Analysis of the Embedded Run-Only AppleScript

While several of the files associated with OSAMiner are Property List files, with the .plist file extension, only one is a legitimate Property List file, so we'll start there.

This file is simple, but gives away a key file used in these cryptojacking attacks. The array in lines 10-14 is very telling. The repeated use of osascript is highly unusual, which draws attention here, and also gives us the name OSAMiner, as this is using Open Scripting Architecture scripts to accomplish its goals. However, line 13 is what is especially interesting in this script, because it starts us down the path to truly analyzing this malware. This line is using do shell script to call the com.apple.4V.plist script in the ~/Library/LaunchAgents/ directory.

As it turns out, com.apple.4V.plist is not a Property List file, but a run-only AppleScript file. This file is a little more difficult to analyze; however, a little digging will uncover some hex code in this file. That, combined with the knowledge of Apple's magic strings at the beginning and end of an AppleScript, allows us to identify the second run-only AppleScript hidden in this file. This is a new trick for OSAMiner, compared to previous versions we have seen, and makes automated analysis of the malware even more difficult.
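The triage steps described above (spotting osascript in a LaunchAgent's ProgramArguments, recognising that a ".plist" is really a compiled AppleScript, and carving a second script out of a hex string using the start and end magic) can be scripted. The following is an added example written for this page, not code from the original post or from the OSAMiner analysis. It assumes the "FasdUAS " header, which every compiled AppleScript carries, and takes the trailing 0xFADEDEAD bytes as the end marker, which is an assumption based on public descriptions of the compiled-script format; the LaunchAgent plist and the fake script bytes are constructed here for illustration.

```python
"""Triage helpers for LaunchAgent plists and run-only AppleScripts.
Added example; file contents below are constructed, not real samples."""
from __future__ import annotations

import plistlib
import re

# Magic at the start of every compiled AppleScript (.scpt / run-only).
APPLESCRIPT_HEADER = b"FasdUAS "
# Bytes that terminate the script data (0xFADEDEAD); assumed from public
# descriptions of the compiled AppleScript format.
APPLESCRIPT_TRAILER = b"\xfa\xde\xde\xad"
# A run of at least 32 hex digits that is not adjacent to other hex digits.
HEX_RUN = re.compile(rb"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){16,})(?![0-9A-Fa-f])")

# Constructed LaunchAgent: the path mirrors the one named in the post.
SAMPLE_LAUNCHAGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.constructed</string>
  <key>ProgramArguments</key>
  <array>
    <string>osascript</string>
    <string>/Users/example/Library/LaunchAgents/com.apple.4V.plist</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def classify(data: bytes) -> str:
    """Say what a file really is, regardless of its extension."""
    if data.startswith(APPLESCRIPT_HEADER):
        return "compiled-applescript"
    if data.startswith(b"bplist00"):
        return "binary-plist"
    try:
        plistlib.loads(data)
        return "xml-plist"
    except Exception:
        return "unknown"


def osascript_args(plist_data: bytes) -> list[str]:
    """Return ProgramArguments entries of a LaunchAgent that mention
    osascript; an empty list means nothing flagged by this heuristic."""
    try:
        launch = plistlib.loads(plist_data)
    except Exception:
        return []
    args = launch.get("ProgramArguments", [])
    return [a for a in args if isinstance(a, str) and "osascript" in a]


def carve_embedded_applescripts(data: bytes) -> list[bytes]:
    """Decode every long hex run in `data` and return those that contain a
    complete compiled AppleScript (header ... trailer)."""
    found = []
    for m in HEX_RUN.finditer(data):
        try:
            decoded = bytes.fromhex(m.group(1).decode("ascii"))
        except ValueError:
            continue
        start = decoded.find(APPLESCRIPT_HEADER)
        if start < 0:
            continue
        end = decoded.find(APPLESCRIPT_TRAILER, start)
        if end < 0:
            continue
        found.append(decoded[start:end + len(APPLESCRIPT_TRAILER)])
    return found


def build_sample() -> bytes:
    """Constructed stand-in for a fake '.plist' that is really a run-only
    AppleScript carrying a second script as an embedded hex string."""
    version = b"1.101.10\x0e\x00\x00\x00\x00"
    inner = APPLESCRIPT_HEADER + version + b"INNER" + APPLESCRIPT_TRAILER
    return (APPLESCRIPT_HEADER + version + b"OUTER "
            + inner.hex().encode("ascii") + b" " + APPLESCRIPT_TRAILER)


if __name__ == "__main__":
    sample = build_sample()
    print("LaunchAgent osascript args:", osascript_args(SAMPLE_LAUNCHAGENT))
    print("fake .plist is really:", classify(sample))
    for script in carve_embedded_applescripts(sample):
        print("carved embedded script of", len(script), "bytes")
```

On a real host the same functions would be pointed at each file under ~/Library/LaunchAgents/ and at whatever those agents execute; `classify` catches the plist-that-is-a-script trick, and `carve_embedded_applescripts` recovers the hex-encoded second stage so it can be examined separately rather than relying on osascript to run it.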