- #Stockfolio mac app cracked cracked
- #Stockfolio mac app cracked serial number
- #Stockfolio mac app cracked archive
At first glance, it was challenging to directly identify its malicious behavior because the shell script references other files such as AppCode. The suspicious shell script which was flagged by our system To verify that the behavior was indeed malicious, we sourced the parent file using both our infrastructure and the aggregate website VirusTotal (which had the sample but lacked detections from other major security vendors at the time of writing).įigure 1.
#Stockfolio mac app cracked archive
The initial sample we analyzed was a zip archive file (detected as ) that contained an app bundle ( Stockfoli.app) and a hidden encrypted file (.app). The fake app presents itself as legitimate to trick users, but we found that it contained several malicious components.įigure 2. Note that the app bundle is missing the “o” at the end, whereas the legitimate app is called Stockfolio. The first suspicious component we found was an app bundle under the Resources directory, which seems to be a copy of the legitimate Stockfolio version 1.4.13 but with the malware author’s digital certificate.Ĭomparing it to the Resources directory of the current version (1.5) found on the Stockfolio website revealed a number of differences, as shown in the figure below.įigure 3. When the app is executed, an actual trading app interface will appear on-screen.Ĭomparison of the app bundle folder structure between the malware variant (top) and the legitimate app (version 1.5, bottom). The plugin shell script collects the following information from the infected system: The main Mach-O executable will launch the following bundled shell scripts in the Resources directory: interface displayed when the malware app bundle is executed However, unbeknownst to the user, the malware variant is already performing its malicious routines in the background.įigure 4. It then encodes the collected information using base64 encoding and saves the collected information in a hidden file: /tmp/.info.
#Stockfolio mac app cracked serial number
It then uploads the file to hxxps:///panel/uploadphp using the collected username and machine serial number as identifiers.
#Stockfolio mac app cracked cracked
If a successful response is sent from the URL, it will write the response in another hidden file ~/Library/Containers/.pass #Stockfolio mac cracked app serial number app file, executes it, then drops the following: #Stockfolio mac cracked app zipĪpp file, which is the hidden file in the zip bundle that comes with Stockfoli.app The stock shell script will copy Stockfoli.app/Contents/Resources/appcode to /private/var/tmp/appcode. app file then check if the file ~/Library/Containers/.pass exists. Using the contents of the ‘.pass’ file as the key, the malware variant will decrypt /private/var/tmp/appcode, which is encrypted using AES-256-CBC. It then saves the decrypted file to /tmp/appcode. If it fails to do so, it will delete the /tmp/appcode file and ~/Library/Containers/.pass. Comparison of the code-signing information of the malicious app (top) and the legitimate Stockfolio app (bottom) Note that in the sample we analyzed, the decryption routine failed since the sample was not able to create ~/Library/Containers/.pass.įigure 7. We suspect the file appcode is a malware file that contains additional routines. However, at the time of writing, we were unable to decrypt this file since the upload URL hxxps:///panel/uploadphp was inaccessible (according to VirusTotal, the domain was active from January to February 2019).
0 kommentar(er)
