The Mixed In Key installer turned out to be quite similar, with only slightly different file names and a slightly different postinstall script. It did not include code to launch a legitimate installer; it simply dropped the Mixed In Key app into the Applications folder directly.

Once the infection was triggered by the installer, the malware began spreading itself quite liberally around the hard drive. Both variants installed copies of the patch file at the following locations:

It also set up persistence via launch agent and daemon plist files:

The files in /private/var/root/ are most likely the result of a bug in the code that creates the files in the user's folder, which causes the same files to be created in the root user's home folder as well. (The root account is the one that by default has access to every command and file on macOS, as on other Unix-like operating systems.) Since it is rare for anyone to log in as root, these copies do not serve any real purpose.

Strangely, the malware also copied itself to the following files:

Oddly, and still unexplained, the malware also modified the following files, among them /Users/user/Library/.ak5t3o0X2:

The first file was modified in a very strange way: it contained a copy of the patch file, with a second copy of the data from that file appended to the end, followed by an additional 9 bytes, the hexadecimal string 03705701 00CEFAAD DE. The last file was identical to the original patch file. What the purpose of these files, or of the appended data, might be is not yet known.
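A quick way to confirm the layout described above on a sample set is to compare each copy found on disk against the known patch file: an untouched copy matches byte for byte, while the doubled variant is exactly twice the patch file's size plus the 9-byte trailer. The Python below is an added example, not code from the original post or from the malware; the patch bytes and the file paths it scans are constructed stand-ins, and the trailer decoding only reports what the bytes look like when read as integers (the last four bytes happen to read 0xDEADFACE little-endian), without claiming to know what the malware author intended.

```python
"""Classify copies of a patch file as identical, doubled-with-trailer, or unrelated.

Added example for the analysis above. ORIGINAL_PATCH and FOUND_ON_DISK are
constructed sample data, not the real files.
"""
import hashlib
import struct

# The 9 trailing bytes quoted in the write-up: 03 70 57 01 00 CE FA AD DE
TRAILER = bytes.fromhex("03705701" "00CEFAAD" "DE")

# Constructed stand-in for the original patch file (NOT the real payload).
ORIGINAL_PATCH = b"#!/bin/sh\n# constructed stand-in for the patch file\necho patched\n"

# Constructed stand-in for what a scan of the listed paths might return.
# The paths are hypothetical placeholders, not the real drop locations.
FOUND_ON_DISK = {
    "/Users/user/Library/.hypothetical_copy_1": ORIGINAL_PATCH,
    "/Users/user/Library/.hypothetical_copy_2": ORIGINAL_PATCH * 2 + TRAILER,
    "/Users/user/Library/.hypothetical_other": b"unrelated data\n",
}


def sha256(data: bytes) -> str:
    """Hex SHA-256, handy for grouping identical copies across locations."""
    return hashlib.sha256(data).hexdigest()


def split_doubled_file(modified: bytes, trailer_len: int = len(TRAILER)):
    """If `modified` is body + body + trailer, return (body, trailer); else None."""
    if len(modified) <= trailer_len:
        return None
    payload, trailer = modified[:-trailer_len], modified[-trailer_len:]
    if len(payload) % 2:          # two equal halves must have even total length
        return None
    half = len(payload) // 2
    first, second = payload[:half], payload[half:]
    if first != second:
        return None
    return first, trailer


def classify(original: bytes, candidate: bytes) -> str:
    """Relate one on-disk copy to the known patch file."""
    if candidate == original:
        return "identical"
    parts = split_doubled_file(candidate)
    if parts is not None and parts[0] == original:
        return "doubled+trailer"
    return "unrelated"


def classify_copies(original: bytes, copies: dict) -> dict:
    """Map each path to (classification, sha256) for a set of recovered files."""
    return {path: (classify(original, data), sha256(data)) for path, data in copies.items()}


def decode_trailer(trailer: bytes) -> dict:
    """Report integer readings of the 9-byte trailer (meaning unknown per the write-up)."""
    if len(trailer) != 9:
        raise ValueError("expected exactly 9 trailer bytes")
    head, tail = trailer[:5], trailer[5:]
    return {
        "head_hex": head.hex(),                      # 0370570100
        "tail_le_u32": struct.unpack("<I", tail)[0],  # 0xDEADFACE when read little-endian
        "tail_be_u32": struct.unpack(">I", tail)[0],  # 0xCEFAADDE when read big-endian
    }


if __name__ == "__main__":
    for path, (kind, digest) in classify_copies(ORIGINAL_PATCH, FOUND_ON_DISK).items():
        print(f"{kind:16} {digest[:16]}  {path}")
    print(decode_trailer(TRAILER))
```

Because the doubled variant's length is fully determined by the patch file (2 × len(patch) + 9), a mismatch in size alone is enough to rule that layout out before any byte comparison, which keeps the check cheap across a whole directory tree.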