XcodeGhost

Name: XcodeGhost
Xcode Ghost dropped files (http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/): Artifact used by this malware

Query:
select * from ( \
        select apps.bundle_short_version as xcode_version, \
          apps.path as xcode_path, \
          file.path, \
          file.type as file_type \
        from apps, file \
        where apps.bundle_name='Xcode' and \
          file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%') \
      ) join hash using (path) where file_type = 'regular';
Additional Query Info:
Version: 1.4.5
Platform: darwin
Interval: 3600

JSON:
{
  "queries": {
    "XcodeGhost": {
      "query" : "select * from ( \
        select apps.bundle_short_version as xcode_version, \
          apps.path as xcode_path, \
          file.path, \
          file.type as file_type \
        from apps, file \
        where apps.bundle_name='Xcode' and \
          file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%') \
      ) join hash using (path) where file_type = 'regular';",
      "interval" : "3600",
      "platform" : "darwin",
      "version": "1.4.5",
      "description" : "Xcode Ghost dropped files (http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/)",
      "value" : "Artifact used by this malware"
    }
  }
}

You must be logged in to post a comment.

Proudly powered by WordPress   Premium Style Theme by www.gopiplus.com