{
	"id": "61ee6d44-f277-4ab1-9b30-34b27f178830",
	"created_at": "2026-04-06T00:15:48.648295Z",
	"updated_at": "2026-04-10T13:11:48.083087Z",
	"deleted_at": null,
	"sha1_hash": "4dfbaaac2eb7b1426059500f1500bca251e6b0f4",
	"title": "Mac.BackDoor.Systemd.1 — Dr.Web Malware description library",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70431,
	"plain_text": "Mac.BackDoor.Systemd.1 — Dr.Web Malware description library\r\nPublished: 2017-05-15 · Archived: 2026-04-05 14:15:57 UTC\r\nAdded to the Dr.Web virus database: 2017-05-11\r\nVirus description added: 2017-05-15\r\nSHA1:\r\n3cb1cfa072dbd28f02bd4a6162ba0a69f06f33f0\r\nTrojan backdoor for macOS. Once launched, it sends the following string to the console:\r\nThis file is corrupted and connot be opened\r\nIt is executed as a daemon called systemd. In order to conceal its file, the Trojan marks it with flags uchg, schg\r\nand hidden. It can use the following arguments for the launch:\r\nargument value\r\nd daemon\r\nr launch\r\nu update\r\nThen the Trojan creates file with SH commands and a PLIST file in order to register itself in the autorun.\r\n#!/bin/sh\r\n. /etc/rc.common\r\nStartService (){\r\n ConsoleMessage \"Start system Service\"\r\n “File path\" d\r\n}\r\nStopService (){\r\n return 0\r\n}\r\nRestartService (){\r\n return 0\r\n}\r\nRunService \"$1\"\r\nhttps://vms.drweb.com/virus/?_is=1\u0026i=15299312\u0026lng=en\r\nPage 1 of 4\n\nA file with the following content is created:\n{\n Description = \"Start systemd\";\n Provides = (\"system\");\n Requires = (\"Network\");\n OrderPreference = \"None\";\n}\nAlso a PLIST file is created:\n?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e DisabledUserNamerootLabel com.appule.sysetmd KeepAliveNetworkStateProgramArguments File path dRunAtLoadStartInterval5 The Trojan stores configuration information in its own file and encrypts it with the 3DES algorithm. Example of\nthe decrypted configuration is as follows:\nhttps://vms.drweb.com/virus/?_is=1\u0026i=15299312\u0026lng=en\nPage 2 of 4\n\n01 02 00 00-00 30 31 02-32 00 00 00-31 32 39 2E ☺☻ 01☻2 ***.\r\n32 33 32 2E-31 39 35 2E-32 32 36 2C-34 33 2E 32 ***.***.226,**.2\r\n34 37 2E 32-36 2E 33 37-2C 78 69 73-66 69 77 70 **.**.37,xis****\r\n65 69 64 73-73 64 77 65-61 64 2E 63-6F 6D 03 05 *****wead.com♥♣\r\n00 00 00 31-30 34 34 33-04 02 01 00-00 00 04 BC 10443♦☻☺ ♦╝\r\n8E 12 99 9C-83 58 E6 0C-52 0C 3E DE-00 CA F2 0E О↕ЩЬГXц♀R♀\u003e▐ ╩Є♫\r\nA4 1D ED 65-BF 47 3A CB-F9 26 3E B9-D9 3F 08 4C д↔эe┐G:╦∙\u0026\u003e╣┘?◘L\r\n57 E8 C4 F6-05 3D 27 98-74 29 5D 1C-A8 44 ED 87 Wш─Ў♣='Шt)]∟иDэЗ\r\nF4 86 98 5F-4B A8 13 BA-5A FE 8F 90-FF C0 41 F0 ЇЖШ_Kи‼║Z■ПР └AЁ\r\nCC D9 60 4D-F5 C3 42 29-19 88 95 72-10 64 6F 00 ╠┘`Mї├B)↓ИХr►do\r\n22 8E 49 1C-28 CE DC AC-AA 1B 61 A3-97 2F 76 00 \"ОI∟(╬▄мк←aгЧ/v\r\n7E 1C ED 05-7D FC A3 96-A9 8A E4 57-6F 10 3A 2F ~∟э♣}№гЦйКфWo►:/\r\n56 3B EA EB-1E CE 41 93-61 B2 FC 09-10 30 4F 00 V;ъы▲╬AУa▓№○►0O\r\n00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00\r\n00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00\r\n00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00\r\n00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00\r\n00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00\r\n00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00\r\n00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00\r\n00 00 00 00-00 00 00 00-00 00 00 00-01 00 01 05 ☺ ☺♣\r\n10 00 00 00-62 31 65 31-35 64 38 61-36 63 36 34 ► b1e15d8a6c64\r\n34 39 30 33-08 80 00 00-00 82 76 EE-86 35 91 59 4903◘А ВvюЖ5СY\r\nEF 72 28 0F-6A AB 99 33-4B 18 22 3F-AA 66 69 78 яr(☼jлЩ3K↑\"?кfix\r\n79 25 65 5D-15 B5 00 7A-B8 5A 79 F6-CF E1 71 C3 y%e]§╡ z╕ZyЎ╧сq├\r\nEB F9 D4 95-2E 2B E9 C8-C5 81 3E 65-FB 19 EA 79 ы∙╘Х.+щ╚┼Б\u003ee√↓ъy\r\nA1 38 B4 06-0B AF A5 02-6C 19 65 BA-5C 2C 51 BE б8┤♠♂пе☻l↓e║\\,Q╛\r\n05 11 4C 8C-24 54 E5 2A-BC 4A 74 01-1C F3 51 6A ♣◄LМ$Tх*╝Jt☺∟єQj\r\n1D 91 2E A1-05 02 5C 58-AA 5F F2 C7-A3 F5 08 3D ↔С.б♣☻\\Xк_Є╟гї◘=\r\nBE 3E 3C 8F-09 DB FE DD-B3 8C D5 9B-23 8B 11 AA ╛\u003e\u003cП○█■▌│М╒Ы#Л◄к\r\nCA C5 48 8A-C7 A5 D1 F6-1B 00 00 00-00 00 00 07 ╩┼HК╟е╤Ў← •\r\nDepending on the Trojan configuration, it establishes a connection with the command and control server itself or\r\nwaits for an incoming connection request. Once connected, the backdoor executes the commands it receives and\r\nperiodically sends the following information to cybercriminals:\r\nName and version of the operating system;\r\nUser name;\r\nAvailability of root privileges;\r\nMAC addresses of all available network interfaces;\r\nIP addresses of all available network interfaces;\r\nExternal IP address;\r\nCPU type;\r\nRAM amount;\r\nData about the malware version and its configuration.\r\nhttps://vms.drweb.com/virus/?_is=1\u0026i=15299312\u0026lng=en\r\nPage 3 of 4\n\nInformation, which is shared between the Trojan and the C\u0026C server, is encrypted with the 3DES algorithm. The\r\nbackdoor can execute the following commands:\r\ncommand Parameter Value\r\n0x200 file manager execute commands of the file manager\r\n1 - list dir (ls -la *) receive a list of the contents of a specified directory\r\n2 - read file read a file\r\n3 - write file write to a file, it also can write data to a file for an update\r\n4 - list file (ls -la file) get the contents of a file\r\n5 - chmod/chown/rename execute CHMOD, CHOWN and RENAME commands\r\n6 - delete file delete a file\r\n7 - mkdir create a directory\r\n0x300 execute a command in the bash shell\r\n0x400 update the Trojan\r\n0x500 reinstall the Trojan\r\n0x800 change the command and control server’s IP address\r\n0x900 install a plug-in\r\nNews about the Trojan\r\nSource: https://vms.drweb.com/virus/?_is=1\u0026i=15299312\u0026lng=en\r\nhttps://vms.drweb.com/virus/?_is=1\u0026i=15299312\u0026lng=en\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://vms.drweb.com/virus/?_is=1\u0026i=15299312\u0026lng=en"
	],
	"report_names": [
		"?_is=1\u0026i=15299312\u0026lng=en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434548,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4dfbaaac2eb7b1426059500f1500bca251e6b0f4.pdf",
		"text": "https://archive.orkl.eu/4dfbaaac2eb7b1426059500f1500bca251e6b0f4.txt",
		"img": "https://archive.orkl.eu/4dfbaaac2eb7b1426059500f1500bca251e6b0f4.jpg"
	}
}