Resubmissions
12-02-2024 18:09
240212-wrhtmsce28 1012-02-2024 09:43
240212-lpzn9sbh65 1012-02-2024 09:37
240212-llppwshh61 10Analysis
-
max time kernel
148s -
max time network
120s -
platform
macos-10.15_amd64 -
resource
macos-20231201-en -
resource tags
-
submitted
12-02-2024 09:37
General
-
Target
Mixed In Key 8.dmg
-
Size
10.4MB
-
MD5
58680abd58baca826c2029f32e5b78b3
-
SHA1
98040c4d358a6fb9fed970df283a9b25f0ab393b
-
SHA256
b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a
-
SHA512
be852ea2a0ce7a119392f6f28033dfcec27ac897f3479767287da8e5b2babd2cff95b94c399e64d5f219fbef3508a3a2f2b2f4346e057ddce416353825994d28
-
SSDEEP
196608:1kBu2wBiw00Bsqbxxf15AS2710A8O2RgXuHueFrs/7M+49/jhHh/:ig2whsQr5ASEcO28enS/7J4tT/
Malware Config
Signatures
-
EvilQuest
EvilQuest family.
-
EvilQuest payload 1 IoCs
-
File Permission 1 TTPs
-
Launch Daemon 1 TTPs
-
AppleScript 1 TTPs 9 IoCs
-
Resource Forking 1 TTPs 4 IoCs
-
Command and Scripting Interpreter 1 TTPs
-
Launchctl 1 TTPs 9 IoCs
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""1⤵
-
/usr/bin/sudosudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"1⤵
-
/bin/zsh/bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"2⤵
-
-
/usr/sbin/installerinstaller -pkg /Users/run/setup.pkg -target /2⤵
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.installd1⤵
-
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd1⤵
-
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid1⤵
-
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/B76A51C7-5546-4A22-AD47-6A35B813C348.activeSandbox/Root /1⤵
-
/tmp/PKInstallSandbox.27tZAG/Scripts/com.mixedinkey.installer.rfywEm/postinstall/tmp/PKInstallSandbox.27tZAG/Scripts/com.mixedinkey.installer.rfywEm/postinstall /Users/run/setup.pkg /Applications / /1⤵
-
/bin/bash/bin/sh /tmp/PKInstallSandbox.27tZAG/Scripts/com.mixedinkey.installer.rfywEm/postinstall /Users/run/setup.pkg /Applications / /1⤵
-
/bin/mkdirmkdir /Library/mixednkey2⤵
-
-
/bin/mvmv /Applications/Utils/patch /Library/mixednkey/toolroomd2⤵
-
-
/bin/rmdirrmdir /Application/Utils2⤵
-
-
/bin/chmodchmod +x /Library/mixednkey/toolroomd2⤵
-
-
/Library/mixednkey/toolroomd/Library/mixednkey/toolroomd2⤵
-
-
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.bird1⤵
-
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E1⤵
-
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.accountsd1⤵
-
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2AppleScript
1Unix Shell
1System Services
1Launchctl
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
85KB
MD5322f4fb8f257a2e651b128c41df92b1d
SHA1efbb681a61967e6f5a811f8649ec26efe16f50ae
SHA2565a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b
SHA51233c8cf815e4b37a3481c0ba4dfb14a4735a46575f6f70d5b351a8595e4ec8886224577c89c80d726f2e3d7cf2460d0cdd983379acb5fda0a9b7310f86c988e53
-
Filesize
99KB
MD50f07cb15d467adba0a80120ef583d92c
SHA19a66033fcbbd2c4a4ad82d173b7d686febcd7509
SHA256977d7b35b060620e979cd8337ef0e4972afc08388986354b7a6b57763d0450d4
SHA512e681f21eb24279dd9bf4f9c9f339f075e6e948d497fb42c4bf614425c4c62bae8fb9e71d9efc61a50f3d6957c211aaebbc20d36836a0d212d96950c252f93561
-
Filesize
82B
MD55f57248f8a15969f55f716d8e7ce1447
SHA12daf28e0b224464534eecc6576c5b87e05cad4a7
SHA25603ee1b034d79af0d5bc807f1560e7ffd5554ff56fcf29a47b3ac5db4f7fa4eb5
SHA5122d9a3e97a5b991d9d22ef5e008f1828b9a7f8b8aa35111250edf45f9ed3f772378119f2a8c18cf5d1141f34d0b04200eadc7b75f1aaa57e0c15083c28f73c5c7
-
Filesize
435B
MD5a3d34532a7dd2cd1d73cea75deb0677f
SHA13019d1c50907fb2597121c03619990c5670ff6f4
SHA256779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735
SHA51252618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91
-
Filesize
314B
MD5bc523f4e6d8e9f3f549eee6c1ec7dbf6
SHA1140baea3cbe248629da2c6dd82977e020e1dbea0
SHA25635afe26a2517408ecb6150be9a24dedae03413ea15868f5e3dcca84ad2bda248
SHA5126518d36de0b04045b92f4b47dcb20d052626248f05293fc8b6f7bcafac1a4e12bf4226daed268fdfd51fc0ad5eb123db6ccf49f51adea7fdbc142e0f3d018a5a
-
Filesize
423B
MD5eb73619f4e724257ff0fd951883a30ae
SHA15032251e50b32e340d8171631a598596bad8991e
SHA2566e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4
SHA512ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c
-
Filesize
3B
MD56e2713a6efee97bacb63e52c54f0ada0
SHA1859371c78674de37bb9ae20743117bad002716e1
SHA2565fbc314fb0b511345465b5b907ec6961328e5e393ff831c8d74912184098bf41
SHA51271095ca02f2cd854850294a5525798175361c75695cf41148804e687b6db1a66a7b3a658c37ef32491721cc80e1caa07f4c20e3e05be29b529d1f22c1b8c419b
-
Filesize
190B
MD503fc4e3ef9bdbccd7ea68537970ce472
SHA17cc289badfe38c5677175fa38810e0e18c51e1d3
SHA256abcce423690c96a06414f68090db40cbdaee12b67f90d1ca64bddbdc1d11d097
SHA5126f089d9c977fabc18e0a599c8239200031b6eeed1fbbd2f8197bb82e7cdd8f695b220902bef49276c6b1ca8784ebc3503aba841146a4ce36b1b571703e832bf1