Analysis Overview
SHA256
dda2b3a7a8a9c6ec4b2041adc9c8a810ae396eb1c998c7517e172e094d7fe74f
Threat Level: Likely benign
The file login was found to be: Likely benign.
Malicious Activity Summary
Resource Forking
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 15:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 15:37
Reported
2024-06-09 15:40
Platform
macos-20240410-en
Max time kernel
132s
Max time network
119s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A |
| N/A | /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | N/A | N/A |
| N/A | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck | N/A | N/A |
| N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A |
| N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A |
Processes
/usr/libexec/xpcproxy
[xpcproxy com.apple.systemstats.daily]
/usr/libexec/xpcproxy
[xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer]
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/login.html"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/login.html"]
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
[/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer]
/usr/libexec/xpcproxy
[xpcproxy com.oracle.java.Java-Updater]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/login.html]
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]
/bin/zsh
[/bin/zsh -c /Users/run/login.html]
/Users/run/login.html
[/Users/run/login.html]
/bin/sh
[sh /Users/run/login.html]
/bin/bash
[sh /Users/run/login.html]
/usr/libexec/xpcproxy
[xpcproxy com.apple.PerformanceAnalysis.animationperfd]
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.ui.helper]
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.xpc.launchd.oneshot.0x10000001.Archive Utility]
/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility
[/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility -psn_0_167977]
/usr/libexec/xpcproxy
[xpcproxy com.apple.XprotectFramework.AnalysisService 503]
/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
[/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService]
/usr/bin/macbinary
[/usr/bin/macbinary probe --verbose /Users/run/Desktop/payload.zip]
/usr/bin/file
[/usr/bin/file -b /Users/run/Desktop/payload.zip]
/usr/libexec/xpcproxy
[xpcproxy com.apple.archiveutility.auhelperservice 522]
/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService
[/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService]
/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService
[/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.appkit.xpc.sandboxedServiceRunner 522]
/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner
[/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.satellite.87447F4C-F392-4FE4-94D5-8C70F66444DE 534]
/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
[/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite]
/usr/libexec/xpcproxy
[xpcproxy com.apple.appkit.xpc.openAndSavePanelService 288]
/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/com.apple.appkit.xpc.openAndSavePanelService.xpc/Contents/MacOS/com.apple.appkit.xpc.openAndSavePanelService
[/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/com.apple.appkit.xpc.openAndSavePanelService.xpc/Contents/MacOS/com.apple.appkit.xpc.openAndSavePanelService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.QuickLookUIService 539]
/System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuickLookUI.framework/Versions/A/XPCServices/QuickLookUIService.xpc/Contents/MacOS/QuickLookUIService
[/System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuickLookUI.framework/Versions/A/XPCServices/QuickLookUIService.xpc/Contents/MacOS/QuickLookUIService]
/usr/libexec/od_user_homes
[/usr/libexec/od_user_homes .localized]
/usr/libexec/xpcproxy
[xpcproxy com.apple.spindump]
/usr/sbin/spindump
[/usr/sbin/spindump]
/usr/libexec/xpcproxy
[xpcproxy com.apple.spindump_agent]
/usr/libexec/spindump_agent
[/usr/libexec/spindump_agent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportMemoryException]
/usr/libexec/ReportMemoryException
[/usr/libexec/ReportMemoryException]
/bin/sh
[sh -c /usr/sbin/kextstat]
/bin/bash
[sh -c /usr/sbin/kextstat]
/usr/sbin/kextstat
[/usr/sbin/kextstat]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.ui.helper]
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.ui.helper]
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.xpc.launchd.oneshot.0x10000002.TextEdit]
/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
[/System/Applications/TextEdit.app/Contents/MacOS/TextEdit -psn_0_188462]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | e6858.dscx.akamaiedge.net | udp |
Files
/Users/run/Desktop/payload/settings.json
| Algorithm | Digest |
|---|---|
| MD5 | b35182a5d0722d6f81654bbf9755bb77 |
| SHA1 | 05203798855cfdf6f32161189ee340efe27386fb |
| SHA256 | f9169b9b0d3706f8622513a6be8a722cdcef97826f1e71476439cb387792416c |
| SHA512 | 584f5d1afd86c2492a344447039c34b2239903af5b27590371226a13bc8668afa106af8bbefcfd75ed61a247ab251c93c51ce8192347b6d5ac53bf2b44bf89f9 |
/private/var/db/spindump/tailspin-trace.2024-06-09_15-38-37.tailspin
| Algorithm | Digest |
|---|---|
| MD5 | 791989fe6f58fac0592fe29d3e1b9eb0 |
| SHA1 | cbc928445b51bd3680d147cb4e84171a724ae538 |
| SHA256 | 704a9468b96252f64955c9c4ff169794fd5c9a88c4f0ab1964955eaea8b22a26 |
| SHA512 | c4ae57551ac591bd86fc29283e1233a53ce6c0261b1da2103ebd7b24ff2a4484ceebc907a58b202681c6ffe20d43828045ef4beb92300513a1247e2c8fd7ad1f |
/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt
| Algorithm | Digest |
|---|---|
| MD5 | e229d7465acb19e8c7ffad46da563f8c |
| SHA1 | b513e31d56a71cb65dc2b424290f3e37f59cd54b |
| SHA256 | 5a348643e3b737677fd5f7847e2ec38ec63a4e32fe915787b20ce3295b37620e |
| SHA512 | ee6c92aa6e014b331d4a157bf5df6bc35bad8e7895891ea7166a8d4ec63d7e469cc59bf1c5fdbe91102c6ffd8d1c570b62ac2ffc10a677500b2771fe6fcf5d5b |
/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt
| Algorithm | Digest |
|---|---|
| MD5 | 83f6bd3b55c6e4bac7c19a85d28884b4 |
| SHA1 | 10de7c66d51bfcc6eb90a7a605b6c2b85001697b |
| SHA256 | 7e2859bb3be0ef5af14dd624fc2b1ea97505d9db741be1f44f2e0da1ab1e8181 |
| SHA512 | 3fc7fa17587bb93a105f904fd1aba025a44b1c4572201f8dfedfb73cac8d4b9ac418f9949962f631d2b2569514446b6da8295d39ff0193eed61a27c914346125 |
/Users/run/Desktop/payload/happymeal
| Algorithm | Digest |
|---|---|
| MD5 | 176fd682841c1bf121d5d31ed4e79ff6 |
| SHA1 | 4cef56665caa85e9ea0c6cea82b1bd7fb3c93392 |
| SHA256 | 9660253445f7637d98d663c855a9c18a59e921de127df607e1781d2b57486431 |
| SHA512 | 34bcdc43bf91af165df72f49f73cbdaedf0e02daa272ce4e19cbf2db00ad203879c02f90626d75299d4d87628bf8a8d3c5ea8ffb013e43f1a8070e107c16e068 |