186892503330970c8e8d561adf9b71bd15cd93589306ec00fa60009ebf611ee6

General

Target

VBCABLE_Setup_x64.exe
Size

901KB
MD5

aad9093bc9182081a386325d9c931f90
SHA1

1d06ad447b60b147c05369e6e761e1aa8ba7a54d
SHA256

186892503330970c8e8d561adf9b71bd15cd93589306ec00fa60009ebf611ee6
SHA512

cd56bf05b32df0314e9f70e5808813c78a0b687e55426d2f333c835412e1631befc84af72fb31d00eff41e180aea021b719f57033f92474063a9629ceca54225
SSDEEP

6144:9sQl2TpetmQ8jiiVS6tQkyKdibdK2UTmPLagFOdhufzlmZeT7UmQBCDyUtHKwwo5:WzxnhTZUI6HKhgS9APmGKRH8MYmmBHf

Score

4^/10

evasion execution

Malware Config

Signatures

JavaScript 1 TTPs 1 IoCs

Adversaries may abuse various implementations of JavaScript for execution.

execution

JavaScript

T1059.007

ioc	Process
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar	Process not Found

Resource Forking 1 TTPs 6 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/VBCABLE_Setup_x64.exe\""
1⤵
PID:486

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/VBCABLE_Setup_x64.exe\""
1⤵
PID:486

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/VBCABLE_Setup_x64.exe
1⤵
PID:486
- /bin/zsh
  /bin/zsh -c /Users/run/VBCABLE_Setup_x64.exe
  2⤵
  PID:487
- /Users/run/VBCABLE_Setup_x64.exe
  /Users/run/VBCABLE_Setup_x64.exe
  2⤵
  PID:487

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:518

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 518
1⤵
PID:519

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:519

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:521

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:522

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:523

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:524

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:527

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:527

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:528

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.preferences.sharing.remoteservice 518
1⤵
PID:532

/System/Library/PreferencePanes/SharingPref.prefPane/Contents/XPCServices/com.apple.preferences.sharing.remoteservice.xpc/Contents/MacOS/com.apple.preferences.sharing.remoteservice
/System/Library/PreferencePanes/SharingPref.prefPane/Contents/XPCServices/com.apple.preferences.sharing.remoteservice.xpc/Contents/MacOS/com.apple.preferences.sharing.remoteservice
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.systemadministration.writeconfig
1⤵
PID:533

/System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc/Contents/MacOS/writeconfig
/System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc/Contents/MacOS/writeconfig
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy com.apple.AssetCacheManagerService
1⤵
PID:534

/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService
/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.preferences.sharing.SharingBluetoothService 532
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy com.apple.preferences.sharing.SharingPrefsExtension 532
1⤵
PID:536

/System/Library/PrivateFrameworks/PreferencePanesSupport.framework/PlugIns/SharingBluetoothService.appex/Contents/MacOS/SharingBluetoothService
/System/Library/PrivateFrameworks/PreferencePanesSupport.framework/PlugIns/SharingBluetoothService.appex/Contents/MacOS/SharingBluetoothService
1⤵
PID:535

/System/Library/PrivateFrameworks/AMPSharing.framework/Versions/A/PlugIns/SharingPrefsExtension.appex/Contents/MacOS/SharingPrefsExtension
/System/Library/PrivateFrameworks/AMPSharing.framework/Versions/A/PlugIns/SharingPrefsExtension.appex/Contents/MacOS/SharingPrefsExtension
1⤵
PID:536

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:538

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.startupdisk.remoteservice 518
1⤵
PID:543

/System/Library/PreferencePanes/StartupDisk.prefPane/Contents/XPCServices/com.apple.preference.startupdisk.remoteservice.xpc/Contents/MacOS/com.apple.preference.startupdisk.remoteservice
/System/Library/PreferencePanes/StartupDisk.prefPane/Contents/XPCServices/com.apple.preference.startupdisk.remoteservice.xpc/Contents/MacOS/com.apple.preference.startupdisk.remoteservice
1⤵
PID:543

/usr/sbin/bless
/usr/sbin/bless -getBoot
1⤵
PID:548

/usr/sbin/bless
/usr/sbin/bless -getBoot
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.startupdiskhelper
1⤵
PID:550

/usr/libexec/startupdiskhelper
/usr/libexec/startupdiskhelper
1⤵
PID:550

/usr/sbin/bless
/usr/sbin/bless -getBoot
1⤵
PID:551

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:552

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:556

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.JarLauncher.2128
1⤵
PID:557

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
"/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher"
1⤵
PID:557
- /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
  "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar
  2⤵
  PID:558

/bin/sh
sh -c /usr/sbin/kextstat
1⤵
PID:561

/bin/bash
sh -c /usr/sbin/kextstat
1⤵
PID:561

/usr/sbin/kextstat
/usr/sbin/kextstat
1⤵
PID:561

/bin/sh
sh -c /usr/sbin/kextstat
1⤵
PID:562

/bin/bash
sh -c /usr/sbin/kextstat
1⤵
PID:562

/usr/sbin/kextstat
/usr/sbin/kextstat
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:563

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:563