Tuesday, October 10, 2017

jamf equals no privacy

jamf is used for managing Apple devices in the enterprise. However, it is a nasty little piece of software. It always sends online/offline status to the enterprise JSS endpoint. A few excerpts from /var/log/jamf.log:
Tue Oct 03 15:26:03 purgatory jamf[52]: Daemon starting
Tue Oct 03 15:26:05 purgatory jamf[363]:
There was an error.

Connection failure: "The Internet connection appears to be offline."

Tue Oct 03 15:26:06 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:26:06 purgatory jamf[407]: Could not connect to the JSS. Looking for cached policies...
Tue Oct 03 15:26:07 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:26:10 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:26:13 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:26:29 purgatory jamf[52]: Informing the JSS about login for user castiel
Tue Oct 03 15:26:38 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:27:12 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:27:17 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:27:38 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:27:56 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:28:03 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:28:04 purgatory jamf[2573]: Checking for policies triggered by "networkStateChange" for user "castiel"...
Tue Oct 03 15:28:04 purgatory jamf[2356]: Checking for policies triggered by "networkStateChange" for user "castiel"...
Tue Oct 03 15:28:04 purgatory jamf[2087]: Checking for policies triggered by "networkStateChange" for user "castiel"...
Tue Oct 03 15:28:07 purgatory jamf[2573]: Could not connect to the JSS. Looking for cached policies...
Tue Oct 03 15:28:07 purgatory jamf[2087]: Could not connect to the JSS. Looking for cached policies...
***
Wed Oct 04 20:02:06 purgatory jamf[13815]: Checking for policies triggered by "recurring check-in" for user "castiel"...
Wed Oct 04 20:02:10 purgatory jamf[13815]: Could not connect to the JSS. Looking for cached policies...
Wed Oct 04 20:05:33 purgatory jamf[52]: Network state changed, checking for policies...
***
Thu Oct 05 09:26:25 purgatory jamf[99672]: Checking for policies triggered by "networkStateChange"...
Thu Oct 05 10:04:40 purgatory jamf[52]: Informing the JSS about login for user root
***
Sat Oct 07 07:51:30 purgatory jamf[64843]: Checking for policies triggered by "networkStateChange" for user "castiel"...
Sat Oct 07 08:02:52 purgatory jamf[69647]: Checking for policies triggered by "recurring check-in" for user "castiel"...
Sat Oct 07 08:02:55 purgatory jamf[69647]: Executing Policy Enable local firewall
Sat Oct 07 08:02:56 purgatory jamf[69647]: Executing Policy Inventory Daily
Sat Oct 07 08:02:57 purgatory jamf[69647]: Executing Policy Update Username Field in Inventory
Sat Oct 07 08:29:25 purgatory jamf[52]: Network state changed, checking for policies...
Sat Oct 07 08:30:27 purgatory jamf[87635]: Checking for policies triggered by "networkStateChange" for user "castiel"...
Sat Oct 07 08:30:28 purgatory jamf[87262]: Checking for policies triggered by "recurring check-in" for user "castiel"...
Sat Oct 07 08:31:45 purgatory jamf[87635]: Could not connect to the JSS. Looking for cached policies...
Sat Oct 07 08:31:46 purgatory jamf[87262]: Could not connect to the JSS. Looking for cached policies...
Sat Oct 07 08:31:46 purgatory jamf[87262]: Executing Offline Policy Enable local firewall
Sat Oct 07 08:49:57 purgatory jamf[97458]: Checking for policies triggered by "recurring check-in" for user "castiel"...
Sat Oct 07 08:51:15 purgatory jamf[97458]: Could not connect to the JSS. Looking for cached policies...
Sat Oct 07 08:51:15 purgatory jamf[97458]: Executing Offline Policy Enable local firewall
Sat Oct 07 09:09:24 purgatory jamf[8836]: Checking for policies triggered by "recurring check-in" for user "castiel"...
Sat Oct 07 09:10:41 purgatory jamf[8836]: Could not connect to the JSS. Looking for cached policies...
Sat Oct 07 09:10:41 purgatory jamf[8836]: Executing Offline Policy Enable local firewall
***
Mon Oct 09 10:27:46 purgatory jamf[20026]: Checking for policies triggered by "recurring check-in" for user "castiel"...
Mon Oct 09 13:45:26 purgatory jamf[28409]: Checking for policies triggered by "recurring check-in" for user "castiel"...
Mon Oct 09 13:45:29 purgatory jamf[28409]: Executing Policy Inventory Daily
Mon Oct 09 14:16:56 purgatory jamf[28409]: Error running recon: Connection failure: "The request timed out."
Mon Oct 09 14:20:26 purgatory jamf[52]: Daemon shutdown completed
Mon Oct 09 14:20:26 purgatory jamf[52]: Daemon exiting
So every time the jamf-infected computer goes online or offline, a user changes to root, etc., Sauron will be notified about it. The more interesting part comes next.
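As an added example (not from the original post), a small Python parser for the jamf.log format above that tallies what the agent reports upstream: login notifications with the username, network-state checks, policy runs and failed JSS contacts. The sample lines are constructed from the excerpt and the event names are my own labels, not jamf's.

```python
import re
from collections import Counter

SAMPLE_LOG = """\
Tue Oct 03 15:26:06 purgatory jamf[52]: Network state changed, checking for policies...
Tue Oct 03 15:26:06 purgatory jamf[407]: Could not connect to the JSS. Looking for cached policies...
Tue Oct 03 15:26:29 purgatory jamf[52]: Informing the JSS about login for user castiel
Thu Oct 05 10:04:40 purgatory jamf[52]: Informing the JSS about login for user root
Sat Oct 07 08:02:52 purgatory jamf[69647]: Checking for policies triggered by "recurring check-in" for user "castiel"...
Sat Oct 07 08:02:55 purgatory jamf[69647]: Executing Policy Enable local firewall
Sat Oct 07 08:31:46 purgatory jamf[87262]: Executing Offline Policy Enable local firewall
Mon Oct 09 14:16:56 purgatory jamf[28409]: Error running recon: Connection failure: "The request timed out."
"""

# "Day Mon DD HH:MM:SS host jamf[pid]: message"
LINE_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) jamf\[(\d+)\]: (.*)$")

def parse_line(line):
    m = LINE_RE.match(line)  # continuation lines of a multi-line error do not match
    return None if not m else {"ts": m[1], "host": m[2], "pid": int(m[3]), "msg": m[4]}

def classify(msg):
    # Map a message to (event kind, detail) for the events the agent reports to the JSS.
    if msg.startswith("Informing the JSS about login for user "):
        return "login_reported", msg.rsplit(" ", 1)[1]
    if msg.startswith("Network state changed"):
        return "network_change", None
    m = re.match(r'Checking for policies triggered by "([^"]+)"', msg)
    if m:
        return "policy_check", m.group(1)
    m = re.match(r"Executing (Offline )?Policy (.+)", msg)
    if m:
        return ("offline_policy_executed" if m.group(1) else "policy_executed"), m.group(2)
    if "Could not connect to the JSS" in msg or "Connection failure" in msg:
        return "jss_unreachable", None
    return "other", None

def summarize(text):
    # Counts per event kind, plus the usernames reported and the policies executed.
    counts, logins, policies = Counter(), [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, detail = classify(rec["msg"])
        counts[kind] += 1
        if kind == "login_reported":
            logins.append(detail)
        elif kind.endswith("policy_executed"):
            policies.append(detail)
    return {"counts": dict(counts), "logins": logins, "policies": policies}
```

Run it over the real file with `summarize(open("/var/log/jamf.log").read())` to see exactly which usernames and policy names left the machine.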

It tracks all applications used by the users and the amount of time spent in each of them. That treasure is in the /Library/Application Support/JAMF/Usage folder. There will be folders like 2017-10-07, 2017-10-08, 2017-10-09. Looking inside one of those folders gives logs like (null).plist, idle.plist, castiel.plist, etc.

Let us see what castiel.plist has to offer.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>/Applications/Calendar.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>968</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>58112</string>
<key>version</key>
<string>9.0</string>
</dict>
<key>/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app</key>
<dict>
<key>foremost</key>
<string>1</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>55</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>4.1.08005</string>
</dict>
<key>/Applications/GIMP.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>2.8.18</string>
</dict>
<key>/Applications/GitHub Desktop.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>Hasty Things Done Hastily</string>
</dict>
<key>/Applications/Google Chrome.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>63.0.3223.8</string>
</dict>
<key>/Applications/Mail.app</key>
<dict>
<key>foremost</key>
<string>2</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>134</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>10.3</string>
</dict>
<key>/Applications/Notes.app</key>
<dict>
<key>foremost</key>
<string>1</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>27</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>4.4</string>
</dict>
<key>/Applications/Photos.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>2.0</string>
</dict>
<key>/Applications/Postman.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>5.2.1</string>
</dict>
<key>/Applications/Preview.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>9.0</string>
</dict>
<key>/Applications/Reminders.app</key>
<dict>
<key>foremost</key>
<string>1</string>
<key>open</key>
<string>54</string>
<key>secondsforemost</key>
<string>31</string>
<key>secondsopen</key>
<string>3272</string>
<key>version</key>
<string>4.0</string>
</dict>
<key>/Applications/Safari Technology Preview.app</key>
<dict>
<key>foremost</key>
<string>65</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>3920</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>11.1</string>
</dict>
<key>/Applications/Slack.app</key>
<dict>
<key>foremost</key>
<string>56</string>
<key>open</key>
<string>1892</string>
<key>secondsforemost</key>
<string>3381</string>
<key>secondsopen</key>
<string>113558</string>
<key>version</key>
<string>2.8.1</string>
</dict>
<key>/Applications/Sublime Text.app</key>
<dict>
<key>foremost</key>
<string>33</string>
<key>open</key>
<string>1662</string>
<key>secondsforemost</key>
<string>2026</string>
<key>secondsopen</key>
<string>99735</string>
<key>version</key>
<string>Build 3143</string>
</dict>
<key>/Applications/Utilities/Keychain Access.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>9.0</string>
</dict>
<key>/Applications/Utilities/Terminal.app</key>
<dict>
<key>foremost</key>
<string>1</string>
<key>open</key>
<string>1908</string>
<key>secondsforemost</key>
<string>9</string>
<key>secondsopen</key>
<string>114527</string>
<key>version</key>
<string>2.7.3</string>
</dict>
<key>/Applications/VLC.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>2.2.6</string>
</dict>
<key>/Applications/[...snip..]Crypt.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>1.xx</string>
</dict>
<key>/Applications/Xcode.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>9.0</string>
</dict>
<key>/Applications/iTunes.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>12.7</string>
</dict>
<key>/System/Library/CoreServices/CoreServicesUIAgent.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>168.3</string>
</dict>
<key>/System/Library/CoreServices/Finder.app</key>
<dict>
<key>foremost</key>
<string>1</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>55</string>
<key>secondsopen</key>
<string>114685</string>
<key>version</key>
<string>10.12.5</string>
</dict>
<key>/System/Library/CoreServices/SystemUIServer.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>1.7</string>
</dict>
<key>/System/Library/CoreServices/UserNotificationCenter.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>3.3.0</string>
</dict>
<key>/System/Library/CoreServices/loginwindow.app</key>
<dict>
<key>foremost</key>
<string>1685</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>101144</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>9.0</string>
</dict>
<key>/System/Library/Frameworks/ScreenSaver.framework/Resources/ScreenSaverEngine.app</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>5.0</string>
</dict>
<key>/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>9.0</string>
</dict>
<key>/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc</key>
<dict>
<key>foremost</key>
<string>0</string>
<key>open</key>
<string>1911</string>
<key>secondsforemost</key>
<string>0</string>
<key>secondsopen</key>
<string>114686</string>
<key>version</key>
<string>12603</string>
</dict>
<key>/private/var/folders/9m/_fh0czw947g8q7pdhxbfbjdh0000gn/T/AppTranslocation/AB999B43-95BD-4B9E-880D-6C59DFD81558/d/Base64.app</key>
<dict>
<key>foremost</key>
<string>1</string>
<key>open</key>
<string>72</string>
<key>secondsforemost</key>
<string>7</string>
<key>secondsopen</key>
<string>4344</string>
<key>version</key>
<string>1.0</string>
</dict>
</dict>
</plist>
Oops, now the pointy honchos know which applications I am using and for how long each day. New-age micro-management.
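An added example, not part of the original post: reading one day's usage plist with Python's plistlib and turning it into the figures a manager would read (apps ranked by foreground time, and each app's foreground share). The sample plist is constructed from three of the entries above; every counter is stored as a string, so the parser converts them, and the seconds-to-samples ratio is computed because it is close to 60 for every entry on the page, which suggests a once-a-minute poll (my inference from the data, not something the post states).

```python
import plistlib

# Constructed sample with the exact shape of the per-user plist above: every
# value is a <string>, even the counters. Three of the page's entries are kept.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>/Applications/Calendar.app</key>
<dict><key>foremost</key><string>0</string><key>open</key><string>968</string>
<key>secondsforemost</key><string>0</string><key>secondsopen</key><string>58112</string>
<key>version</key><string>9.0</string></dict>
<key>/Applications/Safari Technology Preview.app</key>
<dict><key>foremost</key><string>65</string><key>open</key><string>1911</string>
<key>secondsforemost</key><string>3920</string><key>secondsopen</key><string>114685</string>
<key>version</key><string>11.1</string></dict>
<key>/Applications/Slack.app</key>
<dict><key>foremost</key><string>56</string><key>open</key><string>1892</string>
<key>secondsforemost</key><string>3381</string><key>secondsopen</key><string>113558</string>
<key>version</key><string>2.8.1</string></dict>
</dict></plist>
"""

COUNTERS = ("foremost", "open", "secondsforemost", "secondsopen")

def load_usage(data):
    """One day's plist -> {app_path: {counter: int, "version": str}}."""
    usage = {}
    for app, rec in plistlib.loads(data).items():
        entry = {c: int(rec.get(c, "0")) for c in COUNTERS}
        entry["version"] = rec.get("version", "")
        usage[app] = entry
    return usage

def foreground_ranking(usage):
    """Apps ordered by seconds in the foreground, most used first."""
    return sorted(((app, r["secondsforemost"]) for app, r in usage.items()),
                  key=lambda t: t[1], reverse=True)

def sampling_interval(usage):
    """Seconds per 'open' sample. It comes out at about 60 for every entry on the
    page, which suggests the monitor polls the running-app list once a minute."""
    samples = sum(r["open"] for r in usage.values())
    return sum(r["secondsopen"] for r in usage.values()) / samples if samples else 0.0

def foreground_share(usage, app):
    """Fraction of the time an app was open during which it was the front window."""
    r = usage[app]
    return r["secondsforemost"] / r["secondsopen"] if r["secondsopen"] else 0.0
```

On a real machine, `load_usage(open("/Library/Application Support/JAMF/Usage/2017-10-07/castiel.plist", "rb").read())` gives the same structure for a whole day.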

The cure
The cure is very simple, however: turn off the jamf service. The next time we want to turn it on, say to see whether IT has pushed some clever software, clear all the logs beforehand and close all apps. Then load the daemon back:
sudo launchctl load /Library/LaunchDaemons/com.jamfsoftware.jamf.daemon.plist
sudo launchctl load /Library/LaunchDaemons/com.jamfsoftware.task.1.plist  # com.jamfsoftware.task.{n}.plist: check the folder for the correct number
Let the update get pushed to the system, then turn it off.
Also, as per policy, we cannot set the OS X firewall to stealth mode, blocking all connections. It automatically changes back to "on" mode, as the policy is forced down our throats.

Turn off jamf
sudo launchctl unload /Library/LaunchDaemons/com.jamfsoftware.jamf.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.jamfsoftware.task.1.plist  # com.jamfsoftware.task.{n}.plist: check the folder for the correct number

Also jamf can do screen sharing, with or without user consent if configured so. It is a RAT as well.


Update
After the daemon had been dead for a week, it is back up and running again. Most likely the above commands alone will not stop the jamf daemon. I doubt it is because of the com.jamfsoftware.startupItem.plist and /Library/LaunchAgents/com.jamfsoftware.jamf.agent.plist. We can check if this malware is running using
ps aux | grep jamf
# root 48968 0.0 0.0 xxx xxx ?? SN 0:00 0:00.11 /usr/local/jamf/bin/jamfAgent
# root 48834 0.0 0.1 xxx xxx ?? SNs 0:00 0:00.37 /usr/local/jamf/bin/jamf launchDaemon -monitorUsage -enforceRestrictions -monitorNetworkStateChanges
So to get rid of this, rename jamf rather than deleting it, because we still need it. Or remove the plists.
sudo su
cd /usr/local/jamf/bin   # the ps output above shows both binaries running from here, not from /usr/local/bin
mv jamfAgent ripjamfAgent
mv jamf ripjamf
RIP jamf.