Let's check VT first. Here are some interesting facts:

Type | Macintosh Disk Image
Detection ratio | 1 / 57
First submission | 2019-06-24 20:51:46 UTC (1 week ago)

Signature:
Signature size | 9056
Authority | Developer ID Application: Sanela Lovic (5UA7HW48Y7)
Authority | Developer ID Certification Authority
Authority | Apple Root CA
Timestamp | Jun 17, 2019 at 3:14:07 PM
Info.plist entries | 26
TeamIdentifier | 5UA7HW48Y7
Signature verification | Valid
Signing Certificates | [+] Apple Inc. ; [+] Apple Inc. ; [+] Sanela Lovic
So, what do we learn:
· DMG file
· Signed by Sanela Lovic (5UA7HW48Y7)
· Low detection (ESET only) even though it has been on VT for more than a week.
Now let's download the file and see what's inside.
As soon as we mount the DMG, the volume label is "Player", so it may be imitating Flash Player. Inside the DMG there is a single Player.app. The app icon carries the "disabled" (crossed-out) overlay, which indicates it won't run on the Mac OS X version I'm using (my old 10.8 image; I have a newer one too). This is easy to determine by looking at the plist inside the app, specifically the following key and value pair:
The key is self-explanatory. If we change the string to 10.8, the disabled overlay goes away, but the application crashes since it isn't meant to run on 10.8. Before moving on to 10.11+, we'll look for some more artifacts.
The copyright is for a company called Lights:
The Bundle Identifier is weird (no offense):
There is one more interesting file inside the Resources directory, antiviruses.json. It contains a JSON array with one entry per AV product and a shouldSearch field, in this format:
[
  {
    "name": "Bitdefender",
    "shouldSearch": true
  },
  {
    "name": "Intego",
    "shouldSearch": true
  },
  …………….
  {
    "name": "Webroot",
    "shouldSearch": true
  }
]
There are 18 entries in total.
Along with antiviruses.json, there is another file, virtualmachines.json, with the following entries:
[
  {
    "name": "VirtualBox",
    "shouldSearch": true,
    "shouldStop": true
  },
  {
    "name": "VMware Workstation",
    "shouldSearch": true,
    "shouldStop": true
  },
  {
    "name": "VMware Fusion",
    "shouldSearch": true,
    "shouldStop": true
  },
  {
    "name": "Hyper-V",
    "shouldSearch": true,
    "shouldStop": true
  },
  {
    "name": "Parallels",
    "shouldSearch": true,
    "shouldStop": true
  },
  ……………
  {
    "name": "ceBox",
    "shouldSearch": true,
    "shouldStop": true
  }
]
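A small triage helper for the two resource files above, added here as an example and not code from the sample or from this write-up. It assumes the flag semantics the post infers (shouldSearch: the sample looks for the product; shouldStop: a hit makes it bail out); the embedded JSON is a constructed excerpt mirroring the quoted entries, and the helper can also be pointed at a real Player.app/Contents/Resources directory.

```python
"""Summarise the AV / VM lookup lists shipped in an app bundle's Resources dir.
Added example for this write-up; the sample JSON below is constructed."""
import json
from pathlib import Path
from typing import Dict, List

# Constructed excerpts modelled on antiviruses.json / virtualmachines.json.
ANTIVIRUSES_JSON = (
    '[{"name": "Bitdefender", "shouldSearch": true},'
    ' {"name": "Intego", "shouldSearch": true},'
    ' {"name": "Webroot", "shouldSearch": false}]'
)
VIRTUALMACHINES_JSON = (
    '[{"name": "VirtualBox", "shouldSearch": true, "shouldStop": true},'
    ' {"name": "Parallels", "shouldSearch": true, "shouldStop": false},'
    ' {"name": "Hyper-V", "shouldSearch": false, "shouldStop": true}]'
)


def summarise(raw: str) -> Dict[str, List[str]]:
    """Return the products the sample would search for and those whose
    presence would make it stop. The AV list has no shouldStop field, so
    its 'stops' list is always empty. Malformed entries are skipped."""
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array")
    valid = [e for e in entries if isinstance(e, dict) and "name" in e]
    searched = [e["name"] for e in valid if e.get("shouldSearch") is True]
    # A shouldStop flag only matters when the entry is actually searched for.
    stops = [e["name"] for e in valid
             if e.get("shouldSearch") is True and e.get("shouldStop") is True]
    return {"searched": searched, "stops": stops}


def summarise_bundle(resources_dir: Path) -> Dict[str, Dict[str, List[str]]]:
    """Read both lists straight out of an extracted app's Resources directory
    (e.g. Player.app/Contents/Resources); missing files are ignored."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for fname in ("antiviruses.json", "virtualmachines.json"):
        path = resources_dir / fname
        if path.is_file():
            out[fname] = summarise(path.read_text(encoding="utf-8"))
    return out


if __name__ == "__main__":
    print("AV:", summarise(ANTIVIRUSES_JSON))
    print("VM:", summarise(VIRTUALMACHINES_JSON))
```

The 'stops' list is the one worth pasting into a detection note: it is the set of hypervisors whose mere presence on disk is enough to make the sample abort, which explains why a stock VM yields no behaviour.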
Also, there is an Update.zip file in Resources, which contains Updatee.app, which might be the malware's update module. The copyright for the updater is: Copyright © 2019 com.lights.oblivion. All rights reserved.
I couldn't find anything more interesting in the app directory.
Bad news: I was not able to run the sample, as it crashes. I tried a few tricks on multiple machines, but it doesn't run. I got more hashes from Intego's blog:
638004ee6a45903dcbf03d03e31d2e83c6270377973a64188f0b89d4062f321e
b111891b698dfdafb6952b0cf89aaebde51c5c1758df316e6b843624ed2db205
8938e48a0b0f8765a017d2e25ed5a68bd7954d220e460c5aa4b1c59763ec5a8d
But these are either corrupted or not available publicly. I've asked them if they have some samples. Meanwhile, we'll do some static work, like running strings on the binary. Let's see if we find something.
/Users/mehdira/Desktop/WaningCrescent/WaningCrescent/Utils/TextUtils.swift
/Users/mehdira/Desktop/WaningCrescent/WaningCrescent/Networking/Service/PixelRequest.swift
/Users/mehdira/Desktop/WaningCrescent/WaningCrescent/Models/VirtualMachines.swift
https://px-storage.com/index.php
https://refererhider.com/?http://www.vuimvox.pw/gkiw/ypwy?ci=15537909241698037507125201614113712&p2=298097
http://cdn.macclean-pro.com/mcp/builds/mcp_mcpcnsppi.dmg
Here is the link https://file.io/geAJQK to the strings output, if anyone wants to have a look; I'm pretty sure I've missed something.
So there are some interesting things: mehdira is creating a WaningCrescent project in Swift. There are also some URLs which I'll analyze and post about later (I don't have access to a dirty net right now), if I find anything.
It's a shame that this app crashes in the VM; I did want to reverse and analyze it. But I'll definitely see if I can find an alternate sample.
Meanwhile, the following conclusions can be drawn from the static analysis of the app:
· It belongs to a legit dev, or the cert is stolen (most likely), so it can bypass Gatekeeper.
· It may try to evade any antivirus present on the system, as it is highly probable that it will scan for them, as we saw in the JSON files.
· It might also check whether it is being run in a VM (exciting) or whether a VM is installed on the system.
· The username is most likely mehdira, and the project name is WaningCrescent.
· There are references to some URLs, macclean-pro being highly suspicious. vuimvox.pw also seems suspicious, but I don't have any info on it as of now.
Till next time. :)