Spyware
XBinder XLoader C2/Generic-A
Created on 2021-12-09T14:20:00
sample.jar
Remarks (2/3)
(0x02000051): The maximum number of 1000 connections has been exceeded. Further connections were not analyzed.
(0x0200000E): The overall sleep time of all monitored processes was truncated from "6 days, 3 hours, 24 minutes, 17 seconds" to "3 minutes, 6 seconds" to reveal dormant functionality.
(0x0200004A): 4 dumps were skipped because they exceeded the maximum dump size of 16 MB. The largest one was 20 MB.
This list contains only the embedded files, downloaded files, and dropped files.
File Name | Category | Type | Verdict |
---|---|---|---|
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
XBinder | Packer used to distribute malware | - | 5/5 |

Verdict | malicious |
Arch Type | CPU_TYPE_X86_64 |
Arch Subtype | CPU_SUBTYPE_X86_64_ALL |
Type | Executable |
Flags | MH_NOUNDEFS, MH_DYLDLINK, MH_TWOLEVEL |
UUID | 05c5adec-b5fd-39f2-b84e-0a594460a97a |
Entry Point | 0x10001df00 |
Virtual Address | 0x0 |
Virtual Size | 0x100000000 |
Raw Data Offset | 0x0 |
Raw Data Size | 0x0 |
Initial Protection | - |
Maximum Protection | - |
Flags | - |
Entropy | 0.0 |
Virtual Address | 0x100000000 |
Virtual Size | 0x1e000 |
Raw Data Offset | 0x0 |
Raw Data Size | 0x1e000 |
Initial Protection | VM_PROT_READ, VM_PROT_EXECUTE |
Maximum Protection | VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE |
Flags | - |
Entropy | 7.1 |
Name | Type | Virtual Address | Raw Data Offset | Size | Attributes |
---|---|---|---|---|---|
__text | S_REGULAR | 0x100000700 | 0x700 | 0x1d83e | S_ATTR_PURE_INSTRUCTIONS, S_ATTR_SOME_INSTRUCTIONS |
__stubs | S_SYMBOL_STUBS | 0x10001df3e | 0x1df3e | 0x6 | S_ATTR_PURE_INSTRUCTIONS, S_ATTR_SOME_INSTRUCTIONS |
__stub_helper | S_REGULAR | 0x10001df44 | 0x1df44 | 0x1a | S_ATTR_PURE_INSTRUCTIONS, S_ATTR_SOME_INSTRUCTIONS |
__const | S_REGULAR | 0x10001df60 | 0x1df60 | 0x40 | - |
__unwind_info | S_REGULAR | 0x10001dfa0 | 0x1dfa0 | 0x48 | - |
Virtual Address | 0x10001e000 |
Virtual Size | 0x1000 |
Raw Data Offset | 0x1e000 |
Raw Data Size | 0x1000 |
Initial Protection | VM_PROT_READ, VM_PROT_WRITE |
Maximum Protection | VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE |
Flags | - |
Entropy | 0.01 |
Name | Type | Virtual Address | Raw Data Offset | Size | Attributes |
---|---|---|---|---|---|
__nl_symbol_ptr | S_NON_LAZY_SYMBOL_POINTERS | 0x10001e000 | 0x1e000 | 0x10 | - |
__la_symbol_ptr | S_LAZY_SYMBOL_POINTERS | 0x10001e010 | 0x1e010 | 0x8 | - |
Virtual Address | 0x10001f000 |
Virtual Size | 0x340 |
Raw Data Offset | 0x1f000 |
Raw Data Size | 0x340 |
Initial Protection | VM_PROT_READ |
Maximum Protection | VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE |
Flags | - |
Entropy | 3.84 |
Name | Version | Compatibility Version |
---|---|---|
/usr/lib/libSystem.B.dylib | 169.3.0 | 1.0.0 |
bind_off | 126976 |
bind_size | 24 |
export_off | 127016 |
export_size | 336 |
lazy_bind_off | 127000 |
lazy_bind_size | 16 |
rebase_off | 0 |
rebase_size | 0 |
weak_bind_off | 0 |
weak_bind_size | 0 |
nsyms | 4 |
stroff | 127736 |
strsize | 72 |
symoff | 127656 |
extrefsymoff | 0 |
extreloff | 0 |
iextdefsym | 1 |
ilocalsym | 0 |
indirectsymoff | 127720 |
iundefsym | 2 |
locreloff | 0 |
modtaboff | 0 |
nextdefsym | 1 |
nextrefsyms | 0 |
nextrel | 0 |
nindirectsyms | 4 |
nlocalsym | 1 |
nlocrel | 0 |
nmodtab | 0 |
ntoc | 0 |
nundefsym | 2 |
tocoff | 0 |
name | /usr/lib/dyld |
uuid | 05c5adec-b5fd-39f2-b84e-0a594460a97a |
sdk | 10.8.0 |
version | 10.6.0 |
cs | 0x0000000000000000 |
fs | 0x0000000000000000 |
gs | 0x0000000000000000 |
r10 | 0x0000000000000000 |
r11 | 0x0000000000000000 |
r12 | 0x0000000000000000 |
r13 | 0x0000000000000000 |
r14 | 0x0000000000000000 |
r15 | 0x0000000000000000 |
r8 | 0x0000000000000000 |
r9 | 0x0000000000000000 |
rax | 0x0000000000000000 |
rbp | 0x0000000000000000 |
rbx | 0x0000000000000000 |
rcx | 0x0000000000000000 |
rdi | 0x0000000000000000 |
rdx | 0x0000000000000000 |
rflags | 0x0000000000000000 |
rip | 0x000000010001DF00 |
rsi | 0x0000000000000000 |
rsp | 0x0000000000000000 |
dataoff | 127352 |
datasize | 304 |
dataoff | 127656 |
datasize | 0 |
Name | Process ID | Start VA | End VA | Dump Reason | Mach-O Rebuild | Bitness | Entry Point | YARA |
---|---|---|---|---|---|---|---|---|
hgl2uhxq | 3 | 0x100000000 | 0x10001FFFF | Relevant Image | | 64-bit | 0x100001000 | |
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
XLoader_MacOS | XLoader MacOS | Spyware | 5/5 |
/Users/lxfjnlar/m2rKEl2wJZ.txt | Dropped File | Text | clean (Known to be clean.) |
/Users/lxfjnlar/.rH6PLhr8yR/Bdch.app/Contents/Info.plist | Dropped File | Text | clean |