Malware Analysis Report

2024-10-16 06:32

Sample ID: 240609-144dbsgc49
Target: https://best-links.org/s?4d4db6be89fbb5fd
Tags: evasion
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

Threat Level: Shows suspicious behavior

The target https://best-links.org/s?4d4db6be89fbb5fd was found to show suspicious behavior.

Malicious Activity Summary

evasion

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-09 22:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-09 22:13

Reported: 2024-06-09 22:15

Platform: macos-20240410-en

Max time kernel: 145s

Max time network: 148s

Command Line

[sh -c sudo /bin/zsh -c "/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --simulate-outdated-no-au='Tue, 31 Dec 2099' --new-window https://best-links.org/s?4d4db6be89fbb5fd"]

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Resource Forking (evasion)

Description Indicator Process Target
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck N/A N/A
N/A /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --simulate-outdated-no-au='Tue, 31 Dec 2099' --new-window https://best-links.org/s?4d4db6be89fbb5fd"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --simulate-outdated-no-au='Tue, 31 Dec 2099' --new-window https://best-links.org/s?4d4db6be89fbb5fd"]

/usr/bin/sudo

[sudo /bin/zsh -c /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --simulate-outdated-no-au='Tue, 31 Dec 2099' --new-window https://best-links.org/s?4d4db6be89fbb5fd]

/usr/libexec/xpcproxy

[xpcproxy com.oracle.java.Java-Updater]

/bin/zsh

[/bin/zsh -c /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --simulate-outdated-no-au='Tue, 31 Dec 2099' --new-window https://best-links.org/s?4d4db6be89fbb5fd]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterB516C108/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2028]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.F5A989BB-D714-47EE-8F4C-2CD8154FA786 519]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.7F945329-AADB-47AA-8B61-3D6A605137C6 519]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SearchHelper 519]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SafeBrowsing.Service]

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service

[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.044EEBE6-5F51-4A5F-A5FF-E86D8D582B4D 519]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.6FFFC9DE-03CF-40AA-A031-15DB7C9C99E6 519]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.76C2FA57-2D72-49BD-BC9B-C87D90C4EF0E 519]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.E64C8B5F-C49F-40E7-B728-C218F37ACA08 519]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.speech.speechsynthesisd]

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd

[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network


Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db


/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db


/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression


/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression


/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression


/Users/run/Library/Safari/Favicon Cache/favicons/C8F8DB667F0E5ADCE98ADE268FD28EFF


/Users/run/Library/Safari/Favicon Cache/favicons/1DFCB45DEAD717FE859984AF840F220F
