Executing Malware on Mac

Bob Joe (Thread author), Apr 22, 2017
When attempting to execute malware on a High Sierra Mac, I receive the following message:
[Attachment: Mac Ransomware Execution.jpg]

I have not been able to find a way to override this protection and would like to execute the sample.
 
Deleted member 65228

The malware is being blocked from executing by an OS X security feature named "Gatekeeper". Gatekeeper was introduced in OS X 10.9.

You can disable Gatekeeper from within System Preferences.
1. Go to System Preferences
2. Select Security & Privacy
3. Unlock with authentication to change the security settings
4. Switch the configuration for "Allow applications downloaded from" to 'Anywhere'
5. Re-lock the settings

You're responsible for your own environment, so make sure this environment is not your genuine host environment; by executing the malware sample you're trying to experiment with, the documents on the environment will become encrypted. The sample you're trying to experiment with is known for masking itself as an Adobe Photoshop or Microsoft Office hack-tool (aka a "crack") and is going around torrent websites, and it will encrypt the documents on the environment when you open it up and attempt to work the fake hack-tool through its UI.

References:
OS X: About Gatekeeper
 

Bob Joe (Thread author), Apr 22, 2017
Opcode, thank you for the suggestion. I am using High Sierra, and it looks like the steps are slightly different in order to disable Gatekeeper. Unfortunately, it looks like there might be an additional layer of defense:

[Attachment: Mac ransomware execution 2.png]
 
Deleted member 65228

@Bob Joe Try making an exception in Gatekeeper for the sample.

1. Open the Terminal
Code:
spctl --add --label "OFFICEPATCHER" /PATHOFAPPLICATIONHERE/FILENAME.EXTENSION

You need to replace /PATHOFAPPLICATIONHERE/FILENAME.EXTENSION with the correct file-name path/extension to the sample. Then hit enter and see if it overrides the protection mechanism.

References:
How to bypass damaged-application warnings in OS X
 

Bob Joe (Thread author), Apr 22, 2017
Thank you once more. It looks like the command itself worked because I received a prompt to enter the admin credentials. Yet, the OS still will not permit execution of the file:

[Attachment: Mac ransomware execution 3.png]
 
Deleted member 65228

@Bob Joe

Damn, let's try something else then. ;)

Re-open the sample and then hit the Cancel button. Then go back to the Security & Privacy area under the System Preferences and check if there's a button underneath the "Anywhere" option which basically says something along the lines of "Run anyway". I've seen some cases of this happening if it's Gatekeeper related, but I am not sure.

If this doesn't work out (e.g. no button is displayed) then maybe the sample has the quarantine flag. Open the terminal and type the following.

Code:
sudo xattr -rd com.apple.quarantine /Applications/Patcher.app

(Move the Patcher.app to the Applications folder for the above terminal script to be valid).

Then try to re-open the sample. If it still fails, then try the below terminal script.

Code:
sudo spctl --master-disable

Hopefully this time it will work with one of these attempts... If it turns out that none of them are working, then reboot the system after trying them all and see if the sample will run then, since it may take a reboot for the changes to fully take effect.

References:
About the "XXX can't be opened. You should move it to trash." for flash projector applications on mac os sierra
 
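As an added example (not part of the thread, and not a tool either poster used), the script below decodes the com.apple.quarantine attribute that the last two posts turn on, and wraps the xattr and spctl checks a practitioner would run before and after clearing it. The live checks assume a macOS host; off macOS they return None and only the parser runs. The sample attribute value and the path /Applications/Patcher.app are constructed for illustration, not captured from the poster's machine.

```python
"""Decode com.apple.quarantine and run the Gatekeeper checks around it.

Added example for this thread; not code from either poster. Live checks
need macOS (xattr, spctl); on other hosts they return None.
"""
import datetime
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int                        # flag word; bit meanings are undocumented, not decoded here
    downloaded_at: datetime.datetime  # when the downloading app set the attribute
    agent: str                        # app that quarantined the file, e.g. Safari
    event_id: str                     # UUID keying the LaunchServices quarantine event record


def parse_quarantine(value: str) -> Quarantine:
    """Decode the 'flags;hex-unix-time;agent;uuid' layout of the attribute value."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"not a quarantine attribute: {value!r}")
    flags = int(parts[0], 16)
    stamp = datetime.datetime.fromtimestamp(int(parts[1], 16), tz=datetime.timezone.utc)
    agent = parts[2] if len(parts) > 2 else ""
    event_id = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, stamp, agent, event_id)


def read_quarantine(path: str) -> Optional[str]:
    """Raw attribute via `xattr -p`; None when the tool is missing or the file is not quarantined."""
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(["xattr", "-p", XATTR, path], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def gatekeeper_assess(path: str) -> Optional[str]:
    """Verdict of `spctl --assess --type execute` (accepted/rejected text); None off macOS."""
    if shutil.which("spctl") is None:
        return None
    proc = subprocess.run(["spctl", "--assess", "--verbose=4", "--type", "execute", path],
                          capture_output=True, text=True)
    # spctl reports the verdict on stderr and exits non-zero on "rejected", so keep both streams.
    return (proc.stdout + proc.stderr).strip()


def clear_command(path: str) -> List[str]:
    """The command the thread ends on, returned rather than run so it can be reviewed first."""
    return ["xattr", "-rd", XATTR, path]


def explain(path: str, raw: Optional[str] = None) -> str:
    """Say whether Gatekeeper will intercept the file on open and, if so, what clears that."""
    if raw is None:
        raw = read_quarantine(path)
    if not raw:
        return f"{path}: no {XATTR} attribute, so Gatekeeper will not intercept it on open"
    q = parse_quarantine(raw)
    cmd = " ".join(clear_command(path))
    return (f"{path}: quarantined by {q.agent or 'unknown agent'} at "
            f"{q.downloaded_at:%Y-%m-%d %H:%M:%S} UTC (flags 0x{q.flags:04x}); "
            f"Gatekeeper will assess it on first open; remove with: {cmd}")


# Constructed sample value in the attribute's layout (not captured from a real machine).
SAMPLE_QUARANTINE = "0083;58fb0a4a;Safari;7C3B2A1E-0F44-4D2E-9A6B-1B2C3D4E5F60"

if __name__ == "__main__":
    import sys
    # With no argument, decode the constructed sample against the path used in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications/Patcher.app"
    print(explain(target, None if len(sys.argv) > 1 else SAMPLE_QUARANTINE))
    verdict = gatekeeper_assess(target)
    print(verdict if verdict is not None else "spctl not available on this host")
```

Run it with a path argument on the analysis VM to see whether the file still carries the attribute and what spctl says about it; without an argument it decodes the constructed sample. The quarantine attribute is what makes Gatekeeper look at the file at all, which is why clearing it with xattr -rd worked in the thread when the spctl label alone did not.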

Bob Joe (Thread author), Apr 22, 2017
Brilliant! This part worked:

If this doesn't work out (e.g. no button is displayed) then maybe the sample has the quarantine flag. Open the terminal and type the following.

Code:
sudo xattr -rd com.apple.quarantine /Applications/Patcher.app

(Move the Patcher.app to the Applications folder for the above terminal script to be valid).
Thank you very much for your help. How do I buy you a beer?
 
