2832dc4466e9ba6b25ddfc061250c2d6a28e8dc49b71e4f25af79810a9d6c75b

Analysis

max time kernel
97s
max time network
162s
platform
macos-10.15_amd64
resource
macos-20240711.1-en
resource tags

arch:amd64arch:i386image:macos-20240711.1-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
12/08/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt
Size

526B
MD5

35aaeb5ecdda5864920916f04d2ec307
SHA1

266ee05dd4a3e1869e318825c97c3290ae4439e5
SHA256

21ff89939fd03764301b1ab1cef0baa277bd2245fc5b9b4b5aed08c1efedfff3
SHA512

00a609155a776cdfdb0a0cf4c6ea43e0dcb9a8ca2d3b842dacb426a83b835c053700388912b4f1575150167167aab442fcc5b436e1326d81c6bb8e10ac3a1520

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 4 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
sh -c "sudo /bin/zsh -c \"osascript /Users/run/resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt\""	Process not Found
sudo /bin/zsh -c "osascript /Users/run/resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt"	Process not Found
/bin/zsh -c "osascript /Users/run/resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt"	Process not Found
osascript /Users/run/resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"osascript /Users/run/resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt\""
1⤵
PID:516

/bin/bash
sh -c "sudo /bin/zsh -c \"osascript /Users/run/resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt\""
1⤵
PID:516

/usr/bin/sudo
sudo /bin/zsh -c "osascript /Users/run/resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt"
1⤵
PID:516
- /bin/zsh
  /bin/zsh -c "osascript /Users/run/resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt"
  2⤵
  PID:517
- /usr/bin/osascript
  osascript /Users/run/resources/app.asar.unpacked/node_modules/electron-sudo/dist/bin/applet.app/Contents/Resources/Scripts/main.scpt
  2⤵
  PID:517

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:518

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:518

/bin/sh
/bin/sh -c "mkdir -p /var/db/sudo/\$USER; touch /var/db/sudo/\$USER"
1⤵
PID:519

/bin/bash
/bin/sh -c "mkdir -p /var/db/sudo/\$USER; touch /var/db/sudo/\$USER"
1⤵
PID:519
- /bin/mkdir
  mkdir -p /var/db/sudo/root
  2⤵
  PID:520
- /usr/bin/touch
  touch /var/db/sudo/root
  2⤵
  PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:522

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:522

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads