Malware Analysis Report

2025-08-10 12:04

Sample ID: 240222-1ctptaff92
Target: salinewin.zip
SHA256: b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d
Tags: evasion
Score: 4/10

Analysis Overview

Score: 4/10

SHA256: b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d

Threat Level: Likely benign

The file salinewin.zip was found to be: Likely benign.

Malicious Activity Summary

evasion

Resource Forking

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-22 21:30

Signatures

Unsigned PE

  Description: N/A   Indicator: N/A   Process: N/A   Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-22 21:30

Reported: 2024-02-22 21:32

Platform: macos-20240214-en

Max time kernel: 68s

Max time network: 74s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/salinewin-safety.exe"]

Signatures

Resource Forking (evasion)

  Description: N/A   Indicator: /System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent   Process: N/A   Target: N/A
  Description: N/A   Indicator: /System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings   Process: N/A   Target: N/A
  Description: N/A   Indicator: /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy   Process: N/A   Target: N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/salinewin-safety.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/salinewin-safety.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/salinewin-safety.exe]

/bin/zsh

[/bin/zsh -c /Users/run/salinewin-safety.exe]

/Users/run/salinewin-safety.exe

[/Users/run/salinewin-safety.exe]

/usr/libexec/dmd

[/usr/libexec/dmd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.loginwindow.18497772-5327-4588-B167-57DF7EF79977]

/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow

[/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.imklaunchagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.UserEventAgent-LoginWindow]

/usr/libexec/xpcproxy

[xpcproxy com.apple.universalaccessd]

/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent

[/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent]

/usr/sbin/universalaccessd

[/usr/sbin/universalaccessd launchd -s]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump_agent]

/usr/libexec/spindump_agent

[/usr/libexec/spindump_agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ViewBridgeAuxiliary]

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary

[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.agent.login.00000000-0000-0000-0000-0000000186BD]

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent

[/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.LoginUserService 284]

/System/Library/PrivateFrameworks/login.framework/Versions/A/XPCServices/LoginUserService.xpc/Contents/MacOS/LoginUserService

[/System/Library/PrivateFrameworks/login.framework/Versions/A/XPCServices/LoginUserService.xpc/Contents/MacOS/LoginUserService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.cfprefsd.xpc.agent]

/usr/sbin/cfprefsd

[/usr/sbin/cfprefsd agent]

/usr/libexec/UserEventAgent

[/usr/libexec/UserEventAgent (LoginWindow)]

/usr/libexec/xpcproxy

[xpcproxy com.apple.coremedia.videodecoder 583]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService

[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AccountPolicyHelper]

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper

[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CoreAuthentication.daemon]

/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd

[/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CryptoTokenKit.ahp.agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.xpc.launchd.oneshot.0x10000002.activateSettings]

/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings

[/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings]

/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp

[/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AmbientDisplayAgent]

/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent

[/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ctkd]

/System/Library/Frameworks/CryptoTokenKit.framework/ctkd

[/System/Library/Frameworks/CryptoTokenKit.framework/ctkd -tw]

/usr/libexec/xpcproxy

[xpcproxy com.apple.PackageKit.InstallStatus]

/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress

[/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress]

/usr/libexec/xpcproxy

[xpcproxy com.apple.warmd_agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.akd]

/usr/libexec/warmd_agent

[/usr/libexec/warmd_agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ctkd]

/System/Library/Frameworks/CryptoTokenKit.framework/ctkd

[/System/Library/Frameworks/CryptoTokenKit.framework/ctkd -tw]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ctkd]

/System/Library/Frameworks/CryptoTokenKit.framework/ctkd

[/System/Library/Frameworks/CryptoTokenKit.framework/ctkd -s]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CryptoTokenKit.setoken 599]

/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex/Contents/MacOS/setoken

[/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex/Contents/MacOS/setoken]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.authhost.00000000-0000-0000-0000-0000000186BD]

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost

[/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Kerberos.kcm]

/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm

[/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm --launchd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.GSSCred]

/System/Library/Frameworks/GSS.framework/Helpers/GSSCred

[/System/Library/Frameworks/GSS.framework/Helpers/GSSCred]

/usr/libexec/xpcproxy

[xpcproxy com.apple.iconservices.iconservicesagent]

/System/Library/CoreServices/iconservicesagent

[/System/Library/CoreServices/iconservicesagent runAsRoot]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.bird]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

Network

Country  Destination            Domain                                        Proto
US       52.182.143.208:443     N/A                                           tcp
US       8.8.8.8:53             bag-cdn-lb.itunes-apple.com.akadns.net        udp
US       17.137.170.10:443      N/A                                           tcp
US       17.137.170.34:443      N/A                                           tcp
US       8.8.8.8:53             b._dns-sd._udp.0.0.127.10.in-addr.arpa        udp
US       8.8.8.8:53             db._dns-sd._udp.0.0.127.10.in-addr.arpa       udp
US       8.8.8.8:53             b._dns-sd._udp.0.0.127.10.in-addr.arpa        udp
US       8.8.8.8:53             db._dns-sd._udp.0.0.127.10.in-addr.arpa       udp
N/A      224.0.0.251:5353       N/A                                           udp
US       8.8.8.8:53             mobile.events.data.trafficmanager.net         udp
US       52.182.143.208:443     N/A                                           tcp
US       8.8.8.8:53             appleid.apple.com                             udp
US       8.8.8.8:53             gspe1-ssl.ls.apple.com.edgesuite.net          udp
US       8.8.8.8:53             e4686.dsce9.akamaiedge.net                    udp
GB       104.91.71.86:443       N/A                                           tcp
GB       104.91.71.71:443       gspe1-ssl.ls.apple.com.edgesuite.net          tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 a6ef4856e99c9d8e1d9bb762c5a8503a
SHA1 25d5405ad91791b716ae5a56b37aa2b393854967
SHA256 232441aa129d4f21999860b8bf31db4b8617df9f7d32ef5f25a383edff82d9fa
SHA512 582fa1ea60766a5a4e99b295a8ed98c94f6bab45e42b7e8db61e9ad645f531891082cd457bfd11d660195af86f02c4ed93589e6e6daded683cff2d8319bbc489

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-22 21:30

Reported: 2024-02-22 21:32

Platform: macos-20240214-en

Max time kernel: 54s

Max time network: 62s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/salinewin.exe"]

Signatures: N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/salinewin.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/salinewin.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/salinewin.exe]

/bin/zsh

[/bin/zsh -c /Users/run/salinewin.exe]

/Users/run/salinewin.exe

[/Users/run/salinewin.exe]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater6BDB2703/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.icloud.findmydeviced]

/usr/libexec/findmydeviced

[/usr/libexec/findmydeviced]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ncplugin.stocks 324]

/usr/libexec/xpcproxy

[xpcproxy com.apple.notificationcenterui.WeatherSummary 324]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ncplugin.weather 324]

/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks

[/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks]

/usr/libexec/xpcproxy

[xpcproxy com.apple.iCal.CalendarNC 324]

/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather

[/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather]

/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC

[/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC]

/System/Library/CoreServices/NotificationCenter.app/Contents/XPCServices/com.apple.notificationcenterui.WeatherSummary.xpc/Contents/MacOS/com.apple.notificationcenterui.WeatherSummary

[/System/Library/CoreServices/NotificationCenter.app/Contents/XPCServices/com.apple.notificationcenterui.WeatherSummary.xpc/Contents/MacOS/com.apple.notificationcenterui.WeatherSummary]

/usr/libexec/xpcproxy

[xpcproxy com.apple.bird]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]

Network

Country  Destination            Domain                                        Proto
GB       17.253.29.204:80       N/A                                           tcp
US       8.8.8.8:53             0.courier-push-apple.com.akadns.net           udp
US       8.8.8.8:53             29-courier.push.apple.com                     udp
US       8.8.8.8:53             apis.apple.map.fastly.net                     udp
US       8.8.8.8:53             mobile.events.data.trafficmanager.net         udp
FR       40.79.141.154:443      N/A                                           tcp
US       8.8.8.8:53             49-courier.push.apple.com                     udp
US       8.8.8.8:53             30-courier.push.apple.com                     udp
US       8.8.8.8:53             18.courier-push-apple.com.akadns.net          udp
US       8.8.8.8:53             apple-finance.query.yahoo.com                 udp
IE       87.248.100.168:443     apple-finance.query.yahoo.com                 tcp
IE       87.248.100.168:443     apple-finance.query.yahoo.com                 tcp
IE       87.248.100.168:443     apple-finance.query.yahoo.com                 tcp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20