Malware Analysis Report

2024-10-16 06:34

Sample ID 240608-ww622afa92
Target SolaraB.zip
SHA256 2510be907ec476e8375ac7b5431536ae9a32bf99fe77ab695a5100852b111b96
Tags evasion
Score 4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 4/10

SHA256 2510be907ec476e8375ac7b5431536ae9a32bf99fe77ab695a5100852b111b96

Threat Level: Likely benign

The file SolaraB.zip was found to be: Likely benign.

Malicious Activity Summary

evasion

Resource Forking

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-08 18:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 18:17

Reported

2024-06-08 18:20

Platform

macos-20240410-en

Max time kernel

147s

Max time network

150s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/SolaraB/Solara/SolaraBootstrapper.exe"]

Signatures

Resource Forking

Tag evasion

Description | Indicator | Process | Target
N/A | /System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings | N/A | N/A
N/A | /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd | N/A | N/A
N/A | /System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd | N/A | N/A
N/A | /System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent | N/A | N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/SolaraB/Solara/SolaraBootstrapper.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/SolaraB/Solara/SolaraBootstrapper.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/SolaraB/Solara/SolaraBootstrapper.exe]

/bin/zsh

[/bin/zsh -c /Users/run/SolaraB/Solara/SolaraBootstrapper.exe]

/Users/run/SolaraB/Solara/SolaraBootstrapper.exe

[/Users/run/SolaraB/Solara/SolaraBootstrapper.exe]

/usr/libexec/xpcproxy

[xpcproxy com.apple.warmd_agent]

/usr/libexec/warmd_agent

[/usr/libexec/warmd_agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.rtcreportingd]

/usr/libexec/rtcreportingd

[/usr/libexec/rtcreportingd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ViewBridgeAuxiliary]

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary

[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sessionlogoutd]

/System/Library/CoreServices/sessionlogoutd

[/System/Library/CoreServices/sessionlogoutd]

/usr/bin/sudo

[/usr/bin/sudo -k]

/usr/libexec/xpcproxy

[xpcproxy com.apple.loginwindow.76F09C75-FFD6-46DF-824C-1BEA3999CDA6]

/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow

[/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console]

/usr/libexec/xpcproxy

[xpcproxy com.apple.imklaunchagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.UserEventAgent-LoginWindow]

/usr/libexec/xpcproxy

[xpcproxy com.apple.universalaccessd]

/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent

[/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent]

/usr/sbin/universalaccessd

[/usr/sbin/universalaccessd launchd -s]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ViewBridgeAuxiliary]

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary

[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.agent.login.00000000-0000-0000-0000-0000000186BC]

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent

[/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent]

/usr/libexec/UserEventAgent

[/usr/libexec/UserEventAgent (LoginWindow)]

/usr/libexec/xpcproxy

[xpcproxy com.apple.coremedia.videodecoder 531]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService

[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CryptoTokenKit.ahp.agent]

/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp

[/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp]

/usr/libexec/xpcproxy

[xpcproxy com.apple.xpc.launchd.oneshot.0x10000001.activateSettings]

/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings

[/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AmbientDisplayAgent]

/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent

[/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ctkd]

/System/Library/Frameworks/CryptoTokenKit.framework/ctkd

[/System/Library/Frameworks/CryptoTokenKit.framework/ctkd -tw]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CryptoTokenKit.setoken 542]

/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex/Contents/MacOS/setoken

[/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex/Contents/MacOS/setoken]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.authhost.00000000-0000-0000-0000-0000000186BC]

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost

[/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Kerberos.kcm]

/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm

[/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm --launchd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.iconservices.iconservicesagent]

/System/Library/CoreServices/iconservicesagent

[/System/Library/CoreServices/iconservicesagent runAsRoot]

/usr/libexec/xpcproxy

[xpcproxy com.apple.usbmuxd]

/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd

[/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.akd]

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.storagekitd]

/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd

[/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd]

Network

Country | Destination | Domain | Proto
GB | 17.253.77.201:80 | | tcp
US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp
US | 8.8.8.8:53 | appleid.apple.com | udp
US | 8.8.8.8:53 | 23.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.0.127.10.in-addr.arpa | udp
GB | 17.253.77.201:80 | pancake.apple.com | tcp
IE | 17.57.146.88:5223 | | tcp
US | 8.8.8.8:53 | 29-courier.push.apple.com | udp
GB | 17.57.146.10:5223 | 29-courier.push.apple.com | tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/root/Library/Caches/rtcreportingd/events/NRM_Events_2024-06-08-18-18-24.event

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e