Malware Analysis Report

2024-11-30 16:07

Sample ID: 231023-ynkj6seb81
Target: NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
SHA256: e9c6463527fad82ce0f0c6f6f4f8c98295e336283513cbaff9a5f8a6629bd14f
Tags: evilquest backdoor
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: e9c6463527fad82ce0f0c6f6f4f8c98295e336283513cbaff9a5f8a6629bd14f
Threat Level: Known bad

The file NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown was found to be: Known bad.

Malicious Activity Summary

evilquest backdoor
EvilQuest payload
Evilquest family
EvilQuest

MITRE ATT&CK: N/A

Analysis: static1

Detonation Overview

Reported: 2023-10-23 19:55

Signatures

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A

Evilquest family

evilquest

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-23 19:55
Reported: 2023-10-23 19:58
Platform: macos-20220504-en
Max time kernel: 142s
Max time network: 152s

Command Line

[/usr/sbin/spctl --status]

Signatures

EvilQuest

backdoor evilquest

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A

Processes

/usr/sbin/spctl: [/usr/sbin/spctl --status]
/usr/sbin/spctl: [/usr/sbin/spctl --test-devid-status]
/bin/sh: [sh -c sudo /bin/zsh -c "/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown"]
/bin/bash: [sh -c sudo /bin/zsh -c "/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown"]
/bin/bash: [sh -c sudo /bin/zsh -c "/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown"]
/usr/bin/sudo: [sudo /bin/zsh -c /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown]
/usr/bin/sudo: [sudo /bin/zsh -c /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown]
/usr/bin/syslog: [/usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature assessments enabled com.apple.message.signature2 devid enabled Message Gatekeeper state assessments enabled/devid enabled]
/bin/zsh: [/bin/zsh -c /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown]
/bin/zsh: [/bin/zsh -c /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown]
/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown: [/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown]
/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown: [/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown]
/bin/sh: [sh -c sysctl -n hw.ncpu]
/bin/bash: [sh -c sysctl -n hw.ncpu]
/bin/bash: [sh -c sysctl -n hw.ncpu]
/usr/sbin/sysctl: [sysctl -n hw.ncpu]
/usr/sbin/sysctl: [sysctl -n hw.ncpu]

Network

Country  Destination       Domain                                Proto
US       8.8.8.8:53        11.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        e673.dsce9.akamaiedge.net             udp
US       2.16.118.172:443  -                                     tcp
US       8.8.8.8:53        16-courier.push.apple.com             udp
US       8.8.8.8:53        18-courier.push.apple.com             udp
US       8.8.8.8:53        35-courier.push.apple.com             udp
US       8.8.8.8:53        5-courier.push.apple.com              udp
US       8.8.8.8:53        itunes.apple.com                      udp
US       8.8.8.8:53        50.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        3.courier-push-apple.com.akadns.net   udp
US       8.8.8.8:53        0.courier-push-apple.com.akadns.net   udp
US       8.8.8.8:53        47.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        17.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        0.courier-push-apple.com.akadns.net   udp
US       8.8.8.8:53        39-courier.push.apple.com             udp
US       8.8.8.8:53        43.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        21.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        48.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        1.courier-push-apple.com.akadns.net   udp
US       8.8.8.8:53        41-courier.push.apple.com             udp
US       8.8.8.8:53        16.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        29.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        20.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        40.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        2.courier-push-apple.com.akadns.net   udp
US       8.8.8.8:53        11.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        40.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        44-courier.push.apple.com             udp
N/A      224.0.0.251:5353  -                                     udp
US       8.8.8.8:53        4-courier.push.apple.com              udp
US       8.8.8.8:53        36-courier.push.apple.com             udp
US       8.8.8.8:53        9-courier.push.apple.com              udp
US       8.8.8.8:53        19.courier-push-apple.com.akadns.net  udp
US       8.8.8.8:53        0.courier-push-apple.com.akadns.net   udp
US       8.8.8.8:53        6-courier.push.apple.com              udp
US       8.8.8.8:53        8-courier.push.apple.com              udp

(- = no domain recorded for this connection)

Files

/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown

MD5 dcce6ebd296fdf1827ae051c8bd587cc
SHA1 7d33c36a569d36f44fd79847bb38e18875766e45
SHA256 3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441
SHA512 afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

/private/tmp/eo/512

MD5 ff9256f01fa5c9704936b83a50415aef
SHA1 b33c11e80cb52e6098cb8bf951c305b913436a0b
SHA256 75652eaf6bc7678abd5f0e8f8e9eac1c190273e74c00e155e1b5cf341e2b786f
SHA512 a7e8dee15c839059eef237e5254d00e3a7d1b5a64459d418b33918c7d0bbd5214c27008ab16f9510c015d465663adbf642fb4b39e575a84404384e71e0598327

/Users/run/Library/com.apple.fmgd

MD5 dcce6ebd296fdf1827ae051c8bd587cc
SHA1 7d33c36a569d36f44fd79847bb38e18875766e45
SHA256 3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441
SHA512 afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

/Library/osxmobiledata/com.apple.afsvcpd

MD5 dcce6ebd296fdf1827ae051c8bd587cc
SHA1 7d33c36a569d36f44fd79847bb38e18875766e45
SHA256 3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441
SHA512 afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 dcce6ebd296fdf1827ae051c8bd587cc
SHA1 7d33c36a569d36f44fd79847bb38e18875766e45
SHA256 3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441
SHA512 afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

/Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist

MD5 3d269391b44f568c96f9f5a420609082
SHA1 e2d49405da7ba6f883b366f71b6905b6ab556cae
SHA256 261e6af4aec0840afe0b4c75c21353d7bc8d69ffb1d26db364f5475962381a12
SHA512 81ae24faac0d2973a90b7ec7415273f95789fbbdeae164df6ffab10bfdfc4896d6ecf4d9b09ca13b2a151a385c59f48594d7b3d0df3b49e3bbc056f15908432c

/Library/LaunchDaemons/com.apple.afsvcpd.plist

MD5 98ac9867a02942743223416bb55cb710
SHA1 96a0bddf25fa6587af228c1e1ccc8daefd921c64
SHA256 9c902e7c84016b5bb9839f9fbc44ad9a545a3e2770b56a94e6d8ca277111ef60
SHA512 190ca2fc3fef6d8be34777ce59287894a703f5f5aa9f70c9d3af876c58092a5de3d9a52ab0b8b2b56c528a82595954c07705602cdd46bdfffeef13303556db69

/private/etc/emond.d/rules/com.apple.afsvcpd.plist

MD5 3caf58748fbc551d38eca0afd5a82171
SHA1 5fb28536e2e2cc93744202afe7f763a7336cdca3
SHA256 62c02caab63b164c1264c41e92d76426a0c2f13abe3c94e0e89e1345a8149332
SHA512 cb6b65b928bf09d9cf1f46e81a08762d2332c7387aa9a2afd4e723b5a3c911bd7930b77deb17d68afeb21e17704c2d61d535aaa789208a10c58ac49be4cc3ff6

/private/tmp/eo/512

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/private/tmp/eo/512

MD5 45a747786c65138e3085b1595325fc16
SHA1 0b86560fbbc6da2b5397677ba903a92ac635e61d
SHA256 11c3eb95be081ddf083cd5831e510cfdba5ebac9f638613349f13162e3ee65eb
SHA512 8dc663f76d27ce2553cc3ae8666bb56ecc36ff19d4b9eaf4d9e5a1c144866bf787be685cbc1fbb49c389bb3bdea7a4aebbd578170ec63cfa4e373278d36d1ebf