Malware Analysis Report

2024-10-24 21:56

Sample ID 240606-fd7ylshg68
Target 2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe
SHA256 89de80f56854848498d327699ebdf5778ef87e353b342b3f443d5aa8d9e0ae33
Tags
evilquest evasion execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

89de80f56854848498d327699ebdf5778ef87e353b342b3f443d5aa8d9e0ae33

Threat Level: Known bad

The file 2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe was found to be: Known bad.

Malicious Activity Summary

evilquest evasion execution persistence

EvilQuest payload

Evilquest family

Launch Agent

AppleScript

Resource Forking

Launchctl

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 04:46

Signatures

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A

Evilquest family

evilquest

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 04:46

Reported

2024-06-06 04:49

Platform

macos-20240410-en

Max time kernel

148s

Max time network

137s

Command Line

[xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer]

Signatures

Launch Agent

persistence

AppleScript

execution
Description Indicator Process Target
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer N/A N/A
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck N/A N/A

Launchctl

execution
Description Indicator Process Target
N/A launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A /bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" N/A N/A
N/A launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A /bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" N/A N/A

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer]

/usr/libexec/xpcproxy

[xpcproxy com.apple.gkreport]

/usr/libexec/gkreport

[/usr/libexec/gkreport]

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer

[/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer]

/usr/libexec/xpcproxy

[xpcproxy com.oracle.java.Java-Updater]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemstats.daily]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]

/bin/zsh

[/bin/zsh -c /Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe]

/Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe

[/Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.authtrampoline]

/System/Library/Frameworks/Security.framework/authtrampoline

[/System/Library/Frameworks/Security.framework/authtrampoline]

/bin/sh

[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

Network

Country Destination Domain Proto
DE 20.52.64.201:443 tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
GB 17.250.81.67:443 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
DE 51.116.246.105:443 tcp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.21.189.171:443 help.apple.com tcp
GB 2.21.189.171:443 help.apple.com tcp

Files

N/A