Analysis Overview
SHA256
89de80f56854848498d327699ebdf5778ef87e353b342b3f443d5aa8d9e0ae33
Threat Level: Known bad
The file 2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe was found to be: Known bad.
Malicious Activity Summary
EvilQuest payload
Evilquest family
Launch Agent
AppleScript
Resource Forking
Launchctl
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 04:46
Signatures
EvilQuest payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Evilquest family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 04:46
Reported
2024-06-06 04:49
Platform
macos-20240410-en
Max time kernel
148s
Max time network
137s
Command Line
Signatures
Launch Agent
AppleScript
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer | N/A | N/A |
| N/A | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" | N/A | N/A |
| N/A | launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" | N/A | N/A |
| N/A | /bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" | N/A | N/A |
Processes
/usr/libexec/xpcproxy
[xpcproxy com.apple.loginwindow.LWWeeklyMessageTracer]
/usr/libexec/xpcproxy
[xpcproxy com.apple.gkreport]
/usr/libexec/gkreport
[/usr/libexec/gkreport]
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
[/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer]
/usr/libexec/xpcproxy
[xpcproxy com.oracle.java.Java-Updater]
/usr/libexec/xpcproxy
[xpcproxy com.apple.systemstats.daily]
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe]
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]
/bin/zsh
[/bin/zsh -c /Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe]
/Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe
[/Users/run/2024-06-06_e69f2c7f3fb666740e328f2708bf3ae0_adload_evilquest_rekoobe]
/bin/sh
[sh -c sysctl -n hw.ncpu]
/bin/bash
[sh -c sysctl -n hw.ncpu]
/usr/sbin/sysctl
[sysctl -n hw.ncpu]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.authtrampoline]
/System/Library/Frameworks/Security.framework/authtrampoline
[/System/Library/Frameworks/Security.framework/authtrampoline]
/bin/sh
[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]
/bin/bash
[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]
/bin/launchctl
[launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]
/usr/libexec/xpcproxy
[xpcproxy afsvcpd]
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]
/bin/bash
[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]
/bin/launchctl
[launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]
/bin/sh
[sh -c sysctl -n hw.ncpu]
/bin/bash
[sh -c sysctl -n hw.ncpu]
/usr/sbin/sysctl
[sysctl -n hw.ncpu]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 20.52.64.201:443 | | tcp |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| GB | 17.250.81.67:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| DE | 51.116.246.105:443 | | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 2.21.189.171:443 | help.apple.com | tcp |
| GB | 2.21.189.171:443 | help.apple.com | tcp |