Analysis
max time kernel: 270s
max time network: 280s
platform: macos-10.15_amd64
resource: macos-20240711.1-en
resource tags: arch:amd64, arch:i386, image:macos-20240711.1-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
submitted: 01-11-2024 17:24
Static task: static1
Behavioral task: behavioral1
Sample: sample.js
Resource: macos-20240711.1-en
General
Target: sample.js
Size: 66KB
MD5: 7b45c2b8a57ce854286aafa24638bfac
SHA1: a98285e1f6156c9aae51558bf3cc2b2778441a92
SHA256: 24de4fbc0c682a8e8c41cac17a4d591662fe66ed10cc30a3ce7a0acd423d74be
SHA512: c66107e56d215dafede7049848857f764773d917fe296fbd4c064ba157e2882bb3308fd359487b44062cd8e3d0c6393825a8f4945c9894f5f3a4de12e90f17a2
SSDEEP: 1536:u69UFLCCwNieu/6ehNFZuSuWtWWxUqio1HSAkSEjNcp2WSqII6ZsnJVrY5uvef+d:J9UFLhws0qio1HSAkSEjNcp2WSqII6Z2
Malware Config
Signatures
- Resource Forking (1 TTP, 2 IoCs)
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
Processes (IoCs):
- /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
- "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
Processes (image, command line, tree depth, PID)
- /usr/bin/xar | xar -c -f dslocal-backup.xar dslocal | depth 1 | PID 481
- /usr/libexec/xpcproxy | xpcproxy com.apple.gkreport | depth 1 | PID 483
- /bin/sh | sh -c "sudo /bin/zsh -c \"/Users/run/sample.js\"" | depth 1 | PID 484
- /usr/libexec/gkreport | /usr/libexec/gkreport | depth 1 | PID 483
- /bin/bash | sh -c "sudo /bin/zsh -c \"/Users/run/sample.js\"" | depth 1 | PID 484
- /usr/libexec/xpcproxy | xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer | depth 1 | PID 485
- /usr/libexec/xpcproxy | xpcproxy com.apple.systemstats.daily | depth 1 | PID 486
- /usr/libexec/xpcproxy | xpcproxy com.oracle.java.Java-Updater | depth 1 | PID 487
- /usr/libexec/xpcproxy | xpcproxy com.apple.newsyslog | depth 1 | PID 488
- /usr/bin/sudo | sudo /bin/zsh -c /Users/run/sample.js | depth 1 | PID 484
- /bin/zsh | /bin/zsh -c /Users/run/sample.js | depth 2 | PID 493
- /Users/run/sample.js | /Users/run/sample.js | depth 2 | PID 493
- /bin/sh | sh /Users/run/sample.js | depth 2 | PID 493
- /bin/bash | sh /Users/run/sample.js | depth 2 | PID 493
- /System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd | /System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd | depth 1 | PID 479
- /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | depth 1 | PID 485
- /usr/libexec/pkreporter | /usr/libexec/pkreporter | depth 1 | PID 482
- /System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged | "/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged" | depth 1 | PID 476
- /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck | depth 1 | PID 487
- /usr/sbin/newsyslog | /usr/sbin/newsyslog | depth 1 | PID 488
- /usr/libexec/xpcproxy | xpcproxy com.apple.sysmond | depth 1 | PID 518
- /usr/libexec/sysmond | /usr/libexec/sysmond | depth 1 | PID 518
- /usr/libexec/xpcproxy | xpcproxy com.apple.audio.AudioComponentRegistrar | depth 1 | PID 521
- /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar | /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon | depth 1 | PID 521
- /bin/launchctl | /bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon | depth 1 | PID 528
- /bin/launchctl | /bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon | depth 1 | PID 529
- /usr/libexec/xpcproxy | xpcproxy com.apple.Safari.2028 | depth 1 | PID 532
- /Applications/Safari.app/Contents/MacOS/Safari | /Applications/Safari.app/Contents/MacOS/Safari | depth 1 | PID 532
- /usr/libexec/xpcproxy | xpcproxy com.apple.Safari.History | depth 1 | PID 533
- /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History | /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History | depth 1 | PID 533
- /usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.C993C4D9-84AC-4C0D-AA40-D2EAC954308D 532 | depth 1 | PID 534
- /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | depth 1 | PID 534
- /usr/libexec/xpcproxy | xpcproxy com.apple.SafariLaunchAgent | depth 1 | PID 540
- /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent | /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent | depth 1 | PID 540
- /usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.434171AB-D867-494F-BB09-EC7DF54ED99A 532 | depth 1 | PID 541
- /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | depth 1 | PID 541
- /usr/libexec/xpcproxy | xpcproxy com.apple.Safari.SearchHelper 532 | depth 1 | PID 546
- /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper | /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper | depth 1 | PID 546
- /usr/libexec/xpcproxy | xpcproxy com.apple.Safari.SafeBrowsing.Service | depth 1 | PID 547
- /System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service | /System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service | depth 1 | PID 547
- /usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.DA462C5A-A842-4942-BEC0-CA766C74C7DD 532 | depth 1 | PID 548
- /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | depth 1 | PID 548
- /usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.79D640D3-B268-476E-8F1F-6653B5CC2E72 532 | depth 1 | PID 549
- /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | depth 1 | PID 549
- /usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.212BCC01-1CF6-4D87-B1C1-FD36FC080D59 532 | depth 1 | PID 551
- /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | depth 1 | PID 551
- /usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.08FED617-A83C-47C3-8526-D5723C139A23 532 | depth 1 | PID 553
- /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | depth 1 | PID 553
- /usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.6D669D8C-C972-4588-B38B-864589C14BDA 532 | depth 1 | PID 554
- /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | depth 1 | PID 554
- /usr/libexec/xpcproxy | xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E | depth 1 | PID 555
- /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService | /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService | depth 1 | PID 555
- /usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.7386617C-22F8-411E-9A7D-00C1BEB6378F 532 | depth 1 | PID 559
- /usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.F36F045D-91EF-4042-B9FC-F3E0D0AE9526 532 | depth 1 | PID 560
- /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | depth 1 | PID 559
- /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | depth 1 | PID 560
Network
MITRE ATT&CK Enterprise v15
Downloads