![]() The first location is a simple sysctl hw.model check to make sure the malware is running on Mac hardware: As we have decrypted the string values, we can quickly identify these locations and add an appropriate bypass. ![]() We know from the earlier analysis by Patrick and Fortinet that MacRansom contains a number of “anti-analysis” checks to verify that it is not executing within a virtual machine or sandbox. Now that we have a manageable disassembly complete with strings references, I wanted to see the ransomware execute in all its glory. When we add this script to Hopper, we find that we now have the ability to decrypt values on the fly, by selecting the instruction and executing the script: Seg.setInlineCommentAtAddress(adr, "Error decrypting argument") Seg.setInlineCommentAtAddress(adr, "Decrypted: %s" % (decrypted)) Again we can use Hoppers scripting capability again to make our life a bit easier when recovering these values: #!/usr/bin/python Here we can see the values 0xb6dce406d9b6c57c and 0xa8dcfb1d are added to the stack and passed to the decryption method. While this works in the majority of places, we find places where strings are constructed and decrypted based on register values, for example: Refs = doc.getSegmentAtAddress(START+x).getReferencesOfAddress(START+x)ĭecrypted = doc.getSegmentAtAddress(START+x).readUInt64LE(START+x)ĭoc.getSegmentAtAddress(ref).setInlineCommentAtAddress(ref, 'Decrypted: %s' % (doc.getSegmentAtAddress(ref).readBytes(START+x,16)))ĭoc.getSegmentAtAddress(ref).setInlineCommentAtAddress(ref, 'Error referencing decryption')Īfter executing this Hopper script on the sample, we find that the decrypted strings are now available:Īdditionally, inline comments added by the script makes it easier to follow the disassembly of the malware: Seg.writeUInt32LE(START+(x*4), decrypted) Using Python and Hoppers API, we can create a script that looks something like this: #!/usr/bin/python Search for any references to the decrypted string, and add an inline comment to make further analysis easier. ![]()
0 Comments
Leave a Reply. |