Analysis Overview
SHA256
2510be907ec476e8375ac7b5431536ae9a32bf99fe77ab695a5100852b111b96
Threat Level: Likely benign
The file SolaraB.zip was found to be: Likely benign.
Malicious Activity Summary
Resource Forking
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-08 18:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 18:17
Reported
2024-06-08 18:20
Platform
macos-20240410-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd | N/A | N/A |
| N/A | /System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/SolaraB/Solara/SolaraBootstrapper.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/SolaraB/Solara/SolaraBootstrapper.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/SolaraB/Solara/SolaraBootstrapper.exe]
/bin/zsh
[/bin/zsh -c /Users/run/SolaraB/Solara/SolaraBootstrapper.exe]
/Users/run/SolaraB/Solara/SolaraBootstrapper.exe
[/Users/run/SolaraB/Solara/SolaraBootstrapper.exe]
/usr/libexec/xpcproxy
[xpcproxy com.apple.warmd_agent]
/usr/libexec/warmd_agent
[/usr/libexec/warmd_agent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.rtcreportingd]
/usr/libexec/rtcreportingd
[/usr/libexec/rtcreportingd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ViewBridgeAuxiliary]
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sessionlogoutd]
/System/Library/CoreServices/sessionlogoutd
[/System/Library/CoreServices/sessionlogoutd]
/usr/bin/sudo
[/usr/bin/sudo -k]
/usr/libexec/xpcproxy
[xpcproxy com.apple.loginwindow.76F09C75-FFD6-46DF-824C-1BEA3999CDA6]
/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
[/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console]
/usr/libexec/xpcproxy
[xpcproxy com.apple.imklaunchagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.UserEventAgent-LoginWindow]
/usr/libexec/xpcproxy
[xpcproxy com.apple.universalaccessd]
/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent
[/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent]
/usr/sbin/universalaccessd
[/usr/sbin/universalaccessd launchd -s]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pluginkit.pkd]
/usr/libexec/pkd
[/usr/libexec/pkd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ViewBridgeAuxiliary]
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.agent.login.00000000-0000-0000-0000-0000000186BC]
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
[/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent]
/usr/libexec/UserEventAgent
[/usr/libexec/UserEventAgent (LoginWindow)]
/usr/libexec/xpcproxy
[xpcproxy com.apple.coremedia.videodecoder 531]
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.CryptoTokenKit.ahp.agent]
/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp
[/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp]
/usr/libexec/xpcproxy
[xpcproxy com.apple.xpc.launchd.oneshot.0x10000001.activateSettings]
/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings
[/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AmbientDisplayAgent]
/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent
[/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ctkd]
/System/Library/Frameworks/CryptoTokenKit.framework/ctkd
[/System/Library/Frameworks/CryptoTokenKit.framework/ctkd -tw]
/usr/libexec/xpcproxy
[xpcproxy com.apple.CryptoTokenKit.setoken 542]
/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex/Contents/MacOS/setoken
[/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex/Contents/MacOS/setoken]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.authhost.00000000-0000-0000-0000-0000000186BC]
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
[/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Kerberos.kcm]
/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm
[/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm --launchd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.iconservices.iconservicesagent]
/System/Library/CoreServices/iconservicesagent
[/System/Library/CoreServices/iconservicesagent runAsRoot]
/usr/libexec/xpcproxy
[xpcproxy com.apple.usbmuxd]
/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd
[/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.akd]
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.storagekitd]
/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd
[/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 17.253.77.201:80 | | tcp |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | appleid.apple.com | udp |
| US | 8.8.8.8:53 | 23.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.0.127.10.in-addr.arpa | udp |
| GB | 17.253.77.201:80 | pancake.apple.com | tcp |
| IE | 17.57.146.88:5223 | | tcp |
| US | 8.8.8.8:53 | 29-courier.push.apple.com | udp |
| GB | 17.57.146.10:5223 | 29-courier.push.apple.com | tcp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/var/root/Library/Caches/rtcreportingd/events/NRM_Events_2024-06-08-18-18-24.event
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |