Analysis Report Nt7gLoFlYn
Overview
General Information
Detection
EvilQuest
| Score | Range | Whitelisted |
|---|---|---|
| 100 | 0 - 100 | false |
Signatures
Detected macOS EvilQuest ransomware
Yara detected EvilQuest Ransomware
Contains functionality related to in-memory code execution
Contains functionality related to key logging
Contains symbols with suspicious names likely related to anti-analysis
Contains symbols with suspicious names likely related to privilege escalation
Creates hidden Mach-O files
Deletes many files in the user directory
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Executes shell scripts with administrative rights
Executes the "sudo" command used to execute a command as another user
Might steal keychain information which contains credentials
Moves itself during installation or deletes itself after installation
Reads local browser cookies
Reads process information of other processes
Writes Mach-O files to atypical directories
Changes permissions of written Mach-O files
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Contains symbols with suspicious names likely related to well-known browsers
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Creates application bundles
Creates code signed application bundles
Creates hidden files, links and/or directories
Creates memory-persistent launch services
Creates system-wide 'launchd' managed services aka launch daemons
Creates user-wide 'launchd' managed services aka launch agents
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "security_authtrampoline" command used to authorize execution with root privileges (GUI prompt)
Explicitly loads/starts launch services
HTTP GET or POST without a user agent
Many shell processes execute programs via the execve syscall (might be indicative of malicious behavior)
Reads hardware related sysctl values
Reads launchservices plist files
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Reads the system's OS release and/or type
Reads the system's hostname
Reads user launchservices plist file containing default apps for corresponding file types
Uses AppleScript framework/components containing AppleScript-related functionality
Uses AppleScript scripting additions containing additional functionality for AppleScripts
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Uses Security framework containing interfaces for system-level user authentication and authorization
Writes 64-bit Mach-O files to disk
Writes RTF files to disk
Writes a file containing only its PID
Classification
Startup