Analysis Overview
SHA256: 39f13b867408e02352716b6f29226c54588d7585b0d641ee2aa377d4d9f4dc77
Threat Level: Likely benign
The file video_2024-06-06_21-58-03.avi was found to be: Likely benign.
Malicious Activity Summary
JavaScript
Resource Forking
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 19:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 19:36
Reported
2024-06-15 19:39
Platform
macos-20240611-en
Max time kernel
147s
Max time network
145s
Command Line
Signatures
JavaScript
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
| N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/video_2024-06-06_21-58-03.avi"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/video_2024-06-06_21-58-03.avi"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/video_2024-06-06_21-58-03.avi]
/bin/zsh
[/bin/zsh -c /Users/run/video_2024-06-06_21-58-03.avi]
/Users/run/video_2024-06-06_21-58-03.avi
[/Users/run/video_2024-06-06_21-58-03.avi]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.cloudkeychainproxy3]
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.ui.helper]
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.JarLauncher.2128]
/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
[/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher]
/usr/libexec/xpcproxy
[xpcproxy com.apple.metadata.mdwrite]
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -jar /Users/run/tmp/hello.jar]
/usr/libexec/xpcproxy
[xpcproxy com.apple.siri.context.service]
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AppStore.1900]
/System/Applications/App Store.app/Contents/MacOS/App Store
[/System/Applications/App Store.app/Contents/MacOS/App Store]
/usr/libexec/xpcproxy
[xpcproxy com.apple.storeuid]
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid]
/usr/libexec/xpcproxy
[xpcproxy com.apple.adid]
/System/Library/PrivateFrameworks/CoreADI.framework/adid
[/System/Library/PrivateFrameworks/CoreADI.framework/adid]
/usr/libexec/xpcproxy
[xpcproxy com.apple.PerformanceAnalysis.animationperfd]
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.coremedia.videodecoder 575]
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.2028]
/Applications/Safari.app/Contents/MacOS/Safari
[/Applications/Safari.app/Contents/MacOS/Safari]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.History]
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.E1269168-FC41-40ED-B3EC-3BF057CE2CAE 589]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.SafariLaunchAgent]
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.akd]
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.811E8A2B-F65E-4257-BA90-F66341B44FC6 589]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.CoreAuthentication.agent]
/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
[/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.knowledge-agent]
/usr/libexec/knowledge-agent
[/usr/libexec/knowledge-agent]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 51.132.193.104:443 | | tcp |
| GB | 17.250.81.67:443 | | tcp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.17:443 | | tcp |
| US | 20.42.73.28:443 | mobile.events.data.trafficmanager.net | tcp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | gspe1-ssl.ls.apple.com.edgesuite.net | udp |
| GB | 104.77.118.121:443 | | tcp |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
| US | 8.8.8.8:53 | itunes.apple.com | udp |
| NL | 23.72.252.80:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| US | 8.8.8.8:53 | apps.mzstatic.com | udp |
| US | 151.101.195.6:443 | apps.mzstatic.com | tcp |
| US | 8.8.8.8:53 | s.mzstatic.com | udp |
| US | 8.8.8.8:53 | buy.itunes.apple.com | udp |
| US | 17.156.128.10:443 | buy.itunes.apple.com | tcp |
| US | 8.8.8.8:53 | play.itunes.apple.com | udp |
| US | 2.22.144.39:443 | play.itunes.apple.com | tcp |
| US | 8.8.8.8:53 | sf-api-token-service.itunes.apple.com | udp |
| BE | 104.90.24.24:443 | sf-api-token-service.itunes.apple.com | tcp |
| US | 8.8.8.8:53 | amp-api-edge.apps.apple.com | udp |
| IE | 2.18.24.10:443 | amp-api-edge.apps.apple.com | tcp |
| US | 8.8.8.8:53 | is1-ssl.mzstatic.com | udp |
| US | 8.8.8.8:53 | amp-api.apps.apple.com | udp |
| BE | 104.90.24.118:443 | amp-api.apps.apple.com | tcp |
| GB | 17.253.77.201:80 | valid.apple.com | tcp |
| GB | 17.253.77.201:80 | valid.apple.com | tcp |
| US | 8.8.8.8:53 | se-edge.itunes.apple.com | udp |
| US | 8.8.8.8:53 | osxapps.itunes.apple.com | udp |
| NL | 2.18.121.27:443 | osxapps.itunes.apple.com | tcp |
| US | 8.8.8.8:53 | certs.apple.com | udp |
| GB | 17.253.37.207:80 | certs.apple.com | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| US | 8.8.8.8:53 | e673.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | api-glb-aeuw3b.smoot.apple.com | udp |
| US | 8.8.8.8:53 | gateway.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | a1806.dscw154.akamai.net | udp |
| US | 2.22.144.16:443 | play.itunes.apple.com | tcp |
| US | 8.8.8.8:53 | e17437.dsct.akamaiedge.net | udp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
/Library/Preferences/com.apple.networkextension.uuidcache.plist
/Library/Preferences/com.apple.networkextension.uuidcache.plist
/Library/Preferences/com.apple.networkextension.uuidcache.plist
/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
/Library/Preferences/com.apple.networkextension.uuidcache.plist