Analysis Overview
SHA256
2885a0b4037f92b73fae531687264ae74779ad1afae7ae5eb6f7256c9fc28fff
Threat Level: No (potentially) malicious behavior was detected
The file dPOS_EAS_Bundle.rbxm was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 15:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 15:41
Reported
2024-06-08 15:44
Platform
macos-20240410-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/dPOS_EAS_Bundle.rbxm"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/dPOS_EAS_Bundle.rbxm"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/dPOS_EAS_Bundle.rbxm]
/bin/zsh
[/bin/zsh -c /Users/run/dPOS_EAS_Bundle.rbxm]
/Users/run/dPOS_EAS_Bundle.rbxm
[/Users/run/dPOS_EAS_Bundle.rbxm]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Terminal.2100]
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
[/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal]
/usr/bin/login
[login -pf run]
/bin/zsh
[-zsh]
/usr/libexec/path_helper
[/usr/libexec/path_helper -s]
/usr/bin/locale
[locale LC_CTYPE]
/usr/bin/curl
[curl parrot.live]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.2028]
/Applications/Safari.app/Contents/MacOS/Safari
[/Applications/Safari.app/Contents/MacOS/Safari]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.History]
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.42CAF03A-16F4-49B6-9725-C69D89886CCF 539]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.SafariLaunchAgent]
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.38643FED-E3BE-46CB-86F4-1CFDB34ECD2E 539]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.SearchHelper 539]
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.SafeBrowsing.Service]
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.8B4AD5DD-FF5E-43CD-A8C3-B56F7F64C88E 539]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.contacts.donation-agent]
/System/Library/PrivateFrameworks/ContactsDonation.framework/Versions/A/Support/contactsdonationagent
[/System/Library/PrivateFrameworks/ContactsDonation.framework/Versions/A/Support/contactsdonationagent]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | parrot.live | udp |
| SG | 206.189.36.145:80 | parrot.live | tcp |
| US | 8.8.8.8:53 | api-glb-aeuw3b.smoot.apple.com | udp |
| FR | 15.237.18.235:443 | api-glb-aeuw3b.smoot.apple.com | tcp |
| US | 8.8.8.8:53 | clients1.google.com | udp |
| US | 8.8.8.8:53 | clients1.google.com | udp |
| FR | 216.58.213.78:443 | clients1.google.com | tcp |
| FR | 216.58.213.78:443 | clients1.google.com | tcp |
| FR | 216.58.213.78:443 | clients1.google.com | tcp |
| US | 8.8.8.8:53 | cdn2.smoot.apple.com | udp |
| US | 8.8.8.8:53 | cdn.smoot.apple.com | udp |
| US | 8.8.8.8:53 | www.roblox.ge | udp |
| US | 8.8.8.8:53 | safebrowsing.googleapis.com | udp |
| NL | 45.128.232.210:443 | www.roblox.ge | tcp |
| FR | 172.217.20.202:443 | safebrowsing.googleapis.com | tcp |
| NL | 45.128.232.210:443 | www.roblox.ge | tcp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| NL | 45.128.232.210:443 | www.roblox.ge | tcp |
| NL | 45.128.232.210:443 | www.roblox.ge | tcp |
| NL | 45.128.232.210:443 | www.roblox.ge | tcp |
| NL | 45.128.232.210:443 | www.roblox.ge | tcp |
| US | 8.8.8.8:53 | kit.fontawesome.com | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 172.64.147.188:443 | kit.fontawesome.com | tcp |
| US | 8.8.8.8:53 | ka-f.fontawesome.com | udp |
| US | 172.67.139.119:443 | ka-f.fontawesome.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.139.119:443 | ka-f.fontawesome.com | tcp |
| US | 8.8.8.8:53 | e6858.dscx.akamaiedge.net | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 45.128.232.210:443 | www.roblox.ge | tcp |
| NL | 45.128.232.210:443 | www.roblox.ge | tcp |
Files
/dev/ttys000
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression
| MD5 | c38e60f94892f48ec890f1f293121edb |
| SHA1 | db9b959ffc045cabe63b098fdf5271bba2ca09c6 |
| SHA256 | bd50c12837ecc0e1ebfff5bc7aeb29ec680fbf9b9d005b89c1368f81beb7e958 |
| SHA512 | 703f4e12f4568241ba1d91c3b10127dfa774690ea1a7225b40fb0926e5cfd09e981403328f1076c6147cf4d809030e9d6b82a9bf3fca8ab5bfa4f440e96f2bbb |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression
| MD5 | daf86001af31cc5721beee39a8a88da9 |
| SHA1 | ff8858aacbc289e43c0e4331f81f15f0b00dcefb |
| SHA256 | e33f5867389a931472d93813caf1397b79d81fb294c160e57be6a567f728f921 |
| SHA512 | 49c080733ec6154ef31fbce0ac8e2d60c7cde2d6b51512c0b2bfd5d4f0b56843f93af3184872fa33e5e09472f7ee425ffa3b6de23738b3197a3c78d088257a9c |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression
| MD5 | 679f2da10284c532f3b67f1e253cc9d7 |
| SHA1 | 172070074b602c83cadb42df806e89700ad8e8ca |
| SHA256 | cfa082db9578e305544f5e3a05202f398706f51407daa752ccb52866f83485fb |
| SHA512 | e8d308f88a40eb1a3f4810a422a54d9f202b22eb75f2da8dfe0a5fdc26bb547b2861ba479677a9ad6520339c609fd01d623ea18c1f040873071b86fea5663de7 |