Malware Analysis Report

2024-10-16 06:43

Sample ID 240619-nd143ayhkf
Target BTRT.dmg
SHA256 32ccc2ac393e46cb7c45fddf714570bf2d2524aa77227fa049c40341fcc2dd37
Tags
evasion
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

32ccc2ac393e46cb7c45fddf714570bf2d2524aa77227fa049c40341fcc2dd37

Threat Level: Likely benign

The file BTRT.dmg was found to be: Likely benign.

Malicious Activity Summary

evasion

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 11:17

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 11:17

Reported

2024-06-19 11:17

Platform

macos-20240611-en

Max time kernel

0s

Max time network

4s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Boonana Trojan Removal Tool/Boonana Removal Tool.app/Contents/MacOS/Boonana Removal Tool"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Boonana Trojan Removal Tool/Boonana Removal Tool.app/Contents/MacOS/Boonana Removal Tool"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Boonana Trojan Removal Tool/Boonana Removal Tool.app/Contents/MacOS/Boonana Removal Tool"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Boonana Trojan Removal Tool/Boonana Removal Tool.app/Contents/MacOS/Boonana Removal Tool]

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 11:17

Reported

2024-06-19 11:17

Platform

macos-20240611-en

Max time kernel

0s

Max time network

4s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Boonana Trojan Removal Tool/ReadMe.rtf"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Boonana Trojan Removal Tool/ReadMe.rtf"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Boonana Trojan Removal Tool/ReadMe.rtf"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Boonana Trojan Removal Tool/ReadMe.rtf]

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 11:17

Reported

2024-06-19 11:18

Platform

macos-20240611-en

Max time kernel

58s

Max time network

67s

Command Line

[sh -c sudo /bin/zsh -c "open /Volumes/Boonana\ Trojan\ Removal\ Tool/Boonana\ Removal\ Tool.app"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Volumes/Boonana\ Trojan\ Removal\ Tool/Boonana\ Removal\ Tool.app"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Volumes/Boonana\ Trojan\ Removal\ Tool/Boonana\ Removal\ Tool.app"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Volumes/Boonana\ Trojan\ Removal\ Tool/Boonana\ Removal\ Tool.app]

/bin/zsh

[/bin/zsh -c open /Volumes/Boonana\ Trojan\ Removal\ Tool/Boonana\ Removal\ Tool.app]

/usr/bin/open

[open /Volumes/Boonana Trojan Removal Tool/Boonana Removal Tool.app]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater66017B75/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.satellite.A8F54724-F570-41CA-9A8B-478DEF2BC3A0 603]

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite

[/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextInputMenuAgent]

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent

[/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextInputSwitcher]

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher

[/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher]

Network

Country Destination Domain Proto
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 itunes.apple.com udp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
GB 104.91.71.16:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 104.77.118.121:443 a1366.dscapi6.akamai.net tcp
US 8.8.8.8:53 gsp64-ssl.ls-apple.com.akadns.net udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 e528863522ec78e22d41392c18c81054
SHA1 09689eb0fc8e0e2f2f6c1bae2c0fac7d24983f62
SHA256 d5beb39e6137d1fbe62dcfaa559174116c5400e3b2786f174ce21b33bcd2322c
SHA512 20a3298fe4b09e1c606c24807e40f15a4d8694b31796a0dd276b63586c4f56563e95fec1e121b85a288a2d8c270e8fafad4f2d66908af25202f05bf051b7ac26