Malware Analysis Report

2024-10-16 06:32

Sample ID 240609-xgl9raed78
Target m6zzva
SHA256 8ef0aa04db9fe87fe3e9d92103882dde1531a55f8c7fcbceda55f8ae4f501435
Tags evasion
Score 4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 4/10

SHA256

8ef0aa04db9fe87fe3e9d92103882dde1531a55f8c7fcbceda55f8ae4f501435

Threat Level: Likely benign

The file m6zzva was found to be: Likely benign.

The only signature raised in the behavioral run, Resource Forking (tagged evasion), lists Apple system daemons (installd, system_installd, storedownloadd, storeuid) as its indicators rather than any process in the sample's own chain, so it is consistent with background App Store activity in the sandbox image and is not by itself evidence of behaviour by the sample.

Malicious Activity Summary

evasion

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 18:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 18:49

Reported

2024-06-09 18:51

Platform

macos-20240410-en

Max time kernel

116s

Max time network

119s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/m6zzva.html"]

Although the sample carries an .html extension, it is run as a shell script (the process list below shows sh /Users/run/m6zzva.html), and it is launched as root via sudo, so every behaviour recorded in this run was observed with root privileges.

Signatures

Resource Forking

evasion
Description | Indicator | Process | Target
N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd | N/A | N/A
N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd | N/A | N/A
N/A | /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd | N/A | N/A
N/A | /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid | N/A | N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/m6zzva.html"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/m6zzva.html"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/m6zzva.html]

/bin/zsh

[/bin/zsh -c /Users/run/m6zzva.html]

/Users/run/m6zzva.html

[/Users/run/m6zzva.html]

/bin/sh

[sh /Users/run/m6zzva.html]

/bin/bash

[sh /Users/run/m6zzva.html]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemprofiler]

/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information

[/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information]

/usr/libexec/xpcproxy

[xpcproxy com.apple.replayd]

/usr/libexec/replayd

[/usr/libexec/replayd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.system_installd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.storedownloadd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd]

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd

[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.CacheDeleteExtension 518]

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension

[/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AppStore.1900]

/System/Applications/App Store.app/Contents/MacOS/App Store

[/System/Applications/App Store.app/Contents/MacOS/App Store]

/usr/libexec/xpcproxy

[xpcproxy com.apple.storeuid]

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid

[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid]

/usr/libexec/xpcproxy

[xpcproxy com.apple.coremedia.videodecoder 534]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService

[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.PerformanceAnalysis.animationperfd]

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd

[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.94DA10F0-0B00-4C56-A11D-CF09581F1B45 534]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SafeBrowsing.Service]

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service

[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]

/usr/libexec/xpcproxy

[xpcproxy com.apple.rtcreportingd]

/usr/libexec/rtcreportingd

[/usr/libexec/rtcreportingd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.satellite.9D288875-529C-46E4-9C8B-537581A916FD 524]

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite

[/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2028]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.1B5CC203-32E3-4DEF-901D-DD05D996DAF9 550]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.13552E78-8050-45A9-B961-91AE0BA2871D 550]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.213FC3D3-3CBF-4FF9-A985-C526604DD107 550]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
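The process list above pairs each executable path with its argv on the following line, which makes it hard to see the sample's own chain among the Apple daemons that any macOS image spawns. The following is an added triage helper, not part of the sandbox's report: it parses that "path / [argv]" layout and flags entries that execute from or reference a user-writable location, escalate through sudo, pass commands via a shell's -c, or invoke spctl --assess. The prefixes treated as user-writable and the flag names are this example's own assumptions, and the embedded input is a constructed subset of the entries above.

```python
"""Triage helper for the flattened Processes section of a sandbox report.

Added example, not part of the original report. Each process is listed as
its executable path on one line and its argv in square brackets on the
next; this pairs them and flags the entries worth an analyst's attention.
"""
import re

# Assumption: paths under these prefixes are writable by an ordinary user,
# so execution from (or reference to) them is what separates the sample's
# chain from Apple-owned system binaries.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

# Constructed sample: a subset of the Processes entries above, in the
# report's own "path / [argv]" layout.
SAMPLE_PROCESSES = """\
/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/m6zzva.html"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/m6zzva.html]

/bin/zsh

[/bin/zsh -c /Users/run/m6zzva.html]

/Users/run/m6zzva.html

[/Users/run/m6zzva.html]

/bin/sh

[sh /Users/run/m6zzva.html]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemprofiler]

/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information

[/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
"""


def parse_processes(text):
    """Pair each executable path with the [argv] line that follows it."""
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if path is None:
                raise ValueError(f"argv without a preceding path: {line}")
            entries.append({"path": path, "argv": line[1:-1]})
            path = None
        else:
            path = line
    return entries


def classify(entry):
    """Return the list of flags (possibly empty) that apply to one entry."""
    path, argv = entry["path"], entry["argv"]
    flags = []
    if path.startswith(USER_WRITABLE):
        flags.append("exec-from-user-writable")
    elif any(p in argv for p in USER_WRITABLE):
        flags.append("references-user-writable")
    if path == "/usr/bin/sudo" or re.search(r"(^|\s)sudo\s", argv):
        flags.append("privilege-escalation-via-sudo")
    if re.search(r"\b(sh|bash|zsh)\s+-c\b", argv):
        flags.append("shell-c")
    if path.endswith("/spctl") and "--assess" in argv:
        flags.append("gatekeeper-assessment")
    return flags


def triage(text):
    """Entries that carry at least one flag, in report order."""
    return [{**e, "flags": classify(e)} for e in parse_processes(text) if classify(e)]


if __name__ == "__main__":
    for e in triage(SAMPLE_PROCESSES):
        print(", ".join(e["flags"]).ljust(60), e["path"])
```

Run on the full Processes section, this leaves the five-entry sudo/zsh/sh chain that actually executes the sample and the single spctl call, and drops the xpcproxy-launched Apple services that make up the rest of the list.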

Network

Country | Destination | Domain | Proto
DE | 20.52.64.201:443 | - | tcp
US | 8.8.8.8:53 | apis.apple.map.fastly.net | udp
US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp
US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp
US | 8.8.8.8:53 | apps.mzstatic.com | udp
US | 8.8.8.8:53 | s.mzstatic.com | udp
GB | 17.250.81.67:443 | - | tcp
US | 8.8.8.8:53 | buy.itunes.apple.com | udp
US | 17.156.128.10:443 | buy.itunes.apple.com | tcp
US | 8.8.8.8:53 | play.itunes.apple.com | udp
IE | 2.18.24.17:443 | play.itunes.apple.com | tcp
US | 8.8.8.8:53 | sf-api-token-service.itunes.apple.com | udp
BE | 104.90.24.24:443 | sf-api-token-service.itunes.apple.com | tcp
US | 8.8.8.8:53 | amp-api-edge.apps.apple.com | udp
BE | 23.14.90.112:443 | amp-api-edge.apps.apple.com | tcp
US | 8.8.8.8:53 | is1-ssl.mzstatic.com | udp
US | 8.8.8.8:53 | amp-api.apps.apple.com | udp
BE | 104.90.24.118:443 | amp-api.apps.apple.com | tcp
IE | 2.18.24.18:443 | play.itunes.apple.com | tcp
US | 17.156.128.10:443 | buy.itunes.apple.com | tcp
US | 8.8.8.8:53 | safebrowsing.googleapis.com | udp
FR | 172.217.20.202:443 | safebrowsing.googleapis.com | tcp
US | 8.8.8.8:53 | p70-buy.itunes.apple.com | udp
US | 17.23.112.10:443 | p70-buy.itunes.apple.com | tcp
US | 8.8.8.8:53 | finance-app.itunes.apple.com | udp
SE | 2.21.96.9:443 | finance-app.itunes.apple.com | tcp
US | 8.8.8.8:53 | itunes.apple.com | udp
US | 8.8.8.8:53 | setup.fe2.apple-dns.net | udp
US | 17.156.128.10:443 | buy.itunes.apple.com | tcp
IE | 2.18.24.17:443 | play.itunes.apple.com | tcp
SE | 2.21.96.81:443 | finance-app.itunes.apple.com | tcp
US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp
N/A | 224.0.0.251:5353 | - | udp
US | 8.8.8.8:53 | api-glb-aeuw3c.smoot.apple.com | udp
US | 8.8.8.8:53 | gateway.fe2.apple-dns.net | udp
US | 8.8.8.8:53 | a1806.dscw154.akamai.net | udp
IE | 2.18.24.17:443 | play.itunes.apple.com | tcp
US | 8.8.8.8:53 | e17437.dsct.akamaiedge.net | udp
US | 8.8.8.8:53 | www.yahoo.com | udp
GB | 87.248.114.12:443 | www.yahoo.com | tcp
US | 8.8.8.8:53 | guce.yahoo.com | udp
IE | 54.247.63.60:443 | guce.yahoo.com | tcp
US | 8.8.8.8:53 | e673.dsce9.akamaiedge.net | udp
US | 8.8.8.8:53 | consent.yahoo.com | udp
IE | 34.242.9.144:443 | consent.yahoo.com | tcp
US | 8.8.8.8:53 | s.yimg.com | udp
IE | 34.242.9.144:443 | consent.yahoo.com | tcp
GB | 87.248.114.11:443 | s.yimg.com | tcp
GB | 87.248.114.11:443 | s.yimg.com | tcp

A "-" in the Domain column means the report recorded no domain for that row. Rows to 8.8.8.8:53 over udp are DNS lookups and the :443 tcp rows are the TLS connections that followed them; the itunes/apps/mzstatic and safebrowsing.googleapis.com traffic lines up with the App Store and Safari processes listed above, and the in-addr.arpa lookups together with 224.0.0.251:5353 are Bonjour/mDNS service discovery. The two :443 connections with no recorded domain (20.52.64.201 and 17.250.81.67) are the rows that cannot be attributed from this table alone.
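Because the Domain column is absent on some rows, the table above cannot be split reliably on whitespace by column index. The following is an added triage helper, not part of the sandbox's report: it parses rows in the report's own layout by assigning the fixed fields from both ends, separates DNS lookups from outbound connections, sets local mDNS/DNS-SD noise aside, and singles out connections that have no DNS context. The registrable() helper that groups connections by the last two labels is this example's own simplification (not a public-suffix lookup), and the embedded rows are a constructed subset of the table above.

```python
"""Triage helper for a flattened sandbox Network table.

Added example, not part of the original report. Rows follow the report's
"Country Destination Domain Proto" layout; the Domain column is missing on
some rows, so fields are assigned by position from both ends of the row.
"""
from collections import Counter

# Constructed sample: a subset of the rows in the Network section above.
SAMPLE_ROWS = """\
DE 20.52.64.201:443 tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 8.8.8.8:53 buy.itunes.apple.com udp
US 17.156.128.10:443 buy.itunes.apple.com tcp
US 8.8.8.8:53 safebrowsing.googleapis.com udp
FR 172.217.20.202:443 safebrowsing.googleapis.com tcp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 87.248.114.12:443 www.yahoo.com tcp
GB 87.248.114.12:443 www.yahoo.com tcp
"""


def parse_row(line):
    """Return (country, ip, port, domain or None, proto) for one row."""
    fields = line.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = None
    else:
        raise ValueError(f"unexpected row layout: {line!r}")
    ip, _, port = dest.rpartition(":")
    return country, ip, int(port), domain, proto


def registrable(domain):
    """Crude eTLD+1 (last two labels). Adequate for .com/.net hosts as in
    this report; an assumption, not a public-suffix-list lookup."""
    return ".".join(domain.split(".")[-2:])


def triage(text):
    """Bucket rows into lookups, connections, unresolved connections and
    local-network noise, then total connections per registrable domain."""
    out = {"lookups": Counter(), "connections": Counter(),
           "unresolved": [], "local": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        country, ip, port, domain, proto = parse_row(line)
        # mDNS multicast and reverse-zone DNS-SD browsing never leave the
        # local network, so they are noise rather than contact with a host.
        if (ip == "224.0.0.251" and port == 5353) or \
                (domain is not None and domain.endswith(".in-addr.arpa")):
            out["local"].append(line)
        elif proto == "udp" and port == 53:
            out["lookups"][domain] += 1
        elif domain is None:
            # A connection the sandbox could not tie to a DNS answer: the
            # first thing to pivot on (passive DNS, TLS SNI, reverse DNS).
            out["unresolved"].append((country, ip, port, proto))
        else:
            out["connections"][(ip, port, domain)] += 1
    out["by_domain"] = Counter()
    for (ip, port, domain), n in out["connections"].items():
        out["by_domain"][registrable(domain)] += n
    return out


if __name__ == "__main__":
    r = triage(SAMPLE_ROWS)
    print("lookups:", dict(r["lookups"]))
    print("connections by domain:", dict(r["by_domain"]))
    print("unresolved:", r["unresolved"])
    print("local noise:", len(r["local"]), "rows")
```

The unresolved bucket is the useful output: on the full table it contains exactly the two :443 rows with no domain, which are the only destinations that the rest of the report does not explain.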

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.AppStore//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.AppStore//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/root/Library/Caches/rtcreportingd/events/NRM_Events_2024-06-09-18-49-52.event

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These four values are the digests of zero-length input, so the event file was empty when it was captured.

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

MD5 791355a19c658d3e9758de99db8071e5
SHA1 cc6687bc424ec210def570dc23323449ceb60f97
SHA256 5a699e4a332b6daf8bc4d8b00e965235c67d87c841cb2907e1572c855c4db8b3
SHA512 cd83d277f710785a5cc15e1fafa842ad7a31acd89b3b7687395bf091796ec98623c44f4e5cfc31587d305b0c0cb12d53540712acf93c87f8fb5b79e69c88b199

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

MD5 092e3ab29cabf4d5c8a8d0714b44248d
SHA1 48ff1d9c18a30edc07ba7c07cf8e168c86b9917b
SHA256 0794260a9a54486775f52424f37276b1c3bd59fb9cc38d6169ea88fd26d2469a
SHA512 6c1bcaeb75e3939db0847ad105577eb0daaa0a678cb0dc311a0a5719eab80b1b5339d0d05a0efd4bbd7bf6b86db9fef9234cc972d091108f4a1a6b3f7ed9759b

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

MD5 8b1fa2e8fd835973266afed3e62cad06
SHA1 8af473c78fa75a649ab9f7bc968b270ae44bb16d
SHA256 bb4f563bcbfc8cf657b42de947a8ca9274ea5a250bc705857127eef113d1601d
SHA512 81181fdcf1ee77e019c3cc21bbe69f3f32de010bf02c5695ef4681adb310e8981c6d1399fd6c9b3ea6af7286b0674712e9e8de09ceb1f59c41ddf13c05521fd5

/Users/run/Library/Safari/Favicon Cache/favicons/C72ABEB60AB7C7D055702A2A17CE7D41

MD5 773911b6f97625172122a675f9f04ea8
SHA1 95d89caa3daea89c5a2a45a6d797b7c042bb7648
SHA256 33241765a277a38b17770a9088888ebd01d11cce424bf010c4075e26eb5c40bb
SHA512 2dc3d7f352ab04dd45cf477ca9c4ee351e988a0547d3400b38a41f70ec27c54577b923e338e714b4f07ed373b9bd3f631b4af7818e950b0bfd11461086b5a465
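When a dropped file from a report like this is later retrieved, the first check is that the local copy matches the listed digests, and the second is whether a listed entry is actually empty (the NRM_Events_*.event entry above is). The following is an added example, not the sandbox's own code: it recomputes the four digests the report lists, compares a local copy against them, and recognises the empty-input digests. The two REPORTED entries are copied from the Files section above; the bytes passed to verify() are constructed for the test, since the files themselves are not on this page.

```python
"""Digest verification for a sandbox report's Files section.

Added example, not part of the original report. Recomputes the report's
four digests for a local copy of a file, reports any algorithm that
disagrees, and flags entries whose digests are those of an empty file.
"""
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(data):
    """Return {algorithm: hex digest} for the four algorithms the report lists."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


# Digests of b"" under the same four algorithms, derived rather than typed
# in so that a copy error cannot creep into the reference values.
EMPTY_DIGESTS = digests(b"")

# Copied from the Files section above: the empty event file and the App
# Store metadata database.
REPORTED = {
    "/var/root/Library/Caches/rtcreportingd/events/NRM_Events_2024-06-09-18-49-52.event": {
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
    "/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.AppStore//mds/mdsObject.db": {
        "md5": "d3a1859e6ec593505cc882e6def48fc8",
        "sha1": "f8e6728e3e9de477a75706faa95cead9ce13cb32",
        "sha256": "3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c",
        "sha512": "ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818",
    },
}


def is_empty_file(reported):
    """True when every listed digest equals the digest of zero-length input."""
    return all(reported.get(a, "").lower() == EMPTY_DIGESTS[a] for a in ALGOS)


def empty_entries(report):
    """Paths in a {path: digests} report whose content was empty when hashed."""
    return [path for path, d in report.items() if is_empty_file(d)]


def verify(data, reported):
    """Compare a local copy's digests with the reported ones.

    Returns the algorithms that disagree; an empty list means the copy
    matches on every algorithm the report listed."""
    actual = digests(data)
    return [a for a in ALGOS if a in reported and reported[a].lower() != actual[a]]


if __name__ == "__main__":
    for path in empty_entries(REPORTED):
        print("empty when captured:", path)
    # Constructed input: an empty byte string stands in for the event file.
    nrm = next(p for p in REPORTED if p.endswith(".event"))
    print("mismatching algorithms for b'':", verify(b"", REPORTED[nrm]))
```

verify() returns the disagreeing algorithms rather than a single boolean so that a partial mismatch (for instance an MD5 that matches while the SHA-256 does not) is visible as the inconsistency it is, instead of being collapsed into a pass or fail.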