Analysis

  • max time kernel
    21s
  • max time network
    31s
  • platform
    macos-10.15_amd64
  • resource
    macos-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:macos-20240611-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    02-07-2024 13:54

General

  • Target

    WhatsApp Image 2024-05-30 at 17.44.58 (9).jpg

  • Size

    109KB

  • MD5

    64aebef4ada8faa361c8f92c6adbed06

  • SHA1

    d0f2d53495d579d458ffb3ea65370e5220c1a312

  • SHA256

    a1fecd1a1acfdf08faea4ada1bf36cef146156de4392491311cf0497ba66e7a1

  • SHA512

    f757524bf5f02aad5ad7673ad78a12f3bdc5791d996de83e723a8ee0eee7d3b0bf7648faa76670fed8f28625eb303765803e10db50e8bc548c177b0d2d9ae9ac

  • SSDEEP

    1536:YhoA7G2nknPsNpore8rz+UI08hF5x2Xm+haACANiOnXdbs53niyBAYA:YFRk3jXW0iTLOaAviOnS53nilB

Score
4/10

Malware Config

Signatures

  • Resource Forking 1 TTPs 2 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

Processes

  • /usr/libexec/xpcproxy
    xpcproxy com.apple.gkreport
    1⤵
      PID:525
  • /usr/libexec/gkreport
    /usr/libexec/gkreport
    1⤵
      PID:525
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer
    1⤵
      PID:527
  • /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/WhatsApp Image 2024-05-30 at 17.44.58 (9).jpg\""
    1⤵
      PID:528
  • /bin/bash
    sh -c "sudo /bin/zsh -c \"/Users/run/WhatsApp Image 2024-05-30 at 17.44.58 (9).jpg\""
    1⤵
      PID:528
  • /usr/bin/sudo
    sudo /bin/zsh -c "/Users/run/WhatsApp Image 2024-05-30 at 17.44.58 (9).jpg"
    1⤵
      PID:528
    • /bin/zsh
      /bin/zsh -c "/Users/run/WhatsApp Image 2024-05-30 at 17.44.58 (9).jpg"
      2⤵
        PID:531
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.systemstats.daily
    1⤵
      PID:530
  • /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
    /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
    1⤵
      PID:527
  • /usr/libexec/xpcproxy
    xpcproxy com.oracle.java.Java-Updater
    1⤵
      PID:532
  • /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
    "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
    1⤵
      PID:532
  • /usr/bin/pluginkit
    /usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
    1⤵
      PID:566
  • /usr/sbin/spctl
    /usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app
    1⤵
      PID:567

Network

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Hide Artifacts

1
T1564

Resource Forking

1
T1564.009
