evilquest | 7bf7c18042227ac254d6d33ec7de34c844a4cd1767932073f29bb8d31ab28db3

General

Target

010ca47900964fd8757bf7e84451225e_JaffaCakes118
Size

168KB
MD5

010ca47900964fd8757bf7e84451225e
SHA1

437737f33914283a52a05bbd21dc5282bc75f85a
SHA256

7bf7c18042227ac254d6d33ec7de34c844a4cd1767932073f29bb8d31ab28db3
SHA512

6bf0e6fabcc743c98b841a27aca05719ae41258e34338af1a0e7a5f404f89d99c6e3359070186844bd538cdbf48266dc4532718d325843f949cfb97471587ce4
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq95u0:5SeOQdaZNxtk8cqhSxvHY9

Score

10^/10

evilquest backdoor execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000000030008b667-1.dat	family_evilquest
behavioral1/files/0x000000030008b665-0.dat	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 10 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found

Launchctl 1 TTPs 20 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/010ca47900964fd8757bf7e84451225e_JaffaCakes118\""
1⤵
PID:476

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/010ca47900964fd8757bf7e84451225e_JaffaCakes118\""
1⤵
PID:476

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/010ca47900964fd8757bf7e84451225e_JaffaCakes118
1⤵
PID:476
- /bin/zsh
  /bin/zsh -c /Users/run/010ca47900964fd8757bf7e84451225e_JaffaCakes118
  2⤵
  PID:479
- /Users/run/010ca47900964fd8757bf7e84451225e_JaffaCakes118
  /Users/run/010ca47900964fd8757bf7e84451225e_JaffaCakes118
  2⤵
  PID:479

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:480

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:480

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:480

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:504

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:504

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:504

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:506

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:506

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:507

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:507

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:508

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:508

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:509

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:509

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:509

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:510

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:510

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:510

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:511

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:511

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:511

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:512

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:512

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:512

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:513

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:513

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:513

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:514

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:514

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:514

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:516

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:516

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:516

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:517

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:517

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:517

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:519

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:519

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:525

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:525

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:526

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:526

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:527

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:527

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:528

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:528

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:530

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:530

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:531

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:531

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:536

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:536

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:537

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:537

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:538

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:538

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:539

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:539

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:543

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:543

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:544

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:544

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:545

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:545

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:546

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:546

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:547

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:547

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:548

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:548

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:549

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:549

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:550

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:550

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:557

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:557

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:558

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:558

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:559

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:559

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:560

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:560

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:561

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:561

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:562

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:562

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:563

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:563

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:564

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:564

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:565

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:565

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:566

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:566

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:566

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

System Services

1

T1569

Launchctl

1

T1569.001

Persistence

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Privilege Escalation

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
13ec59902a25d3e2a32a9b5dce62d0e2

SHA1
1d58655ab6e99f46f16e909e1072f4444befdcbf

SHA256
ce5f6eea4bbe2b3d7d1936de02fa46a923ed17770ef3f6a6282392415efccd3c

SHA512
d45312c9fe4285a415afdd2f7f6c0148f53231741eff79bf7a1d82589f4e52d0062c9bb8828535f2c3f811d7bf58a494cc4febb549d0b53948a5bb910359af12

Download Submit
/Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist

Filesize
430B

MD5
3d269391b44f568c96f9f5a420609082

SHA1
e2d49405da7ba6f883b366f71b6905b6ab556cae

SHA256
261e6af4aec0840afe0b4c75c21353d7bc8d69ffb1d26db364f5475962381a12

SHA512
81ae24faac0d2973a90b7ec7415273f95789fbbdeae164df6ffab10bfdfc4896d6ecf4d9b09ca13b2a151a385c59f48594d7b3d0df3b49e3bbc056f15908432c

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
15bf27a1c73d6abd419884999a142b18

SHA1
28b7773cfb665ca465c62bf4b32e9c842b6edc36

SHA256
741c4dbc981110a26bb2a61d5515ddf54fa6ef70576ea64dd51704f4103e1bee

SHA512
175de29ffcaaf35a0fd2fe6b435707752deabc3e170691d238f9f353eb431e2a8a27080d64d69a9cf16c9b36ba46230bff57568ef92e18120cc223a340bbc5a8

Download Submit

Analysis

Sharing