a78fb5cab07c4fedd9dbdfa46f055ac4a2708769e45823b27fa839ee09e97347

Analysis

max time kernel
962s
max time network
1802s
platform
macos-10.15_amd64
resource
macos-20240711.1-en
resource tags

arch:amd64arch:i386image:macos-20240711.1-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
14-08-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mlk.png
Size

37KB
MD5

df41f6c673785be2c786138072079dab
SHA1

cf586d4a8529f8d446893ae752b94020e47d6d0e
SHA256

a78fb5cab07c4fedd9dbdfa46f055ac4a2708769e45823b27fa839ee09e97347
SHA512

cbe61426911df696ace324a54ce7a1f0d6dc0c612e2272d90388d26cc0ca45267abb146bc1281393649a4a06ea3d3b49f037e26eed68393b093ef654fef2905d
SSDEEP

768:Jg3EHduMHLvRtOVHxJBlP7d+sbmOGIrVgKS6Pm+Bn3cog17Bk8q:Jg3q/rpgVRHVR/64hPBs1drq

Score

4^/10

evasion execution

Malware Config

Signatures

JavaScript 1 TTPs 1 IoCs

Adversaries may abuse various implementations of JavaScript for execution.

execution

JavaScript

T1059.007

ioc	Process
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar	Process not Found

Resource Forking 1 TTPs 4 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy	Process not Found

/usr/libexec/xpcproxy
xpcproxy com.apple.gkreport
1⤵
PID:483

/usr/libexec/xpcproxy
xpcproxy com.apple.systemstats.daily
1⤵
PID:484

/usr/libexec/gkreport
/usr/libexec/gkreport
1⤵
PID:483

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/mlk.png\""
1⤵
PID:485

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/mlk.png\""
1⤵
PID:485

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/mlk.png
1⤵
PID:485
- /bin/zsh
  /bin/zsh -c /Users/run/mlk.png
  2⤵
  PID:488
- /Users/run/mlk.png
  /Users/run/mlk.png
  2⤵
  PID:488

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:471

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:473

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:475

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:474

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:476

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:513

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:539

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:540

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.E00956A5-15AE-42C6-B64E-7B4AF70914C5 539
1⤵
PID:541

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:547

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.8DF4FD54-362A-4FA0-BF01-A138B83534B2 539
1⤵
PID:548

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 539
1⤵
PID:549

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:550

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.431996FE-2439-4656-9803-BFADA3CAC808 539
1⤵
PID:551

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.3FF51819-BF1D-4DC2-9720-6A242895E1DE 539
1⤵
PID:554

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:555

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:557

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.JarLauncher.2128
1⤵
PID:558

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
"/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher"
1⤵
PID:558
- /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
  "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar
  2⤵
  PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.D5601D36-4BEE-492F-A0BF-D9050DDC0611 539
1⤵
PID:562

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.E58C45FB-C54A-48CA-B5DD-3CD9230B6022 539
1⤵
PID:563

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:566

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.6970E348-6D48-48E1-8BB4-4A70147E9165 539
1⤵
PID:567

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.8CB95972-374B-48BB-93D1-953385C87A1C 539
1⤵
PID:568

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:568

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.B2E31B35-556C-4BC4-A79C-D5102715BD39 539
1⤵
PID:570

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.D8FFA754-A095-4105-9460-0AC2BCC0D7D4 539
1⤵
PID:571

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy com.apple.adid
1⤵
PID:574

/System/Library/PrivateFrameworks/CoreADI.framework/adid
/System/Library/PrivateFrameworks/CoreADI.framework/adid
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:576

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:576

/usr/libexec/xpcproxy
xpcproxy com.apple.diagnosticd
1⤵
PID:577

/usr/libexec/diagnosticd
/usr/libexec/diagnosticd
1⤵
PID:577

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:580

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:581

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:581

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/28912F88CA17531EB6DF03972C478E38

Filesize
5KB

MD5
90581e06aca95c16fefe48246d005c63

SHA1
5d1cdf6ddd721d9321fb15e4be7d8bb8e61dd859

SHA256
f4ce82c010a412c4ad8579c7f2cc8bcf09d20e79015d151b5f04ed424b6f8bec

SHA512
e9497e19b434265f48542f538e645b0a5f1cac6a25defe819bf5651b5a691d6c4297b5c909a71816202ade51abe1a72c2759ece25263c62996683bccf46aa9e8

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/416172C376FF6A4B81261FD1EEF3A576

Filesize
20KB

MD5
f60e04a56e40062111d84a60f6bc9c97

SHA1
5fabb8682ce8768acac9b0d131b166e3b7c0fd26

SHA256
f71dff1ed2157d994e2656e9f0b8bed4b404616f0ab94ce8925d213d0173f937

SHA512
af4e75b59380401a2a2ffbead620158442812cf8bcf9d3fe24f238519fed335a9fe38451662c133f81e1c464ebc5245d7ef8c67c0b64d785667874950252ed2c

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/49C8F7F363D49C85153F83DCB5BBCF38

Filesize
5KB

MD5
9106acb8d16c96817d3e672dda25c6ed

SHA1
ad757b5643d306c56e40b17eaf491945011a7bac

SHA256
01a8f96829e3b5d6aa97f67a4f51f7ac5d304598cb4bd3673d0f90305b7f6828

SHA512
e80e79044894ab8e98e3d44601195f277eca31c78f9693e4a69f02b4ec7f8488695e148134a10cc3205b4186be7b9dd847440a056b34b1d22716a7d88f288021

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/72034A7E4A946305FC9A5420B3F0290E

Filesize
5KB

MD5
bfc4df279d1df3c6c8612d0886ccded6

SHA1
112057d7a830d2389e4361907d2ae4a4275f9096

SHA256
782696bef7aea6ebe50fca2104f807cd645c290474e6dda7ab894ab13ac857f8

SHA512
57c3c28e378c53924238fd29ef2d028e097a9ced29167e556aa4a22dd6e3c1f32ab4546b7148f705a6aa5fd8a8d69b135d0369a226ab943f6a8f17f0b24e67ac

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/B44B83B859F0D8B3584D24467761543A

Filesize
5KB

MD5
76b8c28bb51d49c49b0e21501182b237

SHA1
379662d22cbae8b2e0cf618d1eab3daf9e745761

SHA256
9e5020833dc48bba479a345dd92452bfc588b7ee7d530f639e3b6340875e568d

SHA512
45ef4249ef9d2976fbb782a203bc079e1a23aacc82c9d463701634b61c6541eabe930df6cef5f4c2b34762f368a892a2085d136c2c6f95388caa347b75aa6a3a

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/E647A6F7DA68A9E4C6EA144F422BEEEA

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/F171F900728090E3EB323AF503365C9B

Filesize
5KB

MD5
dbd2f9fc1096e1941d8d7b8764f45add

SHA1
dea28ddb4e8c79a8214fee87d7d2042ddee41e66

SHA256
3d91ac80e262eb1f66fcd21499d83bbb385b2f68085949c7be5f96b5248d51f2

SHA512
c7ff658a79ac179180790e02bf585db99b0106341f9a575ff6f38721408beacab80c27183f60ace8e2ad2a9c6c3b9ad7a5e1439b143c63b4ce7d201727695802

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
214KB

MD5
988a4837245caa31837485f3656b356d

SHA1
b53d7d04ac9160cba8a2682e233f5151610835f0

SHA256
2dd020118c8b255ccce99db2bb019ed5e4f72006ffa4685341d6f6f69e8b2a83

SHA512
c4ed6a7672f09c67199a0067b4d286454c9db8df520b612bf666636a592934ff9e9a84a70bfbc344268624d51256efa1ce4d2c138045a10d04284c897688940a

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
21.8MB

MD5
614464740ad97f46dc2e90bd0bea9afc

SHA1
88df2e44f522aebb8725d2cdc9ba99752cb4e3d5

SHA256
fad4c787f706088a299c3abf18db9083ef8c61e470081592ae30c3baf0706537

SHA512
4b12209f0869efab2632a0478709ba1b686cc47af7618f82611dfc7e771b4ccc04fd620e3b352a3150ee42b55bc7c657c37c6feb491a153a970f3dc693dac81b

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
129KB

MD5
a2ac327bb5387c537da7374ac1da91e4

SHA1
e155c395a90fb971516eb2428ce690f844c0197e

SHA256
e934c0defdb811c14ffbbc575e8ea03211ede48dd2480fddfb6a67e3189c73b3

SHA512
3bda3480bd89b78040527dd81b6854421560007423e8d4fb505d718e305df59ceabe12079b753f42578e736fc1098877dc3f9fe67e39beb31e42e45e2da33377

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit