Technical Information
Malicious functions:
Gains root privileges
Launches itself as a daemon
Launches processes:
- /bin/sh <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/sh <SAMPLE_FULL_PATH> -c
- wget https://indirsh.tk/sistem/duyuruen.php -q -O -
- wget https://indirsh.tk/sistem/tarih.php -q -O -
- wget https://indirsh.tk/sistem/engelli/.php -q -O -
- wget https://indirsh.tk/sistem/mesaj.php -q -O -
- wget https://indirsh.tk/Special/sinalfalink.php -q -O -
- clear
- grep CentOS
- grep ^NAME
- cat /etc/os-release
- su root -c echo -e '\033[1;32mCurl Not Found Installing...\033[0m'
- bash -c echo -e '\033[1;32mCurl Not Found Installing...\033[0m'
- apt-get -qq update
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
- /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.B9yJKu /tmp/apt.data.mkXN7i
Kills the following processes:
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
Performs operations with the file system:
Creates or modifies files:
- /var/lib/apt/lists/lock
- /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
- /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /tmp/apt.sig.B9yJKu
- /tmp/apt.data.mkXN7i
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
Deletes files:
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 18#.##6.205.130:443
- 21#.##6.149.233:80
- [2#######8:dc41:100::233]:80
- [2#########:1:216:35ff:fe7f:6ceb]:80
- [2#####e42:3a::204]:80
HTTP GET requests:
- ft#.##.######.org/debian/dists/jessie/InRelease
- se######.#####n.org/dists/jessie/updates/InRelease
- ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
- se##########.##bian.org/dists/jessie/updates/InRelease
- ft#.##.######.org/debian/dists/jessie/Release.gpg
- ft#.##.######.org/debian/dists/jessie/Release
DNS ASK:
- in##rsh.tk
- se####ty.debian.org
- ft#.##.debian.org
- se#####y-cdn.debian.org
Sends data to the following servers:
- 18#.##6.205.130:443
Receives data from the following servers:
- 18#.##6.205.130:443
Other:
Collects RAM information
