Name: OSX_Proton_Files
Description: OSX/Proton bundled with a tampered version of Handbrake and Elmedia Player (https://objective-see.com/blog/blog_0x1D.html and https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/)
Value: Artifacts created by this malware
Query:
select * from file
  where path like '/Users/%/Library/RenderFiles/activity_agent.app/' OR
  path like '/Users/%/Library/LaunchAgents/fr.handbrake.activity_agent.plist' OR
  path='/tmp/Updater.app' OR path='/Library/.rand/updateragent.app' OR
  path='/Library/LaunchAgents/com.apple.xpcd.plist' OR
  path='/Library/.cachedir' OR
  path='/Library/.random';

Additional Query Info:
Version: 1.4.5
Platform: darwin
Interval: 3600
JSON:
{
  "queries": {
    "OSX_Proton_Files": {
      "query" : "select * from file \
        where path like '/Users/%/Library/RenderFiles/activity_agent.app/' OR \
        path like '/Users/%/Library/LaunchAgents/fr.handbrake.activity_agent.plist' OR \
        path='/tmp/Updater.app' OR path='/Library/.rand/updateragent.app' OR \
        path='/Library/LaunchAgents/com.apple.xpcd.plist' OR \
        path='/Library/.cachedir' OR \
        path='/Library/.random';",
      "interval" : "3600",
      "platform" : "darwin",
      "version": "1.4.5",
      "description" : "OSX/Proton bundled with a tampered version of Handbrake and Elmedia Player: (https://objective-see.com/blog/blog_0x1D.html and https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/)",
      "value" : "Artifacts created by this malware"
    }
  }
}