Technical Information
Malicious functions:
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- rm -rf shot attack
- clear
- useradd -N -m -r -p 1234567890 shot
- nscd -i passwd
- nscd -i group
- mkdir /home/shot
- apt-get update -y
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
- /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.CGYRZW /tmp/apt.data.9blxbP
Kills the following processes:
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
Performs operations with the file system:
Modifies file access rights:
- /home/shot
- /home/shot/.bashrc
- /home/shot/.bash_logout
- /home/shot/.profile
- /etc/passwd+
- /etc/shadow+
- /etc/subuid+
- /etc/subgid+
Creates folders:
- /home/shot
Creates symlinks:
- /etc/passwd.lock
- /etc/group.lock
- /etc/gshadow.lock
- /etc/subuid.lock
- /etc/subgid.lock
- /etc/shadow.lock
Creates or modifies files:
- /etc/.pwd.lock
- /etc/passwd.709
- /etc/group.709
- /etc/gshadow.709
- /etc/subuid.709
- /etc/subgid.709
- /etc/shadow.709
- /var/log/faillog
- /var/log/lastlog
- /home/shot/.bashrc
- /home/shot/.bash_logout
- /home/shot/.profile
- /etc/passwd-
- /etc/passwd+
- /etc/shadow-
- /etc/shadow+
- /etc/subuid-
- /etc/subuid+
- /etc/subgid-
- /etc/subgid+
- /var/lib/apt/lists/lock
- /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /tmp/apt.sig.CGYRZW
- /tmp/apt.data.9blxbP
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
- /tmp/fileutl.message.KvRb4w
- /tmp/fileutl.message.KvRb4w (deleted)
Deletes files:
- /usr/lib/shot
- /usr/lib/attack
- /etc/passwd.709
- /etc/group.709
- /etc/gshadow.709
- /etc/subuid.709
- /etc/subgid.709
- /etc/shadow.709
- /etc/shadow.lock
- /etc/passwd.lock
- /etc/group.lock
- /etc/gshadow.lock
- /etc/subuid.lock
- /etc/subgid.lock
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /tmp/apt.sig.CGYRZW
- /tmp/apt.data.9blxbP
- /tmp/fileutl.message.KvRb4w
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 21#.##6.149.233:80
- [2#########:1:216:35ff:fe7f:6ceb]:80
- [2#######8:dc41:100::233]:80
- [2#####e42:3a::204]:80
HTTP GET requests:
- se######.#####n.org/dists/jessie/updates/InRelease
- ft#.##.######.org/debian/dists/jessie/InRelease
- ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
- se##########.##bian.org/dists/jessie/updates/InRelease
- ft#.##.######.org/debian/dists/jessie/Release.gpg
- ft#.##.######.org/debian/dists/jessie/Release
DNS ASK:
- ft#.##.debian.org
- se####ty.debian.org
- se#####y-cdn.debian.org
Other:
Collects RAM information
