Analysis
-
max time kernel
33s -
max time network
36s -
platform
macos-10.15_amd64 -
resource
macos-20240410-en -
resource tags
-
submitted
26-04-2024 14:41
Errors
General
-
Target
00ff7d1fcbeae75e90c503c81dce1dfc_JaffaCakes118
-
Size
168KB
-
MD5
00ff7d1fcbeae75e90c503c81dce1dfc
-
SHA1
51f9533b6293ddd0c9cef039744e217afa18d267
-
SHA256
40c59822cd12927bee52756464921433f8493ec6224a626075569ceb4413cb5e
-
SHA512
2169defcb59ed59062b69df7774040a050922d8779058f675ad8bcaa3f82b0e415bb6d9310c4b4554481c7e33aba2f40fe8af1758c4091e8f8004728c6aea508
-
SSDEEP
3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9MF0:5SeOQdaZNxtk8cqhSxvHY9M
Malware Config
Signatures
-
EvilQuest
EvilQuest family.
-
EvilQuest payload 3 IoCs
-
Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
-
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
-
AppleScript 1 TTPs 8 IoCs
AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.
-
Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
-
Launchctl 1 TTPs 16 IoCs
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/00ff7d1fcbeae75e90c503c81dce1dfc_JaffaCakes118\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/00ff7d1fcbeae75e90c503c81dce1dfc_JaffaCakes118\""1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/00ff7d1fcbeae75e90c503c81dce1dfc_JaffaCakes1181⤵
-
/bin/zsh/bin/zsh -c /Users/run/00ff7d1fcbeae75e90c503c81dce1dfc_JaffaCakes1182⤵
-
-
/Users/run/00ff7d1fcbeae75e90c503c81dce1dfc_JaffaCakes118/Users/run/00ff7d1fcbeae75e90c503c81dce1dfc_JaffaCakes1182⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.sysmond1⤵
-
/usr/libexec/sysmond/usr/libexec/sysmond1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.authtrampoline1⤵
-
/System/Library/Frameworks/Security.framework/authtrampoline/System/Library/Frameworks/Security.framework/authtrampoline1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportCrash.Root1⤵
-
/System/Library/CoreServices/ReportCrash/System/Library/CoreServices/ReportCrash daemon1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.cloudkeychainproxy31⤵
-
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.secinitd1⤵
-
/usr/libexec/secinitd/usr/libexec/secinitd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.AddressBook.ContactsAccountsService1⤵
-
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/sbin/spctl/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.assistantd1⤵
-
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.nehelper1⤵
-
/usr/libexec/nehelper/usr/libexec/nehelper1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.routined1⤵
-
/usr/libexec/routined/usr/libexec/routined LAUNCHED_BY_LAUNCHD1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A1⤵
-
/usr/libexec/neagent/usr/libexec/neagent1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.Maps.mapspushd1⤵
-
/System/Library/CoreServices/mapspushd/System/Library/CoreServices/mapspushd1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
156B
MD51a95fb6a42486b63e644fa59ad972e6c
SHA1211f4f3d46b6d73b0bebad74e56205476d3d38bc
SHA25626b4c221c091a99d6250c0fc39473ca5201aa705d76bd3d388db190ac7ec75a7
SHA51220afb223b7939ecb221066dcaf23c63b6b8e36e046d0f7fe5694644a1fbe3e2e91db806871ecce12b3fc7e9f24ffc2d904872be14b237ecc9f0ba39a54b9b9b2
-
Filesize
42B
MD5ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA2569261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb
-
Filesize
81B
MD5520bb9b65b89f03050030e5a985b9cd1
SHA191defba6d4540d4c8ede177730d104d747e8f57b
SHA2566bb23965fd46b9ffe67a1cdb2144943543894e063c05db3a4de54e94b84968a0
SHA51281eebb3eda761a9ecc94aa9564deab4d476522d94025ec19e002e91b12b7fbf2bffda23e7c393c09cb91b6ecd953ec1bf39ef5f787058b70289a5a5d777f0cf6
-
Filesize
126B
MD552ef57acdaa153c35594e46bde4fe42c
SHA1c2a5b1748aa61c311b670ef319d92663e3f92b00
SHA25658add3e6d1d91409a9ddd9bb9b7cb173f3ec1162905d907839ab007e43cf2d2a
SHA512defea7dd6200a17dbf0b619e16efb2919dc14199e7f3cb6755b4e5f1fdc8fb2942fa9f7c8c4c19d9026acb0c64a7df0462c7e10685c7482e710e94ed15964209
-
Filesize
124KB
MD50d5de66f40d9359cd7921ab9a0c79f88
SHA10040ddb3835dfc23c4d56669e2e49066e6194b67
SHA2564cf97c91e0a39525a8bf03a1680236f85fc90c7ac797e0155395a98c3599f757
SHA5128beb43884aa7b09f2b5520c4be24e62d744802f1ceaeaa2f0b5bc140094fff93455e2dca58f45b86da9e2b8ab619a8369be3bb1984a5bf7f593eb3292f9a4950
-
Filesize
167KB
MD5a645869f7bf432953f0292ca5fd17ad8
SHA19063c8541f8d4d81d301df8b359a30071d42b119
SHA25604daf260c11cd34cd84f42fb5a47f1d5717d0b2f62b236826d7c3a6f0a1c9db9
SHA5126449c45cd990750cf88cbf75b3320e6d972ba1b10dd8bb23835e1d298efb0b5d50399ad2c4be9d3d068619d645e544afc3245c66630da1878c8688811e76fca4
-
Filesize
168KB
MD5cb4409fce2c68ba0be4b0f75fdc26238
SHA13209b8ebf5d216e94184577ba029998251c69dcc
SHA256579b1d0d512e7aa747f4209b2e893a96d050cc38c3bf3b8181e380d216ed7a55
SHA5128c3d3a7487196706ee0defa8f7bb4d27cbc836c23747794a5a587c6a2bdabc20454b8a201c0ff6b25d3dda54dc637e144e763415a903aea531b8df636621e0ae
-
Filesize
168KB
MD582551f465ec0d6cbab6e4ef9aab82bc7
SHA1a40baf33fd8047789763b41b1abc01566bf599c0
SHA2564b1f403f78277c64a64c15d486a533054390cf67823bcef0713a9f59d744d0fe
SHA5121d5e31cc497cb8b8e33d8c4f5852fa8fdd171ec3e5daefa7cba688b18f250e4151d0abab959411bc4dc0bdb154abb8294a6e8169c6b52c3d16ce1d80cb14d669
-
Filesize
168KB
MD5da02e4370e8f82759da049e3cb792fba
SHA1479ad088a84caff62ec0d3659de3e61beab4feb3
SHA256a87e757bb7cec66a9363860d4ab1e369640ad11aa39e0d5d7cadbc09f0141be2
SHA5129dd0c2c5f28f51ad230a3c954ef647dcc024b6af6b60bf66c38705b0f6e9c67f5ee6851b1e8fb98244fb392ad5ca859057b84eb5b88760d57adabbe3def5cdbb
-
Filesize
47KB
MD50e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA5121dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20
-
Filesize
4KB
MD5d3a1859e6ec593505cc882e6def48fc8
SHA1f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA2563ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818