Some methods to analyse Mach-O files:
- The otool utility can be used to parse Mach-O binaries
- MachOView is a user-friendly utility capable of parsing Mach-O files
- Universal binaries start with a header (fat_header), a variable number of fat_arch structures that describe the supported architectures, and then the architecture-specific Mach-O binaries concatenated together. You can dump the fat_header by using the otool utility with the -f flag:
otool -fv GoSearch22.app/Contents/MacOS/GoSearch22
- For universal binaries use lipo
- You can parse a Mach-O binary's LC_LOAD_DYLIB load commands in order to view the binary's dependencies. To do so, use the otool utility with the -L flag, or MachOView
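As an added example (not from the original notes, and not code from otool or MachOView), the Python below does in a few dozen lines what the two otool invocations above do: it reads the big-endian fat_header and fat_arch table of a universal binary (otool -f) and then walks each slice's mach_header_64 and load commands to list the dylib dependencies (otool -L). The universal binary it parses is constructed in memory by the helper functions at the bottom, so the dylib paths and layout are sample data, not a real program; the struct layouts and constants follow <mach-o/fat.h> and <mach-o/loader.h>. It goes slightly beyond the notes in two ways: it also reports LC_LOAD_WEAK_DYLIB and LC_REEXPORT_DYLIB, which are dependencies as well, and it bounds-checks every offset so a truncated or malformed file raises instead of reading out of range.

```python
import struct

# Constants from <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE            # fat_header.magic, stored big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF          # mach_header_64.magic, little-endian on x86_64/arm64
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018   # 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x8000001F    # 0x1F | LC_REQ_DYLD
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_TYPE_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

FAT_HEADER = ">II"            # magic, nfat_arch
FAT_ARCH = ">iiIII"           # cputype, cpusubtype, offset, size, align (log2)
MACH_HEADER_64 = "<IiiIIIII"  # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved


def parse_fat_header(blob):
    """Return the fat_arch table of a universal binary (the information `otool -f` prints)."""
    hdr_size, arch_size = struct.calcsize(FAT_HEADER), struct.calcsize(FAT_ARCH)
    if len(blob) < hdr_size:
        raise ValueError("file too small for a fat_header")
    magic, nfat_arch = struct.unpack_from(FAT_HEADER, blob, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a universal (fat) binary: magic 0x%08x" % magic)
    archs = []
    for i in range(nfat_arch):
        pos = hdr_size + i * arch_size
        if pos + arch_size > len(blob):
            raise ValueError("fat_arch table runs past end of file")
        cputype, cpusubtype, offset, size, align = struct.unpack_from(FAT_ARCH, blob, pos)
        if offset + size > len(blob):  # slice points outside the file: malformed, do not read it
            raise ValueError("fat_arch %d points past end of file" % i)
        archs.append({"cputype": cputype, "cpusubtype": cpusubtype,
                      "offset": offset, "size": size, "align": align})
    return archs


def parse_dylib_dependencies(macho):
    """Walk one 64-bit slice's load commands and return its dylib paths (what `otool -L` prints)."""
    hdr_size = struct.calcsize(MACH_HEADER_64)
    if len(macho) < hdr_size:
        raise ValueError("slice too small for a mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(MACH_HEADER_64, macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O: magic 0x%08x" % magic)
    pos, end = hdr_size, hdr_size + sizeofcmds
    if end > len(macho):
        raise ValueError("sizeofcmds exceeds slice length")
    deps = []
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load command runs past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", macho, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, pos))
        if cmd in DYLIB_COMMANDS:
            # dylib_command = cmd, cmdsize, struct dylib {lc_str name (uint32 offset), timestamp, versions}
            name_offset = struct.unpack_from("<I", macho, pos + 8)[0]
            if not 8 <= name_offset < cmdsize:
                raise ValueError("dylib name offset lies outside its load command")
            raw = macho[pos + name_offset:pos + cmdsize]
            deps.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        pos += cmdsize
    return deps


def dependencies_by_arch(blob):
    """Map each architecture in a universal binary to the dylibs that slice loads."""
    result = {}
    for arch in parse_fat_header(blob):
        name = CPU_TYPE_NAMES.get(arch["cputype"], "cputype 0x%x" % arch["cputype"])
        result[name] = parse_dylib_dependencies(blob[arch["offset"]:arch["offset"] + arch["size"]])
    return result


# --- Constructed sample input: a two-slice universal binary built in memory, not a real program ---

def _dylib_command(name):
    payload = name.encode() + b"\0"
    cmdsize = 24 + len(payload)
    cmdsize += (-cmdsize) % 8  # 64-bit load commands are padded to a multiple of 8
    fixed = struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
    return fixed + payload.ljust(cmdsize - 24, b"\0")


def _thin_macho(cputype, cpusubtype, dylibs):
    cmds = b"".join(_dylib_command(d) for d in dylibs)
    header = struct.pack(MACH_HEADER_64, MH_MAGIC_64, cputype, cpusubtype,
                         2, len(dylibs), len(cmds), 0, 0)  # filetype 2 = MH_EXECUTE
    return header + cmds


def _fat(slices, align=12):
    """Place each slice behind the fat_arch table, aligned to 2**align bytes as lipo does."""
    table_end = struct.calcsize(FAT_HEADER) + len(slices) * struct.calcsize(FAT_ARCH)
    offset, archs, placed = table_end, [], []
    for cputype, cpusubtype, data in slices:
        offset += (-offset) % (1 << align)
        archs.append(struct.pack(FAT_ARCH, cputype, cpusubtype, offset, len(data), align))
        placed.append((offset, data))
        offset += len(data)
    out = bytearray(offset)
    out[:table_end] = struct.pack(FAT_HEADER, FAT_MAGIC, len(slices)) + b"".join(archs)
    for off, data in placed:
        out[off:off + len(data)] = data
    return bytes(out)


SAMPLE_DYLIBS = ["/usr/lib/libSystem.B.dylib",
                 "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation"]


def sample_universal_binary():
    return _fat([(CPU_TYPE_X86_64, 3, _thin_macho(CPU_TYPE_X86_64, 3, SAMPLE_DYLIBS)),
                 (CPU_TYPE_ARM64, 0, _thin_macho(CPU_TYPE_ARM64, 0, SAMPLE_DYLIBS))])


if __name__ == "__main__":
    blob = sample_universal_binary()
    for a in parse_fat_header(blob):
        print("architecture %s offset %d size %d align 2^%d" % (
            CPU_TYPE_NAMES.get(a["cputype"], "?"), a["offset"], a["size"], a["align"]))
    for arch_name, deps in dependencies_by_arch(blob).items():
        print(arch_name + ":", ", ".join(deps))
```

To run it against a real file instead of the constructed sample, read the file into bytes and pass it to dependencies_by_arch; for a thin (non-universal) file call parse_dylib_dependencies directly, since parse_fat_header will correctly reject it for lacking the 0xCAFEBABE magic. The offset checks matter in practice: a fat_arch entry or a cmdsize that points past the end of the file is a common way a hand-crafted sample trips up naive parsers.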
Classifying Mach-O files
- Hashes: compute the hashes listed below for the file and check online for any presence of that hash. If the file is labelled malicious we're effectively done, since we can always find a good analysis of said malware.
- SHA-1, SHA-256, MD5
- Then search on VirusTotal or Google. We can also use hashes to label files as goodware: search in goodware collections online.
- Code-Signing Information:
- status of the digital signature, the code-signing authorities, and the Team Identifier
- check whether a Mach-O binary is signed but Apple has revoked its certificate
- codesign can be used to get this info
- check notarisation (don't solely rely on notarisation)
- strings
- Objective-C Class Information through class-dump
- Non-Binary Binaries:
- Identifying the Tool Used to Build the Binary: