0849b85e16da3b4fc89ec373fd9f42dc6cfa61f5592792bf48991f1e8d544d3a

Resubmissions

14/04/2025, 14:30

250414-rt5nzaynz8 10

14/04/2025, 02:20

12/04/2025, 17:10

12/04/2025, 02:16

12/04/2025, 02:09

11/04/2025, 20:14

11/04/2025, 20:13

11/04/2025, 18:52

Analysis

max time kernel
56s
max time network
64s
platform
macos-10.15_amd64
resource
macos-20250410-en
resource tags

arch:amd64arch:i386image:macos-20250410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
11/04/2025, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cooker.exe
Size

16.9MB
MD5

80db6fcf8a589124f620ec27b3b7fb7b
SHA1

041e55bf6872fab5589f1262918cb2a3609a1838
SHA256

0849b85e16da3b4fc89ec373fd9f42dc6cfa61f5592792bf48991f1e8d544d3a
SHA512

86ed5a8be7b05d73101dd5d0e9ba1da49caf9ebc55ddcf3fb4a38fb7855169211403dfa00d27a180a7229b51692f3f1f7967b05e382d741a4146de5b637cf1c0
SSDEEP

393216:fCnSigft7o+XsyZKHHRVs50bie1wnb4wCRYr7GNGu:fC+f5zcTHxVpbiCsAs7g

Score

4^/10

defense_evasion

Malware Config

Signatures

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/cooker.exe\""
1⤵
PID:464

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/cooker.exe\""
1⤵
PID:464

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/cooker.exe
1⤵
PID:464
- /bin/zsh
  /bin/zsh -c /Users/run/cooker.exe
  2⤵
  PID:465
- /Users/run/cooker.exe
  /Users/run/cooker.exe
  2⤵
  PID:465

/usr/libexec/xpcproxy
xpcproxy com.apple.AppStore.1900
1⤵
PID:501

/System/Applications/App Store.app/Contents/MacOS/App Store
"/System/Applications/App Store.app/Contents/MacOS/App Store"
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.storeuid
1⤵
PID:502

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
1⤵
PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:506

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:506
- /usr/bin/login
  login -pf run
  2⤵
  PID:507
- - /bin/zsh
    -zsh
    3⤵
    PID:508
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:509
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:510

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads