630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

Resubmissions

26/02/2025, 22:29

250226-2eejcavyf1 4

26/02/2025, 22:23

250226-2arm4swmw5 10

Analysis

max time kernel
732s
max time network
970s
platform
macos-10.15_amd64
resource
macos-20241106-en
resource tags

arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
26/02/2025, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

4^/10

defense_evasion

Malware Config

Signatures

Resource Forking 1 TTPs 7 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/[email protected]\""
1⤵
PID:458

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/[email protected]\""
1⤵
PID:458

/usr/bin/sudo
sudo /bin/zsh -c "/Users/run/[email protected]"
1⤵
PID:458
- /bin/zsh
  /bin/zsh -c "/Users/run/[email protected]"
  2⤵
  PID:460
- /Users/run/[email protected]
  "/Users/run/[email protected]"
  2⤵
  PID:460

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:447

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:450

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:444

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:442

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:453

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:488

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:488

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 488
1⤵
PID:489

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:489

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:491

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:492

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:493

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:494

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:495

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:497

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:497

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:498

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:498

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:500

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:501

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:502

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:503

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:503

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:506

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:506

/usr/libexec/xpcproxy
xpcproxy com.apple.diagnosticd
1⤵
PID:510

/usr/libexec/diagnosticd
/usr/libexec/diagnosticd
1⤵
PID:510

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/db/nsurlstoraged/dafsaData.bin

Filesize
54KB

MD5
64f469698e53d0c828b7f90acd306082

SHA1
bcc041b3849e1b0b4104ffeb46002207eeac54f3

SHA256
d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

SHA512
a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Download Submit