evilquest | b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

Resubmissions

12-02-2024 18:09

240212-wrhtmsce28 10

12-02-2024 09:43

240212-lpzn9sbh65 10

12-02-2024 09:37

240212-llppwshh61 10

Analysis

max time kernel
163s
max time network
175s
platform
macos-10.15_amd64
resource
macos-20231201-en
resource tags

arch:amd64arch:i386image:macos-20231201-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
12-02-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mixed In Key 8.dmg
Size

10.4MB
MD5

58680abd58baca826c2029f32e5b78b3
SHA1

98040c4d358a6fb9fed970df283a9b25f0ab393b
SHA256

b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a
SHA512

be852ea2a0ce7a119392f6f28033dfcec27ac897f3479767287da8e5b2babd2cff95b94c399e64d5f219fbef3508a3a2f2b2f4346e057ddce416353825994d28
SSDEEP

196608:1kBu2wBiw00Bsqbxxf15AS2710A8O2RgXuHueFrs/7M+49/jhHh/:ig2whsQr5ASEcO28enS/7J4tT/

Score

10^/10

evilquest backdoor evasion execution persistence ransomware

Malware Config

Extracted

Path

/Users/run/Desktop/READ_ME_NOW.txt

Ransom Note

YOUR IMPORTANT FILES ARE ENCRYPTED Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service. We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement). Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included. In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever. Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is: 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7 Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored. THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE

Wallets

13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 1 IoCs

Processes:

resource	yara_rule
/Library/AppQuest/com.apple.questd	family_evilquest

File Permission 1 TTPs
evasion

Linux and Mac File and Directory Permissions Modification
T1222.002
Launch Daemon 1 TTPs
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 25 IoCs

execution

AppleScript

T1059.002

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""

Resource Forking 1 TTPs 9 IoCs

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/76190580-F2F3-4BE3-899A-9BB0DEA1B8F0.activeSandbox/Root /
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd

Command and Scripting Interpreter 1 TTPs

Unix Shell
T1059.004

Launchctl 1 TTPs 24 IoCs

execution

Launchctl

T1569.001

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""

/bin/sh
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:554

/bin/bash
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:554

/usr/bin/sudo
sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
1⤵
PID:554

/bin/zsh
/bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
2⤵
PID:555

/usr/sbin/installer
installer -pkg /Users/run/setup.pkg -target /
2⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:556

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:556

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
1⤵
PID:557

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/76190580-F2F3-4BE3-899A-9BB0DEA1B8F0.activeSandbox/Root /
1⤵
PID:558

/tmp/PKInstallSandbox.lNhZtG/Scripts/com.mixedinkey.installer.IuOVo1/postinstall
/tmp/PKInstallSandbox.lNhZtG/Scripts/com.mixedinkey.installer.IuOVo1/postinstall /Users/run/setup.pkg /Applications / /
1⤵
PID:559

/bin/bash
/bin/sh /tmp/PKInstallSandbox.lNhZtG/Scripts/com.mixedinkey.installer.IuOVo1/postinstall /Users/run/setup.pkg /Applications / /
1⤵
PID:559

/bin/mkdir
mkdir /Library/mixednkey
2⤵
PID:560

/bin/mv
mv /Applications/Utils/patch /Library/mixednkey/toolroomd
2⤵
PID:561

/bin/rmdir
rmdir /Application/Utils
2⤵
PID:562

/bin/chmod
chmod +x /Library/mixednkey/toolroomd
2⤵
PID:563

/Library/mixednkey/toolroomd
/Library/mixednkey/toolroomd
2⤵
PID:564

/Users/run/Hellper.app
2⤵
PID:564

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
1⤵
PID:565

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:568

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:568

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:569

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:569

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:572

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:572

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:573

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:573

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:576

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:576

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:577

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:577

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:579

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:579

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:580

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:580

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:581

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.installer.2124
1⤵
PID:582

/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:583

/usr/libexec/xpcproxy
xpcproxy com.apple.replayd
1⤵
PID:586

/usr/libexec/replayd
/usr/libexec/replayd
1⤵
PID:586

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:588

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:588

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:591

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:591

/usr/libexec/xpcproxy
xpcproxy com.apple.system_installd
1⤵
PID:592

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 584
1⤵
PID:593

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:593

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:596

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.security.agent
1⤵
PID:598

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
1⤵
PID:598

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:602

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:603

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:603

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authhost.00000000-0000-0000-0000-0000000186A6
1⤵
PID:604

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
1⤵
PID:604

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:609

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:609

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:612

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:612

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 584
1⤵
PID:616

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:616

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:618

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:620

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:622

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:622

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:623

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:623

/usr/libexec/xpcproxy
xpcproxy com.apple.installer.2124
1⤵
PID:624

/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
1⤵
PID:624

/usr/libexec/xpcproxy
xpcproxy com.apple.security.agent
1⤵
PID:625

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
1⤵
PID:625

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:626

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:626

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:627

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:627

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:628

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:628

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:629

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:629

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:630

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:630

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:631

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:631

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:632

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:632

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:633

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:633

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:634

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:634

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authhost.00000000-0000-0000-0000-0000000186A6
1⤵
PID:635

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
1⤵
PID:635

/bin/sh
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:636

/bin/bash
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:636

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.satellite.EDA20573-B455-4868-8CAD-F48228F48D53 589
1⤵
PID:637

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
1⤵
PID:637

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:638

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:638

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:639

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:639

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:640

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:640

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:641

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:641

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:642

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:642

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:643

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:643

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:644

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:644

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:645

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:645

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:646

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:646

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:651

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:651

/usr/libexec/xpcproxy
xpcproxy com.apple.TextEdit.2092
1⤵
PID:652

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
1⤵
PID:652

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:654

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:654

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:670

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:670

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:696

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:696

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:708

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:708

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:709

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:709

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:710

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:710

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:711

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:711

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Unix Shell

T1059.004

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Applications/Mixed In Key 8.app/Contents/Info.plist

Filesize
3KB

MD5
eb5ba03f7e18e66f902c3080682d4476

SHA1
f9fb20c25769bf24b717a18755d442b00f91ee9b

SHA256
25462eb1953770cb4b44669d2480c5b772a977de699caa181c408f20835790ab

SHA512
67f30b0ace358bf41322235c10262f44324f2b8e11b50702ff95afd52c39934edfcc16d7009332dd60cdfb4a416b1a375474637acfd58f319bc08cd987408dc5

Download Submit
/Library/AppQuest/com.apple.questd

Filesize
85KB

MD5
322f4fb8f257a2e651b128c41df92b1d

SHA1
efbb681a61967e6f5a811f8649ec26efe16f50ae

SHA256
5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b

SHA512
33c8cf815e4b37a3481c0ba4dfb14a4735a46575f6f70d5b351a8595e4ec8886224577c89c80d726f2e3d7cf2460d0cdd983379acb5fda0a9b7310f86c988e53

Download Submit
/Library/InstallerSandboxes/.PKInstallSandboxManager/76190580-F2F3-4BE3-899A-9BB0DEA1B8F0.activeSandbox/Boms/com.mixedinkey.installer.bom

Filesize
99KB

MD5
0f07cb15d467adba0a80120ef583d92c

SHA1
9a66033fcbbd2c4a4ad82d173b7d686febcd7509

SHA256
977d7b35b060620e979cd8337ef0e4972afc08388986354b7a6b57763d0450d4

SHA512
e681f21eb24279dd9bf4f9c9f339f075e6e948d497fb42c4bf614425c4c62bae8fb9e71d9efc61a50f3d6957c211aaebbc20d36836a0d212d96950c252f93561

Download Submit
/Library/InstallerSandboxes/.PKInstallSandboxManager/76190580-F2F3-4BE3-899A-9BB0DEA1B8F0.activeSandbox/Scripts/com.mixedinkey.installer.IuOVo1//Scripts/._postinstall__

Filesize
82B

MD5
5f57248f8a15969f55f716d8e7ce1447

SHA1
2daf28e0b224464534eecc6576c5b87e05cad4a7

SHA256
03ee1b034d79af0d5bc807f1560e7ffd5554ff56fcf29a47b3ac5db4f7fa4eb5

SHA512
2d9a3e97a5b991d9d22ef5e008f1828b9a7f8b8aa35111250edf45f9ed3f772378119f2a8c18cf5d1141f34d0b04200eadc7b75f1aaa57e0c15083c28f73c5c7

Download Submit
/Library/LaunchDaemons/com.apple.questd.plist

Filesize
435B

MD5
a3d34532a7dd2cd1d73cea75deb0677f

SHA1
3019d1c50907fb2597121c03619990c5670ff6f4

SHA256
779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735

SHA512
52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

Download Submit
/Users/run/.CFUserTextEncoding

Filesize
314B

MD5
2a4002c2cd9fdd06cc4b22750f8b4cfb

SHA1
c11048f42927bf0d724d04e81002bf8082a3173a

SHA256
3e375778aef5a3396ffb2d570de278abf6e76426513cac8178f4eb808341334e

SHA512
71b22fa328f9f3e0d30416a4b89800cbfb3b28df3b52a6bc542d7aa2024ed52e7d88e1a91f2cfdc6ad09e498f7786748622caa5b723861725436f7a3ff4de337

Download Submit
/Users/run/Desktop/READ_ME_NOW.txt

Filesize
1KB

MD5
7a7187f67a2d1523378ae5c72e9c281d

SHA1
5afcffb685913f2760d88613648919630b79a9c8

SHA256
19744bd95c27fdef870911dffa9c86dca5e3af94c2d28c4faf630450b456f4ad

SHA512
dc70978fb1403bf22f7b61adcfad2e32274898616e418737c26135ce42aa952de889bbb3d43d4a07de2080a65c133c0027f83fa6aac6779492b443b60d657f58

Download Submit
/Users/run/Library/Containers/com.apple.TextEdit/Data/Library/Saved Application State/com.apple.TextEdit.savedState/data.data

Filesize
1KB

MD5
653514f2b0273e43afc03d87a1b3eeb7

SHA1
9ac841e45c5ceee04893eb5076b149db8d90ce22

SHA256
7ad86921d8e83496bfd669820fc8586d2c14e09246623437b74ab5e7b7131e96

SHA512
146652782e06d1da5be63ed275cd50ba6d2b7e88290b5454780a9060dfe2d401a8a6d77cb1a547b9856950ff1eb04bcc30008ffd9f6c48479aa9bf68b8012a2b

Download Submit
/Users/run/Library/LaunchAgents/com.apple.questd.plist

Filesize
423B

MD5
eb73619f4e724257ff0fd951883a30ae

SHA1
5032251e50b32e340d8171631a598596bad8991e

SHA256
6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4

SHA512
ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c

Download Submit
/private/var/db/receipts/com.mixedinkey.installer.plist

Filesize
258B

MD5
4b0aa5074938a05838bc43ba5af19393

SHA1
295306c00e877bdd5d3b9761a82fdb290fa3aa81

SHA256
709e75c5ae0bb653a426666438a82ef7ffbfb58bf2eba1e5b7b0d5a69b5887be

SHA512
5bd39a14277610d45d50c3d82418964c010ce7489e67583407e363e135715912c2582206cba15503ff485f20f12b0f473dd06866b042ccf46effce86d593b5d6

Download Submit
/private/var/run/installd.commit.pid

Filesize
3B

MD5
11b921ef080f7736089c757404650e40

SHA1
170377543ef02d8082756be316e863c382a1d1bc

SHA256
9d6aa3d89c0171b9c2ccd57e6d41ccec3053d3c3f118386e7f10b89ebaa7b8e4

SHA512
c0abf258c73d41d29f1dd99f324216ba64b551e2e0d5e4968f858dbedbbac6cd47aa90a01cd426e6d301d543428d6953a183ee3997a64bcc0b82fd300bf2df50

Download Submit
/tmp/PKInstallSandbox.lNhZtG/Scripts/com.mixedinkey.installer.IuOVo1/postinstall

Filesize
190B

MD5
03fc4e3ef9bdbccd7ea68537970ce472

SHA1
7cc289badfe38c5677175fa38810e0e18c51e1d3

SHA256
abcce423690c96a06414f68090db40cbdaee12b67f90d1ca64bddbdc1d11d097

SHA512
6f089d9c977fabc18e0a599c8239200031b6eeed1fbbd2f8197bb82e7cdd8f695b220902bef49276c6b1ca8784ebc3503aba841146a4ce36b1b571703e832bf1

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit