Malware Analysis Report

2024-10-16 06:32

Sample ID 240609-s2wayacf97
Target login
SHA256 dda2b3a7a8a9c6ec4b2041adc9c8a810ae396eb1c998c7517e172e094d7fe74f
Tags
evasion
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

dda2b3a7a8a9c6ec4b2041adc9c8a810ae396eb1c998c7517e172e094d7fe74f

Threat Level: Likely benign

The file login was found to be: Likely benign.

Malicious Activity Summary

evasion

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 15:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 15:37

Reported

2024-06-09 15:40

Platform

macos-20240410-en

Max time kernel

132s

Max time network

119s

Command Line

[xpcproxy com.apple.systemstats.daily]

Signatures

Resource Forking

evasion
Description | Indicator | Process | Target
N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A
N/A | /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | N/A | N/A
N/A | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck | N/A | N/A
N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A
N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemstats.daily]

/usr/libexec/xpcproxy

[xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/login.html"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/login.html"]

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer

[/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer]

/usr/libexec/xpcproxy

[xpcproxy com.oracle.java.Java-Updater]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/login.html]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]

/bin/zsh

[/bin/zsh -c /Users/run/login.html]

/Users/run/login.html

[/Users/run/login.html]

/bin/sh

[sh /Users/run/login.html]

/bin/bash

[sh /Users/run/login.html]

/usr/libexec/xpcproxy

[xpcproxy com.apple.PerformanceAnalysis.animationperfd]

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd

[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.xpc.launchd.oneshot.0x10000001.Archive Utility]

/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility

[/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility -psn_0_167977]

/usr/libexec/xpcproxy

[xpcproxy com.apple.XprotectFramework.AnalysisService 503]

/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService

[/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService]

/usr/bin/macbinary

[/usr/bin/macbinary probe --verbose /Users/run/Desktop/payload.zip]

/usr/bin/file

[/usr/bin/file -b /Users/run/Desktop/payload.zip]

/usr/libexec/xpcproxy

[xpcproxy com.apple.archiveutility.auhelperservice 522]

/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService

[/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService]

/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService

[/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.appkit.xpc.sandboxedServiceRunner 522]

/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner

[/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.satellite.87447F4C-F392-4FE4-94D5-8C70F66444DE 534]

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite

[/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite]

/usr/libexec/xpcproxy

[xpcproxy com.apple.appkit.xpc.openAndSavePanelService 288]

/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/com.apple.appkit.xpc.openAndSavePanelService.xpc/Contents/MacOS/com.apple.appkit.xpc.openAndSavePanelService

[/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/com.apple.appkit.xpc.openAndSavePanelService.xpc/Contents/MacOS/com.apple.appkit.xpc.openAndSavePanelService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.QuickLookUIService 539]

/System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuickLookUI.framework/Versions/A/XPCServices/QuickLookUIService.xpc/Contents/MacOS/QuickLookUIService

[/System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuickLookUI.framework/Versions/A/XPCServices/QuickLookUIService.xpc/Contents/MacOS/QuickLookUIService]

/usr/libexec/od_user_homes

[/usr/libexec/od_user_homes .localized]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump_agent]

/usr/libexec/spindump_agent

[/usr/libexec/spindump_agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/bin/sh

[sh -c /usr/sbin/kextstat]

/bin/bash

[sh -c /usr/sbin/kextstat]

/usr/sbin/kextstat

[/usr/sbin/kextstat]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.xpc.launchd.oneshot.0x10000002.TextEdit]

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit

[/System/Applications/TextEdit.app/Contents/MacOS/TextEdit -psn_0_188462]

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp
US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | e6858.dscx.akamaiedge.net | udp

Files

/Users/run/Desktop/payload/settings.json

MD5 b35182a5d0722d6f81654bbf9755bb77
SHA1 05203798855cfdf6f32161189ee340efe27386fb
SHA256 f9169b9b0d3706f8622513a6be8a722cdcef97826f1e71476439cb387792416c
SHA512 584f5d1afd86c2492a344447039c34b2239903af5b27590371226a13bc8668afa106af8bbefcfd75ed61a247ab251c93c51ce8192347b6d5ac53bf2b44bf89f9

/private/var/db/spindump/tailspin-trace.2024-06-09_15-38-37.tailspin

MD5 791989fe6f58fac0592fe29d3e1b9eb0
SHA1 cbc928445b51bd3680d147cb4e84171a724ae538
SHA256 704a9468b96252f64955c9c4ff169794fd5c9a88c4f0ab1964955eaea8b22a26
SHA512 c4ae57551ac591bd86fc29283e1233a53ce6c0261b1da2103ebd7b24ff2a4484ceebc907a58b202681c6ffe20d43828045ef4beb92300513a1247e2c8fd7ad1f

/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt

MD5 e229d7465acb19e8c7ffad46da563f8c
SHA1 b513e31d56a71cb65dc2b424290f3e37f59cd54b
SHA256 5a348643e3b737677fd5f7847e2ec38ec63a4e32fe915787b20ce3295b37620e
SHA512 ee6c92aa6e014b331d4a157bf5df6bc35bad8e7895891ea7166a8d4ec63d7e469cc59bf1c5fdbe91102c6ffd8d1c570b62ac2ffc10a677500b2771fe6fcf5d5b

/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt

MD5 83f6bd3b55c6e4bac7c19a85d28884b4
SHA1 10de7c66d51bfcc6eb90a7a605b6c2b85001697b
SHA256 7e2859bb3be0ef5af14dd624fc2b1ea97505d9db741be1f44f2e0da1ab1e8181
SHA512 3fc7fa17587bb93a105f904fd1aba025a44b1c4572201f8dfedfb73cac8d4b9ac418f9949962f631d2b2569514446b6da8295d39ff0193eed61a27c914346125

/Users/run/Desktop/payload/happymeal

MD5 176fd682841c1bf121d5d31ed4e79ff6
SHA1 4cef56665caa85e9ea0c6cea82b1bd7fb3c93392
SHA256 9660253445f7637d98d663c855a9c18a59e921de127df607e1781d2b57486431
SHA512 34bcdc43bf91af165df72f49f73cbdaedf0e02daa272ce4e19cbf2db00ad203879c02f90626d75299d4d87628bf8a8d3c5ea8ffb013e43f1a8070e107c16e068