evilquest | 07cc5df0fe22a12b51fc6a48722c4f87d662513e534d5833f46604ee4e40ba96

Analysis

max time kernel
150s
max time network
151s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
27-04-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

030ec1a7d7c28f0c6cab4c4c55281cb0_JaffaCakes118
Size

168KB
MD5

030ec1a7d7c28f0c6cab4c4c55281cb0
SHA1

9f29735cabff9ecaab52bb461623cb94d0d83f07
SHA256

07cc5df0fe22a12b51fc6a48722c4f87d662513e534d5833f46604ee4e40ba96
SHA512

309ae10d5f61e52212ae32f18bab0e00fc94bcd4e9b3fee68e2747209d3230156c4173c4cffccf6d07ac0fcee9f273f7be5e919233ae78aac8c5eeac22c5e352
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9rzFe50:5SeOQdaZNxtk8cqhSxvHY9rzFe

Score

10^/10

evilquest backdoor evasion execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 16 IoCs

Processes:

resource	yara_rule
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/030ec1a7d7c28f0c6cab4c4c55281cb0_JaffaCakes118	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""

Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
evasion

Resource Forking
T1564.009

Processes:

ioc process

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

ioc	process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

Launchctl 1 TTPs 16 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/030ec1a7d7c28f0c6cab4c4c55281cb0_JaffaCakes118\""
1⤵
PID:562

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/030ec1a7d7c28f0c6cab4c4c55281cb0_JaffaCakes118\""
1⤵
PID:562

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/030ec1a7d7c28f0c6cab4c4c55281cb0_JaffaCakes118
1⤵
PID:562
- /bin/zsh
  /bin/zsh -c /Users/run/030ec1a7d7c28f0c6cab4c4c55281cb0_JaffaCakes118
  2⤵
  PID:563
- /Users/run/030ec1a7d7c28f0c6cab4c4c55281cb0_JaffaCakes118
  /Users/run/030ec1a7d7c28f0c6cab4c4c55281cb0_JaffaCakes118
  2⤵
  PID:563

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:564

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:564

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:564

/usr/libexec/dmd
/usr/libexec/dmd
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:579

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:579

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:592

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:592

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:593

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:593

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:594

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:594

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:595

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:595

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:596

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:596

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:596

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:597

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:597

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:597

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:598

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:598

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:598

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:599

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:599

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:599

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:600

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:600

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:600

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:601

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:602

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:601

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:603

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:603

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:603

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:606

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:606

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:609

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:609

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:614

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:614

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:616

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:616

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:616

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:617

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:618

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:619

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:619

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:623

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:623

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:627

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:627

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:628

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:628

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:628

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:629

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:629

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:630

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:630

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:631

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:631

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:632

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:632

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:633

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:633

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:635

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:635

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:636

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:636

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:637

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:638

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:638

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:637

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:639

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:639

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:639

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:643

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:643

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:645

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:645

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:645

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:648

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:648

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:649

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:649

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:649

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:653

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:653

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:654

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:654

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:654

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:655

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:655

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:656

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:656

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:656

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:657

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:658

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:659

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:659

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:660

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:660

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:660

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:661

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:661

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:662

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:662

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:663

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:663

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:663

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:664

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:664

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:665

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:665

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:665

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:666

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:666

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:667

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:667

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:667

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:676

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:676

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:677

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:677

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:677

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:678

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:678

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:679

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:679

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:679

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:680

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:680

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:681

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:681

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:681

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
33c8fff4c81483af4f42d2b4add9001b

SHA1
7c3ca66f5084c6c8276008066ffd08acb0183005

SHA256
0b59b2ff5b065c9eafce0172fa7a9f051cef06b8e2e66ad38ebc6d98c0a3ca26

SHA512
0c96b806555080793ec45bd6cdfed8e9d3d587fe0fdf12943bd560867184626f4c5996c306e5d6ec27750805273a14b2994b63b9419c105f42bee56fd29c09b6

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
9ffb34ad897cbfb19fda40f0fec67a00

SHA1
b2c28dac061e18b5a0387850645ee576acf67aa0

SHA256
a9eb0855bc50fe0a6c5bcf81ed752dfad130bbed32a6dfcd30d88c649934b328

SHA512
3876baf5553ccd13363748fc1127ffff70768df9ad0e8b4de6adeae0bbc036db0dc6d6d6770993a6a8e2147d2d58a766e3d38f4e80f9298a861db3123d1e60d2

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
696ea17a77c5b4c223f99c378f174c7e

SHA1
950246e85b830c89d31af4fed35f32b16ad94f1f

SHA256
cf3a7dfcdc0f06c667b88966d20f0be353c9bf076739956930396abe6c481517

SHA512
cfe53511d590741ea2e2e6f1ef61ccb7db9e0a2b4ba7017ee77f4371ce639f50b5a3d2552cf59bcb554fc8bfbd6b8a28e242742e886e856ee6a865f5d8b58177

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
2c2e87361c6b9252b363095895974cbb

SHA1
d592f4d8ee7c3a59e8bb1434cdbb0a19279af9bf

SHA256
1b9f4030cd6df6adf04434b04228cf454154cf813053fd914c30b0bbd8b8ef1d

SHA512
d318763c5a10b493b5c635f5e4bb634c1f55c6e52fdc8ccfcfc77940480275c308fefc8f7b30c063657aa9538f4aed8841f3edd95c73758ccc63745a5fcb9ffc

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
c4f809c2c25e4de91c0443b761d24e5c

SHA1
06307446da3a9b3baa02736d3088e8744365a589

SHA256
ebccdeca6408bdb113c47f67a0772918f5ce08cd6c23be5e7f28b328f2a26012

SHA512
8cbcfaed7738700e81c809a032446e40139bb0dd2dfcb51df82f36ffcea7626e6fa4236898d43389e14885590be1d070c0731dffbd9dc1d6cebf8eece47cd926

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
fdde4a87e0d76498a076a9114d415dc8

SHA1
bee0156913cc5fc9b441cf559b2f03f86df54482

SHA256
f01e20fb741214d76f048ce3346c690e55c5fa20a475003de9bd4682de60b71b

SHA512
1bdb5a7ab10d58d822fb62cff67a2cc1f87b3de7e861866908d951e67422c67682f8429e231cf2fab048e3f8b490e16c6938ffcef15671c11d4f02560cc2528b

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
8797d9290924cea84efaa375c41d3c70

SHA1
70f5b835bebf8c241fba6aeefa7a0a04c2e0a540

SHA256
30ec29df4e83ca197ed28bf986920103a65210cf65d0a94ac142daa1ed395cac

SHA512
cf1a690b3c9f94c9ccd6b94884703cc84224d93b00de12c0912de53f8a17c3b9bc97631ad88febc95006d36568535c5a3720a61fe7bb942ddea6df4b77025bcf

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
2336412907db3f9ca068e4909bbe530e

SHA1
fbbbbbffd912843a7eb72990cd9fd50683b5f970

SHA256
d8ac26c3c0ea1ebdcdaf0ad210944a740af4a62fe317c552dc3f5c83f45d717e

SHA512
e7083a6a37f85e4233b38bd807ab32db825de0e43272a2003fb0ca3e3ae3fe95a4b5c71691929e130b2cd0fe1970c1a74449688fe892f7017915a062bdc6b4c4

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
5d24616ad5e5ca08b149abf1e788c271

SHA1
5d871c831741502e308e74b408c6b89fd1f336e4

SHA256
ff0470e19457dc5afd99303261bbe3623d57ed8f5d2123b9b3fc5d5b20cd61e6

SHA512
b507f3dca8c9b34f78f4969b9483413f867df30af6eb92ecb5a217a63fc7924952350ee5f1c3e0006c377c8bcd9e85c765ec4c17edcaee4ea92dc35b3ccfc16a

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
57660f400b1c2de93b1f3fc4bc868093

SHA1
f15bcce13efa99d9f7399c4f54654254e8ed5f78

SHA256
32209a45846ca2a136630bc301966acdb14e7d31886085967d09754a619b7091

SHA512
e7b86e2b9612d30570be00577ff743f9bcf32d2c055fb755fc68e90db9235929247c68d77a5e966f1d06c645a5a41a96c9afbf486f6320e63cf1f2e372eebdcb

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
8025ed8f62cbff6f60ffb58713e19468

SHA1
9ae9ccbc9e452aee97fec4640d57a299cac056d8

SHA256
230eb1cd6b64875efc344bb09f9cf8de4e43973dee846f88e2e9da47dafbe09a

SHA512
ad125dfe39e64f19228b40f85b2889c5378e4f2704b540332ad74b89ef875eb28162f956c5636a197ab18aa2e5f8504fca8b8206d9b7464567831732f5175a52

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
250a09faa7d2018bf7eef60e9f263487

SHA1
e7ff74d2e71349c75ee6e0364a5b3f4b25bfe262

SHA256
09143bf7a91db81c936c2a2d3051b638b1f074bc62319c17f06fbc4eb9dafcf1

SHA512
42f104fa9724a793fa7824e38472f43f9dd4c26398ed19cd3e9943ff8dbdb59d040f6e8b09ad2c393e65bbaa6fd4e77ba422beec52bcc03b348aa97d13ac8d92

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
2ba64d01b77294d4e76628c0b0b05f88

SHA1
3bb0efd325066450dbfad1bd4217f90a41af0b69

SHA256
2b9888c3e49ab1b9e2c916793ac7e21f9748c7ec58a2e1eed524fe82ff84122f

SHA512
7a9a53abdc259c46dd750e9c36afe95160c9521d5b1017d5388f3e383c41b3f0ab0954431d2b6c8a29a873a19a5ef8528fb9e3e3826d0d60341464cff2c01e24

Download Submit
/Users/run/030ec1a7d7c28f0c6cab4c4c55281cb0_JaffaCakes118

Filesize
168KB

MD5
13ca26fb4eca87e2160209d47b31b93b

SHA1
c929ef25795723773cf347bc7e5e14ffb2821c3f

SHA256
c2d00b332d490eb25bf1446ae931b75501e5e202925b50e4f90321b7d32c0383

SHA512
8fce5037acbeb4513d3d42dc38d8930edc8c1e6610f3456a0cac592cbd355df895c1c58ab35bb65c4cfb281755884361e86a0a928f29753c0659bfd4a291b126

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
57f834ec14cdb359b2b68bbd1beef2e6

SHA1
2f091716d1953c325a8cbb5946148a424d13cb73

SHA256
4a390d866f2fdfe2d5fdbe65d7f5e5e9274142cb31946dd0fa2ff8c9481fb85b

SHA512
7c3a3e58f448710b1abb60018fe5946e3eb3188431ed9c4fa5b39d25883d5be6cce6ed2828fe12433c8b67914c6d6def7e8648b25da8924d98991233fc83299d

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
6333553ee325fedf01f8f4d1dd47051e

SHA1
51525da4e13c7f27ba658d38276432fda609ced7

SHA256
bee8635651f3993c1a991ed83c34ce2d32c710f710c6115e4c56197f3fd6d72b

SHA512
286313505c9794dc7b024785811790fc6db0093e6965ea26b7658ae47172ba5dc9fbb8fd92fbb00c002fd4b7ba4f868cafe180cf84481f08fa6c39b92f309f9a

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
ff0175090446f39dfcb1f5275b47054d

SHA1
ea3e713c2a6c4d01da97429b615475ab549d867d

SHA256
b30259982ff4e83c7251f00bebaa6bbd14c92d1b328e0704be345d4b8d7957d1

SHA512
78cc8a941e0e435a91e90beb57caedb5179f05db0c824683bedff179715373380fc57d4b3285b9f8663808452cec64cdb3c5de9254c20326bcfabcb446f5c4cf

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
c62a4101026c9f64d36b0a3b35451e63

SHA1
8aa1b850cb2fbcd371690908d89a8c51fe274e84

SHA256
07fe882f325bc38d574a44b461afce596dca00f3a7f102466454087bfaa67071

SHA512
499d120b90bbde98b2ccc29e08e4ef3bcab8cc724f88e59282f933101a5c8c63bb1036ed152c22ebea97ddb5cbdc5a7921b9ac3d96f38475377a9e1c498aad8b

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
106acc3f7e501bb502a057d11a1e6479

SHA1
3f5ebea5c6293212b833ec1dd506caf7aeab787d

SHA256
f5a9356bfeeb03ed24a2029a5cf2b65c1053b023fa8688c7bcc3d94f59270b0d

SHA512
2b134a2845c42c1358700c26f74e780a0af7022f13dce370cc2be7309864567f7dbb389f1a0a2ee14a1f7e0cc26ee5746ea5b20314398be3b41c470ba31f6baf

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
34431a96f83fb3d972781ceecf2ab6fd

SHA1
fc50b67ef0c6002d583e86f3c0ada6a31c4128ba

SHA256
0a05d1af2230acdab154d2adf9afa4847e4d1c625e2e5dc6816b5436ac7fcdea

SHA512
1c7e5ba4e130beb39fe482caa73c5fba9b30ca6cefebf600fde1005c067cc7966da097fd384c44bc436eb9e0e7ce4df7ecb6c0be7515067e1d0a566b5c3bfa2b

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
5742bf7f8bf1ea8d62f7bf5e8753ac0d

SHA1
88cd680649867e01ea5be8eaec6843e93222571c

SHA256
fb851472d182817106667a1c710cfce0cbf062d5f7c6d24d36aac424ddc24765

SHA512
e19ff19d2d428f611465791e7975f30c9eda2732982b51d4f744f46c75e6860d9e9ecd3bb1af0c0c95b8678c3fbb59fa61596d31531887fe4627756479e93080

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
c7b58f36b599caab129d859747547a85

SHA1
7bf04b83e3cfec2268277e98548befd4745fe7ec

SHA256
c490a07b19a9035dfb236645b425fa5c3279344d697a948f4b76d2e55147d785

SHA512
a866b80cfd76407c1bf50a6edefc4938fed90a280645be264ca38b1db1fe0f0b286532d7b489bbde95aa5f208cf33488a5e54fc4e5239b7dd51dbbd128e9b5b8

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
731d3462e80422a739b3b1787ea4e9bc

SHA1
f66d3f5e253808c293be0c571720e621842b25bf

SHA256
fe8f6cb5999229425d9f227b5d9fdd0052d25df5dfe800454efc50b703d10a10

SHA512
bcc7d86b7a55af3ff7246a81a2cdb713a1ff19c07417d3e0323eeac5031c28003678e8fe4c9f8e6498888fd2b6ec5a2b2c33069b1f265c5e39aca850d1195cc0

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
b8e972c3bd14698634253c13c890412e

SHA1
b81aa3070846c9c1b57b7996e5e0239a651e7baa

SHA256
be63c01c2a3b8ac91f72b07338ee6c1c6fb72ae3381a99598d088941f09d059d

SHA512
a6219a9f39bd895927a476cd85000b21cdd319bab8b925eb1d8d204baffef83e22a2a77d21120d88abead6bbc65ab50f04278848b5f6d06db71d82859d3fc6e6

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
d157cb854c4bf6fd4b2c0d8f91fea7ee

SHA1
bd0ea5cd246e465e27951205326eb11541e53233

SHA256
40d2814a69ada9962f0b5154347745b5fc9fb6230981cd356ee1003de132de30

SHA512
badf35d097f322a70b0ec928198e81d3deca8d6a367577056026bc478da25a65e18532cd2230327f2faf16b35f1ed0c3191d0e1d31837a9ce17d551be1675390

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
5196d14b1b5c87ee6ca486d8ad1c2d73

SHA1
17190e2600a2f30e074a4eaacf50f6163dbace85

SHA256
06a424123bed1df3fc2ad58550766a3c17172746d769e790e829822f8e6817fe

SHA512
64e82428cbcf6a8fe7af963b24f46769bd7a531f8a08b51f5b7da1172660225946a85f3df6d1f80b2a55f658df5848e33a127f44f301f5f0bd462a327a45feaf

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
4e7a6cbaf7dd40d2f093ea2a77799917

SHA1
928919c64a29c9b7da73ea27661d80a110d8ff1e

SHA256
675393a55c1e01ff6b4030821fd61ea817e91aab06027fbb97f31e612cfaf7f2

SHA512
3a392902226c386b892fc93cceec332eac7c522fe079b3bad06d25a2ee365ec16aad34dae5403fdb8d0a0d88e7150315ff6c3240f34da02bd79040567b4c964b

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
3eaae820582a92ad3b7483f6ab706daf

SHA1
6fe79dd32394e20f44e1183bf9f096c52522d82f

SHA256
60aa8f5445b2da34f803638350d7fe2204d155649dabc523f279ac3a2366e709

SHA512
49ed65ded1690a7595577b47cc6b55895fc2a01c5fb3cabcd904ca3ec103f943e8e18742e5ef93ef202441ff32947a50ad416e7641e8335a02637d604c6b7c50

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
0c75524dd860297d2eaa971e4411e355

SHA1
f2891f22cc532b98d8bb685d047ace0e8a7c8e43

SHA256
07289b3406c213372694a7b3206da51e9a5b5cef179781879bbee90c8f99995c

SHA512
79fa5e28be28dbb339f685b1c5db6a8c705812fb90feb8fe17c6638348f358775efc7f78fbbb71123707ae5c5875f3a96fbc2b6dfc005aceb0b73aba7675de40

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
d1ff93143edcdca255f32fbb3a87618e

SHA1
c53a1b52177e73140a76c182f0ac54b705591067

SHA256
3df9faec79b60037b829a4b45652784882087e7af0def64f652e0f3dd854c968

SHA512
023bd954c8ba3808daf1a06c549b07bb89f43ed8da7921d7d49ba0ceb183b7b70b090ca709404398bc39c83e02e7de0b1727f7b37ef38765af305e34f9c7a656

Download Submit
/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1269.xml

Filesize
167KB

MD5
a645869f7bf432953f0292ca5fd17ad8

SHA1
9063c8541f8d4d81d301df8b359a30071d42b119

SHA256
04daf260c11cd34cd84f42fb5a47f1d5717d0b2f62b236826d7c3a6f0a1c9db9

SHA512
6449c45cd990750cf88cbf75b3320e6d972ba1b10dd8bb23835e1d298efb0b5d50399ad2c4be9d3d068619d645e544afc3245c66630da1878c8688811e76fca4

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit