As someone interested in computer security and who uses macOS on a daily basis, I am a huge fan of Patrick Wardle @ https://objective-see.com/malware.html
In a recent stream, he goes through the malware of 2018. One malware in particular is MaMi, one he was able to name. I downloaded MaMi to take a look at it.
I have been playing around with jtool lately; I like the output. With it I can dump the headers.
# jtool -h MaMi
Magic: 64-bit Mach-O
Type: executable
CPU: x86_64
Cmds: 27
size: 4176 bytes
Flags: 0x218085
Unfortunately jtool cannot do Intel disassembly.
# jtool -d MaMi
Intel Disassembly not supported yet. Patience, little grasshopper (you can, however, dump __TEXT.__cstring, and CFStrings)
So let's dump those strings...
# jtool -d __TEXT.__cstring MaMi
Dumping C-Strings from address 0x100038180 (Segment: __TEXT.__cstring)..
0x100038180: START
0x100038186: |START|+
0x10003818f: AppVersion: %@\rAppBuild: %@
0x1000381ab: 1.1.0
0x1000381b1: 0
0x1000381b3: uZmgulcipekSbayTO9ByamTUu_zVtsflazc2Nsuqgq0dXkoOzKMJMNTULoLpd-....73g2dsNG-qDuVi8i
0x100038aac: dnsChanger
0x100038ab7: initConfigurationFinished
0x100038ad1: |CONFIG|+
0x100038adb: time_report
0x100038ae7: |time_report|+
0x100038af6: |setupDNS|+
....
There is a lot more to the output, but already you can see a string that might make you go "huh?":
0x100038aac: dnsChanger
We can also use jtool to dump the Objective-C classes.
# jtool -d objc MaMi
AppDelegate
SBMaMiSettings
SBConfigManager
SBSharedStorage
ASIDataCompressor
ASIFormDataRequest
ASIDataDecompressor
SBParamUnit
SBNetwork
SBPayload
SBDataAppender
SBUtilities
ASIHTTPRequest
SBReportManager
SBSystemInfo
SBErrorCenter
SBFileSystem
ASIInputStream
SBMaMiManager
SBCryptoSystem
ASIDownloadCache
ASINetworkQueue
jtool is really nice to use. However, even just running strings on this binary makes it pretty clear it is up to no good. I have clipped the output for brevity.
# strings MaMi
...
setRequestDidReceiveResponseHeadersSelector:
setRequestDidFailSelector:
setRequestDidFinishSelector:
setQueueDidFinishSelector:
setBytesUploadedSoFar:
setTotalBytesToUpload:
setBytesDownloadedSoFar:
setTotalBytesToDownload:
resetProgressDelegate:
...
loadMaMiAtPath: %@ %d
/bin/launchctl load -w %@
load -w %@
unloadMaMiAtPath: %@ %d
unload -w %@
...
The launchctl load is important, as that is how it persists: a launchd plist loaded with `load -w` is started again on every login or boot.
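The header and __cstring dumps above can be reproduced without jtool by walking the Mach-O load commands yourself. The following is an added example, not jtool's or MaMi's code: it parses a little-endian 64-bit Mach-O, locates __TEXT,__cstring, and flags the launchctl and DNS strings the post points out; the sample binary it builds is constructed for the demo (not the real sample), and the indicator list is an assumption drawn from the strings shown above.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF  # little-endian 64-bit Mach-O magic
LC_SEGMENT_64 = 0x19
# Strings worth flagging at triage (assumed list, taken from the dumps in the post): launchctl persistence, DNS tampering
INDICATORS = ("launchctl", "load -w", "dnsChanger", "setupDNS")

def parse_header(data):  # the mach_header_64 fields jtool -h prints
    magic, cputype, _, filetype, ncmds, _, flags, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    return {"cputype": cputype, "filetype": filetype, "ncmds": ncmds, "flags": flags}
def find_section(data, segname, sectname):  # -> (vmaddr, fileoff, size) or None
    off = 32  # load commands start right after the 32-byte mach_header_64
    for _ in range(parse_header(data)["ncmds"]):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            sect = off + 72  # section_64 entries follow the 72-byte segment_command_64
            for _ in range(nsects):
                sname, gname = [data[p:p + 16].rstrip(b"\0").decode() for p in (sect, sect + 16)]
                addr, size, fileoff = struct.unpack_from("<QQI", data, sect + 32)
                if (gname, sname) == (segname, sectname):
                    return addr, fileoff, size
                sect += 80
        off += cmdsize
    return None
def dump_cstrings(data):  # [(vmaddr, str)] of __TEXT,__cstring, like jtool -d __TEXT.__cstring
    found = find_section(data, "__TEXT", "__cstring")
    if not found:
        return []
    addr, fileoff, size = found
    out, pos = [], 0
    for chunk in data[fileoff:fileoff + size].split(b"\0"):
        if chunk:
            out.append((addr + pos, chunk.decode("utf-8", "replace")))
        pos += len(chunk) + 1  # +1 for the NUL terminator
    return out
def flag_indicators(strings):  # (hex vmaddr, str) for every string that matches an indicator
    return [(hex(a), s) for a, s in strings if any(i in s for i in INDICATORS)]

def build_sample():  # constructed minimal Mach-O for testing; NOT the real MaMi binary
    cstr = b"START\0|START|+\0dnsChanger\0/bin/launchctl load -w %@\0"
    fileoff, addr = 32 + 72 + 80, 0x100038180  # strings sit right after the load commands
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, 152, 0x218085, 0)
    seg = struct.pack("<2I16sQQQQiiII", LC_SEGMENT_64, 152, b"__TEXT", 0x100000000,
                      0x40000, 0, fileoff + len(cstr), 5, 5, 1, 0)
    sect = struct.pack("<16s16sQQIIIIIIII", b"__cstring", b"__TEXT", addr, len(cstr),
                       fileoff, 0, 0, 0, 2, 0, 0, 0)
    return hdr + seg + sect + cstr
```

Running `flag_indicators(dump_cstrings(open("MaMi", "rb").read()))` on a real binary gives the same kind of address-tagged hits as the jtool output above.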
I would like to spend more time on this, but it's just a hobby. I haven't really proved what it actually does here, just showed some ways to look at what a binary is up to.
For more information check out Patrick Wardle's video on OS X malware in 2018 here; it's really interesting.
And you can find jtool here.