hiddenlotus | 7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656

General

Target

HiddedLotus.dmg
Size

548KB
MD5

54f7eadddcae17f1cb10d0cdaf426408
SHA1

bda404cb5709a1f026c47a1c0508b2b753a47836
SHA256

7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656
SHA512

a1baa3532e2237a73e8ccc353b1e1de936ec49e2a3b995ae030092873f4f5bb74d7be47eb75e85a3da254f3d21c147e2327fa67b728e70ebe09d297ccc188179

Score

10^/10

hiddenlotus miner

Malware Config

Signatures

Hiddenlotus
Hiddenlotus family.
miner hiddenlotus

/usr/bin/hdiutil
hdiutil attach /Users/run/HiddedLotus.dmg -shadow
1⤵
PID:453

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 0929F2EE-F09E-4133-B7C7-BD3C9D73E173
1⤵
PID:455

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 0929F2EE-F09E-4133-B7C7-BD3C9D73E173 -post-exec 4
1⤵
PID:456

/usr/bin/hdiutil
hdiutil info -plist
1⤵
PID:464

/bin/chmod
chmod -R 755 /Volumes/HiddedLotus
1⤵
PID:465

/usr/sbin/sysctl
sysctl -w "kern.bigmacbundlepath=/Volumes/HiddedLotus/HiddedLotus.app"
1⤵
PID:466

/bin/sh
sh -c /tmp/exec
1⤵
PID:467

/bin/bash
sh -c /tmp/exec
1⤵
PID:467

/tmp/exec
/tmp/exec
1⤵
PID:467

/bin/bash
/bin/sh /tmp/exec
1⤵
PID:467
- /bin/rm
  rm -- /tmp/exec
  2⤵
  PID:470
- /usr/bin/sudo
  sudo -k -S open /Volumes/HiddedLotus/HiddedLotus.app
  2⤵
  PID:469
- - /usr/bin/open
    open /Volumes/HiddedLotus/HiddedLotus.app
    3⤵
    PID:471

/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)
"/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)"
1⤵
PID:472

/bin/sh
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:474

/bin/bash
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:474
- /usr/bin/osascript
  osascript -e "tell application \"Finder\"" -e "set visible of process \"Terminal\" to false" -e "end tell"
  2⤵
  PID:475

/bin/sh
sh -c "touch -t 1407112212 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:477

/bin/bash
sh -c "touch -t 1407112212 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:477
- /usr/bin/touch
  touch -t 1407112212 /Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
  2⤵
  PID:478

/bin/sh
sh -c "touch -t 1407112212 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:479

/bin/bash
sh -c "touch -t 1407112212 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:479
- /usr/bin/touch
  touch -t 1407112212 /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
  2⤵
  PID:480

/bin/sh
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:481

/bin/sh
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:482

/bin/bash
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:481
- /bin/launchctl
  launchctl load /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
  2⤵
  PID:483

/bin/bash
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:482
- /bin/mv
  mv -f /Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys /tmp/HiddedLotus.pdf
  2⤵
  PID:484
- /usr/bin/open
  open /tmp/HiddedLotus.pdf
  2⤵
  PID:495
- /bin/rm
  rm -rf /Volumes/HiddedLotus/HiddedLotus.app
  2⤵
  PID:496
- /bin/cp
  cp -f /tmp/HiddedLotus.pdf /Volumes/HiddedLotus/HiddedLotus.pdf
  2⤵
  PID:497
- /bin/sleep
  sleep 3
  2⤵
  PID:499
- /bin/rm
  rm -rf /tmp/HiddedLotus.pdf
  2⤵
  PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.hidd.shared
1⤵
PID:485

/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
1⤵
PID:485

/bin/sh
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:486

/bin/bash
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:486
- /usr/sbin/ioreg
  ioreg -rd1 -c IOPlatformExpertDevice
  2⤵
  PID:487
- /usr/bin/awk
  awk "/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }"
  2⤵
  PID:488

/bin/sh
sh -c "touch -t 1407112212 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:489

/bin/bash
sh -c "touch -t 1407112212 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:489
- /usr/bin/touch
  touch -t 1407112212 "/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync"
  2⤵
  PID:490

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:491

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:491
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:492

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:493

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:493
- /usr/bin/uname
  uname -m
  2⤵
  PID:494

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:508

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:508
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:509

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:510

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:510
- /usr/bin/uname
  uname -m
  2⤵
  PID:511

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:515

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:515
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:516

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:517

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:517
- /usr/bin/uname
  uname -m
  2⤵
  PID:518

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:520

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:520
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:521

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:522

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:522
- /usr/bin/uname
  uname -m
  2⤵
  PID:523

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:533

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:533
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:534

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:535

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:535
- /usr/bin/uname
  uname -m
  2⤵
  PID:536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/Volumes/HiddedLotus/HiddedLotus.pdf

MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit
/private/tmp/HiddedLotus.pdf

MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit
/private/tmp/HiddedLotus.pdf

MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit
/private/tmp/HiddedLotus.pdf

MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads