evilquest | b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

Analysis

max time kernel
148s
max time network
155s
platform
macos-10.15_amd64
resource
macos-20240214-en
resource tags

arch:amd64arch:i386image:macos-20240214-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
03-04-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mixed In Key 8.pkg
Size

10.0MB
MD5

66405f4bb6db1136037fde9f43830119
SHA1

0898cd7a55b55853ce9da0f0f360ec31ecec4974
SHA256

9e8c30955ccb5797efaab676ffdf36fe08ce32d4aab4d18e1a9ed2be43d5db0f
SHA512

3c176a83742d35b10645b70db4ed2ff00b888073d0daa73c7a4ce11c88b5b2cda818b9ab1844b35192bbd2436567e186ca200432fe4ef8a377ecf4be49da3da1
SSDEEP

196608:NkBu2wBiw00Bsqbxxf19Hhx7r0A8JAi2RgXuHueFrs/7M+XvEYBu:Kg2whsQrndWJAi28enS/7JXtBu

Score

10^/10

evilquest backdoor evasion execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 1 IoCs

resource	yara_rule
behavioral5/files/0x000000030008b306-12.dat	family_evilquest

Compromise Client Software Binary 1 TTPs 2 IoCs

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server.

persistence

Compromise Host Software Binary

T1554

ioc	Process
/Library/AppQuest/com.apple.questd	Process not Found
/Users/run/Library/AppQuest/com.apple.questd	Process not Found

File Permission 1 TTPs
Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Installer Packages 1 TTPs 2 IoCs

Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system.

persistence

Installer Packages

T1546.016

ioc	Process
/tmp/PKInstallSandbox.2qiXVL/Scripts/com.mixedinkey.installer.XVNem6/postinstall /Users/run/setup.pkg /Applications / /	Process not Found
/bin/sh /tmp/PKInstallSandbox.2qiXVL/Scripts/com.mixedinkey.installer.XVNem6/postinstall /Users/run/setup.pkg /Applications / /	Process not Found

Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 14 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found

Resource Forking 1 TTPs 4 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/5901FEA0-A3DF-4219-ADC3-696F0061013D.activeSandbox/Root /	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd	Process not Found

Command and Scripting Interpreter 1 TTPs
Adversaries may abuse Unix shell commands and scripts for execution.
execution

Unix Shell
T1059.004

Launchctl 1 TTPs 14 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:544

/bin/bash
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:544

/usr/bin/sudo
sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
1⤵
PID:544
- /bin/zsh
  /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
  2⤵
  PID:545
- /usr/sbin/installer
  installer -pkg /Users/run/setup.pkg -target /
  2⤵
  PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:546

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:547

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:548

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:548

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
1⤵
PID:549

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/5901FEA0-A3DF-4219-ADC3-696F0061013D.activeSandbox/Root /
1⤵
PID:550

/tmp/PKInstallSandbox.2qiXVL/Scripts/com.mixedinkey.installer.XVNem6/postinstall
/tmp/PKInstallSandbox.2qiXVL/Scripts/com.mixedinkey.installer.XVNem6/postinstall /Users/run/setup.pkg /Applications / /
1⤵
PID:551

/bin/bash
/bin/sh /tmp/PKInstallSandbox.2qiXVL/Scripts/com.mixedinkey.installer.XVNem6/postinstall /Users/run/setup.pkg /Applications / /
1⤵
PID:551
- /bin/mkdir
  mkdir /Library/mixednkey
  2⤵
  PID:552
- /bin/mv
  mv /Applications/Utils/patch /Library/mixednkey/toolroomd
  2⤵
  PID:553
- /bin/rmdir
  rmdir /Application/Utils
  2⤵
  PID:555
- /bin/chmod
  chmod +x /Library/mixednkey/toolroomd
  2⤵
  PID:556
- /Library/mixednkey/toolroomd
  /Library/mixednkey/toolroomd
  2⤵
  PID:557

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
1⤵
PID:558

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:578

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:578

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:579

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:579

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:580

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:580

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:581

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:581

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:582

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:583

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:583

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:585

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:585

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:587

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:587

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:588

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:588

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:589

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:589

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:590

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:590

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:591

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:591

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:592

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:593

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:593

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:594

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:594

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:592

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:595

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:595

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:596

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:618

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:617

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:621

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:621

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:630

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:630

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:635

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:635

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:638

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:638

/usr/libexec/xpcproxy
xpcproxy com.apple.security.agent
1⤵
PID:642

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
1⤵
PID:642

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:643

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:643

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:646

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:646

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:652

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:652

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:658

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:658

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:663

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:663

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:664

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:664

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:665

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:665

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Unix Shell

T1059.004

System Services

T1569

Launchctl

T1569.001

Persistence

Compromise Host Software Binary

T1554

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/AppQuest/com.apple.questd

Filesize
85KB

MD5
322f4fb8f257a2e651b128c41df92b1d

SHA1
efbb681a61967e6f5a811f8649ec26efe16f50ae

SHA256
5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b

SHA512
33c8cf815e4b37a3481c0ba4dfb14a4735a46575f6f70d5b351a8595e4ec8886224577c89c80d726f2e3d7cf2460d0cdd983379acb5fda0a9b7310f86c988e53

Download Submit
/Library/InstallerSandboxes/.PKInstallSandboxManager/5901FEA0-A3DF-4219-ADC3-696F0061013D.activeSandbox/Boms/com.mixedinkey.installer.bom

Filesize
99KB

MD5
0f07cb15d467adba0a80120ef583d92c

SHA1
9a66033fcbbd2c4a4ad82d173b7d686febcd7509

SHA256
977d7b35b060620e979cd8337ef0e4972afc08388986354b7a6b57763d0450d4

SHA512
e681f21eb24279dd9bf4f9c9f339f075e6e948d497fb42c4bf614425c4c62bae8fb9e71d9efc61a50f3d6957c211aaebbc20d36836a0d212d96950c252f93561

Download Submit
/Library/InstallerSandboxes/.PKInstallSandboxManager/5901FEA0-A3DF-4219-ADC3-696F0061013D.activeSandbox/Scripts/com.mixedinkey.installer.XVNem6//Scripts/._postinstall__

Filesize
82B

MD5
5f57248f8a15969f55f716d8e7ce1447

SHA1
2daf28e0b224464534eecc6576c5b87e05cad4a7

SHA256
03ee1b034d79af0d5bc807f1560e7ffd5554ff56fcf29a47b3ac5db4f7fa4eb5

SHA512
2d9a3e97a5b991d9d22ef5e008f1828b9a7f8b8aa35111250edf45f9ed3f772378119f2a8c18cf5d1141f34d0b04200eadc7b75f1aaa57e0c15083c28f73c5c7

Download Submit
/Library/LaunchDaemons/com.apple.questd.plist

Filesize
435B

MD5
a3d34532a7dd2cd1d73cea75deb0677f

SHA1
3019d1c50907fb2597121c03619990c5670ff6f4

SHA256
779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735

SHA512
52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
439B

MD5
c05b619361d2cac0288befbdef519546

SHA1
634e507971e2bd2697df0cdbbe8772e6fbec276e

SHA256
1b2c817978649cad70d67be41215a663790d97707b7512cfc156b488438cbec8

SHA512
86308ab30375670ff5eb886d50e3b5be5f3b7d60e0de53458e0372c0c67cbfd1c58450acb201c7d21a5f351c2b0e796d1777dbaa1e2b83ef7f69a83dac26ba20

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
42B

MD5
ce7f5b3d4bfc7b4b0da6a06dccc515f2

SHA1
ce657a52a052a3aaf534ecfbf7cbdde4ee334c10

SHA256
9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1

SHA512
db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

Download Submit
/Users/run/.CFUserTextEncoding

Filesize
314B

MD5
e1602e10f2166316534304882ed812fe

SHA1
ab7c57fc7e9024e1be5f9607b1b3fe4f11346e13

SHA256
57c59f2a84faa2c07c745ae684ea95b6a018eb709aa196ffd15efac476256e17

SHA512
01fd4a1de6db8d5ac9ac9539baeb9f811cbf7d7c11559eda0a8903240c0d46e295a772b698573e97c895de3ba4643328b895c0401e4d3fe3ec88e3ac3e4637d4

Download Submit
/Users/run/Library/Keychains/login.keychain-db

Filesize
102KB

MD5
19649f60a514e768f47fddb885dbdd8d

SHA1
008b2b7e09bfc417f848080e354480d101446b04

SHA256
7404fa3dc97bea8d6620536420b198df41c5f27fc28924f44d49a855f44e476d

SHA512
b2ce1a9f272fdfda06c9f2c65295a8517beb08e5a6b3c2625b37b41499cb0292281b7b21e69eeb0a9bb74d68942e09d3c53110128e5c4a3bb94fdf1b9c39978a

Download Submit
/Users/run/Library/LaunchAgents/com.apple.questd.plist

Filesize
423B

MD5
eb73619f4e724257ff0fd951883a30ae

SHA1
5032251e50b32e340d8171631a598596bad8991e

SHA256
6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4

SHA512
ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c

Download Submit
/Users/run/Library/Preferences/ByHost/.GlobalPreferences.C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

Filesize
1KB

MD5
fe12d2946e5853696d5ccff8edc7a37d

SHA1
ff3eff7c8bdcb0f664cd266887ea02ed62509437

SHA256
0bc38eb0df45929bc3eac16440a0f12801a8228b3fea4bdf3c40e43d9bcf735b

SHA512
1969947770d47ae2a7b7747e239de26d52ea8e0f54aad2c2d58b507abdee0ce386290cf9598d42bee0d1339a832b003a9c3f9d8c76d6ea8a33c5a732b322f97d

Download Submit
/private/var/run/installd.commit.pid

Filesize
3B

MD5
8d34201a5b85900908db6cae92723617

SHA1
916f5b10fee9db4c317b6fbbc343cc3cd03f1569

SHA256
6e2d4d3a3d4c4bb21b095657230061140c63b1ff4d89d85e32fb9a312319b35f

SHA512
d6f05e1dbd0120194a8504e4cc3872b961e506fcef82524e44f179a976d125369ae773935df81c7a9c94fea19c8d6ed5098733ae3423309786d20841f7db2111

Download Submit
/tmp/PKInstallSandbox.2qiXVL/Scripts/com.mixedinkey.installer.XVNem6/postinstall

Filesize
190B

MD5
03fc4e3ef9bdbccd7ea68537970ce472

SHA1
7cc289badfe38c5677175fa38810e0e18c51e1d3

SHA256
abcce423690c96a06414f68090db40cbdaee12b67f90d1ca64bddbdc1d11d097

SHA512
6f089d9c977fabc18e0a599c8239200031b6eeed1fbbd2f8197bb82e7cdd8f695b220902bef49276c6b1ca8784ebc3503aba841146a4ce36b1b571703e832bf1

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads