Edit tour

macOS Analysis Report
palera1n-macos-arm64

Overview

General Information

Sample Name:	palera1n-macos-arm64
Analysis ID:	1335881
MD5:	0ae3f4d1ea920ae68d9dde33afed3d96
SHA1:	9ea6b47044857ab4a15baa85fa33cd25bef165ef
SHA256:	55101f72fe65d0d7707ed4b1b8340ad2e7bedf061cd46feff05361308422e02b
Infos:

Errors No process behavior to analyse as no analysis process or sample was found

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Mach-O contains sections with high entropy indicating compressed/encrypted content

Contains symbols with suspicious names likely related to networking

Classification

Analysis Advice

Exit code suggests that the sample could not be started, try to look at standard streams or writes to anonymous pipes for possible reason.

Mach-O sample file can only execute on ARM64 Apple Silicon.

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1335881
Start date and time:	2023-11-02 09:36:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.13
CPU architecture:	x86_64
Analysis Mode:	default
Sample file name:	palera1n-macos-arm64
Detection:	MAL
Classification:	mal48.mac@0/0@0/0

Errors

No process behavior to analyse as no analysis process or sample was found

Warnings

Excluded IPs from analysis (whitelisted): 17.253.13.204, 17.253.13.201, 23.213.225.112, 17.253.13.205, 17.253.13.207, 17.253.13.206
Excluded domains from analysis (whitelisted): cds-cdn.v.aaplimg.com, e11408.d.akamaiedge.net, cds.apple.com.akadns.net, ocsp-a.g.aaplimg.com, cds.apple.com, help-ar.apple.com.edgekey.net, valid.apple.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, ocsp-lb.apple.com.akadns.net, ocsp.apple.com, valid.origin-apple.com.akadns.net, help.origin-apple.com.akadns.net, valid-apple.g.aaplimg.com, help.apple.com, world-gen.g.aaplimg.com

Runtime Messages

Command:	/Users/berri/Desktop/palera1n-macos-arm64
PID:	897
Exit Code:	255
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: palera1n-macos-arm64

Virustotal: Detection: 8%

Perma Link

Source: submission: palera1n-macos-arm64	Mach-O symbol: _send
Source: submission: palera1n-macos-arm64	Mach-O symbol: _setsockopt
Source: submission: palera1n-macos-arm64	Mach-O symbol: _connect
Source: submission: palera1n-macos-arm64	Mach-O symbol: _socket
Source: submission: palera1n-macos-arm64	Mach-O symbol: _getsockopt
Source: submission: palera1n-macos-arm64	Mach-O symbol: _kIOMasterPortDefault
Source: submission: palera1n-macos-arm64	Mach-O symbol: _IONotificationPortGetRunLoopSource
Source: submission: palera1n-macos-arm64	Mach-O symbol: _IONotificationPortCreate

Source: palera1n-macos-arm64	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: palera1n-macos-arm64	String found in binary or memory: https://checkra.in
Source: palera1n-macos-arm64	String found in binary or memory: https://checkra.in#====
Source: palera1n-macos-arm64	String found in binary or memory: https://checkra.infirmware-versionBooted
Source: palera1n-macos-arm64	String found in binary or memory: https://ellekit.space/
Source: palera1n-macos-arm64	String found in binary or memory: https://repo.palera.in/
Source: palera1n-macos-arm64	String found in binary or memory: https://strap.palera.in/

Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.13.202
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.32.198
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.13.202
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.32.198

Source: classification engine

Classification label: mal48.mac@0/0@0/0

Source: submission

Mach-O header: Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>

Source: submission: palera1n-macos-arm64

Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Source: submission

CodeSign Info: Executable=/Users/berri/Desktop/palera1n-macos-arm64

Source: palera1n-macos-arm64

Submission file: section __data with 7.2381 entropy (max. 8.0)

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Invalid Code Signature	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Code Signing	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
palera1n-macos-arm64	8%	Virustotal		Browse
palera1n-macos-arm64	8%	ReversingLabs	MacOS.PUA.Jailbreak

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://checkra.in	palera1n-macos-arm64	false	unknown
https://checkra.in#====	palera1n-macos-arm64	false	unknown
https://repo.palera.in/	palera1n-macos-arm64	false	unknown
https://strap.palera.in/	palera1n-macos-arm64	false	unknown
https://ellekit.space/	palera1n-macos-arm64	false	unknown
https://checkra.infirmware-versionBooted	palera1n-macos-arm64	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.45.32.198	unknown	United States		16625	AKAMAI-ASUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	skid.x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	96.7.64.170
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Vidar, zgRAT	Browse	23.36.118.84
	file.exe	Get hash	malicious	Amadey, Glupteba, SmokeLoader	Browse	2.17.5.164
	tW89v9x9F4.elf	Get hash	malicious	Mirai	Browse	104.92.20.179
	https://t.ly/mV-Qq#M=SmFuLVBldGVyLkhlaXNlQG5vcnRvbnJvc2VmdWxicmlnaHQuY29t	Get hash	malicious	HTMLPhisher	Browse	104.106.162.18
	https://acrobat.adobe.com/id/urn:aaid:sc:US:b1c915de-7158-4dd9-aa63-db461c226178	Get hash	malicious	HTMLPhisher	Browse	23.212.249.86
	file.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT	Browse	23.50.124.114
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Mirai	Browse	184.50.149.118
	eOIFF58KfU.elf	Get hash	malicious	Unknown	Browse	104.76.15.38
	https://indd.adobe.com/view/73bb3547-7519-45db-b904-9b659611f483	Get hash	malicious	HTMLPhisher	Browse	23.52.160.23
	file.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT	Browse	23.55.204.114
	file.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	23.50.124.114
	file.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT	Browse	23.55.204.114
	sDZf1h3xl6.elf	Get hash	malicious	Mirai	Browse	23.65.239.76
	ePqNFTeLyU.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse	23.50.124.114
	24zU4pepXX.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	23.220.124.106
	BL.xls	Get hash	malicious	Unknown	Browse	23.50.124.134
	file.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	23.50.124.114
	7CS0Vo57.exe	Get hash	malicious	Babadeda	Browse	23.50.124.114
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Vidar	Browse	23.40.18.82

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Entropy (8bit):	7.197670595515602
TrID:	Mac OS X Mach-O 64-bit ARM executable (little-endian) (4008/2) 50.02% Mac OS X Mach-O 64-bit executable (little-endian) (4004/1) 49.98%
File name:	palera1n-macos-arm64
File size:	4'890'544 bytes
MD5:	0ae3f4d1ea920ae68d9dde33afed3d96
SHA1:	9ea6b47044857ab4a15baa85fa33cd25bef165ef
SHA256:	55101f72fe65d0d7707ed4b1b8340ad2e7bedf061cd46feff05361308422e02b
SHA512:	9cc612ae9347ea5b4d080a95f4176c7e4b08fa43119660e4f4ce68193a99579fa36f570a57a3c289e4c7561bfc91b2b6ced2e97fdb14a5c38c18c4591eab0a10
SSDEEP:	98304:Ng6mTdfylkLXLjy+Iq6+pCF5s2Pd+CifyBFmSx:u3dfylkmw6+y5s2F+vK
TLSH:	05360291EE1C2D11D2C2E1BEC9054B90523FF4B18766C3A97561A23DEECA7E0317A763
File Content Preview:	.......................... .........H...__PAGEZERO..........................................................x...__TEXT...................@...............@......................__text..........__TEXT..........45..............45.............................

CodeSign Information

[
    "Executable=/Users/berri/Desktop/palera1n-macos-arm64",
    "Identifier=palera1n-macosx-arm64",
    "Format=Mach-O thin (arm64)",
    "CodeDirectory v=20400 size=37902 flags=0x0(none) hashes=1179+2 location=embedded",
    "Hash type=sha256 size=32",
    "CandidateCDHash sha1=0d9c7e67a13cf0d493cd8ac8c44649b755b73025",
    "CandidateCDHash sha256=d402f1fe583a994e53e6470004257d463bb4fde1",
    "Hash choices=sha1,sha256",
    "Executable Segment base=0",
    "Executable Segment limit=475136",
    "Executable Segment flags=0x1",
    "Page size=4096",
    "CDHash=d402f1fe583a994e53e6470004257d463bb4fde1",
    "/Users/berri/Desktop/palera1n-macos-arm64: no signature",
    "Info.plist=not bound",
    "TeamIdentifier=not set",
    "Sealed Resources=none",
    "Internal requirements count=1 size=140"
]

Static Mach Info

General Information for header 1
Endian:	little-endian
Size:	64-bit
Architecture:	arm64
Filetype:	execute
Nbr. of load commands:	19
Entry point:	0x353C

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x74000

fileoff

0x0

filesize

0x74000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100003534	0x5CCEC	0x3534	6.7803	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x100060220	0x69C	0x60220	4.0152	0x2	0x0	0	0x80000408
__stub_helper	__TEXT	0x1000608BC	0x6B4	0x608BC	4.1961	0x2	0x0	0	0x80000400
__const	__TEXT	0x100060F70	0x8600	0x60F70	2.3741	0x4	0x0	0	0x0
__cstring	__TEXT	0x100069570	0xA40D	0x69570	5.6399	0x0	0x0	0	0x2
__ustring	__TEXT	0x10007397E	0x1E	0x7397E	3.3559	0x1	0x0	0	0x0
__unwind_info	__TEXT	0x10007399C	0x658	0x7399C	5.7993	0x2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100074000

vmsize

0xC000

fileoff

0x74000

filesize

0xC000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100074000	0x80	0x74000	-0.0000	0x3	0x0	0	0x6
__mod_init_func	__DATA_CONST	0x100074080	0x30	0x74080	2.3752	0x3	0x0	0	0x9
__const	__DATA_CONST	0x1000740B0	0x8580	0x740B0	2.3741	0x3	0x0	0	0x0
__cfstring	__DATA_CONST	0x10007C630	0xE0	0x7C630	1.5927	0x3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100080000

vmsize

0x418000

fileoff

0x80000

filesize

0x418000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x100080000	0x468	0x80000	3.0757	0x3	0x0	0	0x7
__data	__DATA	0x100080468	0x414B58	0x80468	7.2381	0x3	0x0	0	0x0
__bss	__DATA	0x100494FC0	0x730	0x0	0.0000	0x4	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x100498000
vmsize	0x14000
fileoff	0x498000
filesize	0x11FB0
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	4816896
rebase_size	1800
bind_off	4818696
bind_size	400
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	4819096
lazy_bind_size	2800
export_off	4821896
export_size	48

symtab_command aggregated: 1

Name	Value
symoff	4822800
nsyms	159
stroff	4826536
strsize	2176

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	1
iundefsym	2
nundefsym	157
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	4825344
nindirectsyms	298
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'9\xe7UQ\xfe\xc95\xfd\x80\xa8;\xdd\x1c\xa3\xfe\x03'

build_version_command aggregated: 1

Name

Value

platform

minos

720896

sdk

852224

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	13628
stacksize	0

dylib_command aggregated: 3

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1319.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1953.255.0

compatibility_version

150.0.0

Datas

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

275.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

linkedit_data_command aggregated: 3

Name	Value
dataoff	4821944
datasize	856

Name	Value
dataoff	4822800
datasize	0

Name	Value
dataoff	4828720
datasize	61824

Internal Symbols

_CFDictionaryCreate

_CFDictionarySetValue

_CFNumberCreate

_CFNumberGetValue

_CFRelease

_CFRetain

_CFRunLoopAddSource

_CFRunLoopGetCurrent

_CFRunLoopRun

_CFRunLoopStop

_CFStringCreateWithFormat

_CFStringFind

_CFStringGetCString

_CFUUIDGetConstantUUIDWithBytes

_CFUUIDGetUUIDBytes

_IOCreatePlugInInterfaceForService

_IODestroyPlugInInterface

_IOIteratorNext

_IONotificationPortCreate

_IONotificationPortGetRunLoopSource

_IOObjectRelease

_IORegistryEntryCreateCFProperty

_IORegistryEntryGetRegistryEntryID

_IOServiceAddMatchingNotification

_IOServiceGetMatchingServices

_IOServiceMatching

__DefaultRuneLocale

__NSGetExecutablePath

___CFConstantStringClassReference

___assert_rtn

___chkstk_darwin

___cxa_atexit

___darwin_check_fd_set_overflow

___error

___exp10

___memcpy_chk

___memset_chk

___sprintf_chk

___stack_chk_fail

___stack_chk_guard

___stderrp

___stdoutp

___strncat_chk

___strncpy_chk

___udivti3

__mh_execute_header

_access

_asprintf

_atof

_bzero

_calloc

_chmod

_close

_connect

_environ

_exit

_fclose

_fcntl

_fflush

_fopen

_fprintf

_fputc

_fread

_free

_freeaddrinfo

_freeifaddrs

_fstat

_fwrite

_gai_strerror

_getaddrinfo

_getchar

_getenv

_getifaddrs

_getopt_long

_getprogname

_getsockopt

_gmtime

_gmtime_r

_inet_ntop

_kCFAllocatorDefault

_kCFAllocatorSystemDefault

_kCFRunLoopDefaultMode

_kCFTypeDictionaryKeyCallBacks

_kCFTypeDictionaryValueCallBacks

_kIOMasterPortDefault

_localtime

_mach_error_string

_malloc

_memchr

_memcmp

_memcpy

_memmove

_memset

_mkstemp

_mmap

_munmap

_open

_optarg

_optind

_perror

_posix_spawn

_printf

_pthread_cancel

_pthread_cond_destroy

_pthread_cond_init

_pthread_cond_signal

_pthread_cond_wait

_pthread_create

_pthread_exit

_pthread_join

_pthread_kill

_pthread_mutex_destroy

_pthread_mutex_init

_pthread_mutex_lock

_pthread_mutex_unlock

_pthread_once

_pthread_self

_putchar

_puts

_rand

_realloc

_recv

_select

_send

_setbuf

_setenv

_setsockopt

_shutdown

_sleep

_snprintf

_socket

_srand

_sscanf

_stat

_stpncpy

_strcasecmp

_strchr

_strcmp

_strcpy

_strdup

_strerror

_strftime

_strlen

_strncmp

_strncpy

_strndup

_strptime

_strrchr

_strstr

_strtol

_strtoull

_time

_unlink

_vasprintf

_vprintf

_waitpid

_write

dyld_stub_binder

radr://5614542

External Symbols

_CFDictionaryCreate

_CFDictionarySetValue

_CFNumberCreate

_CFNumberGetValue

_CFRelease

_CFRetain

_CFRunLoopAddSource

_CFRunLoopGetCurrent

_CFRunLoopRun

_CFRunLoopStop

_CFStringCreateWithFormat

_CFStringFind

_CFStringGetCString

_CFUUIDGetConstantUUIDWithBytes

_CFUUIDGetUUIDBytes

_IOCreatePlugInInterfaceForService

_IODestroyPlugInInterface

_IOIteratorNext

_IONotificationPortCreate

_IONotificationPortGetRunLoopSource

_IOObjectRelease

_IORegistryEntryCreateCFProperty

_IORegistryEntryGetRegistryEntryID

_IOServiceAddMatchingNotification

_IOServiceGetMatchingServices

_IOServiceMatching

__NSGetExecutablePath

___assert_rtn

___cxa_atexit

___darwin_check_fd_set_overflow

___error

___exp10

___memcpy_chk

___memset_chk

___sprintf_chk

___stack_chk_fail

___strncat_chk

___strncpy_chk

___udivti3

_access

_asprintf

_atof

_bzero

_calloc

_chmod

_close

_connect

_exit

_fclose

_fcntl

_fflush

_fopen

_fprintf

_fputc

_fread

_free

_freeaddrinfo

_freeifaddrs

_fstat

_fwrite

_gai_strerror

_getaddrinfo

_getchar

_getenv

_getifaddrs

_getopt_long

_getprogname

_getsockopt

_gmtime

_gmtime_r

_inet_ntop

_localtime

_mach_error_string

_malloc

_memchr

_memcmp

_memcpy

_memmove

_memset

_mkstemp

_mmap

_munmap

_open

_perror

_posix_spawn

_printf

_pthread_cancel

_pthread_cond_destroy

_pthread_cond_init

_pthread_cond_signal

_pthread_cond_wait

_pthread_create

_pthread_exit

_pthread_join

_pthread_kill

_pthread_mutex_destroy

_pthread_mutex_init

_pthread_mutex_lock

_pthread_mutex_unlock

_pthread_once

_pthread_self

_putchar

_puts

_rand

_realloc

_recv

_select

_send

_setbuf

_setenv

_setsockopt

_shutdown

_sleep

_snprintf

_socket

_srand

_sscanf

_stat

_stpncpy

_strcasecmp

_strchr

_strcmp

_strcpy

_strdup

_strerror

_strftime

_strlen

_strncmp

_strncpy

_strndup

_strptime

_strrchr

_strstr

_strtol

_strtoull

_time

_unlink

_vasprintf

_vprintf

_waitpid

_write

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2023 09:37:35.652091980 CET	49375	80	192.168.11.11	17.253.13.202
Nov 2, 2023 09:37:35.652333975 CET	49376	80	192.168.11.11	23.45.32.198
Nov 2, 2023 09:37:35.781440020 CET	80	49375	17.253.13.202	192.168.11.11
Nov 2, 2023 09:37:35.783050060 CET	49375	80	192.168.11.11	17.253.13.202
Nov 2, 2023 09:37:35.797913074 CET	80	49376	23.45.32.198	192.168.11.11
Nov 2, 2023 09:37:35.799566031 CET	49376	80	192.168.11.11	23.45.32.198

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2023 09:37:32.608099937 CET	53	50393	1.1.1.1	192.168.11.11

Description:	Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report palera1n-macos-arm64

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Errors

Warnings

Runtime Messages

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

CodeSign Information

Static Mach Info

General Information for header 1

Internal Symbols

External Symbols

Network Behavior

TCP Packets

UDP Packets

System Behavior

macOS Analysis Report
palera1n-macos-arm64