7d30dad6bc7c79e0ee043bdc8dfd2b64d8b1ea19687b332683ed57bb55331118

max time kernel
943s
max time network
1542s
platform
macos-10.15_amd64
resource
macos-20240611-en
resource tags

arch:amd64arch:i386image:macos-20240611-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
28-06-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxStudioInstaller (2).exe
Size

4.5MB
MD5

34b2fd7c0a35ee46a8fc3a38ac18d489
SHA1

f0b1446847d05f8a28c98f1d0204d632644f5721
SHA256

7d30dad6bc7c79e0ee043bdc8dfd2b64d8b1ea19687b332683ed57bb55331118
SHA512

2d126018df5c0bdbf9e6906431a3fe988593080d6ce3077e7d7f85f564ad24f4c1a081bc0709900623604c76ed1f6037bf8f670e0334d2b0b146eea13196ffbb
SSDEEP

98304:n5vhdKHivtGeJKrsS3wA6RgN0VbTbcXC8I42nSbhh/A:1hSivEStS3ogN26InS4

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
evasion

Resource Forking
T1564.009

Processes:

ioc process

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

ioc	process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/RobloxStudioInstaller (2).exe\""
1⤵
PID:550

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/RobloxStudioInstaller (2).exe\""
1⤵
PID:550

/usr/bin/sudo
sudo /bin/zsh -c "/Users/run/RobloxStudioInstaller (2).exe"
1⤵
PID:550

/bin/zsh
/bin/zsh -c "/Users/run/RobloxStudioInstaller (2).exe"
2⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:552

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged
1⤵
PID:552

/usr/libexec/dmd
/usr/libexec/dmd
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy com.apple.pluginkit.pkd
1⤵
PID:555

/usr/libexec/pkd
/usr/libexec/pkd
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:559

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:559

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:580

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2E18A62F/OneDrive.app
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:590

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:590

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:592

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:593

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:593

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:594

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:596

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:597

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:599

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:599

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:600

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:600

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:617

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.CoreAuthentication.agent
1⤵
PID:619

/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
1⤵
PID:619

/usr/libexec/xpcproxy
xpcproxy com.apple.akd
1⤵
PID:620

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:621

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:621

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:622

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:622

/usr/libexec/xpcproxy
xpcproxy com.apple.diagnosticd
1⤵
PID:623

/usr/libexec/diagnosticd
/usr/libexec/diagnosticd
1⤵
PID:623

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:624

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
Filesize
124KB

MD5
5e75c629cf451f240a2ad997ce92ed3d

SHA1
24da2b713d55e6cad45da41663134acd89278af2

SHA256
1a3e132a7b624419c0f1514014fab29662eeccd520e49c622e4968e448b991a5

SHA512
c44040c005231080af33fd84e0d2acf7c1149da382701efb08ed6cbf2ba05e136c723a63d452154ac8e156671163cb9761206829719aaa74581835d04458d9c7

Download Submit
/Users/run/Library/Cookies/HSTS.plist
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis