AlienSpyRAT_B2856B11FF23D35DA2C9C906C61781BA.pcap
AlienSpyRAT_79E9DD35AEF6558461C4B93CD0C55B76.pcap
Pony_B5E7CD42B45F8670ADAF96BBCA5AE2D0.pcap
AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-OSXLion.pcap
AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-WinXP.pcap
As you can see, all of the Windows traffic captures have identical fields following the GZIP stream, while the OSX traffic carries different data. The jar files that carried the Pony Downloader payload did not have any other OSX malware packaged with them, and on OSX I saw no activity other than calling the C2 and writing to a randomly named timestamp file (e.g. VblVc5kEqY.tmp, which is updated with the current timestamp in Unix epoch format).
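A helper for the comparison described above, added here as an example and not code from the original post: it splits a captured TCP payload into the bytes before the GZIP member, the decompressed body, and the fields that follow the stream, so the trailing fields from several captures can be checked for equality. The sample payloads are constructed inline and are not taken from the listed pcaps.

```python
import gzip
import zlib
from typing import Iterable, Optional, Tuple

GZIP_MAGIC = b"\x1f\x8b"


def split_gzip_payload(payload: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Split a payload into (prefix, decompressed body, bytes after the GZIP stream).

    Returns None when no complete GZIP member is present (e.g. the stream is
    split across TCP segments and must be reassembled first).
    """
    start = payload.find(GZIP_MAGIC)  # first candidate member header
    if start < 0:
        return None
    # 16 + MAX_WBITS tells zlib to expect a gzip wrapper instead of raw zlib
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    try:
        body = d.decompress(payload[start:])
    except zlib.error:
        return None  # magic bytes were a false positive or the member is corrupt
    if not d.eof:
        return None  # truncated member: trailer (CRC32 + ISIZE) not yet seen
    # zlib stops at the end of the member; whatever follows is the trailing fields
    return payload[:start], body, d.unused_data


def trailing_fields_match(payloads: Iterable[bytes]) -> bool:
    """True when every payload carries identical bytes after its GZIP stream."""
    tails = set()
    for p in payloads:
        parts = split_gzip_payload(p)
        if parts is None:
            return False
        tails.add(parts[2])
    return len(tails) == 1


# Constructed sample payloads (hypothetical values, not from the captures above)
def _make(body: bytes, tail: bytes) -> bytes:
    return b"\x00\x01" + gzip.compress(body, mtime=0) + tail


WIN_A = _make(b"host=WIN-A;os=WinXP", b"\x00\x00\x00\x01\x02")
WIN_B = _make(b"host=WIN-B;os=Win7", b"\x00\x00\x00\x01\x02")
OSX = _make(b"host=mac;os=Lion", b"\x7f\xfe\x00")
```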