  1. #!/bin/bash
  2.  
  3. set -e
  4.  
  5. RED='\033[0;31m'
  6. GREEN='\033[0;32m'
  7. YELLOW='\033[1;33m'
  8. CYAN='\033[0;36m'
  9. NC='\033[0m'
  10.  
  11. echo "========================================"
  12. echo "OGF InfoStealer Detection Script v4.0"
  13. echo "========================================"
  14. echo ""
  15. echo "Based on: https://rentry.co/ogf_malware & rentry.co/ogf_malware_behavior"
  16. echo ""
  17.  
  18. DETECTIONS=0
  19. WARNINGS=0
  20.  
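echo "[1/12] Checking for known infected releases in Downloads..."
echo ""

DOWNLOADS_DIR="$HOME/Downloads"

# MD5 digests of known infected release files, '|'-separated.  Each
# .dmg/.iso in Downloads is hashed and looked up here for an exact match.
# (Assumed to be MD5 of the whole download: the values are 32 hex chars
# and the source write-up lists them as release hashes — confirm against
# it if a match looks wrong.)  The original script defined this list but
# never used it.
KNOWN_MALICIOUS_HASHES="5f37ea4e9c38e3ab9b8ae9403dc92ed9|8c1ca9899a3850f0302f2b4c2b76237d|d7f8b30accdebbd343e0a63b05b2d527|ea795c69ff68af3ea67dbf5f841dac1a|5bf80ea3e65a3327504120d5833b3b6a|ac60b72617c8ce08931a4fd424ed4565|c30ad49debf39d1e73350ee06d370e59|bb300ba91a09ba23fbd7af43247ad4b3|d79d030e383eccaf3142e593b9ab074c|18590ff4d9eb846e9db01ab2cfd6537f"

# Product names the OGF campaign is known to repackage (extended regex).
# A name match is a weaker signal than a hash match: a genuine
# Parallels/CleanMyMac/Adobe download matches these patterns too.
KNOWN_MALICIOUS_NAMES="ParallelsDesktop|CleanMyMac|Adobe.*DC|Adobe.*Pro|Photoshop.*[0-9]|Premiere.*Pro|DaVinci.*Resolve|Final.*Cut.*Pro|PDF.*Expert|Capture.*One|Logic.*Pro|Office.*2024|Microsoft.*Office"

if [ -d "$DOWNLOADS_DIR" ]; then
    FOUND_INFECTED=0

    # -print0 / read -d '' keeps names with spaces or newlines intact, and
    # reading from process substitution (not `| while`) keeps the WARNINGS
    # updates in this shell instead of a throw-away subshell.
    while IFS= read -r -d '' f; do
        NAME=$(basename "$f")
        SIZE=$(ls -lh "$f" 2>/dev/null | awk '{print $5}')
        # BSD stat (macOS) first, GNU stat as the fallback.
        MOD=$(stat -f "%Sm" -t "%Y-%m-%d" "$f" 2>/dev/null || stat -c "%y" "$f" 2>/dev/null | cut -d' ' -f1)
        # macOS `md5 -q` prints the bare digest; `md5sum` is the GNU fallback.
        # Hashing a multi-GB image takes a moment, but the match is definitive.
        HASH=$(md5 -q "$f" 2>/dev/null || md5sum "$f" 2>/dev/null | cut -d' ' -f1)

        # Exact whole-line match against the hash list (grep -Fx).
        if [ -n "$HASH" ] && printf '%s\n' "${KNOWN_MALICIOUS_HASHES//|/$'\n'}" | grep -qFx -- "$HASH"; then
            echo -e "  ${RED}[KNOWN INFECTED RELEASE]${NC} $NAME ($SIZE, $MOD)"
            echo "    ^ MD5 $HASH matches a known OGF sample!"
            FOUND_INFECTED=$((FOUND_INFECTED + 1))
            WARNINGS=$((WARNINGS + 10))
        elif echo "$NAME" | grep -qE "$KNOWN_MALICIOUS_NAMES"; then
            echo -e "  ${RED}[KNOWN INFECTED RELEASE]${NC} $NAME ($SIZE, $MOD)"
            echo "    ^ On the OGF malware infected list!"
            FOUND_INFECTED=$((FOUND_INFECTED + 1))
            WARNINGS=$((WARNINGS + 10))
        fi
    done < <(find "$DOWNLOADS_DIR" -maxdepth 2 \( -name "*.dmg" -o -name "*.iso" \) -print0 2>/dev/null)

    if [ "$FOUND_INFECTED" -eq 0 ]; then
        echo "  No KNOWN INFECTED releases found in Downloads."
    fi
fi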
  50.  
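echo ""
echo "[2/12] Checking for 'Open Gatekeeper Friendly' files..."
echo ""

# The OGF releases ship an "Open Gatekeeper Friendly" helper the user is
# told to run; the script treats anything over 500 KB as a binary payload
# rather than a small helper script.  `-iname "*gatekeeper*"` already
# covers the original second pattern "*Open*Gatekeeper*", so one pattern
# is enough.  Guard on the directory and on find's status: under `set -e`
# an unguarded `$(find missing-dir)` aborted the whole scan here.
if [ -d "$DOWNLOADS_DIR" ]; then
    OGF_FILES=$(find "$DOWNLOADS_DIR" -maxdepth 3 -iname "*gatekeeper*" 2>/dev/null || true)
else
    OGF_FILES=""
fi
if [ -n "$OGF_FILES" ]; then
    echo "  Found Open Gatekeeper Friendly files:"
    # Process substitution, not `| while`: the WARNINGS increments must
    # happen in this shell or they vanish with the subshell.
    while IFS= read -r f; do
        # Only regular files are sized; matching directories (e.g. an .app
        # bundle) are skipped, as in the original.
        [ -f "$f" ] || continue
        NAME=$(basename "$f")
        SIZE=$(ls -lh "$f" 2>/dev/null | awk '{print $5}')
        # BSD stat first (macOS), GNU stat as fallback, 0 if both fail.
        ACTUAL_SIZE=$(stat -f%z "$f" 2>/dev/null || stat -c%s "$f" 2>/dev/null || echo "0")
        if [ "$ACTUAL_SIZE" -gt 500000 ]; then
            echo -e "    ${RED}[SUSPICIOUS]${NC} $NAME ($SIZE) - Large binary (>500KB), likely MALICIOUS"
            WARNINGS=$((WARNINGS + 5))
        else
            echo -e "    ${YELLOW}[REVIEW]${NC} $NAME ($SIZE)"
        fi
    done < <(printf '%s\n' "$OGF_FILES")
else
    echo "  No 'Open Gatekeeper Friendly' files found."
fi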
  74.  
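echo ""
echo "[3/12] Checking for suspicious files in /tmp..."
echo ""

# The stealer stages collected data in a short, random-looking directory
# under /tmp.  Iterate the glob instead of parsing `ls`: the original
# pipeline ended in `grep -E`, which exits 1 when nothing matches and —
# under `set -e` — aborted the scan right here on every clean machine.
# The loop also runs in the current shell, so the DETECTIONS increment is
# not lost in a subshell.  This is a heuristic: legitimate tools create
# short alphanumeric directories too, which is why the contents are shown.
TMP_DIR_HITS=0
for FULL_PATH in /tmp/*; do
    [ -d "$FULL_PATH" ] || continue
    dir=${FULL_PATH##*/}
    # 4-10 lowercase alphanumerics, i.e. a machine-generated name.
    [[ "$dir" =~ ^[a-z0-9]{4,10}$ ]] || continue

    if [ "$TMP_DIR_HITS" -eq 0 ]; then
        echo "  Random-looking directories in /tmp:"
    fi
    TMP_DIR_HITS=$((TMP_DIR_HITS + 1))

    # `ls -A` is empty for an empty directory; `ls -la` is not (it prints
    # "total" plus . and ..), so -A is used for the emptiness test and
    # -la only for the preview.
    if [ -n "$(ls -A "$FULL_PATH" 2>/dev/null)" ]; then
        echo -e "    ${RED}[DETECTED]${NC} $FULL_PATH"
        echo "      Contents:"
        ls -la "$FULL_PATH" 2>/dev/null | head -5 | while IFS= read -r line; do
            echo "        $line"
        done
        DETECTIONS=$((DETECTIONS + 1))
    else
        echo "    $FULL_PATH (empty)"
    fi
done
if [ "$TMP_DIR_HITS" -eq 0 ]; then
    echo "  No suspicious random directories in /tmp."
fi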
  99.  
printf '\n'
printf '%s\n' "[4/12] Checking for suspicious /tmp/out.zip..."
printf '\n'

# The write-up names /tmp/out.zip as the archive the stealer builds from
# the collected data before upload; its presence alone counts as a strong
# indicator.
STAGING_ARCHIVE=/tmp/out.zip
if [[ -f $STAGING_ARCHIVE ]]; then
    printf '%b\n' "  ${RED}[DETECTED]${NC} /tmp/out.zip - MALWARE STAGE!"
    printf '%s\n' "    This is where the malware stages stolen data before exfiltration."
    DETECTIONS=$((DETECTIONS + 1))
else
    printf '%s\n' "  /tmp/out.zip not found (good)."
fi
  111.  
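echo ""
echo "[5/12] Checking for suspicious processes..."
echo ""

# Command lines the write-up associates with the stealer's collection and
# upload stage.  The original pattern had an unbalanced "(" — grep exited
# with a usage error, so this check could never fire.  `grep -v grep`
# drops this pipeline's own grep from the listing; `head` is the last
# stage, so the assignment never fails under `set -e`.  osascript+curl or
# ditto+tmp can also be legitimate automation, hence the listing so the
# user can judge.
SUSPICIOUS_PROCS=$(ps aux | grep -v grep | grep -iE "(osascript.*curl|curl.*POST.*file|ditto.*tmp)" | head -10)
if [ -n "$SUSPICIOUS_PROCS" ]; then
    echo -e "  ${RED}[DETECTED]${NC} Active malware process detected!"
    printf '%s\n' "$SUSPICIOUS_PROCS" | while IFS= read -r line; do
        echo "    $line"
    done
    DETECTIONS=$((DETECTIONS + 1))
else
    echo "  No active malware processes found."
fi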
  126.  
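echo ""
echo "[6/12] Checking for known malicious network connections..."
echo ""

# Exfiltration endpoints from the write-up (IPs and hostnames).  netstat -an
# prints numeric addresses only, so the hostnames never match here; they
# are kept for reference / manual DNS checks.
EXFIL_SERVERS="81.19.135.54|82.115.223.9|85.209.11.155|141.98.9.20|141.98.9.203|185.7.214.148|193.124.185.54|odyssey1.to|zblong.com|rgueapp.com"

echo "  Checking active connections against known exfil servers..."

# Remote-address column with the port stripped: macOS netstat prints
# "a.b.c.d.port", Linux prints "a.b.c.d:port", so drop a trailing ".NNN"
# or ":NNN" either way (the original `cut -d:` did nothing on macOS).
# `|| true` keeps set -e quiet when netstat is missing.
ACTIVE_CONN=$(netstat -an 2>/dev/null | grep ESTABLISHED | awk '{print $5}' | sed -E 's/[.:][0-9]+$//' | sort -u || true)
if [ -n "$ACTIVE_CONN" ]; then
    MALICIOUS_CONN=0
    # Process substitution, not `| while`: the original ran the loop in a
    # subshell, so DETECTIONS and MALICIOUS_CONN were reset afterwards and
    # "No connections to known exfil servers" printed even on a hit.
    while IFS= read -r ip; do
        # Exact whole-line match (grep -Fx).  The original used the IPs as
        # a regex, where "." matches any character and a substring match
        # also flags e.g. 185.209.11.155 for the 85.209.11.155 entry.
        if printf '%s\n' "${EXFIL_SERVERS//|/$'\n'}" | grep -qFx -- "$ip"; then
            echo -e "    ${RED}[DETECTED]${NC} Connection to KNOWN MALICIOUS SERVER: $ip"
            MALICIOUS_CONN=$((MALICIOUS_CONN + 1))
            DETECTIONS=$((DETECTIONS + 1))
        fi
    done < <(printf '%s\n' "$ACTIVE_CONN")

    if [ "$MALICIOUS_CONN" -eq 0 ]; then
        echo "  No connections to known exfil servers."
    fi
else
    echo "  Unable to check connections (netstat failed)."
fi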
  152.  
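echo ""
echo "[7/12] Checking launch agents/daemons..."
echo ""

# Persistence locations.  The original only looked at the per-user
# LaunchAgents; the system-wide agent and daemon folders are listable
# without root, so they are covered too.
LAUNCH_DIRS=(
    "$HOME/Library/LaunchAgents"
    "/Library/LaunchAgents"
    "/Library/LaunchDaemons"
)

for LAUNCH_DIR in "${LAUNCH_DIRS[@]}"; do
    [ -d "$LAUNCH_DIR" ] || continue
    # Glob instead of parsing `ls`; an unmatched glob stays as the literal
    # pattern, which the -e test filters out.
    AGENT_FILES=()
    for f in "$LAUNCH_DIR"/*.plist; do
        [ -e "$f" ] || continue
        AGENT_FILES+=("$f")
    done
    echo "  Found ${#AGENT_FILES[@]} launch items in $LAUNCH_DIR:"
    for f in "${AGENT_FILES[@]}"; do
        NAME=$(basename "$f")
        # Every item is listed.  The original hid names containing
        # adobe/microsoft/parallels/cleanmymac/davinci, but those are the
        # vendors the OGF releases impersonate, so a plist named after them
        # deserves a look rather than a free pass.
        echo "  [INFO] $NAME"
    done
done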
  170.  
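echo ""
echo "[8/12] Checking browser extensions for crypto theft..."
echo ""

echo "  The malware steals these crypto extensions:"
echo "    MetaMask, Ledger Live, Exodus, Atomic, Wasabi, Trezor, Binance, TON"
echo "  Checking for these in Chrome..."

# Only the "Default" profile of each browser is scanned; additional
# profiles ("Profile 1", ...) are not covered.
BROWSER_EXT_DIRS=(
    "$HOME/Library/Application Support/Google/Chrome/Default/Extensions"
    "$HOME/Library/Application Support/BraveSoftware/Brave-Browser/Default/Extensions"
)

# Extension IDs the stealer looks for, '|'-separated.  An installed
# extension lives in <Extensions>/<id>/..., so a directory test per ID is
# all that is needed.  The original passed this whole '|'-joined string
# to `find -name`, which is a glob pattern, so it could never match.
STOLEN_EXT="nkbihfbeogaeaoehlefnkodbefgpgknn|fhbohimaelbohpjbbldcngcnapndodjp|odpnjmimokcmjgojhnhfcnalnegdjmdn|jnlgamecbpmbajjfhmmmlhejkemejdma|aodkklnadndmjcnmkjhfamgmpcpfeghf"
IFS='|' read -r -a EXT_IDS <<< "$STOLEN_EXT"

for dir in "${BROWSER_EXT_DIRS[@]}"; do
    [ -d "$dir" ] || continue
    FOUND_EXT=""
    for ext_id in "${EXT_IDS[@]}"; do
        if [ -d "$dir/$ext_id" ]; then
            FOUND_EXT="$FOUND_EXT$dir/$ext_id"$'\n'
        fi
    done
    if [ -n "$FOUND_EXT" ]; then
        echo "  Found crypto extensions (could be legitimate):"
        printf '%s' "$FOUND_EXT" | while IFS= read -r f; do
            echo "    $f"
        done
        echo "  ^ These could be legitimate or stolen by malware."
    fi
done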
  198.  
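echo ""
echo "[9/12] Checking for Telegram data collection..."
echo ""

# "Telegram Desktop/tdata" is the folder the stealer copies.  This only
# reports that the folder exists (i.e. there is something to lose); it is
# not evidence of compromise.  `|| true` so a missing Application Support
# folder does not abort the scan under set -e, and `read -r` so backslashes
# in a path are printed as-is.
TELEGRAM_TDATA=$(find "$HOME/Library/Application Support" -maxdepth 3 -path "*Telegram Desktop/tdata*" -type d 2>/dev/null || true)
if [ -n "$TELEGRAM_TDATA" ]; then
    echo "  Telegram data folder found:"
    printf '%s\n' "$TELEGRAM_TDATA" | head -3 | while IFS= read -r f; do
        echo "    $f"
    done
    echo "  ^ This is what the malware targets!"
fi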
  211.  
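echo ""
echo "[10/12] Checking Downloads for known infected releases by hash patterns..."
echo ""

# Despite the heading this is a name/version match, not a hash match: the
# patterns are the release versions the write-up lists as infected.
# Check [1/12] already covers the same .dmg/.iso set with broader name
# patterns, so most of these files are reported twice and add 10 to
# WARNINGS each time; the summary totals reflect that.
if [ -d "$DOWNLOADS_DIR" ]; then
    echo "  Scanning for 99+ known infected releases..."

    # Process substitution keeps the WARNINGS updates in this shell.
    while IFS= read -r -d '' f; do
        NAME=$(basename "$f")
        SIZE=$(ls -lh "$f" 2>/dev/null | awk '{print $5}')

        case "$NAME" in
            # Exact product/version combinations on the infected list —
            # one arm instead of four identical ones.
            *ParallelsDesktop-20.1.2*|*ParallelsDesktop-20.2.0*|*ParallelsDesktop-20.2.1*|*ParallelsDesktop-20.1.1*|\
            *CleanMyMac*5.0.4*|*CleanMyMac*5.0.5*|\
            *PDF*Expert*3.10.18*|\
            *DaVinci*Resolve*Studio*19*|*DaVinci*Resolve*Studio*20*)
                echo -e "    ${RED}[INFECTED]${NC} $NAME ($SIZE) - ON KNOWN INFECTED LIST!"
                WARNINGS=$((WARNINGS + 10))
                ;;
            # Product families with infected builds in circulation, version
            # not pinned.
            *Adobe*|*Final*Cut*Pro*|*Logic*Pro*)
                echo -e "    ${YELLOW}[POTENTIAL RISK]${NC} $NAME ($SIZE)"
                WARNINGS=$((WARNINGS + 3))
                ;;
            *)
                ;;
        esac
    done < <(find "$DOWNLOADS_DIR" -maxdepth 2 \( -name "*.dmg" -o -name "*.iso" \) -print0 2>/dev/null)
fi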
  249.  
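echo ""
echo "[11/12] Checking Full Disk Access permissions..."
echo ""

# Full Disk Access is the TCC service kTCCServiceSystemPolicyAllFiles, so
# the query filters on it; the original selected clients for every service
# and labelled Calendar/Camera/etc. grants "Full Disk Access".
# NOTE(review): FDA grants normally live in the system-wide database under
# /Library, which is only readable as root, and opening either copy needs
# the terminal itself to hold FDA — so an unprivileged run often lands in
# the "not readable" branch.  Both locations are tried.
TCC_DBS=(
    "$HOME/Library/Application Support/com.apple.TCC/TCC.db"
    "/Library/Application Support/com.apple.TCC/TCC.db"
)
TCC_QUERY="SELECT client FROM access WHERE service = 'kTCCServiceSystemPolicyAllFiles' AND client NOT LIKE '%Apple%' AND client NOT LIKE '%com.apple%';"
FDA_APPS=""
for db in "${TCC_DBS[@]}"; do
    # `head` is the last stage, so this never fails under set -e even when
    # sqlite3 is missing or cannot open the file.
    ROWS=$(sqlite3 "$db" "$TCC_QUERY" 2>/dev/null | head -20)
    if [ -n "$ROWS" ]; then
        FDA_APPS="$FDA_APPS$ROWS"$'\n'
    fi
done
if [ -n "$FDA_APPS" ]; then
    echo "  Apps with Full Disk Access:"
    # Loop in this shell (not `| while`) so the WARNINGS increments survive.
    while IFS= read -r app; do
        [ -n "$app" ] || continue
        case "$app" in
            # Substring allow-list of expected holders; note a bundle id
            # that merely contains one of these words is skipped as well.
            *Terminal*|*Finder*|*Chrome*|*Safari*)
                ;;
            *)
                echo -e "    ${YELLOW}[REVIEW]${NC} $app"
                WARNINGS=$((WARNINGS + 1))
                ;;
        esac
    done < <(printf '%s' "$FDA_APPS")
else
    echo "  No unusual Full Disk Access entries found (or TCC.db not readable)."
fi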
  270.  
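echo ""
echo "[12/12] Checking Gatekeeper quarantine bypass..."
echo ""

# Browser downloads carry the com.apple.quarantine attribute, which is what
# makes Gatekeeper inspect them on first open.  A .dmg/.app/.pkg in
# Downloads without it was either fetched by a tool that does not set the
# flag (curl, some torrent clients, AirDrop) or had the flag stripped by
# hand — the step the OGF instructions have the user perform — so this is
# a prompt to look, not proof by itself.  On systems without the `xattr`
# tool every file is reported.
# The original pre-check piped `xattr` output into `grep -l` (which on
# stdin just prints "(standard input)") and skipped the real scan exactly
# when no file had the flag, i.e. the case it was meant to catch.  One
# find -exec per file is enough: print the path when xattr shows no
# quarantine attribute.  `|| true` keeps set -e quiet if Downloads is absent.
NO_QUARANTINE_FILES=$(find "$DOWNLOADS_DIR" -maxdepth 2 \( -name "*.dmg" -o -name "*.app" -o -name "*.pkg" \) -exec sh -c 'xattr "$1" 2>/dev/null | grep -q "com.apple.quarantine" || echo "$1"' _ {} \; 2>/dev/null || true)
if [ -n "$NO_QUARANTINE_FILES" ]; then
    echo -e "  ${RED}[GATEKEEPER BYPASSED]${NC} Files without quarantine flag:"
    printf '%s\n' "$NO_QUARANTINE_FILES" | head -5 | while IFS= read -r f; do
        NAME=$(basename "$f")
        echo "    $NAME"
    done
    WARNINGS=$((WARNINGS + 1))
fi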
  287.  
printf '\n'
printf '%s\n' "========================================"
printf '%s\n' "Scan Complete"
printf '%s\n' "========================================"
printf '\n'

# Verdict: any strong indicator (DETECTIONS) outranks any number of weaker
# ones (WARNINGS).  The action lists are the author's recommendations and
# are printed verbatim.
if [ "$DETECTIONS" -gt 0 ]; then
    printf '%b\n' "${RED}⚠️  CRITICAL: $DETECTIONS MALWARE INDICATORS DETECTED!${NC}"
    printf '\n'
    printf '%s\n' "IMMEDIATE ACTIONS:" \
        "1. DISCONNECT FROM INTERNET NOW" \
        "2. Run: sudo pkill -f osascript" \
        "3. Run: sudo rm -rf /tmp/[a-z0-9]* 2>/dev/null" \
        "4. Delete all pirated software from Downloads" \
        "5. Change ALL passwords (email, banking, crypto, etc.)" \
        "6. Consider reinstalling macOS"
elif [ "$WARNINGS" -gt 0 ]; then
    printf '%b\n' "${YELLOW}⚠️  Found $WARNINGS potential risk indicators.${NC}"
    printf '\n'
    printf '%s\n' "Recommended actions:" \
        "1. Delete pirated software from Downloads" \
        "2. Change important passwords as precaution" \
        "3. Enable 2FA on all accounts" \
        "4. Run Malwarebytes or Combo Cleaner"
else
    printf '%b\n' "${GREEN}✅ No obvious malware indicators detected.${NC}"
fi

printf '\n'
printf '%s\n' "Summary:" \
    "  - Critical Detections: $DETECTIONS" \
    "  - Warnings: $WARNINGS"

printf '\n'
printf '%s\n' "For cleanup instructions, see:" \
    "  https://rentry.co/ogf_malware"
printf '\n'
printf '%s\n' "Known infected releases count: 99+" \
    "Known malicious binaries: 24+"
  327.  