evilquest | 45691d3bfc345a8aea4b04bffa4c0f83c13b6def3f34396df7e67ee8db60f851

General

Target

0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118
Size

168KB
MD5

0040d195181e5a3928b023ac9c3f03c4
SHA1

1134266d6d40f140f34ee37617053b7309f6cf37
SHA256

45691d3bfc345a8aea4b04bffa4c0f83c13b6def3f34396df7e67ee8db60f851
SHA512

3d9e36b520f6e1d301241314b240ef2ab5f0ae19f514860513bf3a3efe24a7ffab65817a12bed7a2857dfcecbec637243b364b414e363379475281fa2b638eb0
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9J0:5SeOQdaZNxtk8cqhSxvHY9

Score

10^/10

evilquest backdoor execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 2 IoCs

Processes:

resource	yara_rule
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 10 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"

Launchctl 1 TTPs 20 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118\""
1⤵
PID:485

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118\""
1⤵
PID:485

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118
1⤵
PID:485
- /bin/zsh
  /bin/zsh -c /Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118
  2⤵
  PID:486
- /Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118
  /Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118
  2⤵
  PID:486

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:487

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:487

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:487

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:513

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:513

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:514

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:514

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:515

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:515

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:516

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:516

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:517

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:517

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:517

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:518

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:519

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:519

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:519

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:518

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:518

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:520

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:520

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:520

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:521

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:521

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:521

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:522

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:522

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:522

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:524

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:524

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:524

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:525

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:525

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:525

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:526

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:526

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:533

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:533

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:534

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:534

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:536

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:536

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:537

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:537

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:541

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:541

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:542

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:542

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:543

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:543

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:544

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:544

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:548

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:548

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:549

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:549

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:553

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:553

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:554

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:554

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:555

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:555

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:557

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:557

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:558

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:558

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:560

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:560

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:561

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:561

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:562

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:562

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:563

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:563

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:565

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:565

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:566

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:566

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:567

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:567

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:568

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:568

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:568

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:569

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:569

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:570

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:570

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:571

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:571

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:572

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:572

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

System Services

1

T1569

Launchctl

1

T1569.001

Persistence

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Privilege Escalation

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
3249558879042e334f05310f8ca86b9a

SHA1
2ed53992081f9fdfc9088b3e6177d587d3821ad5

SHA256
151e6575449ccad1d880a74d890d0e58c4a138f6abf7410a26033c45d7bb59d5

SHA512
f60ea375f28e1b911ec25f40dc61500914228760cd49174016a94a40e0b85bd62f00328e111ddde9dc26ede1db4ef184c84f17d6c5de79f67c859bf2bf0f2fa7

Download Submit
/Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist

Filesize
430B

MD5
3d269391b44f568c96f9f5a420609082

SHA1
e2d49405da7ba6f883b366f71b6905b6ab556cae

SHA256
261e6af4aec0840afe0b4c75c21353d7bc8d69ffb1d26db364f5475962381a12

SHA512
81ae24faac0d2973a90b7ec7415273f95789fbbdeae164df6ffab10bfdfc4896d6ecf4d9b09ca13b2a151a385c59f48594d7b3d0df3b49e3bbc056f15908432c

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
72b65806a25742eea15fa84442bd928b

SHA1
c422a02afae81fd10c1977c7596c467d4fd35011

SHA256
3678a9009b945fcfc1c622295a673110753c080f5d373604e1fb8468d6deb24c

SHA512
a6ad96b09ee147ea921e38fbbff000befe164feafeccad999fb109360d7530037b6da74118ef841ceee6d0350781e9e923baa9b0e7b4f8c08ab29b9c2012f17e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads