evilquest | 43eeb078b670d36490ad9396f476319342a18684e7265924d4b6076eba1dc620

Analysis

max time kernel
149s
max time network
150s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
26-04-2024 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0030582d9908d971baa86fc2c1776281_JaffaCakes118
Size

168KB
MD5

0030582d9908d971baa86fc2c1776281
SHA1

53faf722f684c916c96337aecbd6f9112b0db0b3
SHA256

43eeb078b670d36490ad9396f476319342a18684e7265924d4b6076eba1dc620
SHA512

b615e7f3465d1b2361f1e6ccbfa8c57252869806a8b54f808a1d06b2631396e8770a536779dce3d2b5484347d987d48fb22af02e8cc95f2877e673a5ccd097b2
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9660:5SeOQdaZNxtk8cqhSxvHY96

Score

10^/10

evilquest backdoor evasion execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 16 IoCs

Processes:

resource	yara_rule
/Users/run/0030582d9908d971baa86fc2c1776281_JaffaCakes118	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"

Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
evasion

Resource Forking
T1564.009

Processes:

ioc process

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

ioc	process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

Launchctl 1 TTPs 16 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/0030582d9908d971baa86fc2c1776281_JaffaCakes118\""
1⤵
PID:566

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/0030582d9908d971baa86fc2c1776281_JaffaCakes118\""
1⤵
PID:566

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/0030582d9908d971baa86fc2c1776281_JaffaCakes118
1⤵
PID:566

/bin/zsh
/bin/zsh -c /Users/run/0030582d9908d971baa86fc2c1776281_JaffaCakes118
2⤵
PID:567

/Users/run/0030582d9908d971baa86fc2c1776281_JaffaCakes118
/Users/run/0030582d9908d971baa86fc2c1776281_JaffaCakes118
2⤵
PID:567

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:568

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:568

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:568

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:591

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:591

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:592

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:592

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:593

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:593

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:594

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:594

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:595

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:595

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:596

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:596

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:596

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:597

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:597

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:597

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:598

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:598

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:598

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:599

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:599

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:599

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:600

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:600

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:600

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:601

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:601

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:602

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:602

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:603

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:603

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:603

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:608

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:608

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:610

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:610

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:611

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:611

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:612

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:612

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:616

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:616

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:617

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:617

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:619

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:619

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:619

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:620

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:621

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:621

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:622

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:622

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:623

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:623

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:624

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:624

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:625

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:625

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:626

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:626

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:628

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:628

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:629

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:629

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:629

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:633

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:633

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:634

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:634

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:634

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:638

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:638

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:640

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:640

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:640

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:641

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:641

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:642

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:642

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:642

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:644

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:644

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:645

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:645

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:645

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:646

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:646

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:647

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:647

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:647

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:648

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:648

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:649

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:649

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:649

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:653

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:653

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:654

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:654

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:654

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:655

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:655

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:656

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:656

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:656

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:657

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:657

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:658

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:658

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:658

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:659

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:659

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:660

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:660

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:661

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:661

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:662

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:662

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:662

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:663

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:663

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:664

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:664

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:664

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:665

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:665

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:666

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:666

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:666

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
943b388cd75e83e2a33d36992fca4043

SHA1
21d7e93e87a9451edf6ce03e72ec60d53c7fdbfc

SHA256
884dd28311140583243453e37d2d1c74ac4ad7f3ead69244e73756ff645c31f5

SHA512
6fa04b5a64ba171a6f64f0e6e2b73743628d8c6f5d4426e9c83575649a0b22913a58520db815fe6676f6437c5270ae1141c505c0ff7f7982143b024627b09622

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
c74b7f11a8039a35f8275e8e5dd1d07e

SHA1
0aee038a18e566ba9d1a9dc7aafee1121503772e

SHA256
37e0a1ecbb8c328101d53b1366a2b20f73f716bf863316e12e3b65954db93122

SHA512
1aaed413588c6a509e47aea161935652fa61990aedfeba6d9628bc19f85946f2c2d664fce1d9cfb4014dd1cc7b0a16cab34c9fc01ada3d85b3aba3e462ae5c89

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
aa6af5debfd307c0a3f453f4b12b7841

SHA1
e350e78ca2ab87505e874074e32938103b8cc31a

SHA256
695f2d71e1f72d9af5ccb364e7bd72380dea15911a4911f3b17410f5439712f3

SHA512
ce007a1c6f7dc0217fb6e0ef1b9abd59441603111b050a119789ee04f08aa9adbd92610571147f6658b74f8742a071e9f407f81742bc63e185e7989763cc539d

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
7b78ea31852ff853d316b63aca4e63de

SHA1
e757a6e8b936c0f7af6d186dedc6015cdf8778d1

SHA256
2783d4e8cae547ce49879ff00a11f6957aae8a48ddea0293070346f19d998bdf

SHA512
718b93ce37c5c57ed8e480f56a4d7c8814ff0dff1b05c93611b07b142b7465d47c542df8da400d833b4f4578afc7cdbb5642037ba57ac653784f3e13e56f12c1

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
7319240763b7115143eb3dc15c3071f7

SHA1
844dc0cf447fabaf92b1acfa64cdb746ce8972df

SHA256
0eaeb4a895ca92dfcd231b21178a6391ccbc36524732a3b037540b21f9f7d486

SHA512
464606f628452d307692c53d8ec0b2ff16f985a64952c48230d531fac36b80be14b3f8a869d6478faa03395eed9474d32bb664f295429662a7208728402456d8

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
1ac4f50820a157ba922f865ebf41a646

SHA1
e85a7394bd97bc023cf3f225d4c628cdaea90e68

SHA256
a48fe88e06fde8f18ae5b73b4bed3de29869d07f42950ae481751b4e03429414

SHA512
287ad519e28e74617bfef44094f2ec1a7981616e4cc1ab9334394d0693fc10d26e0d9fa1fbe109248a2ff22722b3d2a088839b98d713b226c7f42264888890f5

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
e608e0b2ce7726fd4e19e839d8e523a3

SHA1
268c45b074ed5bbe2d4b019cd02e64785b7e7c9f

SHA256
75ecedfe109e8b2c4f20af163cd984568ccebf7408a6caa63360971f68f787c4

SHA512
4c2fec9002b83e3321092f86ff8f42c590ccf1ea1d63428a4b674e26f7e2eca6f39d1313510f8191f319aeb2b8e4d9ea248bec50de5f394f3bd156a356db03db

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
0eac77a96313a61e030d1ad3c0d479bf

SHA1
221a1aed89572d93c5e25fadb6eeeb95808a57e2

SHA256
98ed500777d008927602467f0d28e59964508ee00e093249dc5e08d5a73e10bd

SHA512
a3a6a1891815d9dc9ddb177cfb36b89c8d5f24b82de37d571bdd35573efe62b3a5cac0cb7a94bd2828fbe214289ebec8b82382fc26df6341b909dda85c2d9e58

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
8e65eb46b4aba27a9161e872eb42f673

SHA1
79993ad566ab2ad0de2e1af8acc6ba1f62440dc3

SHA256
37bbcca55580cda8b6a7ee61a6aca30a2d7fa96731f46269c9643e68661e71c4

SHA512
243949d216ad17651e379ddf8ec78d2363258293dcc6e213ccd0d5ac6f7ed4c18169947df8cecc9d266696f995fec49c25e63be8573395aba68b7f22fcf9878b

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
1300ae2fd3184b1109983ad18937212e

SHA1
414378f61b7a58bf5a13fc03237e8ad6d7c0a3d5

SHA256
d3f783d4f06da5370198e18a1f49bc1bfc3dffd2d7dc3d648961c726420adb5f

SHA512
3fe51977ac53108fb332a20a257abe9874f126cab9255e8d43de08232191bc7063d0c3c1fe82c9c9255459459cc0baf9b5acbe45ab8b92705cb6c3078dbf267a

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
6dc5123f49659191a8cd216c132650ae

SHA1
5068067b447f3ced9a935916634764afa1c0b33c

SHA256
22e4fb2aa14a3b1ca266882c7b79e3e1e9a1c649e5f7b314ea8c0b5a49e8a6cf

SHA512
bb099b3f24f22aad71969ec60511dd916562795eae955fb20e8f1ba3be74f5a56ada0d77becdbd7c3a5653a85d1585cca9299993cb125d9159217dd6e0b17c35

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
fc3a019a6dae38ee86834d7ff379db40

SHA1
329a9e1258f52d3b7bd5963d07d6ac9eff8d5c20

SHA256
43841a2c9233a38e319bf4ede52ab2dd17483574060a7ded3e97ae0b24a47d44

SHA512
5b6a2bf3ddb870c596a47be388d4a65018ced47deff7cc4c5a3c86714238540c830f4b89f7ae8681ed323648c75d215db40df991e4631ee54021ba6a5e567090

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
83a61731ede00c43c001de571a809353

SHA1
d8af01f7ece2077e802ccf6e0cca6f45515eff02

SHA256
fdcc475469f0548c81c83fc14a81a91eebb8b972c4cf9930c6e6e6cd4b32ca8f

SHA512
9794143cb38057ee6dec181399ddb5eb965fc670a4bd1c021dd84a704a1a7ec2125b9745b79412300cbb94dfcf9dd6ebc036eec71a0d5fdd284b44d46b1d9e3f

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist
Filesize
156B

MD5
17de8b5bc6cf801abaf18e6969166766

SHA1
aec260a3528c3cf8e14030357ee1867403b578cb

SHA256
542d09b6932ad03534c3119c016cf5a80b26953aaacdd80943aa1b0317ede7ec

SHA512
52e525084b6d68c5c9d6307a2e8d05e222ec6523f71e1df8179eb4ddd729ffcbc04e9dce0ec30ae46860e806bdccfda70279e13e179f5707792a9b571eb865a8

Download Submit
/Users/run/0030582d9908d971baa86fc2c1776281_JaffaCakes118
Filesize
168KB

MD5
cab0f9c60d67c760be4d28db37551139

SHA1
2eaf55c41a7dae00e6c90a292c01ca059e606725

SHA256
165bba008f0fc19bef9863200a7c82257d205f63ee3645fb63b51fb8fc976f56

SHA512
eca0e9f3a508f35880137ee83edcee18f5e5b9f9babcbdae99c119f88a72de2f5674251cb8c5576b1086070fb6a1e452ba05db8d633be60c31f13d3bd3bbc0a7

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
Filesize
124KB

MD5
7aaf4bc91920976b43aaa9c1b055cb83

SHA1
baf9e4a07a3102e849da7c800fd3fa66d7ab4ddd

SHA256
47791b180289320f162a1cd3a010877d90dbb0e6b9aff91c3a91a2fafe62e815

SHA512
c4d86790dded0fb62042d98ba76b3f1b3351ebf9101c66612d40773a5bfe4003c9a6827b5357aa31e5aaa9ab973b2968a377a490986d57c4fab627862bb0edca

Download Submit
/Users/run/Library/Caches/GeoServices/Experiments.pbd
Filesize
291B

MD5
0b46570f7138930e1bd20a8bc3cdd9d2

SHA1
73d414f3f0540681f00100d3f3b1e0b4dd5ffaa5

SHA256
2a3c89af0b3fd7b1c7bb023b4c308a9e8c3b14a841defb1486c35c4afe2ad535

SHA512
cd3068538c1ed3cf828e03a2b8cd80866a6a04135cd91d34d75e5c88a47535a4cb204c0477d9477247454f7dcff315a890aaec0d3c5ead2b194cfda142bfc18e

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
1998a8c0008fe11767ec9c02471883ac

SHA1
591458127a7ba74d8b53a978a869a8f4de82b427

SHA256
100ffe3c5ba019299ce9247b1bea3552f6ee11d90ff8c325b5a75dda3965732c

SHA512
895f033a9a2ee0c1399616cc867daef86c797bae1976bbf446f79ee3e870faa6ec8b7e8fa0102bbf915598aa32bd0d3f614bdb2bd1b28955667bf23d7728d7ff

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
8746da2e42c1b8c96deef655f7323ec9

SHA1
b81f9f7efb154e268628feaf7a9ed0651ff81e70

SHA256
7f14058cdbbe62e1f2e0cc4c0c6c32d2ade752ab945428a78da715bac1cdba15

SHA512
cb5c1018ce6bf7a77cf846a3871cc18e5a9746d9ffa124a17cd1e15296b37e1544f920cc79736369556fc11507ff78ed6f2cee4848720caa8360be8c49870ed4

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
aa0d1fb266e7183aad2f71944a216d43

SHA1
817316d520d723583da8f9adc284f83340915809

SHA256
6b0ec76525374a6d746a4e8bc18010acbff59d3e9771c2b404303494c8a02a4f

SHA512
88dd6f15da46e03d26206afd5ccb5cff078558d72aecc0b820b11b4b994deb326b49cd56fdabc99df1ada6426ca7b0212bd7726a9be733e2bc1092500544215a

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
138a4c51d789480c81c00ab6d6f1751b

SHA1
862526b81c20f46e73528ca3c87d08624079ca48

SHA256
f631fc6c105d4620833b92f4502bc211f1740c7f77bbb83cb4cd5e604a49033f

SHA512
19f4d1a8d0b74c9124c661586d6ae4e4ddcdb03329c67cfe09da2e2337f549cd22035de980f0a918afc446d59765f434fb3d6702e7655252cea0f3ade1463f4d

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
e6cb2069cb8a958c196101a0928da6d1

SHA1
1ebdc6dde50e2e1dc02e052e4706768cdb0687d4

SHA256
4b5e7f2db310b4f77aae0e56dbaa354b74955748d57ef6a16323235338e52fb3

SHA512
ed5aaeecef0e259aedaffaeaf5c34e35817c37172fadfd8c37b402ae4be12202c585eda43724a1581bf9616bf22e8e22e7a260bd613d12d33ffca367ae224e30

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
241d0ba149d8548ab9ad008aff3bf8a6

SHA1
87901b41d93f093d21fe5768926f0f13de472f23

SHA256
3d171505c30f6e891b408fcfac7777fec89cee7a0503ce5a08783bc362c196a8

SHA512
4bea336209fd44bb39175f995486ca40d4b870cf4bbd882fdcf5199f69cf2178fa6bcf2101624428fa4e01befe5d9f81b4498ab2603241f608849e249fbeaaf1

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
c065fe3f7eb5da6b03b4b845dfd64b69

SHA1
7f8caccba830560a6d13420b09f75e154c8e30db

SHA256
f7c963e6e510e52827d19f9e4fdb6ba6fcb9f954809cf3c649338cd714a1c9c9

SHA512
4082ec590d18354c8da95e5212bd65573a8328323b07fd6b8ccd6ec6db8d27ae70010e846c66d67ad07cfbd4752c8b8e73cfab61338f5e1da07fc75ace6e5c55

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
de4e05ae1ca68bc79a9f4b3b8be74546

SHA1
96cc51a24d3ff5c1c888f6004a5fc0b3dd7a628b

SHA256
04dc659651d79b828568afb7b2d9842dcaff95aada7cd743a93a207b14bf1b07

SHA512
b62c064bc1eb5202b71521847e98028b7dec9a62a8f23ea935c6b26699c788acec09b260f36bf5bb85a43d56d575a2e96f7216a25b487392beb7ac8718c909c8

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
95a0b443f940b1b2db79cbcacb88a92c

SHA1
d4523d5a41f2dd254e2ee9bc5e8981d181b659a2

SHA256
2371eb9653740a1279699a717bfe5601f0e80895c828ba89db7cdfc42b7099e1

SHA512
aaefdfbaa893566e484b57ce864118dfc7532203c87a6e23c6aca5598baa7dab9e9fcbfcdb0328e9312c93ff52556fd83539db6eb6a4ff54866d701010cb4924

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
14930979565056aff51a22950e674d6a

SHA1
87c0edce22daa81251c9bd3f81d20680802c5605

SHA256
a55fb5e89e0ecd36320a1703ddfe909f1f78f870a81b879518b9e5b1da0e82c7

SHA512
ff1aca66e4a80d643f75a82b915a5d9598ac10add3c1150718078104c37bcada78d449219e422bcbc9dbbecadcbc75f5bb4576ff12a44285cbd719618d93ba19

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
e1c720cb301b066f96f880d4b48cfccb

SHA1
fc46093b460f9f7074be6d385656cc593bfdfa91

SHA256
1ff23514726fd06a140bf0ff626bec5b2d665f923508dfce22e59f85d9828873

SHA512
1c42ff09fdf798cb3decb35ef44dabfd4386d4334687f8bba4048f464d139f609d9b8bf4eeed21479ddaae3cf11123c11e47fa3dbae88c6cfa5894c8de14294a

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
5ba02155a86a41616bfa33349e6f0d3e

SHA1
0a91a97b8b821da4d36e490a9abdadb4b1e13521

SHA256
2463fd80dc55f4fc9e60e42563cb50f124307c46ef8b1338f09be16bb6cc8021

SHA512
a7cc09bf9b9cdda68c9387064599c6a7fb25e9d909e7773cf2f5bcc48563d0858c569fbfbc8f4f75c61a328a6ddb27671c88d1b657f88ca3fc6ae0c0fbddf646

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
a7d749dc4fab5e39c5a773f604aaa1a0

SHA1
8826d3a5edaa748ae16f0943591e1ad721be4445

SHA256
e8d69fdd5de132e46983e5b8b1ecf1084f624882e4b95b1c9375b4d79ed0e437

SHA512
4d0d9d9ea6fffee3b38c888a91282b5b88aa33a7e45fe27e72bac2cdc0619b2c8523c251ab4fae7b90dda4d436c0c8babcf75349ee051fac6c7f725b7a84283a

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
680188cd4aaa1e71b9024dcb5f7dae4b

SHA1
b22fe33e5f72783456c6a636c40c810442691615

SHA256
ce49566e46485dd4e397a78f4f0e804d7a43b0b26ce8777450a9e662242d823c

SHA512
6682e94c0e8bd523fd955d5b44f31eeba5af943acda3b2a218d6ebbd2df9e76caf6c562d643aeb5f342131813177924ac0f8bb33bc817f58ca48cdd61aa95a00

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
4b05c4218de7b0d6c95d8448d38e6422

SHA1
ccd912f16bd20c0939eef390452e200c24de22a8

SHA256
60f4cad359bbfe1124b1116ef6c2464bc0414adeeebf36842d0ff02c67e687c8

SHA512
d7b30b9be05b0cbfa8e200e27fcf1da569587248130898e6b5fba58cadd9250b5286879e695ddf7eee92a89ec7863edbb87d9cba61bf5a5b547e3884064c650d

Download Submit
/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1269.xml
Filesize
167KB

MD5
a645869f7bf432953f0292ca5fd17ad8

SHA1
9063c8541f8d4d81d301df8b359a30071d42b119

SHA256
04daf260c11cd34cd84f42fb5a47f1d5717d0b2f62b236826d7c3a6f0a1c9db9

SHA512
6449c45cd990750cf88cbf75b3320e6d972ba1b10dd8bb23835e1d298efb0b5d50399ad2c4be9d3d068619d645e544afc3245c66630da1878c8688811e76fca4

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit