Analysis Overview
SHA256
bce3b751920caaae8f5ea88535156f230daf35c02c87ef57405f648441c32664
Threat Level: Known bad
The file 2024-03-04_42e95c6e8b2c7dbd21eddf77be752c49_adload_evilquest was found to be: Known bad.
Malicious Activity Summary
EvilQuest payload
Evilquest family
Launch Agent
Launch Daemon
AppleScript
Launchctl
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-04 12:25
Signatures
EvilQuest payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Evilquest family
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-04 12:25
Reported
2024-03-04 12:25
Platform
macos-20240214-en
Max time kernel
11s
Max time network
16s
Command Line
Signatures
Launch Agent
Launch Daemon
AppleScript
| Description | Indicator | Process | Target |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist | N/A | N/A |
| N/A | /bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist" | N/A | N/A |
| N/A | launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist" | N/A | N/A |
| N/A | launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/2024-03-04_42e95c6e8b2c7dbd21eddf77be752c49_adload_evilquest"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/2024-03-04_42e95c6e8b2c7dbd21eddf77be752c49_adload_evilquest"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/2024-03-04_42e95c6e8b2c7dbd21eddf77be752c49_adload_evilquest]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pluginkit.pkd]
/usr/libexec/pkd
[/usr/libexec/pkd]
/bin/zsh
[/bin/zsh -c /Users/run/2024-03-04_42e95c6e8b2c7dbd21eddf77be752c49_adload_evilquest]
/Users/run/2024-03-04_42e95c6e8b2c7dbd21eddf77be752c49_adload_evilquest
[/Users/run/2024-03-04_42e95c6e8b2c7dbd21eddf77be752c49_adload_evilquest]
/bin/sh
[sh -c sysctl -n hw.ncpu]
/bin/bash
[sh -c sysctl -n hw.ncpu]
/usr/sbin/sysctl
[sysctl -n hw.ncpu]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist" with administrator privileges]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.authtrampoline]
/System/Library/Frameworks/Security.framework/authtrampoline
[/System/Library/Frameworks/Security.framework/authtrampoline]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist]
/usr/libexec/xpcproxy
[xpcproxy afsvcpd]
/usr/bin/sudo
[sudo /Library/osxmobiledata/com.apple.afsvcpd --silent]
/Library/osxmobiledata/com.apple.afsvcpd
[/Library/osxmobiledata/com.apple.afsvcpd --silent]
/bin/sh
[sh -c sysctl -n hw.ncpu]
/bin/bash
[sh -c sysctl -n hw.ncpu]
/usr/sbin/sysctl
[sysctl -n hw.ncpu]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist]
/bin/bash
[/bin/sh -c launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist]
/bin/launchctl
[launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/bin/sh
[/bin/sh -c launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist]
/bin/bash
[/bin/sh -c launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist]
/bin/launchctl
[launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater4B941C11/OneDrive.app]
Network
| Country | Destination | Domain | Proto |
| GB | 17.57.146.152:5223 | tcp | |
| US | 8.8.8.8:53 | 2-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.42.72.131:443 | tcp |