Xcode Ghost dropped files (http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/): Artifact used by this malware
Query:
select * from (
  select apps.bundle_short_version as xcode_version,
         apps.path as xcode_path,
         file.path,
         file.type as file_type
  from apps, file
  where apps.bundle_name='Xcode' and
        file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%')
) join hash using (path) where file_type = 'regular';

Additional Query Info:
Version: 1.4.5
Platform: darwin
Interval: 3600
JSON:
{
  "queries": {
    "XcodeGhost": {
      "query" : "select * from ( \
        select apps.bundle_short_version as xcode_version, \
        apps.path as xcode_path, \
        file.path, \
        file.type as file_type \
        from apps, file \
        where apps.bundle_name='Xcode' and \
        file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%') \
        ) join hash using (path) where file_type = 'regular';",
      "interval" : "3600",
      "platform" : "darwin",
      "version": "1.4.5",
      "description" : "Xcode Ghost dropped files (http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/)",
      "value" : "Artifact used by this malware"
    }
  }
}