Malware Analysis Report

2024-10-10 07:26

Sample ID 240611-nqfnwsvgng
Target sample
SHA256 f91d32810260f25e95f93341f8ed47d6ca2d554ce9dbca78ab553a66117aedf6
Tags
evasion execution
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

f91d32810260f25e95f93341f8ed47d6ca2d554ce9dbca78ab553a66117aedf6

Threat Level: Likely benign

The file sample was found to be: Likely benign.

Malicious Activity Summary

evasion execution

JavaScript

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 11:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 11:35

Reported

2024-06-11 11:37

Platform

macos-20240410-en

Max time kernel

91s

Max time network

89s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/sample.html"]

Signatures

JavaScript

execution
Description: N/A
Indicator: "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar
Process: N/A
Target: N/A

Resource Forking

evasion
Description: N/A
Indicator: "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
Process: N/A
Target: N/A

Description: N/A
Indicator: /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
Process: N/A
Target: N/A

Description: N/A
Indicator: /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
Process: N/A
Target: N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/sample.html"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/sample.html"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/sample.html]

/usr/libexec/xpcproxy

[xpcproxy com.oracle.java.Java-Updater]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]

/usr/libexec/xpcproxy

[xpcproxy com.apple.newsyslog]

/bin/zsh

[/bin/zsh -c /Users/run/sample.html]

/Users/run/sample.html

[/Users/run/sample.html]

/bin/sh

[sh /Users/run/sample.html]

/bin/bash

[sh /Users/run/sample.html]

/usr/sbin/newsyslog

[/usr/sbin/newsyslog]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0BF23177/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2028]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.B5235A83-5CD5-4918-8D92-3059AE478019 513]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.9EEDBD60-BCCB-4DE5-B6F5-85301447B5E0 513]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.iCal.CalendarNC 328]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ncplugin.stocks 328]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ncplugin.weather 328]

/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks

[/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks]

/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC

[/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC]

/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather

[/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.1E49506F-23F9-4E80-A074-6F1450D3A809 513]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SafeBrowsing.Service]

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service

[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.AB31BDBB-D333-476E-8A90-670D91D516B2 513]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.0F1A01BC-FF67-4AD7-86ED-F4B77B16E2A7 513]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.4DDEA55D-7EEB-4F5F-9733-08FF5595B7D4 513]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SearchHelper 513]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.JarLauncher.2128]

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher

[/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher]

/usr/libexec/xpcproxy

[xpcproxy com.apple.metadata.mdwrite]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -jar /Users/run/tmp/hello.jar]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AppStore.1900]

/System/Applications/App Store.app/Contents/MacOS/App Store

[/System/Applications/App Store.app/Contents/MacOS/App Store]

/usr/libexec/xpcproxy

[xpcproxy com.apple.storeuid]

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid

[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid]

/usr/libexec/xpcproxy

[xpcproxy com.apple.rtcreportingd]

/usr/libexec/rtcreportingd

[/usr/libexec/rtcreportingd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.coremedia.videodecoder 561]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService

[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accessibility.mediaaccessibilityd]

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd

[/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

Network

Country Destination Domain Proto
US 151.101.67.6:443 tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.73.27:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 api-glb-aeuw3b.smoot.apple.com udp
FR 15.237.18.235:443 api-glb-aeuw3b.smoot.apple.com tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 apple-finance.query.yahoo.com udp
IE 87.248.100.168:443 apple-finance.query.yahoo.com tcp
IE 87.248.100.168:443 apple-finance.query.yahoo.com tcp
IE 87.248.100.168:443 apple-finance.query.yahoo.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 safebrowsing.googleapis.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 clients1.google.com udp
GB 142.250.187.206:443 clients1.google.com tcp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 ogs.google.com udp
GB 172.217.16.238:443 apis.google.com tcp
GB 142.250.187.238:443 ogs.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 172.217.169.46:443 play.google.com tcp
GB 172.217.169.46:443 play.google.com tcp
US 8.8.8.8:53 doodles.google udp
GB 216.58.212.241:443 doodles.google tcp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 216.58.212.241:443 csp.withgoogle.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com tcp
GB 216.58.213.14:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 cdn2.smoot.apple.com udp
US 8.8.8.8:53 cdn.smoot.apple.com udp
US 8.8.8.8:53 id.google.com udp
GB 142.250.180.3:443 id.google.com tcp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 e6858.dscx.akamaiedge.net udp
US 8.8.8.8:53 e673.dsce9.akamaiedge.net udp
US 8.8.8.8:53 itunes.apple.com udp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 8.8.8.8:53 apps.mzstatic.com udp
US 8.8.8.8:53 s.mzstatic.com udp
US 8.8.8.8:53 buy.itunes.apple.com udp
US 17.156.128.10:443 buy.itunes.apple.com tcp
US 8.8.8.8:53 play.itunes.apple.com udp
BE 2.17.107.186:443 play.itunes.apple.com tcp
US 8.8.8.8:53 sf-api-token-service.itunes.apple.com udp
BE 23.55.96.25:443 sf-api-token-service.itunes.apple.com tcp
US 8.8.8.8:53 amp-api-edge.apps.apple.com udp
BE 2.17.107.155:443 amp-api-edge.apps.apple.com tcp
US 8.8.8.8:53 is1-ssl.mzstatic.com udp
US 8.8.8.8:53 apptrailers.itunes.apple.com udp
US 8.8.8.8:53 amp-api.apps.apple.com udp
BE 23.55.96.123:443 amp-api.apps.apple.com tcp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Safari/Favicon Cache/favicons/2529545429CE075A4E64DE7DAA3D4C27

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

MD5 cff401c364970f8137b0c41e57d549ef
SHA1 a4c5b49e92361e0c3587ee106b11b143585e3b0b
SHA256 899ab34c300b83f0631f9dbd3dda28104cd4b52d689690e99e62e51d141f0e26
SHA512 fae8308884f7539d61b5e0efbb70ba4106c19169b04d4ac51dad468f850e2ede79bb26f62a1da9a0c82d42023c250cc4d0fd49e37013582728d4edce49686d5c

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

MD5 1434d9567aafded7678dd6adeb2a3e94
SHA1 b3119a748b6abae286cef944212ad11d897c5ea0
SHA256 ef45d0028c4275031c03b3e00e29ecdbe28a8f9084fe3cf25b4e61e120d58232
SHA512 41860dce24ea22a1716b5920dd770544907583fda6e824df640693e8c03af5d15f24a01cb0631244844ff1fc23186b8f984312b6127a51504375e3507e93ce67

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

MD5 b87a28c42a8c3c901bd53520fa00a568
SHA1 22c133c950b99affaf5f2f0da20bc8f390ec90a9
SHA256 1a075f16e0b0aaac3612bdf39118329489e573406325f2e651ef32ee0091e0ec
SHA512 8ac67ec44ebb0cfac79135112d1837bbd9a64643b6aae9068483c9c72abc15a2046b8092fb82d13b35968408d368c8bdbd5cd8a1c09dc77fb36a27545c9f5b4b

/Users/run/Library/Safari/Favicon Cache/favicons/937D62F6A84284E4EDF46E5F016D186A

MD5 919a16ae2de3bc543f19d3c8ceede9c4
SHA1 31d41b3e184cbb7effe7a475b7ed3bba376ea9d3
SHA256 b6150bf94bf356fbca8639490fec589e19e896ffcd3ec3c651605b5733ef03e9
SHA512 e62023e2a88d088612f25ca508021aa79d3e43c81efcf4740d6825ae92be0b83161d84cbc6b562662e851f3e912323b704fe287f50e4202f2ba451a07358c1c2

/Users/run/Library/Safari/Favicon Cache/favicons/067EC0DCF7EB00AECEAAE5EAD338A875

MD5 4f72663012543ad7cfa1dd5d78dc5af0
SHA1 069001eaaa436c30a43a0c6073c3d31ad4a7d21a
SHA256 133e23f3ccf9be03dbd128bb941c6042b66f3ea331650c79f992ea88ee1a7d77
SHA512 d112f52124d0a70a36c0f0fd30dcf0b2b597f079c07aa7d772025bf5e1286b35846fc9bcfe99ca07d62ceb342c9ce84651d17dc69c8871b297bfe140a791c0e6

/Users/run/Library/Safari/Favicon Cache/favicons/C44B2F96CCF24BBBA3F1AF3899A740D7

MD5 12ce3ae25e7d9c8f79686f4d7beb5e64
SHA1 83963532b5fcdf1c152bd85e29f7f38abe6d63bf
SHA256 9e84d0f4aeb91bda595238a825824cb672a1f78915788229f3d34fefa4f4d7f4
SHA512 b31465a626630ba32c8cd131148eebe6a9078d4814a9a265bf12746558509fdd2c7abfc58cb8233b87cb3ba236615b16cffb67a5ebe9885a7f42beea3d487999

/Users/run/Library/Safari/lock/details.plist

MD5 44402a84ee5c6c6a51f7669c3b72c096
SHA1 27232bf2f4805c71f2cf588b773ad2d0b5bc11fd
SHA256 63b59b8cff0b95cf55bfbf4205b525c5d53bc6963db467e2ffef513329d661e7
SHA512 2406c76230ae859c106ad27c30d7ab9d8ebcbba4b063e69c6b14c4afa02e0d1dda3367048c0c978ca385444d220369d4b567038c2680439eb45c0755e8f73a45

/System/Volumes/Data/Users/run/Library/Safari/Bookmarks.plist

MD5 2ef2280f7ca19262cc8298f29a37a223
SHA1 9cbc7f87d4e90ab89e5965cb55b7671c8c57dc05
SHA256 ed94b4091044e756fdddb7b0f32765b1039571562023a1b2aefadd1033e2b570
SHA512 97e59c90dec02a700c3ed82d4d14d83718f2d9b35e9e6e26242dc8cbf9b01a45fe789ec5c5f12d88470b6c1da09eb716c094aa6ae6924aded78a2a71bd046658

/Users/run/Library/Safari/lock/details.plist

MD5 521c586e9d1ad99b2c165ca98c5a7584
SHA1 be62b7779ef18447349e0e9236d2f9a3fe414dec
SHA256 be5a7654f8978d02446ec079b592ec3e85b5c47c70d1d994c15e00d90020f96c
SHA512 f7deb4c2928463dc840b517cd783d456776187e4a8ab3e98755765872dab98462897b17b7e1b5af174febf2c11b67274ba52b94564c87fa34647344e59d742a0

/Users/run/Library/Safari/Bookmarks.plist

MD5 291105f91192709b54688b5a22e69695
SHA1 8d65efbf91fc6e0836cff1e37e6d959144b8e214
SHA256 63b64979d0388306ee87dbc5b42ed0a363e67d7b71f87c491ef583a7cc87d09c
SHA512 ac2745041a6d91cbb703e164a6fe4f420a29bf36ff667b2c0ce2ba32e74023c8843efa047a7f784e14f65b0e0f46b95ef18723a4a61f9b0b5a0c34d09e9f53c5