Malware Analysis Report

2024-10-10 07:17

Sample ID 240611-1ltfeasgrq
Target Xiaomi_Pro_Tool_v3.8.rar
SHA256 9c13cde9c884d4632662fc108d67a11740e75897f227d7b438294d8b20871396
Tags: evasion
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

9c13cde9c884d4632662fc108d67a11740e75897f227d7b438294d8b20871396

Threat Level: Shows suspicious behavior

The file Xiaomi_Pro_Tool_v3.8.rar was found to show suspicious behavior.

Malicious Activity Summary

evasion

Loads dropped DLL

Resource Forking

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 21:44

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 21:44

Reported

2024-06-11 21:47

Platform

debian12-armhf-20240418-en

Max time network

148s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination  Domain                         Proto
US       1.1.1.1:53   debian12-armhf-20240418-en-2   udp
US       1.1.1.1:53   debian12-armhf-20240418-en-2   udp
US       1.1.1.1:53   debian12-armhf-20240418-en-2   udp
US       1.1.1.1:53   debian12-armhf-20240418-en-2   udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 21:44

Reported

2024-06-11 21:47

Platform

macos-20240611-en

Max time kernel

139s

Max time network

154s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin"]

Signatures

Resource Forking (evasion)

Description  Indicator  Process  Target
N/A          /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy  N/A  N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin]

/bin/zsh

[/bin/zsh -c /Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin]

/Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin

[/Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

Network

Country  Destination          Domain                                   Proto
GB       51.132.193.104:443   -                                        tcp
GB       17.250.81.67:443     -                                        tcp
US       8.8.8.8:53           h3.apis.apple.map.fastly.net             udp
US       8.8.8.8:53           gspe1-ssl.ls.apple.com.edgesuite.net     udp
GB       104.77.118.121:443   -                                        tcp
US       8.8.8.8:53           e4686.dsce9.akamaiedge.net               udp
US       8.8.8.8:53           a479.dscg4.akamai.net                    udp
GB       23.59.171.27:443     gspe1-ssl.ls.apple.com.edgesuite.net     tcp
N/A      224.0.0.251:5353     -                                        udp
US       8.8.8.8:53           mobile.events.data.trafficmanager.net    udp
US       20.189.173.17:443    -                                        tcp
US       8.8.8.8:53           cds.apple.com                            udp
BE       104.68.86.71:443     cds.apple.com                            tcp
US       8.8.8.8:53           help.apple.com                           udp
SE       23.34.233.79:443     help.apple.com                           tcp
SE       23.34.233.79:443     help.apple.com                           tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml

MD5 9a43af57707d2fb460832049d1f217d1
SHA1 056d813f8cb5198ca82072f7e3484f38ea5267f8
SHA256 7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c
SHA512 1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 f3cdcb26e15d4a9572d24482b77c3c35
SHA1 1bc68d091952cb96bf13970d249ffb792d87924f
SHA256 07cf81ec0521b6c5d77b57611af5bc045684ba3cbecd52b18654ad92bc433029
SHA512 c50ed35a326d0880e7acdd97203c314416278791b2967c6055e7f94ef02461e8c6baf5502ad3bb38aedf341d90d75f2317b0b834fe45496042dc53b59d445a00

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 95d1f6a479ea836bed553646ebef85c1
SHA1 19da469018294e373c788d888e5c55e0bb18695e
SHA256 fc78047a7293b7fba3abe949497f397804f86e2ff04c29c4a549df60aa877aa2
SHA512 3f9b8aa7efc6cbbcf6672e0d08a630178c653894d800e9125ed18774de105bc564b097120e98b5711cec5d05d95b41fe822019bc10038055eabf341b0c12845d

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 b5ed1a4aa9f5eb7122af5b836de7cefc
SHA1 50f9e5dbb61125650245824f2bc6b466ede59bf6
SHA256 c81bb42621fd0e666a3863f06db96ab6f5f2631cf135d41e2916c25d973c1056
SHA512 3986a6f6457f3f794a04034f6d905cdb7ab37e67fd3d266a1aa7bf5deaeb544097d0c8668642288f2a6dfb33f343147241d2130abbff33f20140c6608f4a1211

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-11 21:44

Reported

2024-06-11 21:45

Platform

debian9-armhf-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-11 21:44

Reported

2024-06-11 21:45

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-11 21:44

Reported

2024-06-11 21:47

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe

"C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe"

Network

N/A

Files

memory/2028-7-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/2028-6-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/2028-3-0x00000000003A0000-0x00000000003BB000-memory.dmp

memory/2028-2-0x00000000003A0000-0x00000000003BB000-memory.dmp

memory/2028-8-0x0000000000400000-0x000000000149D000-memory.dmp

memory/2028-11-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/2028-10-0x00000000003A0000-0x00000000003BB000-memory.dmp

memory/2028-9-0x0000000077360000-0x0000000077361000-memory.dmp

memory/2028-16-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/2028-15-0x00000000003A0000-0x00000000003BB000-memory.dmp

memory/2028-17-0x0000000000400000-0x000000000149D000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 21:44

Reported

2024-06-11 21:45

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Command Line

[/tmp/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/hyp.mbn]

Signatures

N/A

Processes

/tmp/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/hyp.mbn

[/tmp/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/hyp.mbn]

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-11 21:44

Reported

2024-06-11 21:45

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-11 21:44

Reported

2024-06-11 21:47

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe"

Signatures

N/A
Processes

C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe

"C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe"

Network

Country  Destination         Domain  Proto
US       52.111.229.43:443   -       tcp

Files

memory/3248-4-0x0000000001730000-0x000000000174B000-memory.dmp

memory/3248-3-0x0000000001730000-0x000000000174B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evb68AE.tmp

MD5 70f0a349f0d28cbfe011ec6be17b24c7
SHA1 c8b7df21ca89ce02ff67b43c5c5d1b2b6f0600f1
SHA256 fa7aed239c6e1e48a3bb70723adbc632dcf2792c6ae50790d50fe41910602e9e
SHA512 7c6ef336d41e6628e05b3228ccea03e437a16c1f2cfe9bae0186e67e90a0867ec0e190d63537241e6e2baa32c0b33a80d2acf8ee25f13114de0f7f29fe6d8911

memory/3248-9-0x0000000001750000-0x0000000001762000-memory.dmp

memory/3248-8-0x0000000001750000-0x0000000001762000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evb68BE.tmp

MD5 49279bad944e3ed7006b772c4dff8dbb
SHA1 00eeed253b7bfe3b66e248299f056dba5faed22e
SHA256 a6d07d954727b3edfbab7036094bc010b3b0ece307ff8400e185624d53a8955d
SHA512 f72be6d22ddbf84b40e79c8839039106736ace1ce5556ac047fc9cab51790a0222f4cc5f01e38e93988c273bdf421cd2dc21c9f2f4181a24d55283154c4e7433

memory/3248-10-0x0000000000400000-0x000000000149D000-memory.dmp

memory/3248-12-0x0000000077053000-0x0000000077054000-memory.dmp

memory/3248-14-0x0000000001750000-0x0000000001762000-memory.dmp

memory/3248-13-0x0000000001730000-0x000000000174B000-memory.dmp

memory/3248-11-0x0000000077052000-0x0000000077053000-memory.dmp

memory/3248-15-0x0000000000400000-0x000000000149D000-memory.dmp

memory/3248-19-0x0000000001750000-0x0000000001762000-memory.dmp

memory/3248-18-0x0000000001730000-0x000000000174B000-memory.dmp