21d9a8a8a9cb07b13bd2c8508d7a826d716c3411bea9ed6fcd160a18198cbd3a

Reason

Machine shutdown

General

Target

NotLockBit/22
Size

9.3MB
MD5

37ec80fbc2302d5893cb6984cb1a43e2
SHA1

6c19a41d033ccc39bd42bc2f2e830e1f5808ca15
SHA256

aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec
SHA512

cfb4a5d2a6db39c8c2e48a558164dacef2e59b341a2247870e7fd80cc39ad04e650708065b8c9ef7e139e2e16b8234a45716935b7b86f9314377968389e56d61
SSDEEP

98304:WXt8x60r9yht38/1l6OFjrEaa9cGRXG0WqxEirA+oL2:Yt0cht38T6ospeEUn+d

Score

6^/10

defense_evasion

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
112	raw.githubusercontent.com
111	raw.githubusercontent.com

Resource Forking 1 TTPs 6 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/NotLockBit/22\""
1⤵
PID:479

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/NotLockBit/22\""
1⤵
PID:479

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/NotLockBit/22
1⤵
PID:479
- /bin/zsh
  /bin/zsh -c /Users/run/NotLockBit/22
  2⤵
  PID:481
- /Users/run/NotLockBit/22
  /Users/run/NotLockBit/22
  2⤵
  PID:481

/usr/libexec/xpcproxy
xpcproxy com.apple.diagnosticd
1⤵
PID:504

/usr/libexec/diagnosticd
/usr/libexec/diagnosticd
1⤵
PID:504

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:507

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:508

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:508

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.BE6BDE3B-356E-4CF3-84A9-D4646F51418A 507
1⤵
PID:509

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:509

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:514

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.F5A6D50F-8334-4F96-A0C0-BAA9D5F2BA8E 507
1⤵
PID:515

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 507
1⤵
PID:516

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:519

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.9F729D4A-EDE2-4664-BFBA-CB1B997440E3 507
1⤵
PID:521

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.1F43E2B8-CAF8-4A93-8CB7-8517EA6B5209 507
1⤵
PID:522

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:527

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:527

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SandboxBroker 507
1⤵
PID:528

/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker
/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy "com.apple.xpc.launchd.oneshot.0x10000001.Archive Utility"
1⤵
PID:532

/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility
"/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility" -psn_0_188462
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.XprotectFramework.AnalysisService 415
1⤵
PID:533

/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
1⤵
PID:533

/usr/bin/macbinary
/usr/bin/macbinary probe --verbose /Users/run/Downloads/true.zip
1⤵
PID:534

/usr/bin/file
/usr/bin/file -b /Users/run/Downloads/true.zip
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy com.apple.archiveutility.auhelperservice 532
1⤵
PID:536

/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService
"/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService"
1⤵
PID:536

/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService
/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.appkit.xpc.sandboxedServiceRunner 532
1⤵
PID:538

/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner
/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:541

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.xpc.launchd.oneshot.0x10000002.TextEdit
1⤵
PID:542

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
/System/Applications/TextEdit.app/Contents/MacOS/TextEdit -psn_0_196656
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:543

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:543

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 543
1⤵
PID:544

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:544

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:545

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:546

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:547

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:548

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:551

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:552

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.security.remoteservice 543
1⤵
PID:553

/System/Library/PreferencePanes/Security.prefPane/Contents/XPCServices/com.apple.preference.security.remoteservice.xpc/Contents/MacOS/com.apple.preference.security.remoteservice
/System/Library/PreferencePanes/Security.prefPane/Contents/XPCServices/com.apple.preference.security.remoteservice.xpc/Contents/MacOS/com.apple.preference.security.remoteservice
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.sysextd
1⤵
PID:554

/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.preferencepane.security.AdvertisingExtension 553
1⤵
PID:555

/System/Library/PrivateFrameworks/PreferencePanesSupport.framework/PlugIns/AdvertisingExtension.appex/Contents/MacOS/AdvertisingExtension
/System/Library/PrivateFrameworks/PreferencePanesSupport.framework/PlugIns/AdvertisingExtension.appex/Contents/MacOS/AdvertisingExtension
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.preferencepane.security.PrivacyAnalytics 553
1⤵
PID:556

/System/Library/PrivateFrameworks/PreferencePanesSupport.framework/PlugIns/PrivacyAnalytics.appex/Contents/MacOS/PrivacyAnalytics
/System/Library/PrivateFrameworks/PreferencePanesSupport.framework/PlugIns/PrivacyAnalytics.appex/Contents/MacOS/PrivacyAnalytics
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.xpc.launchd.oneshot.0x10000003.TextEdit
1⤵
PID:557

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
/System/Applications/TextEdit.app/Contents/MacOS/TextEdit -psn_0_225335
1⤵
PID:557

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Downloads/NotLockBit/22

Filesize
9.3MB

MD5
37ec80fbc2302d5893cb6984cb1a43e2

SHA1
6c19a41d033ccc39bd42bc2f2e830e1f5808ca15

SHA256
aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec

SHA512
cfb4a5d2a6db39c8c2e48a558164dacef2e59b341a2247870e7fd80cc39ad04e650708065b8c9ef7e139e2e16b8234a45716935b7b86f9314377968389e56d61

Download Submit
/Users/run/Downloads/true.zip

Filesize
8.7MB

MD5
ac5f961f0869cc3e3f83085d9d4211aa

SHA1
78907647c468627cc7b9ec6165c51d298d0a686b

SHA256
21d9a8a8a9cb07b13bd2c8508d7a826d716c3411bea9ed6fcd160a18198cbd3a

SHA512
8661cf8c1b6c86e81af5a13b1e57e2f8585a294199b92db5153be820043ea3b33965d143d9f7863b73f526b353fa18e9589363a39b9b56acf4d280381b135ec7

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/44504B292E2FDDD8A36155F83B3EB6EF

Filesize
5KB

MD5
a383ed48037cd6d23aba4d9ca5e922a3

SHA1
90adf56648791d2577a20b7a2f9df371ed78a8ba

SHA256
9f9079dda64edfb00e12b02fa9cdb993aaece202b42430a8e8b03860bdf7552c

SHA512
e7b1384ab70d046bd6e6132035668df67f4263bbc066ee4c08915ec8638bb677f8e6635312e086f369e03b462f432bdf63ef7a0aa33cabf1790c762b775d1535

Download Submit
/var/db/.LastGKReject

Filesize
181B

MD5
2de6a04cdba79ed13580c47dfd70cc5f

SHA1
bcefe0558555914d731c16b1778c49e77fe06b99

SHA256
97704a8960b4facceef54397a08fb5d0a456247c3627359215aa2a27df22656c

SHA512
605dc81b28c530fc8ebcf3c5a28486af8bbd3303ee5df53b5424e492e5dbe01baa0468fa4da1398451a62dff4d45067a2bf765f7def9ca0890883484de38a13b

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
294KB

MD5
9af7e3f545ceea98835de1389d6c1156

SHA1
4c0629f221f2c1b00f7a714b9de7b362f0af626a

SHA256
172dfb8af08b61c7a6b5f36ab3991008671eba418cd7ab851c9235e733e80cfa

SHA512
1514effcef65146575d90355635c77948b5b264887287f8b341243807ef6bbb0d4896f7e12fb94e2f6b7b47f1d8e757852cf1b55308d0f219875fe352b963885

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
17.2MB

MD5
eee774841d296e99de8282c9fc80b4e9

SHA1
a638c8ad0186654a659025b232daf54200032e0b

SHA256
48659f4ac0d085455cd5e55f78843a4fe08d8144a9cf1fbe8680cb592af68070

SHA512
03b2b5394a5ce9627a9655367eaf6e29149f2512def38edea497f1547f939872f85f6c87ce95ed87b2060f7b8d1e9eebab087c39fdc3714f9a82180bcd670296

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
133KB

MD5
8211c27002b0072190ebead22f72978f

SHA1
249c2d44b2bc350cddc20debf1666b1b347c95f9

SHA256
2be6e3d790a9bfa523d9a9c0af062b604d9590651971f69309acd9e780bfe29d

SHA512
be140a681c3d6bd2f5ddb29f4094e06baf1fa9c3531a8273768b735d73e26753cfe9179dbb48d2783ae124a642ddf4a322cca23e55871337235e1e6ff30e3f2f

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Resubmissions

Analysis

Sharing

Errors