christopheranderton · January 30, 2025 14:58
diff --git a/checkGFK.sh b/checkGFK.sh
 #!/bin/bash

 # Malicious Script Detection and Mitigation Script
 # This script checks for traces of the malicious AppleScript payload on macOS systems and removes them if found.
 # More info: https://rentry.co/ogf_malware

 # Global variable to track if anything suspicious is detected
 suspicious_found=false

 # Function to check and clean suspicious temporary files and directories
 check_and_clean_tmp() {
  echo "[+] Checking /tmp for suspicious artifacts..."
  local suspicious_files=(
    "out.zip"
    "*.sqlite"
    "*.sqlite-wal"
    "*.sqlite-shm"
  )

  for file in "${suspicious_files[@]}"; do
    find /tmp -name "$file" 2>/dev/null | while read -r line; do
      echo "    [!] Found: $line"
      suspicious_found=true
      read -p "    [?] Do you want to remove this file? (y/n): " confirm
      if [[ "$confirm" =~ ^[Yy]$ ]]; then
        rm -f "$line"
        alert_user "Artifact detected and removed: $line"
      else
        echo "    [!] Skipped removal of: $line"
      fi
    done
  done

  # Check for temporary directories matching the malicious pattern
  find /tmp -maxdepth 1 -type d -name '[0-9][0-9][0-9][0-9]' 2>/dev/null | while read -r dir; do
    echo "    [!] Found potential staging directory: $dir"
    suspicious_found=true
    if [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
      echo "    [!] Directory contains files."
      ls -la "$dir"
      read -p "    [?] Do you want to remove this directory and its contents? (y/n): " confirm
      if [[ "$confirm" =~ ^[Yy]$ ]]; then
        rm -rf "$dir"
        alert_user "Suspicious directory detected and removed: $dir"
      else
        echo "    [!] Skipped removal of: $dir"
      fi
    else
      echo "    [!] Directory is empty. Removing..."
      rm -rf "$dir"
      alert_user "Empty suspicious directory detected and removed: $dir"
    fi
  done
 }

 # Function to check system logs for suspicious curl activity
 check_logs() {
  echo "[+] Checking system logs for suspicious activity..."
  grep -i "http://81.19.135.54/joinsystem" /var/log/system.log 2>/dev/null | while read -r line; do
    echo "    [!] Suspicious network activity: $line"
    suspicious_found=true
    alert_user "Suspicious network activity detected: $line"
  done
 }

 # Function to check and kill running instances of the malicious script
 check_and_kill_processes() {
  echo "[+] Checking running processes for osascript or curl activity..."
  ps aux | grep -E 'osascript|curl' | grep -v grep | while read -r line; do
    echo "    [!] Found suspicious process: $line"
    suspicious_found=true
    local pid=$(echo "$line" | awk '{print $2}')
    echo "    [!] Killing process with PID: $pid"
    kill -9 "$pid" && alert_user "Suspicious process detected and killed: $line"
  done
 }

 # Function to alert the user when artifacts are detected
 alert_user() {
  local message="$1"
  echo "[ALERT]: $message"
  # Optional: Use macOS notifications (uncomment if desired)
  # osascript -e "display notification \"$message\" with title \"Malicious Activity Detected\""
 }

 # Function to provide a summary of the results
 provide_summary() {
  if [ "$suspicious_found" = true ]; then
    echo "
 [RESULT]: Suspicious activity or artifacts were detected and handled."
  else
    echo "[RESULT]: No suspicious activity or artifacts were found."
  fi
 }

 # Function to provide next steps if suspicious artifacts are found
 provide_guidance() {
  echo "
 [+] If suspicious artifacts or processes were detected and cleaned, take the following steps:
    1. Disconnect your machine from the internet if not already done.
    2. Change your passwords for potentially compromised accounts.
    3. Scan your system with antivirus software.
    4. Monitor your system for any unusual activity."
 }

 # Main script execution
 echo "[+] Starting detection and mitigation for malicious activity..."
 check_and_clean_tmp
 check_logs
 check_and_kill_processes
 provide_guidance
 provide_summary
 echo "[+] Detection and mitigation complete."
	#!/bin/bash

	# Malicious Script Detection and Mitigation Script
	# This script checks for traces of the malicious AppleScript payload on macOS systems and removes them if found.
	# More info: https://rentry.co/ogf_malware

	# Global variable to track if anything suspicious is detected
	suspicious_found=false

	# Function to check and clean suspicious temporary files and directories
	check_and_clean_tmp() {
	echo "[+] Checking /tmp for suspicious artifacts..."
	local suspicious_files=(
	"out.zip"
	"*.sqlite"
	"*.sqlite-wal"
	"*.sqlite-shm"
	)

	for file in "${suspicious_files[@]}"; do
	find /tmp -name "$file" 2>/dev/null \| while read -r line; do
	echo " [!] Found: $line"
	suspicious_found=true
	read -p " [?] Do you want to remove this file? (y/n): " confirm
	if [[ "$confirm" =~ ^[Yy]$ ]]; then
	rm -f "$line"
	alert_user "Artifact detected and removed: $line"
	else
	echo " [!] Skipped removal of: $line"
	fi
	done
	done

	# Check for temporary directories matching the malicious pattern
	find /tmp -maxdepth 1 -type d -name '[0-9][0-9][0-9][0-9]' 2>/dev/null \| while read -r dir; do
	echo " [!] Found potential staging directory: $dir"
	suspicious_found=true
	if [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
	echo " [!] Directory contains files."
	ls -la "$dir"
	read -p " [?] Do you want to remove this directory and its contents? (y/n): " confirm
	if [[ "$confirm" =~ ^[Yy]$ ]]; then
	rm -rf "$dir"
	alert_user "Suspicious directory detected and removed: $dir"
	else
	echo " [!] Skipped removal of: $dir"
	fi
	else
	echo " [!] Directory is empty. Removing..."
	rm -rf "$dir"
	alert_user "Empty suspicious directory detected and removed: $dir"
	fi
	done
	}

	# Function to check system logs for suspicious curl activity
	check_logs() {
	echo "[+] Checking system logs for suspicious activity..."
	grep -i "http://81.19.135.54/joinsystem" /var/log/system.log 2>/dev/null \| while read -r line; do
	echo " [!] Suspicious network activity: $line"
	suspicious_found=true
	alert_user "Suspicious network activity detected: $line"
	done
	}

	# Function to check and kill running instances of the malicious script
	check_and_kill_processes() {
	echo "[+] Checking running processes for osascript or curl activity..."
	ps aux \| grep -E 'osascript\|curl' \| grep -v grep \| while read -r line; do
	echo " [!] Found suspicious process: $line"
	suspicious_found=true
	local pid=$(echo "$line" \| awk '{print $2}')
	echo " [!] Killing process with PID: $pid"
	kill -9 "$pid" && alert_user "Suspicious process detected and killed: $line"
	done
	}

	# Function to alert the user when artifacts are detected
	alert_user() {
	local message="$1"
	echo "[ALERT]: $message"
	# Optional: Use macOS notifications (uncomment if desired)
	# osascript -e "display notification \"$message\" with title \"Malicious Activity Detected\""
	}

	# Function to provide a summary of the results
	provide_summary() {
	if [ "$suspicious_found" = true ]; then
	echo "
	[RESULT]: Suspicious activity or artifacts were detected and handled."
	else
	echo "[RESULT]: No suspicious activity or artifacts were found."
	fi
	}

	# Function to provide next steps if suspicious artifacts are found
	provide_guidance() {
	echo "
	[+] If suspicious artifacts or processes were detected and cleaned, take the following steps:
	1. Disconnect your machine from the internet if not already done.
	2. Change your passwords for potentially compromised accounts.
	3. Scan your system with antivirus software.
	4. Monitor your system for any unusual activity."
	}

	# Main script execution
	echo "[+] Starting detection and mitigation for malicious activity..."
	check_and_clean_tmp
	check_logs
	check_and_kill_processes
	provide_guidance
	provide_summary
	echo "[+] Detection and mitigation complete."