hiddenlotus | 7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656

Analysis

max time kernel
135s
max time network
114s
platform
macos-10.15_amd64
resource
macos-20241106-en
resource tags

arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
09/02/2025, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HiddedLotus.dmg
Size

548KB
MD5

54f7eadddcae17f1cb10d0cdaf426408
SHA1

bda404cb5709a1f026c47a1c0508b2b753a47836
SHA256

7769af718266fcc91c9f39eb71d1b137156b95d6e6704d9b783988e3421ac656
SHA512

a1baa3532e2237a73e8ccc353b1e1de936ec49e2a3b995ae030092873f4f5bb74d7be47eb75e85a3da254f3d21c147e2327fa67b728e70ebe09d297ccc188179
SSDEEP

12288:Z+u8CJLXDVykPpdRVVcAI7uV4fDmkggQgNfbhG:ffNPzVcApZgQgNf

Score

10^/10

hiddenlotus defense_evasion discovery execution miner persistence

Malware Config

Signatures

Hiddenlotus
Hiddenlotus family.
miner hiddenlotus
Hiddenlotus family
hiddenlotus

Identifies devices as anti-VM 2 IoCs

ioc	Process
sh -c "ioreg -rd1 -c IOPlatformExpertDevice \| awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"	Process not Found
ioreg -rd1 -c IOPlatformExpertDevice	Process not Found

Queries the hardware information (I/O Kit registry). 1 TTPs 2 IoCs

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

discovery

System Information Discovery

T1082

ioc	Process
sh -c "ioreg -rd1 -c IOPlatformExpertDevice \| awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"	Process not Found
ioreg -rd1 -c IOPlatformExpertDevice	Process not Found

Queries the macOS version information. 1 TTPs 10 IoCs

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

discovery

System Information Discovery

T1082

ioc	Process
sh -c "sw_vers -productVersion 2>&1"	Process not Found
sw_vers -productVersion	Process not Found
sw_vers -productVersion	Process not Found
sh -c "sw_vers -productVersion 2>&1"	Process not Found
sw_vers -productVersion	Process not Found
sw_vers -productVersion	Process not Found
sh -c "sw_vers -productVersion 2>&1"	Process not Found
sh -c "sw_vers -productVersion 2>&1"	Process not Found
sw_vers -productVersion	Process not Found
sh -c "sw_vers -productVersion 2>&1"	Process not Found

Modify File 1 TTPs 6 IoCs

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

defense_evasion

Masquerading

T1036

ioc	Process
touch -t 1402031820 "/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync"	Process not Found
sh -c "touch -t 1511092317 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"	Process not Found
touch -t 1511092317 /Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd	Process not Found
sh -c "touch -t 1511092317 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"	Process not Found
touch -t 1511092317 /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist	Process not Found
sh -c "touch -t 1402031820 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"	Process not Found

File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.
defense_evasion

File Deletion
T1070.004
Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001

Timestomp 1 TTPs 6 IoCs

Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.

defense_evasion

Timestomp

T1070.006

ioc	Process
touch -t 1511092317 /Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd	Process not Found
sh -c "touch -t 1511092317 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"	Process not Found
touch -t 1511092317 /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist	Process not Found
sh -c "touch -t 1402031820 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"	Process not Found
touch -t 1402031820 "/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync"	Process not Found
sh -c "touch -t 1511092317 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"	Process not Found

AppleScript 1 TTPs 2 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "tell application \"Finder\"" -e "set visible of process \"Terminal\" to false" -e "end tell"	Process not Found
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"	Process not Found

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
mv -f /Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys /tmp/HiddedLotus.pdf	Process not Found

Launchctl 1 TTPs 2 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"	Process not Found
launchctl load /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/HiddedLotus/HiddedLotus.app\""
1⤵
PID:511

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/HiddedLotus/HiddedLotus.app\""
1⤵
PID:511

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/HiddedLotus/HiddedLotus.app"
1⤵
PID:511
- /bin/zsh
  /bin/zsh -c "open /Volumes/HiddedLotus/HiddedLotus.app"
  2⤵
  PID:512
- /usr/bin/open
  open /Volumes/HiddedLotus/HiddedLotus.app
  2⤵
  PID:512

/usr/libexec/xpcproxy
xpcproxy com.apple.files.2332
1⤵
PID:513

/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)
"/Volumes/HiddedLotus/HiddedLotus.app/Contents/MacOS/Lê Thu Hà (HAEDC)"
1⤵
PID:513

/bin/sh
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:514

/bin/bash
sh -c "osascript -e 'tell application \"Finder\"' -e 'set visible of process \"Terminal\" to false' -e 'end tell' > /dev/null 2>&1"
1⤵
PID:514
- /usr/bin/osascript
  osascript -e "tell application \"Finder\"" -e "set visible of process \"Terminal\" to false" -e "end tell"
  2⤵
  PID:515

/bin/sh
sh -c "touch -t 1511092317 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:517

/bin/bash
sh -c "touch -t 1511092317 \"/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd\" >/dev/null 2>&1"
1⤵
PID:517
- /usr/bin/touch
  touch -t 1511092317 /Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
  2⤵
  PID:518

/bin/sh
sh -c "touch -t 1511092317 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:519

/bin/bash
sh -c "touch -t 1511092317 \"/Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist\" >/dev/null 2>&1"
1⤵
PID:519
- /usr/bin/touch
  touch -t 1511092317 /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
  2⤵
  PID:520

/bin/sh
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:521

/bin/bash
sh -c "launchctl load ~/Library/LaunchAgents/com.apple.hidd.shared.plist > /dev/null 2>&1 &"
1⤵
PID:521
- /bin/launchctl
  launchctl load /Users/run/Library/LaunchAgents/com.apple.hidd.shared.plist
  2⤵
  PID:523

/bin/sh
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:522

/bin/bash
sh -c "mv -f \"/Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys\" \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1 ; open \"/tmp/HiddedLotus.pdf\" & > /dev/null 2>&1 ; rm -rf \"/Volumes/HiddedLotus/HiddedLotus.app\" > /dev/null 2>&1 ; cp -f \"/tmp/HiddedLotus.pdf\" \"/Volumes/HiddedLotus/HiddedLotus.pdf\" > /dev/null 2>&1 ; sleep 3 ; rm -rf \"/tmp/HiddedLotus.pdf\" > /dev/null 2>&1"
1⤵
PID:522
- /bin/mv
  mv -f /Volumes/HiddedLotus/HiddedLotus.app/Contents/Resources/configureDefault.sys /tmp/HiddedLotus.pdf
  2⤵
  PID:524
- /usr/bin/open
  open /tmp/HiddedLotus.pdf
  2⤵
  PID:535
- /bin/rm
  rm -rf /Volumes/HiddedLotus/HiddedLotus.app
  2⤵
  PID:536
- /bin/cp
  cp -f /tmp/HiddedLotus.pdf /Volumes/HiddedLotus/HiddedLotus.pdf
  2⤵
  PID:537
- /bin/sleep
  sleep 3
  2⤵
  PID:540
- /bin/rm
  rm -rf /tmp/HiddedLotus.pdf
  2⤵
  PID:543

/usr/libexec/xpcproxy
xpcproxy com.apple.hidd.shared
1⤵
PID:525

/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd
1⤵
PID:525

/bin/sh
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:526

/bin/bash
sh -c "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }' 2>&1"
1⤵
PID:526
- /usr/sbin/ioreg
  ioreg -rd1 -c IOPlatformExpertDevice
  2⤵
  PID:527
- /usr/bin/awk
  awk "/IOPlatformSerialNumber/ { split(\$0, line, \"\\\"\"); printf(\"%s\", line[4]); }"
  2⤵
  PID:528

/bin/sh
sh -c "touch -t 1402031820 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:529

/bin/bash
sh -c "touch -t 1402031820 \"/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync\" >/dev/null 2>&1"
1⤵
PID:529
- /usr/bin/touch
  touch -t 1402031820 "/Users/run/Library/Calendars/Calendar Sync Changes/Calendar Sync"
  2⤵
  PID:530

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:531

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:531
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:532

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:533

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:533
- /usr/bin/uname
  uname -m
  2⤵
  PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:539

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:547

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:547
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:548

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:549

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:549
- /usr/bin/uname
  uname -m
  2⤵
  PID:550

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:551

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:551
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:552

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:553

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:553
- /usr/bin/uname
  uname -m
  2⤵
  PID:554

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:555

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:555
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:556

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:557

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:557
- /usr/bin/uname
  uname -m
  2⤵
  PID:558

/bin/sh
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:559

/bin/bash
sh -c "sw_vers -productVersion 2>&1"
1⤵
PID:559
- /usr/bin/sw_vers
  sw_vers -productVersion
  2⤵
  PID:560

/bin/sh
sh -c "uname -m 2>&1"
1⤵
PID:561

/bin/bash
sh -c "uname -m 2>&1"
1⤵
PID:561
- /usr/bin/uname
  uname -m
  2⤵
  PID:562

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Indicator Removal

T1070

File Deletion

T1070.004

Timestomp

T1070.006

Masquerading

T1036

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd

Filesize
98KB

MD5
e7a0587c80f273b9444795947f034aab

SHA1
f07267c736886e4db05e5f1255c1a2afb111f606

SHA256
a7872fbf84513d1409ce6a13a718a9ff901b3dd92c1671a5ada13f871aaa9975

SHA512
a00325036b57bdb5a38e6aa1dd62e7a9e6b47f9f74b026a47258cea3b23b2c332e2e161e4afc9c8946d18a163232b64190c9d7f7220e5ea1ae8192d52e0f1f3b

Download Submit
/tmp/HiddedLotus.pdf

Filesize
428KB

MD5
f344d1b15be233d6fdc600d7aac76609

SHA1
3e9cebc29c7e95fb152a8a0c8fcbd4470c46aadb

SHA256
31f30c93721e9e5e483dd680d5aeff7e0863e2df925667ffd48e58eaf567212c

SHA512
482a26e51803845505e96136bcee47b2ac67b87f3eeb604d80177859fd59c60ff5e2eff0336b5b2a5c1f20fb24b9be0f1f132acc8185b3f7a476a158849e656c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads