a997d2e17a012e432d92db0de69ef7780413f9d8c5125e13b161506a19382cda

Resubmissions

28/12/2024, 10:20

241228-mdf88axqhm 10

28/12/2024, 10:17

241228-mbmm8axqgp 10

Analysis

max time kernel
147s
max time network
142s
platform
macos-10.15_amd64
resource
macos-20241101-en
resource tags

arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
28/12/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
Size

3.0MB
MD5

8b26b29569c5d912d1d46e0de6a84edc
SHA1

367362b4ab6384833752b6936c296f3746859b82
SHA256

e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
SHA512

66d31cb407e9b784cef915fdb5ca9d10d1e071b94708f5f09966fb2b2f829f85bcc6fe760693bddd5485169016adf172910c77df27b99709422f1f060712ba56
SSDEEP

49152:ZguJx3jLj7BBmM5EW6djOp7b9rZpgcMiw04Z:px3LEfjA9NHwZZ

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac\""
1⤵
PID:463

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac\""
1⤵
PID:463

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
1⤵
PID:463
- /bin/zsh
  /bin/zsh -c /Users/run/e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
  2⤵
  PID:465
- /Users/run/e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
  /Users/run/e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
  2⤵
  PID:465

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.satellite.FBB89F63-0451-42D9-8E85-A82FB62A25E5 467
1⤵
PID:469

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
1⤵
PID:469

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:485

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:485

/usr/libexec/xpcproxy
xpcproxy com.apple.TextEdit.2092
1⤵
PID:486

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
1⤵
PID:486

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:487

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:491

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:491

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:492

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:492

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:493

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:493

/usr/libexec/xpcproxy
xpcproxy com.apple.colorsync.useragent
1⤵
PID:519

/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
1⤵
PID:519

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Desktop/encrypted_master_key.txt

Filesize
693B

MD5
9729389e587bbc826f7686407fb33b3a

SHA1
ccd2267bdcd62e17348f35ab2e7696190a15060b

SHA256
608444a6935cf3d7a9f56c25e61b59bcb6a7f546dade8ffe3c7cb3ccbcf5cc11

SHA512
d9cba02ffe4830f608cb62c03b77248b9759d597e83f8a0c251e2ca3646cb8a3c9f4277c88be9d7c32c584e00f55cf1c639725c77e3b99e7ad29302b3a949eb4

Download Submit