Malware Analysis Report

2024-11-30 16:06

Sample ID 240125-hhgnbsahfn
Target 2024-01-25_f4e514a1877c8d5465614fdb90e170a5_adload_evilquest
SHA256 bef03faf06b74d094fdb30fcae133d94ff5159a9dcdf3ee44c90896b3ab37147
Tags
execution persistence evilquest
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bef03faf06b74d094fdb30fcae133d94ff5159a9dcdf3ee44c90896b3ab37147

Threat Level: Known bad

The file 2024-01-25_f4e514a1877c8d5465614fdb90e170a5_adload_evilquest was found to be: Known bad.

Malicious Activity Summary

execution persistence evilquest

EvilQuest payload

Evilquest family

Launch Agent

Launchctl

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 06:44

Signatures

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A

Evilquest family

evilquest

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 06:44

Reported

2024-01-25 06:46

Platform

macos-20231201-en

Max time kernel

148s

Max time network

147s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/2024-01-25_f4e514a1877c8d5465614fdb90e170a5_adload_evilquest"]

Signatures

Launch Agent

persistence

Launchctl

execution
Description Indicator Process Target
N/A launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A /bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" N/A N/A
N/A launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A /bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/2024-01-25_f4e514a1877c8d5465614fdb90e170a5_adload_evilquest"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/2024-01-25_f4e514a1877c8d5465614fdb90e170a5_adload_evilquest"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/2024-01-25_f4e514a1877c8d5465614fdb90e170a5_adload_evilquest]

/bin/zsh

[/bin/zsh -c /Users/run/2024-01-25_f4e514a1877c8d5465614fdb90e170a5_adload_evilquest]

/Users/run/2024-01-25_f4e514a1877c8d5465614fdb90e170a5_adload_evilquest

[/Users/run/2024-01-25_f4e514a1877c8d5465614fdb90e170a5_adload_evilquest]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.authtrampoline]

/System/Library/Frameworks/Security.framework/authtrampoline

[/System/Library/Frameworks/Security.framework/authtrampoline]

/bin/sh

[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

Network

Country Destination Domain Proto
US 20.42.73.28:443 tcp
US 8.8.8.8:53 e673.dsce9.akamaiedge.net udp
US 8.8.8.8:53 certs.apple.com udp
DE 17.253.79.202:80 certs.apple.com tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.2:443 tcp
US 8.8.8.8:53 cds.apple.com udp
RO 82.78.25.240:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 23.44.233.108:443 help.apple.com tcp
GB 23.44.233.108:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

N/A