Malware Analysis Report

2024-10-16 06:44

Sample ID 240619-ngpv7stenl
Target AudioSlicer-1.1.1.dmg
SHA256 c0ef4d9b1690943def00ce4c7bb2838ff08cfe0d3ff85d39ca1e4ddc97593d01
Tags
evasion pdf link
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

c0ef4d9b1690943def00ce4c7bb2838ff08cfe0d3ff85d39ca1e4ddc97593d01

Threat Level: Likely benign

The file AudioSlicer-1.1.1.dmg was found to be: Likely benign.

Malicious Activity Summary

evasion pdf link

Resource Forking

One or more HTTP URLs in PDF identified

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 11:22

Signatures

One or more HTTP URLs in PDF identified

pdf link

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 11:22

Reported

2024-06-19 11:23

Platform

macos-20240611-en

Max time kernel

44s

Max time network

51s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer]

/bin/zsh

[/bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer]

/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer

[/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/MacOS/AudioSlicer]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app]

Network

Country Destination Domain Proto
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.65.93:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 11:22

Reported

2024-06-19 11:23

Platform

macos-20240611-en

Max time kernel

56s

Max time network

61s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf N/A N/A
N/A /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf N/A N/A
N/A /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf N/A N/A
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A
N/A sh -c "sudo /bin/zsh -c \"/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf\"" N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf]

/bin/zsh

[/bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf]

/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf

[/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/AudioSlicer_User_Guide.pdf]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater66017B75/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

Network

Country Destination Domain Proto
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
GB 104.91.71.16:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 104.18.38.233:80 tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
NL 23.72.252.80:443 a1366.dscapi6.akamai.net tcp
GB 17.253.77.202:80 valid.apple.com tcp
US 8.8.8.8:53 gsp64-ssl.ls-apple.com.akadns.net udp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 e528863522ec78e22d41392c18c81054
SHA1 09689eb0fc8e0e2f2f6c1bae2c0fac7d24983f62
SHA256 d5beb39e6137d1fbe62dcfaa559174116c5400e3b2786f174ce21b33bcd2322c
SHA512 20a3298fe4b09e1c606c24807e40f15a4d8694b31796a0dd276b63586c4f56563e95fec1e121b85a288a2d8c270e8fafad4f2d66908af25202f05bf051b7ac26

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 11:22

Reported

2024-06-19 11:23

Platform

macos-20240611-en

Max time kernel

51s

Max time network

44s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A sh -c "sudo /bin/zsh -c \"/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf\"" N/A N/A
N/A sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf N/A N/A
N/A /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf N/A N/A
N/A /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf]

/bin/zsh

[/bin/zsh -c /Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf]

/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf

[/Users/run/AudioSlicer-1.1.1/AudioSlicer.app/Contents/Resources/English.lproj/Credits.rtf]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0B4C966A/OneDrive.app]

Network

Country Destination Domain Proto
US 151.101.195.6:443 tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 20.42.65.84:443 mobile.events.data.trafficmanager.net tcp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 151.101.195.6:443 h3.apis.apple.map.fastly.net tcp
US 151.101.131.6:443 h3.apis.apple.map.fastly.net tcp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 11:22

Reported

2024-06-19 11:23

Platform

macos-20240611-en

Max time kernel

39s

Max time network

52s

Command Line

[sh -c sudo /bin/zsh -c "open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app]

/bin/zsh

[/bin/zsh -c open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app]

/usr/bin/open

[open /Volumes/AudioSlicer-1.1.1/AudioSlicer.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.satellite.88DC986C-A3E8-4BC9-86F6-B0EEFB1E33EB 551]

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite

[/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite]

/usr/libexec/xpcproxy

[xpcproxy com.apple.bird]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextEdit.2092]

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit

[/System/Applications/TextEdit.app/Contents/MacOS/TextEdit]

/usr/libexec/xpcproxy

[xpcproxy com.apple.metadata.mdwrite]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

Network

Country Destination Domain Proto
US 52.182.143.213:443 tcp
GB 17.250.81.65:443 tcp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 itunes.apple.com udp
US 8.8.8.8:53 e6858.dscx.akamaiedge.net udp

Files

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 4d3efd632ec536e165b91e26b8fbde8a
SHA1 833a9b9e93b418474bfacce83dbc6b3355ef6075
SHA256 05205992906b7e74d921ef7e1643c83c861abf69adabb15d3699620fd456a630
SHA512 d5493e235e660bb83300e367498f6695370f0552c627e35a202529069d65354a591b7c47c2567b2149dca9fc5084e3655216b2dd585b598d12af4d6f22aaf2fc