Indicator (IOC)
Essential information
- Value / Name
- 2c2d5167f156f4afb77dffcec0ad2869a095ee74
- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 22/06/2023 20:56
- Valid until
- 24/09/2024 20:56
- Pattern type
- yara
- Published
- 20/12/2025 19:39
- Modified
- 21/12/2025 00:45
- Author / Source
- AlienVault
Description
No description.
Pattern
rule Macos_Hacktool_JokerSpy {
    meta:
        author = "Elastic Security"
        creation_date = "2023-06-19"
        last_modified = "2023-06-19"
        os = "MacOS"
        arch = "x86"
        category_type = "Hacktool"
        family = "JokerSpy"
        threat_name = "Macos.Hacktool.JokerSpy"
        reference_sample = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8"
        license = "Elastic License v2"
    strings:
        $str1 = "ScreenRecording: NO" fullword
        $str2 = "Accessibility: NO" fullword
        $str3 = "Accessibility: YES" fullword
        $str4 = "eck13XProtectCheck"
        $str5 = "Accessibility: NO" fullword
        $str6 = "kMDItemDisplayName = *TCC.db" fullword
    condition:
        5 of them
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.