Malware Analysis Report

2024-10-10 07:24

Sample ID 240610-1wh3esscnb
Target sample
SHA256 59ac23b8b56f28020cb59eac6176ff138a145709d89049e067a795da0aaab5dd
Tags
evasion
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

59ac23b8b56f28020cb59eac6176ff138a145709d89049e067a795da0aaab5dd

Threat Level: Likely benign

The file sample was found to be: Likely benign.

Malicious Activity Summary

evasion

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 21:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 21:59

Reported

2024-06-10 22:01

Platform

macos-20240410-en

Max time kernel

46s

Max time network

52s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/sample.html"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool N/A N/A
N/A /System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool N/A N/A
N/A /System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck N/A N/A
N/A /System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref N/A N/A
N/A /System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool N/A N/A
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/sample.html"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/sample.html"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/sample.html]

/bin/zsh

[/bin/zsh -c /Users/run/sample.html]

/Users/run/sample.html

[/Users/run/sample.html]

/bin/sh

[sh /Users/run/sample.html]

/bin/bash

[sh /Users/run/sample.html]

/usr/libexec/dmd

[/usr/libexec/dmd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2028]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.70D550E2-9124-4832-B768-5295CF23A223 529]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.akd]

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.A2525A61-F116-4A67-B53C-D1D7D5FD3A6E 529]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CoreAuthentication.agent]

/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd

[/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systempreferences.2140]

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences

[/System/Applications/System Preferences.app/Contents/MacOS/System Preferences]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AccountProfileRemoteViewService 570]

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService

[/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService]

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool

[/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool]

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool

[/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool]

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck

[/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck]

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref

[/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref]

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool

[/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool]

/usr/libexec/xpcproxy

[xpcproxy com.apple.studentd]

/usr/libexec/studentd

[/usr/libexec/studentd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nfcd]

/usr/libexec/nfcd

[/usr/libexec/nfcd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.preferences.AppleIDPrefPane.remoteservice 570]

/System/Library/PreferencePanes/AppleIDPrefPane.prefPane/Contents/XPCServices/com.apple.preferences.AppleIDPrefPane.remoteservice.xpc/Contents/MacOS/com.apple.preferences.AppleIDPrefPane.remoteservice

[/System/Library/PreferencePanes/AppleIDPrefPane.prefPane/Contents/XPCServices/com.apple.preferences.AppleIDPrefPane.remoteservice.xpc/Contents/MacOS/com.apple.preferences.AppleIDPrefPane.remoteservice]

/usr/libexec/xpcproxy

[xpcproxy com.apple.metadata.mdwrite]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.adid]

/System/Library/PrivateFrameworks/CoreADI.framework/adid

[/System/Library/PrivateFrameworks/CoreADI.framework/adid]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AccountPolicyHelper]

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper

[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

Network


Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml

/Library/Preferences/com.apple.networkextension.uuidcache.plist

/Library/Preferences/com.apple.networkextension.uuidcache.plist

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

/Library/Preferences/com.apple.networkextension.uuidcache.plist