gimmick | 2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f

Analysis

max time kernel
149s
max time network
156s
platform
macos-10.15_amd64
resource
macos-20240214-en
resource tags

arch:amd64arch:i386image:macos-20240214-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
03-04-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

047
Size

713KB
MD5

23699799f496b8e872d05f19d2b397f8
SHA1

fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
SHA256

2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f
SHA512

f347c47afe06ed7ef2a71b7e40ac0103f4f33e26250661173775b349bba7452ea458e5d4137a57b34801556959bca14093a9f693d59c147061f63f2b78614288
SSDEEP

6144:0RDkTCDC628O+i5Npv56/SfQ7WXIRPeTqiKjBAaIeuLkN04b1Z2O/a0csN2oGA8s:q5o657MOPhKCuo64b//nPpA/OGg2Y5

Score

10^/10

gimmick backdoor execution persistence

Malware Config

Signatures

Gimmick
Gimmick family.
backdoor gimmick
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

Launchctl 1 TTPs 4 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	Process
launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
sh -c "launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
sh -c "launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/047\""
1⤵
PID:533

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/047\""
1⤵
PID:533

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/047
1⤵
PID:533
- /bin/zsh
  /bin/zsh -c /Users/run/047
  2⤵
  PID:535
- /Users/run/047
  /Users/run/047
  2⤵
  PID:535

/bin/sh
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/047 |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:537

/bin/bash
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/047 |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:537
- /bin/ps
  ps -ef
  2⤵
  PID:538
- /usr/bin/grep
  grep CorelDRAW
  2⤵
  PID:539
- /usr/bin/grep
  grep -v /Users/run/047
  2⤵
  PID:540
- /usr/bin/grep
  grep -v "CorelDRAW\\s*Graphics\\s*Suite"
  2⤵
  PID:541
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:542
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:543

/usr/bin/kill
kill -9 539 541
1⤵
PID:544

/bin/kill
kill -9 539 541
1⤵
PID:544

/bin/sh
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/047 |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:545

/bin/bash
sh -c "ps -ef |grep CorelDRAW |grep -v /Users/run/047 |grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print \$2}' |xargs kill -9"
1⤵
PID:545
- /bin/ps
  ps -ef
  2⤵
  PID:546
- /usr/bin/grep
  grep CorelDRAW
  2⤵
  PID:547
- /usr/bin/grep
  grep -v /Users/run/047
  2⤵
  PID:548
- /usr/bin/grep
  grep -v "CorelDRAW\\s*Graphics\\s*Suite"
  2⤵
  PID:549
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:550
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:551

/usr/bin/kill
kill -9 547 549
1⤵
PID:552

/bin/kill
kill -9 547 549
1⤵
PID:552

/bin/sh
sh -c "cp /Users/run/047 /var/root/Library/Preferences/CorelDRAW/CorelDRAW"
1⤵
PID:553

/bin/bash
sh -c "cp /Users/run/047 /var/root/Library/Preferences/CorelDRAW/CorelDRAW"
1⤵
PID:553

/bin/cp
cp /Users/run/047 /var/root/Library/Preferences/CorelDRAW/CorelDRAW
1⤵
PID:553

/bin/sh
sh -c "launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:554

/bin/bash
sh -c "launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:554

/bin/launchctl
launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
1⤵
PID:554

/bin/sh
sh -c "launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:555

/bin/bash
sh -c "launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist"
1⤵
PID:555

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.CorelDRAW.va.plist
1⤵
PID:556

/var/root/Library/Preferences/CorelDRAW/CorelDRAW
/var/root/Library/Preferences/CorelDRAW/CorelDRAW
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.secd
1⤵
PID:561

/usr/libexec/secd
/usr/libexec/secd
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:562

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:563

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:564

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:591

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:591

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:592

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:593

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:593

/usr/libexec/xpcproxy
xpcproxy com.apple.cfprefsd.xpc.agent
1⤵
PID:594

/usr/sbin/cfprefsd
/usr/sbin/cfprefsd agent
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:598

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:598

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:600

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:600

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:601

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:606

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:606

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:607

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:607

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
439B

MD5
c05b619361d2cac0288befbdef519546

SHA1
634e507971e2bd2697df0cdbbe8772e6fbec276e

SHA256
1b2c817978649cad70d67be41215a663790d97707b7512cfc156b488438cbec8

SHA512
86308ab30375670ff5eb886d50e3b5be5f3b7d60e0de53458e0372c0c67cbfd1c58450acb201c7d21a5f351c2b0e796d1777dbaa1e2b83ef7f69a83dac26ba20

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
487B

MD5
e251c94fc14a772dbd695b0919d4f53a

SHA1
63c2eaa2aae3f097a6ad8952064d4764fe8295e0

SHA256
2e8a5e8288abdb773269792173899a3261c3a04c2a4d07c119988542d1978b49

SHA512
92222001d9e6f4bebf5abfc02f4a0b379b33c4f7dc4e9b27170e8b2d43f7c7e017632f893619d04f01eeaa48cfd79f77c7b910cc47d74d5b81f69ea83bd69a5d

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
487B

MD5
7d3535f2750c80fb5549715a6eb18997

SHA1
e4c3448aa704f5a1c3e3dc8c6362ec9238e38ef9

SHA256
273fc7ecbe78aaf71d4692bc0c939735d1d6b02e48b9b7b503e9554bf54980b7

SHA512
a3344e01a57099e812e88cd83577f43e0dc756a06460ceb3177dae23a15a09a77a6175d99f7704eef66dc0edbf3539afa7982686703d7a0f2cd0a729be59fe83

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
4edb912407f455a8895accd45fdd64f8

SHA1
d28fd4a77444602ce882bb8aefdcfd89acf1d8a6

SHA256
7ab2db23e6f5c74523f4966e80132ddc4227380ce970dc85d88945fb64e070dc

SHA512
a57060257bce06029841ff558205e65af514b025107bdaf8f170697acf7920c4cf77e7c85335630e9999518e28224e153aca126efce5dc074ee9fbc9509f5707

Download Submit
/Users/run/Library/Caches/GeoServices/Experiments.pbd

Filesize
137B

MD5
4be852c9a4c2d88590cf422672d3b131

SHA1
f9c839d55ae9362d02fac51497156a9ce433bf8b

SHA256
f95be6c6cf59f103375c96632d603409340db14a801b1b658a886bda46957949

SHA512
dbf4d3dc1d96a77b1a0a86c3250e6cf3044ba92d8c00f12b2aa4ff4cb6d5a535062d508be5112ccd74f4319e8efc77af6afa8a474c579e24d9e17929cd2bb338

Download Submit
/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1261.xml

Filesize
162KB

MD5
461dcb8e6914ac8c3efadaa2ab3bfe82

SHA1
bfb82d565114a505c0dc45a7b88c64fe24c2a96f

SHA256
267aae1978c73f986ab32623d3edd0415e24888226d266bb42943765fbf12904

SHA512
b6e500d7c269c1fa7fe796ded05d3489d2c773f1e02ddc87b99a777cb89f5837b527bfcf4a1ec01a155ed8c07bc4fe9b8ff8c7d3672bc9ee89be09c71bac13d2

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/root/Library/Preferences/CorelDRAW/CorelDRAW

Filesize
713KB

MD5
23699799f496b8e872d05f19d2b397f8

SHA1
fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8

SHA256
2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f

SHA512
f347c47afe06ed7ef2a71b7e40ac0103f4f33e26250661173775b349bba7452ea458e5d4137a57b34801556959bca14093a9f693d59c147061f63f2b78614288

Download Submit