1e468b1d177cd48603f0736751a9ec1538baece915bcd5e2bcc5507b45c8a1ee

General

Target

00dfdd9067c5013c5c179301f91c2978_JaffaCakes118
Size

168KB
MD5

00dfdd9067c5013c5c179301f91c2978
SHA1

5c7ccc55c6d097519e19e68d9c5797516c8bc4f7
SHA256

1e468b1d177cd48603f0736751a9ec1538baece915bcd5e2bcc5507b45c8a1ee
SHA512

64fe607cba864b87bdd9de4857360165874ce3c4f78a6dde31bec46ff11b9579d4d09d2fa4c7e57427df0522a87b2a32c0e5f081150b3607f2fb025815002efd
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9e3biu10:5SeOQdaZNxtk8cqhSxvHY9

Score

5^/10

execution persistence

Malware Config

Signatures

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001

AppleScript 1 TTPs 2 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found

Launchctl 1 TTPs 4 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/00dfdd9067c5013c5c179301f91c2978_JaffaCakes118\""
1⤵
PID:482

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/00dfdd9067c5013c5c179301f91c2978_JaffaCakes118\""
1⤵
PID:482

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/00dfdd9067c5013c5c179301f91c2978_JaffaCakes118
1⤵
PID:482
- /bin/zsh
  /bin/zsh -c /Users/run/00dfdd9067c5013c5c179301f91c2978_JaffaCakes118
  2⤵
  PID:483
- /Users/run/00dfdd9067c5013c5c179301f91c2978_JaffaCakes118
  /Users/run/00dfdd9067c5013c5c179301f91c2978_JaffaCakes118
  2⤵
  PID:483

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:484

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:484

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:484

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:511

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:511

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:511

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:512

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:512

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:513

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:513

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:514

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:514

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:515

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:515

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:520

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:520

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:521

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:521

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:525

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:525

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:526

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:526

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:531

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:531

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:532

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:532

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:534

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:534

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:535

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:535

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:538

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:538

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:539

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:539

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:539

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:543

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:543

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:547

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:547

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:548

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:548

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:549

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:549

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:550

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:550

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:551

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:551

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:554

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:554

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:555

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:555

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:556

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:556

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:557

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:557

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:558

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:558

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:559

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:559

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:559

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:560

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:562

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:562

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:563

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:563

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:572

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:573

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:573

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:574

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:574

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:575

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:575

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:576

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:576

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:576

Network

DNS

apis.apple.map.fastly.net

Remote address:

8.8.8.8:53

Request

apis.apple.map.fastly.net

IN A

Response

apis.apple.map.fastly.net

IN A

151.101.3.6

apis.apple.map.fastly.net

IN A

151.101.67.6

apis.apple.map.fastly.net

IN A

151.101.131.6

apis.apple.map.fastly.net

IN A

151.101.195.6
DNS

mobile.events.data.trafficmanager.net

Remote address:

8.8.8.8:53

Request

mobile.events.data.trafficmanager.net

IN A

Response

mobile.events.data.trafficmanager.net

IN CNAME

onedscolprdwus20.westus.cloudapp.azure.com

onedscolprdwus20.westus.cloudapp.azure.com

IN A

20.189.173.25
DNS

cds.apple.com

Remote address:

8.8.8.8:53

Request

cds.apple.com

IN A

Response

cds.apple.com

IN CNAME

cds-cdn.v.aaplimg.com

cds-cdn.v.aaplimg.com

IN CNAME

cds.apple.com.akadns.net

cds.apple.com.akadns.net

IN CNAME

cds.apple.com.edgekey.net

cds.apple.com.edgekey.net

IN CNAME

e14768.dscb.akamaiedge.net

e14768.dscb.akamaiedge.net

IN A

104.68.86.71
DNS

help.apple.com

Remote address:

8.8.8.8:53

Request

help.apple.com

IN A

Response

help.apple.com

IN CNAME

help.origin-apple.com.akadns.net

help.origin-apple.com.akadns.net

IN CNAME

help-ar.apple.com.edgekey.net

help-ar.apple.com.edgekey.net

IN CNAME

e11408.d.akamaiedge.net

e11408.d.akamaiedge.net

IN A

23.220.113.166

20.52.64.201:443

tls, https

1.6kB
16
17.250.81.67:443

tls, https

128 B
40 B
2
1
51.116.246.105:443

mobile.pipe.aria.microsoft.com

tls

13.2kB
8.5kB
37
26
104.68.86.71:443

cds.apple.com

tls

18.9kB
163.3kB
214
234
23.220.113.166:443

help.apple.com

tls

29.5kB
110.8kB
164
121
23.220.113.166:443

help.apple.com

tls

1.5kB
1.1kB
8
5

8.8.8.8:53

apis.apple.map.fastly.net

dns

71 B
135 B
1
1

DNS Request

apis.apple.map.fastly.net

DNS Response

151.101.3.6

151.101.67.6

151.101.131.6

151.101.195.6
8.8.8.8:53

mobile.events.data.trafficmanager.net

dns

83 B
155 B
1
1

DNS Request

mobile.events.data.trafficmanager.net

DNS Response

20.189.173.25
224.0.0.251:5353

332 B
1
8.8.8.8:53

cds.apple.com

dns

59 B
218 B
1
1

DNS Request

cds.apple.com

DNS Response

104.68.86.71
8.8.8.8:53

help.apple.com

dns

60 B
196 B
1
1

DNS Request

help.apple.com

DNS Response

23.220.113.166