Malware Analysis Report

2024-10-18 23:09

Sample ID 240522-rtlwvsed7t
Target 852a0d477d29d18d5b7c419e4d64a90761e04c908fc7171e2faab5ad40021fbc.jar
SHA256 852a0d477d29d18d5b7c419e4d64a90761e04c908fc7171e2faab5ad40021fbc
Tags
guloader downloader evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

852a0d477d29d18d5b7c419e4d64a90761e04c908fc7171e2faab5ad40021fbc

Threat Level: Known bad

The file 852a0d477d29d18d5b7c419e4d64a90761e04c908fc7171e2faab5ad40021fbc.jar was found to be: Known bad.

Malicious Activity Summary

guloader downloader evasion

Guloader,Cloudeye

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Resource Forking

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 14:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win10v2004-20240508-en

Max time kernel

96s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe

"C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 512 -ip 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 1060

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsd67B4.tmp\BgImage.dll

MD5 9436196007f65f0ae96f64b1c8b2572e
SHA1 4b004b5c2865c9450876be83faa8cc96e1d12c01
SHA256 286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9
SHA512 5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

C:\Users\Admin\AppData\Local\Temp\nsd67B4.tmp\nsDialogs.dll

MD5 82c3f38cd34739872af07443c65d0bd8
SHA1 1f4ee2d394404a291eda6419f856adaf4b960237
SHA256 59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311
SHA512 3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

C:\Users\Admin\AppData\Local\Temp\nsd67B4.tmp\System.dll

MD5 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 223bef1f19e644a610a0877d01eadc9e28299509
SHA256 f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512 d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk

MD5 d574991a4df6d0d76d59b5c65ab0423f
SHA1 ebac8847ca2fb8610bfff14c315761ef5870b1e6
SHA256 3ded11541e82aa7b94e2dd827b63f2de4db589ee5914b906085d4ddfbbadb695
SHA512 89ab4ca99730bfedd36802281fe4f723d1b9cbca2acae999b7b5d5672567d94b00294d1e1a94acba135a750d2b267d46e01356b0dae89e553a9da34defc68925

memory/512-45-0x0000000004320000-0x0000000005F9B000-memory.dmp

memory/512-46-0x0000000077191000-0x00000000772B1000-memory.dmp

memory/512-47-0x0000000004320000-0x0000000005F9B000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 244

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 3248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 396 wrote to memory of 3248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 396 wrote to memory of 3248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 3248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win7-20240215-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe

"C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst1F64.tmp\BgImage.dll

MD5 9436196007f65f0ae96f64b1c8b2572e
SHA1 4b004b5c2865c9450876be83faa8cc96e1d12c01
SHA256 286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9
SHA512 5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

\Users\Admin\AppData\Local\Temp\nst1F64.tmp\nsDialogs.dll

MD5 82c3f38cd34739872af07443c65d0bd8
SHA1 1f4ee2d394404a291eda6419f856adaf4b960237
SHA256 59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311
SHA512 3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

\Users\Admin\AppData\Local\Temp\nst1F64.tmp\System.dll

MD5 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 223bef1f19e644a610a0877d01eadc9e28299509
SHA256 f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512 d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk

MD5 51fa4aa550487f844278f2d4214cbd70
SHA1 57c9cd1cea75d4b446cdd4e14e6f8069bfb0ba85
SHA256 f459f9a9fb45277c316e410f16dc15e8eda27a8ee31d200135efffaf50726024
SHA512 948a2d95ec2f78e8a206d1d3340c50f692d9f7d62a95ae5bb17eef6fdbe45d44bab12e4e4d65b3417b01586c68bed678678babb8f2106843571706d897482b02

memory/2932-48-0x0000000003880000-0x00000000054FB000-memory.dmp

memory/2932-49-0x0000000077061000-0x0000000077162000-memory.dmp

memory/2932-50-0x0000000077060000-0x0000000077209000-memory.dmp

memory/2932-51-0x0000000003880000-0x00000000054FB000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1508 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 4924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1716 wrote to memory of 4924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1716 wrote to memory of 4924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win7-20240215-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 4356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3352 wrote to memory of 4356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3352 wrote to memory of 4356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 4356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-22 14:29

Reported

2024-05-22 14:31

Platform

macos-20240410-en

Max time kernel

136s

Max time network

142s

Command Line

[sh -c sudo /bin/zsh -c "open /Users/run/Duramen/Sabbatters.app"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Users/run/Duramen/Sabbatters.app"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Users/run/Duramen/Sabbatters.app"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Users/run/Duramen/Sabbatters.app]

/bin/zsh

[/bin/zsh -c open /Users/run/Duramen/Sabbatters.app]

/usr/bin/open

[open /Users/run/Duramen/Sabbatters.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.newsyslog]

/usr/sbin/newsyslog

[/usr/sbin/newsyslog]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

Network

Country Destination Domain Proto
US 20.189.173.2:443 tcp
US 8.8.8.8:53 onedscolprdeus06.eastus.cloudapp.azure.com udp
US 20.42.73.25:443 onedscolprdeus06.eastus.cloudapp.azure.com tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
NL 23.209.125.28:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
NL 72.246.172.153:443 tcp
US 8.8.8.8:53 a479.dscg4.akamai.net udp
NL 23.209.125.22:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
SE 104.73.93.106:443 help.apple.com tcp
SE 104.73.93.106:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 gsp-ssl.ls.apple.com udp
GB 17.253.77.203:443 gsp-ssl.ls.apple.com tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1285.xml

MD5 9a43af57707d2fb460832049d1f217d1
SHA1 056d813f8cb5198ca82072f7e3484f38ea5267f8
SHA256 7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c
SHA512 1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 0efb23b182562b87d329e5c0a0a4a900
SHA1 9f9fe1123ff227e6233ec7566577fe27b4322aaa
SHA256 b407147e7986ea47649ba6ec039fba535672ef27e41e5ed80738520fd669419a
SHA512 4cbc46b8624a32a4ed29ff52e9942b0e0316979d49bdc200678dcbbb345ba8427fa90129addbad0df064a369ad3bf124179a07072b2ba00da415689b8fce9d7b

/Users/run/Library/Caches/GeoServices/Experiments.pbd

MD5 50a0460fbc95d20eea145cb248565cae
SHA1 20fe5f7424ca831d165254ab6a849fa034f442d7
SHA256 42ed3730a63216925f8e9a0c65f66726e823c065604f90bad62ac2184928a800
SHA512 d5c64cce25ee865ff4bb36ae127a518dd313c23b64453d1e3aac0e26da6a50e1f503aaa319bc195a5c202dd61c168c00ca69cf8f4a2134905d3ad70e5224e9dc