sysJoker malware detection

mickl089
Contributor II

Hello world,

just a small script for the detection of sysJoker malware for your machines.
if you don´t know what i´m talking about: https://www.jamf.com/blog/sysjoker-malware-jamfs-got-you-covered/

Just make a new extension attribute with the following script with settings: script / general / script.

 

Spoiler

#!/bin/bash

###############
# Variables #
###############

user=`ls -la /dev/console | cut -d " " -f 4`
result=()
filesFound=0
suspiciousFiles=(
"/Library/MacOsServices"
"/Library/MacOsServices/updateMacOs"
"/Library/SystemNetwork"
"/Library/LaunchAgents/com.apple.update.plist"

)

###############
# Script #
###############

for suspiciousFile in "${suspiciousFiles[@]}"; do
echo "Looking for $suspiciousFile"
if [ -e "$suspiciousFile" ]; then
filesFound=$(expr $filesFound + 1)
result+=("$suspiciousFile")
fi
done

if [ $filesFound -ne 0 ]; then
echo "<result>"Yes: "${result[@]}</result>"
else
echo "<result>No</result>"
fi

exit

 

Afterwards, you can create a Smart Computer Group, which will immediately show you how many computers are infected in the Jamf Dashboard.

sysJoker infected / like / yes

 

 

Thank you for your attention 🙂




0 REPLIES 0