Resubmissions
28-02-2022 15:41
220228-s4qs8seeg3 1012-06-2021 09:55
210612-f7rmdwaays 1012-06-2021 09:51
210612-kcegep1ef2 7Analysis
-
max time kernel
240s -
max time network
287s -
platform
macos_amd64 -
resource
macos -
submitted
28-02-2022 15:41
General
-
Target
installer.run
-
Size
99KB
-
MD5
d4b45f4ab1ec5616026e8fbed2431be8
-
SHA1
28ecd4944f37bb8f9b7dfd1d486f7c9c027166d0
-
SHA256
819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1
-
SHA512
2026b561dce762930e3c6a7179d509efb7be482281111f65461328ed6da5c04e1bb7a7bf3f5cd883920a2cdd50e5c72b1c500d6f4963174792f0c183070b0771
Score
10/10
Malware Config
Signatures
-
Detected EvilGnome 4 IoCs
-
EvilGnome Backdoor
Linux malware which targets desktop users. Includes common stealer/keylogger functionality as well as downloading and executing various modules.
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/installer.run\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/installer.run\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/installer.run\""1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/installer.run1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/installer.run1⤵
-
/bin/zsh/bin/zsh -c /Users/run/installer.run2⤵
-
-
/bin/zsh/bin/zsh -c /Users/run/installer.run2⤵
-
-
/Users/run/installer.run/Users/run/installer.run2⤵
-
-
/Users/run/installer.run/Users/run/installer.run2⤵
-
-
/bin/bash/bin/sh /Users/run/installer.run2⤵
-
-
/bin/bash/bin/sh /Users/run/installer.run2⤵
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/ttytty -s3⤵
-
-
/usr/bin/ttytty -s3⤵
-
-
/bin/mkdirmkdir /tmp/selfgz591223373⤵
-
-
/bin/mkdirmkdir /tmp/selfgz591223373⤵
-
-
/usr/bin/basenamebasename /usr/bin/shasum3⤵
-
-
/usr/bin/basenamebasename /usr/bin/shasum3⤵
-
-
/usr/bin/basenamebasename /sbin/md53⤵
-
-
/usr/bin/basenamebasename /sbin/md53⤵
-
-
/bin/exprexpr 1 + 13⤵
-
-
/bin/exprexpr 1 + 13⤵
-
-
/bin/exprexpr 14819 + 872873⤵
-
-
/bin/exprexpr 14819 + 872873⤵
-
-
/bin/exprexpr 14819 + 872873⤵
-
-
/bin/exprexpr 14819 + 872873⤵
-
-
./setup.sh./setup.sh3⤵
-
-
./setup.sh./setup.sh3⤵
-
-
/bin/bash/bin/sh ./setup.sh3⤵
-
-
/bin/bash/bin/sh ./setup.sh3⤵
-
/bin/mkdirmkdir -p /Users/run/.cache/gnome-software/gnome-shell-extensions4⤵
-
-
/bin/mkdirmkdir -p /Users/run/.cache/gnome-software/gnome-shell-extensions4⤵
-
-
/bin/cpcp ./gnome-shell-ext /Users/run/.cache/gnome-software/gnome-shell-extensions4⤵
-
-
/bin/cpcp ./gnome-shell-ext /Users/run/.cache/gnome-software/gnome-shell-extensions4⤵
-
-
/bin/cpcp ./gnome-shell-ext.sh /Users/run/.cache/gnome-software/gnome-shell-extensions4⤵
-
-
/bin/cpcp ./gnome-shell-ext.sh /Users/run/.cache/gnome-software/gnome-shell-extensions4⤵
-
-
/bin/cpcp ./rtp.dat /Users/run/.cache/gnome-software/gnome-shell-extensions4⤵
-
-
/bin/cpcp ./rtp.dat /Users/run/.cache/gnome-software/gnome-shell-extensions4⤵
-
-
/bin/chmodchmod +x /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext4⤵
-
-
/bin/chmodchmod +x /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext4⤵
-
-
/bin/chmodchmod +x /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh4⤵
-
-
/bin/chmodchmod +x /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh4⤵
-
-
/usr/bin/grepgrep -q "0-59 * * * * /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"4⤵
-
-
/usr/bin/grepgrep -q "0-59 * * * * /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"4⤵
-
-
/usr/bin/crontabcrontab -l4⤵
-
-
/usr/bin/crontabcrontab -l4⤵
-
-
/usr/bin/crontabcrontab -u root -l4⤵
-
-
/usr/bin/crontabcrontab -u root -l4⤵
-
-
/usr/bin/crontabcrontab -u root -4⤵
-
-
/usr/bin/crontabcrontab -u root -4⤵
-
-
/usr/bin/nohupnohup /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh4⤵
-
-
/usr/bin/nohupnohup /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh4⤵
-
-
/bin/rmrm -rf -- /private/tmp/selfgz591223374⤵
-
-
/bin/rmrm -rf -- /private/tmp/selfgz591223374⤵
-
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh4⤵
-
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh4⤵
-
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh4⤵
-
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh4⤵
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext5⤵
-
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext5⤵
-
-
-
-
/bin/rm/bin/rm -rf /tmp/selfgz591223373⤵
-
-
/bin/rm/bin/rm -rf /tmp/selfgz591223373⤵
-
-
-
/usr/bin/whichwhich md5sum1⤵
-
/usr/bin/whichwhich md5sum1⤵
-
/usr/bin/whichwhich md51⤵
-
/usr/bin/whichwhich md51⤵
-
/usr/bin/whichwhich shasum1⤵
-
/usr/bin/whichwhich shasum1⤵
-
/usr/bin/wcwc -c1⤵
-
/usr/bin/wcwc -c1⤵
-
/usr/bin/headhead -n 587 /Users/run/installer.run1⤵
-
/usr/bin/headhead -n 587 /Users/run/installer.run1⤵
-
/usr/bin/trtr -d " "1⤵
-
/usr/bin/trtr -d " "1⤵
-
/usr/bin/cutcut "-d " -f11⤵
-
/usr/bin/cutcut "-d " -f11⤵
-
/usr/bin/cutcut "-d " -f11⤵
-
/usr/bin/cutcut "-d " -f11⤵
-
/usr/bin/cutcut "-d " -f11⤵
-
/usr/bin/cutcut "-d " -f11⤵
-
/usr/bin/cutcut -b-321⤵
-
/usr/bin/cutcut -b-321⤵
-
/sbin/md5/sbin/md51⤵
-
/sbin/md5/sbin/md51⤵
-
/bin/exprexpr 4194304 / 41⤵
-
/bin/exprexpr 4194304 / 41⤵
-
/bin/exprexpr 1048576 / 41⤵
-
/bin/exprexpr 1048576 / 41⤵
-
/bin/exprexpr 262144 / 41⤵
-
/bin/exprexpr 262144 / 41⤵
-
/bin/exprexpr 87287 / 655361⤵
-
/bin/exprexpr 87287 / 655361⤵
-
/bin/exprexpr 87287 "%" 655361⤵
-
/bin/exprexpr 87287 "%" 655361⤵
-
/bin/dddd "ibs=14819" "skip=1"1⤵
-
/bin/dddd "ibs=14819" "skip=1"1⤵
-
/bin/exprexpr 0 + 655361⤵
-
/bin/exprexpr 0 + 655361⤵
-
/bin/dddd "bs=65536" "count=1"1⤵
-
/bin/dddd "bs=65536" "count=1"1⤵
-
/bin/exprexpr 87287 / 1001⤵
-
/bin/exprexpr 87287 / 1001⤵
-
/bin/exprexpr 65536 / 8721⤵
-
/bin/exprexpr 65536 / 8721⤵
-
/bin/exprexpr 65536 + 655361⤵
-
/bin/exprexpr 65536 + 655361⤵
-
/bin/dddd "bs=21751" "count=1"1⤵
-
/bin/dddd "bs=21751" "count=1"1⤵
-
/usr/bin/headhead -n 587 /Users/run/installer.run1⤵
-
/usr/bin/headhead -n 587 /Users/run/installer.run1⤵
-
/usr/bin/wcwc -c1⤵
-
/usr/bin/wcwc -c1⤵
-
/usr/bin/trtr -d " "1⤵
-
/usr/bin/trtr -d " "1⤵
-
/bin/dfdf -kP /tmp/selfgz591223371⤵
-
/bin/dfdf -kP /tmp/selfgz591223371⤵
-
/usr/bin/tailtail -11⤵
-
/usr/bin/tailtail -11⤵
-
/usr/bin/awkawk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"1⤵
-
/usr/bin/awkawk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"1⤵
-
/bin/exprexpr 4194304 / 41⤵
-
/bin/exprexpr 4194304 / 41⤵
-
/usr/bin/gzipgzip -cd1⤵
-
/usr/bin/gzipgzip -cd1⤵
-
/usr/bin/tartar xpvf -1⤵
-
/usr/bin/tartar xpvf -1⤵
-
/bin/exprexpr 1048576 / 41⤵
-
/bin/exprexpr 1048576 / 41⤵
-
/bin/exprexpr 262144 / 41⤵
-
/bin/exprexpr 262144 / 41⤵
-
/bin/exprexpr 87287 / 655361⤵
-
/bin/exprexpr 87287 / 655361⤵
-
/bin/exprexpr 87287 "%" 655361⤵
-
/bin/exprexpr 87287 "%" 655361⤵
-
/bin/dddd "ibs=14819" "skip=1"1⤵
-
/bin/dddd "ibs=14819" "skip=1"1⤵
-
/bin/exprexpr 0 + 655361⤵
-
/bin/exprexpr 0 + 655361⤵
-
/bin/dddd "bs=65536" "count=1"1⤵
-
/bin/dddd "bs=65536" "count=1"1⤵
-
/bin/exprexpr 87287 / 1001⤵
-
/bin/exprexpr 87287 / 1001⤵
-
/bin/exprexpr 65536 / 8721⤵
-
/bin/exprexpr 65536 / 8721⤵
-
/bin/exprexpr 65536 + 655361⤵
-
/bin/exprexpr 65536 + 655361⤵
-
/bin/dddd "bs=21751" "count=1"1⤵
-
/bin/dddd "bs=21751" "count=1"1⤵
-
/usr/bin/idid -u1⤵
-
/usr/bin/idid -u1⤵
-
/usr/sbin/chownchown -R 0 .1⤵
-
/usr/sbin/chownchown -R 0 .1⤵
-
/usr/bin/idid -g1⤵
-
/usr/bin/idid -g1⤵
-
/usr/bin/chgrpchgrp -R 0 .1⤵
-
/usr/bin/chgrpchgrp -R 0 .1⤵
-
/usr/bin/whoamiwhoami1⤵
-
/usr/bin/whoamiwhoami1⤵
-
/bin/catcat1⤵
-
/bin/catcat1⤵
-
/usr/bin/whoamiwhoami1⤵
-
/usr/bin/whoamiwhoami1⤵
-
/usr/libexec/xpcproxyxpcproxy com.vix.cron1⤵
-
/usr/sbin/cron/usr/sbin/cron1⤵
-
/bin/sh/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/sh/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext2⤵
-
-
/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext2⤵
-
-
/bin/sh/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/sh/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext2⤵
-
-
/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext2⤵
-
-
/bin/sh/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/sh/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext2⤵
-
-
/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext2⤵
-
-
/bin/sh/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/sh/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh -c /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh/Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/bin/bash/bin/sh /Users/run/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh1⤵
-
/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext2⤵
-
-
/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext/var/root/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext2⤵
-