Analysis Overview
SHA256
4b3bbdb0f2078a3eafa62b68dd77039d588e778885b1343fccae996f12c54b76
Threat Level: Shows suspicious behavior
The file b32da496039560f42411578535dd04db_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Installer Packages
Resource Forking
File and Directory Discovery
Launchctl
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 11:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 11:05
Reported
2024-06-16 11:08
Platform
macos-20240611-en
Max time kernel
123s
Max time network
142s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/b32da496039560f42411578535dd04db_JaffaCakes118"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/b32da496039560f42411578535dd04db_JaffaCakes118"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/b32da496039560f42411578535dd04db_JaffaCakes118]
/bin/zsh
[/bin/zsh -c /Users/run/b32da496039560f42411578535dd04db_JaffaCakes118]
/Users/run/b32da496039560f42411578535dd04db_JaffaCakes118
[/Users/run/b32da496039560f42411578535dd04db_JaffaCakes118]
/usr/libexec/dmd
[/usr/libexec/dmd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.bird]
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
Network
| Country | Destination | Domain | Proto |
| US | 52.182.143.213:443 | | tcp |
| GB | 17.250.81.65:443 | | tcp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| GB | 23.59.171.27:443 | | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
| US | 8.8.8.8:53 | gateway.fe2.apple-dns.net | udp |
| N/A | 224.0.0.251:5353 | | udp |
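Reports of this kind often emit Network rows with the empty Domain cell dropped, so the protocol shifts into the Domain column or the row has only three cells, and the table then reads as if "tcp" were a hostname. The script below is an added example (not part of the report or of the sandbox tooling): it repairs both row forms and sorts each flow into the buckets an analyst actually works from, namely DNS lookups, mDNS chatter, connections to names on a CDN/vendor allowlist, and connections the table ties to no name at all. The allowlist suffixes, the bucket names, and the sample rows (copied from the tables in this report) are the example's own assumptions; an "unattributed" flow means only that the sandbox recorded no name for that destination, not that the traffic is malicious, and those are the rows to look up first.

```python
"""Normalize and bucket the 'Network' tables of a Triage-style sandbox report.

Added example; not part of the report or of the sandbox tooling. Reports of
this kind may drop the empty Domain cell, so the protocol shifts into the
Domain column ('| US | 1.2.3.4:443 | tcp | |') or the row has only three cells
('| N/A | 224.0.0.251:5353 | udp |'). parse_table() accepts both forms.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

PROTOS = {"tcp", "udp"}

# Suffixes of CDN / vendor names that recur across these detonations. This
# allowlist is an assumption of the example, not a statement of the report.
ALLOW_SUFFIXES = ("apple.com", "apple-dns.net", "akamai.net", "akamaiedge.net",
                  "edgesuite.net", "akadns.net", "fastly.net", "trafficmanager.net")


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str     # "ip:port"
    domain: str   # "" when the table ties the flow to no name
    proto: str    # "tcp" or "udp"

    @property
    def ip(self) -> str:
        return self.dest.rsplit(":", 1)[0]

    @property
    def port(self) -> int:
        return int(self.dest.rsplit(":", 1)[1])


def parse_table(text: str) -> list[Flow]:
    """Parse pipe-table rows, tolerating the shifted and three-cell variants."""
    flows: list[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0].lower() == "country":          # header row
            continue
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c]         # drop empty cells
        if len(rest) == 1 and rest[0] in PROTOS:   # shifted or three-cell row
            domain, proto = "", rest[0]
        elif len(rest) == 2 and rest[1] in PROTOS:
            domain, proto = rest
        else:
            raise ValueError(f"unrecognized row: {line}")
        flows.append(Flow(country, dest, domain, proto))
    return flows


def is_allowlisted(domain: str) -> bool:
    """Suffix match on a label boundary, so 'notapple.com' does not pass."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in ALLOW_SUFFIXES)


def bucket(flow: Flow) -> str:
    if flow.ip.startswith("224.0.0.") and flow.port == 5353:
        return "mdns"                 # Bonjour chatter, not sample traffic
    if flow.proto == "udp" and flow.port == 53:
        return "dns-query"
    if not flow.domain:
        return "unattributed"         # the table ties this IP to no name: look it up
    if is_allowlisted(flow.domain):
        return "allowlisted"
    return "review"


def triage(flows: list[Flow]) -> dict[str, list[Flow]]:
    out: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        out[bucket(f)].append(f)
    return dict(out)


# Constructed sample: the behavioral1 table plus two attributed TCP rows from
# behavioral2, copied as printed in the report.
SAMPLE = """\
| Country | Destination | Domain | Proto |
| US | 52.182.143.213:443 | tcp | |
| GB | 17.250.81.65:443 | tcp | |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| GB | 23.59.171.27:443 | tcp | |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
| US | 8.8.8.8:53 | gateway.fe2.apple-dns.net | udp |
| N/A | 224.0.0.251:5353 | udp |
| GB | 104.77.118.121:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
"""

if __name__ == "__main__":
    for name, fl in triage(parse_table(SAMPLE)).items():
        print(name, [f.dest if not f.domain else f"{f.dest} ({f.domain})" for f in fl])
```

Run as a script it prints one line per bucket; on the sample the only rows outside the DNS, mDNS and allowlisted buckets are the three unattributed TLS connections, which is where the analyst's time should go.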
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml
| MD5 | 9a43af57707d2fb460832049d1f217d1 |
| SHA1 | 056d813f8cb5198ca82072f7e3484f38ea5267f8 |
| SHA256 | 7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c |
| SHA512 | 1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7 |
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
| MD5 | 495d23100e242156aa200c13b60e3778 |
| SHA1 | 043be031ab708e4ec77965f74fa0de7e98ffb3d5 |
| SHA256 | 319ae33ada78196f77b001f9a8c64ea0486233b9be3f0379208df073d0c7197d |
| SHA512 | 15bb68be2008aecc0d38c2385764330da1d543f3859afafaf312f3a5bc07af17d7c9aa9fbb39e7296668fcfb877316576be7a65fd4222698f6156dfec20af134 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 55d707d8a498ca399dd49c710374392d |
| SHA1 | 94956fb7af8ebb24faa018be5739179ae2e21dbb |
| SHA256 | 0de9ce482bde894cb5d5042cfeaf0d54cb0f56ad4852caa4d06ad54a53a7b49f |
| SHA512 | e6183083a8f1f1ea5e67806ecbcab5adefc331aca2622e3b846cee48b803a91076dfd9a905573ee71c900bc5563b4e6e7f3ab994de7e29552a01647cd29ad20e |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | a6ef4856e99c9d8e1d9bb762c5a8503a |
| SHA1 | 25d5405ad91791b716ae5a56b37aa2b393854967 |
| SHA256 | 232441aa129d4f21999860b8bf31db4b8617df9f7d32ef5f25a383edff82d9fa |
| SHA512 | 582fa1ea60766a5a4e99b295a8ed98c94f6bab45e42b7e8db61e9ad645f531891082cd457bfd11d660195af86f02c4ed93589e6e6daded683cff2d8319bbc489 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 2f01f7a00c85e424f82b00b2bf794a7c |
| SHA1 | c75cb52aa31012888dd7c65373d5faba6048c425 |
| SHA256 | 23d6746cb1c1906c9cfb5c69f7377f7cb68965ac0708ed1d600bfd3d3c34ce32 |
| SHA512 | 75131e0145182653cef2edbb968853c9cb3c26c37c5821f3cd69c3ecdde7979ae37e74ecea8ad333090a473177c6dad43bc34f94a8fd104cd4c9b16c8f7b54f8 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | ec55f376103cdb3183d77c1e135ebf9c |
| SHA1 | af6d3b90109230e42cf2690fc98aa655b29b1cc3 |
| SHA256 | fded2310b1244e727faf76d043cdbcd6d9fa209d7312ceb4cec0710685f141b8 |
| SHA512 | f3a0bef7dcd60fe99d4a780e9572de211ed6292e02fdd1100626af056ce022f7a2b3fa526050894516af22ec0900cf46d8ffa4bb413f1bd2703716c769437fea |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | ce7f5b3d4bfc7b4b0da6a06dccc515f2 |
| SHA1 | ce657a52a052a3aaf534ecfbf7cbdde4ee334c10 |
| SHA256 | 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1 |
| SHA512 | db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 11:05
Reported
2024-06-16 11:08
Platform
macos-20240611-en
Max time kernel
123s
Max time network
137s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper]
/bin/zsh
[/bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper]
/Users/run/Flash
[/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPInstallHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.cloudkeychainproxy3]
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
| GB | 51.132.193.104:443 | | tcp |
| GB | 17.250.81.67:443 | | tcp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.17:443 | | tcp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | gspe1-ssl.ls.apple.com.edgesuite.net | udp |
| GB | 104.77.118.121:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
| GB | 104.77.118.129:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | ce7f5b3d4bfc7b4b0da6a06dccc515f2 |
| SHA1 | ce657a52a052a3aaf534ecfbf7cbdde4ee334c10 |
| SHA256 | 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1 |
| SHA512 | db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | a60a7bcfc47eacaa66e5e3d701d3ba80 |
| SHA1 | 7093ffc5beca33187c18461c7ff3259a1781ae35 |
| SHA256 | 17e96efaf7f2e45e407a3c68fb57b78f09dea6fc1edf3732b888be4a4eadd468 |
| SHA512 | 58736bd680d6c7a25b8d7db08fd4a258cf761dbaa44a5ece0c2b813ab12c20dc213ab40844dfc780687945cf2459f549f1a38bf3da16c5c332756f3b53e1c3a5 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 95f24d2f9121654acd5a1c44e572082b |
| SHA1 | ea13b61b35ef396ebe42f09e638a39f13b93fd9b |
| SHA256 | 2b7b2a1c679a5a0d2465351f35584f1eb6de22160daefb4cba351838f98f155e |
| SHA512 | d1eaa0bd0b245f98a03d24197e02096400abea41f5a36905a41c777bedba15194f3de256c12b4f038e38267147986e8b9dd543189fdc6d1788d3c012bc63270d |
/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml
| MD5 | 9a43af57707d2fb460832049d1f217d1 |
| SHA1 | 056d813f8cb5198ca82072f7e3484f38ea5267f8 |
| SHA256 | 7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c |
| SHA512 | 1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7 |
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
| MD5 | c96a7b4a7cd96b16ef1323bd3ff3a469 |
| SHA1 | 6b4f848b83f0815f5a7d716e6b0741e2da9b1e7c |
| SHA256 | 5541ab7124e9f6880bdcbdcf2c7f9c64b6a0641123513cb230cb80c3d4c15c04 |
| SHA512 | 9b964de2341feb7f5c8afdbb9d82e3acdb070dc0944a1a281183440fc8ed52a5c2cdbe7a0de8a6a3f3f7c2079b336df7048fac65c0438fb6168edef8f06bfd5f |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 1340033aca269b30874eafa2ec72adfe |
| SHA1 | e1c0e123ffc93a5f22c906c7206a625a149944d1 |
| SHA256 | fb10f63de2c68693f4360c0c8cb0dd64e163dde54ffb9c97932d804df4a4f724 |
| SHA512 | 587feb19b7dcfc422a0feb360fc1a855a766e518d8a16b0e6b1df509706c0b703270449e5688bcc584002f277981d6f1edbed996abdd81b8a402ba968c2d08e6 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-16 11:05
Reported
2024-06-16 11:08
Platform
macos-20240611-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper]
/bin/zsh
[/bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper]
/Users/run/Flash
[/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/Helpers/FPUninstallHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0B4C966A/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
Network
| Country | Destination | Domain | Proto |
| US | 151.101.3.6:443 | | tcp |
| US | 151.101.195.6:443 | | tcp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| N/A | 224.0.0.251:5353 | | udp |
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-16 11:05
Reported
2024-06-16 11:08
Platform
macos-20240611-en
Max time kernel
147s
Max time network
147s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager]
/bin/zsh
[/bin/zsh -c /Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager]
/Users/run/Flash
[/Users/run/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.cloudkeychainproxy3]
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater66017B75/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| GB | 104.91.71.16:443 | | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| GB | 104.77.118.129:443 | a1366.dscapi6.akamai.net | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | gsp-ssl.ls.apple.com | udp |
| GB | 17.253.29.214:443 | gsp-ssl.ls.apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | gsp64-ssl.ls-apple.com.akadns.net | udp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
| MD5 | 2ad2862170ecffa776b030dc2c41e32a |
| SHA1 | c57805a57f323e545a73deff24504a0de344e85d |
| SHA256 | 948c602d37d54720ba868bf3c66caf38cc2ec7c7cfe0cc2dbeca6ccec582e6da |
| SHA512 | 1392e12d02984e7c0ef45f820883fb229ddecd973d56f50c775fa4e970adf33f9f98940c4bdc863af75adde0459c63a7c5e414d00611de646b92c7a0761b80ef |
/Users/run/Library/Caches/GeoServices/Experiments.pbd
| MD5 | 14c8eec4c4a1e8763ac8ea95afb9e6e3 |
| SHA1 | aa5301b2e15687e43e77952f0221d5b9322c3bd2 |
| SHA256 | a462af34314e135f31dfa39fa5d244434edd4283f1413b338203087faa1809f9 |
| SHA512 | 121b6efb74a01be41eb4ffdd30736ef191cd9aeaf613f37b1187be0d94f689aaf7a61644c59ccda84742a36d678e25fa47d8230bc299e184e12d6278519884d4 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-16 11:05
Reported
2024-06-16 11:08
Platform
macos-20240611-en
Max time kernel
134s
Max time network
154s
Command Line
Signatures
Installer Packages
| Description | Indicator | Process | Target |
| N/A | /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / / | N/A | N/A |
| N/A | /bin/sh /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / / | N/A | N/A |
File and Directory Discovery
| Description | Indicator | Process | Target |
| N/A | dirname /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update "/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app" | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root / | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
| N/A | /bin/launchctl load //Library/LaunchDaemons/com.adobe.fpsaud.plist | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]
/bin/bash
[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]
/usr/bin/sudo
[sudo /bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]
/bin/zsh
[/bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]
/usr/sbin/installer
[installer -pkg /Users/run/setup.pkg -target /]
/usr/libexec/xpcproxy
[xpcproxy com.apple.installd]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root /]
/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
[/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /]
/bin/bash
[/bin/sh /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /]
/usr/bin/logger
[/usr/bin/logger Flash Player Install: Launching SAU Daemon...]
/bin/launchctl
[/bin/launchctl load //Library/LaunchDaemons/com.adobe.fpsaud.plist]
/usr/bin/logger
[/usr/bin/logger Flash Player Install: Finalizing Plugin installation...]
/usr/bin/dirname
[dirname /tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall]
/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize
[/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize /]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
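The process list above is flat (no PIDs, no parent links) and mixes the sample's own actions with launchd-spawned system services (xpcproxy, installd, CoreSpotlightService) and the sandbox image's OneDrive updater (the pluginkit and spctl lines), so rules have to key on the command line rather than on which binaries appear. The script below is an added example, not part of the report or of the sandbox tooling: it pairs each path line with its bracketed command line and pulls out the chain this detonation records, namely installer -pkg run under sudo, installd executing the package's postinstall and finalize scripts, and launchctl load of a plist under /Library/LaunchDaemons, which is what gives the package a root-level launchd job that survives reboot. The rule names, the package_id() heuristic that strips installd's random suffix from the Scripts directory name, and the sample input (lines copied from the behavioral5 list) are the example's own assumptions. Because the report carries no parent PIDs, the pkg-installs-launchdaemon rule only states that a package script and a LaunchDaemon load occurred in the same detonation; it cannot prove the script issued the load.

```python
"""Triage the flattened 'Processes' list of a Triage-style macOS sandbox report.

Added example; not part of the report or of the sandbox tooling. The report
prints each process as two lines: the executable path, then its command line
in square brackets. We pair those lines and apply rules keyed on the command
line, since the list has no PIDs or parent links.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Proc:
    path: str
    cmdline: str


@dataclass
class Finding:
    rule: str       # short rule name chosen by this example
    evidence: str   # the command line that fired the rule
    detail: str = ""


# launchctl load/bootstrap of a plist under /Library/LaunchDaemons or
# /Library/LaunchAgents; tolerates the doubled slash seen in the report.
LAUNCHD_RE = re.compile(
    r"\blaunchctl\s+(?:load|bootstrap)\b.*?"
    r"(/+Library/+Launch(?:Daemons|Agents)/+\S+\.plist)"
)
# Package scripts installd unpacks into /tmp/PKInstallSandbox.*/Scripts/<pkgid>.<rand>/
PKG_SCRIPT_RE = re.compile(
    r"/PKInstallSandbox\.[^/]+/Scripts/([^/\s]+)/(preinstall|postinstall|finalize)\b"
)
# Gatekeeper assessment of an app bundle: spctl --assess ... /path/Foo.app
SPCTL_RE = re.compile(r"\bspctl\s+--assess\b.*?\s(\S+\.app)\b")


def parse_processes(text: str) -> list[Proc]:
    """Pair each path line with the '[cmdline]' line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs: list[Proc] = []
    i = 0
    while i < len(lines):
        path = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("[") and nxt.endswith("]"):
            procs.append(Proc(path, nxt[1:-1]))
            i += 2
        else:                      # path line without a command line
            procs.append(Proc(path, path))
            i += 1
    return procs


def normalize_path(p: str) -> str:
    return re.sub(r"/{2,}", "/", p)


def package_id(scripts_dir: str) -> str:
    """'com.adobe.pkg.FlashPlayer.pSc7G1' -> 'com.adobe.pkg.FlashPlayer'.
    Assumption: installd appends exactly one random dot-suffix to the package id."""
    return scripts_dir.rsplit(".", 1)[0]


def triage(procs: list[Proc]) -> list[Finding]:
    findings: list[Finding] = []
    pkgs: set[str] = set()
    plists: list[str] = []
    for p in procs:
        if m := PKG_SCRIPT_RE.search(p.cmdline):
            pkg = package_id(m.group(1))
            pkgs.add(pkg)
            findings.append(Finding("pkg-script", p.cmdline, f"{m.group(2)} of {pkg}"))
        if m := LAUNCHD_RE.search(p.cmdline):
            plist = normalize_path(m.group(1))
            plists.append(plist)
            findings.append(Finding("launchd-persistence", p.cmdline, plist))
        if m := SPCTL_RE.search(p.cmdline):
            findings.append(Finding("gatekeeper-assess", p.cmdline, m.group(1)))
    # Highest-signal combination: a package script ran and a LaunchDaemon was
    # loaded in the same detonation. Without parent PIDs this is co-occurrence,
    # not proof that the script issued the load.
    for plist in plists:
        if "/LaunchDaemons/" in plist and pkgs:
            findings.append(Finding("pkg-installs-launchdaemon", plist, ", ".join(sorted(pkgs))))
    return findings


# Constructed sample: a subset of the behavioral5 process list, copied verbatim.
SAMPLE = """
/bin/sh
[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]
/usr/bin/sudo
[sudo /bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]
/usr/sbin/installer
[installer -pkg /Users/run/setup.pkg -target /]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]
/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
[/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall /Users/run/setup.pkg / / /]
/usr/bin/logger
[/usr/bin/logger Flash Player Install: Launching SAU Daemon...]
/bin/launchctl
[/bin/launchctl load //Library/LaunchDaemons/com.adobe.fpsaud.plist]
/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize
[/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize /]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app]
"""

if __name__ == "__main__":
    for f in triage(parse_processes(SAMPLE)):
        print(f"{f.rule:28} {f.detail}")
```

The spctl rule is deliberately informational: in these detonations every spctl --assess line targets the image's own OneDrive updater, so it is image noise here, but the same rule would surface a sample probing Gatekeeper before launching a second-stage bundle.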
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.42.65.93:443 | | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| US | 23.220.113.166:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/_CodeSignature/._CodeResources__
| MD5 | 9462cbe481a48e13312ef26462c183cc |
| SHA1 | 562358edeb448cf880230dcdb66b6260f7d47297 |
| SHA256 | 3abf7cd6e1a4a9ffc70badeb027ddd36c07ba218f9f38f5203d66c93890c290e |
| SHA512 | 781de912e55401a5ce997dcfa1d162ec893bfab54bc2e801d0ef2d40020347cc47cb5e8a2247b2563f4c8f3920f1337d3db88d873f20d2f70cdaf2d512f3f2ad |
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/MacOS/._Adobe Flash Player Install Manager__
| MD5 | 44553a79fa4b006c5a4a55b88ff93ff6 |
| SHA1 | 90764d741d80c2a5fbb10fab7e1aaf761267c1c6 |
| SHA256 | eee7d55b3663ad41ab9be32c6a642c07ded1c9c1eee27d55cef6ec470b68bb38 |
| SHA512 | 1d9f72ec023b3c40fab6b4522083f1b75454d8c0765fdcc92e3b1ebce7419fd8836e6813c96fabeeae64d2aa46615b7398dc1b1abc6e9161a71c6f8a2fcaeb28 |
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Resources/._English.lproj__
| MD5 | b857d79f769e70b1660d45cdfbe4647a |
| SHA1 | 0507b9ec7f9d5bf2e0d2ca1062509b86deefbe4b |
| SHA256 | 5151cde3d1d95dcafebf27fe875ee2aad727fcb71febbe987ae1c17d8a033b51 |
| SHA512 | e4fd7c9b46cc45d1b2e95fa159c49355e39c5f96edda13dcefae5a454062205af1a4ee23adc06f8b242b3972c8b7e4adf608cf365020c841d774939f3e019264 |
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/._Helpers__
| MD5 | a067e3cc0f1a970ba994a2b4a6446cc2 |
| SHA1 | 510dba90c0b58483daeb4dbc5c11524f254dc554 |
| SHA256 | af1c677bf6b6e99680580fc5225c7e1bda16cdf8c01e3a79d54b0958efb8012f |
| SHA512 | 29acebe38de4704ac4437a3a5e6068ed3d9542798ea72d8fd328deffd6ae5e02219970b465c968b889813c3fa3d3eda353e38e0758f045388ffbf7d5ebe1353f |
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/._Resources__
| MD5 | b66d7236b966764ee3540dc355162f26 |
| SHA1 | fb1319893789a9881a82f12be0d0ba4aeec04f47 |
| SHA256 | 8eb639ec765513d9090e412c025c4d8133b31be86e21e0cfe483442451a16310 |
| SHA512 | 970a3bd158370db9ea6172e259af27971bd39597cbee7c634471884c16c9c015835ac2086ee55f867870b6114eb156050a90d947a76cda65829dd5aceaf71619 |
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/Adobe Flash Player Install Manager.app/._Contents__
| MD5 | a226d8977cc8358c0e819f8fc9591297 |
| SHA1 | 458bde93d3f75f1fd4da8ae06991675262c41097 |
| SHA256 | e7e7aba9aafcb062bd0aea7b24ef6cfc42efc8b8cf53644255f007965d437f0f |
| SHA512 | d194bf062360e4b500618a5918cffd0d49859ebbfcaf0ef50cc78b379998056a3944e46ae858002ae03c6c17a455f430279eb730ecc4c8f9fa4e71e33aced0db |
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root//Applications/Utilities/._Adobe Flash Player Install Manager.app__
| MD5 | 4fdc66c51f562ecd3216b95e3ad9d66b |
| SHA1 | 3849197ece111c2bdf89980b83f790a6da0f33b7 |
| SHA256 | 6137481ad820f9cd0a0218da709fe719edc7f163009f7631eca7aa33c04fa038 |
| SHA512 | a876587bdcbf73768bb26ce2b28764fc3f5ac09f8f495c9a9f6a402e45475402b109b89a18a08e92bfd1808fcd5375dfeea109e597678836ed38014cf8c1e7e2 |
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Info.plist
| MD5 | 42ddaa22596dd0c864100c46880e918c |
| SHA1 | 8347603d23c8c5d4fe462f8148b6f241ed4c2492 |
| SHA256 | 716cb97525d313d4725f3641ec38a7d9b8f72a0fd90fabab0b8e1ae5790615a8 |
| SHA512 | 366864222b016783eef9bd2bd5e4cb9e608188b61d6620249e87685676da67bb49b5c700f52c5d46ce5de3269d2d5a1eab49b27882caac07a9c781365a16374f |
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Root/Applications/Utilities/Adobe Flash Player Install Manager.app/Contents/Resources/English.lproj/InfoPlist.strings
| MD5 | 112182c72eca910844e6d45cdd2cca87 |
| SHA1 | 7e45feb848736d28be9bc64e361452fa51950ca5 |
| SHA256 | 8ef60f3215f7e417fc7563ca9240ab0df298e7873fd4a80a29a01fe35098ea7d |
| SHA512 | 6bdd72df1a8b983abe823ac446a90101f46a39647db1058609f2c2db2d52ae06d405a11cb0db49ad19bcbe1cfd1207f56915254b140b5d046be38c1321b3e2d7 |
/private/var/run/installd.commit.pid
| MD5 | 3a0772443a0739141292a5429b952fe6 |
| SHA1 | 2473f01571bf0dcb7d2b16d67da6dd031769947d |
| SHA256 | 0d6f9709edaeba4bebf576d6b886b8c7083374f521f5256bf571add42fc7465c |
| SHA512 | 81ca6a07d5f4f941b52a01afbc0b608c3e0344e1c1644b716d09cd1f3420e4da8d98576af61a0337f470c2b8ea2492af4fc7dddb5865ddae8e52dbf29784ec92 |
/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/postinstall
| MD5 | ef3020256bd669e8529e6e4aed1c24b2 |
| SHA1 | 37fc45f29c6a6a7962b23b3195517ada211091a9 |
| SHA256 | 486573d2e273734fb25e8faaa542a0654cf81f0e09eeb088a839ff82d8ffecf7 |
| SHA512 | 751d9b03fe01ddd78901b66fd6a0fb5b07385793a73e6c45d44003691c79b3e1099f218237114716a81660f16632c0a1d3bb9d728b1d6738dd24e333fbc3a3f9 |
/tmp/PKInstallSandbox.hErRmG/Scripts/com.adobe.pkg.FlashPlayer.pSc7G1/finalize
| MD5 | 280e0f3ffb5a78e24835f9f7e1370eff |
| SHA1 | 1daf0275d6fff3ae5145435e40d8007d00ec54d0 |
| SHA256 | f0281ad22738d65ce61e72987d5900665bfb8abe13257905ddb0ba4362bcc47a |
| SHA512 | 9f99c5e3b1490321157ad032e0afded5c9ce456f3788a27f1cd88bcb7ae3609be6224b01108e6aeabe942fac04e92893a4cf31c5ae02399dcc7ff35a8b5196b7 |
/Library/InstallerSandboxes/.PKInstallSandboxManager/60C54D08-55E3-4300-8C08-7F30C0E03B56.activeSandbox/Boms/com.adobe.pkg.FlashPlayer.bom
| MD5 | 4dc632a89e380b9cb1fe7ede80f0c329 |
| SHA1 | 8a8dedc55e35c706e015cfd1b0be8b0d4895dc65 |
| SHA256 | 3e7e8280049ed9e5de13cf26607e1283e236587628056efb2710bccd0248e6a1 |
| SHA512 | ff6eb360dba11a703e72bda1ddfc56b52cc5a6fb22723ebb1a6d7e76647f9bdb6f6f221e70fbc723cfd2401398f64e86c7526e60b3d751bcc6082b716cf55b16 |