


a6a6d0050d9ac5d69eef7228cfd0fb4480e06bb1 (mach-o)

An installer of unwanted applications that targets OS X.

Once launched, it reads the ".payload" file in the application folder. The installer also contains another "payload" file, but it is not used. The file looks as follows:

host|hex-encoded json

Once launched, the installer replaces a subdomain of the C&C server with the "api" value. For instance, if in the configuration file the URL is admin.best*****, the address of the C&C server will be api.best*****.

In order to get the list of applications for download prompting, the installer creates a URL and encrypts it using a randomly generated key. For encryption, the AES algorithm is used in CBC mode.

The following fields are retrieved from the configuration file: publisher

The node URL from which the applications will be downloaded is created the following way:

The following values can be used as a parameter of the "browser" variable:

The remaining fields are filled with data determined from the operating system parameters.

Then, the following line is created:

hexencode(iv+key+encoded_url)

After that, the following request is made:

The server response is also encrypted with the key included in the installer's body and contains the list of programs which can be downloaded to the user's Mac.

The response has the following main fields:

id - an identifier of the installed application.
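For triage of a recovered sample, the sketch below parses the host|hex-encoded json layout, derives the C&C host by swapping the subdomain for "api", and splits a hexencode(iv+key+encoded_url) line into its parts. It is an added example, not code from the installer or from this write-up; the function names, the sample values, the 32-byte default key length and the reading of encoded_url as raw CBC ciphertext are assumptions.

```python
import json

AES_BLOCK = 16  # AES block size in bytes; a CBC IV is exactly one block


def parse_payload(raw: bytes):
    """Parse the page's ".payload" layout: host|hex-encoded json."""
    host, sep, hex_json = raw.strip().partition(b"|")
    if not sep or not host:
        raise ValueError("expected host|hex-encoded json")
    config = json.loads(bytes.fromhex(hex_json.decode("ascii")))
    return host.decode("ascii"), config


def c2_host(config_host: str) -> str:
    """Swap the leftmost label for "api" (admin.<domain> -> api.<domain>)."""
    labels = config_host.split(".")
    if len(labels) < 3:  # assumption: a bare domain has no subdomain to swap
        raise ValueError("host has no subdomain")
    return ".".join(["api"] + labels[1:])


def split_request_blob(hex_blob: str, key_len: int = 32):
    """Split hexencode(iv+key+encoded_url) into (iv, key, ciphertext).

    key_len is an assumption; the page does not state the AES key size.
    """
    blob = bytes.fromhex(hex_blob)
    iv = blob[:AES_BLOCK]
    key = blob[AES_BLOCK:AES_BLOCK + key_len]
    ciphertext = blob[AES_BLOCK + key_len:]
    if len(key) != key_len or not ciphertext or len(ciphertext) % AES_BLOCK:
        raise ValueError("blob does not fit iv + key + whole CBC blocks")
    return iv, key, ciphertext


# Constructed sample values, not taken from a real sample.
SAMPLE_PAYLOAD = b"admin.example.test|" + json.dumps(
    {"publisher": "constructed"}).encode().hex().encode()
SAMPLE_BLOB = (bytes(range(16)) + b"K" * 32 + b"C" * 32).hex()

if __name__ == "__main__":
    host, config = parse_payload(SAMPLE_PAYLOAD)
    print(host, "->", c2_host(host), config)
    iv, key, ct = split_request_blob(SAMPLE_BLOB)
    print(len(iv), len(key), len(ct))
```

Because the IV and key travel in the same line as the encrypted URL, a captured request carries everything needed to decrypt it with any AES-CBC implementation.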
