OSX Snake

OS X port of Snake malware discovered by Fox-IT (https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/):

Query

select * from file
         where path = '/Library/LaunchDaemons/com.adobe.update.plist' OR
           path = '/Library/Scripts/installd.sh' OR
           path = '/Library/Scripts/queue' OR
           path = '/tmp/.gdm-socket' OR
           path = '/tmp/.gdm-selinux' OR
           path LIKE '/var/tmp/.ur-%%';

Additional Query Info

  • Version: 1.4.5
  • Interval: 3600

JSON

{
  "queries": {
    "OSX Snake": {
      "query": "select * from file where path = '/Library/LaunchDaemons/com.adobe.update.plist' OR path = '/Library/Scripts/installd.sh' OR path = '/Library/Scripts/queue' OR path = '/tmp/.gdm-socket' OR path = '/tmp/.gdm-selinux' OR path LIKE '/var/tmp/.ur-%%';",
      "interval": "3600",
      "platform": "",
      "version": "1.4.5",
      "description": "OS X port of Snake malware discovered by Fox-IT (https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/)",
      "value": ""
    }
  }
}