Analysis Overview
SHA256: 8d9f4a8b68d142878192f3c7b81b1c0722b1cfda9cceeab9e4e758876ea39fff
Threat Level: Likely benign
The file 5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpeg was found to be: Likely benign.
Malicious Activity Summary
File Deletion
Launch Agent
JavaScript
Resource Forking
Launchctl
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 21:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 21:48
Reported: 2024-11-13 21:51
Platform: macos-20241101-en
Max time kernel: 126s
Max time network: 123s
Command Line
Signatures
File Deletion
Launch Agent
JavaScript
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd | N/A | N/A |
| N/A | /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | N/A | N/A |
| N/A | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck | N/A | N/A |
| N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /bin/launchctl load /Library/LaunchAgents/com.microsoft.update.agent.plist | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg]
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
[/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer]
/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
[/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged]
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
[/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd]
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]
/usr/libexec/pkreporter
[/usr/libexec/pkreporter]
/bin/zsh
[/bin/zsh -c /Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg]
/Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg
[/Users/run/5c998852ec3bbb7438f101a511c2c4ed52e51d90.jpg]
/usr/libexec/xpcproxy
[xpcproxy com.apple.iCal.CalendarNC 313]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ncplugin.weather 313]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ncplugin.stocks 313]
/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC
[/System/Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex/Contents/MacOS/com.apple.iCal.CalendarNC]
/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather
[/System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex/Contents/MacOS/com.apple.ncplugin.weather]
/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks
[/System/Library/CoreServices/StocksWidget.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex/Contents/MacOS/com.apple.ncplugin.stocks]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Terminal.2100]
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
[/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal]
/usr/bin/login
[login -pf run]
/bin/zsh
[-zsh]
/usr/libexec/path_helper
[/usr/libexec/path_helper -s]
/usr/bin/locale
[locale LC_CTYPE]
/usr/bin/sudo
[sudo]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nsurlstoraged]
/usr/libexec/nsurlstoraged
[/usr/libexec/nsurlstoraged --privileged]
/usr/bin/sudo
[sudo rm -rf]
/usr/bin/login
[login -pf run]
/bin/zsh
[-zsh]
/usr/libexec/path_helper
[/usr/libexec/path_helper -s]
/usr/bin/locale
[locale LC_CTYPE]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.ui.helper]
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.JarLauncher.2128]
/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
[/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher]
/usr/libexec/xpcproxy
[xpcproxy com.apple.metadata.mdwrite]
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -jar /Users/run/tmp/hello.jar]
/usr/libexec/xpcproxy
[xpcproxy com.apple.spindump]
/usr/sbin/spindump
[/usr/sbin/spindump]
/usr/libexec/xpcproxy
[xpcproxy com.apple.spindump_agent]
/usr/libexec/spindump_agent
[/usr/libexec/spindump_agent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.ui.helper]
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.xpc.launchd.oneshot.0x10000001.Microsoft Word]
/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
[/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word -psn_0_184365]
/usr/libexec/xpcproxy
[xpcproxy com.apple.XprotectFramework.AnalysisService 402]
/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
[/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.storeuid]
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid]
/usr/libexec/xpcproxy
[xpcproxy com.apple.storedownloadd]
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd]
/usr/libexec/xpcproxy
[xpcproxy com.microsoft.autoupdate.fba.2660]
/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant
[/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant]
/bin/launchctl
[/bin/launchctl list]
/usr/libexec/xpcproxy
[xpcproxy com.microsoft.autoupdate.helper]
/bin/launchctl
[/bin/launchctl load /Library/LaunchAgents/com.microsoft.update.agent.plist]
/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper
[/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper]
/usr/bin/codesign
[/usr/bin/codesign -v /Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.PackageKit.InstallStatus]
/usr/libexec/xpcproxy
[xpcproxy com.apple.warmd_agent]
/usr/libexec/warmd_agent
[/usr/libexec/warmd_agent]
/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress
[/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportMemoryException]
/usr/libexec/ReportMemoryException
[/usr/libexec/ReportMemoryException]
/usr/libexec/xpcproxy
[xpcproxy com.apple.coremedia.videodecoder 124]
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.rtcreportingd]
/usr/libexec/rtcreportingd
[/usr/libexec/rtcreportingd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sessionlogoutd]
/System/Library/CoreServices/sessionlogoutd
[/System/Library/CoreServices/sessionlogoutd]
/sbin/shutdown
[/sbin/shutdown -h now]
/bin/sh
[sh -c /usr/bin/wall -n]
/bin/bash
[sh -c /usr/bin/wall -n]
/usr/bin/wall
[/usr/bin/wall -n]
/System/Library/Extensions/IOGraphicsFamily.kext/iogdiagnose
[iogdiagnose -b /var/log/displaypolicy/iogdiagnose-last.bin]
/usr/sbin/spindump
[spindump -shutdownstall 2 -timelimit 5]
/bin/sh
[sh -c /usr/sbin/kextstat]
/bin/bash
[sh -c /usr/sbin/kextstat]
/usr/sbin/kextstat
[/usr/sbin/kextstat]
/bin/bash
[bash /private/var/install/shutdown_installer_tasks]
/bin/bash
[bash /private/var/install/deferred_install]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 50.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | apple-finance.query.yahoo.com | udp |
| IE | 87.248.100.168:443 | apple-finance.query.yahoo.com | tcp |
| IE | 87.248.100.168:443 | apple-finance.query.yahoo.com | tcp |
| IE | 87.248.100.168:443 | apple-finance.query.yahoo.com | tcp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | itunes.apple.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | ecs.office.com | udp |
| US | 52.113.194.132:443 | ecs.office.com | tcp |
| US | 8.8.8.8:53 | odc.officeapps.live.com | udp |
| IE | 52.109.76.144:443 | odc.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | messaging.engagement.office.com | udp |
| NL | 52.111.243.12:443 | messaging.engagement.office.com | tcp |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e6858.dscx.akamaiedge.net | udp |
| US | 8.8.8.8:53 | e673.dsce9.akamaiedge.net | udp |
Files
/dev/ttys000
/var/db/nsurlstoraged/dafsaData.bin
/Users/run/.zsh_history
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.microsoft.Word//mds/mdsObject.db
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.microsoft.Word//mds/mdsDirectory.db
/Users/run/Library/Group Containers/UBF8T346G9.Office/FontCache/4/PreviewFont/hier_officeFontsPreview_4_40.ttf
/Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/microsoft word_Rules.xml
/Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/Floodgate/Word.Settings.json
/Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/Floodgate/SurveyEventActivityStats.json
/Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/Floodgate/Word.CampaignStates.json
/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//spindump.txt