Malware Analysis Report

2024-10-10 07:36

Sample ID 240617-pjbl2avbmm
Target 20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba
SHA256 20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba
Tags
evasion
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba

Threat Level: Likely benign

The file 20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba was found to be: Likely benign.

Malicious Activity Summary

evasion

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 12:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 12:21

Reported

2024-06-17 12:22

Platform

macos-20240611-en

Max time kernel

78s

Max time network

79s

Command Line

[xpcproxy com.apple.pluginkit.pkd]

Signatures

Resource Forking

evasion
Description  N/A
Indicator    /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
Process      N/A
Target       N/A

The only indicator behind this signature is Apple's own CloudKeychainProxy, which the process list below shows being started through xpcproxy (com.apple.security.cloudkeychainproxy3) rather than by the submitted sample. No process or target is attributed to the sample itself, so this hit records resource-fork activity by a system service, not by the file under analysis.
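As an added triage helper that is not part of the sandbox report or of any tool it names, the script below does the two checks a practitioner would run on a local copy of this file: confirm the copy's SHA256 against the hash in the report header, and test whether the file actually carries a resource fork, which is what the "Resource Forking" signature refers to. The sample path is hypothetical; the resource-fork test can only return a positive result on macOS, where the fork is reachable as <file>/..namedfork/rsrc or as the com.apple.ResourceFork extended attribute, and on other systems it reports "none".

```shell
#!/bin/sh
# Added triage helper (not from the report): hash check plus resource-fork check.

# SHA256 of the sample as listed in the report header.
REPORT_SHA256="20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba"

# sha256_of FILE -> prints the lowercase hex digest, using whichever tool exists
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> exit 0 if the digest matches, 1 otherwise.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# has_resource_fork FILE -> exit 0 if a non-empty resource fork is present,
# 1 if not. On a file without a fork, ..namedfork/rsrc is empty (macOS) or
# does not exist (other systems), so -s is false either way and we fall back
# to listing extended attributes when an xattr tool is available.
has_resource_fork() {
    f="$1"
    if [ -s "$f/..namedfork/rsrc" ]; then
        return 0
    fi
    if command -v xattr >/dev/null 2>&1 \
        && xattr -l "$f" 2>/dev/null | grep -q '^com\.apple\.ResourceFork'; then
        return 0
    fi
    return 1
}

# triage FILE -> prints one line per check; exit status is 0 only when the
# file matches the report hash.
triage() {
    f="$1"
    if verify_sha256 "$f" "$REPORT_SHA256"; then
        echo "hash: matches report sample $REPORT_SHA256"
        rc=0
    else
        echo "hash: $(sha256_of "$f") does not match the report"
        rc=1
    fi
    if has_resource_fork "$f"; then
        echo "resource fork: present"
    else
        echo "resource fork: none"
    fi
    return $rc
}

# Usage: sh triage.sh /Users/run/<sample>   (hypothetical path)
if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

The hash check settles whether the local file is the one the report describes before any conclusion is drawn from its signatures; the fork check is the direct way to see whether the sample itself, rather than the system service the signature flagged, carries a resource fork.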

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba]

/bin/zsh

[/bin/zsh -c /Users/run/20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba]

/Users/run/20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba

[/Users/run/20a11d3fcdac288035963eb479102e63034fa39c30ee2d063fc2b9cae45112ba]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2E18A62F/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

Network

Country  Destination         Domain                                  Proto
US       8.8.8.8:53          bag-cdn.itunes-apple.com.akadns.net     udp
US       8.8.8.8:53          gspe1-ssl.ls.apple.com.edgesuite.net    udp
GB       104.77.118.129:443  -                                       tcp
US       8.8.8.8:53          e4686.dsce9.akamaiedge.net              udp
US       8.8.8.8:53          mobile.events.data.trafficmanager.net   udp
US       20.189.173.6:443    -                                       tcp
US       8.8.8.8:53          api.apple-cloudkit.fe2.apple-dns.net    udp

All udp rows are DNS queries to the sandbox resolver (8.8.8.8); the two tcp rows are the only direct connections recorded, and the report does not pair them with a resolved domain.

Files

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 e9038b61860114d74320357e3c499256
SHA1 e05a83d71cf42e2b4d7cf1411c891bd565478d78
SHA256 9ff749f01fe2287d19c2b503ccf7d99e23046afa31235f4aa8180f87cc1db951
SHA512 3e0686ef0a98d7715e068bf6e093beee7e5301b4072617695619b4ea06e0f77691fa8208fba3bca0635f7c5e0ee1cd4948bfb6d16f647047d04f3799d180bab3