Malware Analysis Report

2024-10-10 07:28

Sample ID 240615-ybdk4asera
Target video_2024-06-06_21-58-03.avi
SHA256 39f13b867408e02352716b6f29226c54588d7585b0d641ee2aa377d4d9f4dc77
Tags
evasion execution
score
4/10

Analysis Overview

score
4/10

SHA256

39f13b867408e02352716b6f29226c54588d7585b0d641ee2aa377d4d9f4dc77

Threat Level: Likely benign

The file video_2024-06-06_21-58-03.avi was found to be: Likely benign.

Malicious Activity Summary

evasion execution

JavaScript

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 19:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 19:36

Reported

2024-06-15 19:39

Platform

macos-20240611-en

Max time kernel

147s

Max time network

145s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/video_2024-06-06_21-58-03.avi"]

Signatures

JavaScript

execution
Description Indicator Process Target
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A
N/A /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper N/A N/A
N/A /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/video_2024-06-06_21-58-03.avi"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/video_2024-06-06_21-58-03.avi"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/video_2024-06-06_21-58-03.avi]

/bin/zsh

[/bin/zsh -c /Users/run/video_2024-06-06_21-58-03.avi]

/Users/run/video_2024-06-06_21-58-03.avi

[/Users/run/video_2024-06-06_21-58-03.avi]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.JarLauncher.2128]

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher

[/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher]

/usr/libexec/xpcproxy

[xpcproxy com.apple.metadata.mdwrite]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -jar /Users/run/tmp/hello.jar]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AppStore.1900]

/System/Applications/App Store.app/Contents/MacOS/App Store

[/System/Applications/App Store.app/Contents/MacOS/App Store]

/usr/libexec/xpcproxy

[xpcproxy com.apple.storeuid]

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid

[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid]

/usr/libexec/xpcproxy

[xpcproxy com.apple.adid]

/System/Library/PrivateFrameworks/CoreADI.framework/adid

[/System/Library/PrivateFrameworks/CoreADI.framework/adid]

/usr/libexec/xpcproxy

[xpcproxy com.apple.PerformanceAnalysis.animationperfd]

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd

[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.coremedia.videodecoder 575]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService

[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2028]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.E1269168-FC41-40ED-B3EC-3BF057CE2CAE 589]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.akd]

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.811E8A2B-F65E-4257-BA90-F66341B44FC6 589]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CoreAuthentication.agent]

/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd

[/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

Network


Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db


/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db


/Library/Preferences/com.apple.networkextension.uuidcache.plist


/Library/Preferences/com.apple.networkextension.uuidcache.plist


/Library/Preferences/com.apple.networkextension.uuidcache.plist


/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml


/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd


/Library/Preferences/com.apple.networkextension.uuidcache.plist
