Technical Information
Malicious functions:
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- wget -qO- https://icanhazip.com
- ip -o -4 route show to default
- awk {print $5}
- mkdir /home/sstp
- touch /home/sstp/sstp_account
- touch /var/lib/premium-script/data-user-sstp
- uname -r
- apt-get install -y build-essential cmake gcc linux-headers-3.16.7-ckt20 git libpcre3-dev libssl-dev liblua5.1-0-dev ppp
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- mkdir /opt/accel-ppp-code/build
- make
- dpkg -i accel-ppp.deb
- mv /etc/accel-ppp.conf.dist /etc/accel-ppp.conf
Kills the following processes:
- /usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
- /var/cache/apt/pkgcache.bin.ltVyA3
- /var/lib/dpkg/status-new
Creates folders:
- /home/sstp
Creates symlinks:
- /var/lib/dpkg/status-old
Creates or modifies files:
- /home/sstp/sstp_account
- /var/lib/premium-script/data-user-sstp
- /var/lib/dpkg/lock
- /var/cache/apt/pkgcache.bin.ltVyA3
- /var/cache/apt/archives/lock
- /var/cache/apt/archives/partial/cmake-data_3.0.2-1+deb8u1_all.deb
- /var/cache/apt/archives/partial/libarchive13_3.1.2-11+deb8u3_amd64.deb
- /var/cache/apt/archives/partial/cmake_3.0.2-1+deb8u1_amd64.deb
- /var/cache/apt/archives/partial/liblua5.1-0_5.1.5-7.1_amd64.deb
- /var/cache/apt/archives/partial/libpcap0.8_1.6.2-2_amd64.deb
- /var/cache/apt/archives/partial/autotools-dev_20140911.1_all.deb
- /var/cache/apt/archives/partial/libltdl-dev_2.4.2-1.11+b1_amd64.deb
- /var/cache/apt/archives/partial/libreadline6-dev_6.3-8+b3_amd64.deb
- /var/cache/apt/archives/partial/libreadline-dev_6.3-8+b3_amd64.deb
- /var/cache/apt/archives/partial/liblua5.1-0-dev_5.1.5-7.1_amd64.deb
- /var/cache/apt/archives/partial/libtool_2.4.2-1.11_all.deb
- /var/cache/apt/archives/partial/libtool-bin_2.4.2-1.11+b1_amd64.deb
- /var/cache/apt/archives/partial/ppp_2.4.6-3.1_amd64.deb
- /var/lib/dpkg/updates/tmp.i
- /var/lib/dpkg/triggers/Lock
- /var/log/dpkg.log
- /var/lib/dpkg/status-new
Deletes files:
- /var/cache/apt/pkgcache.bin
- /var/lib/dpkg/status-old
- /var/lib/dpkg/updates/tmp.i
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 10#.#8.6.156:0
- 10#.#8.7.156:0
- [2#####700::6812:79c]:0
- [2#####700::6812:69c]:0
- 10#.##.6.156:443
- [2#####e42:600::644]:80
- [2####4e42::644]:80
- [2#####e42:200::644]:80
- [2#####e42:400::644]:80
- 15#.##1.194.132:80
- 15#.##1.66.132:80
- 15#.##1.130.132:80
HTTP GET requests:
- ft#.##.######.#######ian/pool/main/c/cmake/cmake-data_3.0.2-1%2bdeb8u1_all.deb
- se######.######.#######l/updates/main/o/openssl/libssl-dev_1.0.1t-1%2bdeb8u6_amd64.deb
- se######.######.#######l/updates/main/o/openssl/libssl1.0.0_1.0.1t-1%2bdeb8u6_amd64.deb
- ft#.##.######.##########/pool/main/liba/libarchive/libarchive13_3.1.2-11%2bdeb8u3_amd64.deb
- ft#.##.######.#######ian/pool/main/c/curl/libcurl3_7.38.0-4%2bdeb8u5_amd64.deb
- ft#.##.######.######bian/pool/main/c/cmake/cmake_3.0.2-1%2bdeb8u1_amd64.deb
- se######.######.######ol/updates/main/c/curl/libcurl3_7.38.0-4%2bdeb8u5_amd64.deb
- ft#.##.######.######bian/pool/main/l/lua5.1/liblua5.1-0_5.1.5-7.1_amd64.deb
- ft#.##.######.#######ian/pool/main/libp/libpcap/libpcap0.8_1.6.2-2_amd64.deb
- ft#.##.######.########an/pool/main/a/autotools-dev/autotools-dev_20140911.1_all.deb
- ft#.##.######.######bian/pool/main/g/git/git-man_2.1.4-2.1%2bdeb8u2_all.deb
- ft#.##.######.######bian/pool/main/g/git/git_2.1.4-2.1%2bdeb8u2_amd64.deb
- se######.######.#####ool/updates/main/g/git/git-man_2.1.4-2.1%2bdeb8u2_all.deb
- ft#.##.######.#########n/pool/main/libt/libtool/libltdl-dev_2.4.2-1.11%2bb1_amd64.deb
- se######.######.#####ool/updates/main/g/git/git_2.1.4-2.1%2bdeb8u2_amd64.deb
- ft#.##.######.##########/pool/main/n/ncurses/libtinfo-dev_5.9%2b20140913-1%2bb1_amd64.deb
- ft#.##.######.#########n/pool/main/r/readline6/libreadline6-dev_6.3-8%2bb3_amd64.deb
- ft#.##.######.########an/pool/main/r/readline6/libreadline-dev_6.3-8%2bb3_amd64.deb
- ft#.##.######.#######ian/pool/main/l/lua5.1/liblua5.1-0-dev_5.1.5-7.1_amd64.deb
- ft#.##.######.######bian/pool/main/libt/libtool/libtool_2.4.2-1.11_all.deb
- ft#.##.######.#########n/pool/main/libt/libtool/libtool-bin_2.4.2-1.11%2bb1_amd64.deb
- ft#.##.######.####debian/pool/main/p/ppp/ppp_2.4.6-3.1_amd64.deb
- ft#.##.######.####debian/pool/main/r/rsync/rsync_3.1.1-3_amd64.deb
DNS ASK:
- ic###azip.com
- ft#.##.debian.org
- se####ty.debian.org
Sends data to the following servers:
- 10#.##.6.156:443
Receives data from the following servers:
- 10#.##.6.156:443
Other:
Collects RAM information
