hiddenlotus | 7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656

General

Target

HiddedLotus.dmg
Size

548KB
MD5

54f7eadddcae17f1cb10d0cdaf426408
SHA1

bda404cb5709a1f026c47a1c0508b2b753a47836
SHA256

7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656
SHA512

a1baa3532e2237a73e8ccc353b1e1de936ec49e2a3b995ae030092873f4f5bb74d7be47eb75e85a3da254f3d21c147e2327fa67b728e70ebe09d297ccc188179

Score

10^/10

hiddenlotus miner

Malware Config

Signatures

Hiddenlotus
Hiddenlotus family.
miner hiddenlotus

/usr/bin/hdiutil
hdiutil attach /Users/run/HiddedLotus.dmg -shadow
1⤵
PID:453

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 101856FB-4C93-4BCD-8335-47931DA248EB
1⤵
PID:455

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 101856FB-4C93-4BCD-8335-47931DA248EB -post-exec 4
1⤵
PID:456

/usr/bin/hdiutil
hdiutil info -plist
1⤵
PID:465

/bin/chmod
chmod -R 755 /Volumes/HiddedLotus
1⤵
PID:466

/usr/sbin/sysctl
sysctl -w "kern.bigmacbundlepath=/Volumes/HiddedLotus/HiddedLotus.app"
1⤵
PID:467

/bin/sh
sh -c /tmp/exec
1⤵
PID:468

/bin/bash
sh -c /tmp/exec
1⤵
PID:468

/tmp/exec
/tmp/exec
1⤵
PID:468

/bin/bash
/bin/sh /tmp/exec
1⤵
PID:468

/bin/rm
rm -- /tmp/exec
2⤵
PID:471

/usr/bin/sudo
sudo -k -S open /Volumes/HiddedLotus/HiddedLotus.app
2⤵
PID:470

/usr/bin/open
open /Volumes/HiddedLotus/HiddedLotus.app
3⤵
PID:472

/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)
"/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)"
1⤵
PID:473

/bin/sh
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:477

/bin/bash
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:477

/usr/bin/osascript
osascript -e "tell application \"Finder\"" -e "set visible of process \"Terminal\" to false" -e "end tell"
2⤵
PID:478

/bin/sh
sh -c "touch -t 1502141925 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:480

/bin/bash
sh -c "touch -t 1502141925 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:480

/usr/bin/touch
touch -t 1502141925 /Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
2⤵
PID:481

/bin/sh
sh -c "touch -t 1502141925 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:482

/bin/bash
sh -c "touch -t 1502141925 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:482

/usr/bin/touch
touch -t 1502141925 /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
2⤵
PID:483

/bin/sh
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:484

/bin/sh
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:485

/bin/bash
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:484

/bin/launchctl
launchctl load /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
2⤵
PID:486

/bin/bash
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:485

/bin/mv
mv -f /Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys /tmp/HiddedLotus.pdf
2⤵
PID:487

/usr/bin/open
open /tmp/HiddedLotus.pdf
2⤵
PID:498

/bin/rm
rm -rf /Volumes/HiddedLotus/HiddedLotus.app
2⤵
PID:499

/bin/cp
cp -f /tmp/HiddedLotus.pdf /Volumes/HiddedLotus/HiddedLotus.pdf
2⤵
PID:500

/bin/sleep
sleep 3
2⤵
PID:502

/bin/rm
rm -rf /tmp/HiddedLotus.pdf
2⤵
PID:506

/usr/libexec/xpcproxy
xpcproxy com.apple.hidd.shared
1⤵
PID:488

/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
1⤵
PID:488

/bin/sh
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:489

/bin/bash
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:489

/usr/sbin/ioreg
ioreg -rd1 -c IOPlatformExpertDevice
2⤵
PID:490

/usr/bin/awk
awk "/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }"
2⤵
PID:491

/bin/sh
sh -c "touch -t 1409012135 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:492

/bin/bash
sh -c "touch -t 1409012135 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:492

/usr/bin/touch
touch -t 1409012135 "/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync"
2⤵
PID:493

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:494

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:494

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:495

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:496

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:496

/usr/bin/uname
uname -m
2⤵
PID:497

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:511

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:511

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:512

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:513

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:513

/usr/bin/uname
uname -m
2⤵
PID:514

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:518

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:518

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:519

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:520

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:520

/usr/bin/uname
uname -m
2⤵
PID:521

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:523

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:523

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:524

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:525

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:525

/usr/bin/uname
uname -m
2⤵
PID:526

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:535

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:535

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:536

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:537

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:537

/usr/bin/uname
uname -m
2⤵
PID:538

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:540

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:540

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:541

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:542

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:542

/usr/bin/uname
uname -m
2⤵
PID:543

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/Volumes/HiddedLotus/HiddedLotus.pdf
MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit
/private/tmp/HiddedLotus.pdf
MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit
/private/tmp/HiddedLotus.pdf
MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit
/private/tmp/HiddedLotus.pdf
MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads