24de4fbc0c682a8e8c41cac17a4d591662fe66ed10cc30a3ce7a0acd423d74be

General

Target

sample.js
Size

66KB
MD5

7b45c2b8a57ce854286aafa24638bfac
SHA1

a98285e1f6156c9aae51558bf3cc2b2778441a92
SHA256

24de4fbc0c682a8e8c41cac17a4d591662fe66ed10cc30a3ce7a0acd423d74be
SHA512

c66107e56d215dafede7049848857f764773d917fe296fbd4c064ba157e2882bb3308fd359487b44062cd8e3d0c6393825a8f4945c9894f5f3a4de12e90f17a2
SSDEEP

1536:u69UFLCCwNieu/6ehNFZuSuWtWWxUqio1HSAkSEjNcp2WSqII6ZsnJVrY5uvef+d:J9UFLhws0qio1HSAkSEjNcp2WSqII6Z2

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck

/usr/bin/xar
/usr/bin/xar -c -f dslocal-backup.xar dslocal
1⤵
PID:481

/usr/libexec/xpcproxy
xpcproxy com.apple.gkreport
1⤵
PID:483

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/sample.js\""
1⤵
PID:484

/usr/libexec/gkreport
/usr/libexec/gkreport
1⤵
PID:483

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/sample.js\""
1⤵
PID:484

/usr/libexec/xpcproxy
xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer
1⤵
PID:485

/usr/libexec/xpcproxy
xpcproxy com.apple.systemstats.daily
1⤵
PID:486

/usr/libexec/xpcproxy
xpcproxy com.oracle.java.Java-Updater
1⤵
PID:487

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:488

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/sample.js
1⤵
PID:484

/bin/zsh
/bin/zsh -c /Users/run/sample.js
2⤵
PID:493

/Users/run/sample.js
/Users/run/sample.js
2⤵
PID:493

/bin/sh
sh /Users/run/sample.js
2⤵
PID:493

/bin/bash
sh /Users/run/sample.js
2⤵
PID:493

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:479

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:485

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:482

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:476

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:487

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:488

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:518

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:521

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:521

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:528

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:532

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:533

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.C993C4D9-84AC-4C0D-AA40-D2EAC954308D 532
1⤵
PID:534

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:540

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.434171AB-D867-494F-BB09-EC7DF54ED99A 532
1⤵
PID:541

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 532
1⤵
PID:546

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:547

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.DA462C5A-A842-4942-BEC0-CA766C74C7DD 532
1⤵
PID:548

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.79D640D3-B268-476E-8F1F-6653B5CC2E72 532
1⤵
PID:549

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.212BCC01-1CF6-4D87-B1C1-FD36FC080D59 532
1⤵
PID:551

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.08FED617-A83C-47C3-8526-D5723C139A23 532
1⤵
PID:553

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.6D669D8C-C972-4588-B38B-864589C14BDA 532
1⤵
PID:554

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:555

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.7386617C-22F8-411E-9A7D-00C1BEB6378F 532
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.F36F045D-91EF-4042-B9FC-F3E0D0AE9526 532
1⤵
PID:560

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:559

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/2529545429CE075A4E64DE7DAA3D4C27

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/5B1EF92CE5059F5D16D557B168B4276E

Filesize
5KB

MD5
2d3e5066bcb75492fedf50cb98bf6cd8

SHA1
f7be051222559ab1489aa4b81eee4c7f4f2ee442

SHA256
671c6e8467a3d64d495c9fb36989d164c165d5053dc324d7e43d84abcc62478d

SHA512
6778993f098b5fad411777494f503a3c128e3f24b87e195d9eb7193b3ace06278a15809162620674ba862ce4bf29b89eec3b35168a06a9185637579d131f1381

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
299KB

MD5
d9fec51ee4cefdcc7d2b1b8e9270343f

SHA1
69e83b5257afdf66942dfb8f14df8fc183b6b2ab

SHA256
e25669ef363f156265616e644248c578dccf0b76fd2a0318bbdff4725be6b48f

SHA512
c826a8980350b95217c611aa066e06dfdf43fdd52af2e6941d2d163e45e32f5b06d6baef9e9bd07ab14385002c94abcaa4e220be1071020f3856d43b111dc3cd

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
17.1MB

MD5
c359727a0a8e2e4215841dbc00e4d914

SHA1
47da7118737eb68328b3915c3c27a8f143f7e4a6

SHA256
b676c07fd3dc592f67843c7fcde90563072297a953159e83209b0d87386d798e

SHA512
08d15f47831e588c1db44ba07b1f7439fb25360b1ceb580b3e4e732b864cf5b6023d4cac13a5cb53250d46319c7d988bb52167513fd42b03f5131edffb016fb9

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
122KB

MD5
4764e8c0b8d337bbbcdc2167b6277fa6

SHA1
531cfbff1e8b86e6fffd17f6d0af732102056a80

SHA256
15164f34befc21c949cf4ce35c1c610aaa9cee08ee0063e75118810b2ded9315

SHA512
a82528374db49bb8dec5ca103a1e0ee6afc30d089c8b09d836beeab4c72e99466ebc8aa141ec429699131b95726070fcfc86c685789c76a128cab5fe0fe583ba

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Analysis

Sharing