Analysis
max time kernel: 126s
max time network: 123s
platform: macos-10.15_amd64
resource: macos-20241101-en
resource tags: arch:amd64, arch:i386, image:macos-20241101-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
submitted: 13-11-2024 21:48
Static task: static1
Behavioral task: behavioral1
Sample: 5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg
Resource: macos-20241101-en
Errors
General
Target: 5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg (the file name is the sample's own SHA1)
Size: 217KB
MD5: 66834b48616c010509e9d216e220ed23
SHA1: 5c998852ec3bbb7438f101a511c2c4ed52e51d90
SHA256: 8d9f4a8b68d142878192f3c7b81b1c0722b1cfda9cceeab9e4e758876ea39fff
SHA512: f21b598bb8f5871b5db9ff4e1eb308ec12a8383092bf0459c488c8e226e7a157280e60d79ea4295338f10cb2adc53c078221489a81d936274b21dc3fc1c3bb47
SSDEEP: 6144:p6H+6xu8/kwoqD+a7xhQydDj3foKEQadEDXVt:p4xu8RDpFhQy53foVRqDX3
Malware Config
Signatures

File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.
No IoC is attached to this signature. The only deletion visible in the process tree below is "sudo rm -rf" (PID 503), run inside a Terminal login session for the run user; the report does not show its arguments, so what was deleted cannot be established from this page.

Launch Agent (1 TTP)
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
No IoC is attached to this signature. The only launch agent touched in this run is /Library/LaunchAgents/com.microsoft.update.agent.plist, loaded by launchctl (PID 534, see Launchctl below). That plist belongs to Microsoft AutoUpdate, whose Update Assistant and privileged helper also run in this image, so check its contents before attributing the persistence to the sample.

JavaScript (1 TTP, 1 IoC)
Adversaries may abuse various implementations of JavaScript for execution.
Process: "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar (PID 516, child of Jar Launcher, PID 514)
The signature name does not match the evidence: the matched process is the Java runtime bundled with the Java applet plug-in running a JAR file, not JavaScript. /Users/run/tmp/hello.jar is not among the dropped files listed below, so this report does not establish where it came from.

Resource Forking (1 TTP, 6 IoCs)
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
Processes:
- /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
- /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
- /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
- /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
- "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
- /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper (second instance)
All six are Apple system binaries or the Java updater's background check, and they appear in the tree independently of the sample; resource-fork activity by them is expected environment noise rather than evidence about the sample.

Launchctl (1 TTP, 1 IoC)
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Process: /bin/launchctl load /Library/LaunchAgents/com.microsoft.update.agent.plist (PID 534)
This is the same Microsoft AutoUpdate agent discussed under Launch Agent above; a "launchctl list" (PID 532) runs just before it.
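The Launch Agent and Launchctl signatures above come down to one plist being loaded. The following added example (not code from the sandbox, the report, or any vendor) shows how to triage such a plist offline with plistlib: it reads Label, Program/ProgramArguments, RunAtLoad and KeepAlive and returns finding codes for the patterns worth a second look (a com.apple.* label outside /System, an inline shell command, references to scratch directories, a document extension handed to an interpreter, and a label that does not match the file name). Both plists in the block are constructed: the first only borrows the file name com.microsoft.update.agent.plist and the Update Assistant path from this report and its contents are an assumption, and the second is a hypothetical agent that runs a .jpg through zsh. scan_launch_agent_dirs applies the same triage to a live Mac's /Library/LaunchAgents and ~/Library/LaunchAgents.

```python
"""Triage launchd agent plists for persistence red flags.

Added example for this report, not code from the sandbox or any vendor.
The two plists below are constructed: BENIGN_PLIST only borrows the file name
/Library/LaunchAgents/com.microsoft.update.agent.plist and the Update Assistant
path seen in the report (its real contents are an assumption); SUSPICIOUS_PLIST
is a hypothetical agent that runs a ".jpg" through zsh.
"""
import glob
import os
import plistlib

# Program locations a launch agent is normally expected to use.
TRUSTED_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/",
                 "/Library/Application Support/", "/Library/PrivilegedHelperTools/")
# Interpreters that take an inline script: Program = one of these plus "-c"/"-e"
# means the payload lives inside the plist itself.
INLINE_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                       "/usr/bin/perl", "/usr/bin/python3"}
SCRATCH_MARKERS = ("/tmp/", "/private/tmp/", "/var/tmp/")
DOC_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx")

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.microsoft.update.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>7200</integer>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/zsh</string><string>-c</string>
    <string>/Users/run/tmp/update.jpg</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def triage_launch_agent(plist_bytes: bytes, plist_path: str) -> dict:
    """Return the agent's key fields plus a list of finding codes (empty = clean)."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    args = [str(a) for a in (data.get("ProgramArguments") or [])]
    program = str(data.get("Program") or (args[0] if args else ""))
    findings = []

    # launchd does not require it, but a label that differs from the file name
    # is a common sign of a hand-written or renamed plist.
    if label != os.path.splitext(os.path.basename(plist_path))[0]:
        findings.append("label_mismatch")
    # Apple's own agents live under /System/Library/LaunchAgents; a com.apple.*
    # label in /Library or ~/Library is masquerading.
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        findings.append("apple_label_outside_system")
    if program and not program.startswith(TRUSTED_ROOTS):
        findings.append("program_outside_trusted_roots")
    if program in INLINE_INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        findings.append("inline_shell_command")
    if any(a.startswith(SCRATCH_MARKERS) or "/tmp/" in a for a in args):
        findings.append("references_scratch_dir")
    if any(a.lower().endswith(DOC_EXTS) for a in args):
        findings.append("executes_document_extension")

    return {
        "label": label,
        "program": program,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
        "findings": findings,
    }


def scan_launch_agent_dirs() -> list:
    """Triage every plist in the system and per-user launch agent directories."""
    results = []
    for pattern in ("/Library/LaunchAgents/*.plist",
                    os.path.expanduser("~/Library/LaunchAgents/*.plist")):
        for path in sorted(glob.glob(pattern)):
            with open(path, "rb") as fh:
                try:
                    results.append((path, triage_launch_agent(fh.read(), path)))
                except Exception:  # malformed plist: still worth a look
                    results.append((path, {"findings": ["unparseable_plist"]}))
    return results


if __name__ == "__main__":
    print(triage_launch_agent(BENIGN_PLIST,
                              "/Library/LaunchAgents/com.microsoft.update.agent.plist"))
    print(triage_launch_agent(SUSPICIOUS_PLIST,
                              "/Users/run/Library/LaunchAgents/com.apple.softwareupdate.helper.plist"))
    for path, result in scan_launch_agent_dirs():
        if result["findings"]:
            print(path, result["findings"])
```

The finding codes are deliberately coarse: a hit on "program_outside_trusted_roots" alone is common for legitimate third-party agents that run from a user's home directory, whereas "apple_label_outside_system" or "executes_document_extension" almost never is, so weight them differently when ranking results from a live scan.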
Processes
Process tree (indented by depth; each line is image path | command line | PID, and the command line is omitted where it is just the image path). The sandbox harness starts the sample as a script via sh -> sudo -> zsh; a PID that appears more than once is one process that exec'd a new image. The arguments of the "sudo rm -rf" entry are not shown in the report. The trailing entries from /sbin/shutdown -h now onward are the analysis VM shutting down at the end of the run.

/bin/sh | sh -c "sudo /bin/zsh -c \"/Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg\"" | PID 457
/bin/bash | sh -c "sudo /bin/zsh -c \"/Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg\"" | PID 457
/usr/bin/sudo | sudo /bin/zsh -c /Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg | PID 457
  /bin/zsh | /bin/zsh -c /Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg | PID 459
  /Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg | PID 459
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | PID 451
/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged | PID 443
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd | PID 445
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck | PID 453
/usr/libexec/pkreporter | PID 448
/usr/libexec/xpcproxy | xpcproxy com.apple.iCal.CalendarNC 313 | PID 483
/usr/libexec/xpcproxy | xpcproxy com.apple.ncplugin.weather 313 | PID 484
/usr/libexec/xpcproxy | xpcproxy com.apple.ncplugin.stocks 313 | PID 485
/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC | PID 483
/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather | PID 484
/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks | PID 485
/usr/libexec/xpcproxy | xpcproxy com.apple.Terminal.2100 | PID 489
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal | PID 489
  /usr/bin/login | login -pf run | PID 490
    /bin/zsh | -zsh | PID 491
      /usr/libexec/path_helper | /usr/libexec/path_helper -s | PID 492
      /usr/bin/locale | locale LC_CTYPE | PID 493
      /usr/bin/sudo | sudo | PID 497
      /usr/bin/sudo | sudo rm -rf | PID 503
  /usr/bin/login | login -pf run | PID 508
    /bin/zsh | -zsh | PID 509
      /usr/libexec/path_helper | /usr/libexec/path_helper -s | PID 510
      /usr/bin/locale | locale LC_CTYPE | PID 511
/usr/libexec/xpcproxy | xpcproxy com.apple.nsurlstoraged | PID 502
/usr/libexec/nsurlstoraged | /usr/libexec/nsurlstoraged --privileged | PID 502
/usr/libexec/xpcproxy | xpcproxy com.apple.quicklook.ui.helper | PID 513
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | PID 513
/usr/libexec/xpcproxy | xpcproxy com.apple.JarLauncher.2128 | PID 514
/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher | PID 514
  /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar | PID 516
/usr/libexec/xpcproxy | xpcproxy com.apple.metadata.mdwrite | PID 515
/usr/libexec/xpcproxy | xpcproxy com.apple.spindump | PID 518
/usr/sbin/spindump | PID 518
/usr/libexec/xpcproxy | xpcproxy com.apple.spindump_agent | PID 519
/usr/libexec/spindump_agent | PID 519
/usr/libexec/xpcproxy | xpcproxy com.apple.quicklook.ui.helper | PID 522
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | PID 522
/usr/libexec/xpcproxy | xpcproxy "com.apple.xpc.launchd.oneshot.0x10000001.Microsoft Word" | PID 523
/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word | "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word" -psn_0_184365 | PID 523
/usr/libexec/xpcproxy | xpcproxy com.apple.XprotectFramework.AnalysisService 402 | PID 525
/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService | PID 525
/usr/libexec/xpcproxy | xpcproxy com.apple.storeuid | PID 528
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid | PID 528
/usr/libexec/xpcproxy | xpcproxy com.apple.storedownloadd | PID 529
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd | PID 529
/usr/libexec/xpcproxy | xpcproxy com.microsoft.autoupdate.fba.2660 | PID 531
/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant | PID 531
/bin/launchctl | /bin/launchctl list | PID 532
/usr/libexec/xpcproxy | xpcproxy com.microsoft.autoupdate.helper | PID 533
/bin/launchctl | /bin/launchctl load /Library/LaunchAgents/com.microsoft.update.agent.plist | PID 534
/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper | PID 533
/usr/bin/codesign | /usr/bin/codesign -v /Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper | PID 535
/usr/libexec/xpcproxy | xpcproxy com.apple.PackageKit.InstallStatus | PID 547
/usr/libexec/xpcproxy | xpcproxy com.apple.warmd_agent | PID 548
/usr/libexec/warmd_agent | PID 548
/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress | PID 547
/usr/libexec/xpcproxy | xpcproxy com.apple.ReportMemoryException | PID 549
/usr/libexec/ReportMemoryException | PID 549
/usr/libexec/xpcproxy | xpcproxy com.apple.coremedia.videodecoder 124 | PID 550
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService | PID 550
/usr/libexec/xpcproxy | xpcproxy com.apple.rtcreportingd | PID 551
/usr/libexec/rtcreportingd | PID 551
/usr/libexec/xpcproxy | xpcproxy com.apple.sessionlogoutd | PID 552
/System/Library/CoreServices/sessionlogoutd | PID 552
/sbin/shutdown | /sbin/shutdown -h now | PID not recorded (the report shows 1.8446744073709552e+19, which is not a valid PID)
/bin/sh | sh -c "/usr/bin/wall -n" | PID 554
/bin/bash | sh -c "/usr/bin/wall -n" | PID 554
/usr/bin/wall | /usr/bin/wall -n | PID 554
/System/Library/Extensions/IOGraphicsFamily.kext/iogdiagnose | iogdiagnose -b /var/log/displaypolicy/iogdiagnose-last.bin | PID 0
  /usr/sbin/spindump | spindump -shutdownstall 2 -timelimit 5 | PID 556
  /bin/sh | sh -c /usr/sbin/kextstat | PID 557
  /bin/bash | sh -c /usr/sbin/kextstat | PID 557
  /usr/sbin/kextstat | PID 557
  /bin/bash | bash /private/var/install/shutdown_installer_tasks | PID 558
  /bin/bash | bash /private/var/install/deferred_install | PID 559
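The tree shows the sample, a file with a .jpg extension, being handed to zsh as a script (sh -> sudo -> zsh -> /Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg), and a JAR being run from the run user's tmp directory. The added example below (not the sandbox's own detection logic) is a detection check over process-creation events for those two patterns; it unwraps sudo and shell -c wrappers so that a document path buried in an inline command is still found. The event records are constructed from the tree above with an assumed field layout (pid, ppid, image, cmdline), not a real EDR schema, and cover only a subset of the tree.

```python
"""Flag shell or interpreter launches of files that carry a document extension.

Added example for this report, not the sandbox's detection logic. EVENTS is a
constructed subset of the process tree above (pid/ppid/paths from the report;
the field names are an assumption, not a real EDR schema). The rule expands
"sudo ..." and "<shell> -c '<cmd>'" wrappers so that the .jpg reached through
sh -> sudo -> zsh is still seen.
"""
import os
import shlex

SHELL_NAMES = {"sh", "bash", "zsh", "dash", "ksh"}
DOC_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx")
# Where a JAR launched by the system Java runtime is expected to live.
TRUSTED_JAR_ROOTS = ("/System/", "/Library/", "/Applications/", "/usr/")

SAMPLE = "/Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg"
JAVA = "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java"

# Constructed events mirroring the report's tree: image path, command line, pid.
EVENTS = [
    {"pid": 457, "ppid": 1, "image": "/bin/sh",
     "cmdline": 'sh -c "sudo /bin/zsh -c \\"' + SAMPLE + '\\""'},
    {"pid": 457, "ppid": 1, "image": "/usr/bin/sudo",
     "cmdline": "sudo /bin/zsh -c " + SAMPLE},
    {"pid": 459, "ppid": 457, "image": "/bin/zsh",
     "cmdline": "/bin/zsh -c " + SAMPLE},
    {"pid": 459, "ppid": 457, "image": SAMPLE, "cmdline": SAMPLE},  # exec of the .jpg
    {"pid": 491, "ppid": 490, "image": "/bin/zsh", "cmdline": "-zsh"},
    {"pid": 492, "ppid": 491, "image": "/usr/libexec/path_helper",
     "cmdline": "/usr/libexec/path_helper -s"},
    {"pid": 516, "ppid": 514, "image": JAVA,
     "cmdline": '"' + JAVA + '" -jar /Users/run/tmp/hello.jar'},
]


def split_cmdline(cmdline: str) -> list:
    """shlex-split a command line, falling back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def flatten_tokens(tokens: list) -> list:
    """Return the tokens plus those of any command nested behind sudo or a shell -c."""
    out = list(tokens)
    if not tokens:
        return out
    head = os.path.basename(tokens[0])
    if head == "sudo":
        out += flatten_tokens(tokens[1:])
    elif head in SHELL_NAMES and "-c" in tokens:
        i = tokens.index("-c")
        if i + 1 < len(tokens):
            out += flatten_tokens(split_cmdline(tokens[i + 1]))
    return out


def find_disguised_execution(events: list) -> list:
    """Return sorted, de-duplicated (pid, finding) pairs for the given events."""
    hits = set()
    for ev in events:
        image = ev["image"]
        head = os.path.basename(image)
        flat = flatten_tokens(split_cmdline(ev["cmdline"]))
        doc_refs = [t for t in flat if t.lower().endswith(DOC_EXTS)]
        if image.lower().endswith(DOC_EXTS):
            # The process image itself is a "document": the file was executed.
            hits.add((ev["pid"], "document_file_executed"))
        elif doc_refs and (head in SHELL_NAMES or head == "sudo"):
            # A shell (possibly behind sudo) was told to run a document path.
            hits.add((ev["pid"], "shell_invokes_document_path"))
        if head == "java" and "-jar" in flat:
            i = flat.index("-jar")
            jar = flat[i + 1] if i + 1 < len(flat) else ""
            if jar and not jar.startswith(TRUSTED_JAR_ROOTS):
                hits.add((ev["pid"], "jar_outside_trusted_roots"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, finding in find_disguised_execution(EVENTS):
        print(pid, finding)
```

Run against real telemetry, the rule also flags the sandbox harness itself (PID 457 here), because the harness is what launched the disguised file; that is the right outcome in a sandbox. On production hosts, scope the rule by parent process or user so that analyst tooling is excluded, rather than shortening the extension list.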
-
Network
MITRE ATT&CK Enterprise v15
Downloads
All named entries are Microsoft Word state files under the run user's containers, written because Word was launched during the run (PID 523); none of them is the sample or /Users/run/tmp/hello.jar. Entries without a path are shown as the report lists them.

Path: (not shown in report)
Filesize: 545B
MD5: 9975278f76f30ad087bced32e6f5ea2d
SHA1: d2619a5d202a42393f398361a516bb24bc41371f
SHA256: de488143aa2ccbaa9ee06a03d4684e1716dcd77e186a0e3b37d5f1a1b6629942
SHA512: 7167578b79e5674c2a4c08b693d128d7bea1ffef78d0a173b3007f25ccda862590a43f6b0f9f07ae5982f479a55546e28f3119214efd05eefb43ce11e67860f4

Path: /Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/Floodgate/SurveyEventActivityStats.json
Filesize: 14B
MD5: 6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Path: /Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/Floodgate/Word.CampaignStates.json
Filesize: 1KB
MD5: da7b321936a4650a446dc9236c1894ce
SHA1: 4950cd50437470597303a7451ae4e8b1d98af034
SHA256: 5d468a964d6ad8e3ce0e0078b7955977545c2083cdb1c8929b1bf1c40f074c1c
SHA512: e27efae91b4622e0c4838daf0752ba20cf1f21e88dbd2251adf20dc0df4859876a3d29be0a5adae8b7f5bbcbc02b9ea0f583d786a6d6b7902a55cb66fa8cb3bf

Path: /Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/Floodgate/Word.Settings.json
Filesize: 87B
MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Path: /Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/microsoft word_Rules.xml
Filesize: 258KB
MD5: 5a33211bed7be6cc385ae7fbef44e01a
SHA1: a0b3b3ed558bb4efec995b2173645123667a9945
SHA256: fae19f0f726a3973bd8e7ae5b3fe7afaedacda3cbe0f9642526e710c58a485d4
SHA512: e469ce16cbc7ba515a0b2d9e2785d186b7ed30b88c1546f655182d85578a9df7e13c174eeb9ccfa0f971676fb39e35e0621dabdb34ad848da8e6552c9654aa97

Path: /Users/run/Library/Group Containers/UBF8T346G9.Office/FontCache/4/PreviewFont/hier_officeFontsPreview_4_40.ttf
Filesize: 1.9MB
MD5: 8c638d09eea80c9b1963af8cc35870a5
SHA1: f67fc7503e05b99f232945bc1bbb7d50bc70f88d
SHA256: 4bcfa32557e0bfffd5766cf6057b9e04ac9af9c101033fd305fba7190305a385
SHA512: b1cee1f2e0f2cdd2611c1af18d5cd3b481da6c7c761cc74f2fc9c99025215a8c03f117bd1f8cdd3fa01210c542ba9e1c7246954e43ce100c84b1ea4082000c07

Path: (not shown in report)
Filesize: (not shown; these are the hashes of a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Path: (not shown in report)
Filesize: 54KB
MD5: 64f469698e53d0c828b7f90acd306082
SHA1: bcc041b3849e1b0b4104ffeb46002207eeac54f3
SHA256: d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd
SHA512: a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Path: (not shown in report)
Filesize: 47KB
MD5: 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1: 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256: cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512: 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Path: (not shown in report)
Filesize: 4KB
MD5: d3a1859e6ec593505cc882e6def48fc8
SHA1: f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256: 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512: ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Path: (not shown in report)
Filesize: 166KB
MD5: dba1ddd9eca02e5aa4fb6a65784c5a30
SHA1: a41992bf59a92d84b6afc4afba23650b4bf74513
SHA256: 0dccad1896b0fb72b9e258cf017a052d258ecd06595afc5f1c5f0f18557cf791
SHA512: 008d66812d7abafe2c42609532db7b5f0df13121e43f8aa38a32e609e8813aa99007939cfee72e9f3531e19c5b9893c3fa688701f3ad96f5f986ccf3ae130069