{
	"id": "1c541ac7-fe29-459a-b7eb-ed8aba0a7d51",
	"created_at": "2026-04-06T00:13:05.127446Z",
	"updated_at": "2026-04-10T03:21:22.026021Z",
	"deleted_at": null,
	"sha1_hash": "853e1e524019370d45e90cdde175b67b8cb7e08d",
	"title": "Malware Analysis Spotlight: OSAMiner Uses Run-Only AppleScripts to Evade Detection - VMRay",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1062321,
	"plain_text": "Malware Analysis Spotlight: OSAMiner Uses Run-Only AppleScripts to Evade Detection - VMRay\nBy VMRay Labs\nPublished: 2021-01-14 · Archived: 2026-04-05 14:30:16 UTC\n\nThis week the team at SentinelLabs released an in-depth analysis of macOS.OSAMiner, a Monero mining trojan that has been infecting macOS users since 2015. The authors of macOS.OSAMiner used run-only AppleScripts, which made attempts at further analysis more difficult.\n\nIn 2020, the SentinelLabs team discovered that the malware authors were evolving their evasion techniques, adding more complexity by embedding one run-only AppleScript inside another. We analyzed one of the latest samples, “com.apple.4V.plist”, using VMRay Analyzer. In this Malware Analysis Spotlight, we showcase the key behaviors identified during the dynamic analysis.\n\nNote that at the time of analysis this sample of OSAMiner had a 2/60 detection rate on VirusTotal.\n\nOSAMiner Analysis\n\nThe “com.apple.4V.plist” file is placed in ~/Library/LaunchAgents by the original dropper and disguised as a property list configuration file (PLIST), while it is in fact a compiled AppleScript.\n\nStraight away, we see that a number of VMRay Threat Identifier (VTI) rules hit and the sample is classified as malicious. From the Overview Tab, we can see the main behaviors of the sample, including network connectivity, file dropping behavior, and system information gathering. Now we can dig deeper into each of these characteristics.\n\nhttps://www.vmray.com/cyber-security-blog/osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight/\nPage 1 of 7\n\nThe Network Tab shows multiple C2 connections. The first request to budaybu100001[.]com:8080 returns the second-stage URL, embedded in the response with the string “-=-=-=” as a marker. Interestingly, two URLs were returned. The second one might be a fallback or used by another variant of the family.\n\nThe second stage is another compiled AppleScript stored at ~/Library/11.png. All downloads are performed using curl, which is clearly visible in the Behavior Tab. The second stage is again executed using “osascript” and has two main tasks:\n1. Download and extract the third-stage mining payload\n2. Write the mining configuration (pools.txt, config.txt, cpu.txt)\n\nThe third stage is a zip file containing two dynamic libraries (dylibs) and finally a Mach-O binary, again disguised as a PLIST, which can be clearly seen in the Files Tab.\n\nIn addition, the second stage uses the system tool “caffeinate” to prevent the machine from going to sleep, while the first stage continuously queries the running processes for common AV programs using the ps command:\n\nsh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'\n\nAll of these actions are performed using sub-processes, so they can be observed in the process graph and process overview.\n\nAs we can see, this sample uses a different kind of evasion, using a rather uncommon file type, a compiled AppleScript, disguised as a PLIST file. This file type won’t have a problem running on a victim’s machine, but it is difficult for security teams to analyze because of the inherent obfuscation and the limited tooling available.\n\nRunning the sample in VMRay gives analysts an immediate view into the key behaviors, characteristics, and IOCs. Within 2 minutes of analysis time, analysts can see a majority of the sample’s behavior, compared to hours of manual reverse engineering. And for deeper analysis, the second and third stages are visible and available from the VMRay Analyzer Report.\n\nIOCs\n\nSample\ncom.apple.4V.plist\ndf550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8\n\nSecond Stage\n~/Library/11.png\nff9fa2ee1d42cbde7307c10907470e4950db5085d9cb43c3ade118da9bfe35c3\n\nThird Stage\n~/Library/Caches/com.apple.l0/ssl4.plist\n97febb1aa15ad7b1c321f056f7164526eb698297e0fea0c23bd127498ba3e9bb\n\nAV Detection Script embedded in First Stage\n~/Library/k.plist\n0cc04703ae218b0217e1b025de60cec82087e0774eb59b984419949cee5c2173\n\nContacted URLs\nhxxp://www.budaybu100001[.]com:8080\nhxxp://budaybu[.]com:8080/budaybu.png\nhxxp://ondayon[.]com:8080/ondayon.png (possibly backup URL)\nhxxp://budaybu[.]com:8080/ssl.zip\nbudaybu[.]com:8888 (mining pool address)\n\nList of Queried Processes\n360\nKeeper\nMacMgr\nLemon\nMalware\nAvast\nAvira\nCleanMyMac\n\nSource: https://www.vmray.com/cyber-security-blog/osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight/"
	],
	"report_names": [
		"osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight"
	],
	"threat_actors": [],
	"ts_created_at": 1775434385,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/853e1e524019370d45e90cdde175b67b8cb7e08d.pdf",
		"text": "https://archive.orkl.eu/853e1e524019370d45e90cdde175b67b8cb7e08d.txt",
		"img": "https://archive.orkl.eu/853e1e524019370d45e90cdde175b67b8cb7e08d.jpg"
	}
}