Malware Analysis Report

2024-10-10 07:26

Sample ID 240611-pwlmrsxbna
Target https://www.youtube.com/watch?v=1JBjTvn4QY8
Tags

evasion

Score

4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

4/10

Threat Level: Likely benign

The file https://www.youtube.com/watch?v=1JBjTvn4QY8 was found to be: Likely benign.

Malicious Activity Summary

evasion

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 12:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 12:40

Reported

2024-06-11 12:44

Platform

macos-20240410-en

Max time kernel

144s

Max time network

151s

Command Line

[xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer N/A N/A
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck N/A N/A
N/A /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid N/A N/A

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer]

/usr/libexec/xpcproxy

[xpcproxy com.apple.gkreport]

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer

[/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer]

/usr/libexec/gkreport

[/usr/libexec/gkreport]

/bin/sh

[sh -c sudo /bin/zsh -c "/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --simulate-outdated-no-au='Tue, 31 Dec 2099' --new-window https://www.youtube.com/watch?v=1JBjTvn4QY8"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --simulate-outdated-no-au='Tue, 31 Dec 2099' --new-window https://www.youtube.com/watch?v=1JBjTvn4QY8"]

/usr/bin/sudo

[sudo /bin/zsh -c /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --simulate-outdated-no-au='Tue, 31 Dec 2099' --new-window https://www.youtube.com/watch?v=1JBjTvn4QY8]

/usr/libexec/xpcproxy

[xpcproxy com.oracle.java.Java-Updater]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemstats.daily]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]

/bin/zsh

[/bin/zsh -c /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --simulate-outdated-no-au='Tue, 31 Dec 2099' --new-window https://www.youtube.com/watch?v=1JBjTvn4QY8]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AppStore.1900]

/System/Applications/App Store.app/Contents/MacOS/App Store

[/System/Applications/App Store.app/Contents/MacOS/App Store]

/usr/libexec/xpcproxy

[xpcproxy com.apple.storeuid]

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid

[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid]

/usr/libexec/xpcproxy

[xpcproxy com.apple.rtcreportingd]

/usr/libexec/rtcreportingd

[/usr/libexec/rtcreportingd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accessibility.mediaaccessibilityd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.coremedia.videodecoder 510]

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd

[/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService

[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.PerformanceAnalysis.animationperfd]

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd

[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Notes.1736]

/System/Applications/Notes.app/Contents/MacOS/Notes

[/System/Applications/Notes.app/Contents/MacOS/Notes]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2028]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.2F9BCFC4-5965-47D5-91F7-4F98E060FD82 546]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.CFDA6F1A-8E6F-4FA4-BD3A-1EA14926A470 546]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SearchHelper 546]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SafeBrowsing.Service]

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service

[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.A38C565B-0499-4B9D-AF66-68CA6E655C92 546]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.SandboxHelper 553]

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper

[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.010DF6F5-D70E-482C-B4A3-5B34B7648118 546]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
DE 20.52.64.201:443 N/A tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 apps.mzstatic.com udp
US 8.8.8.8:53 s.mzstatic.com udp
GB 2.21.188.28:443 s.mzstatic.com tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 play.itunes.apple.com udp
BE 23.14.90.74:443 play.itunes.apple.com tcp
US 8.8.8.8:53 buy.itunes.apple.com udp
US 17.156.128.10:443 buy.itunes.apple.com tcp
US 8.8.8.8:53 sf-api-token-service.itunes.apple.com udp
BE 23.55.96.25:443 sf-api-token-service.itunes.apple.com tcp
US 8.8.8.8:53 amp-api-edge.apps.apple.com udp
BE 23.14.90.112:443 amp-api-edge.apps.apple.com tcp
US 8.8.8.8:53 is1-ssl.mzstatic.com udp
US 8.8.8.8:53 apptrailers.itunes.apple.com udp
US 8.8.8.8:53 amp-api.apps.apple.com udp
BE 23.55.96.123:443 amp-api.apps.apple.com tcp
GB 17.253.77.201:80 apptrailers.itunes.apple.com tcp
US 8.8.8.8:53 search.itunes.apple.com udp
GB 17.250.81.67:443 N/A tcp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
IE 17.57.146.88:5223 N/A tcp
US 8.8.8.8:53 e6858.dscx.akamaiedge.net udp
US 8.8.8.8:53 a1806.dscw154.akamai.net udp
BE 23.14.90.74:443 a1806.dscw154.akamai.net tcp
GB 17.253.77.202:80 mesu-cdn.origin-apple.com.akadns.net tcp
US 8.8.8.8:53 e673.dsce9.akamaiedge.net udp
US 8.8.8.8:53 api-glb-aeuw3b.smoot.apple.com udp
US 8.8.8.8:53 gateway.fe2.apple-dns.net udp
US 8.8.8.8:53 clients1.google.com udp
US 8.8.8.8:53 clients1.google.com udp
US 8.8.8.8:53 clients1.google.com udp
GB 142.250.187.206:443 clients1.google.com tcp
US 8.8.8.8:53 cdn2.smoot.apple.com udp
US 8.8.8.8:53 cdn.smoot.apple.com udp
GB 142.250.187.206:443 clients1.google.com tcp
GB 142.250.187.206:443 clients1.google.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.180.14:443 www.youtube.com tcp
US 8.8.8.8:53 safebrowsing.googleapis.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.180.22:443 i.ytimg.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 rr1---sn-q4fzen7y.googlevideo.com udp
US 8.8.8.8:53 itunes.apple.com udp
GB 142.250.180.14:443 www.youtube.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 rr4---sn-hgn7rnls.googlevideo.com udp
FR 173.194.18.9:443 rr4---sn-hgn7rnls.googlevideo.com tcp
FR 173.194.18.9:443 rr4---sn-hgn7rnls.googlevideo.com tcp
FR 173.194.18.9:443 rr4---sn-hgn7rnls.googlevideo.com tcp
FR 173.194.18.9:443 rr4---sn-hgn7rnls.googlevideo.com tcp
FR 173.194.18.9:443 rr4---sn-hgn7rnls.googlevideo.com tcp
FR 173.194.18.9:443 rr4---sn-hgn7rnls.googlevideo.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 172.217.169.74:443 jnn-pa.googleapis.com tcp
GB 216.58.213.6:443 static.doubleclick.net tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.46:443 youtube.com tcp
US 8.8.8.8:53 suggestqueries-clients6.youtube.com udp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com tcp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
DE 51.116.246.105:443 N/A tcp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
SE 23.34.233.79:443 help.apple.com tcp
SE 23.34.233.79:443 help.apple.com tcp
US 8.8.8.8:53 e17437.dsct.akamaiedge.net udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.AppStore//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.AppStore//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist

MD5 64e24aa2b0d5b85b780cb77e1e897ef0
SHA1 84323a362065a8b056529f870a84551b2b90dc6d
SHA256 8b5b32f6ac5457ee19637e1157d58bf9cf020a12c35c28df9e0a6527b871435f
SHA512 f2d99417c296aa78485c2f39602907401773d07b6b650a861db9dc3e6bbbc0c054465ca35400273dfcc18eec8151f4076e4276ca9fffff5cdedb483616f6bb0f

/Users/run/Library/Safari/Favicon Cache/favicons/3EA0938D21D7307A80C51683148DA646

MD5 f00ffb858024f95fbde9c8ef2a62c4bc
SHA1 ca0fc41d59a2d8bd769f2376d1fd828912bb3c76
SHA256 0a3ba6c9348a3d6a485cb00c88ad6b04be11e61d9c0150558003e9f8502939c3
SHA512 1a666cbd95a5c09f30c862dbabe6784ca87856d23ef0d2a289bc94eb991aea268b39d423fc317bd00b7e9816a45f8bd5df2ca75b24361a203f64a7bf0ff51fbf

/Users/run/Library/Safari/Favicon Cache/favicons/636B42BE83A264A0D007C5C1F135EA8E

MD5 80f7367cb52983d2b58c2570460a9e9b
SHA1 8b1020b84f2c57bc43c0b0e504529fbd176fc694
SHA256 d7dd223f488a3dc314edecff758abc774093909d8cdaabb5c6b3f5a84a6f4be7
SHA512 ec16f486883b31551597eaa82406989c159a5e186ec33fcc8fbc85093d1ac758bfab065a9a8f91ef3087456cc2a0b2b097dbb074f567280f5ccf8f3838eaceb3

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

MD5 34899fd0f8532a91b643945f8a0f6241
SHA1 29e6263ea3cc01e616f491e770905fa6b00b1ad9
SHA256 b09cc856b632a1a7f9e8b363b9b0110f143b6c521cc4889502fd068719141d44
SHA512 12ab02108d7ae5bbdc6a075c8f804d5f7e0e5b12aafdea59fa8124bd1012d84cb85ab3b7b796f2b84a5de00a44e7f80304692647bdbf738690998a5b3b1bbf5c

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

MD5 daba85e31ad497f6b39164dd74dcc672
SHA1 f88fd2cb0a15cafbebf41c56157e344adb7a6373
SHA256 0f0b596458a3f80eb46293f32ef3dcc47fb32bc70ad541fbf693efa2e252da90
SHA512 9c3d4aa00c85523b15f975fe44971710a6fa653190419eb5774be77e4f779c5e1d322618b06c43bbf2382c938070b7321c8edeb5ba086edcabdb78941a0ea364

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

MD5 23ca63afc2e82a3130cee8240dc30743
SHA1 5ea2a8ef7fd506861941fa7ec19bb146f82ad336
SHA256 fb3d9e9b55f7faafefe5e6b7c865ca989d95ddf4d46891903aea40864c63c9b8
SHA512 a1da25f1281c0c71fe9e67def5d7201da4295ff723d5edc1422e0a0fe09d6ec1b8a09a68f0c5206cc0fef596d365572e9680924567f81dbf207ce16eb17f487a