Malware Analysis Report

2024-10-10 07:35

Sample ID 240616-m63b6a1bre
Target b32da496039560f42411578535dd04db_JaffaCakes118
SHA256 4b3bbdb0f2078a3eafa62b68dd77039d588e778885b1343fccae996f12c54b76
Tags
evasion discovery execution persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file b32da496039560f42411578535dd04db_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

evasion discovery execution persistence

Installer Packages

Resource Forking

File and Directory Discovery

Launchctl

Analysis: static1

Detonation Overview

Reported

2024-06-16 11:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 11:05

Reported

2024-06-16 11:08

Platform

macos-20240611-en

Max time kernel

123s

Max time network

142s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/b32da496039560f42411578535dd04db_JaffaCakes118"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/b32da496039560f42411578535dd04db_JaffaCakes118"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/b32da496039560f42411578535dd04db_JaffaCakes118"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/b32da496039560f42411578535dd04db_JaffaCakes118]

/bin/zsh

[/bin/zsh -c /Users/run/b32da496039560f42411578535dd04db_JaffaCakes118]

/Users/run/b32da496039560f42411578535dd04db_JaffaCakes118

[/Users/run/b32da496039560f42411578535dd04db_JaffaCakes118]

/usr/libexec/dmd

[/usr/libexec/dmd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.bird]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

Network

Country  Destination            Domain                                    Proto
US       52.182.143.213:443     -                                         tcp
GB       17.250.81.65:443       -                                         tcp
US       8.8.8.8:53             h3.apis.apple.map.fastly.net              udp
US       8.8.8.8:53             a1366.dscapi6.akamai.net                  udp
GB       23.59.171.27:443       -                                         tcp
US       8.8.8.8:53             e4686.dsce9.akamaiedge.net                udp
US       8.8.8.8:53             a479.dscg4.akamai.net                     udp
US       8.8.8.8:53             gateway.fe2.apple-dns.net                 udp
N/A      224.0.0.251:5353       -                                         udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

/Library/Preferences/com.apple.networkextension.uuidcache.plist (5 successive entries, each with different hashes)

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 11:05

Reported

2024-06-16 11:08

Platform

macos-20240611-en

Max time kernel

123s

Max time network

137s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper"]

Signatures

Resource Forking

evasion
Description: N/A; Process: N/A; Target: N/A
Indicator:
  /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper]

/bin/zsh

[/bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper]

/Users/run/Flash

[/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country  Destination            Domain                                    Proto
GB       51.132.193.104:443     -                                         tcp
GB       17.250.81.67:443       -                                         tcp
US       8.8.8.8:53             mobile.events.data.trafficmanager.net     udp
US       20.189.173.17:443      -                                         tcp
US       8.8.8.8:53             h3.apis.apple.map.fastly.net              udp
US       8.8.8.8:53             gspe1-ssl.ls.apple.com.edgesuite.net      udp
GB       104.77.118.121:443     gspe1-ssl.ls.apple.com.edgesuite.net      tcp
US       8.8.8.8:53             e4686.dsce9.akamaiedge.net                udp
US       8.8.8.8:53             a479.dscg4.akamai.net                     udp
GB       104.77.118.129:443     gspe1-ssl.ls.apple.com.edgesuite.net      tcp
GB       17.253.77.202:80       valid.apple.com                           tcp
US       8.8.8.8:53             cds.apple.com                             udp
BE       104.68.86.71:443       cds.apple.com                             tcp
US       8.8.8.8:53             help.apple.com                            udp
US       23.220.113.166:443     help.apple.com                            tcp
US       23.220.113.166:443     help.apple.com                            tcp
N/A      224.0.0.251:5353       -                                         udp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

/Library/Preferences/com.apple.networkextension.uuidcache.plist (3 successive entries, each with different hashes)

/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

/Library/Preferences/com.apple.networkextension.uuidcache.plist (1 further entry)

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 11:05

Reported

2024-06-16 11:08

Platform

macos-20240611-en

Max time kernel

149s

Max time network

146s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper]

/bin/zsh

[/bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper]

/Users/run/Flash

[/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0B4C966A/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

Network

Country  Destination            Domain                                    Proto
US       151.101.3.6:443        -                                         tcp
US       151.101.195.6:443      -                                         tcp
US       8.8.8.8:53             h3.apis.apple.map.fastly.net              udp
US       8.8.8.8:53             mobile.events.data.trafficmanager.net     udp
US       20.189.173.6:443       -                                         tcp
US       8.8.8.8:53             api.apple-cloudkit.fe2.apple-dns.net      udp
N/A      224.0.0.251:5353       -                                         udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 11:05

Reported

2024-06-16 11:08

Platform

macos-20240611-en

Max time kernel

147s

Max time network

147s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager"]

Signatures

Resource Forking

evasion
Description: N/A; Process: N/A; Target: N/A
Indicator:
  /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager]

/bin/zsh

[/bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager]

/Users/run/Flash

[/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater66017B75/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

Network

Country  Destination            Domain                                    Proto
US       8.8.8.8:53             lb._dns-sd._udp.0.0.127.10.in-addr.arpa   udp
US       8.8.8.8:53             h3.apis.apple.map.fastly.net              udp
US       8.8.8.8:53             mobile.events.data.trafficmanager.net     udp
US       20.189.173.6:443       -                                         tcp
US       8.8.8.8:53             api.apple-cloudkit.fe2.apple-dns.net      udp
US       8.8.8.8:53             a1366.dscapi6.akamai.net                  udp
GB       104.91.71.16:443       -                                         tcp
US       8.8.8.8:53             e4686.dsce9.akamaiedge.net                udp
GB       104.77.118.129:443     a1366.dscapi6.akamai.net                  tcp
US       8.8.8.8:53             cds.apple.com                             udp
BE       104.68.86.71:443       cds.apple.com                             tcp
US       8.8.8.8:53             help.apple.com                            udp
US       23.220.113.166:443     help.apple.com                            tcp
US       23.220.113.166:443     help.apple.com                            tcp
US       8.8.8.8:53             e4686.dsce9.akamaiedge.net                udp
US       8.8.8.8:53             gsp-ssl.ls.apple.com                      udp
GB       17.253.29.214:443      gsp-ssl.ls.apple.com                      tcp
N/A      224.0.0.251:5353       -                                         udp
US       8.8.8.8:53             gsp64-ssl.ls-apple.com.akadns.net         udp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

/Users/run/Library/Caches/GeoServices/Experiments.pbd

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 11:05

Reported

2024-06-16 11:08

Platform

macos-20240611-en

Max time kernel

134s

Max time network

154s

Command Line

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

Signatures

Installer Packages

persistence
Description: N/A; Process: N/A; Target: N/A
Indicators:
  /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /
  /bin/sh /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /

File and Directory Discovery

discovery
Description: N/A; Process: N/A; Target: N/A
Indicator:
  dirname /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall

Resource Forking

evasion
Description: N/A; Process: N/A; Target: N/A
Indicators:
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update "/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app"
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root /
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

Launchctl

execution
Description: N/A; Process: N/A; Target: N/A
Indicator:
  /bin/launchctl load //Library/LaunchDaemons/com.adobe.fpsaud.plist

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

/bin/bash

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

/usr/bin/sudo

[sudo /bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]

/bin/zsh

[/bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]

/usr/sbin/installer

[installer -pkg /Users/run/setup.pkg -target /]

/usr/libexec/xpcproxy

[xpcproxy com.apple.installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root /]

/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall

[/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /]

/bin/bash

[/bin/sh /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /]

/usr/bin/logger

[/usr/bin/logger Flash Player Install: Launching SAU Daemon...]

/bin/launchctl

[/bin/launchctl load //Library/LaunchDaemons/com.adobe.fpsaud.plist]

/usr/bin/logger

[/usr/bin/logger Flash Player Install: Finalizing Plugin installation...]

/usr/bin/dirname

[dirname /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall]

/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize

[/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize /]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country  Destination            Domain                                    Proto
US       8.8.8.8:53             api.apple-cloudkit.fe2.apple-dns.net      udp
US       8.8.8.8:53             h3.apis.apple.map.fastly.net              udp
US       8.8.8.8:53             mobile.events.data.trafficmanager.net     udp
US       20.42.65.93:443        -                                         tcp
US       8.8.8.8:53             cds.apple.com                             udp
BE       104.68.86.71:443       cds.apple.com                             tcp
US       8.8.8.8:53             help.apple.com                            udp
US       23.220.113.166:443     help.apple.com                            tcp
US       23.220.113.166:443     help.apple.com                            tcp
N/A      224.0.0.251:5353       -                                         udp

Files

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/_CodeSignature/._CodeResources__

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/MacOS/._Adobe Flash Player Install Manager__

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Resources/._English.lproj__

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/._Helpers__

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/._Resources__

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/._Contents__

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/._Adobe Flash Player Install Manager.app__

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Info.plist

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Resources/English.lproj/InfoPlist.strings

/private/var/run/installd.commit.pid

/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall

/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize

/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Boms/com.adobe.pkg.FlashPlayer.bom