Resubmissions
04-06-2021 11:41
210604-62q4dlr18s 1004-06-2021 11:25
210604-5xq6ap77we 1003-06-2021 17:10
210603-wqhytdhkea 1003-06-2021 16:16
210603-lf7tyvce86 10Analysis
-
max time network
1803s -
platform
macos_amd64 -
resource
macos -
submitted
04-06-2021 11:41
General
-
Target
HiddedLotus.dmg
-
Size
548KB
-
MD5
54f7eadddcae17f1cb10d0cdaf426408
-
SHA1
bda404cb5709a1f026c47a1c0508b2b753a47836
-
SHA256
7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656
-
SHA512
a1baa3532e2237a73e8ccc353b1e1de936ec49e2a3b995ae030092873f4f5bb74d7be47eb75e85a3da254f3d21c147e2327fa67b728e70ebe09d297ccc188179
Score
10/10
Malware Config
Signatures
-
Hiddenlotus
Hiddenlotus family.
Processes
-
/bin/shsh -c "sudo open /Volumes/HiddedLotus/HiddedLotus.app"1⤵
-
/bin/bashsh -c "sudo open /Volumes/HiddedLotus/HiddedLotus.app"1⤵
-
/usr/bin/sudosudo open /Volumes/HiddedLotus/HiddedLotus.app1⤵
-
/usr/bin/openopen /Volumes/HiddedLotus/HiddedLotus.app2⤵
-
-
/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)"/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)"1⤵
-
/bin/shsh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"1⤵
-
/bin/bashsh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"1⤵
-
/usr/bin/osascriptosascript -e "tell application \"Finder\"" -e "set visible of process \"Terminal\" to false" -e "end tell"2⤵
-
-
/bin/shsh -c "touch -t 1407112212 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"1⤵
-
/bin/bashsh -c "touch -t 1407112212 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"1⤵
-
/usr/bin/touchtouch -t 1407112212 /Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd2⤵
-
-
/bin/shsh -c "touch -t 1407112212 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"1⤵
-
/bin/bashsh -c "touch -t 1407112212 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"1⤵
-
/usr/bin/touchtouch -t 1407112212 /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist2⤵
-
-
/bin/shsh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"1⤵
-
/bin/shsh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"1⤵
-
/bin/bashsh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"1⤵
-
/bin/launchctllaunchctl load /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist2⤵
-
-
/bin/bashsh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"1⤵
-
/bin/mvmv -f /Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys /tmp/HiddedLotus.pdf2⤵
-
-
/usr/bin/openopen /tmp/HiddedLotus.pdf2⤵
-
-
/bin/rmrm -rf /Volumes/HiddedLotus/HiddedLotus.app2⤵
-
-
/bin/cpcp -f /tmp/HiddedLotus.pdf /Volumes/HiddedLotus/HiddedLotus.pdf2⤵
-
-
/bin/sleepsleep 32⤵
-
-
/bin/rmrm -rf /tmp/HiddedLotus.pdf2⤵
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.hidd.shared1⤵
-
/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd1⤵
-
/bin/shsh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"1⤵
-
/bin/bashsh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"1⤵
-
/usr/sbin/ioregioreg -rd1 -c IOPlatformExpertDevice2⤵
-
-
/usr/bin/awkawk "/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }"2⤵
-
-
/bin/shsh -c "touch -t 1407112212 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"1⤵
-
/bin/bashsh -c "touch -t 1407112212 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"1⤵
-
/usr/bin/touchtouch -t 1407112212 "/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync"2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-
-
/bin/shsh -c "sw_vers -productVersion 2>&1"1⤵
-
/bin/bashsh -c "sw_vers -productVersion 2>&1"1⤵
-
/usr/bin/sw_verssw_vers -productVersion2⤵
-
-
/bin/shsh -c "uname -m 2>&1"1⤵
-
/bin/bashsh -c "uname -m 2>&1"1⤵
-
/usr/bin/unameuname -m2⤵
-