Edit tour

macOS Analysis Report
locker

Overview

General Information

Sample Name:	locker
Analysis ID:	3293996
MD5:	abf01633960dd77c6137175a21fccf34
SHA1:	2d15286d25f0e0938823dcd742bc928e78199b3d
SHA256:	3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79
Infos:

Detection

LockBit ransomware

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected LockBit ransomware

Likely encrypts files before changing their extension which is indicative for ransomware

Found potential ransomware demand text

Contains symbols with suspicious names likely related to ransomware

Found Tor onion address

Contains symbols with suspicious names likely related to ransomware targeting virtualization

Tries to kill the VMware ESXi syslog daemon (likely for hiding)

Contains symbols with suspicious names likely related to encryption

Contains symbols with suspicious names likely related to virtualization

Yara signature match

Sample is code signed by an ad-hoc signature

Executes the "grep" command used to find patterns in files or piped streams

Writes files to the user's download directory

Executes commands using a shell command-line interpreter

Executes the "ps" command used to list the status of processes

Contains symbols with suspicious names likely related to anti-analysis

Classification

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	3293996
Start date and time:	2023-08-16 09:48:28 +02:00
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 3m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	macOS - Ventura.jbs
Analysis system description:	Mac Mini, Apple Silicon ARM64, Ventura
macOS major version:	13
CPU architecture:	arm64
Analysis Mode:	default
Sample file name:	locker
Detection:	MAL
Classification:	mal72.rans.evad.mac@0/3@0/0

Warnings

Excluded IPs from analysis (whitelisted): 23.32.238.66, 23.32.238.50
Excluded domains from analysis (whitelisted): 1-courier.sandbox.push.apple.com, lb._dns-sd._udp.0.0.168.192.in-addr.arpa, 56.0.168.192.in-addr.arpa, weather-data.apple.com.akamaized.net, weather-data.apple.com, stocks-data-service.apple.com, a1091.dscw154.akamai.net, weather-data.apple.com.akadns.net, stocks-data-service.lb-apple.com.akadns.net, stocks-data-service.apple.com.edgesuite.net, api.smoot.apple.com, bag-smoot.v.aaplimg.com

Runtime Messages

Command:	/Users/rodrigo/Desktop/locker -f -p test -i /Users/rodrigo/Downloads/myfiles
PID:	1322
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is mac-arm-ventura

mono-sgen64 New Fork (PID: 1322, Parent: 1257)

locker (MD5: abf01633960dd77c6137175a21fccf34) Arguments: /Users/rodrigo/Desktop/locker -f -p test -i /Users/rodrigo/Downloads/myfiles

locker New Fork (PID: 1323, Parent: 1322)

locker New Fork (PID: 1324, Parent: 1323)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c pciconf -lv

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c pciconf -lv

locker New Fork (PID: 1325, Parent: 1323)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c esxcfg-scsidevs -l | egrep -i 'display name|vendor'

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c esxcfg-scsidevs -l | egrep -i 'display name|vendor'

bash New Fork (PID: 1326, Parent: 1325)

bash New Fork (PID: 1327, Parent: 1325)

egrep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: egrep -i display name|vendor

locker New Fork (PID: 1329, Parent: 1323)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c ps -ef | grep 'vmsyslogd' | grep -v grep | awk '{print $2}' | xargs -r kill -9

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c ps -ef | grep 'vmsyslogd' | grep -v grep | awk '{print $2}' | xargs -r kill -9

bash New Fork (PID: 1330, Parent: 1329)

ps (MD5: c69d135ec952c1e7e71a6661d7f2c668) Arguments: ps -ef

bash New Fork (PID: 1331, Parent: 1329)

egrep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: grep vmsyslogd

bash New Fork (PID: 1332, Parent: 1329)

grep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: grep -v grep

bash New Fork (PID: 1333, Parent: 1329)

awk (MD5: 97896adae88543b8cb6b90100baf16fb) Arguments: awk {print $2}

bash New Fork (PID: 1334, Parent: 1329)

xargs (MD5: dc3e49e00351048640a9116224da6c69) Arguments: xargs -r kill -9

locker New Fork (PID: 1338, Parent: 1323)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c ps -ef | grep 'zsxdcxz' | grep -v grep | awk '{print $2}' | xargs -r kill -9

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c ps -ef | grep 'zsxdcxz' | grep -v grep | awk '{print $2}' | xargs -r kill -9

bash New Fork (PID: 1339, Parent: 1338)

ps (MD5: c69d135ec952c1e7e71a6661d7f2c668) Arguments: ps -ef

bash New Fork (PID: 1340, Parent: 1338)

grep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: grep zsxdcxz

bash New Fork (PID: 1341, Parent: 1338)

grep (MD5: 6f66c1fde5ed2bf315b619fec82808e7) Arguments: grep -v grep

bash New Fork (PID: 1342, Parent: 1338)

awk (MD5: 97896adae88543b8cb6b90100baf16fb) Arguments: awk {print $2}

bash New Fork (PID: 1343, Parent: 1338)

xargs (MD5: dc3e49e00351048640a9116224da6c69) Arguments: xargs -r kill -9

locker New Fork (PID: 1345, Parent: 1323)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles

bash New Fork (PID: 1346, Parent: 1345)

wordexp-helper (MD5: fe300e6642f4527972a259fc8f350927) Arguments: /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles

locker New Fork (PID: 1348, Parent: 1323)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper

bash New Fork (PID: 1349, Parent: 1348)

wordexp-helper (MD5: fe300e6642f4527972a259fc8f350927) Arguments: /usr/lib/system/wordexp-helper

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
locker	MAL_RANSOM_LNX_macOS_LockBit_Apr23_1	Detects LockBit ransomware samples for Linux and macOS	Florian Roth	0x4ddcf:$x1: restore-my-files.txt 0x4dd90:$s1: ntuser.dat.log 0x4dd9f:$s2: bootsect.bak 0x4ddac:$s3: autorun.inf 0x62f64:$s4: lockbit 0x4dc92:$xc1: 33 38 36 00 63 6D 64 00 61 6E 69 00 61 64 76 00 6D 73 69 00 6D 73 70 00 63 6F 6D 00 6E 6C 73 0x4dd8a:$xc2: 6E 74 6C 64 72 00 6E 74 75 73 65 72 2E 64 61 74 2E 6C 6F 67 00 62 6F 6F 74 73 65 63 74 2E 62 61 6B 0x4dc52:$xc3: 76 6D 2E 73 74 61 74 73 2E 76 6D 2E 76 5F 66 72 65 65 5F 63 6F 75 6E 74 00 61 2B 00 2F 2A
locker	MAL_RANSOM_LockBit_Apr23_1	Detects indicators found in LockBit ransomware	Florian Roth	0x543ef:$xe1: \x14P\x19\x1E\x16IXMQ\x16MV\x16ZK@IM\x1E 0x5498f:$xe2: QMMI\x03\x16\x16UVZR[PM 0x549d5:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54a1b:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54a61:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54aa7:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54aed:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54b33:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54b79:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54bbf:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54c20:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54c69:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54cb2:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54cfb:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54d44:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54d8d:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54dd6:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54e1f:$xe2: QMMI\x03\x16\x16UVZR[PM 0x54e68:$xe2: QMMI\x03\x16\x16UVZR[PM 0x55558:$xe2: QMMI\x03\x16\x16UVZR[PM 0x5559e:$xe2: QMMI\x03\x16\x16UVZR[PM
locker	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!	MAL_RANSOM_LockBit_Apr23_1	Detects indicators found in LockBit ransomware	Florian Roth	0x1b5:$xe2: http://lockbit 0x1fb:$xe2: http://lockbit 0x241:$xe2: http://lockbit 0x287:$xe2: http://lockbit 0x2cd:$xe2: http://lockbit 0x313:$xe2: http://lockbit 0x359:$xe2: http://lockbit 0x39f:$xe2: http://lockbit 0x3e5:$xe2: http://lockbit 0x446:$xe2: http://lockbit 0x48f:$xe2: http://lockbit 0x4d8:$xe2: http://lockbit 0x521:$xe2: http://lockbit 0x56a:$xe2: http://lockbit 0x5b3:$xe2: http://lockbit 0x5fc:$xe2: http://lockbit 0x645:$xe2: http://lockbit 0x68e:$xe2: http://lockbit 0xd7d:$xe2: http://lockbit 0xdc3:$xe2: http://lockbit 0xe09:$xe2: http://lockbit
/Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
/private/tmp/locklog	MAL_RANSOM_LockBit_Locker_LOG_Apr23_1	Detects indicators found in LockBit ransomware log files	Florian Roth	0x394:$s1: is encrypted. Checksum after encryption 0x42e:$s1: is encrypted. Checksum after encryption 0xd2:$s2: ~~~~~Hardware~~~~ 0xfd:$s2: ~~~~~Hardware~~~~ 0x133:$s3: [+] Add directory to encrypt: 0x16:$s4: ][+] Launch parameters:

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: submission: locker	Mach-O symbol: _crypto_core_salsa208_constbytes
Source: submission: locker	Mach-O symbol: _encrypt_all_files_in_dir
Source: submission: locker	Mach-O symbol: _crypto_core_salsa208_inputbytes
Source: submission: locker	Mach-O symbol: _crypto_core_hsalsa20
Source: submission: locker	Mach-O symbol: _crypto_core_salsa20
Source: submission: locker	Mach-O symbol: _mbedtls_aes_decrypt_cbc
Source: submission: locker	Mach-O symbol: _crypto_core_salsa2012
Source: submission: locker	Mach-O symbol: _mbedtls_aes_encrypt_cbc
Source: submission: locker	Mach-O symbol: _crypto_core_salsa2012_constbytes
Source: submission: locker	Mach-O symbol: _crypto_core_salsa2012_inputbytes
Source: submission: locker	Mach-O symbol: _mbedtls_aes_init_decrypt
Source: submission: locker	Mach-O symbol: _crypto_core_salsa2012_keybytes
Source: submission: locker	Mach-O symbol: _mbedtls_aes_init_encrypt
Source: submission: locker	Mach-O symbol: _crypto_core_salsa2012_outputbytes
Source: submission: locker	Mach-O symbol: _mbedtls_internal_aes_decrypt
Source: submission: locker	Mach-O symbol: _crypto_core_salsa208
Source: submission: locker	Mach-O symbol: _mbedtls_internal_aes_encrypt
Source: submission: locker	Mach-O symbol: _crypto_generichash_blake2b_init
Source: submission: locker	Mach-O symbol: _crypto_core_salsa208_outputbytes
Source: submission: locker	Mach-O symbol: _encrypt_file_by_spots
Source: submission: locker	Mach-O symbol: _crypto_core_salsa20_constbytes
Source: submission: locker	Mach-O symbol: _encrypt_file_first_N_bytes
Source: submission: locker	Mach-O symbol: _crypto_core_salsa20_inputbytes
Source: submission: locker	Mach-O symbol: _encrypt_small_file
Source: submission: locker	Mach-O symbol: _crypto_core_salsa20_keybytes
Source: submission: locker	Mach-O symbol: _crypto_core_salsa20_outputbytes
Source: submission: locker	Mach-O symbol: _crypto_generichash
Source: submission: locker	Mach-O symbol: _crypto_generichash_blake2b
Source: submission: locker	Mach-O symbol: _crypto_generichash_blake2b_final
Source: submission: locker	Mach-O symbol: _encrypt_all_files_in_dir_by_ext
Source: submission: locker	Mach-O symbol: _crypto_core_salsa208_keybytes
Source: submission: locker	Mach-O symbol: _encrypt_file
Source: submission: locker	Mach-O symbol: _crypto_generichash_blake2b_update
Source: submission: locker	Mach-O symbol: _crypto_generichash_bytes
Source: submission: locker	Mach-O symbol: _crypto_generichash_bytes_max
Source: submission: locker	Mach-O symbol: _crypto_generichash_bytes_min
Source: submission: locker	Mach-O symbol: _crypto_generichash_final
Source: submission: locker	Mach-O symbol: _crypto_generichash_init
Source: submission: locker	Mach-O symbol: _crypto_generichash_keybytes
Source: submission: locker	Mach-O symbol: _crypto_generichash_keybytes_max
Source: submission: locker	Mach-O symbol: _crypto_generichash_blake2b_init_salt_personal
Source: submission: locker	Mach-O symbol: _crypto_generichash_blake2b_salt_personal
Source: submission: locker	Mach-O symbol: _crypto_box_beforenmbytes
Source: submission: locker	Mach-O symbol: _crypto_box_beforenm
Source: submission: locker	Mach-O symbol: _crypto_box_afternm
Source: submission: locker	Mach-O symbol: _crypto_box
Source: submission: locker	Mach-O symbol: _crypto_generichash_statebytes
Source: submission: locker	Mach-O symbol: _crypto_generichash_update
Source: submission: locker	Mach-O symbol: _crypto_hash_sha512
Source: submission: locker	Mach-O symbol: _crypto_box_boxzerobytes
Source: submission: locker	Mach-O symbol: _crypto_hash_sha512_final
Source: submission: locker	Mach-O symbol: _crypto_hash_sha512_init
Source: submission: locker	Mach-O symbol: _crypto_hash_sha512_update
Source: submission: locker	Mach-O symbol: _crypto_onetimeauth_poly1305
Source: submission: locker	Mach-O symbol: _crypto_generichash_keybytes_min
Source: submission: locker	Mach-O symbol: _crypto_generichash_keygen
Source: submission: locker	Mach-O symbol: _crypto_generichash_primitive
Source: submission: locker	Mach-O symbol: _crypto_onetimeauth_poly1305_keygen
Source: submission: locker	Mach-O symbol: _crypto_onetimeauth_poly1305_statebytes
Source: submission: locker	Mach-O symbol: _crypto_onetimeauth_poly1305_update
Source: submission: locker	Mach-O symbol: _crypto_onetimeauth_poly1305_verify
Source: submission: locker	Mach-O symbol: _crypto_scalarmult_curve25519
Source: submission: locker	Mach-O symbol: _crypto_scalarmult_curve25519_base
Source: submission: locker	Mach-O symbol: _crypto_onetimeauth_poly1305_bytes
Source: submission: locker	Mach-O symbol: _crypto_onetimeauth_poly1305_final
Source: submission: locker	Mach-O symbol: _crypto_onetimeauth_poly1305_init
Source: submission: locker	Mach-O symbol: _crypto_onetimeauth_poly1305_keybytes
Source: submission: locker	Mach-O symbol: _crypto_secretbox_open_easy
Source: submission: locker	Mach-O symbol: _crypto_secretbox_xsalsa20poly1305
Source: submission: locker	Mach-O symbol: _crypto_secretbox_xsalsa20poly1305_boxzerobytes
Source: submission: locker	Mach-O symbol: _crypto_secretbox_xsalsa20poly1305_keybytes
Source: submission: locker	Mach-O symbol: _crypto_secretbox_xsalsa20poly1305_keygen
Source: submission: locker	Mach-O symbol: _crypto_scalarmult_curve25519_bytes
Source: submission: locker	Mach-O symbol: _crypto_scalarmult_curve25519_scalarbytes
Source: submission: locker	Mach-O symbol: _crypto_secretbox_detached
Source: submission: locker	Mach-O symbol: _crypto_secretbox_easy
Source: submission: locker	Mach-O symbol: _crypto_secretbox_open_detached
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_ietf
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_ietf_keybytes
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_ietf_keygen
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_ietf_messagebytes_max
Source: submission: locker	Mach-O symbol: _crypto_secretbox_xsalsa20poly1305_macbytes
Source: submission: locker	Mach-O symbol: _crypto_secretbox_xsalsa20poly1305_messagebytes_max
Source: submission: locker	Mach-O symbol: _crypto_secretbox_xsalsa20poly1305_noncebytes
Source: submission: locker	Mach-O symbol: _crypto_secretbox_xsalsa20poly1305_open
Source: submission: locker	Mach-O symbol: _crypto_secretbox_xsalsa20poly1305_zerobytes
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20
Source: submission: locker	Mach-O symbol: _all_bytes_encrypted
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_xor
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_xor_ic
Source: submission: locker	Mach-O symbol: _crypto_stream_salsa20
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_ietf_noncebytes
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_ietf_xor
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_ietf_xor_ic
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_keybytes
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_keygen
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_messagebytes_max
Source: submission: locker	Mach-O symbol: _crypto_stream_chacha20_noncebytes
Source: submission: locker	Mach-O symbol: _pre_encrypt_file
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_noncebytes
Source: submission: locker	Mach-O symbol: _crypto_stream_salsa20_xor_ic
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_keypair
Source: submission: locker	Mach-O symbol: _crypto_stream_xsalsa20
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_boxzerobytes
Source: submission: locker	Mach-O symbol: _crypto_stream_xsalsa20_keybytes
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_messagebytes_max
Source: submission: locker	Mach-O symbol: _crypto_stream_xsalsa20_keygen
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_macbytes
Source: submission: locker	Mach-O symbol: _crypto_stream_xsalsa20_messagebytes_max
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_afternm
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_beforenmbytes
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_beforenm
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_open_afternm
Source: submission: locker	Mach-O symbol: _crypto_stream_salsa20_keybytes
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_open
Source: submission: locker	Mach-O symbol: _crypto_stream_salsa20_keygen
Source: submission: locker	Mach-O symbol: _crypto_stream_salsa20_messagebytes_max
Source: submission: locker	Mach-O symbol: _crypto_stream_salsa20_noncebytes
Source: submission: locker	Mach-O symbol: _crypto_stream_salsa20_xor
Source: submission: locker	Mach-O symbol: _crypto_verify_32_bytes
Source: submission: locker	Mach-O symbol: _crypto_box_detached
Source: submission: locker	Mach-O symbol: _crypto_verify_64
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_zerobytes
Source: submission: locker	Mach-O symbol: _crypto_verify_64_bytes
Source: submission: locker	Mach-O symbol: _crypto_box_easy
Source: submission: locker	Mach-O symbol: _crypto_box_detached_afternm
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_secretkeybytes
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_publickeybytes
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_seedbytes
Source: submission: locker	Mach-O symbol: _crypto_box_curve25519xsalsa20poly1305_seed_keypair
Source: submission: locker	Mach-O symbol: _crypto_stream_xsalsa20_noncebytes
Source: submission: locker	Mach-O symbol: _crypto_stream_xsalsa20_xor
Source: submission: locker	Mach-O symbol: _crypto_stream_xsalsa20_xor_ic
Source: submission: locker	Mach-O symbol: _crypto_verify_16
Source: submission: locker	Mach-O symbol: _crypto_verify_16_bytes
Source: submission: locker	Mach-O symbol: _crypto_verify_32
Source: submission: locker	Mach-O symbol: _CalculateCryptoBlocksShift
Source: submission: locker	Mach-O symbol: _crypto_box_open_afternm
Source: submission: locker	Mach-O symbol: _crypto_box_open_detached
Source: submission: locker	Mach-O symbol: _crypto_box_open_detached_afternm
Source: submission: locker	Mach-O symbol: _crypto_box_open_easy
Source: submission: locker	Mach-O symbol: _crypto_box_easy_afternm
Source: submission: locker	Mach-O symbol: _crypto_box_keypair
Source: submission: locker	Mach-O symbol: _crypto_box_macbytes
Source: submission: locker	Mach-O symbol: _crypto_box_messagebytes_max
Source: submission: locker	Mach-O symbol: _crypto_box_noncebytes
Source: submission: locker	Mach-O symbol: _crypto_box_open
Source: submission: locker	Mach-O symbol: _crypto_box_seed_keypair
Source: submission: locker	Mach-O symbol: _crypto_box_seedbytes
Source: submission: locker	Mach-O symbol: _crypto_box_zerobytes
Source: submission: locker	Mach-O symbol: _crypto_box_open_easy_afternm
Source: submission: locker	Mach-O symbol: _crypto_box_primitive
Source: submission: locker	Mach-O symbol: _crypto_box_publickeybytes
Source: submission: locker	Mach-O symbol: _crypto_box_seal
Source: submission: locker	Mach-O symbol: _crypto_box_seal_open
Source: submission: locker	Mach-O symbol: _crypto_box_sealbytes
Source: submission: locker	Mach-O symbol: _crypto_box_secretkeybytes

Networking

Found Tor onion address

Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion

Contains symbols with suspicious names likely related to ransomware targeting virtualization

Source: submission: locker	Mach-O symbol: _kill_esxi_1
Source: submission: locker	Mach-O symbol: _kill_esxi_2
Source: submission: locker	Mach-O symbol: _kill_esxi_3
Source: submission: locker	Mach-O symbol: _killed_force_vm_id

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54215
Source: unknown	Network traffic detected: HTTP traffic on port 54215 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 2.21.20.146

Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: https://twitter.com/hashtag/lockbit?f=live
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Yara detected LockBit ransomware

Source: Yara match	File source: locker, type: SAMPLE
Source: Yara match	File source: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!, type: DROPPED

Likely encrypts files before changing their extension which is indicative for ransomware

Source: /Users/rodrigo/Desktop/locker (PID: 1323)	Written file moved: /Users/rodrigo/Downloads/myfiles/foo.zip -> /Users/rodrigo/Downloads/myfiles/foo.zip.lockbit			Jump to behavior
Source: /Users/rodrigo/Desktop/locker (PID: 1323)	Written file moved: /Users/rodrigo/Downloads/myfiles/bar.zip -> /Users/rodrigo/Downloads/myfiles/bar.zip.lockbit			Jump to behavior

Found potential ransomware demand text

Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: >>>>> Your data is stolen and encrypted.
Source: !!!-Restore-My-Files-!!!.15.dr	String found in binary or memory: If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

Contains symbols with suspicious names likely related to ransomware

Source: submission: locker	Mach-O symbol: _bwipe
Source: submission: locker	Mach-O symbol: _end_wipe
Source: submission: locker	Mach-O symbol: _end_wiping
Source: submission: locker	Mach-O symbol: _Restore_My_Files_body_3
Source: submission: locker	Mach-O symbol: _Restore_My_Files_name
Source: submission: locker	Mach-O symbol: _Restore_My_Files_body_1
Source: submission: locker	Mach-O symbol: _Restore_My_Files_body_2
Source: submission: locker	Mach-O symbol: _Restore_My_Files_body
Source: submission: locker	Mach-O symbol: _wipe
Source: submission: locker	Mach-O symbol: _wipe_error_fmt
Source: submission: locker	Mach-O symbol: _wipe_routine
Source: submission: locker	Mach-O symbol: _wiping
Source: submission: locker	Mach-O symbol: _lock_all_files_in_dir
Source: submission: locker	Mach-O symbol: _lock_all_files_in_dir_by_ext
Source: submission: locker	Mach-O symbol: _start_wipe
Source: submission: locker	Mach-O symbol: _start_wiping

Source: locker, type: SAMPLE	Matched rule: MAL_RANSOM_LNX_macOS_LockBit_Apr23_1 date = 2023-04-15, hash5 = dc3d08480f5e18062a0643f9c4319e5c3f55a2e7e93cd8eddd5e0c02634df7cf, hash4 = c9cac06c9093e9026c169adc3650b018d29c8b209e3ec511bbe34cbe1638a0d8, hash3 = a405d034c01a357a89c9988ffe8a46a165915df18fd297469b2bcaaf97578442, hash2 = 9ebcbaf3c9e2bbce6b2331238ab584f95f7ced326ca4aba2ddcc8aa8ee964f66, hash1 = 0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e, author = Florian Roth, description = Detects LockBit ransomware samples for Linux and macOS, score = , hash8 = 3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79, hash7 = 0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde, hash6 = e77124c2e9b691dbe41d83672d3636411aaebc0aff9a300111a90017420ff096, reference = https://twitter.com/malwrhunterteam/status/1647384505550876675?s=20
Source: locker, type: SAMPLE	Matched rule: MAL_RANSOM_LockBit_Apr23_1 date = 2023-04-17, author = Florian Roth, description = Detects indicators found in LockBit ransomware, score = , reference = https://objective-see.org/blog/blog_0x75.html
Source: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!, type: DROPPED	Matched rule: MAL_RANSOM_LockBit_Apr23_1 date = 2023-04-17, author = Florian Roth, description = Detects indicators found in LockBit ransomware, score = , reference = https://objective-see.org/blog/blog_0x75.html
Source: /private/tmp/locklog, type: DROPPED	Matched rule: MAL_RANSOM_LockBit_Locker_LOG_Apr23_1 date = 2023-04-17, author = Florian Roth, description = Detects indicators found in LockBit ransomware log files, score = , reference = https://objective-see.org/blog/blog_0x75.html

Source: classification engine

Classification label: mal72.rans.evad.mac@0/3@0/0

Source: submission

Code Signing Info: Signature=adhoc

Source: /bin/bash (PID: 1327)	Grep executable: /usr/bin/egrep -> egrep -i display name\|vendor	Jump to behavior
Source: /bin/bash (PID: 1331)	Grep executable: /usr/bin/egrep -> grep vmsyslogd	Jump to behavior
Source: /bin/bash (PID: 1332)	Grep executable: /usr/bin/grep -> grep -v grep	Jump to behavior
Source: /bin/bash (PID: 1340)	Grep executable: /usr/bin/grep -> grep zsxdcxz	Jump to behavior
Source: /bin/bash (PID: 1341)	Grep executable: /usr/bin/grep -> grep -v grep	Jump to behavior

Source: /Users/rodrigo/Desktop/locker (PID: 1323)

File created in download directory: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!

Jump to dropped file

Source: /Users/rodrigo/Desktop/locker (PID: 1324)	Shell command executed: sh -c pciconf -lv	Jump to behavior
Source: /bin/sh (PID: 1324)	Shell command executed: sh -c pciconf -lv	Jump to behavior
Source: /Users/rodrigo/Desktop/locker (PID: 1325)	Shell command executed: sh -c esxcfg-scsidevs -l \| egrep -i 'display name\|vendor'	Jump to behavior
Source: /bin/sh (PID: 1325)	Shell command executed: sh -c esxcfg-scsidevs -l \| egrep -i 'display name\|vendor'	Jump to behavior
Source: /Users/rodrigo/Desktop/locker (PID: 1329)	Shell command executed: sh -c ps -ef \| grep 'vmsyslogd' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9	Jump to behavior
Source: /bin/sh (PID: 1329)	Shell command executed: sh -c ps -ef \| grep 'vmsyslogd' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9	Jump to behavior
Source: /Users/rodrigo/Desktop/locker (PID: 1338)	Shell command executed: sh -c ps -ef \| grep 'zsxdcxz' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9	Jump to behavior
Source: /bin/sh (PID: 1338)	Shell command executed: sh -c ps -ef \| grep 'zsxdcxz' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9	Jump to behavior
Source: /Users/rodrigo/Desktop/locker (PID: 1345)	Shell command executed: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles	Jump to behavior
Source: /bin/sh (PID: 1345)	Shell command executed: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles	Jump to behavior
Source: /Users/rodrigo/Desktop/locker (PID: 1348)	Shell command executed: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper	Jump to behavior
Source: /bin/sh (PID: 1348)	Shell command executed: sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper	Jump to behavior

Source: /bin/bash (PID: 1330)	Ps executable: /bin/ps -> ps -ef			Jump to behavior
Source: /bin/bash (PID: 1339)	Ps executable: /bin/ps -> ps -ef			Jump to behavior

Source: /bin/bash (PID: 1333)	Awk executable: /usr/bin/awk -> awk {print $2}			Jump to behavior
Source: /bin/bash (PID: 1342)	Awk executable: /usr/bin/awk -> awk {print $2}			Jump to behavior

Source: submission

CodeSign Info: Executable=/Users/rodrigo/Desktop/locker

Hooking and other Techniques for Hiding and Protection

Tries to kill the VMware ESXi syslog daemon (likely for hiding)

Source: /Users/rodrigo/Desktop/locker (PID: 1329)	Kill vmsyslogd: /bin/sh -> sh -c ps -ef \| grep 'vmsyslogd' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9			Jump to behavior
Source: /bin/sh (PID: 1329)	Kill vmsyslogd: /bin/bash -> sh -c ps -ef \| grep 'vmsyslogd' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9			Jump to behavior

Source: submission: locker	Mach-O symbol: _esxcfg_scsidevs1
Source: submission: locker	Mach-O symbol: _check_esxi
Source: submission: locker	Mach-O symbol: _esxi_enable
Source: submission: locker	Mach-O symbol: _esxcfg_scsidevs2
Source: submission: locker	Mach-O symbol: _esxcfg_scsidevs3
Source: submission: locker	Mach-O symbol: _esxi_disable
Source: submission: locker	Mach-O symbol: _ps_esxi
Source: submission: locker	Mach-O symbol: _vmware_v
Source: submission: locker	Mach-O symbol: _kill_esxi_1
Source: submission: locker	Mach-O symbol: _kill_esxi_2
Source: submission: locker	Mach-O symbol: _is_esxi
Source: submission: locker	Mach-O symbol: _kill_esxi_3
Source: submission: locker	Mach-O symbol: _kill_processes_Esxi

Source: submission: locker	Mach-O symbol: _ptrace
Source: submission: locker	Mach-O symbol: _vmware_v
Source: submission: locker	Mach-O symbol: _kill_processes
Source: submission: locker	Mach-O symbol: _kill_processes_Esxi

Source: locker

Binary or memory string: _vmware_v

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	Path Interception	22 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Service Stop
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Scripting	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Proxy	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Invalid Code Signature	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Code Signing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://twitter.com/hashtag/lockbit?f=live	!!!-Restore-My-Files-!!!.15.dr	false	high
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
https://www.torproject.org/	!!!-Restore-My-Files-!!!.15.dr	false	high
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly	!!!-Restore-My-Files-!!!.15.dr	true	unknown
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion	!!!-Restore-My-Files-!!!.15.dr	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
2.21.20.146	unknown	European Union		20940	AKAMAI-ASN1EU	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	Aged_Receivables_Report.html	Get hash	malicious	HTMLPhisher	Browse	2.16.241.10
	https://digilander.libero.it/Secure_PDF_1a30/	Get hash	malicious	Unknown	Browse	95.101.149.233
	http://clouuds-haze-bca9.esalasaimr-c19.workers.dev	Get hash	malicious	HTMLPhisher	Browse	2.16.164.106
	https://click.email.active.com/q/K65IlciDYQZc4rAeAa0c9A~~/AAOtGgA~/RgRmvkOYPVcDc3BjQgpk27--22SS25FAUhJzYXJub2xkQHN0ZXBhbi5jb21YBAAAAAs~	Get hash	malicious	HTMLPhisher	Browse	23.55.110.199
	https://click.email.active.com/f/a/9ZSIMwxuS3nTzxIyiOMIjA~~/AAOtGgA~/RgRmvkOTP0SCaHR0cHM6Ly9jb21tdXNlcnVpLXZpcC5hdy5hY3RpdmUuY29tL2NsaWNrLzEvMTcwNjA5MTQwNy9lNzExOGEwZi02MjI4LTRhMDktOTE5Mi00NWJjNjBlZDlmZmQvNTFFNDM3QzYtNEJCRi00RDhGLTk2ODAtNzMyQjQxQjVDNjkwL1cDc3BjQgpk1Ky-22QJY2mTUhFobGV2cmFAc3RlcGFuLmNvbVgEAAAACw~~	Get hash	malicious	HTMLPhisher	Browse	2.16.238.152
	https://1drv.ms/o/s!AoCWiirawl1cgUyDq_YQaZgx0Qcb?e=KXF1RW	Get hash	malicious	HTMLPhisher, SharepointPhisher	Browse	2.16.238.149
	http://www.imt.niu.edu/ipdb3n4m.azodusexz?ccyWVKqcc00VXcyKGjcccWgctcB5J7kxlrcbbb5m======	Get hash	malicious	Phisher	Browse	2.16.241.18
	https://ipfs.io/ipfs/QmTbHi4fauGcrRixT41ZBjKvHPzCgmM1nCM8QsAcBcz5Pv#	Get hash	malicious	HTMLPhisher	Browse	23.0.174.91
	https://ppehostedverificationnetwork.acctelephones.com/?ybcnruks	Get hash	malicious	HTMLPhisher	Browse	2.16.238.152
	https://trilongrp.sharepoint.com/:f:/s/OCTARailTrail/EvyL5xUu88RPnf_0mxXJo2EBuVrFnns4-twoJX21f0hyzg?e=5%3adTYd0d&at=9	Get hash	malicious	HTMLPhisher	Browse	2.22.242.16
	SecuriteInfo.com.Trojan.DownLoader45.65183.28425.18884.exe	Get hash	malicious	FormBook, DBatLoader	Browse	172.232.30.16
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=VDB4_7HZ70GLQRf-WcLjILmiqGK8Tj1HtqQ7v6Tkv_pUMEVQSDVCT1BUSjZYRjhYMFdKUk9IQUVMWS4u	Get hash	malicious	HTMLPhisher	Browse	104.110.191.205
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=_HkV8W7DpUuifstDSryGNxqrvyMyb5JNtRYXwlOy-ZhUMkZaWk1ISTRDNlcyVlYyQ0JTWjdRR0Q1RS4u	Get hash	malicious	HTMLPhisher	Browse	104.110.191.172
	2646fef76ae933018ff8a48e7c46c4ae6a82176107f7d.exe	Get hash	malicious	NetSupport RAT	Browse	80.67.82.211
	5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe	Get hash	malicious	NetSupport RAT	Browse	23.0.174.104
	5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe	Get hash	malicious	NetSupport RAT	Browse	23.0.174.123
	6b109e55911293b4e5098d3711849b85499a988385721.exe	Get hash	malicious	NetSupport RAT	Browse	23.0.174.112
	6b109e55911293b4e5098d3711849b85499a988385721.exe	Get hash	malicious	NetSupport RAT	Browse	23.0.174.123
	ebcad8758c000304d86b7a43e2755bdf656cd477a9390.exe	Get hash	malicious	NetSupport RAT	Browse	23.0.174.112
	027.dll	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse	184.28.113.215

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!

Download File

Process:	/Users/rodrigo/Desktop/locker
File Type:	ASCII text, with very long lines (855)
Category:	dropped
Size (bytes):	4171
Entropy (8bit):	5.0273174802063165
Encrypted:	false
SSDEEP:	96:vW0YUS8YT0Zn/yjKzyxhSkKLByEfJinWKwZurLA0:vWYVYT0Zn/yjFhj2fJuQiZ
MD5:	3522EEAA83392B60EEC1C746A07F1B9D
SHA1:	EF958F3CF201F9323CEAE9663D86464021F8E10D
SHA-256:	8AA41F78D44F80C56B7364954B397525B5271EB2338C2C2A8ED4A1D05FD1F0D3
SHA-512:	8103B8DC09FF63BEBE278DE2D9697056D78115D15BB24CBE24794BFB12DEEC9E006537B0ED331D344516CB671387117BB8A46757DC9298847AA496699399C6A9
Malicious:	true
Yara Hits:	Rule: MAL_RANSOM_LockBit_Apr23_1, Description: Detects indicators found in LockBit ransomware, Source: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!, Author: Florian Roth Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: /Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!, Author: Joe Security
Reputation:	low
Preview:	~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~..>>>>> Your data is stolen and encrypted..If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe...Tor Browser Links:.http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.htt

/private/tmp/locker.pid

Download File

Process:	/Users/rodrigo/Desktop/locker
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

/private/tmp/locklog

Download File

Process:	/Users/rodrigo/Desktop/locker
File Type:	ASCII text
Category:	dropped
Size (bytes):	1122
Entropy (8bit):	5.200729478336906
Encrypted:	false
SSDEEP:	24:yGYwFuUDf+34Z+L4ZbL4Z+CO4ZBCZvAPULTPkWVUaPkW0:yWFukUU/4woPQHVC
MD5:	083A1256D33DFFE220931B9E2E5273BF
SHA1:	E1288F4E68365AB30468B9C93DC80D828459B337
SHA-256:	81F06CB5B768B5FAF065D4B24E612406528D26422B7245E71AA7C24D05BDA23B
SHA-512:	B38B96FF2E6DE52B4DCCC9A9D0092194C568590E0513FB45D7116EE2E3DBF51D0D49C29DA384A8946B8E04484BDF482D58634D2C8BD72D458B3207106597C0A9
Malicious:	false
Yara Hits:	Rule: MAL_RANSOM_LockBit_Locker_LOG_Apr23_1, Description: Detects indicators found in LockBit ransomware log files, Source: /private/tmp/locklog, Author: Florian Roth
Reputation:	low
Preview:	[09:48:47][3999588480l][+] Launch parameters: /Users/rodrigo/Desktop/locker -i '/Users/rodrigo/Downloads/myfiles' -m 16 -w 0 -b 0 -r 0 -l 0 -n 0 -d 1 -e '' -s 10 -p test -o 0 -t 0 -f 1 -a 0 -z 0 -y 0.~~~~~~~~~~~~~~~Hardware~~~~~~~~~~~~~~~~~~..~~~~~~~~~~~~~~~Hardware~~~~~~~~~~~~~~~~~~.[09:48:51][8294555776][+] Add directory to encrypt: /Users/rodrigo/Downloads/myfiles.[09:48:51][6123139072][+] Start encrypting file /Users/rodrigo/Downloads/myfiles/bar.zip.[09:48:51][6123712512][+] Start encrypting file /Users/rodrigo/Downloads/myfiles/foo.zip.[09:48:51][6123712512][+] Start encrypting file /Users/rodrigo/Downloads/myfiles/foo.zip spot 0 from 1. Original checksum 2232859300.[09:48:51][6123139072][+] Start encrypting file /Users/rodrigo/Downloads/myfiles/bar.zip spot 0 from 1. Original checksum 2897208693.[09:48:51][6123712512][+] End file /Users/rodrigo/Downloads/myfiles/foo.zip size 23011 time 1692179325 is encrypted. Checksum after encryption 1702492450.[09:48:51][6123139072][+] End fi

Static File Info

General

File type:	Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Entropy (8bit):	6.843741465163178
TrID:	Mac OS X Mach-O 64-bit ARM executable (little-endian) (4008/2) 50.02% Mac OS X Mach-O 64-bit executable (little-endian) (4004/1) 49.98%
File name:	locker
File size:	412'227 bytes
MD5:	abf01633960dd77c6137175a21fccf34
SHA1:	2d15286d25f0e0938823dcd742bc928e78199b3d
SHA256:	3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79
SHA512:	4929d96033de0ecbb5a2356f12dc8e1cbf1a4d9659bb3c30005b55e8691981176e7162672b250ff1a8008e8dbdf4272df2a8d7fd0b7f03a6069df64f87ea01c3
SSDEEP:	6144:dsjtmdjmg8o3TMkdSFKvrhWmc/aa/YxyPy0y5ykyPpelPyrO8BrGd2//ryj4hqq1:dsj0dApBS3lPy7nn24cq1g+bKpbIfp
TLSH:	93949D099C6C1D77EAC6A0FD18504ECC710FFFA8CE5092B2728E885D9FDA695B050B79
File Content Preview:	.......................... .........H...__PAGEZERO..........................................................x...__TEXT..........................................................__text..........__TEXT..........x...............x..............................

CodeSign Information

[
    "Executable=/Users/rodrigo/Desktop/locker",
    "Identifier=locker",
    "Format=Mach-O thin (arm64)",
    "CodeDirectory v=20400 size=3295 flags=0x20002(adhoc,linker-signed) hashes=100+0 location=embedded",
    "VersionPlatform=1",
    "VersionMin=720896",
    "VersionSDK=721664",
    "Hash type=sha256 size=32",
    "CandidateCDHash sha256=2ab536073c816091835f2df5ff9d1d75e212254a",
    "CandidateCDHashFull sha256=2ab536073c816091835f2df5ff9d1d75e212254a75ffff977fc3675fd1ff9f11",
    "Hash choices=sha256",
    "CMSDigest=2ab536073c816091835f2df5ff9d1d75e212254a75ffff977fc3675fd1ff9f11",
    "CMSDigestType=2",
    "Page size=4096",
    "Launch Constraints:",
    "None",
    "CDHash=2ab536073c816091835f2df5ff9d1d75e212254a",
    "Signature=adhoc",
    "Info.plist=not bound",
    "TeamIdentifier=not set",
    "Sealed Resources=none",
    "Internal requirements=none"
]

Static Mach Info

General Information for header 1
Endian:	little-endian
Size:	64-bit
Architecture:	arm64
Filetype:	execute
Nbr. of load commands:	17
Entry point:	0xB0D4

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x50000

fileoff

0x0

filesize

0x50000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100002E78	0x3F818	0x2E78	6.9536	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x100042690	0x51C	0x42690	3.9876	0x2	0x0	0	0x80000408
__stub_helper	__TEXT	0x100042BAC	0x534	0x42BAC	4.0660	0x2	0x0	0	0x80000400
__const	__TEXT	0x1000430E0	0xAB3C	0x430E0	1.3211	0x4	0x0	0	0x0
__cstring	__TEXT	0x10004DC1C	0x354	0x4DC1C	5.0895	0x0	0x0	0	0x2
__unwind_info	__TEXT	0x10004DF70	0x12D4	0x4DF70	2.0050	0x2	0x0	0	0x0
__eh_frame	__TEXT	0x10004F248	0xDB8	0x4F248	4.5057	0x3	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100050000

vmsize

0x4000

fileoff

0x50000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100050000	0x48	0x50000	-0.0000	0x3	0x0	0	0x6
__const	__DATA_CONST	0x100050048	0x278	0x50048	1.3211	0x3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100054000

vmsize

0x8000

fileoff

0x54000

filesize

0x8000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x100054000	0x368	0x54000	3.0002	0x3	0x0	0	0x7
__data	__DATA	0x100054368	0x72B4	0x54368	5.9896	0x3	0x0	0	0x0
__common	__DATA	0x10005B620	0x554	0x0	0.0000	0x3	0x0	0	0x1
__bss	__DATA	0x10005BB78	0x29	0x0	0.0000	0x3	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x10005C000
vmsize	0xC000
fileoff	0x5C000
filesize	0x8A43
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	376832
rebase_size	24
bind_off	376856
bind_size	128
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	376984
lazy_bind_size	1840
export_off	378824
export_size	8704

symtab_command aggregated: 1

Name	Value
symoff	388064
nsyms	587
stroff	398368
strsize	10536

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	0
iextdefsym	0
nextdefsym	469
iundefsym	469
nundefsym	118
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	397456
nindirectsyms	227
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'\xf9b\xf1\x8b\x12\xa136\x8a\xa4\x07y\x08\x9c+\t'

build_version_command aggregated: 1

Name

Value

platform

minos

720896

sdk

721664

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	45268
stacksize	0

dylib_command aggregated: 1

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1292.100.5

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

linkedit_data_command aggregated: 3

Name	Value
dataoff	387528
datasize	536

Name	Value
dataoff	388064
datasize	0

Name	Value
dataoff	408912
datasize	3315

Internal Symbols

_CalculateCryptoBlocksShift

_KEYSIZE

_PrintLog

_PrintLog2

_Restore_My_Files_body

_Restore_My_Files_body_1

_Restore_My_Files_body_2

_Restore_My_Files_body_3

_Restore_My_Files_name

_SkipByDirName

_SkipByFileName

_Suspend_VM_ID_ERROR

_Suspended_VM_ID

___assert_rtn

___chkstk_darwin

___error

___memcpy_chk

___sprintf_chk

___stack_chk_fail

___stack_chk_guard

___stderrp

___stdinp

___strcat_chk

___strcpy_chk

___strncat_chk

___tolower

__mh_execute_header

_abort

_access

_add_dir

_add_node_to_chain

_all_aparams

_all_bytes_encrypted

_all_bytes_ignored

_all_bytes_readed

_all_failed_files_count

_all_files_count

_all_success_files_count

_all_vms_count

_alloc_node

_apple_config

_ast

_atoi

_atol

_autostart_off

_avmdk

_bRunning

_bSelfRemove

_bVMDKmode

_basename

_bdaemon

_beginfile

_bfullog

_bin

_bin_vim_cmd

_bin_vm_support

_bnostop

_boot_cmd

_bwipe

_bzero

_calloc

_chdir

_check_esxi

_chmod

_close

_comma

_cpusummary1_bsd

_cpusummary1_linux

_cpusummary2_bsd

_cpusummary2_linux

_cpusummary3_bsd

_cpusummary3_linux

_crc32_table

_create_log_file

_create_spots

_create_spots_2

_crypto_box

_crypto_box_afternm

_crypto_box_beforenm

_crypto_box_beforenmbytes

_crypto_box_boxzerobytes

_crypto_box_curve25519xsalsa20poly1305

_crypto_box_curve25519xsalsa20poly1305_afternm

_crypto_box_curve25519xsalsa20poly1305_beforenm

_crypto_box_curve25519xsalsa20poly1305_beforenmbytes

_crypto_box_curve25519xsalsa20poly1305_boxzerobytes

_crypto_box_curve25519xsalsa20poly1305_keypair

_crypto_box_curve25519xsalsa20poly1305_macbytes

_crypto_box_curve25519xsalsa20poly1305_messagebytes_max

_crypto_box_curve25519xsalsa20poly1305_noncebytes

_crypto_box_curve25519xsalsa20poly1305_open

_crypto_box_curve25519xsalsa20poly1305_open_afternm

_crypto_box_curve25519xsalsa20poly1305_publickeybytes

_crypto_box_curve25519xsalsa20poly1305_secretkeybytes

_crypto_box_curve25519xsalsa20poly1305_seed_keypair

_crypto_box_curve25519xsalsa20poly1305_seedbytes

_crypto_box_curve25519xsalsa20poly1305_zerobytes

_crypto_box_detached

_crypto_box_detached_afternm

_crypto_box_easy

_crypto_box_easy_afternm

_crypto_box_keypair

_crypto_box_macbytes

_crypto_box_messagebytes_max

_crypto_box_noncebytes

_crypto_box_open

_crypto_box_open_afternm

_crypto_box_open_detached

_crypto_box_open_detached_afternm

_crypto_box_open_easy

_crypto_box_open_easy_afternm

_crypto_box_primitive

_crypto_box_publickeybytes

_crypto_box_seal

_crypto_box_seal_open

_crypto_box_sealbytes

_crypto_box_secretkeybytes

_crypto_box_seed_keypair

_crypto_box_seedbytes

_crypto_box_zerobytes

_crypto_core_hsalsa20

_crypto_core_salsa20

_crypto_core_salsa2012

_crypto_core_salsa2012_constbytes

_crypto_core_salsa2012_inputbytes

_crypto_core_salsa2012_keybytes

_crypto_core_salsa2012_outputbytes

_crypto_core_salsa208

_crypto_core_salsa208_constbytes

_crypto_core_salsa208_inputbytes

_crypto_core_salsa208_keybytes

_crypto_core_salsa208_outputbytes

_crypto_core_salsa20_constbytes

_crypto_core_salsa20_inputbytes

_crypto_core_salsa20_keybytes

_crypto_core_salsa20_outputbytes

_crypto_generichash

_crypto_generichash_blake2b

_crypto_generichash_blake2b_final

_crypto_generichash_blake2b_init

_crypto_generichash_blake2b_init_salt_personal

_crypto_generichash_blake2b_salt_personal

_crypto_generichash_blake2b_update

_crypto_generichash_bytes

_crypto_generichash_bytes_max

_crypto_generichash_bytes_min

_crypto_generichash_final

_crypto_generichash_init

_crypto_generichash_keybytes

_crypto_generichash_keybytes_max

_crypto_generichash_keybytes_min

_crypto_generichash_keygen

_crypto_generichash_primitive

_crypto_generichash_statebytes

_crypto_generichash_update

_crypto_hash_sha512

_crypto_hash_sha512_final

_crypto_hash_sha512_init

_crypto_hash_sha512_update

_crypto_onetimeauth_poly1305

_crypto_onetimeauth_poly1305_bytes

_crypto_onetimeauth_poly1305_final

_crypto_onetimeauth_poly1305_init

_crypto_onetimeauth_poly1305_keybytes

_crypto_onetimeauth_poly1305_keygen

_crypto_onetimeauth_poly1305_statebytes

_crypto_onetimeauth_poly1305_update

_crypto_onetimeauth_poly1305_verify

_crypto_scalarmult_curve25519

_crypto_scalarmult_curve25519_base

_crypto_scalarmult_curve25519_bytes

_crypto_scalarmult_curve25519_scalarbytes

_crypto_secretbox_detached

_crypto_secretbox_easy

_crypto_secretbox_open_detached

_crypto_secretbox_open_easy

_crypto_secretbox_xsalsa20poly1305

_crypto_secretbox_xsalsa20poly1305_boxzerobytes

_crypto_secretbox_xsalsa20poly1305_keybytes

_crypto_secretbox_xsalsa20poly1305_keygen

_crypto_secretbox_xsalsa20poly1305_macbytes

_crypto_secretbox_xsalsa20poly1305_messagebytes_max

_crypto_secretbox_xsalsa20poly1305_noncebytes

_crypto_secretbox_xsalsa20poly1305_open

_crypto_secretbox_xsalsa20poly1305_zerobytes

_crypto_stream_chacha20

_crypto_stream_chacha20_ietf

_crypto_stream_chacha20_ietf_keybytes

_crypto_stream_chacha20_ietf_keygen

_crypto_stream_chacha20_ietf_messagebytes_max

_crypto_stream_chacha20_ietf_noncebytes

_crypto_stream_chacha20_ietf_xor

_crypto_stream_chacha20_ietf_xor_ic

_crypto_stream_chacha20_keybytes

_crypto_stream_chacha20_keygen

_crypto_stream_chacha20_messagebytes_max

_crypto_stream_chacha20_noncebytes

_crypto_stream_chacha20_xor

_crypto_stream_chacha20_xor_ic

_crypto_stream_salsa20

_crypto_stream_salsa20_keybytes

_crypto_stream_salsa20_keygen

_crypto_stream_salsa20_messagebytes_max

_crypto_stream_salsa20_noncebytes

_crypto_stream_salsa20_xor

_crypto_stream_salsa20_xor_ic

_crypto_stream_xsalsa20

_crypto_stream_xsalsa20_keybytes

_crypto_stream_xsalsa20_keygen

_crypto_stream_xsalsa20_messagebytes_max

_crypto_stream_xsalsa20_noncebytes

_crypto_stream_xsalsa20_xor

_crypto_stream_xsalsa20_xor_ic

_crypto_verify_16

_crypto_verify_16_bytes

_crypto_verify_32

_crypto_verify_32_bytes

_crypto_verify_64

_crypto_verify_64_bytes

_daemon

_daemonize

_dashes

_date_time_fmt

_de_xor

_de_xor_all

_dec

_delay_c

_df_h

_dirkipped

_dirname

_dis_autostart

_disable_autostart

_displayName

_do_I_need_to_bypass_this_file

_do_I_need_to_bypass_this_folder2

_do_I_need_to_bypass_this_folder_ubuntu

_do_I_need_to_bypass_this_vms

_dontforget

_dot

_dotdot

_en_ssh

_en_ssh_fmt_m

_en_ssh_fmt_p

_enable_ssh

_enable_ssh_t

_enc

_enc_entry

_enced

_encing

_encrypt_all_files_in_dir

_encrypt_all_files_in_dir_by_ext

_encrypt_file

_encrypt_file_by_spots

_encrypt_file_first_N_bytes

_encrypt_small_file

_end_wipe

_end_wiping

_enter_pass

_err

_esxcfg_scsidevs1

_esxcfg_scsidevs2

_esxcfg_scsidevs3

_esxi_disable

_esxi_enable

_etc_c

_except_foler1

_except_foler2

_exit

_extensions_c

_extrac

_exts_divide

_fclose

_fcntl

_fd_log

_fgets

_filesystemlist1

_filesystemlist1_bsd

_filesystemlist1_linux

_filesystemlist2

_filesystemlist2_bsd

_filesystemlist2_linux

_filesystemlist3_bsd

_finished_time

_flock

_fopen

_force_kill_fmt_1

_force_kill_fmt_2

_fork

_fprintf

_free

_free_chain

_free_ram

_fstat

_fstatfs

_fsync

_full_c

_g_Config

_getFile

_get_all_files

_get_all_processes

_get_displayName

_get_filename_ext

_get_filename_ext2

_get_hardware

_get_password

_get_proccesorinfo

_get_uname_a

_get_version

_get_volumes_info

_getopt_long

_getpagesize

_getppid

_gl_err

_glob

_globfree

_gmtime

_go

_home

_hostname

_hostsummary1

_hostsummary2

_hostsummary3

_hostsummary4

_iMinfilesize

_iSpotMaximum

_ibeginRegion

_idelayinmin

_indir

_init

_irepeatinmin

_isBE

_is_directory

_is_esxi

_kill_1

_kill_2

_kill_3

_kill_4

_kill_5

_kill_esxi_1

_kill_esxi_2

_kill_esxi_3

_kill_processes

_kill_processes_Esxi

_killed_force_vm_id

_listvms

_lock_all_files_in_dir

_lock_all_files_in_dir_by_ext

_lockbit

_locker_pid

_lockex

_log_c

_log_to_console

_logg

_logg_1

_logg_2

_ls_al_p_r

_ls_al_r

_lseek

_lspci_bsd_c

_lspci_c

_main

_malloc

_mask_all

_mbedtls_aes_decrypt_cbc

_mbedtls_aes_encrypt_cbc

_mbedtls_aes_free

_mbedtls_aes_init_decrypt

_mbedtls_aes_init_encrypt

_mbedtls_internal_aes_decrypt

_mbedtls_internal_aes_encrypt

_memcmp

_memcpy

_memmove

_memset

_memset_s

_minfile

_minus_d

_minus_f

_minus_l

_minus_n

_minus_o

_minus_r

_minus_t

_minus_w

_mlock

_mmap

_mmap_alloc

_mmap_error

_mprotect

_munlock

_munmap

_mutex

_nanosleep

_need_ram

_no_log

_noext

_noexts_c

_nolog

_nostop

_not_dec

_not_enc

_null_two

_number_of_processors

_open

_optarg

_opterr

_optind

_optopt

_page_size

_pass

_pclose

_pid_file

_popen

_pre_encrypt_file

_pre_str

_printf

_processor_info

_processors

_ps_bsd

_ps_esxi

_ps_linux

_pthread_cond_broadcast

_pthread_cond_destroy

_pthread_cond_init

_pthread_cond_signal

_pthread_cond_wait

_pthread_create

_pthread_detach

_pthread_join

_pthread_mutex_destroy

_pthread_mutex_init

_pthread_mutex_lock

_pthread_mutex_unlock

_pthread_self

_ptrace

_publickey

_put_note

_qstrcmp

_raise

_rand

_rand_value

_randombytes

_randombytes_buf

_randombytes_buf_deterministic

_randombytes_close

_randombytes_implementation_name

_randombytes_random

_randombytes_seedbytes

_randombytes_set_implementation

_randombytes_stir

_randombytes_sysrandom_implementation

_randombytes_uniform

_rc_local

_read

_read_with_retry

_readlink

_remove_c

_rename

_repeat_c

_reports

_rmd

_rstrstr

_running

_s_a_s_n

_s_s

_s_s_n

_sbin

_sbin_vm_support

_sbin_vmdumper

_setitimer

_setsid

_setvbuf

_sigaction

_signal

_skeleton_daemon

_slash

_sleep

_snprintf

_sodium_add

_sodium_allocarray

_sodium_compare

_sodium_free

_sodium_increment

_sodium_init

_sodium_is_zero

_sodium_malloc

_sodium_memcmp

_sodium_memzero

_sodium_misuse

_sodium_mlock

_sodium_mprotect_noaccess

_sodium_mprotect_readonly

_sodium_mprotect_readwrite

_sodium_munlock

_sodium_pad

_sodium_runtime_has_aesni

_sodium_runtime_has_avx

_sodium_runtime_has_avx2

_sodium_runtime_has_avx512f

_sodium_runtime_has_neon

_sodium_runtime_has_pclmul

_sodium_runtime_has_rdrand

_sodium_runtime_has_sse2

_sodium_runtime_has_sse3

_sodium_runtime_has_sse41

_sodium_runtime_has_ssse3

_sodium_set_misuse_handler

_sodium_stackzero

_sodium_sub

_sodium_unpad

_spot

_srand

_start_enc

_start_enc_offset

_start_enc_spot

_start_from_dir

_start_wipe

_start_wiping

_started_time

_stat

_strcasecmp

_strchr

_strcmp

_strcpy

_strdup

_strerror

_strftime

_strlen

_strncmp

_strncpy

_strrchr

_strstr

_strtok

_sudoers_d

_suspend_routine

_suspend_working_vms

_sysconf

_sysctlbyname

_system

_target_and_nftw

_target_and_nftw2

_tempnam

_threadpool

_time

_time_fmt

_timer_handler

_tpool_add_work

_tpool_create

_tpool_destroy

_tpool_wait

_trying

_umask

_uname_a

_unlink

_usage

_usr_share

_var_log

_version

_vfprintf

_vmdk

_vmdk_c

_vmdumper_l

_vmdumper_suspend_vm

_vmware_v

_vprintf

_vswp

_wait_for_stop

_wait_for_stop_error

_wait_for_wid_stopped

_wbskipped

_wholefile

_wholefile_c

_wid_str

_wipe

_wipe_error_fmt

_wipe_routine

_wiping

_wordexp

_wordfree

_workers_count

_write

_write_on_disk

_write_with_retry

_xcrc32

_xor_val

dyld_stub_binder

External Symbols

___assert_rtn

___error

___memcpy_chk

___sprintf_chk

___stack_chk_fail

___strcat_chk

___strcpy_chk

___strncat_chk

___tolower

_abort

_access

_atoi

_atol

_basename

_bzero

_calloc

_chdir

_chmod

_close

_daemon

_dirname

_exit

_fclose

_fcntl

_fgets

_flock

_fopen

_fork

_fprintf

_free

_fstat

_fstatfs

_fsync

_getopt_long

_getpagesize

_getppid

_glob

_globfree

_gmtime

_lseek

_malloc

_memcmp

_memcpy

_memmove

_memset

_memset_s

_mlock

_mmap

_mprotect

_munlock

_munmap

_nanosleep

_open

_pclose

_popen

_printf

_pthread_cond_broadcast

_pthread_cond_destroy

_pthread_cond_init

_pthread_cond_signal

_pthread_cond_wait

_pthread_create

_pthread_detach

_pthread_join

_pthread_mutex_destroy

_pthread_mutex_init

_pthread_mutex_lock

_pthread_mutex_unlock

_pthread_self

_ptrace

_raise

_rand

_read

_readlink

_rename

_setitimer

_setsid

_setvbuf

_sigaction

_signal

_sleep

_snprintf

_srand

_stat

_strcasecmp

_strchr

_strcmp

_strcpy

_strdup

_strerror

_strftime

_strlen

_strncmp

_strncpy

_strrchr

_strstr

_strtok

_sysconf

_sysctlbyname

_system

_tempnam

_time

_umask

_unlink

_vfprintf

_vprintf

_wordexp

_wordfree

_write

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 16, 2023 09:48:47.185632944 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.196001053 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.196578979 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.196578979 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.206788063 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.218308926 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.218341112 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.218359947 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.218380928 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.218902111 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.222924948 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.223351955 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.233186960 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.233238935 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.233360052 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.233378887 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.233576059 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.233652115 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.465276003 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.465306997 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.465327024 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.465344906 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.465363979 CEST	443	54215	2.21.20.146	192.168.0.56
Aug 16, 2023 09:48:47.465626955 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.465744972 CEST	54215	443	192.168.0.56	2.21.20.146
Aug 16, 2023 09:48:47.679861069 CEST	54215	443	192.168.0.56	2.21.20.146

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 16, 2023 09:48:47.229587078 CEST	53	54481	4.2.2.1	192.168.0.56

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 16, 2023 09:48:46.760468006 CEST	4.2.2.1	192.168.0.56	c424	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:48:48.819890022 CEST	4.2.2.1	192.168.0.56	c424	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:48:48.819921970 CEST	4.2.2.1	192.168.0.56	c42b	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:48:52.993401051 CEST	4.2.2.1	192.168.0.56	c424	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:48:52.993432045 CEST	4.2.2.1	192.168.0.56	c42b	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:48:52.993887901 CEST	4.2.2.1	192.168.0.56	c433	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:48:52.993918896 CEST	4.2.2.1	192.168.0.56	c422	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:01.157387972 CEST	4.2.2.2	192.168.0.56	c425	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:01.157526016 CEST	4.2.2.2	192.168.0.56	c41f	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:01.157830000 CEST	4.2.2.2	192.168.0.56	c42c	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:01.157847881 CEST	4.2.2.2	192.168.0.56	c423	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:01.157936096 CEST	4.2.2.2	192.168.0.56	c434	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:17.792175055 CEST	4.2.2.2	192.168.0.56	c425	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:17.792273045 CEST	4.2.2.2	192.168.0.56	c41f	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:17.792542934 CEST	4.2.2.2	192.168.0.56	c42c	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:17.792671919 CEST	4.2.2.2	192.168.0.56	c434	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:17.792690039 CEST	4.2.2.2	192.168.0.56	c423	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:47.841537952 CEST	4.2.2.1	192.168.0.56	c424	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:47.841648102 CEST	4.2.2.1	192.168.0.56	c42b	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:47.842015028 CEST	4.2.2.1	192.168.0.56	c433	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:47.842137098 CEST	4.2.2.1	192.168.0.56	c422	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:49:47.842272043 CEST	4.2.2.1	192.168.0.56	c41e	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:18.930401087 CEST	4.2.2.1	192.168.0.56	c424	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:18.930430889 CEST	4.2.2.1	192.168.0.56	c42b	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:18.930721045 CEST	4.2.2.1	192.168.0.56	c433	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:18.930825949 CEST	4.2.2.1	192.168.0.56	c422	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:18.931076050 CEST	4.2.2.1	192.168.0.56	c41e	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:49.775155067 CEST	4.2.2.2	192.168.0.56	c425	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:49.775286913 CEST	4.2.2.2	192.168.0.56	c41f	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:49.775516987 CEST	4.2.2.2	192.168.0.56	c42c	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:49.775633097 CEST	4.2.2.2	192.168.0.56	c434	(Port unreachable)	Destination Unreachable
Aug 16, 2023 09:50:49.775759935 CEST	4.2.2.2	192.168.0.56	c423	(Port unreachable)	Destination Unreachable

System Behavior

Analysis Process: mono-sgen64 PID: 1322, Parent PID: 1257

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/Library/Frameworks/Mono.framework/Versions/6.12.0/bin/mono-sgen64
Arguments:	-
File size:	4699168 bytes
MD5 hash:	98f65da8c6a62423d3f4cda359f06a87

Chronological Activities

Analysis Process: locker PID: 1322, Parent PID: 1257

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/Users/rodrigo/Desktop/locker
Arguments:	/Users/rodrigo/Desktop/locker -f -p test -i /Users/rodrigo/Downloads/myfiles
File size:	412227 bytes
MD5 hash:	abf01633960dd77c6137175a21fccf34

Chronological Activities

Analysis Process: locker PID: 1323, Parent PID: 1322

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/Users/rodrigo/Desktop/locker
Arguments:	-
File size:	412227 bytes
MD5 hash:	abf01633960dd77c6137175a21fccf34

Chronological Activities

Analysis Process: locker PID: 1324, Parent PID: 1323

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/Users/rodrigo/Desktop/locker
Arguments:	-
File size:	412227 bytes
MD5 hash:	abf01633960dd77c6137175a21fccf34

Chronological Activities

Analysis Process: sh PID: 1324, Parent PID: 1323

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/bin/sh
Arguments:	sh -c pciconf -lv
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Chronological Activities

Analysis Process: bash PID: 1324, Parent PID: 1323

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	sh -c pciconf -lv
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: locker PID: 1325, Parent PID: 1323

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/Users/rodrigo/Desktop/locker
Arguments:	-
File size:	412227 bytes
MD5 hash:	abf01633960dd77c6137175a21fccf34

Chronological Activities

Analysis Process: sh PID: 1325, Parent PID: 1323

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/bin/sh
Arguments:	sh -c esxcfg-scsidevs -l \| egrep -i 'display name\|vendor'
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Chronological Activities

Analysis Process: bash PID: 1325, Parent PID: 1323

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	sh -c esxcfg-scsidevs -l \| egrep -i 'display name\|vendor'
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: bash PID: 1326, Parent PID: 1325

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: bash PID: 1327, Parent PID: 1325

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: egrep PID: 1327, Parent PID: 1325

General

Start time:	09:48:47
Start date:	16/08/2023
Path:	/usr/bin/egrep
Arguments:	egrep -i display name\|vendor
File size:	186512 bytes
MD5 hash:	6f66c1fde5ed2bf315b619fec82808e7

Chronological Activities

Analysis Process: locker PID: 1329, Parent PID: 1323

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/Users/rodrigo/Desktop/locker
Arguments:	-
File size:	412227 bytes
MD5 hash:	abf01633960dd77c6137175a21fccf34

Chronological Activities

Analysis Process: sh PID: 1329, Parent PID: 1323

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/sh
Arguments:	sh -c ps -ef \| grep 'vmsyslogd' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Chronological Activities

Analysis Process: bash PID: 1329, Parent PID: 1323

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	sh -c ps -ef \| grep 'vmsyslogd' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: bash PID: 1330, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: ps PID: 1330, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/ps
Arguments:	ps -ef
File size:	203584 bytes
MD5 hash:	c69d135ec952c1e7e71a6661d7f2c668

Chronological Activities

Analysis Process: bash PID: 1331, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: egrep PID: 1331, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/usr/bin/egrep
Arguments:	grep vmsyslogd
File size:	186512 bytes
MD5 hash:	6f66c1fde5ed2bf315b619fec82808e7

Chronological Activities

Analysis Process: bash PID: 1332, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: grep PID: 1332, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/usr/bin/grep
Arguments:	grep -v grep
File size:	186512 bytes
MD5 hash:	6f66c1fde5ed2bf315b619fec82808e7

Chronological Activities

Analysis Process: bash PID: 1333, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: awk PID: 1333, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/usr/bin/awk
Arguments:	awk {print $2}
File size:	334992 bytes
MD5 hash:	97896adae88543b8cb6b90100baf16fb

Chronological Activities

Analysis Process: bash PID: 1334, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: xargs PID: 1334, Parent PID: 1329

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/usr/bin/xargs
Arguments:	xargs -r kill -9
File size:	168768 bytes
MD5 hash:	dc3e49e00351048640a9116224da6c69

Chronological Activities

Analysis Process: locker PID: 1338, Parent PID: 1323

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/Users/rodrigo/Desktop/locker
Arguments:	-
File size:	412227 bytes
MD5 hash:	abf01633960dd77c6137175a21fccf34

Chronological Activities

Analysis Process: sh PID: 1338, Parent PID: 1323

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/sh
Arguments:	sh -c ps -ef \| grep 'zsxdcxz' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Chronological Activities

Analysis Process: bash PID: 1338, Parent PID: 1323

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	sh -c ps -ef \| grep 'zsxdcxz' \| grep -v grep \| awk '{print $2}' \| xargs -r kill -9
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: bash PID: 1339, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: ps PID: 1339, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/ps
Arguments:	ps -ef
File size:	203584 bytes
MD5 hash:	c69d135ec952c1e7e71a6661d7f2c668

Chronological Activities

Analysis Process: bash PID: 1340, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: grep PID: 1340, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/usr/bin/grep
Arguments:	grep zsxdcxz
File size:	186512 bytes
MD5 hash:	6f66c1fde5ed2bf315b619fec82808e7

Chronological Activities

Analysis Process: bash PID: 1341, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: grep PID: 1341, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/usr/bin/grep
Arguments:	grep -v grep
File size:	186512 bytes
MD5 hash:	6f66c1fde5ed2bf315b619fec82808e7

Chronological Activities

Analysis Process: bash PID: 1342, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: awk PID: 1342, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/usr/bin/awk
Arguments:	awk {print $2}
File size:	334992 bytes
MD5 hash:	97896adae88543b8cb6b90100baf16fb

Chronological Activities

Analysis Process: bash PID: 1343, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: xargs PID: 1343, Parent PID: 1338

General

Start time:	09:48:48
Start date:	16/08/2023
Path:	/usr/bin/xargs
Arguments:	xargs -r kill -9
File size:	168768 bytes
MD5 hash:	dc3e49e00351048640a9116224da6c69

Chronological Activities

Analysis Process: locker PID: 1345, Parent PID: 1323

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/Users/rodrigo/Desktop/locker
Arguments:	-
File size:	412227 bytes
MD5 hash:	abf01633960dd77c6137175a21fccf34

Chronological Activities

Analysis Process: sh PID: 1345, Parent PID: 1323

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/bin/sh
Arguments:	sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Chronological Activities

Analysis Process: bash PID: 1345, Parent PID: 1323

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: bash PID: 1346, Parent PID: 1345

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: wordexp-helper PID: 1346, Parent PID: 1345

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/usr/lib/system/wordexp-helper
Arguments:	/usr/lib/system/wordexp-helper /Users/rodrigo/Downloads/myfiles
File size:	133696 bytes
MD5 hash:	fe300e6642f4527972a259fc8f350927

Chronological Activities

Analysis Process: locker PID: 1348, Parent PID: 1323

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/Users/rodrigo/Desktop/locker
Arguments:	-
File size:	412227 bytes
MD5 hash:	abf01633960dd77c6137175a21fccf34

Chronological Activities

Analysis Process: sh PID: 1348, Parent PID: 1323

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/bin/sh
Arguments:	sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Chronological Activities

Analysis Process: bash PID: 1348, Parent PID: 1323

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	sh -c [ $# -gt 0 ] && export IFS="$1" /usr/lib/system/wordexp-helper
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: bash PID: 1349, Parent PID: 1348

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/bin/bash
Arguments:	-
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Chronological Activities

Analysis Process: wordexp-helper PID: 1349, Parent PID: 1348

General

Start time:	09:48:51
Start date:	16/08/2023
Path:	/usr/lib/system/wordexp-helper
Arguments:	/usr/lib/system/wordexp-helper
File size:	133696 bytes
MD5 hash:	fe300e6642f4527972a259fc8f350927

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	API monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report locker

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Snort Signatures

Joe Sandbox Signatures

Cryptography

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/Users/rodrigo/Downloads/myfiles/!!!-Restore-My-Files-!!!

/private/tmp/locker.pid

/private/tmp/locklog

Static File Info

General

CodeSign Information

Static Mach Info

General Information for header 1

Internal Symbols

External Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

System Behavior

Analysis Process: mono-sgen64 PID: 1322, Parent PID: 1257

General

Chronological Activities

Analysis Process: locker PID: 1322, Parent PID: 1257

General

Chronological Activities

Analysis Process: locker PID: 1323, Parent PID: 1322

General

Chronological Activities

Analysis Process: locker PID: 1324, Parent PID: 1323

General

Chronological Activities

Analysis Process: sh PID: 1324, Parent PID: 1323

General

macOS Analysis Report
locker