The migration assistant does not account for the developer tools installation.

I believe you can also get just the Xcode command-line tools, which is about 170 MB.

On one of the infected Macs, the launch agent file had a creation date in January of 2015.

That’s not strong evidence of the true creation date, though, as those dates can easily be changed.

The malware was extremely simplistic on the surface, consisting of only two files:

~/.client
SHA256: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044

~/Library/LaunchAgents/com.client.client.plist
SHA256: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3

The .client file was where things got really interesting.

In El Capitan, in terminal I just used gcc -v, it then said gcc wasn't available and asked if I wanted to install the command line Apple Developer Tools. Terminal session below:

Pauls-MBP:~ paulhillman$ gcc -v
xcode-select: note: no developer tools were found at '/Applications/', requesting install.

Interestingly, it has code to do this both using the Mac "screencapture" command and the Linux "xwd" command. It also has code to get the system's uptime, using the Mac "uptime" command or the Linux "cat /proc/uptime" command.

