evilquest | 55832f32e9ef543e6c24394025ebf4b5a6e13561bcbe8ade0f015611d11693d1

Analysis

max time kernel
148s
max time network
153s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
25-04-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000c1e86a49c6f2a66dc3419946bac81_JaffaCakes118
Size

168KB
MD5

000c1e86a49c6f2a66dc3419946bac81
SHA1

7f4f0e180708828ebce1b27f9e9145ebc4885245
SHA256

55832f32e9ef543e6c24394025ebf4b5a6e13561bcbe8ade0f015611d11693d1
SHA512

92bd7f57657a04956523a8be7a542d009bee4ed41c88bcf6d6e35019a2117f66d24a128a47a99f2612e21537c1225139fcb7f4747b5634fe90a9793f610a605c
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9+YB0:5SeOQdaZNxtk8cqhSxvHY9R

Score

10^/10

evilquest backdoor evasion execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 15 IoCs

Processes:

resource	yara_rule
/Users/run/000c1e86a49c6f2a66dc3419946bac81_JaffaCakes118	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"

Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
evasion

Resource Forking
T1564.009

Processes:

ioc process

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

ioc	process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

Launchctl 1 TTPs 16 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.csrutil.report
1⤵
PID:561

/usr/bin/csrutil
/usr/bin/csrutil report
1⤵
PID:561

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/000c1e86a49c6f2a66dc3419946bac81_JaffaCakes118\""
1⤵
PID:562

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/000c1e86a49c6f2a66dc3419946bac81_JaffaCakes118\""
1⤵
PID:562

/usr/libexec/dmd
/usr/libexec/dmd
1⤵
PID:552

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:560

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/000c1e86a49c6f2a66dc3419946bac81_JaffaCakes118
1⤵
PID:562
- /bin/zsh
  /bin/zsh -c /Users/run/000c1e86a49c6f2a66dc3419946bac81_JaffaCakes118
  2⤵
  PID:564
- /Users/run/000c1e86a49c6f2a66dc3419946bac81_JaffaCakes118
  /Users/run/000c1e86a49c6f2a66dc3419946bac81_JaffaCakes118
  2⤵
  PID:564

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:565

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:565

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:565

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:589

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:589

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:590

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:590

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:590

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:591

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:591

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:592

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:592

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:593

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:593

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:594

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:594

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:595

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:595

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:595

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:594

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:596

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:596

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:596

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:597

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:597

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:597

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:598

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:598

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:598

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:599

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:600

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:599

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:599

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:601

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:601

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:601

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:600

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:603

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:603

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:604

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:604

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:605

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:605

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:605

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:609

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:609

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:611

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:613

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:613

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:616

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:616

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:617

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:617

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:624

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:624

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:625

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:625

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:626

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:626

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:627

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:627

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:628

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:628

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:630

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:634

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:634

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:635

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:635

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:636

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:636

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:637

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:637

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:637

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:639

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:639

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:640

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:640

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:642

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:642

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:643

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:643

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:644

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:644

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:645

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:645

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:646

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:646

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:646

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:650

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:650

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:651

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:651

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:651

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:653

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:653

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:654

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:654

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:654

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:655

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:655

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:656

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:656

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:656

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:657

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:658

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:659

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:659

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:660

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:660

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:660

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:668

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:668

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:669

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:669

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:669

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:670

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:670

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:671

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:671

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:671

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:672

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:672

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:673

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:673

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:673

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:677

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:677

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:678

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:678

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:678

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:679

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:679

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:680

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:680

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
e6f941f14a3c6e26f90727a61ca023dc

SHA1
5fb5c085e330f85bf885b819ca16e8d8422abe6f

SHA256
468158e90b6831466acca04df7fb75730ce50637b329d76355056517a5b7d3f4

SHA512
9b9df7c23a8e7731c62e54aca1d8fc7332516d4720904db71f6c5430cca723717c85477882fa61b638fcbb8893788923c2ca6ad09047cfef1ba649b676f2b92f

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
aa5bbb9274de566035968a7a4b95db8e

SHA1
962edc5af43543854947dffbd466171d3fda9d3e

SHA256
4107b02424b9cf9393f49086a40debbe32d86de7985c4d8659cd1dbe624870f8

SHA512
84c47cced10e3edfebbbd514bb4245229a27461754d8a8caa5d3e0ba65dedfca17001e84247676744aa2c2931f93ccc555ee1a33d4417757b8ccab295d4609d3

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
18cbc7663ed0307c3b1c89f0219df749

SHA1
a68d2729461fba646f357e1d9d6bd88e8cdfeeed

SHA256
2817ac87856eea0cb7ec3e2c06dfd2d134b2b99b98e2e6b4afa5c72e73dd7f85

SHA512
155ca3ab293bd03b07fbc8e868d26f56bdf15f44999cf162b9ab6221782d49b2d4abbebfd77ca59760c6c2c26c6729710dddd18682fe03ed7c0ddaf9c41dd78c

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
d695edd8d4bc4622ffe00256f1bb81ee

SHA1
18628a7b843a12f1398cb19c0c5f298ab7e47b18

SHA256
3b5040c5d2cd26655decc4d82976a2a75f58f8baf4d99f44982227e25595baf4

SHA512
06fcf3ccc5109f7602bc60f4ae720b3daf79c56da6110dd46cc75425647294c7dae9173f0050e8faf9fc99abd6582d81071116fe9793efd1a99de95fd8e6b608

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
ad9b4ef4574e39cd0799c10889532077

SHA1
1eefee7904053ff3d0b6951600485abd24e0c278

SHA256
7d858364c0e2500b35ff270348a621605700edaa3fa44879852d2f7e3b8e1751

SHA512
308a7cacb38e61171be1e445abea3a31e8f8bf473a09255b72df4de59ab6ab50e536d6238827bf51072b50059bb72c8ab11e0f4864d603a61528fec0178c0c8b

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
8646c812b71031c056a6666f5f8f4f8b

SHA1
efc43bdc3b9f0c9e0fb8db0693eb790b5d9513f6

SHA256
a0725cfc4377a095d273e69ae6599f513506fababf1208f05cb040dce14bd512

SHA512
cfbab2a03c9d8bf2c17f03efc08c88ed990734f9e6d051de3713ac3ebaf3d6110e742cf4c9d130c0046e4446190a7985243d1e72ebf99152578f440604e7328c

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
e5d101ff90e8cac49255cf0912e8350d

SHA1
6b0892ca1d35f16bce4122a2f6cb468250fbc0d5

SHA256
138cca7dac7e7a78c760937bab1f6a0cf0f9096dc170971a97b46c6ff9f0d25e

SHA512
b6b9bb50de970094b9e3e0bbc115b9f428300e9ce0a2c892f028d12d21f267ec0aca21a1b5e1f3230a810efc113950bbd310956b5bffe7620bf47a308ba1d916

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
64c5a655764d9c97f38c8197a270c71b

SHA1
075dda53002c7535a2908f679f5cca96f7e9fe38

SHA256
64a878e4626f6e3f6a99629c6418690cd465b86348be6335a5aed43c4f49fca6

SHA512
dc7f041bf59a2b19b7266f0dc90cb9e08fca1f9ae8669f707a17d971f8af66539594d62202f61b77d04ffe9de0828e0c9fdb07a0e5ec43cd45bf729cae48fcd8

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
55666b47e2b0f2178b42946cd8f2b236

SHA1
bc3736497e3266ebe9776f156486ab61800ee17f

SHA256
57bb08445812dd0f81967681c2e2d0e12e2c81914a58d2f75aae3ef824145bcc

SHA512
5ba7b2c628689dd16dcc440aa58c7ecc58ad074d40220d08fdfa7fa31b8babeac9a7f6cc46bfbb7fe4f5d1bba77b1377a94fec4c743b7df9e1b6abd50eb5ae7e

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
d945a87a7de0ac56a17af2f78f414b05

SHA1
78ecc88450fa3be50ef4fbc7a7be9200a78bcc5a

SHA256
e4c253b4bac719a2e18045596facaba5344134611ae1394749e34237d95357e4

SHA512
751021fbcffd3a104f9ebb4b168435d48b99ddb6dbd7c9f58690a616a0829df291454a179e1f868ef4058566ae5a331d98cb9e240d5b9da7781bb122b651ccc6

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
657c5b0be9071e13c14ac78841a178f6

SHA1
2b52e5cd07b64dd1e21693d580d25cfb43b91817

SHA256
53fcc10518fdaf0cdc8fc3857230f73ea607d590b586e410685f1a2ae40fdd91

SHA512
320248fa467dd2c7c8b42f8fc382d215a10eb996b24c2e51d4003cd04c25cbd3557dff1b7fa8468f91cee35b70a091c35dcf6cfb5f3ce0fd22f8e9dd5a484453

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
dc35cbc36020e3b3602cc9c0693ed1c5

SHA1
9dd37234d8e4d5bfef65868716522405cf565927

SHA256
04a3f9a66df7fdfc3365c3c53bdc6700d168818813559a599e6c0e902659d7bf

SHA512
f990a1e5bbec125c16bbd13376b51107fc57b5bbf0e404e4112332c130012daf092a046d7d3cacfadba172df5661de0dfc33b213a3964bd26b8db195047fa3a0

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
b33822bfe07fa430795b260da9688f49

SHA1
e468bb335a2e0d41e110d6a49621e62b9647f22a

SHA256
0fbb7cfe294fbcd443cde6f60e788e2f340429b45a1ef3ff4e5920f5785aef4f

SHA512
64aea1c23510012b60bea9f2c504ba8d4e37bf7231417028f746e2a162a4b5b9f362a96ca59bd08595cf5f478258b64d4341310875c90ff6cb1aa93713d8de30

Download Submit
/Users/run/000c1e86a49c6f2a66dc3419946bac81_JaffaCakes118

Filesize
168KB

MD5
f081bd0810c3458d6933efca1b5f2333

SHA1
49f14d298aff20cfb23fcde162753c5bfaaca6c8

SHA256
ad64d89522e2db6d6ea6b8d7c01797e7d7f004c23500509134c4aee712a3bb76

SHA512
bd127403bb629470f4fc548d2861cb1ffbea3d41779c7b923c1c2ce6c467c70dc1fd8bba02c9c06533c55d0efb07fd08ac0fae07e122601d0f56d04f4da0b6a0

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
414115f56a7c67c3a3c72b13dff2186f

SHA1
5f7e3ba7dda503e14e5788e12696438fc489343a

SHA256
eaae27eb43d2f3ea7db919466ac5445441cd898fcf09f44c1cdaf05684be4e28

SHA512
2fe41431df783ddcb9bb2eb3d1bfaa7d4f675e66664bd9f78e74a5aa18e4de9a8e4a82a7ff5306309d6f9cba588a5e5d65683e2a50cb32cce31380efb7f1734d

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
ecc66688c059dd964cede8bace869695

SHA1
8d081d8178f6b42a08a66a0f51b20e71fc18f252

SHA256
9bc04bb7f0ecfec8c774e4496b164d75286338c10be3fc44679c3c2e916b502f

SHA512
5c5a1a47ab6faf4033ebed8b20585628fda9fd8bd1ce24487173407cf1d0205168eb2825b4d58d8b675c4688a24db8eedb11d8571ef37af9e6fc52d73f4e1162

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
4abf03a880d64703bc7a136978e8aab8

SHA1
daf7107dbfe6f36ab297a50c89e52d3a8c7cc776

SHA256
d4de5ba34358d52e3a1341387e583a39bd81f1d95fb1890140d9e0adfd6e465a

SHA512
29bbfbb527e39b3f6e3931dc4b91383ef102acdc20adfd6ac883c32510298af99bf50f95980bfee2b1e5c9e6802e25069f46b110e0c91cfdb305eb2e5a89a2da

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
afe7494487f771a70f6053e83e6a75cd

SHA1
3465030c2ed67dd79fcbfff796a439faac34e93a

SHA256
3f9af68b704b10e854cab91e949bf2e09d0892b9a3c11663dafd2321af013315

SHA512
8b31a38a12d8708897e9359f68acbf688b2b02785366aa269f1ca3de9acf317d6714d5cd55a484fa732700c3c30ef7af8fa4901d169d9c5ef880a6f4deccec6d

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
731d34b3cd8d99a4e1ed0711e3791348

SHA1
606533708f52a20a3fedfabaa5288cc22f5444d9

SHA256
c52e61e3810634bff573ac7c838fc64db148e2273de36784726b06d18cc0ea18

SHA512
c4858c7b8e1a1f26e1ad826ce31b823149f51e9aec39e3a9e713f3ce8640865295935ffb1ace72a69f645edc4bcec0de02cb738cb640edb19b52b6943583de80

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
4559cb5a6cba720efc479fda2d33de28

SHA1
10a1737cf0b63630f2bf8f2c96738dfd09913fe6

SHA256
dcd2c2685a63d9f806c507ac2029c9d5906c34c3c8458298ac54a91d3298af66

SHA512
2c4e5813af2509d42c616b02286b6a2a55cf5d19c5716dac0494d1afa61ac2705ad12c4339f7c5bfde60c1b6f7bcbfd9c1909e6f4ab3bca62e02306e92013d52

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
95fdcaafb5c63718ef67e55ae5650981

SHA1
f9bc34204e1502e820e016d9c648b64e15f2e272

SHA256
2f655b5d9ae4f805d4ae91ee1f2ee384c645f34ba5c138c38db2c5df3d58fbd8

SHA512
9e4da1571f639da3d1f172d3e32052f56129f7e2a9107226ab77ff4cbfcb2692da88bd9a7a2fd6e2780d63fa5c2b31b621da737ce324cda974278135a44078d4

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
5bedf0a00db015a7327cec026b7396fb

SHA1
eed38e513ad878d34077682a92773f5565f31ce5

SHA256
18498ffb0cd5dccfbc52962a246223ff973138ae7c10ca43ba694eb880198eba

SHA512
63a76358e81dd001f7679bf6f147868186e396c1771381767231543def20c7bddd8bbfd0d1866374286b87a0f9abeb1aaecd4a3eea1e5f80c18c26a06c1ad125

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
753d6a4311fda511a2b32465ac003bec

SHA1
d2fbf1eb190eb39854057da4065ea99a9c1aa87a

SHA256
b70a2cb77d5dfd45c3525e14ef96d5c2b7ffe90ea2a1d6caa886424d03c10dbc

SHA512
f14079c2d180c4277b51ec4eeb03ef3d79d74f27b493e90ce317cd8cc1e48de46b3575e40e7c5dc40dbe6501107c258d04f3f63970e099e5abee1200ab396cf2

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
90be73b7d8be5587c05564c20d89492a

SHA1
bb9167141e46670a066755f281b2bcb2b0749942

SHA256
42edfde9d4511dff5c09ffc9ae411edaf1455c942562eca1840009857d957423

SHA512
473e7ebaeae661ded2ae851973b93b3b0863b7b4dc81c9156a70b3ab9db5d98b6863dff7f67015ef17853c5bed2d9673abf6c2d3fc5335b99b5a83db45c3cb72

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
e9db1854b85cb43a2670ccb8ce75b05b

SHA1
d6f7a95530011cf4036da64ea8af463643a7ff29

SHA256
ddce6b661b61a6cc436a79ac96a5639e7e19deffdf45dc44f78e7e404eda6d8a

SHA512
16c54ea1ad94528b80d9dfb45f948a15d4a127c80bba485c231b391c127f08f7a054105011eca00b702803baf359abea483c45cf105d0856109aecd072627b33

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
2d4cb107b112b4ccced6f5c9c104ae95

SHA1
5011fc9539617303ba829a15506ea031e7ee5a52

SHA256
a21fc071f46698ed5bfe67440c282a374d00a8978bb07270f1a145da5a62ae17

SHA512
bf28997f96fc8463ae0241ba04447eabba852d45cc70331eb460da7bbe1e4ab58dfbde55de9fded2184e1e6f84738baa4eb8df5edf1f4eeec5cb8d379d2f3f2d

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
f0b80cb0b00bc7b515415498e03696e6

SHA1
dca6b4708110163c113dfaa9b2a20c7139ec174e

SHA256
e21b4b5f156e855e7bc51d75c6f4fc9697ee2498a8a0e9d6feb58bef1b06e7c2

SHA512
a0f2a334adf9ade566baae3d319494e0bc9634a582ef4bda0a7f5f31eff71d32dec954ca6134432a6d0ce23c24a822843ceb69e614dc3842333e89c2ddec21c5

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
ddb49b1032bcc1636477226d58cfe7ba

SHA1
e54c68188d754668f57225d7dc7a6be405d01128

SHA256
1fee65140484bade9544f8398372ed59a571f0d5c862f81ea9f5a8461d3fe38c

SHA512
e6fb9825a0c174a37e6be560ec0170d220fbba4832346b862ab476a17b668ef6a9eea68088c5bc3ca33c796ff0745e579e8aca8d8ea0403f7e93f4f167b0c9de

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
c4fe0f57ca683edeccf7226765ed53c8

SHA1
90df7ddcfe41923cc7539b4127d4896da9e3aa8a

SHA256
c45b25c740c47e6f1f4c33a8693cee7161f9a110aabc275256cd50de3f179b32

SHA512
91abcab7f6bc4e6628a8584b3df51c73001a8d4e6aebd7cb639e975f3a6c97656bf941d9557ed0214bbe7f777feafadf50d8a8399f30914d231d9d6924ddb38a

Download Submit
/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1269.xml

Filesize
167KB

MD5
a645869f7bf432953f0292ca5fd17ad8

SHA1
9063c8541f8d4d81d301df8b359a30071d42b119

SHA256
04daf260c11cd34cd84f42fb5a47f1d5717d0b2f62b236826d7c3a6f0a1c9db9

SHA512
6449c45cd990750cf88cbf75b3320e6d972ba1b10dd8bb23835e1d298efb0b5d50399ad2c4be9d3d068619d645e544afc3245c66630da1878c8688811e76fca4

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit