evilquest | ec520e951eebf4e7193b7279c460d7aeec4d44cc463e6bf5200c86c05d793cff

Analysis

max time kernel
142s
max time network
148s
platform
macos-10.15_amd64
resource
macos-20241101-en
resource tags

arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
23-12-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-23_1e096e830e4491cd79c35a0c46850f39_adload_evilquest_rekoobe
Size

1.8MB
MD5

1e096e830e4491cd79c35a0c46850f39
SHA1

3700d9aab3aa1ca3064ac15d822da2794da69e6c
SHA256

ec520e951eebf4e7193b7279c460d7aeec4d44cc463e6bf5200c86c05d793cff
SHA512

61f9780f6862be308373e76ad850f6c62a8572d2e8196a5e9f0c72f134c6646ed5eb60fc9c78848ed1172e5580ea6d34da177f2ed4b2b766f79405b37f794416
SSDEEP

6144:UtjZtjZtjvtjGtjZtjZtjZtjvtjGtjGtjZtjZtjvtjGtjZtjZtjZtjvttbSjIVg5:U33dQ333dQk33dQ333d7GGcTN

Score

10^/10

evilquest backdoor execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000000030008e5fa-1.dat	family_evilquest

Evilquest family
evilquest

Compromise Client Software Binary 1 TTPs 7 IoCs

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server.

persistence

Compromise Host Software Binary

T1554

ioc	Process
/Users/run/Library/AppQuest/com.apple.questd	Process not Found
/Users/run/Library/AppQuest/com.apple.questd	Process not Found
/Library/AppQuest/com.apple.questd	Process not Found
/Users/run/Library/AppQuest/com.apple.questd	Process not Found
/Library/AppQuest/com.apple.questd	Process not Found
/Library/AppQuest/com.apple.questd	Process not Found
/var/root/Library/AppQuest/com.apple.questd	Process not Found

Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 22 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"sudo /Library/AppQuest/com.apple.questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found

Launchctl 1 TTPs 50 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
launchctl start questd	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
launchctl start questd	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl start questd	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
launchctl start questd	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
launchctl start questd	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
launchctl start questd	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
launchctl start questd	Process not Found
launchctl start questd	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
launchctl start questd	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
launchctl start questd	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-12-23_1e096e830e4491cd79c35a0c46850f39_adload_evilquest_rekoobe\""
1⤵
PID:465

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-12-23_1e096e830e4491cd79c35a0c46850f39_adload_evilquest_rekoobe\""
1⤵
PID:465

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-12-23_1e096e830e4491cd79c35a0c46850f39_adload_evilquest_rekoobe
1⤵
PID:465
- /bin/zsh
  /bin/zsh -c /Users/run/2024-12-23_1e096e830e4491cd79c35a0c46850f39_adload_evilquest_rekoobe
  2⤵
  PID:466
- /Users/run/2024-12-23_1e096e830e4491cd79c35a0c46850f39_adload_evilquest_rekoobe
  /Users/run/2024-12-23_1e096e830e4491cd79c35a0c46850f39_adload_evilquest_rekoobe
  2⤵
  PID:466
- /Users/run/.2024-12-23_1e096e830e4491cd79c35a0c46850f39_adload_evilquest_rekoobe1
  2⤵
  PID:466

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:490

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:490

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:490

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:491

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:491

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:492

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:492
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:493
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:495

/usr/libexec/xpcproxy
xpcproxy questd
1⤵
PID:494

/usr/bin/sudo
sudo /Library/AppQuest/com.apple.questd --silent
1⤵
PID:494
- /Library/AppQuest/com.apple.questd
  /Library/AppQuest/com.apple.questd --silent
  2⤵
  PID:500

/bin/sh
sh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\""
1⤵
PID:497

/bin/bash
sh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\""
1⤵
PID:497

/usr/bin/osascript
osascript -e "do shell script \"sudo /Library/AppQuest/com.apple.questd\" with administrator privileges"
1⤵
PID:497

/bin/sh
/bin/sh -c "sudo /Library/AppQuest/com.apple.questd"
1⤵
PID:498

/bin/bash
/bin/sh -c "sudo /Library/AppQuest/com.apple.questd"
1⤵
PID:498

/usr/bin/sudo
sudo /Library/AppQuest/com.apple.questd
1⤵
PID:498
- /Library/AppQuest/com.apple.questd
  /Library/AppQuest/com.apple.questd
  2⤵
  PID:499

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:504

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:504

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:504

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:505

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:505

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:505

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:506

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:506
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:507
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:508

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:509

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:509

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:509

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:510

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:510
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:511
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:512

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:513

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:513
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:514
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:515

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:516

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:516

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:516

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:517

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:517

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:517

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:518

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:518
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:519
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:520

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:521

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:521
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:522
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:523

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:524

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:524

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:524

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:525

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:525
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:526
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:527

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:528

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:528

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:528

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:529

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:529

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:529

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:530

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:530
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:531
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:532

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:533

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:533
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:534
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:535

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:536

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:536

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:536

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:537

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:537
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:538
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:539

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:544

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:545

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:546

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:547

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:547

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:548

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:549

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:550

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:550

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Compromise Host Software Binary

T1554

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/LaunchDaemons/com.apple.questd.plist

Filesize
435B

MD5
a3d34532a7dd2cd1d73cea75deb0677f

SHA1
3019d1c50907fb2597121c03619990c5670ff6f4

SHA256
779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735

SHA512
52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

Download Submit
/Users/run/.CFUserTextEncoding

Filesize
314B

MD5
a24ea02ae4d3c8c7078802b59c5485ed

SHA1
1beceb8db2e2c6a8cb5a09a2f6c58663ed88dc4c

SHA256
82ef828c02995db4297672e3a55e87e68c2a64ae15e60868ab8a0c42b47b1c98

SHA512
ab261b3e2ba37c39bf81f72f04ea8d6bed77843631115765fa93f7d1c37be5f12cc49a2c3d95701f3d36d18bf3776ce9d7bd91b932856c62c338412a87252e4a

Download Submit
/Users/run/Library/AppQuest/com.apple.questd

Filesize
1.6MB

MD5
6b03e873c16736e84bcfede381174a3c

SHA1
a71e45d29dc6bc9b5a1fad2cec2c69114ec0f747

SHA256
3c4bbdcc063138a3e218b733309cb98587e1842d650d26bd9ada9481cc0348cf

SHA512
3ab73eba4f07bc5161412921b5fafe6cb5c2427fd70d0133807c096dd46b89b79190d23203c1400194423c35d6c74944509ad2ab80c9bf70af921186f9bf7934

Download Submit
/Users/run/Library/LaunchAgents/com.apple.questd.plist

Filesize
423B

MD5
eb73619f4e724257ff0fd951883a30ae

SHA1
5032251e50b32e340d8171631a598596bad8991e

SHA256
6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4

SHA512
ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c

Download Submit
/var/root/Library/LaunchAgents/com.apple.questd.plist

Filesize
422B

MD5
70c1e05ff6b32db6e1ef873321abd1f9

SHA1
16878e40cd5a569bc8f441988cc07b66ffc8534a

SHA256
ba60feb2a639cd847674e6599cabf986ede7876231a292785b0365d58b7b9378

SHA512
1e82629b3b1fa7bb88e7efe0393aee7114631555fbfe614d33b9b1efb4d299c35dac5e393f834dcc26a5e192e46e317124c0b841f65ab371819c34802424712e

Download Submit