Technical Information
Malicious functions:
Manages services:
- ['systemctl', 'daemon-reload']
- ['systemctl', 'enable', 'supdate.service']
- ['systemctl', 'start', 'supdate.service']
Launches processes:
- gpgv --homedir /tmp/apt-key-gpghome.h8hPrHhBig --keyring /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.muL5hs /tmp/apt.data.o4Cejs
- /bin/sh -c yum update -y && yum install epel-release -y && yum install screen hping3 -y
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
- /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.muL5hs /tmp/apt.data.o4Cejs
- readlink -f /etc/apt/trusted.gpg.d/
- crontab -l
- apt-config shell GPGV Apt::Key::gpgvcommand
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
- apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
- cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
- gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
- /usr/bin/dpkg --print-foreign-architectures
- apt update
- whoami
- apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
- readlink -f /tmp/apt-key-gpghome.h8hPrHhBig
- cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
- touch /tmp/installed
- sort
- /bin/sh -c apt update && apt install screen hping3 -y
- mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
- find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 ( -name *.gpg -o -name *.asc )
- gpg-connect-agent -s --no-autostart GETINFO scd_running /if ${! $?} scd killscd /end
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
- apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
- cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
- chmod 700 /tmp/apt-key-gpghome.h8hPrHhBig
- apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
- ps aux
- gpg-connect-agent --no-autostart KILLAGENT
- rm -rf /tmp/apt-key-gpghome.h8hPrHhBig
- touch /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
- cp -a /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg /tmp/apt-key-gpghome.h8hPrHhBig/pubring.orig.gpg
- sed -e s#\x27#\x27\x22\x27\x22\x27#g
- cat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
- gpgconf --kill all
- /usr/lib/apt/methods/https
- rm -f /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
- ls /tmp/installed
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
- apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
- /bin/sh -c ls /tmp/installed
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
- /bin/sh -c touch /tmp/installed
- cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
- /usr/lib/apt/methods/gpgv
- cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
- /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.ckJDAK /tmp/apt.data.Zygt8M
- apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
- cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
- /usr/lib/apt/methods/http
- apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
Kills the following processes:
- http
- gpgv
Performs operations with the file system:
Modifies file access rights:
- /var/lib/apt/lists/partial
- /var/lib/apt/lists/auxfiles
- /var/lib/apt/lists/deb.debian.org_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /tmp/apt-key-gpghome.h8hPrHhBig
Modifies file owner:
- /var/lib/apt/lists/partial
- /var/lib/apt/lists/auxfiles
- /var/lib/apt/lists/deb.debian.org_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
Creates folders:
- /tmp/apt-key-gpghome.h8hPrHhBig
Deletes folders:
- /tmp/apt-key-gpghome.h8hPrHhBig
Creates or modifies files:
- /tmp/#130834 (deleted)
- /var/lib/apt/lists/lock
- /tmp/installed
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.VRA0ZE
- /root/.bashrc
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.gEdyUC
- /etc/systemd/system/supdate.service
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.cnmwmH
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.mFqHJD
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /tmp/apt.conf.pAMADq
- /tmp/apt.sig.muL5hs
- /tmp/apt.data.o4Cejs
- /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
- /tmp/apt-key-gpghome.h8hPrHhBig/pubring.orig.gpg
- /tmp/apt-key-gpghome.h8hPrHhBig/gpg.1.sh
- /tmp/#130829 (deleted)
- /tmp/apt.conf.jYB6dN
- /tmp/apt.sig.ckJDAK
- /tmp/apt.data.Zygt8M
Deletes files:
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.VRA0ZE
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.gEdyUC
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.cnmwmH
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.mFqHJD
- /tmp/apt-key-gpghome.h8hPrHhBig/pubring.orig.gpg
- /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
- /tmp/apt-key-gpghome.h8hPrHhBig/gpg.1.sh
- /tmp/apt.conf.pAMADq
- /tmp/apt.sig.muL5hs
- /tmp/apt.data.o4Cejs
Changes time of creation/access/modification of files:
- /tmp/installed
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
- /tmp/apt-key-gpghome.h8hPrHhBig/pubring.orig.gpg
Network activity:
Establishes connection:
- 84.##.51.78:80
- 18#.##4.99.34:4444
- 8.#.8.8:53
- 15#.##1.246.132:80
- [2#####e42:3a::644]:80
- 10#.##6.22.21:443
- (e##val)
- 10#.##6.22.86:443
- 10#.##6.22.116:443
- 10#.##6.22.127:443
- [2##########368:aa00:3:db06:4200:93a1]:443
- [2##########368:4200:3:db06:4200:93a1]:443
- [2##########368:6800:3:db06:4200:93a1]:443
- [2##########368:c200:3:db06:4200:93a1]:443
- [2##########368:d200:3:db06:4200:93a1]:443
- [2##########368:ea00:3:db06:4200:93a1]:443
- [2##########368:3000:3:db06:4200:93a1]:443
- [2##########368:ec00:3:db06:4200:93a1]:443
DNS ASK:
- _h####.##cp.download.docker.com
- _h###.###p.security.debian.org
- do####ad.docker.com
- de####.#ap.fastlydns.net
- _h###.##cp.deb.debian.org
Sends data to the following servers:
- 84.##.51.78:80
- 18#.##4.99.34:4444
- 15#.##1.246.132:80
- 10#.##6.22.21:443
Receives data from the following servers:
- 84.##.51.78:80
- 18#.##4.99.34:4444
- 15#.##1.246.132:80
- 10#.##6.22.21:443
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity
