2e8a6d8e3f5e6fe16ba30fade1d097383fd8a408bd87220ed386ac61b3b7e79e

Resubmissions

28/02/2025, 07:53

250228-jq9jrawmv9 10

28/02/2025, 07:46

250228-jl5p1awlw9 10

Analysis

max time kernel
853s
max time network
1779s
platform
macos-10.15_amd64
resource
macos-20241101-en
resource tags

arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
28/02/2025, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll
Size

107KB
MD5

3293e67122b2a0f8bcdfb4bbc6576ac2
SHA1

bf3b11eca3ef68b591755febec08b189a27cf691
SHA256

2e8a6d8e3f5e6fe16ba30fade1d097383fd8a408bd87220ed386ac61b3b7e79e
SHA512

67d7b102077fe0f20ba502d45da7ec428322b9d0829e278483bd36ddfad925a2903c25c1bcc008954a4cd9b0eda68d7d1987edd2c1e022dbf1c7e813cce56c14
SSDEEP

1536:DbAJjSaBsyZ++i5FyV6pxPpzUsLSpc6P2fcOi1jToKAoSwzkK8:DbAJjS4lUZga5SppPgcOidToKAoSwQK8

Score

5^/10

defense_evasion execution persistence

Malware Config

Signatures

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001

Resource Forking 1 TTPs 6 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd	Process not Found
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd	Process not Found
/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd	Process not Found
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy	Process not Found

Launchctl 1 TTPs 1 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
/bin/launchctl load /Library/LaunchAgents/com.microsoft.update.agent.plist	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll\""
1⤵
PID:464

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll\""
1⤵
PID:464

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll
1⤵
PID:464
- /bin/zsh
  /bin/zsh -c /Users/run/JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll
  2⤵
  PID:465
- /Users/run/JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll
  /Users/run/JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll
  2⤵
  PID:465

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:500

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:500

/usr/libexec/xpcproxy
xpcproxy "com.apple.xpc.launchd.oneshot.0x10000001.Microsoft Word"
1⤵
PID:501

/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
"/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word" -psn_0_159783
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.XprotectFramework.AnalysisService 410
1⤵
PID:503

/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
1⤵
PID:503

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:504

/usr/libexec/xpcproxy
xpcproxy com.apple.storeuid
1⤵
PID:507

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:509

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:509

/usr/libexec/xpcproxy
xpcproxy com.microsoft.autoupdate.fba.2660
1⤵
PID:510

/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant
"/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant"
1⤵
PID:510

/bin/launchctl
/bin/launchctl list
1⤵
PID:511

/usr/libexec/xpcproxy
xpcproxy com.microsoft.autoupdate.helper
1⤵
PID:512

/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper
/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper
1⤵
PID:512

/bin/launchctl
/bin/launchctl load /Library/LaunchAgents/com.microsoft.update.agent.plist
1⤵
PID:513

/usr/bin/codesign
/usr/bin/codesign -v /Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:518

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:519

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.launcher.1708
1⤵
PID:527

/System/Applications/Siri.app/Contents/MacOS/Siri
/System/Applications/Siri.app/Contents/MacOS/Siri
1⤵
PID:527

/usr/libexec/xpcproxy
xpcproxy com.apple.Siri.2292
1⤵
PID:528

/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri
/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.SiriUI.SiriUISetupXPC 528
1⤵
PID:529

/System/Library/PrivateFrameworks/SiriUI.framework/Versions/A/XPCServices/SiriUISetupXPC.xpc/Contents/MacOS/SiriUISetupXPC
/System/Library/PrivateFrameworks/SiriUI.framework/Versions/A/XPCServices/SiriUISetupXPC.xpc/Contents/MacOS/SiriUISetupXPC
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.Siri.agent
1⤵
PID:530

/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri
/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri launchd
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.siriknowledged
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.SiriUI.SiriUISetupXPC 530
1⤵
PID:533

/System/Library/PrivateFrameworks/SiriUI.framework/Versions/A/XPCServices/SiriUISetupXPC.xpc/Contents/MacOS/SiriUISetupXPC
/System/Library/PrivateFrameworks/SiriUI.framework/Versions/A/XPCServices/SiriUISetupXPC.xpc/Contents/MacOS/SiriUISetupXPC
1⤵
PID:533

/usr/libexec/siriknowledged
/usr/libexec/siriknowledged
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:535

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:536

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:536

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.SandboxHelper 386
1⤵
PID:538

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.SiriNCService 530
1⤵
PID:539

/System/Library/CoreServices/Siri.app/Contents/XPCServices/SiriNCService.xpc/Contents/MacOS/SiriNCService
/System/Library/CoreServices/Siri.app/Contents/XPCServices/SiriNCService.xpc/Contents/MacOS/SiriNCService
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.SandboxHelper 304
1⤵
PID:540

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy com.apple.speech.speechsynthesisd
1⤵
PID:541

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.ClientFlow.ClientScripter 386
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.assistant_service
1⤵
PID:543

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/XPCServices/com.apple.siri.ClientFlow.ClientScripter.xpc/Contents/MacOS/com.apple.siri.ClientFlow.ClientScripter
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/XPCServices/com.apple.siri.ClientFlow.ClientScripter.xpc/Contents/MacOS/com.apple.siri.ClientFlow.ClientScripter
1⤵
PID:542

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistant_service
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistant_service
1⤵
PID:543

/usr/libexec/xpcproxy
xpcproxy com.apple.speech.speechdatainstallerd
1⤵
PID:545

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.AssistantService
1⤵
PID:546

/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/ABAssistantService.app/Contents/MacOS/ABAssistantService
/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/ABAssistantService.app/Contents/MacOS/ABAssistantService
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.StreamingUnzipService 185
1⤵
PID:550

/System/Library/PrivateFrameworks/StreamingZip.framework/Versions/A/XPCServices/com.apple.StreamingUnzipService.xpc/Contents/MacOS/com.apple.StreamingUnzipService
/System/Library/PrivateFrameworks/StreamingZip.framework/Versions/A/XPCServices/com.apple.StreamingUnzipService.xpc/Contents/MacOS/com.apple.StreamingUnzipService
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:551

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:552

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.0F4ED668-B1CB-41FD-98C9-4216EA31BD5C 551
1⤵
PID:553

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:557

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.296C8D1A-7A09-4D38-B3AB-FF1B9E4F9763 551
1⤵
PID:558

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:560

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:561

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:562

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.coremedia.videodecoder 558
1⤵
PID:563

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.EC7A4F45-6C04-4362-AF40-B12EECE1CBF6 551
1⤵
PID:564

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy com.apple.icloud.FMIPClientXPCService 543
1⤵
PID:565

/System/Library/PrivateFrameworks/FMClient.framework/Versions/A/XPCServices/FMIPClientXPCService.xpc/Contents/MacOS/FMIPClientXPCService
/System/Library/PrivateFrameworks/FMClient.framework/Versions/A/XPCServices/FMIPClientXPCService.xpc/Contents/MacOS/FMIPClientXPCService
1⤵
PID:565

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.AssistantService
1⤵
PID:567

/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/ABAssistantService.app/Contents/MacOS/ABAssistantService
/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/ABAssistantService.app/Contents/MacOS/ABAssistantService
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:569

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:569

/usr/libexec/xpcproxy
xpcproxy com.apple.mobile.keybagd
1⤵
PID:570

/usr/libexec/keybagd
/usr/libexec/keybagd -t 15
1⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy com.apple.ViewBridgeAuxiliary
1⤵
PID:571

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy com.apple.mobileassetd
1⤵
PID:572

/usr/libexec/mobileassetd
/usr/libexec/mobileassetd
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.ScreenTimeAgent
1⤵
PID:573

/System/Library/PrivateFrameworks/ScreenTimeCore.framework/Versions/A/ScreenTimeAgent
/System/Library/PrivateFrameworks/ScreenTimeCore.framework/Versions/A/ScreenTimeAgent
1⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:574

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:579

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:579

/usr/libexec/xpcproxy
xpcproxy com.apple.tccd
1⤵
PID:581

/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd
/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.sandboxd
1⤵
PID:582

/usr/libexec/sandboxd
/usr/libexec/sandboxd
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy com.apple.bird
1⤵
PID:583

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
1⤵
PID:583

/usr/libexec/xpcproxy
xpcproxy com.apple.secd
1⤵
PID:584

/usr/libexec/secd
/usr/libexec/secd
1⤵
PID:584

/usr/libexec/xpcproxy
xpcproxy com.apple.iconservices.iconservicesagent
1⤵
PID:586

/System/Library/CoreServices/iconservicesagent
/System/Library/CoreServices/iconservicesagent
1⤵
PID:586

/usr/libexec/xpcproxy
xpcproxy com.apple.iconservices.iconservicesd
1⤵
PID:587

/System/Library/CoreServices/iconservicesd
/System/Library/CoreServices/iconservicesd
1⤵
PID:587

/usr/libexec/xpcproxy
xpcproxy com.apple.diagnosticd
1⤵
PID:590

/usr/libexec/diagnosticd
/usr/libexec/diagnosticd
1⤵
PID:590

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:593

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:592

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:593

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:595

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:595

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:596

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:597

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:598

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:598

/usr/libexec/xpcproxy
xpcproxy com.apple.cfprefsd.xpc.agent
1⤵
PID:599

/usr/sbin/cfprefsd
/usr/sbin/cfprefsd agent
1⤵
PID:599

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:602

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:603

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:603

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:604

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:604

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:605

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:605

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
203B

MD5
8f101d826eb887e9dc92e0830c370102

SHA1
5b4cb03d808be1376e157855cfeab05e25a9aee3

SHA256
3184a330a335afc6a3facc5b8687266dcd4a9fbacb01b1c3fece9b4b5a107d2a

SHA512
0103096e154ec3b08de12c4a72032ccd9434a80dd0f494d20a57b390f93d01cb68e5fd9f301377bfba16a1be8d20a0c0c5205b012142286afc0732d3c1131077

Download Submit
/Users/run/Library/Application Support/AddressBook/Metadata/.info

Filesize
341B

MD5
afea2f7e2d03857c05e59c8585ebc80c

SHA1
3edf27cf3873320c75d7eefd44cff1b28e31e89a

SHA256
3fc68bee5c0f4b62db7a817ec91a894be429b70cb2617d5b6d1af2d9e1b8c676

SHA512
18270a088149f35b66f18bb32587847fd3fe5823a89b04bded707851b89ca937e78e8d6bbf37a9171e51e51b3d6a01c392adaebe31ea9892dddefe909e3786bf

Download Submit
/Users/run/Library/Application Support/AddressBook/Metadata/.info

Filesize
341B

MD5
365fd4cba360ec7549dc7bc899c28fcd

SHA1
47fb870cee2f4705f5af17c4cd2eec336b198a84

SHA256
4b539a9e6a299ff267a248d01b96fd45489f1a549d0105e3e5093f62fffc70bb

SHA512
b3afb6b57493734c9edc58054ef365587de56af102a0be78a99c08c888a704cd597572c769cda35c1c8e30ad3f8b9a0808c46656f2da9f48d202c89f4a94e453

Download Submit
/Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/microsoft word_Rules.xml

Filesize
258KB

MD5
5a33211bed7be6cc385ae7fbef44e01a

SHA1
a0b3b3ed558bb4efec995b2173645123667a9945

SHA256
fae19f0f726a3973bd8e7ae5b3fe7afaedacda3cbe0f9642526e710c58a485d4

SHA512
e469ce16cbc7ba515a0b2d9e2785d186b7ed30b88c1546f655182d85578a9df7e13c174eeb9ccfa0f971676fb39e35e0621dabdb34ad848da8e6552c9654aa97

Download Submit
/Users/run/Library/Group Containers/UBF8T346G9.Office/FontCache/4/PreviewFont/hier_officeFontsPreview_4_40.ttf

Filesize
1.9MB

MD5
8c638d09eea80c9b1963af8cc35870a5

SHA1
f67fc7503e05b99f232945bc1bbb7d50bc70f88d

SHA256
4bcfa32557e0bfffd5766cf6057b9e04ac9af9c101033fd305fba7190305a385

SHA512
b1cee1f2e0f2cdd2611c1af18d5cd3b481da6c7c761cc74f2fc9c99025215a8c03f117bd1f8cdd3fa01210c542ba9e1c7246954e43ce100c84b1ea4082000c07

Download Submit
/Users/run/Library/Keychains/metadata.keychain-db

Filesize
23KB

MD5
bf09fbb0d8e6788e78735f60f2c428e5

SHA1
f33b87a45de81da281301923c4ccab965d49d64e

SHA256
afc2f1744309402b460db7535d9697cdeb3013b2659c4ca5ff1f826f1149e2cc

SHA512
e41bdaa78c20367676c86f4d0d2dce7a18313519c9b38f3c1bfa4d40ce290e01a4d7562d35c04e53fb214876bb80263ce33fd225ace3d653aeba57b14dc3efa7

Download Submit
/Users/run/Library/Keychains/metadata.keychain-db

Filesize
23KB

MD5
ac83eaff6e8479bcdec0d95676e7ebd3

SHA1
a910b32b158ac5877e9e979c55fbd6ca74272147

SHA256
502b76d02571f2b779477a4db9cd1942950f389e4b4de90e48f74663cd20a5a6

SHA512
c003fa891a6866e54f1d5c4da8322d83ce5f4a9ebfa7fee585f3171d45a99e58fd4bf4f1a9af81948188aa59a08a41d3833411cbe4b613aa9b57a70d1cbfca4e

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/AAAC62FB4DA700C4656A1918349BA767

Filesize
21KB

MD5
38cfdb248210ffd12a6e774119609de8

SHA1
d10a44e5d06c8a95e4c61ae770cc8f0c8d372253

SHA256
5493c61cf725cf3a1d63cd9d07de75b0d6faa5564e772f7d0a6074f341442938

SHA512
7d0ae6125e5c10d52847ac10e5200f2aaa84932ea5d10af54440c0abc27af19285cb760f0e8dad0bac4371e4b384ffaddcf235f9f1ba29e6dc41ef29deac4fba

Download Submit
/Users/run/tmp/asd.docx

Filesize
11KB

MD5
5362975f0e0112e5984c3ae49460782e

SHA1
c7328dde242906c5ea41371e2e151fe09e957068

SHA256
3886c77e7f9c11e0b49380667095c44d229b2aa20c51ce3a7c6e80dee6cfe104

SHA512
3102fd6438f63fcefe7b0bd6dad2fce2e8f34a0135abf945f62f766ad4689a1751c2b60796bd9f78710980f7d115aadfc3ed8990514d78b038a187bd9a7af15e

Download Submit
/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1373.xml

Filesize
193KB

MD5
bab28c4619ac11dee883a95ea7c9570c

SHA1
6a89df546d7b61806bbd48edfa86d9eda1f51d74

SHA256
1ccf4a4ab457e540fad0b23a376e5eaae0626f3aa3bee27dd603a90bc1f62c27

SHA512
7609254c5902cd18f049d8def3bcfe1f36b18c99237e830ec50841dd1c5308d72f471519763755954a94032ee103ee0ea9d919937cca7fec96671e558125dd7f

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
230KB

MD5
3220e2a6b77da493333de9dce0e1f700

SHA1
e3b08ef1a3e5ef386b2ff4e02952dabe66c24239

SHA256
a130b45da730aa5733b903f77f5df00784780f6378aa8aec505e3e605e57ce0a

SHA512
fa5f5981040eb33a8abbfd8808ffd0bb2c12294da334797046e61b3a979f18ecf107677071bd80c452cd640b55b4d01e3b1b45dd3248fea67cfd1af02d96ad3c

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
17.9MB

MD5
48f49af80fe165e8ba3d01254868762d

SHA1
9788b324f41a5211d84dfbfe8daa9ef6bdda148c

SHA256
936da4f688246a17382a980821401022ed8ad085cf3a5a7baefa808feb88c1ed

SHA512
716b251d9abe05b4fc575424b7121791648464b8e39496997283d23cb617e17cb292b7120b015f64215745afcbb18bb1765881cadcd8838cad23a6c2e1601232

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
147KB

MD5
10c0a44e8604fffa2f962b112695f4d1

SHA1
097f56c98bdd0600a84c13136cb6cb2c72e3ed55

SHA256
7c8d81810fa86ec8549ae1245171a64a0d0031ded1f789f6115c13832d6713ed

SHA512
6404fa40bacbbf5a211f3d765a781d92c1c71f8a32039c724cff5e95f5a2d52ee78487a95f7d2f9f05f0ced64a3495567ea4c655bae166aa6f0832d5941d55b5

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.microsoft.Word//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.microsoft.Word//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit