We recently received a Mac sample with a Disk Image File (DMG) extension that claims to be a MacCinema Installer. The file was downloaded from the following link:
This is a fake video site that serves a fake Adobe Flash Player update for Macs, supposedly required to watch a video.
When mounted, the DMG file contains a package file named "install.pkg". Here is a screenshot of what you get when you open the package:
The "install.pkg" file contains the following files:
We extracted "Archive.pax.gz", which contains the following files:
We analyzed each file and found that "AdobeFlash", "preinstall" and "preupgrade" are identical: each is the same obfuscated bash script. Because the Installer runs a package's "preinstall" and "preupgrade" scripts automatically during installation, the script executes as soon as the user installs the package, before any bundled payload is even copied into place:
So here's the de-obfuscated script:
Based on the above code, the script searches the scheduled-jobs list for the string "AdobeFlash"; if the string is not found, the script creates the following scheduled job, which runs the "AdobeFlash" file every 5 hours. This is the sample's persistence mechanism: the lookup keeps it from adding a duplicate entry if the script runs again, and the job keeps the payload running long after the installer and DMG are gone, so cleanup has to remove the job as well as the files.
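To make the persistence logic concrete, here is an added example that is not the sample's own script: it models the check-then-install behaviour against a constructed crontab string rather than the live one, and adds a small audit helper an incident responder could run over a dumped crontab. It assumes the "scheduled jobs list" is the user's crontab and that "every 5 hours" is expressed as a standard cron schedule; the install path and the exact schedule expression are assumptions, since the post does not reproduce them.

```shell
#!/bin/sh
# Added example (POSIX sh), not code from the analysed sample.
# Models the dropper's persistence check against crontab text passed in as a
# string, so it never reads or writes the real crontab.

MARKER="AdobeFlash"
# Hypothetical install location; the post does not give the real path.
PAYLOAD="/Library/Application Support/AdobeFlash"
# Assumed cron expression for "every 5 hours" (00:00, 05:00, 10:00, ...).
SCHEDULE='0 */5 * * *'

# has_marker CRONTAB_TEXT
# Returns 0 if any line mentions the marker: the same grep-style lookup the
# dropper uses to decide whether its job is already installed.
has_marker() {
    printf '%s\n' "$1" | grep -q -- "$MARKER"
}

# ensure_job CRONTAB_TEXT
# Prints the crontab the dropper would end up installing: unchanged when the
# marker is present, otherwise with the 5-hourly job appended. Running it a
# second time on its own output is therefore a no-op.
ensure_job() {
    current="$1"
    printf '%s\n' "$current"
    if ! has_marker "$current"; then
        printf '%s "%s"\n' "$SCHEDULE" "$PAYLOAD"
    fi
}

# audit_crontab CRONTAB_TEXT
# Defender side: prints every non-comment entry that references the marker,
# i.e. the lines an incident responder must delete along with the files.
audit_crontab() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -- "$MARKER" || true
}

# Constructed sample crontab with one benign job; not captured from a victim.
SAMPLE_CRONTAB="$(printf '%s\n%s' '# m h dom mon dow command' '30 2 * * * /usr/bin/true')"

# Stand-alone demonstration: before, after first run, after second run, audit.
if [ "${1:-}" = "demo" ]; then
    echo "--- clean crontab ---";      printf '%s\n' "$SAMPLE_CRONTAB"
    infected="$(ensure_job "$SAMPLE_CRONTAB")"
    echo "--- after dropper ---";      printf '%s\n' "$infected"
    echo "--- dropper run again ---";  ensure_job "$infected"
    echo "--- audit findings ---";     audit_crontab "$infected"
fi
```

Run it with `sh persist_demo.sh demo` to see the three states; the audit output is exactly the line that `crontab -e` (or `crontab -r`, if nothing legitimate is present) needs to remove during remediation.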