa6fe71242a248246d0ead0bf58c505e4b01895a1c53779ec129bb9216ffc11f2c9bb50000f7013787f16771d7cac313d05d63a8d4f759b301b6d8244c

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/ProductMetadata.plist
Filesize
1.1MB

MD5
6a75f603537d30eaa8608f5fd6dfeb99

SHA1
006673c9d416a1fd1af778009ceaa113280a62a1

SHA256
5ecb7f1c36a7af4e27224aeb337b47ffcebb32a8d058d669c25ca1edf68df1f4

SHA512
9ad85dc147ec9fd035253866ca71907986adf9e85d32d6fe08e57dcd5225df3ce9acfb0f487bcf232fcacb79b48fd95dce47e7bd39def4939dbbbe49e753ed04

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/ProductMetadata.plist
Filesize
425B

MD5
9ac377316f06c6a6fd99ee3e07593b87

SHA1
1dbea8980aff3e7d370a7d5599897d8ae0809da2

SHA256
0694f19b95b76c8cf749a539321a09c173543f9d5a0b12140ebe8e84c53248b7

SHA512
b9284cb2dfc836ccb6f5c5b4badbf2ca454c3da16a30030ea0b671213e7f31387046b834f9c14b6122bce94b78611e620cdea24107625ab7a3aa2e8bcd398432

Download Submit