Resubmissions
submission id        score   submitted
250213-xerfpa1qhl    8       13/02/2025, 18:46
250213-vs3d1azqgq    8       13/02/2025, 17:15
250203-g3pc8svlfl    3       03/02/2025, 06:19
241220-zxvl6stpcv    3       20/12/2024, 21:06
241215-d2ekvssngx    4       15/12/2024, 03:29
241215-d1lb1ssnft    4       15/12/2024, 03:28
241206-yy9baavnft    4       06/12/2024, 20:12
241206-yyyjsavnd1    3       06/12/2024, 20:12
241206-ysa7asvkfv    8       06/12/2024, 20:02
Analysis
max time kernel: 1320s
max time network: 1433s
platform: macos-10.15_amd64
resource: macos-20241106-en
resource tags: arch:amd64, arch:i386, image:macos-20241106-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
submitted: 15/12/2024, 03:29
Static task: static1
Behavioral task: behavioral1
Sample: ubuntu2404-amd64-20240523-uk.ps1
Resource: macos-20241106-en
General
Target: ubuntu2404-amd64-20240523-uk.ps1
Size: 1B
MD5: f1290186a5d0b1ceab27f4e77c0c5d68
SHA1: aff024fe4ab0fece4091de044c58c9ae4233383a
SHA256: 50e721e49c013f00c62cf59f2163542a9d8df02464efeb615d31051b0fddc326
SHA512: aa66509891ad28030349ba9581e8c92528faab6a34349061a44b6f8fcd8d6877a67b05508983f12f8610302d1783401a07ec41c7e9ebd656de34ec60d84d9511
Malware Config
Signatures
Resource Forking (1 TTPs, 11 IoCs)
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
IoC (process) | result
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool | Process not Found
"/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated" | Process not Found
"/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd" | Process not Found
/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager | Process not Found
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool | Process not Found
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref | Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool | Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd | Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck | Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck | Process not Found
Processes (indentation shows depth in the process tree; each row is image path | command line | PID)
/bin/sh | sh -c "sudo /bin/zsh -c \"/Users/run/ubuntu2404-amd64-20240523-uk.ps1\"" | PID 457
/bin/bash | sh -c "sudo /bin/zsh -c \"/Users/run/ubuntu2404-amd64-20240523-uk.ps1\"" | PID 457
/usr/bin/sudo | sudo /bin/zsh -c /Users/run/ubuntu2404-amd64-20240523-uk.ps1 | PID 457
  /bin/zsh | /bin/zsh -c /Users/run/ubuntu2404-amd64-20240523-uk.ps1 | PID 460
  /Users/run/ubuntu2404-amd64-20240523-uk.ps1 | /Users/run/ubuntu2404-amd64-20240523-uk.ps1 | PID 460
  /bin/sh | sh /Users/run/ubuntu2404-amd64-20240523-uk.ps1 | PID 460
  /bin/bash | sh /Users/run/ubuntu2404-amd64-20240523-uk.ps1 | PID 460
    /usr/bin/w | w | PID 461
/usr/libexec/pkreporter | /usr/libexec/pkreporter | PID 448
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | PID 450
/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged | "/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged" | PID 442
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd | /System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd | PID 445
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck | PID 452
/usr/libexec/xpcproxy | xpcproxy com.apple.nsurlstoraged | PID 488
/usr/libexec/nsurlstoraged | /usr/libexec/nsurlstoraged --privileged | PID 488
/usr/libexec/xpcproxy | xpcproxy com.apple.systempreferences.2140 | PID 489
/System/Applications/System Preferences.app/Contents/MacOS/System Preferences | "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences" | PID 489
/usr/libexec/xpcproxy | xpcproxy com.apple.AccountProfileRemoteViewService 489 | PID 490
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService | /System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService | PID 490
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool | /System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool | PID 493
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool | /System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool | PID 494
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck | /System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck | PID 495
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref | /System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref | PID 496
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool | /System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool | PID 497
/usr/libexec/xpcproxy | xpcproxy com.apple.nfcd | PID 499
/usr/libexec/nfcd | /usr/libexec/nfcd | PID 499
/usr/libexec/xpcproxy | xpcproxy com.apple.studentd | PID 500
/usr/libexec/studentd | /usr/libexec/studentd | PID 500
/usr/libexec/xpcproxy | xpcproxy com.apple.preferences.softwareupdate.remoteservice 489 | PID 502
/System/Library/PreferencePanes/SoftwareUpdate.prefPane/Contents/XPCServices/com.apple.preferences.softwareupdate.remoteservice.xpc/Contents/MacOS/com.apple.preferences.softwareupdate.remoteservice | /System/Library/PreferencePanes/SoftwareUpdate.prefPane/Contents/XPCServices/com.apple.preferences.softwareupdate.remoteservice.xpc/Contents/MacOS/com.apple.preferences.softwareupdate.remoteservice | PID 502
/usr/libexec/xpcproxy | xpcproxy com.apple.softwareupdated | PID 503
/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated | "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated" | PID 503
/usr/libexec/xpcproxy | xpcproxy com.apple.suhelperd | PID 504
/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd | "/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd" | PID 504
/usr/libexec/xpcproxy | xpcproxy com.apple.SoftwareUpdateNotificationManager | PID 507
/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager | /System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager | PID 507
/usr/libexec/xpcproxy | xpcproxy com.apple.metadata.mdwrite | PID 508
/System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues | /System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues -z | PID 509
/usr/libexec/xpcproxy | xpcproxy com.apple.system_installd | PID 512
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd | PID 512
/usr/libexec/xpcproxy | xpcproxy com.apple.security.agent | PID 515
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent | /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent | PID 515
/usr/libexec/xpcproxy | xpcproxy com.apple.ReportMemoryException | PID 516
/usr/libexec/ReportMemoryException | /usr/libexec/ReportMemoryException | PID 516
/usr/libexec/xpcproxy | xpcproxy com.apple.spindump | PID 517
/usr/sbin/spindump | /usr/sbin/spindump | PID 517
/usr/libexec/xpcproxy | xpcproxy com.apple.spindump_agent | PID 518
/usr/libexec/spindump_agent | /usr/libexec/spindump_agent | PID 518
/usr/libexec/xpcproxy | xpcproxy com.apple.Safari.2028 | PID 519
/Applications/Safari.app/Contents/MacOS/Safari | /Applications/Safari.app/Contents/MacOS/Safari | PID 519
/usr/libexec/xpcproxy | xpcproxy com.apple.Safari.History | PID 520
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History | /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History | PID 520
/usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.C269618D-647E-43A6-83FA-60D4863DEDB4 519 | PID 521
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | PID 521
/usr/libexec/xpcproxy | xpcproxy com.apple.SafariLaunchAgent | PID 526
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent | /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent | PID 526
/usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.E626C343-5F30-4F3A-B215-568728391B4F 519 | PID 527
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | PID 527
/usr/libexec/xpcproxy | xpcproxy com.apple.Safari.SearchHelper 519 | PID 528
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper | /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper | PID 528
/usr/libexec/xpcproxy | xpcproxy com.apple.Safari.SafeBrowsing.Service | PID 529
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service | /System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service | PID 529
/usr/libexec/xpcproxy | xpcproxy com.apple.WebKit.WebContent.1918B83E-74DB-434C-97AD-A0C30BC2EC19 519 | PID 530
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent | PID 530
/bin/sh | sh -c /usr/sbin/kextstat | PID 537
/bin/bash | sh -c /usr/sbin/kextstat | PID 537
/usr/sbin/kextstat | /usr/sbin/kextstat | PID 537
/usr/libexec/xpcproxy | xpcproxy com.apple.bsd.dirhelper | PID 540
/usr/libexec/xpcproxy | xpcproxy com.apple.gkreport | PID 585
/usr/libexec/gkreport | /usr/libexec/gkreport | PID 585
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 495B
MD5: 3439dcb6d4ce19d3ea022b8bb17cba7a
SHA1: e412c16548b6fcc5fd488315cd70b324ca4d782e
SHA256: aec405d7619e28da751fafd97782015affebdb36e863c58eea2b658551a59e7b
SHA512: 8ca944a1a157f6933a5efeea35aa7626d0dd5f6fd4b5d9fe08c3760b39b6f54289e502923ca7616110c468173f0389f2ce1e35899d171bd08873678759aba93b

Filesize: 17.5MB
MD5: 3d2a6f063676da3813dff196c9b9e625
SHA1: ea8669106aa219d892044f8991a1bf223887b727
SHA256: c107ae7a24af41b944ae548d3d34c68ff106bd23699df6145e73af2ff51bae63
SHA512: 9a3bc0eb4d160289ef2da4a189a30ae1526718a29c69412391a21005755cb2c2a1f05f9cad736110683a82c0b2bdac874eb0e04f61242e95056c1373f85a7472

Filesize: 54KB
MD5: 64f469698e53d0c828b7f90acd306082
SHA1: bcc041b3849e1b0b4104ffeb46002207eeac54f3
SHA256: d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd
SHA512: a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Path: /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression
Filesize: 330KB
MD5: 5334d0ab8877111c615294e638bc9440
SHA1: 25d0e8502a442422325e07f5eed6d7e78b9b1a86
SHA256: bf78e7992c36ba899791b3c4e32560ff5401c873897cf6c701f04e892ff159be
SHA512: 3fa676a417dd63a4f25210073958baacc4e2dea52bcbbc86c384e4f6c89da5fedcc376de8e665afa91f1d0d61cfe83321198bbc790ac0ac48a29058605cac26a

Path: /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression
Filesize: 17.3MB
MD5: b266cbf17fdeed762ce05e48ce1bcf29
SHA1: 78854f134e84bab70ac0abadef6e766487bacd71
SHA256: d5832888bd6d27008961d89b068a16a7edd804f71c107fddebdbca1d37d333bf
SHA512: 2c2e1b8d2f26ebf341993e228427d169f23d59533781958577630bfdfa39b2741905514101cd5cd5602b9d7d962b8ec7d58bd07074e91679e8042eab2ddffe2c

Path: /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression
Filesize: 116KB
MD5: 127a3149e45f90d7b6a17e25289fa534
SHA1: d76619b2eec45c9ca4f476ef220f27bce069e586
SHA256: fc2d3826e51e8b1a1e3ecd689689381b22de98e813fda38990b353e16fb1296d
SHA512: ca30032817c4331050a8d64d18ba76438702cda7e2b098f49181534ae0226e1f051f595a9ef889bcce07d3eb62b2284fa871e9844de606f90947d43186617b0f

Filesize: 136KB
MD5: 91b5fd85f75e5436a4d92b81a65c24cd
SHA1: 324205d94af10cbfe5a6097a49e556711fdbd2c6
SHA256: 93e3d7f4fceec5db0f09f47d4ddc177b606540dc0d22f13048d8201ca4595d3b
SHA512: ab8fca4ae462f930c3ce5abf2562459fd4a942c0e5db0f092222c9905a7dd3fa28e41f0f4c44f1377189749c0fa2d971b31d05a7c5f4eebb8dda679bd3da79fe

Filesize: 47KB
MD5: 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1: 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256: cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512: 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Filesize: 4KB
MD5: d3a1859e6ec593505cc882e6def48fc8
SHA1: f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256: 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512: ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Path: /var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/072-44286_5B7A23C3-9F84-44A9-850A-B33C61E7FA6E/MajorOSInfo.pkg
Filesize: 1.2MB
MD5: 0c2689b6d145eea992ddf70c4cf58528
SHA1: 88cebbc435de0397343ba0466a59a766f92da423
SHA256: ff383900c4d354bc96c91e8c3dee1fb24f7b90b03bb18e9d4a5803dde025f9b7
SHA512: 0990b20c0ae15bf03b2dcee6c25ba0fd3a9ffa4715eee35be8ddafd1868e1bc95d5bb9c3275ad8a7e2212f99167449a410b8e559fd7be28fa17d937967965fcd

Path: /var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/072-44286_5B7A23C3-9F84-44A9-850A-B33C61E7FA6E/Payload/System/Library/CoreServices/MajorOSInfo.bundle/Contents/Info.plist
Filesize: 863B
MD5: 8797904ca5283bfd732e50c0a9f9b9d9
SHA1: f89123187e7533f944515c43f61d349cb092289b
SHA256: d572679860abe8cc8ca163774406a5a67aa9b5c2af22d7029caa684b7815be1a
SHA512: 65be603f8c334e8db4d7406fe11c3b393c7a8e65f043258c299db5e662ba28b2283e577b5055a4e26824a9478b256f7e6123380b6682d16b573badb08fbc0f8c

Path: /var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/072-44286_5B7A23C3-9F84-44A9-850A-B33C61E7FA6E/Payload/System/Library/CoreServices/MajorOSInfo.bundle/Contents/Resources/OSBadge.icns
Filesize: 1.3MB
MD5: 84a52b22f460032e7da3b48d33d59ff8
SHA1: adaee5ad5a40de3c853f22beb0ee721ba51248a5
SHA256: 8718b54792b537c53be8bc34a046b08ae6df5e55afb5d048fa2a277b596310f5
SHA512: a024abc73d9a0f132d423c5643842fefcf10b3b6f4b45f2d77fb540fadd41c38dabe31a53bd63fd2edb05866622e10b1d7efcd0e353258f42be07e659d1d330b

Path: /var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/softwareupdated/072-44286_5B7A23C3-9F84-44A9-850A-B33C61E7FA6E/Payload/System/Library/CoreServices/MajorOSInfo.bundle/Contents/Resources/en.lproj/Localizable.strings
Filesize: 155B
MD5: 63ce136b60c67afcd837e1a387b576ff
SHA1: 17493a07f2ac52ffbe0769a013ee6c1afb3a1f96
SHA256: b86c08f715f38c1c6268a7cf60e6548d6eeb252db1698abb81b55b54569e13e4
SHA512: 68d077aa6fe71242a248246d0ead0bf58c505e4b01895a1c53779ec129bb9216ffc11f2c9bb50000f7013787f16771d7cac313d05d63a8d4f759b301b6d8244c

Filesize: 1.1MB
MD5: 64f5fd002fa756fa6ef658c529ba654d
SHA1: 52ae32881321e2ef26b621350b29de43249f74c1
SHA256: 9e0bb77fd67b518ea34cfca0956352ca1985676e6f15edffe8209f1b43ce93bf
SHA512: 4282d629941eee6a4682c609d9770ebc68673764e961d5ab3152ff6ed2c5b703da8c88af203e49804d41ea581efc4bce90540d57925b447768c545a056aad2f4