bf34bf193efbcd368516e657dcc44edc9612c65da32e91c617dd70cb0009c563

General

Target

GeometryDash.exe
Size

10.0MB
MD5

374d3decf19e7f96735110d670fd143e
SHA1

c59ce2dd422b06cdeff43a20ef6ae1b51327ca38
SHA256

bf34bf193efbcd368516e657dcc44edc9612c65da32e91c617dd70cb0009c563
SHA512

783db9a0dea5359a5d3922f4dde420aaf597a362d794f53d1c1c02ce81f7a956d7e7c8423fe63d7edd20d2f8bf913ebe9b61f992c0fbd16306eb2902bfd4ca07
SSDEEP

98304:RICK7rcFo+UNKCkS6urhhdi1VlxFZVxfS+VxfS:RICK74y+UNKHS6urfdi1Vl5LfL

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 5 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/GeometryDash.exe\""
1⤵
PID:488

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/GeometryDash.exe\""
1⤵
PID:488

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/GeometryDash.exe
1⤵
PID:488
- /bin/zsh
  /bin/zsh -c /Users/run/GeometryDash.exe
  2⤵
  PID:491
- /Users/run/GeometryDash.exe
  /Users/run/GeometryDash.exe
  2⤵
  PID:491

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:524

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:525

/System/Applications/TV.app/Contents/MacOS/TV
/System/Applications/TV.app/Contents/MacOS/TV
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:534

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:537

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:538

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.4F79F76A-5676-4559-B032-BB752CDBF60D 532
1⤵
PID:539

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:541

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:546

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.FaceTime.1860
1⤵
PID:549

/System/Applications/FaceTime.app/Contents/MacOS/FaceTime
/System/Applications/FaceTime.app/Contents/MacOS/FaceTime
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.videoconference.camera
1⤵
PID:550

/usr/libexec/avconferenced
/usr/libexec/avconferenced
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.FaceTime.FaceTimeNotificationCenterService 549
1⤵
PID:552

/System/Applications/FaceTime.app/Contents/XPCServices/FaceTimeNotificationCenterService.xpc/Contents/MacOS/FaceTimeNotificationCenterService
/System/Applications/FaceTime.app/Contents/XPCServices/FaceTimeNotificationCenterService.xpc/Contents/MacOS/FaceTimeNotificationCenterService
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.imfoundation.IMRemoteURLConnectionAgent 549
1⤵
PID:554

/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.imfoundation.IMRemoteURLConnectionAgent 550
1⤵
PID:555

/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.satellite.269AB462-4C8D-48FC-89AA-B2B64B03F6F9 521
1⤵
PID:556

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:557

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 557
1⤵
PID:558

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:558

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:559

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:560

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:561

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:562

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:565

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:565

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:566

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:567

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.sound.remoteservice 557
1⤵
PID:569

/System/Library/PreferencePanes/Sound.prefPane/Contents/XPCServices/com.apple.preference.sound.remoteservice.xpc/Contents/MacOS/com.apple.preference.sound.remoteservice
/System/Library/PreferencePanes/Sound.prefPane/Contents/XPCServices/com.apple.preference.sound.remoteservice.xpc/Contents/MacOS/com.apple.preference.sound.remoteservice
1⤵
PID:569

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:571

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:572

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.BD8D6F84-71D4-411D-96BF-A5CBA0B5ADBF 571
1⤵
PID:573

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:577

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:577

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.F60B392A-2F36-4287-ADDF-0F8CD80A6592 571
1⤵
PID:578

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:578

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 571
1⤵
PID:579

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:579

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.4EE7F367-6883-4F8E-943B-85B88EA74664 571
1⤵
PID:580

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:580

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:591

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:591

/usr/libexec/xpcproxy
xpcproxy com.apple.diagnosticd
1⤵
PID:592

/usr/libexec/diagnosticd
/usr/libexec/diagnosticd
1⤵
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/2529545429CE075A4E64DE7DAA3D4C27

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
243KB

MD5
dc565c25dd16a94c2f4e5025a05792a7

SHA1
8053ead4f5ac23e852f9e902eec73e6b1e86c7af

SHA256
b9704543b745a4fd2c63724fdcb284e646e270d6c22334476a7625c43399fc40

SHA512
14dfafab10e85102fea2a76d1dbe5ddefc785141168f5b84bbff4529894e6a6023c165f61d28fb330b175f93da485217a3b2c458227eff384c10168f9d3fa47d

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
16.7MB

MD5
0466b3c95e43b40c31676f04d9fbbc6c

SHA1
82e7b10c1a0bddbd842de30b132bb13ffa462b5c

SHA256
367d3af79c23dbc43ee6747f5f8cdca5f3ccf8cc1745e234bf44908bc18571d5

SHA512
cdaa7b058c7c56918e3f3247062b43d9e71ae181ff5e6d2ca1adadbed69c800e40d5846ab3132d0af5a53228edf5a788767f1eba4242762ffbf50025822f70b5

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
126KB

MD5
4bfbfd89df364a9e125ee603998ddbe1

SHA1
6805586a401db57a103c4d5d6c57935f2341ddf6

SHA256
562d670809b24bf75469e8742e70a7a3f17aa712456a82b26cf2a7a1df199893

SHA512
a43350f4f8d00ff795571666f2ed5650fb011073e0e4d63b3cb61743916f90b9d5ee027e92d32be0da79b38a1db60a68ce90eca036aa2bf940772638aec73114

Download Submit

Resubmissions

Analysis

Sharing