37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8

General

Target

37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Size

1.8MB
MD5

8480b3439f6f2fe71ff8136c8475a0e1
SHA1

8f787c424f7a1ac854d26b723008ea29d9f1b1aa
SHA256

37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8
SHA512

2b72c1f30549156dcf42aff32d2967580147a1cc499ca93f7a3e2b773e814bd9c368772d6ed02031c086b2c8376b405d30c7a43abff0729732232ad008e97958
SSDEEP

49152:fyPxPnQHIr7nIXvPvwrARGSLEUBLEffrLrr90+:6PxfQoTIXvPYlSLEWgXrLrr

Score

4^/10

Malware Config

Signatures

Resource Forking 1 TTPs 6 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd	Process not Found
/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/systemmigrationd	Process not Found
/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd	Process not Found
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe\""
1⤵
PID:471

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe\""
1⤵
PID:471

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
1⤵
PID:471
- /bin/zsh
  /bin/zsh -c /Users/run/37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
  2⤵
  PID:473
- /Users/run/37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
  /Users/run/37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
  2⤵
  PID:473

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:497

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:497

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:505

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:505

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:512

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:512

/System/Applications/TV.app/Contents/MacOS/TV
/System/Applications/TV.app/Contents/MacOS/TV
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.accessibility.mediaaccessibilityd
1⤵
PID:516

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy com.apple.adid
1⤵
PID:519

/System/Library/PrivateFrameworks/CoreADI.framework/adid
/System/Library/PrivateFrameworks/CoreADI.framework/adid
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputMenuAgent
1⤵
PID:521

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputSwitcher
1⤵
PID:522

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:523

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:523

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.DD2860CF-DD36-4FC2-9D51-8D1C125AF613 513
1⤵
PID:524

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:526

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:527

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:527

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:528

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:529

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:531

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.systemprofiler
1⤵
PID:534

/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information
"/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information"
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.replayd
1⤵
PID:537

/usr/libexec/replayd
/usr/libexec/replayd
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:538

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:540

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.system_installd
1⤵
PID:542

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
1⤵
PID:542

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 535
1⤵
PID:548

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:548

/System/Applications/TV.app/Contents/PlugIns/TVStorageExtension.appex/Contents/MacOS/TVStorageExtension
/System/Applications/TV.app/Contents/PlugIns/TVStorageExtension.appex/Contents/MacOS/TVStorageExtension
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.Photos.StorageManagementExtension 534
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.STMExtension.Mail 534
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.messages.StorageManagementExtension 534
1⤵
PID:552

/System/Applications/Photos.app/Contents/PlugIns/PhotosStorageExtension.appex/Contents/MacOS/PhotosStorageExtension
/System/Applications/Photos.app/Contents/PlugIns/PhotosStorageExtension.appex/Contents/MacOS/PhotosStorageExtension
1⤵
PID:550

/System/Applications/Messages.app/Contents/PlugIns/Messages Storage Management Extension.appex/Contents/MacOS/Messages Storage Management Extension
"/System/Applications/Messages.app/Contents/PlugIns/Messages Storage Management Extension.appex/Contents/MacOS/Messages Storage Management Extension"
1⤵
PID:552

/System/Applications/Mail.app/Contents/PlugIns/MailStorageManagement.appex/Contents/MacOS/MailStorageManagement
/System/Applications/Mail.app/Contents/PlugIns/MailStorageManagement.appex/Contents/MacOS/MailStorageManagement
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.STMExtension.Trash 534
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.STMExtension.iOSFiles 534
1⤵
PID:554

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/TrashStorageExtension.appex/Contents/MacOS/TrashStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/TrashStorageExtension.appex/Contents/MacOS/TrashStorageExtension
1⤵
PID:553

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/iOSFilesStorageExtension.appex/Contents/MacOS/iOSFilesStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/iOSFilesStorageExtension.appex/Contents/MacOS/iOSFilesStorageExtension
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.iBooksX.DiskSpaceEfficiency
1⤵
PID:557

/System/Applications/Music.app/Contents/PlugIns/MusicStorageExtension.appex/Contents/MacOS/MusicStorageExtension
/System/Applications/Music.app/Contents/PlugIns/MusicStorageExtension.appex/Contents/MacOS/MusicStorageExtension
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.STMExtension.CloudFiles 534
1⤵
PID:558

/System/Applications/Podcasts.app/Contents/PlugIns/MacPodcastsStorageExtension.appex/Contents/MacOS/MacPodcastsStorageExtension
/System/Applications/Podcasts.app/Contents/PlugIns/MacPodcastsStorageExtension.appex/Contents/MacOS/MacPodcastsStorageExtension
1⤵
PID:556

/System/Applications/Books.app/Contents/PlugIns/DiskSpaceEfficiency.appex/Contents/MacOS/DiskSpaceEfficiency
/System/Applications/Books.app/Contents/PlugIns/DiskSpaceEfficiency.appex/Contents/MacOS/DiskSpaceEfficiency
1⤵
PID:557

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/CloudFilesStorageExtension.appex/Contents/MacOS/CloudFilesStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/CloudFilesStorageExtension.appex/Contents/MacOS/CloudFilesStorageExtension
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.STMExtension.OtherUsers 534
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.STMExtension.Applications 534
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.STMExtension.GarageBand 534
1⤵
PID:561

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/OtherUsersStorageExtension.appex/Contents/MacOS/OtherUsersStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/OtherUsersStorageExtension.appex/Contents/MacOS/OtherUsersStorageExtension
1⤵
PID:559

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/GarageBandStorageExtension.appex/Contents/MacOS/GarageBandStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/GarageBandStorageExtension.appex/Contents/MacOS/GarageBandStorageExtension
1⤵
PID:561

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/ApplicationsStorageExtension.appex/Contents/MacOS/ApplicationsStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/ApplicationsStorageExtension.appex/Contents/MacOS/ApplicationsStorageExtension
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.CloudDocsDaemon.StorageManagement 534
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.STMExtension.AppleInternal 534
1⤵
PID:563

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/AppleInternalStorageExtension.appex/Contents/MacOS/AppleInternalStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/AppleInternalStorageExtension.appex/Contents/MacOS/AppleInternalStorageExtension
1⤵
PID:563

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/PlugIns/CloudDocsStorageManagement.appex/Contents/MacOS/CloudDocsStorageManagement
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/PlugIns/CloudDocsStorageManagement.appex/Contents/MacOS/CloudDocsStorageManagement
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.CloudPhotosConfiguration
1⤵
PID:566

/System/Library/PrivateFrameworks/CloudPhotoServices.framework/Versions/A/XPCServices/com.apple.CloudPhotosConfiguration.xpc/Contents/MacOS/com.apple.CloudPhotosConfiguration
/System/Library/PrivateFrameworks/CloudPhotoServices.framework/Versions/A/XPCServices/com.apple.CloudPhotosConfiguration.xpc/Contents/MacOS/com.apple.CloudPhotosConfiguration
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.automountd
1⤵
PID:567

/usr/libexec/automountd
automountd
1⤵
PID:567
- /usr/libexec/od_user_homes
  /usr/libexec/od_user_homes .localized
  2⤵
  PID:568

/usr/libexec/xpcproxy
xpcproxy com.apple.installandsetup.systemmigrationd
1⤵
PID:569

/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/systemmigrationd
/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/systemmigrationd
1⤵
PID:569

/usr/libexec/xpcproxy
xpcproxy com.apple.storagekitd
1⤵
PID:570

/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd
/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd
1⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy com.apple.iconservices.iconservicesagent
1⤵
PID:571

/System/Library/CoreServices/iconservicesagent
/System/Library/CoreServices/iconservicesagent runAsRoot
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy com.apple.mobile.keybagd
1⤵
PID:572

/usr/libexec/keybagd
/usr/libexec/keybagd -t 15
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.diagnosticd
1⤵
PID:580

/usr/libexec/diagnosticd
/usr/libexec/diagnosticd
1⤵
PID:580

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.CoreAuthentication.agent
1⤵
PID:582

/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
1⤵
PID:582

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:583

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:583

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
303KB

MD5
72cfbd69fb9d2bada87185bb7d51458d

SHA1
ab4c390976f6375beb14ce4d7a82088d9ea3791e

SHA256
8a6d9f3a188bdd0ecba3d0ddc0a3b39b3a853564427603a5752a99989ec4c242

SHA512
f6f21c1daad03323288ec8089bd73a1bdba0e7d3a18d1bc7f225e77cebb22d752e5b356c4962ff16b31becc45915aaf05c7226d4cbf7c639a6ae9089a1aa1974

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
17.2MB

MD5
2eff5e5081a80f373e63941bbb1e16dd

SHA1
5e3de685eca7380084b881cd79c7e39ce357203c

SHA256
8f10b28653ff3a8b2ddd9a44e4585dd8c19ffcbc76f2b0f51572bc22f5e71a9a

SHA512
8c5edb2f42f768e3318b1c1be8359126e5cbfb0a286c58f63f6e7b887f399318d111c6bdefa3c1285ef2f4088e6b3a08f7e061c8fbbdc64da4bee05c43cac0f0

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
133KB

MD5
cdd51b59843943a372def4cf344ae6e2

SHA1
d7e8fc4110881d9390f18f8fb5dedce4a70fb13a

SHA256
bbdad225d29e1ab2f615b4be08ed62194a548a2d523e0a7fdcab825bb5f80a23

SHA512
4c01fff20b3f9256245e69142be21ecd7714f6d43208a8b32203d45963907d204c6c8d801e521ed4fe948a047e4e53bed8d2c6f0fb446e7b7e032e6d48967e4b

Download Submit

Resubmissions

Analysis

Sharing