While malware hunting on VirusTotal, we came across the following property list: ad23b781a22085588dd32f5c0a1d7c5d2f6585b14f1369fd1ab056cb97b0702

As noted above, we have seen this before in 2018 and earlier in 2020. In the 2018 version, the malware tries to disguise itself as belonging to both "apple.Google" and "apple.Yahoo". The older persistence agents are almost identical save for the labels and names of the targeted executable. The tell-tale LaunchAgent program argument is odd for its redundant use of osascript to call itself via a do shell script command (Lines 11-13). However, pivoting on the program argument, com.apple.4V.plist, led us to this newer sample for the executable: df550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8

As with earlier versions of this malware, the executable also uses a .plist extension and runs from the user's Library LaunchAgents folder and, again, com.apple.4V.plist is not a property list file but a run-only AppleScript.

We can quickly confirm that this is a run-only AppleScript by attempting to decompile it with osadecompile, which returns the error: errOSASourceNotAvailable (-1756)

## Strings May Tell You Something, But Not Much

The best starting point with run-only scripts is to dump the strings and the hex. For strings, we generally find the floss tool to be superior to the macOS version of the strings command line tool. This sample proves to be a case in point, because what strings won't show you but floss will is all the UTF-16 encoded text buried in this file.

At this point we should look at the hexdump.
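The two checks described above, a LaunchAgent file whose .plist name does not match its content and strings that an ASCII-only strings pass misses, can be scripted. The following is an added example written for this page, not code from the original article or from the malware authors. It assumes the documented magic bytes of the file formats involved (compiled AppleScript begins with "FasdUAS", a binary plist with "bplist00", an XML plist with an XML declaration) and audits a constructed sample rather than the real file; the LaunchAgents folder is the location the article names.

```python
import re
from pathlib import Path

# File-format magic bytes. These come from the public file formats, not from the
# analysed sample: compiled AppleScript (.scpt, run-only scripts included) begins
# with "FasdUAS", a binary plist with "bplist00", an XML plist with an XML declaration.
COMPILED_APPLESCRIPT_MAGIC = b"FasdUAS"
BINARY_PLIST_MAGIC = b"bplist00"
XML_PLIST_PREFIX = b"<?xml"


def classify(data: bytes) -> str:
    """Return what the bytes actually are, regardless of the file's extension."""
    if data.startswith(COMPILED_APPLESCRIPT_MAGIC):
        return "compiled-applescript"
    if data.startswith(BINARY_PLIST_MAGIC):
        return "binary-plist"
    if data.lstrip().startswith(XML_PLIST_PREFIX):
        return "xml-plist"
    return "unknown"


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII, roughly what the macOS strings tool reports."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable characters encoded as UTF-16LE (each character followed
    by a NUL byte). An ASCII-only strings pass sees these as isolated characters."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def audit_bytes(name: str, data: bytes) -> dict:
    """Flag a LaunchAgent-style file whose .plist name does not match its content."""
    kind = classify(data)
    looks_like_plist = kind in ("binary-plist", "xml-plist")
    return {
        "name": name,
        "kind": kind,
        "suspicious": name.endswith(".plist") and not looks_like_plist,
        "ascii": ascii_strings(data),
        "utf16le": utf16le_strings(data),
    }


def audit_launch_agents(folder: Path = Path.home() / "Library" / "LaunchAgents") -> list[dict]:
    """Audit every .plist in the user's LaunchAgents folder (the location named above)."""
    if not folder.is_dir():
        return []
    return [audit_bytes(p.name, p.read_bytes()) for p in sorted(folder.glob("*.plist")) if p.is_file()]


# Constructed sample bytes, not the real malware: a compiled-AppleScript header
# followed by one ASCII string and one UTF-16LE string.
SAMPLE = (
    b"FasdUAS 1.101.10"
    + b"\x0e\x00\x00\x00\x04\x0f\xff\xff"
    + b"do shell script"
    + b"\x00" * 8
    + "hidden text only a UTF-16 aware tool sees".encode("utf-16-le")
    + b"\x00" * 4
)


if __name__ == "__main__":
    report = audit_bytes("com.apple.4V.plist", SAMPLE)
    print(f"{report['name']}: {report['kind']} (suspicious={report['suspicious']})")
    print("ascii  :", report["ascii"])
    print("utf16le:", report["utf16le"])
    for r in audit_launch_agents():
        if r["suspicious"]:
            print("check:", r["name"], "is", r["kind"])
```

Run against the constructed sample, the ASCII pass reports only the FasdUAS header and "do shell script", while the UTF-16LE pass recovers the second string, which is the gap between strings and floss that the text describes. The magic-byte check is a triage signal, not proof of malice: confirm a flagged file with osadecompile as shown above.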