diff --git a/ANALYSIS.md b/ANALYSIS.md
index 51fac38..15e3adf 100644
--- a/ANALYSIS.md
+++ b/ANALYSIS.md
@@ -164,12 +164,12 @@ coruna-main/
 ├── utility_module.js # Crypto helpers, Int64, LZW
 ├── Stage3_VariantB.js # Sandbox escape + MachOPayloadBuilder
 ├── other/
-│ └── bootstrap.dylib # Extracted dylib with ChaCha20 + LZMA
 ├── downloaded/ # 17 files fetched from C2 server
 │ └── .min.js # Raw encrypted payloads
 ├── extracted/ # Base64-decoded qbrdr payloads (from repo JS files)
 │ └── .bin
 └── payload/ # All 19 decrypted + decompressed F00DBEEF containers
+ ├── bootstrap.dylib # Bootstrap dylib to validate and load other dylibs
 ├── 7a7d...payload # Decrypted manifest (F00DBEEF with 19 download entries)
 ├── .bin # F00DBEEF container
 └── / # Extracted entries per container