Analysis
-
max time kernel
57s -
max time network
56s -
platform
macos-10.15_amd64 -
resource
macos-20240410-en -
resource tags
-
submitted
27-04-2024 17:21
General
-
Target
0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118
-
Size
168KB
-
MD5
0357e11dd1b803758eeed5a7e70543ac
-
SHA1
d049ca913035dab2a74fc55bf5ce2da6395cb363
-
SHA256
40997add87576eb71c90c70be76b613e1d529fe8c96b8c3e3c3ff70139fe5a71
-
SHA512
9063f2a3a51b5cf0c31be21590891663e38a8f895729f618dd31f13394870509ee431e9ca294deb0a3748933a7c2956ccde7c01178e5b8754d46a97b6d556069
-
SSDEEP
3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9ji40:5SeOQdaZNxtk8cqhSxvHY9
Malware Config
Signatures
-
EvilQuest
EvilQuest family.
-
EvilQuest payload 7 IoCs
-
Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
-
AppleScript 1 TTPs 2 IoCs
AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.
-
Resource Forking 1 TTPs 4 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
-
Launchctl 1 TTPs 4 IoCs
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118\""1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes1181⤵
-
/bin/zsh/bin/zsh -c /Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes1182⤵
-
-
/Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes118/Users/run/0357e11dd1b803758eeed5a7e70543ac_JaffaCakes1182⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.sysmond1⤵
-
/usr/libexec/sysmond/usr/libexec/sysmond1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportCrash1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.authtrampoline1⤵
-
/System/Library/Frameworks/Security.framework/authtrampoline/System/Library/Frameworks/Security.framework/authtrampoline1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/System/Library/CoreServices/ReportCrash/System/Library/CoreServices/ReportCrash agent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.cloudkeychainproxy31⤵
-
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportCrash.Root1⤵
-
/System/Library/CoreServices/ReportCrash/System/Library/CoreServices/ReportCrash daemon1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.TextInputMenuAgent1⤵
-
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.TextInputSwitcher1⤵
-
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.secinitd1⤵
-
/usr/libexec/secinitd/usr/libexec/secinitd1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.AddressBook.ContactsAccountsService1⤵
-
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.suggestd1⤵
-
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.knowledge-agent1⤵
-
/usr/libexec/knowledge-agent/usr/libexec/knowledge-agent1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.routined1⤵
-
/usr/libexec/routined/usr/libexec/routined LAUNCHED_BY_LAUNCHD1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.Maps.mapspushd1⤵
-
/System/Library/CoreServices/mapspushd/System/Library/CoreServices/mapspushd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A1⤵
-
/usr/libexec/neagent/usr/libexec/neagent1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.siri.context.service1⤵
-
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.Terminal.21001⤵
-
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal1⤵
-
/usr/bin/loginlogin -pf run2⤵
-
/bin/zsh-zsh3⤵
-
/usr/libexec/path_helper/usr/libexec/path_helper -s4⤵
-
-
/usr/bin/localelocale LC_CTYPE4⤵
-
-
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.audio.systemsoundserverd1⤵
-
/usr/sbin/systemsoundserverd/usr/sbin/systemsoundserverd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.AccountPolicyHelper1⤵
-
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.audio.AudioComponentRegistrar1⤵
-
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.systemprofiler1⤵
-
/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information"/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information"1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.replayd1⤵
-
/usr/libexec/replayd/usr/libexec/replayd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.storedownloadd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.system_installd1⤵
-
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd1⤵
-
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.installd1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportMemoryException1⤵
-
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd1⤵
-
/usr/libexec/ReportMemoryException/usr/libexec/ReportMemoryException1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.Safari.CacheDeleteExtension 6491⤵
-
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
156B
MD501b0c64b6da559e231e8aac1fc5e8db1
SHA1b86a9ffcc8faa13814db043e795941a81870885a
SHA2569ecd92216819d2f1c7a15a3b45e720f64bf803e099fc904ee5caaf81d2625f68
SHA512a869a74593d178712a2d5c6b385d7c0eb4843e4fe3381716453c2440c04093863962a6338c18ea2d7954dbfd9fe8333df839d1cc47722a03fa7be72b4e228be0
-
Filesize
156B
MD5c1c3434d8dc3111e03fdc81353138da0
SHA1c6f47aa3f8fadc5b383e3190acd86398518a1c9c
SHA2569e7355eb294cce6ebe24cafb0f8a5ba93dd097b4a263d07116ff556eb187237a
SHA51284e6890b82361d6ecf58beb1c8659cade851c0362076a71723fb19cd609e6e024edd4390801dc7a0baaed6503085cf7b857b99f7668c1fc2ec6875d430a9f0ba
-
Filesize
156B
MD5106ba45eb4a2ad925c63943a02c5c7fe
SHA166199f919697ab466166fc24d0957b8cbf0a4e5c
SHA256575b6f750ebf69a427cdde09b12196f792f3127a27fef173f9d9326a6fda7b64
SHA5124c75f5dc6a800a71c84ec22f421c41f2f61835a84ac9c1db5d76f8333c467ac0fac052db1c4af5bdbd96645883c0c35e8477d2a175f6cc25af84b8ba4409aa62
-
Filesize
156B
MD52fb90cf2d2adf9c4d7d65b61217465c8
SHA1c34f79224f675f470f1e21b5e1a55569441b9742
SHA25696b2fc2595c3c120f44c0acdc2c8a568557ffc2a5611025bfd1f30a5949d7cee
SHA512dfbd4b742d1cb58b74425002a4df7eadc701d64821a27e6cb58d9cd16cca2467c2bdb906652f0ca4dc6f4ddd124c4ebbfb0d0f26482d0ca027ffcb48648e1530
-
Filesize
156B
MD51ddaf4a2d93f01ff56e0654315305dd0
SHA1599248929719b4b1bef86b896ddbd79a63b5a4d2
SHA2561f71e8b39f4e3e2631f00cde598aebff161e6fd18ab474ec00383f9c6f23f7d0
SHA5126497e83f9cb0b884932f6c999c386163b2483fb7cdd93d7ccd06a06bf5a860fb5464a09388d36a13c2e08ad9df8fc93b52ab22de703379c652aeb2bcf673d843
-
Filesize
168KB
MD5dfeb11dddd831fdda79827c7a127cf86
SHA1356b2904508ea1bebb05c16b1495550fb465e595
SHA256b936a4a21836f254611d10b75d4f6e76601c70d4e019f1f28a41e7df49b833c1
SHA512a8da9f386234c6aa04eb65416ebf6a92de76454970e3c16f7d364f1f3664ff073a19c0eae7b47085e052c6aa4650b13fda9121ffc67d199ecfa9ede9182bed77
-
Filesize
124KB
MD5afefcbb748b6b7ec346b175fdad47740
SHA1d8b840a08f655aba44143541ef0d57ed846fcd07
SHA2562c8036f0f774be5d2031ff0b379a6e343ada6c3eb8079da8d24ce0e422599bc1
SHA5124b144902911faea1b7c15aea949eb8a6437b99990a9c7b905aa2c2df286890f60c75be10ee80378f424c6e5a6305c3b0b648cf390853818637c359d046fe6500
-
Filesize
168KB
MD50d9dbff27c5e44d74e1bb4b521b2c8f4
SHA10da2d6409169e3d62a179cc012a247cade239cdf
SHA256c22c186c673b67ba8478d848b88e0fb1044c031d63c9fc057706332aad6e9c75
SHA512a769a48decb1a151f168281439aeaee69361cb90525e2d513acc25c32603a86d9a31603dc6d362dc04ee11ba7ac856880284baea9c0fdac449d61f88162f49b3
-
Filesize
168KB
MD598c7fa2e53c99a23894d10d0f110505c
SHA13e2ad5708b47a4f76a0ef6d73d79344bdf4a70b1
SHA2569a3b08b5d7dca95b9cb2f48bd34e87c9e41ad77a857e159c9f392492ad95d56c
SHA51224cc614d5ee73349a8910e1859658b9581fe860f9cdaadfc1ecef4a286fc7c747735ef949416e93d32e325816a71012caefa71219721c4563002be1824454d6c
-
Filesize
168KB
MD5a42ff835f590a04c046f235960664cfa
SHA12e77fa1769e4d65ecec9a444d76a61f457728a1e
SHA25659297e93e57cf60db2a610f918b7316470cd778c00c810a3e1bedcf03aa20937
SHA5128870098d95d28a82a12018ff6bf786278eb9d3531690cdd71c5f87e1bb4afc5573835ef95590520dac22b414994ed93da7cbd97ce3bb01282493a40c56af1f94
-
Filesize
168KB
MD5e1e3aa53d663e36325d6853a2c41ca3b
SHA1ad027ccc1c8781c18bf6e4d97f73192378655372
SHA25659f906d2e2b201431ef53809a696e3e68853e611aea0f127c681099a0418f523
SHA51217448965b6d941806f300124c6ab2dab749cfeb6d58230973458e90ec223a98d0133a35fbc4924cf1de93c512f16192f3278da94816e67ff30fa60e31c5f8583
-
Filesize
168KB
MD5d476204767970c4c1eb714e3775c6719
SHA16701657bfbc6a1aec2111a28bfa60c19df1f6864
SHA256d805a96bd13e30c2b5893af76cd3f7358a78a0fa168b3a5b8ffa08cfb11f735c
SHA5124490c4b8a88e0b9db1560d0a5d3280b55585598c1afa1eb2e1baaf7b25a622cb8ded1e73cfff5234d5b29fe81be1ec014261b994a1c97e2d9078d1fee3079350
-
Filesize
168KB
MD570701a3b06079e929af1f7e198ba95f2
SHA10d7ee3b58149b9164288ca0794183491f4915c3e
SHA2563c9f8c5259181f635e21cdcf9321fa8a5e4614b69c1882c16889e0a3f1032359
SHA512f6de695e1340c22e3870672641cd597f94af2bc8876b3eb24143373e9fbc3a76530f87af69adfae6e2b913b665d448a4257294f0dda38892e991afd1dc805563
-
Filesize
167KB
MD5a645869f7bf432953f0292ca5fd17ad8
SHA19063c8541f8d4d81d301df8b359a30071d42b119
SHA25604daf260c11cd34cd84f42fb5a47f1d5717d0b2f62b236826d7c3a6f0a1c9db9
SHA5126449c45cd990750cf88cbf75b3320e6d972ba1b10dd8bb23835e1d298efb0b5d50399ad2c4be9d3d068619d645e544afc3245c66630da1878c8688811e76fca4
-
Filesize
47KB
MD50e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA5121dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20
-
Filesize
4KB
MD5d3a1859e6ec593505cc882e6def48fc8
SHA1f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA2563ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818