chainguard-dev / bincapz

detect malicious program behaviors
Apache License 2.0

XProtect flags bincapz as malware #176

Closed tstromberg closed 2 months ago

tstromberg commented 2 months ago

This is at bincapz HEAD with Sonoma 14.4.1 and XProtect signature base 2192

[Screenshot 2024-05-01 at 8:44:31 AM]
tstromberg commented 2 months ago
yara -s -w /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara ~/go/bin/bincapz

shows:

XProtect_MACOS_SOMA_D /Users/t/go/bin/bincapz
0x320532:$a02: 57 65 62 20 44 61 74 61
0x343a2e:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1069b12:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x10c881d:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x10cf065:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x10cf6f8:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x110fbd5:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x120d343:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1289274:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x12892d4:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1289950:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x171a3ac:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1732750:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1758cdb:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x17ea105:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x18af6f0:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x18ebe40:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x196a46e:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1974302:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1974381:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1974466:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1a7e49b:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1afba64:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1afbaa4:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1afbae4:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1afbb1d:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1afbb55:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1b136be:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1cf6d39:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1cf6d87:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1e34743:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x31864b:$a04: 63 6F 6F 6B 69 65 73 2E 73 71 6C 69 74 65
0x35c1ad:$a04: 63 6F 6F 6B 69 65 73 2E 73 71 6C 69 74 65
0x35c762:$a04: 63 6F 6F 6B 69 65 73 2E 73 71 6C 69 74 65
0x31c0c3:$a05: 66 6F 72 6D 68 69 73 74 6F 72 79 2E 73 71 6C 69 74 65
0x35c837:$a05: 66 6F 72 6D 68 69 73 74 6F 72 79 2E 73 71 6C 69 74 65
0x1718c46:$a06: 6B 65 79 34 2E 64 62
0x171a420:$a06: 6B 65 79 34 2E 64 62
0x10ceff3:$a07: 6C 6F 67 69 6E 73 2E 6A 73 6F 6E
0x110fc8c:$a07: 6C 6F 67 69 6E 73 2E 6A 73 6F 6E
0x1718c8f:$a07: 6C 6F 67 69 6E 73 2E 6A 73 6F 6E
0x171a469:$a07: 6C 6F 67 69 6E 73 2E 6A 73 6F 6E
0x1737a25:$a07: 6C 6F 67 69 6E 73 2E 6A 73 6F 6E
0x1758d2b:$a07: 6C 6F 67 69 6E 73 2E 6A 73 6F 6E
0x1b13511:$a07: 6C 6F 67 69 6E 73 2E 6A 73 6F 6E
0x35c28e:$a08: 66 69 6E 64 2D 67 65 6E 65 72 69 63 2D 70 61 73 73 77 6F 72 64
0x127a14a:$a08: 66 69 6E 64 2D 67 65 6E 65 72 69 63 2D 70 61 73 73 77 6F 72 64
0x2f3e41:$a10: 6F 73 61 73 63 72 69 70 74
0x2f75fa:$a10: 6F 73 61 73 63 72 69 70 74
0x2fb486:$a10: 6F 73 61 73 63 72 69 70 74
0x3013e8:$a10: 6F 73 61 73 63 72 69 70 74
0x31d2e4:$a10: 6F 73 61 73 63 72 69 70 74
0x31d368:$a10: 6F 73 61 73 63 72 69 70 74
0x327123:$a10: 6F 73 61 73 63 72 69 70 74
0x3290b9:$a10: 6F 73 61 73 63 72 69 70 74
0x3290c6:$a10: 6F 73 61 73 63 72 69 70 74
0x330cc3:$a10: 6F 73 61 73 63 72 69 70 74
0x33e8c6:$a10: 6F 73 61 73 63 72 69 70 74
0x33ec3f:$a10: 6F 73 61 73 63 72 69 70 74
0x33ec4c:$a10: 6F 73 61 73 63 72 69 70 74
0x33ec67:$a10: 6F 73 61 73 63 72 69 70 74
0x33ec76:$a10: 6F 73 61 73 63 72 69 70 74
0x35c256:$a10: 6F 73 61 73 63 72 69 70 74
0x35c263:$a10: 6F 73 61 73 63 72 69 70 74
0x32901f:$a11: 73 79 73 74 65 6D 5F 70 72 6F 66 69 6C 65 72
0x34d58a:$a11: 73 79 73 74 65 6D 5F 70 72 6F 66 69 6C 65 72
0x34d88e:$a11: 73 79 73 74 65 6D 5F 70 72 6F 66 69 6C 65 72
0x350580:$a11: 73 79 73 74 65 6D 5F 70 72 6F 66 69 6C 65 72
0x350593:$a11: 73 79 73 74 65 6D 5F 70 72 6F 66 69 6C 65 72
0x3505ba:$a13: 53 50 48 61 72 64 77 61 72 65 44 61 74 61 54 79 70 65
0x62527e:$b1: 6F 6F 6B 6A 6C 62 6B 69 69 6A 69 6E 68 70 6D 6E 6A 66 66 63 6F 66 6A 6F 6E 62 66 62 67 61 6F 63
0x621c2f:$b2: 63 67 65 65 6F 64 70 66 61 67 6A 63 65 65 66 69 65 66 6C 6D 64 66 70 68 70 6C 6B 65 6E 6C 66 6B
0x623f76:$b5: 68 6D 65 6F 62 6E 66 6E 66 63 6D 64 6B 64 63 6D 6C 62 6C 67 61 67 6D 66 70 66 62 6F 69 65 61 66
0x624f0e:$b6: 6E 6B 62 69 68 66 62 65 6F 67 61 65 61 6F 65 68 6C 65 66 6E 6B 6F 64 62 65 66 67 70 67 6B 6E 6E

De-obfuscating the output shows the 3 matches in both sets that the YARA rule looks for:

yara -s -w /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara ~/go/bin/bincapz | grep "\$a" | cut -d: -f3 | sort -u | xxd -r -p

The $a values:

Login DataSPHardwareDataTypeWeb Datacookies.sqlitefind-generic-passwordformhistory.sqlitekey4.dblogins.jsonosascriptsystem_profiler

The $b values:

cgeeodpfagjceefieflmdfphplkenlfkhmeobnfnfcmdkdcmlblgagmfpfboieafnkbihfbeogaeaoehlefnkodbefgpgknnookjlbkiijinhpmnjffcofjonbfbgaoc
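The grep/cut/xxd pipeline in the comment above recovers the matched bytes but drops which `$identifier` each one came from, and it runs repeated hits of the same string together. The script below is an added example, not code from bincapz, XProtect, or this issue: it parses `yara -s` output into rule, offset, identifier and decoded bytes, then counts the distinct identifiers that matched in each string set ($a*, $b*), which is what a YARA `N of ($a*)` condition counts (the actual condition of XProtect_MACOS_SOMA_D is not shown on this page). It assumes the `0x<offset>:$<identifier>: <hex bytes>` line format shown above and a rule header of the form `<rule> <path>` with no spaces in the path; the sample input is a constructed excerpt of the listing above.

```python
#!/usr/bin/env python3
"""Summarise `yara -s` output by rule and string set.

Added example: not part of bincapz, XProtect, or the issue above. It parses the
`0x<offset>:$<identifier>: <hex bytes>` lines that `yara -s` prints for hex
strings, decodes each match, and counts how many *distinct* identifiers matched
in each set ($a*, $b*, ...). YARA conditions such as `3 of ($a*)` count distinct
strings, not occurrences, so that count is the one to compare against a rule.
"""
import re
from collections import defaultdict

# Constructed excerpt of the `yara -s -w XProtect.yara ~/go/bin/bincapz` output
# shown above (a handful of lines, not the full listing).
SAMPLE_OUTPUT = """\
XProtect_MACOS_SOMA_D /Users/t/go/bin/bincapz
0x320532:$a02: 57 65 62 20 44 61 74 61
0x343a2e:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x1069b12:$a03: 4C 6F 67 69 6E 20 44 61 74 61
0x31864b:$a04: 63 6F 6F 6B 69 65 73 2E 73 71 6C 69 74 65
0x35c28e:$a08: 66 69 6E 64 2D 67 65 6E 65 72 69 63 2D 70 61 73 73 77 6F 72 64
0x2f3e41:$a10: 6F 73 61 73 63 72 69 70 74
0x62527e:$b1: 6F 6F 6B 6A 6C 62 6B 69 69 6A 69 6E 68 70 6D 6E 6A 66 66 63 6F 66 6A 6F 6E 62 66 62 67 61 6F 63
0x621c2f:$b2: 63 67 65 65 6F 64 70 66 61 67 6A 63 65 65 66 69 65 66 6C 6D 64 66 70 68 70 6C 6B 65 6E 6C 66 6B
"""

# One matched-string line: hex offset, $identifier, then space-separated hex bytes.
MATCH_LINE = re.compile(r"^0x([0-9a-fA-F]+):\$(\w+):\s*((?:[0-9a-fA-F]{2}\s*)+)$")
# Rule header as yara prints it: "<rule name> <scanned file>" (assumes no spaces in the path).
RULE_LINE = re.compile(r"^(\S+)\s+(\S+)$")


def parse_yara_matches(text):
    """Return {rule_name: [(offset, identifier, decoded_bytes), ...]}."""
    matches = defaultdict(list)
    rule = None
    for line in text.splitlines():
        m = MATCH_LINE.match(line)
        if m:
            if rule is None:
                raise ValueError("match line before any rule header: %r" % line)
            offset = int(m.group(1), 16)
            data = bytes.fromhex(m.group(3))  # fromhex ignores the separating whitespace
            matches[rule].append((offset, m.group(2), data))
            continue
        r = RULE_LINE.match(line)
        if r:
            rule = r.group(1)
    return dict(matches)


def set_prefix(identifier):
    """'a02' -> 'a', 'b1' -> 'b': the leading letters name the string set."""
    return re.match(r"[A-Za-z_]*", identifier).group(0)


def summarise_sets(entries):
    """Group one rule's matches as {set_prefix: {identifier: decoded text}}.

    Repeated hits of one identifier (e.g. $a03 at many offsets) collapse to a
    single entry, mirroring how YARA's `N of ($a*)` counts strings.
    """
    sets = defaultdict(dict)
    for _offset, ident, data in entries:
        sets[set_prefix(ident)][ident] = data.decode("ascii", "backslashreplace")
    return {k: dict(sorted(v.items())) for k, v in sorted(sets.items())}


def distinct_per_set(entries):
    """{set_prefix: number of distinct identifiers that matched}."""
    return {k: len(v) for k, v in summarise_sets(entries).items()}


if __name__ == "__main__":
    for rule, entries in parse_yara_matches(SAMPLE_OUTPUT).items():
        print(rule, distinct_per_set(entries))
        for strings in summarise_sets(entries).values():
            for ident, text in strings.items():
                print("  $%s  %r" % (ident, text))
```

Feed it the real listing with `yara -s -w XProtect.yara ~/go/bin/bincapz | python3 summarise.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; the per-set distinct counts are the numbers to set against the rule's `N of` thresholds when deciding which embedded strings have to be split or encoded to stop the false positive.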
tstromberg commented 2 months ago

The tricky part is that most of these strings come from YARAForge rules - particularly the wallet IDs.