evilquest | 40997add87576eb71c90c70be76b613e1d529fe8c96b8c3e3c3ff70139fe5a71

Resubmissions

27-04-2024 17:21

240427-vw5zasdg6w 10

27-04-2024 13:26

240427-qptv8sbh61 10

Analysis

max time kernel
150s
max time network
138s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
27-04-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118
Size

168KB
MD5

0357e11dd1b803758eeed5a7e70543ac
SHA1

d049ca913035dab2a74fc55bf5ce2da6395cb363
SHA256

40997add87576eb71c90c70be76b613e1d529fe8c96b8c3e3c3ff70139fe5a71
SHA512

9063f2a3a51b5cf0c31be21590891663e38a8f895729f618dd31f13394870509ee431e9ca294deb0a3748933a7c2956ccde7c01178e5b8754d46a97b6d556069
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9ji40:5SeOQdaZNxtk8cqhSxvHY9

Score

10^/10

evilquest backdoor evasion execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 16 IoCs

Processes:

resource	yara_rule
/Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""

Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
evasion

Resource Forking
T1564.009

Processes:

ioc process

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

ioc	process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

Launchctl 1 TTPs 16 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118\""
1⤵
PID:565

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118\""
1⤵
PID:565

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118
1⤵
PID:565
- /bin/zsh
  /bin/zsh -c /Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118
  2⤵
  PID:566
- /Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118
  /Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118
  2⤵
  PID:566

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:567

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:567

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:571

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:571

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:592

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:592

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:593

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:593

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:594

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:594

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:595

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:595

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:596

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:596

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:596

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:597

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:597

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:597

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:598

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:598

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:598

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:599

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:599

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:599

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:600

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:600

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:600

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:601

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:601

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:601

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:602

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:602

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:603

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:603

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:605

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:605

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:607

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:607

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:608

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:608

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:609

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:609

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:609

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:617

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:618

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:619

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:619

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:621

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:621

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:622

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:622

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:623

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:623

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:624

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:624

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:625

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:625

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:627

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:627

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:628

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:628

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:629

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:629

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:630

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:632

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:632

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:633

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:633

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:633

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:639

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:639

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:641

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:641

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:641

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:642

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:642

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:643

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:643

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:643

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:645

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:645

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:646

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:646

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:646

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:647

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:647

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:648

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:648

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:648

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:649

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:649

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:650

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:650

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:651

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:651

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:651

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:652

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:652

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:653

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:653

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:653

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:662

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:662

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:663

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:663

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:663

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:664

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:664

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:665

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:665

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:665

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:666

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:666

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:667

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:667

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:667

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:668

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:668

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:669

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:669

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:669

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:670

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:670

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:671

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:671

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:671

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
77eecb5d1bdde1d8a01e6dd78fb5fb94

SHA1
197ee8306513d2b1dcb8ad91d529579813847c92

SHA256
196025c779f53abfc6cec5134d95af59f7ec8fc651795f217b7f07f7d787a6d4

SHA512
92dc9298d233c6ea4971e1858312bfc706953e0a52f37e230d3871920e3a66e052892262d1b085845a126148e7c7812bb20c8e9870695a0b1f4cc4bde5f382d6

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
5ab8e03f07fe01385679639134def00b

SHA1
96905b6ea53ee99a462c4b880beb2e69ddac1037

SHA256
d5634edfb08b4fc5fb3e3ac51c5d78b8156e289edb57e572eec2634363438f16

SHA512
930d9df78142a955d35009ab96ec59bc84897e265c39e4ee6bceeeab764e6552b80e2d3cd6e62f0cd0c1eb3d9f1e5fca6410cf2f497620d451832ae6c26475f9

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
38b107a5f1312f2a657acea405de0068

SHA1
aedc047fd5c29d7b8d2868303617c57da0d0d3b8

SHA256
617be24614d384b54c937f4c823379733cdb16f0830b0bd8d13c046f0f854550

SHA512
b489438b10588f8c238650e7a622a3fe5e9ee0b06d5b0589884b35733146c57ce910c8f582602c16737ad4d9ca0ad000e14d2bb9f31f90d22c0b40b7d9a0d77d

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
35f9137feb7e50f5297f82419fd8ff8c

SHA1
ffaa031517f072661e828f0c5fae4cfb189736f3

SHA256
d375891e627c1682680d63bd3b87c1097fc7021da4d324c783c6bee72d5b1047

SHA512
926072e8fdcafcef3cc12c5e6cf70ad66c0d61a94c2d43ded599a1769754f10e6bc61557c87153c10824b14c49e52d714a4c2fe44d5e424428c489ac01c835a2

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
22f5db365e39566cb965fb29a7e5c4ab

SHA1
e153f7f0037c9a0641194745cd3e37b61f1322b2

SHA256
fbdbe0223772635267c847c6ec0ada8fecba2b3a241d70e149a0a289e799e45a

SHA512
2700493fa3add6fafa298d9bd412fc8810e65e8699bd12c79b41adff53f27bf0fd0668a476e5b5465d55edeb0fb9074717d144bc70667ed976a9dd36de65de39

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
e2689dff5aee45fa693b832e30f37047

SHA1
51709a93532414433bdeaea710df62d1de3b26f2

SHA256
5f9d33d1ab9c55a7b847d7a24c2a1266168e80375ebbeda3a037b48e1e704899

SHA512
fab494375e42bfe8b9a650e7de610df7a4350856f176ec327da5d90349e62e01d14fd2cb12228f5f606fc115fc65200b6e814a76aca90ab37646009f9150ca13

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
57ff323114544ece7b142ac0e3724c17

SHA1
f8f361bbab253c8022d8e20beff3baddc41806eb

SHA256
704c1fa3526262de31d28a7393d62f04608e9344689bc5daf42902241a210319

SHA512
35f9624117dd75c28b3da16708ecb3a229670b32c4491fc7654f9cb4f6fa326d45807136c87c5028cd717d2c4a1e1b75e26c32edd44aa7c5afeeaa5f009569e3

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
a7538b5d61929ea484094292ea21a505

SHA1
05582984af418346be6f5cac45ec3c5ee089939f

SHA256
f120f5b405064e5a762682729b478459756b240042c19ed98bdd23af66d0d487

SHA512
1f71c197521c07b610a98b5ff88bb812afef17529e3f81da6c15e997f8f6346ed821e193f0263ffd6973b4d45bedced861e69f62938bd5879c3ccfe862451d27

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
dd47649af622c7b6316431059704d30f

SHA1
8afbc838d80a78278d43c920f1066096d9ead5c3

SHA256
5ebce3a1e1397fed2cb56d4a7c0899919334391ff1fc1954ecd54e217c7964b3

SHA512
9c64e4ce214ce92255c8dd042e5128e341469a9d2bcc07da41ad1ad64a9d9f7f5897fb0d02a1ea537f636032f3ce49419aa9b369a21cb043a67722422bae91bb

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
8265d680ab3a06ce80a639df1b36badf

SHA1
57334621b29f6d2ad889bfe8826e576f581433d5

SHA256
401807cafdcbed9727e5a3b404be320a65df96d00602fd28ced220709717a727

SHA512
6225c33833fa4e1377ba08ceab73096674629027608f34b8511997f63671dfc26b8eaa734111828a28bce1e3de61e5dfecde3c0d7b822f6082bedfb0fc4dc500

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
9b14469b2b0a57f34abd4cf7c940f233

SHA1
db077c2cd2644c03d23f7b8fa1d31b12c2bf8c5f

SHA256
4edf0b784b8142c5b5481167664dd47f327a237ff725c5e97acf2e821082b035

SHA512
68fc229ef3948b21b9412e333fe1ce3211dac3bd9e4700cf2ee1a05d609c0947b58473bad2801d8cb4dc872c3afe56e657b7fd75c5c6777afc56616b76067478

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
e68d8176aad7676ca3a0680e36258a00

SHA1
1d319fb3de89f6b0a87fb120ce311f7f67767a29

SHA256
d44f83eeecfb14d9c14c72c8dad03c57ddf413d798537c2dea1d80be8921b587

SHA512
977d0a1aa782d27456581adfadc5784f53e654e02a783b377b6b3c830512848adc699d8498e4fb96b9e3d16d037703e9e4f4d05a20c101b5eb4dd5a4db7aeafa

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
b33595862f9943ca7eef37c6f56aaf9d

SHA1
170bfa70f37f9f78e63e2d8cbd25165ba0df6c5e

SHA256
5295ca732844e6f0fbb72e7b016a9973b11a5b666966cd542e323195d81a1db0

SHA512
2b4671b4a3ee6361699bd7f18e998a4a1d8eed16eabeb102ef7606e37d77c9d6a6a721e55712c3f993dbc5f231f166301832c27365f7fdf297294f8c9220db10

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
c42df81a50b70b8959d84072a661b9be

SHA1
b357f9926fbac4dcf25e93e668fc647257314237

SHA256
925b8ad47021518381bac1920f645e56f325783f12db947cff5bd16042d4bf4d

SHA512
a6aa8930a00412b5491ae2a6ba7273b1e5b2b7af3d56b65d1f4965c61e179620963bf6c8bd76da294d3ff08bbd4033bfe57583cceb8b7066d92cfe136083c23b

Download Submit
/Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118

Filesize
168KB

MD5
fa391643c145e1054db8b05a09b24b7f

SHA1
b6361f457b5e11e3b167b9d57a90ae6ee710ae6e

SHA256
7dfc326b712e490ce0537da26916044aabb4102d0fd3ce433b4b1ed21347c7a8

SHA512
d9bb6b348e5dea329a09404d05b547cd9b8dd605fc14e5dac8b6e64b5d68cec0ca653860e497ee9ac2a19f973d936451bfcfcd90523bb6892553add0923ccc8b

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
727dd875fda82ccf3745f11d50aaa457

SHA1
a3f56fd41b1c7c62247651ac793a8e95d1e65700

SHA256
6e5f7aa636c9e5005127f62eb9d7acff35db74927ee7fde87894989be94f2436

SHA512
42e23d282e4ce7663996c65013bce6c9ad6aeca76c31316c06187e7d45820a14861b23f24ba77a45934cff100fce746622eee99782aa050d2dbbbfc4ac36de64

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
c021b14adba45a86ee5b34a5d8ea045b

SHA1
db9565acdacf538bf2bfcf7a5789f709489a8dbc

SHA256
0dfb38a5a5b81725a0d0bff5640166df841942f1b62b8703475ed72c209e3b77

SHA512
3471bf5f55495e36c817d3ce0a84c824707c32428bc2514be853f86e2496449db7c9ed346679aa5f916c35a1fea646bb604e25bf3e34fb98fbf86044b834773a

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
45956c66ab3b4fac3edfda051c4fd583

SHA1
e1a3193f4a1d46a0a75fb7ec2a1d5d47aa489bde

SHA256
9c1a4822c0bd2dd8c4dc13dbd1f6f8745c5d7c2aa14edc6a953e3381091129fd

SHA512
b416d304e38f8d3f1e7f878d11772a39363952e4d6ee189b885dc547b483263b75535d34e9469dada021ea18b971d2cfb40551f60762cb57f6040caf945387b9

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
fff7c0147582c1dd46d895d0bca471ac

SHA1
b28c6ff76d21aec8fce6e491b18940c2afc55384

SHA256
2dcc026fa8aefde795943ff68fcc5fde66710468a6d6f20c39f520941c4c6862

SHA512
fe3b140c42d02ec0d7597dfbad5fb0d412a2e4e190a5fc076d3026d11aef067255e101c99b30986a554a327e374eede966fdbcba22ef92e47e16584d56f263e7

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
84503d4bdd200cf28ed95a023de14056

SHA1
f18da4687bcc0309a4997e1ade2cfd36981b373f

SHA256
d37bb06c1a240f3e9bfe0e0019c8189932242d34f8133faf5c5beea6f3f2eb7f

SHA512
89985752491076f234c0c624ca443d10d42c8e25426af5b76b48cf7a93e2252f855d18fbb987f9295a05f41af400d909840e8ce47ad6ed29cad0b479929db292

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
45b0b48cd3fdda8d810e4bd638d24744

SHA1
176c1e258e34c43633c3d7cdab5cdda8102f98b5

SHA256
d6eb94308bb4c9c960ac57ca88775d21d4c76f5e11312fc33f6ecabdbf8af9ef

SHA512
b73533d9c7630c86ba5a9f2abeb7a7084117a882c07e0edcca822e51883ac1031839b52d071006086b1d13f8539475c164c92171d4b447732b0f179e3a118c82

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
bab778dd6b085c88a4972f1250664cb3

SHA1
5f9cd22a40f804a113600cec07911a636efeb089

SHA256
40b7520f78f22db28504ccbeb629d730828cbb6cd6e56d51f433a418bb5d75b4

SHA512
dac070fa1486ae32b382adefd572de59b607ce8a1c0e116135911f8a093b8fda2b75a5010dcccb75e19acc00923ed0669b823b607bba04939996bcdb8806ca89

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
5c6ef635a2f6fe15ab630800b3ba98e8

SHA1
02d6ad612e1fe64b5be6bdd0577c8ef702f4342a

SHA256
bfeee2ad5ab1b33ba731cbd2c97fea513ae35ad7939add519a07af0ac012d339

SHA512
b77849c5416d61f7d32f9616df8260c927e159d96f81ee126dbe3b444de45e7f1465e4ad4d30fe8d6cb6031e7483db222d4a4e64e85d5b50dc5ee4f8038725b6

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
236a468565fdf5649b2988933ff76822

SHA1
a7d0f4001ef1fccaf4040f8b584a5888412014d5

SHA256
2e484cceb64f27a62148cd77a1cb0a42e2424dab38a602e4e63abeb9317a63fb

SHA512
6d4a46e025a5391dc3696230f6559b038868681248e3652e274a0597ddb33bc353c1aa196712a1579d2a90e68be68ffb9d5f9603ddd63e3017dbda7b35966da0

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
4170e3804f0bce0fcaf0c7e8959713a7

SHA1
81231422808885ba93fec03f469b5e80cf64d206

SHA256
7d9608821b8f740b50345611d6a3956f08dfe5f75a65dd4f898d8a788546d145

SHA512
b407d5e703f5d597723e6e485d78b5f8b8c129bc242de9d9d0c9fcf25b9279de747ec19d37cfd192bdf312977248320c2049e25395819f3c8f1f89df6d4368ea

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
ebda788d2623e30a6acd8a442863066c

SHA1
d2977c80a28dfc2d95fad41bd78715f5996ad535

SHA256
9a8fc0cfa3a9a5d88e16d95ec2e7e2e94b9d0c8b0f8eae84d0e70d486bf3bee8

SHA512
8c9c9589ec6af828b380a1b1733e3c2a330e7bc5331b1f78d16c69ccc79ad7a91cf93f52129b848bde14f89600497e3ccce36781cb0921086f5f074083b14338

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
1bc94e75f7a322cea814959be5036c7c

SHA1
286ab0520d345f5f355427780938c483fe4fb001

SHA256
d5e7f3610e50bfe48158a45bb18e03608fcd2bc2d63405a4cabb916996e0e14c

SHA512
f9af9040d5a13297bce33301b867b4256ca960c8d4739c5e4adc801375a7e11e3c83810f58dba3c95e9649e4c916dfec4f299b783762aae46624782787ff920a

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
6c56be395c4811f0d86ebd0cd640bcb7

SHA1
6e541006924e0989e95d996f7f3d750937f38d3f

SHA256
6ca9752e52b52642413ca5b7e975b15e2424db544abe44c6a10612997587b65e

SHA512
c0834d6365c88282c5d3ad64baebaa645b6e17714e839f62d94b44486f88249c4f9c9d712a66cf1bab20f97eb9978251a75f1ea925e68e5cb92fcc943aaca0f4

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
c996b8d121605217b4d797ee4c41ea0c

SHA1
eb6d752dcc9636f14915b2563f1239d1741b53e5

SHA256
f0bf0fe18f32ebf34fd0373d96b0f93cca43555844710f13141b9df07323defd

SHA512
f9fa0a603c485764f0793be38ad6c03b031d35186784fca4181ee717086348bcbab48e615cd5331c93211bd18adb224a6e8437318446acc62180685f1f408b9d

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
766f7baa752df3e3e712766d0e505599

SHA1
3e8f75f0fe4df6adab11d1bfc4b8439b1ea916f4

SHA256
d017fb19a4bca1cdd38c4d5d9992d1f4b28b847b2ab98d76e6603376ae29e1ef

SHA512
c64ab2bce2b72aff49d0860de66f8d66e9a30130d1d9c3145e3ba58916dbf28ff31358953066df40d22d2dcb3fdc2e240477d5dd6bf1819f916c3f00cea5cf9f

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
11bf7e159a91c790ac23d9694e3fee53

SHA1
58bb4644cb69f667d3e7e5194875731225ed6477

SHA256
30a793a8dd7ab0383ec6b9f11aa54752a64e6013c4efd6a5226c840a45c57bc0

SHA512
43c05f65c347c9838fb0083e879fa8c9172908200015b3c3d0fb989d2c509396327f079c868740fe38c45e79fab75baeee37d0101d88660af31a945d6811d3d6

Download Submit
/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1269.xml

Filesize
167KB

MD5
a645869f7bf432953f0292ca5fd17ad8

SHA1
9063c8541f8d4d81d301df8b359a30071d42b119

SHA256
04daf260c11cd34cd84f42fb5a47f1d5717d0b2f62b236826d7c3a6f0a1c9db9

SHA512
6449c45cd990750cf88cbf75b3320e6d972ba1b10dd8bb23835e1d298efb0b5d50399ad2c4be9d3d068619d645e544afc3245c66630da1878c8688811e76fca4

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit