Analysis Overview
SHA256
de405e80d59503bf1ac724e65aea61f0c6849311338fa120c9a01354228d0ef9
Threat Level: Known bad
The file 32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.zip was found to be: Known bad.
Malicious Activity Summary
Remcos family
JavaScript
Resource Forking
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-11 19:25
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-11 19:25
Reported
2025-01-11 19:27
Platform
macos-20241106-en
Max time kernel
92s
Max time network
88s
Command Line
Signatures
JavaScript
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A |
| N/A | /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe]
/bin/zsh
[/bin/zsh -c /Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe]
/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
[/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.ui.helper]
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.JarLauncher.2128]
/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher
[/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher]
/usr/libexec/xpcproxy
[xpcproxy com.apple.metadata.mdwrite]
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -jar /Users/run/tmp/hello.jar]
/usr/libexec/xpcproxy
[xpcproxy com.apple.PerformanceAnalysis.animationperfd]
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.2028]
/Applications/Safari.app/Contents/MacOS/Safari
[/Applications/Safari.app/Contents/MacOS/Safari]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.History]
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.4709AF76-6CE6-46D2-A32A-F943EE928724 509]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.SafariLaunchAgent]
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.A26C9200-2E37-4DCA-A657-F832D7921F88 509]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.SearchHelper 509]
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.SafeBrowsing.Service]
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.41A69C53-F8C9-4037-AE24-0B730E1422DD 509]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.D74ABA28-78B1-4B07-8AAD-975396DCFEA3 509]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.B9F8B33D-D99B-440A-8791-2DE294B96F80 509]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.FF6D06C4-1C37-48A7-842C-7B2B0BD15ACF 509]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.speech.speechsynthesisd]
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.WebKit.WebContent.85573A37-B2FD-418B-A243-76AC95857100 509]
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | itunes.apple.com | udp |
| US | 8.8.8.8:53 | api-glb-aeun1b.smoot.apple.com | udp |
| SE | 16.16.163.191:443 | api-glb-aeun1b.smoot.apple.com | tcp |
| US | 8.8.8.8:53 | clients1.google.com | udp |
| GB | 142.250.187.238:443 | clients1.google.com | tcp |
| GB | 142.250.187.238:443 | clients1.google.com | tcp |
| US | 8.8.8.8:53 | cdn2.smoot.apple.com | udp |
| US | 8.8.8.8:53 | cdn.smoot.apple.com | udp |
| GB | 17.253.77.201:443 | cdn.smoot.apple.com | tcp |
| US | 8.8.8.8:53 | safebrowsing.googleapis.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.169.74:443 | safebrowsing.googleapis.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.238:443 | clients1.google.com | tcp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 8.8.8.8:53 | docrdsfx76ssb.cloudfront.net | udp |
| US | 8.8.8.8:53 | cdn.optimizely.com | udp |
| US | 8.8.8.8:53 | app-ab01.marketo.com | udp |
| US | 8.8.8.8:53 | bitly.com | udp |
| US | 8.8.8.8:53 | munchkin.marketo.net | udp |
| US | 8.8.8.8:53 | public.profitwell.com | udp |
| US | 8.8.8.8:53 | zippyfrog.co | udp |
| US | 67.199.248.11:80 | bit.ly | tcp |
| FR | 3.165.112.63:443 | docrdsfx76ssb.cloudfront.net | tcp |
| US | 104.18.66.57:443 | cdn.optimizely.com | tcp |
| US | 67.199.248.15:443 | bitly.com | tcp |
| DE | 88.221.60.75:443 | munchkin.marketo.net | tcp |
| US | 23.253.207.75:443 | zippyfrog.co | tcp |
| FR | 18.155.129.96:443 | public.profitwell.com | tcp |
| US | 104.16.96.80:443 | app-ab01.marketo.com | tcp |
| DE | 88.221.60.75:443 | munchkin.marketo.net | tcp |
| FR | 23.192.237.209:443 | www.bing.com | tcp |
| FR | 23.192.237.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| FR | 23.192.237.206:443 | r.bing.com | tcp |
| FR | 23.192.237.206:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 184.50.112.19:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.133:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | platform.bing.com | udp |
| US | 204.79.197.237:443 | www2.bing.com | tcp |
| US | 204.79.197.237:443 | www2.bing.com | tcp |
| FR | 23.192.237.206:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | e6858.dscx.akamaiedge.net | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| FR | 23.192.237.200:443 | th.bing.com | tcp |
| FR | 23.192.237.216:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | www.clarity.ms | udp |
| US | 13.107.246.64:443 | www.clarity.ms | tcp |
| US | 8.8.8.8:53 | c.clarity.ms | udp |
| IE | 13.74.129.1:443 | c.clarity.ms | tcp |
| US | 8.8.8.8:53 | u.clarity.ms | udp |
| US | 8.8.8.8:53 | c.bing.com | udp |
| US | 4.227.249.197:443 | u.clarity.ms | tcp |
| US | 13.107.21.237:443 | c.bing.com | tcp |
| US | 4.227.249.197:443 | u.clarity.ms | tcp |
| US | 8.8.8.8:53 | mylocation.org | udp |
| DE | 23.88.65.58:443 | mylocation.org | tcp |
| US | 8.8.8.8:53 | stats.monohost.com | udp |
| DE | 5.9.83.149:443 | stats.monohost.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.200.34:443 | googleads.g.doubleclick.net | tcp |
| DE | 5.9.83.149:443 | stats.monohost.com | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 142.250.178.14:443 | fundingchoicesmessages.google.com | tcp |
| GB | 142.250.178.14:443 | fundingchoicesmessages.google.com | tcp |
| DE | 23.88.65.58:443 | mylocation.org | tcp |
| US | 8.8.8.8:53 | ep1.adtrafficquality.google | udp |
| GB | 142.250.180.2:443 | ep1.adtrafficquality.google | tcp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| GB | 216.58.201.97:443 | ep2.adtrafficquality.google | tcp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.180.2:443 | ep1.adtrafficquality.google | tcp |
| GB | 142.250.187.238:443 | clients1.google.com | tcp |
| FR | 23.192.237.211:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | www.weather.com | udp |
| FR | 23.217.186.82:443 | www.weather.com | tcp |
| US | 8.8.8.8:53 | weather.com | udp |
| US | 8.8.8.8:53 | eum.instana.io | udp |
| US | 8.8.8.8:53 | cdn.privacy-mgmt.com | udp |
| US | 8.8.8.8:53 | cdn.confiant-integrations.net | udp |
| US | 8.8.8.8:53 | s.w-x.co | udp |
| US | 8.8.8.8:53 | assets.adobedtm.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | websdk.appsflyer.com | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| FR | 23.72.248.208:443 | eum.instana.io | tcp |
| FR | 18.245.199.15:443 | cdn.privacy-mgmt.com | tcp |
| US | 151.101.2.133:443 | s.w-x.co | tcp |
| US | 172.64.144.166:443 | cdn.confiant-integrations.net | tcp |
| GB | 184.26.57.29:443 | assets.adobedtm.com | tcp |
| BE | 142.251.173.84:443 | accounts.google.com | tcp |
| FR | 52.84.174.66:443 | websdk.appsflyer.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | s.go-mpulse.net | udp |
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression
| MD5 | 24e88ed9a00987c2ab4dd494588daee2 |
| SHA1 | c49fb5719365551cbb1d2f8b4b8107dab79c0713 |
| SHA256 | 399f71fd9592ea8935e3c84c36085c8fb791b6f6e02895bdb67d29abd269ca9d |
| SHA512 | 775832e29251e8b7786a0f416e2c565f1bd19cae376c9ae057552b4e2807d4a030d43e68abf2aaca3c5a5caf975a776ecdcd081f6c3a17239c58cb23766d0a20 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression
| MD5 | 16d2a210564cc2b113f58d6a639c0434 |
| SHA1 | a22072b91eaa391993583365a7e677be655a613d |
| SHA256 | d4c4fba396fd80ccf0dfd34861448f06e55d9985f6eb5c7fcf63ecd858f77187 |
| SHA512 | bece807f3141f2cf0f6658ef038ecb5b147c8716bec46067194d82feaaa38d63c99b484cb2666335f803ab1038f52d19a377aabc94df64b95c45bfd0505cb543 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression
| MD5 | 400263614b7258f72cc2ec563f74f7e5 |
| SHA1 | e3fa8f2548390a8f246ccb58034407f5ffbd4c42 |
| SHA256 | 1bcb6074c146ae79247045a89bedb0e15b3feb02ddd308a83564ddea6a091d96 |
| SHA512 | b8319f525d238d7c78e9ddf609329622f691bb652b57159285b3eaeae3cd9c21b191650c5bfa6d9f4cb1794cf6f26ce152f78b93f0631718082bfb24100e699d |
/Users/run/Library/Safari/Favicon Cache/favicons/6950D9EFC03B8A4F37B6F5FB7B694716
| MD5 | 0b038a7a7498d6c62f4256cd5ea649f6 |
| SHA1 | efdbd7999d20108c44de32a661eb504b9d6cfdf1 |
| SHA256 | 1013ffd709cd7e1922ad2b1058d65efc9bcbd603e327aa7ea7cdb512b253768f |
| SHA512 | 9ddc9527752d8fe1ed06345e96f7e346f78ae4870a2d760212d59676b964bf30faf491fde7517ec6e69a9e76fde58ea1a58948051a8b88f845ab355dc7657126 |
/Users/run/Library/Safari/Favicon Cache/favicons/C24061FC89C3E7772447F7E5E42C765E
| MD5 | 9c06c9ce51e994786a3d6e5f6a754aec |
| SHA1 | ae0ab8050b676a9f8ea905582f547538a866c50e |
| SHA256 | 3be07b8d96589e989f9a7aa18f08d9add4936a25c6aab9b4b5c9d7e8e951e1d1 |
| SHA512 | 1569dc06acb5afe1a076c5276674f0c088f61b248c7912bb9a282db56a81fa3d6a956c3230b85e2c1d6e5c14c1c3f9cc0fd94d92aee74a0405563b8eeeea1b3c |