95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a

Resubmissions

01/01/2025, 19:47

250101-yhhtds1kcy 10

01/01/2025, 19:45

17/11/2024, 16:46

17/11/2024, 16:36

17/11/2024, 16:34

17/11/2024, 16:15

Analysis

max time kernel
226s
max time network
223s
platform
macos-10.15_amd64
resource
macos-20241106-en
resource tags

arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
17/11/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a.exe
Size

1.1MB
MD5

5d657a482624350e8676e7f0f902d217
SHA1

0182985fa2ac0a698c2af40c87f1b6cfaceb72cf
SHA256

95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a
SHA512

93c75caa8b543877638c20a902765b7eaa4edd6b3c1fd4a89ad6db7355d7e62e2b671efc0c418ea81b777eeddce8fbbb9628116e7be42ac85e3d989a983668f8
SSDEEP

12288:ALkcoxg7v3qnC11ErwIhh0F4qwUgUny5QbF4vBUJ2pzfXw7CSMoDrdwhBDH5wJcF:WfmMv6Ckr7Mny5QbFilfroDZCDH5wJcF

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 7 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a.exe\""
1⤵
PID:456

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a.exe\""
1⤵
PID:456

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a.exe
1⤵
PID:456
- /bin/zsh
  /bin/zsh -c /Users/run/95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a.exe
  2⤵
  PID:460
- /Users/run/95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a.exe
  /Users/run/95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a.exe
  2⤵
  PID:460

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:446

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:444

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:453

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:449

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:454

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:489

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:489

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:492

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:492

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 492
1⤵
PID:493

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:493

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:495

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:496

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:497

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:498

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:499

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:500

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:500

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:501

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:505

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:505

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:506

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:506

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.5AFF3C3C-4EA6-448C-9507-996C4ADCFA2E 505
1⤵
PID:507

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:509

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:509

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:513

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.4C8389ED-47CB-4899-8E34-6F004A125891 505
1⤵
PID:514

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.BrowserDataImportingService 505
1⤵
PID:516

/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService
/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:517

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:517

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.B4282202-96DD-42F1-A6BB-20BE8019E626 505
1⤵
PID:518

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.6E9BB39E-6486-4400-90A6-256BA79B91AE 505
1⤵
PID:519

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.B4057932-7013-4565-8122-58C28B739077 505
1⤵
PID:520

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:522

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:523

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:523

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:524

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:527

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:527

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.speech.remoteservice 492
1⤵
PID:529

/System/Library/PreferencePanes/Speech.prefPane/Contents/XPCServices/com.apple.preference.speech.remoteservice.xpc/Contents/MacOS/com.apple.preference.speech.remoteservice
/System/Library/PreferencePanes/Speech.prefPane/Contents/XPCServices/com.apple.preference.speech.remoteservice.xpc/Contents/MacOS/com.apple.preference.speech.remoteservice
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.PackageKit.InstallStatus
1⤵
PID:531

/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress
"/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress"
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.warmd_agent
1⤵
PID:532

/usr/libexec/warmd_agent
/usr/libexec/warmd_agent
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.passd
1⤵
PID:533

/System/Library/PrivateFrameworks/PassKitCore.framework/passd
/System/Library/PrivateFrameworks/PassKitCore.framework/passd
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:534

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.sessionlogoutd
1⤵
PID:535

/System/Library/CoreServices/sessionlogoutd
/System/Library/CoreServices/sessionlogoutd
1⤵
PID:535

/sbin/shutdown
/sbin/shutdown -h now
1⤵
PID:0
- /bin/sh
  sh -c "/usr/bin/wall -n"
  2⤵
  PID:537
- /bin/bash
  sh -c "/usr/bin/wall -n"
  2⤵
  PID:537
- /usr/bin/wall
  /usr/bin/wall -n
  2⤵
  PID:537
- /System/Library/Extensions/IOGraphicsFamily.kext/iogdiagnose
  iogdiagnose -b /var/log/displaypolicy/iogdiagnose-last.bin
  2⤵
  PID:0
- - /usr/sbin/spindump
    spindump -shutdownstall 2 -timelimit 5
    3⤵
    PID:539
- - /bin/sh
    sh -c /usr/sbin/kextstat
    3⤵
    PID:540
- - /bin/bash
    sh -c /usr/sbin/kextstat
    3⤵
    PID:540
- - /usr/sbin/kextstat
    /usr/sbin/kextstat
    3⤵
    PID:540
- - /bin/bash
    bash /private/var/install/shutdown_installer_tasks
    3⤵
    PID:541
- - /bin/bash
    bash /private/var/install/deferred_install
    3⤵
    PID:542

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/077B2DF860DE9B635B41ACE75518BEAE

Filesize
21KB

MD5
38cfdb248210ffd12a6e774119609de8

SHA1
d10a44e5d06c8a95e4c61ae770cc8f0c8d372253

SHA256
5493c61cf725cf3a1d63cd9d07de75b0d6faa5564e772f7d0a6074f341442938

SHA512
7d0ae6125e5c10d52847ac10e5200f2aaa84932ea5d10af54440c0abc27af19285cb760f0e8dad0bac4371e4b384ffaddcf235f9f1ba29e6dc41ef29deac4fba

Download Submit
/Users/run/Library/Saved Application State/com.apple.safari.savedState/data.data

Filesize
12KB

MD5
301fd2ca7decc7060107365b3f0d4bba

SHA1
8a720c3875a7d649219b3212bd52e425a652913a

SHA256
3802a28a2cc94f7628376cb350357d2ed7ea570e0c2b60f6b48549fa4116288e

SHA512
fc2252a1f4e1eaa2a77b3d4733568c61143a076c5bbda5234e858512119869bfb01fa52e160e19a154f92e91eec1afcb08671d4b6e028a20a8933e58a0ab0774

Download Submit
/Users/run/Library/Saved Application State/com.apple.systempreferences.savedState/data.data

Filesize
1KB

MD5
0db7f27b2d73bcb18ce2f2fb30eccc09

SHA1
8111b74dc90fd66aec26ffe8a2147c3a2f3680ea

SHA256
b904404f3e997edf59f8488aadc5b7f10bce7da23fd478b3ccc5fd003c4bf149

SHA512
3a3d31f01f983b11025dc9b65ccb42dd0f61e7ea7e2cd24fca96ba368eca9ca1d6961d31853c599ab16bf736530142e64881882febc9fc637325a359a694c8f0

Download Submit
/var/db/nsurlstoraged/dafsaData.bin

Filesize
54KB

MD5
64f469698e53d0c828b7f90acd306082

SHA1
bcc041b3849e1b0b4104ffeb46002207eeac54f3

SHA256
d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

SHA512
a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
366KB

MD5
d22028b10b374583969294fbd6c9599b

SHA1
5ea1d6a9a20954e1acf95a7655c5c2ed47f97ec5

SHA256
d045672476308ba389d65ceaf5b89946f1f1f2b3daf89d6a002e833e86a53ded

SHA512
d6522ef852953e0dd196d3e5c0d471285c42bef0ce0489d13c6fb317f68b01469743e7952a54419dcbe6c0f0550dd2b998ad9a9d2c137c6bd0e24e2e25fcffa9

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
17.3MB

MD5
450fa48b109ea3c2894e7cd0cba2bb8d

SHA1
6cfad2917a859cb7702f8d777e297bcaf8fc9b0e

SHA256
19d89be8a19c05af9c073c43ff9fe337cd09a9297deb8b5acc3ce892bffc0d48

SHA512
a7282e6ca41fc4ddc02c29515386eac0d2b7f27742b33e631f737f4481cb1cdcefe533c7301087b7eadc25d537021b682fbb43bb570050fc3deb4608b38d03d8

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
123KB

MD5
652908d6189f0b1e6461636a00c3448a

SHA1
3ecbcb235159a35b62a7c22f80f8c0c707e56187

SHA256
2e3c1f902daa0ce103d9695df328b7f75c28f4f6ed7558bd38a4641d18057f1a

SHA512
9c7b4a98b59c68860325aa80bca1af3efa8a0aef640835a265cafb710e6e9a8359f5061e40b6e6d60bcce946ba596992a0ace91182ecefe96972285e07be2475

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt

Filesize
148KB

MD5
6e116fafaec519a2c2d34338ed463cda

SHA1
9f25878958c98226a2bbff39286bef9880d08a42

SHA256
7e53a79ac37fc67fd06ab833523e1c027eef16620fdd3889a4b732d8beda99aa

SHA512
b3f85eaff5a284d67268114c623a5bd991b104e2d4f6b87a1140ce0041d8169ad444e9982aa7d09e65c3ad103142d2ad75232a95d42558ce6affd1c4d38ea899

Download Submit