de405e80d59503bf1ac724e65aea61f0c6849311338fa120c9a01354228d0ef9

General

Target

32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
Size

469KB
MD5

991e707e324731f86a43900e34070808
SHA1

5b5afd8cecb865de3341510f38d217f47490eead
SHA256

32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153
SHA512

07411dffbc6beff08a901afa8db3af4bc7d214407f7b20a8570e16b3900f512ad8ee2d04e31bb9d870585b9825e9102078f6c40eb6df292f09fffe57eea37f79
SSDEEP

12288:wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQScn9:wiLJbpI7I2WhQqZ7c9

Score

4^/10

evasion execution

Malware Config

Signatures

JavaScript 1 TTPs 1 IoCs

Adversaries may abuse various implementations of JavaScript for execution.

execution

JavaScript

T1059.007

ioc	Process
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar	Process not Found

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe\""
1⤵
PID:476

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe\""
1⤵
PID:476

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
1⤵
PID:476
- /bin/zsh
  /bin/zsh -c /Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
  2⤵
  PID:478
- /Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
  /Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
  2⤵
  PID:478

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:503

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:503

/usr/libexec/xpcproxy
xpcproxy com.apple.JarLauncher.2128
1⤵
PID:504

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
"/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher"
1⤵
PID:504
- /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
  "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar
  2⤵
  PID:506

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:505

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:508

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:508

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:509

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:509

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:510

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:510

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.4709AF76-6CE6-46D2-A32A-F943EE928724 509
1⤵
PID:511

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:511

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:516

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.A26C9200-2E37-4DCA-A657-F832D7921F88 509
1⤵
PID:517

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:517

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 509
1⤵
PID:518

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:519

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.41A69C53-F8C9-4037-AE24-0B730E1422DD 509
1⤵
PID:520

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.D74ABA28-78B1-4B07-8AAD-975396DCFEA3 509
1⤵
PID:521

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.B9F8B33D-D99B-440A-8791-2DE294B96F80 509
1⤵
PID:523

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:523

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.FF6D06C4-1C37-48A7-842C-7B2B0BD15ACF 509
1⤵
PID:529

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.speech.speechsynthesisd
1⤵
PID:530

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.85573A37-B2FD-418B-A243-76AC95857100 509
1⤵
PID:531

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:531

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Safari/Favicon Cache/favicons/6950D9EFC03B8A4F37B6F5FB7B694716

Filesize
5KB

MD5
0b038a7a7498d6c62f4256cd5ea649f6

SHA1
efdbd7999d20108c44de32a661eb504b9d6cfdf1

SHA256
1013ffd709cd7e1922ad2b1058d65efc9bcbd603e327aa7ea7cdb512b253768f

SHA512
9ddc9527752d8fe1ed06345e96f7e346f78ae4870a2d760212d59676b964bf30faf491fde7517ec6e69a9e76fde58ea1a58948051a8b88f845ab355dc7657126

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/C24061FC89C3E7772447F7E5E42C765E

Filesize
5KB

MD5
9c06c9ce51e994786a3d6e5f6a754aec

SHA1
ae0ab8050b676a9f8ea905582f547538a866c50e

SHA256
3be07b8d96589e989f9a7aa18f08d9add4936a25c6aab9b4b5c9d7e8e951e1d1

SHA512
1569dc06acb5afe1a076c5276674f0c088f61b248c7912bb9a282db56a81fa3d6a956c3230b85e2c1d6e5c14c1c3f9cc0fd94d92aee74a0405563b8eeeea1b3c

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
264KB

MD5
24e88ed9a00987c2ab4dd494588daee2

SHA1
c49fb5719365551cbb1d2f8b4b8107dab79c0713

SHA256
399f71fd9592ea8935e3c84c36085c8fb791b6f6e02895bdb67d29abd269ca9d

SHA512
775832e29251e8b7786a0f416e2c565f1bd19cae376c9ae057552b4e2807d4a030d43e68abf2aaca3c5a5caf975a776ecdcd081f6c3a17239c58cb23766d0a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
17.5MB

MD5
16d2a210564cc2b113f58d6a639c0434

SHA1
a22072b91eaa391993583365a7e677be655a613d

SHA256
d4c4fba396fd80ccf0dfd34861448f06e55d9985f6eb5c7fcf63ecd858f77187

SHA512
bece807f3141f2cf0f6658ef038ecb5b147c8716bec46067194d82feaaa38d63c99b484cb2666335f803ab1038f52d19a377aabc94df64b95c45bfd0505cb543

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
107KB

MD5
400263614b7258f72cc2ec563f74f7e5

SHA1
e3fa8f2548390a8f246ccb58034407f5ffbd4c42

SHA256
1bcb6074c146ae79247045a89bedb0e15b3feb02ddd308a83564ddea6a091d96

SHA512
b8319f525d238d7c78e9ddf609329622f691bb652b57159285b3eaeae3cd9c21b191650c5bfa6d9f4cb1794cf6f26ce152f78b93f0631718082bfb24100e699d

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Resubmissions

Analysis

Sharing