Malware Analysis Report

2024-10-16 06:33

Sample ID 240608-s4y5lsdh34
Target dPOS_EAS_Bundle.rbxm
SHA256 2885a0b4037f92b73fae531687264ae74779ad1afae7ae5eb6f7256c9fc28fff
Tags
score
1/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
1/10

SHA256

2885a0b4037f92b73fae531687264ae74779ad1afae7ae5eb6f7256c9fc28fff

Threat Level: No (potentially) malicious behavior was detected

Verdict for the file dPOS_EAS_Bundle.rbxm: no (potentially) malicious behavior was detected.

Malicious Activity Summary

N/A

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 15:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 15:41

Reported

2024-06-08 15:44

Platform

macos-20240410-en

Max time kernel

135s

Max time network

145s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/dPOS_EAS_Bundle.rbxm"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/dPOS_EAS_Bundle.rbxm"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/dPOS_EAS_Bundle.rbxm"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/dPOS_EAS_Bundle.rbxm]

/bin/zsh

[/bin/zsh -c /Users/run/dPOS_EAS_Bundle.rbxm]

/Users/run/dPOS_EAS_Bundle.rbxm

[/Users/run/dPOS_EAS_Bundle.rbxm]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Terminal.2100]

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal

[/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal]

/usr/bin/login

[login -pf run]

/bin/zsh

[-zsh]

/usr/libexec/path_helper

[/usr/libexec/path_helper -s]

/usr/bin/locale

[locale LC_CTYPE]

/usr/bin/curl

[curl parrot.live]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2028]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.42CAF03A-16F4-49B6-9725-C69D89886CCF 539]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.38643FED-E3BE-46CB-86F4-1CFDB34ECD2E 539]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SearchHelper 539]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SafeBrowsing.Service]

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service

[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.8B4AD5DD-FF5E-43CD-A8C3-B56F7F64C88E 539]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.contacts.donation-agent]

/System/Library/PrivateFrameworks/ContactsDonation.framework/Versions/A/Support/contactsdonationagent

[/System/Library/PrivateFrameworks/ContactsDonation.framework/Versions/A/Support/contactsdonationagent]

Network

Country Destination Domain Proto
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 parrot.live udp
SG 206.189.36.145:80 parrot.live tcp
US 8.8.8.8:53 api-glb-aeuw3b.smoot.apple.com udp
FR 15.237.18.235:443 api-glb-aeuw3b.smoot.apple.com tcp
US 8.8.8.8:53 clients1.google.com udp
US 8.8.8.8:53 clients1.google.com udp
FR 216.58.213.78:443 clients1.google.com tcp
FR 216.58.213.78:443 clients1.google.com tcp
FR 216.58.213.78:443 clients1.google.com tcp
US 8.8.8.8:53 cdn2.smoot.apple.com udp
US 8.8.8.8:53 cdn.smoot.apple.com udp
US 8.8.8.8:53 www.roblox.ge udp
US 8.8.8.8:53 safebrowsing.googleapis.com udp
NL 45.128.232.210:443 www.roblox.ge tcp
FR 172.217.20.202:443 safebrowsing.googleapis.com tcp
NL 45.128.232.210:443 www.roblox.ge tcp
US 8.8.8.8:53 cdn.jsdelivr.net udp
NL 45.128.232.210:443 www.roblox.ge tcp
NL 45.128.232.210:443 www.roblox.ge tcp
NL 45.128.232.210:443 www.roblox.ge tcp
NL 45.128.232.210:443 www.roblox.ge tcp
US 8.8.8.8:53 kit.fontawesome.com udp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 172.64.147.188:443 kit.fontawesome.com tcp
US 8.8.8.8:53 ka-f.fontawesome.com udp
US 172.67.139.119:443 ka-f.fontawesome.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 172.67.139.119:443 ka-f.fontawesome.com tcp
US 8.8.8.8:53 e6858.dscx.akamaiedge.net udp
N/A 224.0.0.251:5353 udp
NL 45.128.232.210:443 www.roblox.ge tcp
NL 45.128.232.210:443 www.roblox.ge tcp

Files

/dev/ttys000

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

MD5 c38e60f94892f48ec890f1f293121edb
SHA1 db9b959ffc045cabe63b098fdf5271bba2ca09c6
SHA256 bd50c12837ecc0e1ebfff5bc7aeb29ec680fbf9b9d005b89c1368f81beb7e958
SHA512 703f4e12f4568241ba1d91c3b10127dfa774690ea1a7225b40fb0926e5cfd09e981403328f1076c6147cf4d809030e9d6b82a9bf3fca8ab5bfa4f440e96f2bbb

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

MD5 daf86001af31cc5721beee39a8a88da9
SHA1 ff8858aacbc289e43c0e4331f81f15f0b00dcefb
SHA256 e33f5867389a931472d93813caf1397b79d81fb294c160e57be6a567f728f921
SHA512 49c080733ec6154ef31fbce0ac8e2d60c7cde2d6b51512c0b2bfd5d4f0b56843f93af3184872fa33e5e09472f7ee425ffa3b6de23738b3197a3c78d088257a9c

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

MD5 679f2da10284c532f3b67f1e253cc9d7
SHA1 172070074b602c83cadb42df806e89700ad8e8ca
SHA256 cfa082db9578e305544f5e3a05202f398706f51407daa752ccb52866f83485fb
SHA512 e8d308f88a40eb1a3f4810a422a54d9f202b22eb75f2da8dfe0a5fdc26bb547b2861ba479677a9ad6520339c609fd01d623ea18c1f040873071b86fea5663de7