35aafa54f74d51268c1c99389dbafb2ff5835a30e5dec0bb6e8c239608e4c194

Analysis

max time kernel
124s
max time network
133s
platform
macos-10.15_amd64
resource
macos-20240711.1-en
resource tags

arch:amd64arch:i386image:macos-20240711.1-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
12-10-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Executor.zip
Size

3.4MB
MD5

c54aa5e8517df29f759d118731ef6289
SHA1

ddcc3931d474ebb341f7732c13096d20d0cd4a01
SHA256

35aafa54f74d51268c1c99389dbafb2ff5835a30e5dec0bb6e8c239608e4c194
SHA512

f0999c0306f7e2c1dc588acbc7cb5e47bdda3be80b6616d196da846953405b568f94161bc14a8ddc52fdfc1b2201a844270ed9d79e35475d31e5ce4867198587
SSDEEP

98304:OjHn2Htb9EG4lcvzBHdnpsi8BRb1hXf7/xlufgdrySIpWFW:OjHAROWzB9iPR5hLzdr6b

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 7 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Executor.zip\""
1⤵
PID:486

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Executor.zip\""
1⤵
PID:486

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Executor.zip
1⤵
PID:486
- /bin/zsh
  /bin/zsh -c /Users/run/Executor.zip
  2⤵
  PID:489
- /Users/run/Executor.zip
  /Users/run/Executor.zip
  2⤵
  PID:489

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:474

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:477

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:480

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:472

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:482

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:493

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:493

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:494

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:494

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.E7357DDB-510B-46AF-BBF7-F3B270C15C38 493
1⤵
PID:496

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:496

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:499

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:499

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:500

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:500

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:501

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:524

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.3C66EDC4-B224-4E7F-8730-95D3B312C825 493
1⤵
PID:527

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:527

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 493
1⤵
PID:528

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:529

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.6429F6FD-A0A8-485C-B36C-EF50ADA46F7D 493
1⤵
PID:530

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:531

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:535

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 535
1⤵
PID:536

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:536

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:538

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:539

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:540

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:541

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:544

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:545

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.screentime.remoteservice 535
1⤵
PID:547

/System/Library/PreferencePanes/ScreenTime.prefPane/Contents/XPCServices/com.apple.preference.screentime.remoteservice.xpc/Contents/MacOS/com.apple.preference.screentime.remoteservice
/System/Library/PreferencePanes/ScreenTime.prefPane/Contents/XPCServices/com.apple.preference.screentime.remoteservice.xpc/Contents/MacOS/com.apple.preference.screentime.remoteservice
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.colorsync.useragent
1⤵
PID:550

/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:553

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.SandboxHelper 530
1⤵
PID:554

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:555

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:559

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.coremedia.videodecoder 530
1⤵
PID:560

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.B2917967-CA7A-4B57-B662-1F5A92A606B9 493
1⤵
PID:561

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.D86B9F12-B374-490D-A8E8-03C81E3380CF 493
1⤵
PID:562

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.5ED271FF-DD4F-400D-B664-0EEDACE9190D 493
1⤵
PID:563

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:563

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/108DBE4D9730AAC1B0EA64BD997655A3

Filesize
5KB

MD5
9909227b6fd2415ccb9a276d99632243

SHA1
c21dfda1e925054b0d6c882e43f87dbe1222a933

SHA256
af7282a5f1a3c7a62bda5f2265b1254d420ba7b5aab58023df705dd6064d2ac9

SHA512
9705d6811e00ee5f616ead194484f00df7fd5033e6bbea784c02438b87774a3e60ece7e2fb6e23486eec43743d642a105a16a615b3a5d5ee32d49b8f77814e5c

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/2529545429CE075A4E64DE7DAA3D4C27

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/DF4282348DB5BEB70B13CC2EFCD3D5F6

Filesize
5KB

MD5
80f7367cb52983d2b58c2570460a9e9b

SHA1
8b1020b84f2c57bc43c0b0e504529fbd176fc694

SHA256
d7dd223f488a3dc314edecff758abc774093909d8cdaabb5c6b3f5a84a6f4be7

SHA512
ec16f486883b31551597eaa82406989c159a5e186ec33fcc8fbc85093d1ac758bfab065a9a8f91ef3087456cc2a0b2b097dbb074f567280f5ccf8f3838eaceb3

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
263KB

MD5
b5f9e8d41df5dbae129a0682d6688aa2

SHA1
0d876dcc92dd0de17d39a18ddb3a43bb85a0784a

SHA256
c0efcbdd9a78f3a9fd5bb986adb180334a2c0bbfadc25409a66acd8d7a89d7f0

SHA512
447f918b09b70a24e925403663cb938ad1126108b7a692757d49c673afc56a293628c3baf2a8fbef0cee4ee467e8872c972e4eab8aa952269521c4377d620276

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.colorsync.profiles.502

Filesize
21KB

MD5
1f8f4a587e2306e5f55d10a788b6c2af

SHA1
60fb84e53021bd93a0c357f840b65109513d4a80

SHA256
d941861804da4a5eff4dbeb666345272c6619075be449fb7097b31abf1d5bcf4

SHA512
45523e8404728d30f2f9e54ec0df9d81d9942f1a32ffa4d8e296a62f4c9445f7ccc6957d6e67a5d3518926f2fadf9d3a962acf46b6487f3e05a906f68c84453d

Download Submit