evilgnome | 819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1

Resubmissions

28/02/2022, 15:41

220228-s4qs8seeg3 10

12/06/2021, 09:55

210612-f7rmdwaays 10

12/06/2021, 09:51

210612-kcegep1ef2 7

Analysis

max time network
299s
platform
macos_amd64
resource
macos
submitted
12/06/2021, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.run
Size

99KB
MD5

d4b45f4ab1ec5616026e8fbed2431be8
SHA1

28ecd4944f37bb8f9b7dfd1d486f7c9c027166d0
SHA256

819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1
SHA512

2026b561dce762930e3c6a7179d509efb7be482281111f65461328ed6da5c04e1bb7a7bf3f5cd883920a2cdd50e5c72b1c500d6f4963174792f0c183070b0771

Score

10^/10

evilgnome backdoor trojan

Malware Config

Signatures

Detected EvilGnome 4 IoCs

resource	yara_rule
behavioral2/files/0x0000000300020f81-2.dat	family_evilgnome
behavioral2/files/0x0000000300020f87-8.dat	family_evilgnome
behavioral2/files/0x0000000300020f81-7.dat	family_evilgnome
behavioral2/files/0x0000000300020f87-28.dat	family_evilgnome

EvilGnome Backdoor
Linux malware which targets desktop users. Includes common stealer/keylogger functionality as well as downloading and executing various modules.
backdoor trojan evilgnome

/bin/sh
sh -c "sudo /Users/run/installer.run"
1⤵
PID:449

/bin/bash
sh -c "sudo /Users/run/installer.run"
1⤵
PID:449

/usr/bin/sudo
sudo /Users/run/installer.run
1⤵
PID:449
- /Users/run/installer.run
  /Users/run/installer.run
  2⤵
  PID:450
- /bin/bash
  /bin/sh /Users/run/installer.run
  2⤵
  PID:450
- - /usr/bin/id
    id -u
    3⤵
    PID:452
- - /usr/bin/tty
    tty -s
    3⤵
    PID:453
- - /bin/mkdir
    mkdir /tmp/selfgz45031114
    3⤵
    PID:454
- - /usr/bin/basename
    basename /usr/bin/shasum
    3⤵
    PID:469
- - /usr/bin/basename
    basename /sbin/md5
    3⤵
    PID:473
- - /bin/expr
    expr 1 + 1
    3⤵
    PID:504
- - /bin/expr
    expr 14819 + 87287
    3⤵
    PID:505
- - /bin/expr
    expr 14819 + 87287
    3⤵
    PID:538
- - ./setup.sh
    ./setup.sh
    3⤵
    PID:539
- - /bin/bash
    /bin/sh ./setup.sh
    3⤵
    PID:539
  - - /bin/mkdir
      mkdir -p /Users/run/.cache/gnome-software/gnome-shell-extensions
      4⤵
      PID:540
  - - /bin/cp
      cp ./gnome-shell-ext /Users/run/.cache/gnome-software/gnome-shell-extensions
      4⤵
      PID:541
  - - /bin/cp
      cp ./gnome-shell-ext.sh /Users/run/.cache/gnome-software/gnome-shell-extensions
      4⤵
      PID:542
  - - /bin/cp
      cp ./rtp.dat /Users/run/.cache/gnome-software/gnome-shell-extensions
      4⤵
      PID:543
  - - /bin/chmod
      chmod +x /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
      4⤵
      PID:544
  - - /bin/chmod
      chmod +x /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      4⤵
      PID:545
  - - /usr/bin/grep
      grep -q "0-59 * * * * /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
      4⤵
      PID:547
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:546
  - - /usr/bin/crontab
      crontab -u root -
      4⤵
      PID:550
  - - /usr/bin/crontab
      crontab -u root -l
      4⤵
      PID:548
  - - /usr/bin/nohup
      nohup /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      4⤵
      PID:554
  - - /bin/rm
      rm -rf -- /private/tmp/selfgz45031114
      4⤵
      PID:556
  - - /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      4⤵
      PID:554
  - - /bin/bash
      /bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      4⤵
      PID:554
    - - /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
        
        /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
        5⤵
        
        PID:559
- - /bin/rm
    /bin/rm -rf /tmp/selfgz45031114
    3⤵
    PID:557

/usr/bin/which
which md5sum
1⤵
PID:457

/usr/bin/which
which md5
1⤵
PID:459

/usr/bin/which
which shasum
1⤵
PID:461

/usr/bin/head
head -n 587 /Users/run/installer.run
1⤵
PID:463

/usr/bin/wc
wc -c
1⤵
PID:464

/usr/bin/tr
tr -d " "
1⤵
PID:465

/usr/bin/cut
cut "-d " -f1
1⤵
PID:468

/usr/bin/cut
cut "-d " -f1
1⤵
PID:472

/usr/bin/cut
cut "-d " -f1
1⤵
PID:476

/usr/bin/cut
cut -b-32
1⤵
PID:481

/bin/expr
expr 4194304 / 4
1⤵
PID:483

/sbin/md5
/sbin/md5
1⤵
PID:482

/bin/expr
expr 1048576 / 4
1⤵
PID:485

/bin/expr
expr 262144 / 4
1⤵
PID:487

/bin/expr
expr 87287 / 65536
1⤵
PID:489

/bin/expr
expr 87287 "%" 65536
1⤵
PID:491

/bin/dd
dd "ibs=14819" "skip=1"
1⤵
PID:493

/bin/expr
expr 0 + 65536
1⤵
PID:495

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:496

/bin/expr
expr 87287 / 100
1⤵
PID:498

/bin/expr
expr 65536 / 872
1⤵
PID:500

/bin/expr
expr 65536 + 65536
1⤵
PID:502

/bin/dd
dd "bs=21751" "count=1"
1⤵
PID:503

/usr/bin/head
head -n 587 /Users/run/installer.run
1⤵
PID:507

/usr/bin/wc
wc -c
1⤵
PID:508

/usr/bin/tr
tr -d " "
1⤵
PID:509

/usr/bin/tail
tail -1
1⤵
PID:513

/bin/df
df -kP /tmp/selfgz45031114
1⤵
PID:512

/usr/bin/awk
awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
1⤵
PID:514

/usr/bin/gzip
gzip -cd
1⤵
PID:518

/usr/bin/tar
tar xpvf -
1⤵
PID:519

/bin/expr
expr 4194304 / 4
1⤵
PID:520

/bin/expr
expr 1048576 / 4
1⤵
PID:521

/bin/expr
expr 262144 / 4
1⤵
PID:522

/bin/expr
expr 87287 / 65536
1⤵
PID:523

/bin/expr
expr 87287 "%" 65536
1⤵
PID:524

/bin/dd
dd "ibs=14819" "skip=1"
1⤵
PID:526

/bin/expr
expr 0 + 65536
1⤵
PID:527

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:528

/bin/expr
expr 87287 / 100
1⤵
PID:529

/bin/expr
expr 65536 / 872
1⤵
PID:530

/bin/expr
expr 65536 + 65536
1⤵
PID:531

/bin/dd
dd "bs=21751" "count=1"
1⤵
PID:532

/usr/bin/id
id -u
1⤵
PID:534

/usr/sbin/chown
chown -R 0 .
1⤵
PID:535

/usr/bin/id
id -g
1⤵
PID:536

/usr/bin/chgrp
chgrp -R 0 .
1⤵
PID:537

/usr/bin/whoami
whoami
1⤵
PID:551

/bin/cat
cat
1⤵
PID:552

/usr/bin/whoami
whoami
1⤵
PID:553

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads