Resubmissions

11-03-2022 16:26

220311-txmcxaaca8 10

24-06-2021 12:52

210624-2gpv6tpede 10

Analysis

  • max network time
    158s
  • platform
    macos_amd64
  • resource
    macos
  • submitted
    24-06-2021 12:52

General

  • Target

    EvilQuest.dmg

  • Size

    10.4MB

  • MD5

    58680abd58baca826c2029f32e5b78b3

  • SHA1

    98040c4d358a6fb9fed970df283a9b25f0ab393b

  • SHA256

    b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

  • SHA512

    be852ea2a0ce7a119392f6f28033dfcec27ac897f3479767287da8e5b2babd2cff95b94c399e64d5f219fbef3508a3a2f2b2f4346e057ddce416353825994d28

Score
10/10

Malware Config

Signatures

Processes

  • /bin/sh
    sh -c "sudo installer -pkg /Users/run/setup.pkg -target /"
    1⤵
      PID:508
    • /bin/bash
      sh -c "sudo installer -pkg /Users/run/setup.pkg -target /"
      1⤵
        PID:508
      • /usr/bin/sudo
        sudo installer -pkg /Users/run/setup.pkg -target /
        1⤵
          PID:508
          • /usr/sbin/installer
            installer -pkg /Users/run/setup.pkg -target /
            2⤵
              PID:509
          • /usr/libexec/xpcproxy
            xpcproxy com.apple.installd
            1⤵
              PID:511
            • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
              /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
              1⤵
                PID:511
              • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
                /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
                1⤵
                  PID:515
                • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
                  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/85417BE7-7716-4B9A-9EBE-2B8D8A18D44C.activeSandbox/Root /
                  1⤵
                    PID:516
                  • /tmp/PKInstallSandbox.QWqEcF/Scripts/com.mixedinkey.installer.sURY9t/postinstall
                    /tmp/PKInstallSandbox.QWqEcF/Scripts/com.mixedinkey.installer.sURY9t/postinstall /Users/run/setup.pkg /Applications / /
                    1⤵
                      PID:517
                    • /bin/bash
                      /bin/sh /tmp/PKInstallSandbox.QWqEcF/Scripts/com.mixedinkey.installer.sURY9t/postinstall /Users/run/setup.pkg /Applications / /
                      1⤵
                        PID:517
                        • /bin/mkdir
                          mkdir /Library/mixednkey
                          2⤵
                            PID:518
                          • /bin/mv
                            mv /Applications/Utils/patch /Library/mixednkey/toolroomd
                            2⤵
                              PID:519
                            • /bin/rmdir
                              rmdir /Application/Utils
                              2⤵
                                PID:520
                              • /bin/chmod
                                chmod +x /Library/mixednkey/toolroomd
                                2⤵
                                  PID:521
                                • /Library/mixednkey/toolroomd
                                  /Library/mixednkey/toolroomd
                                  2⤵
                                    PID:522
                                • /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
                                  /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
                                  1⤵
                                    PID:524
                                  • /bin/sh
                                    sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
                                    1⤵
                                      PID:525
                                    • /bin/bash
                                      sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
                                      1⤵
                                        PID:525
                                      • /bin/sh
                                        sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
                                        1⤵
                                          PID:526
                                        • /bin/bash
                                          sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
                                          1⤵
                                            PID:526

                                          Network

                                          MITRE ATT&CK Matrix
