evilquest | 439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307

Analysis

max time kernel
5s
max time network
91s
platform
macos_amd64
resource
macos
submitted
02/05/2022, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
Size

180KB
MD5

15e24a256a648d5a8b4636c638a4a642
SHA1

606043220a4be5fd0beea054cd251f7a00162812
SHA256

439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
SHA512

6d1f3bc7054f166470d06724182d30851629f9f932ad6073d460161f9980a8dd257bf25b9477a9632632317f69353686d51e7bcf19324fd3b2483012358d572a

Score

10^/10

evilquest backdoor

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0000000300089886-0.dat	family_evilquest
behavioral1/files/0x0000000300089886-3.dat	family_evilquest
behavioral1/files/0x00000003000898dd-4.dat	family_evilquest
behavioral1/files/0x0000000300089886-5.dat	family_evilquest
behavioral1/files/0x0000000300089886-6.dat	family_evilquest
behavioral1/files/0x00000003000898df-7.dat	family_evilquest
behavioral1/files/0x00000003000898e1-8.dat	family_evilquest

/usr/sbin/spctl
/usr/sbin/spctl --test-devid-status
1⤵
PID:619

/usr/bin/syslog
/usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
1⤵
PID:620

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307\""
1⤵
PID:621

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307\""
1⤵
PID:621

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307\""
1⤵
PID:621

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
1⤵
PID:621

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
1⤵
PID:621
- /bin/zsh
  /bin/zsh -c /Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
  2⤵
  PID:623
- /bin/zsh
  /bin/zsh -c /Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
  2⤵
  PID:623
- /Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
  /Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
  2⤵
  PID:623
- /Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
  /Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307
  2⤵
  PID:623

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:624

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:624

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:624

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:624

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:624

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" "-Djdk.disableLastUsageTracking=true" "-Djava.awt.headless=true " -cp "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/deploy.jar" com.sun.deploy.panel.ControlPanel -getSecurityLevel
1⤵
PID:625

/bin/sh
sh -c "vileges\""
1⤵
PID:645

/bin/bash
sh -c "vileges\""
1⤵
PID:645

/bin/bash
sh -c "vileges\""
1⤵
PID:645

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:646

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:646

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:646

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:646

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:646

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:648

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:648

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:649

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:649

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:649

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:649

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:649

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:650

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:650

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:650

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:650

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:650

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:651

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:651

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:651

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:651

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:651

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:652

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:652

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:652

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:652

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:652

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:653

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:653

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:653

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:653

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:653

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/LaunchDaemons/com.apple.afsvcpd.plist

Filesize
57B

MD5
77711df6cc61c1ffcad6b083c281bc14

SHA1
8e188a650a6ed247ab85fb4e7706afcb13886397

SHA256
7ec24f1fc0287b8f5baf326e4ec5a0f12ace91ce103e99e103f9c1231ea3929f

SHA512
92212a16ec4a270bc942ea060906cd50502fa8894ba0d2139f43bea7bc06154729bebb05d4d73758ded9e5e93e064fbf7e60d757621dd11977a2fea2f1003473

Download Submit
/Library/osxmobiledata/com.apple.afsvcpd

Filesize
180KB

MD5
d3a41f50ff01860decf215f47f24e5a6

SHA1
be43823a07fd40b7c54674067fd58c7812eb393d

SHA256
f37fff9e75584c3b5890e93896f9ab68b824cdda3c2365aa244817d9d3f19548

SHA512
7188293f217c635243e3e34596cdb4a725e55598211fd739c37378dc19e3461a8e9c0125a915d7197f2918cf3549c4d0db7bd1c05a641a525cbe5c91e02e9293

Download Submit
/Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307

Filesize
180KB

MD5
d3a41f50ff01860decf215f47f24e5a6

SHA1
be43823a07fd40b7c54674067fd58c7812eb393d

SHA256
f37fff9e75584c3b5890e93896f9ab68b824cdda3c2365aa244817d9d3f19548

SHA512
7188293f217c635243e3e34596cdb4a725e55598211fd739c37378dc19e3461a8e9c0125a915d7197f2918cf3549c4d0db7bd1c05a641a525cbe5c91e02e9293

Download Submit
/Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307

Filesize
180KB

MD5
d3a41f50ff01860decf215f47f24e5a6

SHA1
be43823a07fd40b7c54674067fd58c7812eb393d

SHA256
f37fff9e75584c3b5890e93896f9ab68b824cdda3c2365aa244817d9d3f19548

SHA512
7188293f217c635243e3e34596cdb4a725e55598211fd739c37378dc19e3461a8e9c0125a915d7197f2918cf3549c4d0db7bd1c05a641a525cbe5c91e02e9293

Download Submit
/Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307

Filesize
180KB

MD5
d3a41f50ff01860decf215f47f24e5a6

SHA1
be43823a07fd40b7c54674067fd58c7812eb393d

SHA256
f37fff9e75584c3b5890e93896f9ab68b824cdda3c2365aa244817d9d3f19548

SHA512
7188293f217c635243e3e34596cdb4a725e55598211fd739c37378dc19e3461a8e9c0125a915d7197f2918cf3549c4d0db7bd1c05a641a525cbe5c91e02e9293

Download Submit
/Users/run/439808cd693a4a409477580f8a1b1c55992b2b644c06155af46905b7c9d7f307

Filesize
180KB

MD5
d3a41f50ff01860decf215f47f24e5a6

SHA1
be43823a07fd40b7c54674067fd58c7812eb393d

SHA256
f37fff9e75584c3b5890e93896f9ab68b824cdda3c2365aa244817d9d3f19548

SHA512
7188293f217c635243e3e34596cdb4a725e55598211fd739c37378dc19e3461a8e9c0125a915d7197f2918cf3549c4d0db7bd1c05a641a525cbe5c91e02e9293

Download Submit
/Users/run/Library/Application Support/Oracle/Java/Deployment/deployment.properties

Filesize
613B

MD5
c02393a822504cd9a1e8695cc514785a

SHA1
fa5eb653948ad50e242cded78ab8aab9d95359a7

SHA256
5d3a480bcfbf46ebcdf011f978424737e5f00352e2e8829205859af9111b7ebc

SHA512
dfa761f23188e0c85ee9827105f40a16e27143d0ff8476a2373445df58f70170cbc0996172800a55e89a5b619c8c10ac190a0932e9f8738b98f5f16c6ea9a1d9

Download Submit
/Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist

Filesize
430B

MD5
3d269391b44f568c96f9f5a420609082

SHA1
e2d49405da7ba6f883b366f71b6905b6ab556cae

SHA256
261e6af4aec0840afe0b4c75c21353d7bc8d69ffb1d26db364f5475962381a12

SHA512
81ae24faac0d2973a90b7ec7415273f95789fbbdeae164df6ffab10bfdfc4896d6ecf4d9b09ca13b2a151a385c59f48594d7b3d0df3b49e3bbc056f15908432c

Download Submit
/Users/run/Library/com.apple.fmrd

Filesize
180KB

MD5
d3a41f50ff01860decf215f47f24e5a6

SHA1
be43823a07fd40b7c54674067fd58c7812eb393d

SHA256
f37fff9e75584c3b5890e93896f9ab68b824cdda3c2365aa244817d9d3f19548

SHA512
7188293f217c635243e3e34596cdb4a725e55598211fd739c37378dc19e3461a8e9c0125a915d7197f2918cf3549c4d0db7bd1c05a641a525cbe5c91e02e9293

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
180KB

MD5
d3a41f50ff01860decf215f47f24e5a6

SHA1
be43823a07fd40b7c54674067fd58c7812eb393d

SHA256
f37fff9e75584c3b5890e93896f9ab68b824cdda3c2365aa244817d9d3f19548

SHA512
7188293f217c635243e3e34596cdb4a725e55598211fd739c37378dc19e3461a8e9c0125a915d7197f2918cf3549c4d0db7bd1c05a641a525cbe5c91e02e9293

Download Submit
/private/etc/emond.d/rules/com.apple.afsvcpd.plist

Filesize
610B

MD5
3caf58748fbc551d38eca0afd5a82171

SHA1
5fb28536e2e2cc93744202afe7f763a7336cdca3

SHA256
62c02caab63b164c1264c41e92d76426a0c2f13abe3c94e0e89e1345a8149332

SHA512
cb6b65b928bf09d9cf1f46e81a08762d2332c7387aa9a2afd4e723b5a3c911bd7930b77deb17d68afeb21e17704c2d61d535aaa789208a10c58ac49be4cc3ff6

Download Submit
/private/tmp/eo/623

Filesize
28B

MD5
9cf04db13740a3c33bc50007eea5eaa2

SHA1
f488569ad38fb31806aa37cc309c2471371e6329

SHA256
66c3f4661d46f08c0285c97e5fbd3f36a60e3144034daff57c66a6e8bd1536d1

SHA512
df88f44797cdf3c75604e18c22631cb0a2cbb9300a6b1052414f508ba99efa3ede5bc9eb6e84da636dc35a09f2be0e77a832a68d989507c58dad23977468aeb0

Download Submit
/private/tmp/eo/623

Filesize
28B

MD5
9cf04db13740a3c33bc50007eea5eaa2

SHA1
f488569ad38fb31806aa37cc309c2471371e6329

SHA256
66c3f4661d46f08c0285c97e5fbd3f36a60e3144034daff57c66a6e8bd1536d1

SHA512
df88f44797cdf3c75604e18c22631cb0a2cbb9300a6b1052414f508ba99efa3ede5bc9eb6e84da636dc35a09f2be0e77a832a68d989507c58dad23977468aeb0

Download Submit
/private/tmp/eo/623

Filesize
28B

MD5
df8f56fdfc6fccc3fef057ca57abae0d

SHA1
e8c9c7a62e8edf1bab32bc96ffc2d74c00d76732

SHA256
c2406c815c918e289e0feec68bcdea6ebdde786fcf007e63ebd8f50a8491a6be

SHA512
21b9e9160589a0e1d4c35aa81b8d1c9db37777b967d09630dfb513c5fa7d0321a25bf5dd0babba63c9b5fc25cd91e7de7af83967269a63a3e62d56d76ddeabac

Download Submit
/private/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/hsperfdata_run/625

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads