Malware Analysis Report

2024-10-10 07:25

Sample ID 240611-xbzynaxcjm
Target curseforge-latest.dmg
SHA256 cd8caaef7fc2ec4507f9a71bdb5e2cad3538a7e0fe1a05ae38c8322b5bd42b8c
Tags evasion
Score 4/10

Analysis Overview

Score 4/10

SHA256 cd8caaef7fc2ec4507f9a71bdb5e2cad3538a7e0fe1a05ae38c8322b5bd42b8c

Threat Level: Likely benign

The file curseforge-latest.dmg was found to be: Likely benign.

Malicious Activity Summary

evasion

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 18:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 18:41

Reported

2024-06-11 18:45

Platform

macos-20240410-en

Max time kernel

17s

Max time network

68s

Command Line

[sh -c sudo /bin/zsh -c "open /Volumes/CurseForge\ 1.251.0-0-universal/CurseForge.app"]

Signatures

Resource Forking (evasion)

Description: N/A
Indicator: /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
Process: N/A
Target: N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Volumes/CurseForge\ 1.251.0-0-universal/CurseForge.app"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Volumes/CurseForge\ 1.251.0-0-universal/CurseForge.app"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Volumes/CurseForge\ 1.251.0-0-universal/CurseForge.app]

/bin/zsh

[/bin/zsh -c open /Volumes/CurseForge\ 1.251.0-0-universal/CurseForge.app]

/usr/bin/open

[open /Volumes/CurseForge 1.251.0-0-universal/CurseForge.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.overwolf.curseforge.2300]

/Volumes/CurseForge 1.251.0-0-universal/CurseForge.app/Contents/MacOS/CurseForge

[/Volumes/CurseForge 1.251.0-0-universal/CurseForge.app/Contents/MacOS/CurseForge]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump_agent]

/usr/libexec/spindump_agent

[/usr/libexec/spindump_agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.DesktopServicesHelper.6C9CDE86-2721-41BB-9190-916A90BC0DB4]

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper

[/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

Network

Country  Destination          Domain                                          Proto
AU       40.79.173.41:443                                                     tcp
DE       17.253.79.202:80                                                     tcp
US       8.8.8.8:53           b._dns-sd._udp.0.0.127.10.in-addr.arpa          udp
US       8.8.8.8:53           db._dns-sd._udp.0.0.127.10.in-addr.arpa         udp
US       8.8.8.8:53           b._dns-sd._udp.0.0.127.10.in-addr.arpa          udp
US       8.8.8.8:53           db._dns-sd._udp.0.0.127.10.in-addr.arpa         udp
N/A      224.0.0.251:5353                                                     udp

Files

N/A