Analysis Overview
SHA256
44cf0eeda0dd2519ce6b947fc1b2bbe931f6ff57566522d67f7f9217b3239d69
Threat Level: Shows suspicious behavior
The file ad5337a5e1b7448b3e37522535695244_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
File Permission
Installer Packages
File Deletion
File and Directory Discovery
Resource Forking
Command and Scripting Interpreter
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 07:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 07:26
Reported
2024-06-15 07:29
Platform
macos-20240611-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
File Permission
Installer Packages
| Description | Indicator | Process | Target |
| N/A | /tmp/PKInstallSandbox.N2wXql/Scripts/com.PermissionResearch.bzLMag/postinstall /Users/run/setup.pkg /tmp/PermissionResearch / / | N/A | N/A |
File Deletion
File and Directory Discovery
| Description | Indicator | Process | Target |
| N/A | dirname /Users/run/setup.pkg | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/11C1B59C-C403-4E8B-B8D0-3338E5E978B8.activeSandbox/Root / | N/A | N/A |
Command and Scripting Interpreter
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]
/bin/bash
[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]
/usr/bin/sudo
[sudo /bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]
/bin/zsh
[/bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]
/usr/sbin/installer
[installer -pkg /Users/run/setup.pkg -target /]
/usr/libexec/xpcproxy
[xpcproxy com.apple.installd]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/11C1B59C-C403-4E8B-B8D0-3338E5E978B8.activeSandbox/Root /]
/tmp/PKInstallSandbox.N2wXql/Scripts/com.PermissionResearch.bzLMag/postinstall
[/tmp/PKInstallSandbox.N2wXql/Scripts/com.PermissionResearch.bzLMag/postinstall /Users/run/setup.pkg /tmp/PermissionResearch / /]
/bin/mkdir
[mkdir /var/run/risal.559]
/bin/chmod
[chmod 755 /var/run/risal.559]
/bin/dirname
[dirname /Users/run/setup.pkg]
/sbin/dirname
[dirname /Users/run/setup.pkg]
/usr/bin/dirname
[dirname /Users/run/setup.pkg]
/usr/bin/cd
[/usr/bin/cd /tmp/PermissionResearch]
/bin/bash
[/bin/sh /usr/bin/cd /tmp/PermissionResearch]
/usr/bin/tr
[tr [:upper:] [:lower:]]
/bin/cp
[/bin/cp /tmp/PermissionResearch/PermissionResearch /var/run/risal.559/PermissionResearch]
/usr/bin/cd
[/usr/bin/cd /var/run/risal.559]
/bin/bash
[/bin/sh /usr/bin/cd /var/run/risal.559]
/usr/bin/tr
[tr [:upper:] [:lower:]]
/bin/chmod
[/bin/chmod 755 /tmp/PermissionResearch]
/bin/chmod
[/bin/chmod 755 /var/run/risal.559]
/bin/cp
[/bin/cp /var/run/risal.559/PermissionResearch /var/run/risal.559/helper]
/bin/cp
[/bin/cp /Users/run/bid.txt /var/run/risal.559/bid.txt]
/bin/chmod
[chmod 777 /var/run/risal.559/PermissionResearch]
/bin/chmod
[chmod 777 /var/run/risal.559/helper]
/var/run/risal.559/PermissionResearch
[/var/run/risal.559/PermissionResearch -install -start -noprogressbar -temp_path:/var/run/risal.559 -bidFile:/var/run/risal.559/bid.txt -v:NONE]
/bin/expr
[expr 0 + 1]
/bin/expr
[expr 1 + 1]
/bin/expr
[expr 2 + 1]
/bin/expr
[expr 3 + 1]
/bin/expr
[expr 4 + 1]
/bin/expr
[expr 5 + 1]
/bin/expr
[expr 6 + 1]
/bin/expr
[expr 7 + 1]
/bin/expr
[expr 8 + 1]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app]
/bin/expr
[expr 9 + 1]
/bin/expr
[expr 10 + 1]
/bin/expr
[expr 11 + 1]
/bin/expr
[expr 12 + 1]
/bin/expr
[expr 13 + 1]
/bin/expr
[expr 14 + 1]
/bin/expr
[expr 15 + 1]
/bin/expr
[expr 16 + 1]
/bin/expr
[expr 17 + 1]
/bin/expr
[expr 18 + 1]
/bin/expr
[expr 19 + 1]
/usr/bin/osascript
[/usr/bin/osascript]
/bin/rm
[rm -rf /var/run/risal.559]
/bin/rm
[/bin/rm -rf /tmp/PermissionResearch]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.42.65.93:443 | | tcp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| SE | 23.34.233.79:443 | help.apple.com | tcp |
| SE | 23.34.233.79:443 | help.apple.com | tcp |
Files
/Library/InstallerSandboxes/.PKInstallSandboxManager/11C1B59C-C403-4E8B-B8D0-3338E5E978B8.activeSandbox/Scripts/com.PermissionResearch.bzLMag//._.DS_Store__
| MD5 | f0d9d90674bab5908378533975df5a01 |
| SHA1 | 11050c2745c99ec8dacff161c2a0a22ffacb8b47 |
| SHA256 | 74694443e1068dda8cb89e61b380ea27bcf410293bb68b4680e9d1253da73d4d |
| SHA512 | a9e031f6f1ef80c20bf92938dc0164d1c0f640323a8c5c97e0b40743d5d3c72a692288a495a6d8a54b464e64876389eb79e79c1846a4c45eedd78824743c862c |
/private/var/run/installd.commit.pid
| MD5 | 7bcdf75ad237b8e02e301f4091fb6bc8 |
| SHA1 | 093f0b067a05c35392acf5a68ae51f414b877d32 |
| SHA256 | 8def3488486c17dfbc2861301b63237c3c3a05b4c23afed03d59829fba57e10c |
| SHA512 | db361792f6d39384a4c80cd5392bfff740541f233dbfd4d814a50174f3fd38579db4b3625ef87e9d8ef53ef85ac1fc5bf4038f6580e838de9b54bdf4e14b94c1 |
/tmp/PKInstallSandbox.N2wXql/Scripts/com.PermissionResearch.bzLMag/postinstall
| MD5 | 844198b9ef2842a73ae69775f77050ac |
| SHA1 | 6154ac098de147899eb8cf534044460f88efcde1 |
| SHA256 | a462532e7103ff2038db70208c0b5f47db02883bafd75a5c97ee7acacd4814e7 |
| SHA512 | fca52a8d982b78f1578bd8dce73d0e977aa55529fc26a7490010c8ea06c3f6eec4943c5d2bbe528bcbb2287f6ba46d1e04e98cbebc611c4cdc10672dcf7da46e |
/tmp/PermissionResearch/PermissionResearch
| MD5 | 7db241addf3024f152b96f730114e19b |
| SHA1 | 38afbf7e16b55853b3b46fab95c3d22866f8b2fe |
| SHA256 | 6dc118f3aeb6b8ed76efa7fc3e83336e144fbd9aa3f2540077854f4f6cd9d34f |
| SHA512 | 26eabaa1c46f1e6365ee3acdd508383c4a35135141ed9aa06e1b2a915fc0bfe5593216058380573148d857acb55cec0eda1580f9566d1899338ccf614681ca11 |