Malware Analysis Report

2024-10-10 07:27

Sample ID: 240615-h9yqxswbrp
Target: ad5337a5e1b7448b3e37522535695244_JaffaCakes118
SHA256: 44cf0eeda0dd2519ce6b947fc1b2bbe931f6ff57566522d67f7f9217b3239d69
Tags: discovery, evasion, execution, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 44cf0eeda0dd2519ce6b947fc1b2bbe931f6ff57566522d67f7f9217b3239d69

Threat Level: Shows suspicious behavior

The file ad5337a5e1b7448b3e37522535695244_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, evasion, execution, persistence

File Permission
Installer Packages
File Deletion
File and Directory Discovery
Resource Forking
Command and Scripting Interpreter

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-15 07:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 07:26
Reported: 2024-06-15 07:29
Platform: macos-20240611-en
Max time kernel: 147s
Max time network: 149s

Command Line

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

Signatures

File Permission (evasion)

Installer Packages (persistence)

Description | Indicator | Process | Target
N/A | /tmp/PKInstallSandbox.N2wXql/Scripts/com.PermissionResearch.bzLMag/postinstall /Users/run/setup.pkg /tmp/PermissionResearch / / | N/A | N/A

File Deletion (evasion)

File and Directory Discovery (discovery)

Description | Indicator | Process | Target
N/A | dirname /Users/run/setup.pkg | N/A | N/A

Resource Forking (evasion)

Description | Indicator | Process | Target
N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd | N/A | N/A
N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid | N/A | N/A
N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/11C1B59C-C403-4E8B-B8D0-3338E5E978B8.activeSandbox/Root / | N/A | N/A

Command and Scripting Interpreter (execution)

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

/bin/bash

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

/usr/bin/sudo

[sudo /bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]

/bin/zsh

[/bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]

/usr/sbin/installer

[installer -pkg /Users/run/setup.pkg -target /]

/usr/libexec/xpcproxy

[xpcproxy com.apple.installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/11C1B59C-C403-4E8B-B8D0-3338E5E978B8.activeSandbox/Root /]

/tmp/PKInstallSandbox.N2wXql/Scripts/com.PermissionResearch.bzLMag/postinstall

[/tmp/PKInstallSandbox.N2wXql/Scripts/com.PermissionResearch.bzLMag/postinstall /Users/run/setup.pkg /tmp/PermissionResearch / /]

/bin/mkdir

[mkdir /var/run/risal.559]

/bin/chmod

[chmod 755 /var/run/risal.559]

/bin/dirname

[dirname /Users/run/setup.pkg]

/sbin/dirname

[dirname /Users/run/setup.pkg]

/usr/bin/dirname

[dirname /Users/run/setup.pkg]

/usr/bin/cd

[/usr/bin/cd /tmp/PermissionResearch]

/bin/bash

[/bin/sh /usr/bin/cd /tmp/PermissionResearch]

/usr/bin/tr

[tr [:upper:] [:lower:]]

/bin/cp

[/bin/cp /tmp/PermissionResearch/PermissionResearch /var/run/risal.559/PermissionResearch]

/usr/bin/cd

[/usr/bin/cd /var/run/risal.559]

/bin/bash

[/bin/sh /usr/bin/cd /var/run/risal.559]

/usr/bin/tr

[tr [:upper:] [:lower:]]

/bin/chmod

[/bin/chmod 755 /tmp/PermissionResearch]

/bin/chmod

[/bin/chmod 755 /var/run/risal.559]

/bin/cp

[/bin/cp /var/run/risal.559/PermissionResearch /var/run/risal.559/helper]

/bin/cp

[/bin/cp /Users/run/bid.txt /var/run/risal.559/bid.txt]

/bin/chmod

[chmod 777 /var/run/risal.559/PermissionResearch]

/bin/chmod

[chmod 777 /var/run/risal.559/helper]

/var/run/risal.559/PermissionResearch

[/var/run/risal.559/PermissionResearch -install -start -noprogressbar -temp_path:/var/run/risal.559 -bidFile:/var/run/risal.559/bid.txt -v:NONE]

/bin/expr

[expr 0 + 1]

/bin/expr

[expr 1 + 1]

/bin/expr

[expr 2 + 1]

/bin/expr

[expr 3 + 1]

/bin/expr

[expr 4 + 1]

/bin/expr

[expr 5 + 1]

/bin/expr

[expr 6 + 1]

/bin/expr

[expr 7 + 1]

/bin/expr

[expr 8 + 1]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app]

/bin/expr

[expr 9 + 1]

/bin/expr

[expr 10 + 1]

/bin/expr

[expr 11 + 1]

/bin/expr

[expr 12 + 1]

/bin/expr

[expr 13 + 1]

/bin/expr

[expr 14 + 1]

/bin/expr

[expr 15 + 1]

/bin/expr

[expr 16 + 1]

/bin/expr

[expr 17 + 1]

/bin/expr

[expr 18 + 1]

/bin/expr

[expr 19 + 1]

/usr/bin/osascript

[/usr/bin/osascript]

/bin/rm

[rm -rf /var/run/risal.559]

/bin/rm

[/bin/rm -rf /tmp/PermissionResearch]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp
US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp
US | 20.42.65.93:443 | N/A | tcp
US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp
GB | 17.253.77.202:80 | valid.apple.com | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 8.8.8.8:53 | cds.apple.com | udp
BE | 104.68.86.71:443 | cds.apple.com | tcp
US | 8.8.8.8:53 | help.apple.com | udp
SE | 23.34.233.79:443 | help.apple.com | tcp
SE | 23.34.233.79:443 | help.apple.com | tcp

Files

/Library/InstallerSandboxes/.PKInstallSandboxManager/11C1B59C-C403-4E8B-B8D0-3338E5E978B8.activeSandbox/Scripts/com.PermissionResearch.bzLMag//._.DS_Store__

MD5 f0d9d90674bab5908378533975df5a01
SHA1 11050c2745c99ec8dacff161c2a0a22ffacb8b47
SHA256 74694443e1068dda8cb89e61b380ea27bcf410293bb68b4680e9d1253da73d4d
SHA512 a9e031f6f1ef80c20bf92938dc0164d1c0f640323a8c5c97e0b40743d5d3c72a692288a495a6d8a54b464e64876389eb79e79c1846a4c45eedd78824743c862c

/private/var/run/installd.commit.pid

MD5 7bcdf75ad237b8e02e301f4091fb6bc8
SHA1 093f0b067a05c35392acf5a68ae51f414b877d32
SHA256 8def3488486c17dfbc2861301b63237c3c3a05b4c23afed03d59829fba57e10c
SHA512 db361792f6d39384a4c80cd5392bfff740541f233dbfd4d814a50174f3fd38579db4b3625ef87e9d8ef53ef85ac1fc5bf4038f6580e838de9b54bdf4e14b94c1

/tmp/PKInstallSandbox.N2wXql/Scripts/com.PermissionResearch.bzLMag/postinstall

MD5 844198b9ef2842a73ae69775f77050ac
SHA1 6154ac098de147899eb8cf534044460f88efcde1
SHA256 a462532e7103ff2038db70208c0b5f47db02883bafd75a5c97ee7acacd4814e7
SHA512 fca52a8d982b78f1578bd8dce73d0e977aa55529fc26a7490010c8ea06c3f6eec4943c5d2bbe528bcbb2287f6ba46d1e04e98cbebc611c4cdc10672dcf7da46e

/tmp/PermissionResearch/PermissionResearch

MD5 7db241addf3024f152b96f730114e19b
SHA1 38afbf7e16b55853b3b46fab95c3d22866f8b2fe
SHA256 6dc118f3aeb6b8ed76efa7fc3e83336e144fbd9aa3f2540077854f4f6cd9d34f
SHA512 26eabaa1c46f1e6365ee3acdd508383c4a35135141ed9aa06e1b2a915fc0bfe5593216058380573148d857acb55cec0eda1580f9566d1899338ccf614681ca11