evilquest | 57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c

General

Target

57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
Size

180KB
MD5

5013e55f2d1ef1cc715531097a3c77f6
SHA1

d8138ff8175a9360f6941eb36ea3a527a8d9b6c3
SHA256

57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
SHA512

7f31937362b725ec660638bfa7bc4a153a794ee6e6cd17750fff9d0bad4239db05ff37452618f8f8f1d37d25739f92df4e6541cfb47e62ef55a6477571ee666b

Score

10^/10

evilquest backdoor

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest Payload 22 IoCs

resource	yara_rule
behavioral1/files/0x0000000300089886-0.dat	family_evilquest
behavioral1/files/0x0000000300089886-3.dat	family_evilquest
behavioral1/files/0x00000003000898de-4.dat	family_evilquest
behavioral1/files/0x0000000300089886-5.dat	family_evilquest
behavioral1/files/0x0000000300089886-6.dat	family_evilquest
behavioral1/files/0x00000003000898e0-7.dat	family_evilquest
behavioral1/files/0x00000003000898e2-8.dat	family_evilquest
behavioral1/files/0x00000003000898e2-14.dat	family_evilquest
behavioral1/files/0x00000003000898e2-17.dat	family_evilquest
behavioral1/files/0x00000003000898e2-19.dat	family_evilquest
behavioral1/files/0x00000003000898e2-21.dat	family_evilquest
behavioral1/files/0x00000003000898e2-23.dat	family_evilquest
behavioral1/files/0x00000003000898e2-25.dat	family_evilquest
behavioral1/files/0x00000003000898e2-27.dat	family_evilquest
behavioral1/files/0x00000003000898e2-29.dat	family_evilquest
behavioral1/files/0x00000003000898e2-31.dat	family_evilquest
behavioral1/files/0x00000003000898e2-33.dat	family_evilquest
behavioral1/files/0x00000003000898e2-35.dat	family_evilquest
behavioral1/files/0x00000003000898e2-37.dat	family_evilquest
behavioral1/files/0x00000003000898e2-39.dat	family_evilquest
behavioral1/files/0x00000003000898e2-41.dat	family_evilquest
behavioral1/files/0x00000003000898e2-43.dat	family_evilquest

/usr/sbin/spctl
/usr/sbin/spctl --test-devid-status
1⤵
PID:619

/usr/bin/syslog
/usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
1⤵
PID:620

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c\""
1⤵
PID:621

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c\""
1⤵
PID:621

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c\""
1⤵
PID:621

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
1⤵
PID:621

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
1⤵
PID:621
- /bin/zsh
  /bin/zsh -c /Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
  2⤵
  PID:623
- /bin/zsh
  /bin/zsh -c /Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
  2⤵
  PID:623
- /Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
  /Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
  2⤵
  PID:623
- /Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
  /Users/run/57a2ed4dbd018d2aa1f8701d6d8f3686cdd9f9f7096f4b5133efedde69c79c6c
  2⤵
  PID:623

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:624

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:624

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:624

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:624

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:624

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" "-Djdk.disableLastUsageTracking=true" "-Djava.awt.headless=true " -cp "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/deploy.jar" com.sun.deploy.panel.ControlPanel -getSecurityLevel
1⤵
PID:637

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:645

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:645

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:645

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:645

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:645

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:646

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:646

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:647

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:647

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:647

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:647

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:647

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:648

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:648

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:649

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:649

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:649

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:649

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:649

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:652

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:652

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:653

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:653

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:653

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:653

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:653

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:654

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:654

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:655

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:655

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:655

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:655

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:655

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:656

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:656

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:657

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:657

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:657

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:657

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:657

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:658

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:658

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:659

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:659

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:659

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:659

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:659

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:660

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:660

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:661

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:661

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:661

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:661

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:661

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:662

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:662

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:663

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:663

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:664

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:664

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:664

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:664

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:664

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:665

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:665

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:666

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:666

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:666

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:666

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:666

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:667

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:667

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:668

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:668

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:668

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:668

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:668

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:669

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:669

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:670

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:670

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:670

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:670

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:670

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:671

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:671

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:672

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:672

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:672

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:672

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:672

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:673

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:673

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:674

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:674

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:674

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:674

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:674

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:675

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:675

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:676

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:676

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:676

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:676

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:676

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:677

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:677

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:678

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:678

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:678

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:678

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:678

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads