283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

max time kernel
247s
max time network
240s
platform
macos-10.15_amd64
resource
macos-20241101-en
resource tags

arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
05/04/2025, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCrypt0r.zip
Size

3.3MB
MD5

e58fdd8b0ce47bcb8ffd89f4499d186d
SHA1

b7e2334ac6e1ad75e3744661bb590a2d1da98b03
SHA256

283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a
SHA512

95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c
SSDEEP

49152:0x8KJHkctwJdVlgBq+q1vqtWdhQIajy4AsOLgVv+L3QXz+B7m1qyapDgJmeiTLW:0x8KJX+dVHvtzaj3xWgw79icXW

Score

4^/10

defense_evasion

Malware Config

Signatures

Resource Forking 1 TTPs 5 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/WannaCrypt0r.zip\""
1⤵
PID:469

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/WannaCrypt0r.zip\""
1⤵
PID:469

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/WannaCrypt0r.zip
1⤵
PID:469
- /bin/zsh
  /bin/zsh -c /Users/run/WannaCrypt0r.zip
  2⤵
  PID:470
- /Users/run/WannaCrypt0r.zip
  /Users/run/WannaCrypt0r.zip
  2⤵
  PID:470

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:498

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:498

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 498
1⤵
PID:499

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:499

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:500

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:501

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:502

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:503

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:504

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:506

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:506

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:507

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy com.apple.preference.keyboard.remoteservice 498
1⤵
PID:508

/System/Library/PreferencePanes/Keyboard.prefPane/Contents/XPCServices/Keyboard.remoteservice.xpc/Contents/MacOS/Keyboard.remoteservice
/System/Library/PreferencePanes/Keyboard.prefPane/Contents/XPCServices/Keyboard.remoteservice.xpc/Contents/MacOS/Keyboard.remoteservice
1⤵
PID:508

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:509

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:510

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:510

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:512

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:512
- /usr/bin/login
  login -pf run
  2⤵
  PID:513
- - /bin/zsh
    -zsh
    3⤵
    PID:514
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:515
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:516
  - - /usr/local/bin/run
      run WannaCry.exe
      4⤵
      PID:518
  - - /usr/bin/run
      run WannaCry.exe
      4⤵
      PID:518
  - - /bin/run
      run WannaCry.exe
      4⤵
      PID:518
  - - /usr/sbin/run
      run WannaCry.exe
      4⤵
      PID:518
  - - /sbin/run
      run WannaCry.exe
      4⤵
      PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:519

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:520

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.archiveutility.2568
1⤵
PID:524

/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility
"/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility"
1⤵
PID:524

/usr/bin/macbinary
/usr/bin/macbinary probe --verbose /Users/run/WannaCrypt0r.zip
1⤵
PID:525

/usr/bin/file
/usr/bin/file -b /Users/run/WannaCrypt0r.zip
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.archiveutility.auhelperservice 524
1⤵
PID:527

/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService
"/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService"
1⤵
PID:527

/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService
/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.DictionaryServiceHelper
1⤵
PID:530

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.xpc/Contents/MacOS/com.apple.DictionaryServiceHelper
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.xpc/Contents/MacOS/com.apple.DictionaryServiceHelper
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:531

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:531

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/db/nsurlstoraged/dafsaData.bin

Filesize
54KB

MD5
64f469698e53d0c828b7f90acd306082

SHA1
bcc041b3849e1b0b4104ffeb46002207eeac54f3

SHA256
d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

SHA512
a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Download Submit

Resubmissions

Analysis