2b113d5e16249531d159cd960bee9e63bece5dcff62e3291aaf67549a64f9574

General

Target

2024-10-29_133328a2045926a25a7543519e128a7a_adload_evilquest_rekoobe
Size

337KB
MD5

133328a2045926a25a7543519e128a7a
SHA1

e18a8877a1d50666cf7dd7191d42ddea2f3546d1
SHA256

2b113d5e16249531d159cd960bee9e63bece5dcff62e3291aaf67549a64f9574
SHA512

9e04a832684ceac93a7c31b5e86ccc2cad4e29a1a8adceada7f38291cf2daf0a49cd40337553cb565e74d5ddda639d411f9346f2e9b16f423539fa25b15bd2d7
SSDEEP

6144:5SeOQdaZNxtk8cqhSxvHY9DSeOQdaZNxtk8cqhSxvHY9:5LOQdaDxq8cqavHYtLOQdaDxq8cqavHY

Score

5^/10

execution persistence

Malware Config

Signatures

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found

Launchctl 1 TTPs 16 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-10-29_133328a2045926a25a7543519e128a7a_adload_evilquest_rekoobe\""
1⤵
PID:485

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-10-29_133328a2045926a25a7543519e128a7a_adload_evilquest_rekoobe\""
1⤵
PID:485

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-10-29_133328a2045926a25a7543519e128a7a_adload_evilquest_rekoobe
1⤵
PID:485
- /bin/zsh
  /bin/zsh -c /Users/run/2024-10-29_133328a2045926a25a7543519e128a7a_adload_evilquest_rekoobe
  2⤵
  PID:486
- /Users/run/2024-10-29_133328a2045926a25a7543519e128a7a_adload_evilquest_rekoobe
  /Users/run/2024-10-29_133328a2045926a25a7543519e128a7a_adload_evilquest_rekoobe
  2⤵
  PID:486

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:488

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:488

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:488

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:513

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:513

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:514

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:514

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:515

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:515

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:516

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:516

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:517

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:517

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:517

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:518

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:518

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:518

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:519

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:519

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:519

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:520

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:520

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:520

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:521

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:521

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:521

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:522

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:522

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:524

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:524

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:525

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:525

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:526

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:526

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:527

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:527

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:527

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:535

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:535

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:536

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:536

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:536

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:540

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:540

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:541

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:541

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:544

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:544

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:545

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:545

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:548

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:548

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:549

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:549

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:550

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:550

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:551

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:551

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:552

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:552

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:553

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:553

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:553

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:555

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:555

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:559

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:559

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:560

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:560

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:564

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:564

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:565

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:565

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:565

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:566

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:566

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:567

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:567

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:568

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:568

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:569

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:569

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:569

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:570

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:570

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:571

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:571

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:572

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:572

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:573

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:573

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:573

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

System Services

1

T1569

Launchctl

1

T1569.001

Persistence

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Privilege Escalation

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads