Analysis
-
max time kernel
146s -
max time network
141s -
platform
macos-10.15_amd64 -
resource
macos-20241106-en -
resource tags
-
submitted
29-12-2024 18:42
General
-
Target
2024-12-29_1ab0e94ac2722b394cff6a3d2ffb095b_adload_evilquest_rekoobe
-
Size
168KB
-
MD5
1ab0e94ac2722b394cff6a3d2ffb095b
-
SHA1
bb7f33c3d102bf23b491e9f54172589aff9e874b
-
SHA256
2a7a8064109e287ad883414e735095ff3fd2d29d31e899eadc57c3a336d995b9
-
SHA512
aea4a274f319bccac3a844bb8221ffbc9b47c75969e574deb7a3422acdf606c3ebbba5fa5ce0a5bb340e3d739e2f643fc79981c3f3167b77bf815561de182707
-
SSDEEP
3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9x0:5SeOQdaZNxtk8cqhSxvHY9
Malware Config
Signatures
-
EvilQuest
EvilQuest family.
-
EvilQuest payload 2 IoCs
-
Evilquest family
-
Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
-
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
-
AppleScript 1 TTPs 8 IoCs
AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.
-
Resource Forking 1 TTPs 2 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
-
Launchctl 1 TTPs 16 IoCs
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/2024-12-29_1ab0e94ac2722b394cff6a3d2ffb095b_adload_evilquest_rekoobe\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/2024-12-29_1ab0e94ac2722b394cff6a3d2ffb095b_adload_evilquest_rekoobe\""1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/2024-12-29_1ab0e94ac2722b394cff6a3d2ffb095b_adload_evilquest_rekoobe1⤵
-
/bin/zsh/bin/zsh -c /Users/run/2024-12-29_1ab0e94ac2722b394cff6a3d2ffb095b_adload_evilquest_rekoobe2⤵
-
-
/Users/run/2024-12-29_1ab0e94ac2722b394cff6a3d2ffb095b_adload_evilquest_rekoobe/Users/run/2024-12-29_1ab0e94ac2722b394cff6a3d2ffb095b_adload_evilquest_rekoobe2⤵
-
-
/usr/libexec/pkreporter/usr/libexec/pkreporter1⤵
-
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd1⤵
-
/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"1⤵
-
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer1⤵
-
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.authtrampoline1⤵
-
/System/Library/Frameworks/Security.framework/authtrampoline/System/Library/Frameworks/Security.framework/authtrampoline1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/sh/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.nsurlstoraged1⤵
-
/usr/libexec/nsurlstoraged/usr/libexec/nsurlstoraged --privileged1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/Users/run/Library/osxmobiledata/com.apple.afsvcpd/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5ebff9f181582701261e3703dfda785ee
SHA114360180df1d12bb043d8f123ee173cfeb7c9e90
SHA256be48a45acbbb005da688c4cde86387fd4813a63a477be9d25ad8767150598f1e
SHA512c7b451226b2f30485c16b159b3694dc8ddb61c699462fff58e73d9413c0fc0b19058254ad1a632c34c8e9da761ba903fe3a9530bb8d8798b22cac9f29b639f52
-
Filesize
430B
MD53d269391b44f568c96f9f5a420609082
SHA1e2d49405da7ba6f883b366f71b6905b6ab556cae
SHA256261e6af4aec0840afe0b4c75c21353d7bc8d69ffb1d26db364f5475962381a12
SHA51281ae24faac0d2973a90b7ec7415273f95789fbbdeae164df6ffab10bfdfc4896d6ecf4d9b09ca13b2a151a385c59f48594d7b3d0df3b49e3bbc056f15908432c
-
Filesize
168KB
MD5aefb8bc67c65380d04d23519486729bb
SHA1197228d18374736c659534c03a34ffa514215efe
SHA256e6e77583ec8e9b67e4f71cd6e54051fff14e03c19acd085c119e29ff0fa5b47e
SHA51274373c0326aee085d76995adc54389adb0a2e163cf72d2b00ef76bbf987bc097ffeb8a987115e49fc28a040bbfd5ced4ee1bb2649bed2e1eaf54ed2011b64b5c
-
Filesize
54KB
MD564f469698e53d0c828b7f90acd306082
SHA1bcc041b3849e1b0b4104ffeb46002207eeac54f3
SHA256d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd
SHA512a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f