60ae9c4be38de0dc6d5c5754b9168e7289a2cbdaff67be2d3b44eed47d84c957

General

Target

05e2abaaf9048d461084793473970c11_JaffaCakes118
Size

168KB
MD5

05e2abaaf9048d461084793473970c11
SHA1

b351cd4d7c0531960ddfd5486830ffbad58adbc3
SHA256

60ae9c4be38de0dc6d5c5754b9168e7289a2cbdaff67be2d3b44eed47d84c957
SHA512

6972fc1b25d4ac294794f13ff00431ee95da06807b1418c4e6974c98def8a834a3e6209b0fddb95de185014788ace6e0b525315973b93b867dd2ebbf5abe7505
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9Z0:5SeOQdaZNxtk8cqhSxvHY9

Score

5^/10

execution persistence

Malware Config

Signatures

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""

Launchctl 1 TTPs 16 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"

/usr/libexec/xpcproxy
xpcproxy com.apple.systemstats.daily
1⤵
PID:482

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/05e2abaaf9048d461084793473970c11_JaffaCakes118\""
1⤵
PID:483

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/05e2abaaf9048d461084793473970c11_JaffaCakes118\""
1⤵
PID:483

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:484

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/05e2abaaf9048d461084793473970c11_JaffaCakes118
1⤵
PID:483
- /bin/zsh
  /bin/zsh -c /Users/run/05e2abaaf9048d461084793473970c11_JaffaCakes118
  2⤵
  PID:488
- /Users/run/05e2abaaf9048d461084793473970c11_JaffaCakes118
  /Users/run/05e2abaaf9048d461084793473970c11_JaffaCakes118
  2⤵
  PID:488

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:484

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:489

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:489

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:489

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:490

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0BF23177/OneDrive.app
1⤵
PID:491

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:512

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:512

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:512

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:513

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:513

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:514

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:514

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:515

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:515

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:516

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:516

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:517

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:516

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:517

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:517

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:518

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:518

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:518

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:519

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:519

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:519

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:520

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:520

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:520

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:521

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:521

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:521

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:522

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:522

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:530

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:530

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:533

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:533

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:535

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:535

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:536

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:536

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:536

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:541

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:541

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:542

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:542

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:543

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:543

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:544

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:544

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:547

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:547

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:548

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:548

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:549

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:549

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:550

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:550

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:550

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:555

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:555

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:561

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:561

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:562

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:562

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:563

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:563

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:564

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:564

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:567

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:567

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:568

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:568

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:568

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:569

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:569

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:570

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:570

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:571

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:571

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:572

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:572

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:572

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:573

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:575

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:575

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:576

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:576

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:576

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:577

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:577

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:578

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:578

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:578

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

System Services

1

T1569

Launchctl

1

T1569.001

Persistence

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Privilege Escalation

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads