Analysis
-
max time kernel
145s -
max time network
119s -
platform
macos-10.15_amd64 -
resource
macos-20240410-en -
resource tags
-
submitted
26-04-2024 07:13
General
-
Target
0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118
-
Size
168KB
-
MD5
0040d195181e5a3928b023ac9c3f03c4
-
SHA1
1134266d6d40f140f34ee37617053b7309f6cf37
-
SHA256
45691d3bfc345a8aea4b04bffa4c0f83c13b6def3f34396df7e67ee8db60f851
-
SHA512
3d9e36b520f6e1d301241314b240ef2ab5f0ae19f514860513bf3a3efe24a7ffab65817a12bed7a2857dfcecbec637243b364b414e363379475281fa2b638eb0
-
SSDEEP
3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9J0:5SeOQdaZNxtk8cqhSxvHY9
Score
10/10
Malware Config
Signatures
-
EvilQuest
EvilQuest family.
-
EvilQuest payload 2 IoCs
-
Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
-
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
-
AppleScript 1 TTPs 10 IoCs
AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.
-
Launchctl 1 TTPs 20 IoCs
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118\""1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes1181⤵
-
/bin/zsh/bin/zsh -c /Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes1182⤵
-
/Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes118/Users/run/0040d195181e5a3928b023ac9c3f03c4_JaffaCakes1182⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.authtrampoline1⤵
-
/System/Library/Frameworks/Security.framework/authtrampoline/System/Library/Frameworks/Security.framework/authtrampoline1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/sh/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
/Library/osxmobiledata/com.apple.afsvcpdFilesize
168KB
MD53249558879042e334f05310f8ca86b9a
SHA12ed53992081f9fdfc9088b3e6177d587d3821ad5
SHA256151e6575449ccad1d880a74d890d0e58c4a138f6abf7410a26033c45d7bb59d5
SHA512f60ea375f28e1b911ec25f40dc61500914228760cd49174016a94a40e0b85bd62f00328e111ddde9dc26ede1db4ef184c84f17d6c5de79f67c859bf2bf0f2fa7
-
/Users/run/Library/LaunchAgents/com.apple.afsvcpd.plistFilesize
430B
MD53d269391b44f568c96f9f5a420609082
SHA1e2d49405da7ba6f883b366f71b6905b6ab556cae
SHA256261e6af4aec0840afe0b4c75c21353d7bc8d69ffb1d26db364f5475962381a12
SHA51281ae24faac0d2973a90b7ec7415273f95789fbbdeae164df6ffab10bfdfc4896d6ecf4d9b09ca13b2a151a385c59f48594d7b3d0df3b49e3bbc056f15908432c
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpdFilesize
168KB
MD572b65806a25742eea15fa84442bd928b
SHA1c422a02afae81fd10c1977c7596c467d4fd35011
SHA2563678a9009b945fcfc1c622295a673110753c080f5d373604e1fb8468d6deb24c
SHA512a6ad96b09ee147ea921e38fbbff000befe164feafeccad999fb109360d7530037b6da74118ef841ceee6d0350781e9e923baa9b0e7b4f8c08ab29b9c2012f17e