evilquest | b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

Analysis

max time kernel
146s
max time network
156s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
02-06-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mixed In Key 8.dmg
Size

10.4MB
MD5

58680abd58baca826c2029f32e5b78b3
SHA1

98040c4d358a6fb9fed970df283a9b25f0ab393b
SHA256

b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a
SHA512

be852ea2a0ce7a119392f6f28033dfcec27ac897f3479767287da8e5b2babd2cff95b94c399e64d5f219fbef3508a3a2f2b2f4346e057ddce416353825994d28
SSDEEP

196608:1kBu2wBiw00Bsqbxxf15AS2710A8O2RgXuHueFrs/7M+49/jhHh/:ig2whsQr5ASEcO28enS/7J4tT/

Score

10^/10

evilquest backdoor evasion execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 1 IoCs

Processes:

resource	yara_rule
/Users/run/Library/AppQuest/com.apple.questd	family_evilquest

Compromise Client Software Binary 1 TTPs 2 IoCs
Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server.
persistence

Compromise Host Software Binary
T1554

Processes:

ioc process

/Library/AppQuest/com.apple.questd
/Users/run/Library/AppQuest/com.apple.questd
File Permission 1 TTPs
Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

ioc	process
/Library/AppQuest/com.apple.questd
/Users/run/Library/AppQuest/com.apple.questd

Installer Packages 1 TTPs 2 IoCs

Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system.

persistence

Installer Packages

T1546.016

Processes:

ioc	process
/tmp/PKInstallSandbox.p2ElIK/Scripts/com.mixedinkey.installer.7kO6EH/postinstall /Users/run/setup.pkg /Applications / /
/bin/sh /tmp/PKInstallSandbox.p2ElIK/Scripts/com.mixedinkey.installer.7kO6EH/postinstall /Users/run/setup.pkg /Applications / /

Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""

Resource Forking 1 TTPs 7 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/B0A0CAA1-07B6-402E-A2CD-412E5F265D2E.activeSandbox/Root /
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd

Command and Scripting Interpreter 1 TTPs
Adversaries may abuse Unix shell commands and scripts for execution.
execution

Unix Shell
T1059.004

Launchctl 1 TTPs 8 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""

/bin/sh
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:527

/bin/bash
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:527

/usr/bin/sudo
sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
1⤵
PID:527
- /bin/zsh
  /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
  2⤵
  PID:528
- /usr/sbin/installer
  installer -pkg /Users/run/setup.pkg -target /
  2⤵
  PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:529

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:529

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
1⤵
PID:532

/usr/bin/bzip2
/usr/bin/bzip2 -f /var/log/wifi.log.0
1⤵
PID:531

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/B0A0CAA1-07B6-402E-A2CD-412E5F265D2E.activeSandbox/Root /
1⤵
PID:533

/tmp/PKInstallSandbox.p2ElIK/Scripts/com.mixedinkey.installer.7kO6EH/postinstall
/tmp/PKInstallSandbox.p2ElIK/Scripts/com.mixedinkey.installer.7kO6EH/postinstall /Users/run/setup.pkg /Applications / /
1⤵
PID:534

/bin/bash
/bin/sh /tmp/PKInstallSandbox.p2ElIK/Scripts/com.mixedinkey.installer.7kO6EH/postinstall /Users/run/setup.pkg /Applications / /
1⤵
PID:534
- /bin/mkdir
  mkdir /Library/mixednkey
  2⤵
  PID:535
- /bin/mv
  mv /Applications/Utils/patch /Library/mixednkey/toolroomd
  2⤵
  PID:536
- /bin/rmdir
  rmdir /Application/Utils
  2⤵
  PID:537
- /bin/chmod
  chmod +x /Library/mixednkey/toolroomd
  2⤵
  PID:538
- /Library/mixednkey/toolroomd
  /Library/mixednkey/toolroomd
  2⤵
  PID:540

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
1⤵
PID:541

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:542

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:542

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:543

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:543

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:545

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:545

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:546

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:546

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:549

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:549

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:550

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:550

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:551

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:557

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.installer.2124
1⤵
PID:558

/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.replayd
1⤵
PID:562

/usr/libexec/replayd
/usr/libexec/replayd
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:566

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.system_installd
1⤵
PID:567

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:568

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:568

/usr/libexec/xpcproxy
xpcproxy com.apple.security.agent
1⤵
PID:569

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
1⤵
PID:569

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 560
1⤵
PID:571

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:573

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:574

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authhost.00000000-0000-0000-0000-0000000186A6
1⤵
PID:575

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
1⤵
PID:575

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:578

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:578

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:593

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Unix Shell

T1059.004

System Services

T1569

Launchctl

T1569.001

Persistence

Compromise Host Software Binary

T1554

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Applications/Mixed In Key 8.app/Contents/Info.plist

Filesize
3KB

MD5
eb5ba03f7e18e66f902c3080682d4476

SHA1
f9fb20c25769bf24b717a18755d442b00f91ee9b

SHA256
25462eb1953770cb4b44669d2480c5b772a977de699caa181c408f20835790ab

SHA512
67f30b0ace358bf41322235c10262f44324f2b8e11b50702ff95afd52c39934edfcc16d7009332dd60cdfb4a416b1a375474637acfd58f319bc08cd987408dc5

Download Submit
/Library/InstallerSandboxes/.PKInstallSandboxManager/B0A0CAA1-07B6-402E-A2CD-412E5F265D2E.activeSandbox/Boms/com.mixedinkey.installer.bom

Filesize
99KB

MD5
0f07cb15d467adba0a80120ef583d92c

SHA1
9a66033fcbbd2c4a4ad82d173b7d686febcd7509

SHA256
977d7b35b060620e979cd8337ef0e4972afc08388986354b7a6b57763d0450d4

SHA512
e681f21eb24279dd9bf4f9c9f339f075e6e948d497fb42c4bf614425c4c62bae8fb9e71d9efc61a50f3d6957c211aaebbc20d36836a0d212d96950c252f93561

Download Submit
/Library/InstallerSandboxes/.PKInstallSandboxManager/B0A0CAA1-07B6-402E-A2CD-412E5F265D2E.activeSandbox/Scripts/com.mixedinkey.installer.7kO6EH//Scripts/._postinstall__

Filesize
82B

MD5
5f57248f8a15969f55f716d8e7ce1447

SHA1
2daf28e0b224464534eecc6576c5b87e05cad4a7

SHA256
03ee1b034d79af0d5bc807f1560e7ffd5554ff56fcf29a47b3ac5db4f7fa4eb5

SHA512
2d9a3e97a5b991d9d22ef5e008f1828b9a7f8b8aa35111250edf45f9ed3f772378119f2a8c18cf5d1141f34d0b04200eadc7b75f1aaa57e0c15083c28f73c5c7

Download Submit
/Library/LaunchDaemons/com.apple.questd.plist

Filesize
435B

MD5
a3d34532a7dd2cd1d73cea75deb0677f

SHA1
3019d1c50907fb2597121c03619990c5670ff6f4

SHA256
779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735

SHA512
52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

Download Submit
/Users/run/Library/AppQuest/com.apple.questd

Filesize
85KB

MD5
322f4fb8f257a2e651b128c41df92b1d

SHA1
efbb681a61967e6f5a811f8649ec26efe16f50ae

SHA256
5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b

SHA512
33c8cf815e4b37a3481c0ba4dfb14a4735a46575f6f70d5b351a8595e4ec8886224577c89c80d726f2e3d7cf2460d0cdd983379acb5fda0a9b7310f86c988e53

Download Submit
/Users/run/Library/LaunchAgents/com.apple.questd.plist

Filesize
423B

MD5
eb73619f4e724257ff0fd951883a30ae

SHA1
5032251e50b32e340d8171631a598596bad8991e

SHA256
6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4

SHA512
ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c

Download Submit
/private/var/db/receipts/com.mixedinkey.installer.plist

Filesize
258B

MD5
da06f538f503e5ffa32ea670b29e3953

SHA1
7f1457f4c186d7b381bc68511ae6fb585c50211e

SHA256
281ed5a371b57ac92639df67bb7f4d6b40472b66362b7427b7021666d3c5bbdf

SHA512
310b6ce620a51010fff897af8fe5896f49d8d083e7ecfaad26efb2c117c1c5fec6eae3d759d91be88dd86bef0d4234d69eb96ce31c4779ddbfc25a0e5f1b9bdf

Download Submit
/private/var/db/spindump/tailspin-trace.2024-06-02_00-03-47.tailspin

Filesize
16.9MB

MD5
83a0fd022bf084fe97ee13dc5aa59b1c

SHA1
1cf02b398059b1225fa4cbe8640b9f00534a7cb5

SHA256
ea44f8167dff83803752b6290e98a4265fd501e1f5c3bfc3e6ef1388e5570344

SHA512
2a7563079a61773c733bea2be0e2ea757a3706f30fd4eb8585409fb3f6d2667e4cf68655026adbed2925507ecc25fdd8a26226a58533fe260beeb45559bbd89c

Download Submit
/private/var/run/installd.commit.pid

Filesize
3B

MD5
37f0e884fbad9667e38940169d0a3c95

SHA1
945335a6aaa02e8642218d06ddbb9073cb1e3d69

SHA256
8920a14a7f6469b955b114111564cb9736440238d220fc9fd525efdb9a056d3e

SHA512
0d9644d4343a61d259e61f380888142ebaecac451f732cbe67bf73a62489c8fa0c4ddc97a64860d66298a926ada5b4c9b4ed7f40e4cb16edbe25f957480fb866

Download Submit
/tmp/PKInstallSandbox.p2ElIK/Scripts/com.mixedinkey.installer.7kO6EH/postinstall

Filesize
190B

MD5
03fc4e3ef9bdbccd7ea68537970ce472

SHA1
7cc289badfe38c5677175fa38810e0e18c51e1d3

SHA256
abcce423690c96a06414f68090db40cbdaee12b67f90d1ca64bddbdc1d11d097

SHA512
6f089d9c977fabc18e0a599c8239200031b6eeed1fbbd2f8197bb82e7cdd8f695b220902bef49276c6b1ca8784ebc3503aba841146a4ce36b1b571703e832bf1

Download Submit