b0152fe7f71a05b858f903eac3b3ca8c8c74c898cc5ae4144a841e4301eb8a62

General

Target

goofy-ahh-ringtone.mp3
Size

131KB
MD5

2cd1abd212d7226cc56fa38f57b24d7d
SHA1

e738863d7667f3babaa2ae55a446ec078034d613
SHA256

b0152fe7f71a05b858f903eac3b3ca8c8c74c898cc5ae4144a841e4301eb8a62
SHA512

9a7de3863a59c03dd776c94053a0071ae2534abf39aa5b69eb6b4994108cf12cc859df97100856d7c43b2d66d9c87613389aba9cbb5b29f4ddb010d33e3cc37a
SSDEEP

3072:kkl0Z6LPk7dNS50wATKDS1G0IrOSuWF/wuDvH1cD:kkl0Z6Ls7d6AxG0Ovd/nDvCD

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/goofy-ahh-ringtone.mp3\""
1⤵
PID:463

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/goofy-ahh-ringtone.mp3\""
1⤵
PID:463

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/goofy-ahh-ringtone.mp3
1⤵
PID:463
- /bin/zsh
  /bin/zsh -c /Users/run/goofy-ahh-ringtone.mp3
  2⤵
  PID:464
- /Users/run/goofy-ahh-ringtone.mp3
  /Users/run/goofy-ahh-ringtone.mp3
  2⤵
  PID:464

/usr/bin/bzip2
/usr/bin/bzip2 -f /var/log/wifi.log.0
1⤵
PID:489

/usr/libexec/xpcproxy
xpcproxy com.apple.Photos.1876
1⤵
PID:492

/System/Applications/Photos.app/Contents/MacOS/Photos
/System/Applications/Photos.app/Contents/MacOS/Photos
1⤵
PID:492

/usr/libexec/xpcproxy
xpcproxy com.apple.colorsync.useragent
1⤵
PID:494

/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
1⤵
PID:494

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:506

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:506

/usr/libexec/xpcproxy
xpcproxy com.apple.AppStore.1900
1⤵
PID:507

/System/Applications/App Store.app/Contents/MacOS/App Store
"/System/Applications/App Store.app/Contents/MacOS/App Store"
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy com.apple.storeuid
1⤵
PID:508

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
1⤵
PID:508

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:509

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:509

/usr/libexec/xpcproxy
xpcproxy com.apple.coremedia.videodecoder 507
1⤵
PID:510

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
1⤵
PID:510

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:514

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:515

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:516

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:517

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:517

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Photos//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Photos//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.colorsync.profiles.502

Filesize
21KB

MD5
9db518bda66915fe72a26868a4fd835c

SHA1
be437587315888e6f4ce2d686e4b2137d00600f1

SHA256
369d4051ed7358f1ab8f717200fc836d28fb6ad238fa9468d4fb8610633355aa

SHA512
0990b34adc0e700c8930cd622348c5012e624bfc5708a6ba539c86955b7f5d77395e669f8131a8d0a75e7001d0360673dd973354a9afc4ca2e3de9802ac90f3b

Download Submit

Analysis

Sharing