Posted on 01-20-2022 01:47 AM
Hello world,
Just a small script for the detection of SysJoker malware on your machines.
If you don't know what I'm talking about: https://www.jamf.com/blog/sysjoker-malware-jamfs-got-you-covered/
Just make a new extension attribute with the following script with settings: script / general / script.
```bash
#!/bin/bash

###############
#  Variables  #
###############
# Console user (kept from the original script; the checks below do not use it)
user=$(stat -f%Su /dev/console)
result=()
filesFound=0
suspiciousFiles=(
    "/Library/MacOsServices"
    "/Library/MacOsServices/updateMacOs"
    "/Library/SystemNetwork"
    "/Library/LaunchAgents/com.apple.update.plist"
)

###############
#   Script    #
###############
for suspiciousFile in "${suspiciousFiles[@]}"; do
    echo "Looking for $suspiciousFile"
    if [ -e "$suspiciousFile" ]; then
        filesFound=$((filesFound + 1))
        result+=("$suspiciousFile")
    fi
done

# Jamf reads the extension attribute value from between the <result> tags
if [ "$filesFound" -ne 0 ]; then
    echo "<result>Yes: ${result[*]}</result>"
else
    echo "<result>No</result>"
fi
exit 0
```
Afterwards, you can create a Smart Computer Group, which will immediately show you how many computers are infected in the Jamf Dashboard.
sysJoker infected / like / yes
Thank you for your attention 🙂
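
The path check from the script above, reworked as an added example (not part of the original post) so it can be dry-run against a constructed directory tree or a mounted volume before it is uploaded as an extension attribute. The function names and the optional root argument are assumptions; it goes slightly beyond the post by also flagging dangling symlinks and by separating hits with commas.

```shell
#!/bin/bash
# Added example, not from the original post. The function names and the
# ROOT argument are assumptions made for this illustration.

# Indicator paths copied from the script in the post, one per line.
SYSJOKER_PATHS='/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist'

# sysjoker_ea_result [ROOT]
# Prints the extension attribute line for the volume rooted at ROOT.
# With no argument (or "/") it checks the running system.
sysjoker_ea_result() {
    root="${1:-}"
    root="${root%/}"
    found=""
    while IFS= read -r p; do
        # -e follows symlinks, so test -L as well to catch dangling links.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            found="${found:+$found, }$p"
        fi
    done <<EOF
$SYSJOKER_PATHS
EOF
    if [ -n "$found" ]; then
        printf '<result>Yes: %s</result>\n' "$found"
    else
        printf '<result>No</result>\n'
    fi
}

# Dry run against a constructed directory tree (returns 0 when both the
# clean and the seeded case produce the expected line).
sysjoker_selftest() {
    tmp=$(mktemp -d) || return 1
    clean=$(sysjoker_ea_result "$tmp")
    mkdir -p "$tmp/Library/MacOsServices"
    : > "$tmp/Library/MacOsServices/updateMacOs"
    seeded=$(sysjoker_ea_result "$tmp")
    rm -rf "$tmp"
    [ "$clean" = "<result>No</result>" ] &&
        [ "$seeded" = "<result>Yes: /Library/MacOsServices, /Library/MacOsServices/updateMacOs</result>" ]
}

# As an extension attribute: report on the running system (or on "$1").
sysjoker_ea_result "${1:-}"
```

Calling `sysjoker_selftest` before deployment confirms that the output still begins with "Yes", which is what the Smart Computer Group criterion above matches on.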