evilgnome | 819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1

Resubmissions

17-06-2021 18:16

210617-arb9rgsa9n 10

12-06-2021 13:38

210612-55n311k7mn 7

Analysis

max time network
301s
platform
macos_amd64
resource
macos
submitted
17-06-2021 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.run
Size

99KB
MD5

d4b45f4ab1ec5616026e8fbed2431be8
SHA1

28ecd4944f37bb8f9b7dfd1d486f7c9c027166d0
SHA256

819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1
SHA512

2026b561dce762930e3c6a7179d509efb7be482281111f65461328ed6da5c04e1bb7a7bf3f5cd883920a2cdd50e5c72b1c500d6f4963174792f0c183070b0771

Score

10^/10

evilgnome backdoor trojan

Malware Config

Signatures

Detected EvilGnome 4 IoCs

resource	yara_rule
behavioral1/files/0x0000000300020fac-2.dat	family_evilgnome
behavioral1/files/0x0000000300020fac-7.dat	family_evilgnome
behavioral1/files/0x0000000300020fb2-8.dat	family_evilgnome
behavioral1/files/0x0000000300020fb2-28.dat	family_evilgnome

EvilGnome Backdoor
Linux malware which targets desktop users. Includes common stealer/keylogger functionality as well as downloading and executing various modules.
backdoor trojan evilgnome

/bin/sh
sh -c "sudo /Users/run/installer.run"
1⤵
PID:468

/bin/bash
sh -c "sudo /Users/run/installer.run"
1⤵
PID:468

/usr/bin/sudo
sudo /Users/run/installer.run
1⤵
PID:468
- /Users/run/installer.run
  /Users/run/installer.run
  2⤵
  PID:469
- /bin/bash
  /bin/sh /Users/run/installer.run
  2⤵
  PID:469
- - /usr/bin/id
    id -u
    3⤵
    PID:471
- - /usr/bin/tty
    tty -s
    3⤵
    PID:472
- - /bin/mkdir
    mkdir /tmp/selfgz46910155
    3⤵
    PID:473
- - /usr/bin/basename
    basename /usr/bin/shasum
    3⤵
    PID:488
- - /usr/bin/basename
    basename /sbin/md5
    3⤵
    PID:492
- - /bin/expr
    expr 1 + 1
    3⤵
    PID:523
- - /bin/expr
    expr 14819 + 87287
    3⤵
    PID:524
- - /bin/expr
    expr 14819 + 87287
    3⤵
    PID:557
- - ./setup.sh
    ./setup.sh
    3⤵
    PID:558
- - /bin/bash
    /bin/sh ./setup.sh
    3⤵
    PID:558
  - - /bin/mkdir
      mkdir -p /Users/run/.cache/gnome-software/gnome-shell-extensions
      4⤵
      PID:559
  - - /bin/cp
      cp ./gnome-shell-ext /Users/run/.cache/gnome-software/gnome-shell-extensions
      4⤵
      PID:560
  - - /bin/cp
      cp ./gnome-shell-ext.sh /Users/run/.cache/gnome-software/gnome-shell-extensions
      4⤵
      PID:561
  - - /bin/cp
      cp ./rtp.dat /Users/run/.cache/gnome-software/gnome-shell-extensions
      4⤵
      PID:562
  - - /bin/chmod
      chmod +x /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
      4⤵
      PID:563
  - - /bin/chmod
      chmod +x /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      4⤵
      PID:564
  - - /usr/bin/grep
      grep -q "0-59 * * * * /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
      4⤵
      PID:566
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:565
  - - /usr/bin/crontab
      crontab -u root -
      4⤵
      PID:570
  - - /usr/bin/crontab
      crontab -u root -l
      4⤵
      PID:567
  - - /usr/bin/nohup
      nohup /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      4⤵
      PID:573
  - - /bin/rm
      rm -rf -- /private/tmp/selfgz46910155
      4⤵
      PID:576
  - - /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      4⤵
      PID:573
  - - /bin/bash
      /bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
      4⤵
      PID:573
    - - /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
        
        /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
        5⤵
        
        PID:579
- - /bin/rm
    /bin/rm -rf /tmp/selfgz46910155
    3⤵
    PID:577

/usr/bin/which
which md5sum
1⤵
PID:476

/usr/bin/which
which md5
1⤵
PID:478

/usr/bin/which
which shasum
1⤵
PID:480

/usr/bin/wc
wc -c
1⤵
PID:483

/usr/bin/head
head -n 587 /Users/run/installer.run
1⤵
PID:482

/usr/bin/tr
tr -d " "
1⤵
PID:484

/usr/bin/cut
cut "-d " -f1
1⤵
PID:487

/usr/bin/cut
cut "-d " -f1
1⤵
PID:491

/usr/bin/cut
cut "-d " -f1
1⤵
PID:495

/usr/bin/cut
cut -b-32
1⤵
PID:499

/sbin/md5
/sbin/md5
1⤵
PID:501

/bin/expr
expr 4194304 / 4
1⤵
PID:502

/bin/expr
expr 1048576 / 4
1⤵
PID:504

/bin/expr
expr 262144 / 4
1⤵
PID:506

/bin/expr
expr 87287 / 65536
1⤵
PID:508

/bin/expr
expr 87287 "%" 65536
1⤵
PID:510

/bin/dd
dd "ibs=14819" "skip=1"
1⤵
PID:512

/bin/expr
expr 0 + 65536
1⤵
PID:514

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:515

/bin/expr
expr 87287 / 100
1⤵
PID:517

/bin/expr
expr 65536 / 872
1⤵
PID:519

/bin/expr
expr 65536 + 65536
1⤵
PID:521

/bin/dd
dd "bs=21751" "count=1"
1⤵
PID:522

/usr/bin/head
head -n 587 /Users/run/installer.run
1⤵
PID:526

/usr/bin/wc
wc -c
1⤵
PID:527

/usr/bin/tr
tr -d " "
1⤵
PID:528

/usr/bin/tail
tail -1
1⤵
PID:532

/bin/df
df -kP /tmp/selfgz46910155
1⤵
PID:531

/usr/bin/awk
awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
1⤵
PID:533

/bin/expr
expr 4194304 / 4
1⤵
PID:537

/usr/bin/gzip
gzip -cd
1⤵
PID:538

/usr/bin/tar
tar xpvf -
1⤵
PID:539

/bin/expr
expr 1048576 / 4
1⤵
PID:540

/bin/expr
expr 262144 / 4
1⤵
PID:541

/bin/expr
expr 87287 / 65536
1⤵
PID:542

/bin/expr
expr 87287 "%" 65536
1⤵
PID:543

/bin/dd
dd "ibs=14819" "skip=1"
1⤵
PID:545

/bin/expr
expr 0 + 65536
1⤵
PID:546

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:547

/bin/expr
expr 87287 / 100
1⤵
PID:548

/bin/expr
expr 65536 / 872
1⤵
PID:549

/bin/expr
expr 65536 + 65536
1⤵
PID:550

/bin/dd
dd "bs=21751" "count=1"
1⤵
PID:551

/usr/bin/id
id -u
1⤵
PID:553

/usr/sbin/chown
chown -R 0 .
1⤵
PID:554

/usr/bin/id
id -g
1⤵
PID:555

/usr/bin/chgrp
chgrp -R 0 .
1⤵
PID:556

/usr/bin/whoami
whoami
1⤵
PID:569

/bin/cat
cat
1⤵
PID:571

/usr/bin/whoami
whoami
1⤵
PID:572

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads