Analysis Overview
SHA256
c0ef4d9b1690943def00ce4c7bb2838ff08cfe0d3ff85d39ca1e4ddc97593d01
Threat Level: Likely benign
The file AudioSlicer-1.1.1.dmg was found to be: Likely benign.
Malicious Activity Summary
Resource Forking
One or more HTTP URLs in PDF identified
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 11:22
Signatures
One or more HTTP URLs in PDF identified
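The SHA256 in the overview and the "Resource Forking" signature are both things a triager can re-check on a local copy before mounting the image, and the `spctl --assess --type execute` call that appears in the behavioral process lists is the Gatekeeper check to repeat on the extracted app. The script below is an added example, not part of the report or of AudioSlicer: the function names, the `REPORTED_SHA256`/`RESOURCE_FORK_XATTR`/`QUARANTINE_XATTR` constants and the fallback to `/usr/bin/xattr` are mine; the hash is the one the page gives. Only the hash and extended-attribute checks run on Linux, the Gatekeeper call needs macOS.

```python
"""Re-check a downloaded sample locally against the sandbox report above.

Added example, not the report's or the project's own code. Verifies the file
hash against the page's SHA256, looks for the extended attributes macOS uses
for resource forks and Gatekeeper quarantine (what a "Resource Forking"
signature is about), and wraps the spctl assessment the sandbox ran.
"""
import hashlib
import hmac
import os
import subprocess

# SHA256 the report gives for AudioSlicer-1.1.1.dmg.
REPORTED_SHA256 = "c0ef4d9b1690943def00ce4c7bb2838ff08cfe0d3ff85d39ca1e4ddc97593d01"

# Extended attribute names macOS uses for a resource fork and for the
# quarantine flag that makes Gatekeeper assess a downloaded app.
RESOURCE_FORK_XATTR = "com.apple.ResourceFork"
QUARANTINE_XATTR = "com.apple.quarantine"

# macOS tools; spctl is the binary the sandbox invoked in the process lists.
SPCTL = "/usr/sbin/spctl"
XATTR = "/usr/bin/xattr"


def sha256_file(path, chunk_size=1 << 20):
    """Stream SHA-256 over the file so a large DMG is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(path, expected=REPORTED_SHA256):
    """True when the file's SHA-256 equals the expected hex digest (case-insensitive)."""
    return hmac.compare_digest(sha256_file(path).lower(), expected.strip().lower())


def xattr_names(path):
    """Extended attribute names on the file.

    CPython exposes os.listxattr on Linux only; on macOS fall back to the
    /usr/bin/xattr tool, which prints one attribute name per line.
    """
    if hasattr(os, "listxattr"):
        try:
            return sorted(os.listxattr(path, follow_symlinks=False))
        except OSError:
            return []
    if os.path.exists(XATTR):
        out = subprocess.run([XATTR, path], capture_output=True, text=True, check=False)
        return sorted(l.strip() for l in out.stdout.splitlines() if l.strip())
    return []


def gatekeeper_assess(app_path):
    """Run the Gatekeeper check the sandbox ran: spctl --assess --type execute.

    Returns None where spctl is absent (non-macOS); otherwise (accepted, output).
    """
    if not os.path.exists(SPCTL):
        return None
    proc = subprocess.run(
        [SPCTL, "--assess", "--type", "execute", "--verbose", app_path],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()


def inspect(path, expected=REPORTED_SHA256):
    """What a triager wants to know before mounting the image, as one dict."""
    names = xattr_names(path)
    return {
        "sha256": sha256_file(path),
        "hash_matches_report": hash_matches(path, expected),
        "has_resource_fork": RESOURCE_FORK_XATTR in names,
        "quarantined": QUARANTINE_XATTR in names,
        "xattrs": names,
    }


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(inspect(sys.argv[1]), indent=2))
```

Run it as `python3 check.py AudioSlicer-1.1.1.dmg`. A hash mismatch means the local file is not the artifact this report describes and the verdict here does not apply to it. A missing `com.apple.quarantine` attribute means Gatekeeper will not assess the app on launch, so `gatekeeper_assess` is the way to get the same `spctl` answer the sandbox saw; the tool must be pointed at the `.app` bundle inside the mounted or extracted image, not at the `.dmg`.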
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 11:22
Reported
2024-06-19 11:23
Platform
macos-20240611-en
Max time kernel
44s
Max time network
51s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer]
/bin/zsh
[/bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer]
/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer
[/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.42.65.93:443 | | tcp |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-19 11:22
Reported
2024-06-19 11:23
Platform
macos-20240611-en
Max time kernel
56s
Max time network
61s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf | N/A | N/A |
| N/A | /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf | N/A | N/A |
| N/A | /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf | N/A | N/A |
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
| N/A | sh -c "sudo /bin/zsh -c \"/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf\"" | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf]
/bin/zsh
[/bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf]
/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf
[/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.cloudkeychainproxy3]
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater66017B75/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| GB | 104.91.71.16:443 | | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 104.18.38.233:80 | | tcp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| NL | 23.72.252.80:443 | a1366.dscapi6.akamai.net | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| US | 8.8.8.8:53 | gsp64-ssl.ls-apple.com.akadns.net | udp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
| MD5 | e528863522ec78e22d41392c18c81054 |
| SHA1 | 09689eb0fc8e0e2f2f6c1bae2c0fac7d24983f62 |
| SHA256 | d5beb39e6137d1fbe62dcfaa559174116c5400e3b2786f174ce21b33bcd2322c |
| SHA512 | 20a3298fe4b09e1c606c24807e40f15a4d8694b31796a0dd276b63586c4f56563e95fec1e121b85a288a2d8c270e8fafad4f2d66908af25202f05bf051b7ac26 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-19 11:22
Reported
2024-06-19 11:23
Platform
macos-20240611-en
Max time kernel
51s
Max time network
44s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | sh -c "sudo /bin/zsh -c \"/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf\"" | N/A | N/A |
| N/A | sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf | N/A | N/A |
| N/A | /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf | N/A | N/A |
| N/A | /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf]
/bin/zsh
[/bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf]
/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf
[/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0B4C966A/OneDrive.app]
Network
| Country | Destination | Domain | Proto |
| US | 151.101.195.6:443 | | tcp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 20.42.65.84:443 | mobile.events.data.trafficmanager.net | tcp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 151.101.195.6:443 | h3.apis.apple.map.fastly.net | tcp |
| US | 151.101.131.6:443 | h3.apis.apple.map.fastly.net | tcp |
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 11:22
Reported
2024-06-19 11:23
Platform
macos-20240611-en
Max time kernel
39s
Max time network
52s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app"]
/bin/bash
[sh -c sudo /bin/zsh -c "open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app"]
/usr/bin/sudo
[sudo /bin/zsh -c open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app]
/bin/zsh
[/bin/zsh -c open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app]
/usr/bin/open
[open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.satellite.88DC986C-A3E8-4BC9-86F6-B0EEFB1E33EB 551]
/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
[/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite]
/usr/libexec/xpcproxy
[xpcproxy com.apple.bird]
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.ui.helper]
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.TextEdit.2092]
/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
[/System/Applications/TextEdit.app/Contents/MacOS/TextEdit]
/usr/libexec/xpcproxy
[xpcproxy com.apple.metadata.mdwrite]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
Network
| Country | Destination | Domain | Proto |
| US | 52.182.143.213:443 | | tcp |
| GB | 17.250.81.65:443 | | tcp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | itunes.apple.com | udp |
| US | 8.8.8.8:53 | e6858.dscx.akamaiedge.net | udp |
Files
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | ce7f5b3d4bfc7b4b0da6a06dccc515f2 |
| SHA1 | ce657a52a052a3aaf534ecfbf7cbdde4ee334c10 |
| SHA256 | 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1 |
| SHA512 | db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 4d3efd632ec536e165b91e26b8fbde8a |
| SHA1 | 833a9b9e93b418474bfacce83dbc6b3355ef6075 |
| SHA256 | 05205992906b7e74d921ef7e1643c83c861abf69adabb15d3699620fd456a630 |
| SHA512 | d5493e235e660bb83300e367498f6695370f0552c627e35a202529069d65354a591b7c47c2567b2149dca9fc5084e3655216b2dd585b598d12af4d6f22aaf2fc |
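Across the four behavioral runs above, the process lists mix the sandbox's own `sh -> sudo -> zsh -> target` chain and the sample with launchd services started through `xpcproxy` and with entries (`pluginkit`, `spctl`) whose command lines reference an OneDrive path rather than the sample, and the network tables mix DNS lookups against 8.8.8.8 with the actual TCP connections. The script below is an added example, not part of the report: it reads the report's own layout (a process path line followed by its bracketed command line, and the pipe-delimited network table) and sorts entries by whether they reference the sample at all. The input strings are copied from the behavioral3 section, trimmed to a few entries; `SAMPLE_ROOTS` and the function names are mine. The report records no PIDs or parent links, so the split is by command-line reference only.

```python
"""Sort a sandbox process list and network table into sample activity and VM noise.

Added example, not the report's own code. The inputs below are copied from
the behavioral3 section of the report (a subset). Network rows whose Domain
cell is empty come out of the report with the protocol shifted into the
Domain column; the parser accepts both shapes.
"""
import re

# Copied from the report above (behavioral3), trimmed to a few entries.
SAMPLE_PROCESSES = """
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf]
/bin/zsh
[/bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf]
/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf
[/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater66017B75/OneDrive.app]
"""

SAMPLE_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.6:443 | tcp | |
| NL | 23.72.252.80:443 | a1366.dscapi6.akamai.net | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
"""

# Where the sandbox placed the sample in the runs above (extracted, or mounted).
SAMPLE_ROOTS = ("/Users/run/AudioSlicer-1.1.1", "/Volumes/AudioSlicer-1.1.1")

ROW = re.compile(r"^\|(.*)\|$")
# xpcproxy's argument is the launchd label, sometimes with an instance suffix
# (a PID as in com.apple.TextEdit.2092, or a UUID) that is stripped here.
LABEL_SUFFIX = re.compile(r"\.(\d+|[0-9A-Fa-f-]{36})$")


def parse_processes(text):
    """Return [(path, cmdline), ...] from the 'path' / '[cmdline]' listing."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    procs, i = [], 0
    while i < len(lines):
        path, cmd = lines[i], ""
        if i + 1 < len(lines) and lines[i + 1].startswith("["):
            cmd = lines[i + 1][1:-1]
            i += 1
        procs.append((path, cmd))
        i += 1
    return procs


def triage_processes(procs, roots=SAMPLE_ROOTS):
    """Split processes by whether path or command line references the sample."""
    sample, unrelated, labels = [], [], []
    for path, cmd in procs:
        if path.startswith(roots) or any(r in cmd for r in roots):
            sample.append((path, cmd))
            continue
        if path == "/usr/libexec/xpcproxy":
            parts = cmd.split()
            labels.append(LABEL_SUFFIX.sub("", parts[1]) if len(parts) > 1 else "")
        unrelated.append((path, cmd))
    return {"sample": sample, "unrelated": unrelated, "launchd_labels": sorted(set(labels))}


def parse_network(text):
    """Return (dns_lookups, connections); port-53 rows are DNS lookups."""
    dns, conns = [], []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        cells = [c.strip() for c in m.group(1).split("|")]
        if len(cells) < 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells[:4]
        if domain in ("tcp", "udp") and not proto:  # shifted row: no domain recorded
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        rec = {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto}
        (dns if rec["port"] == 53 else conns).append(rec)
    return dns, conns


def triage_network(dns, conns):
    """Names looked up, connections, and connections the report ties to no name."""
    return {
        "queried": sorted({d["domain"] for d in dns if d["domain"]}),
        "connections": conns,
        "unresolved": [c for c in conns if not c["domain"]],
        "mdns": [c for c in conns if c["host"] == "224.0.0.251"],
    }
```

On the report's own data the "sample" bucket holds only the sandbox chain and the target file; everything in "unrelated" is either a launchd service (`xpcproxy` plus the service binary it started) or a command whose arguments point outside the sample, such as the OneDrive `pluginkit` and `spctl` lines, which is what to subtract before reading the verdict. Note that in behavioral3 and behavioral4 the target handed to `zsh -c` is a PDF and an RTF, so the only sample-attributable process in those runs never becomes a running program at all. The "unresolved" connections are those the report pairs with no hostname; on this page they are Microsoft and Apple ranges and the mDNS multicast address, not anything the sample can be shown to have initiated.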