Technical Information
Malicious functions:
Performs process tracing:
- <SAMPLE>
Launches processes:
- chmod +x <SAMPLE> run.sh stdout.log stub.sh
- <SAMPLE_FULL_PATH> -c exec \x27<SAMPLE_FULL_PATH>\x27 \x22$@\x22 <SAMPLE_FULL_PATH>
- cat pass.temp
- sort -u usr
- rm -rf pass.temp
- cut -d: -f1
- sed -i /\x5cb\x5c(127.0\x5c)\x5cb/d rang
- cut -d . -f 1,2
- grep -oP (?<=inet\x5cs)\x5cd+(.\x5cd+){3}
- rm -rf ranges usere
- rm -rf ips scan22.log
- sort -u rang
- grep bash
- rm -rf pass
- sort -u ips
- sed -i /172.17.0.1/d ip
- <0x65>
- sed -i /\x5cb\x5c(169.254\x5c)\x5cb/d rang
- sed -i /192.168.219.50/d ip
- /usr/bin/mawk awk {print $1}
- uniq
- cat scan22.log
- rm -rf rang
- sort
- sed -i /127.0.0.1/d ip
- rm -rf usr
- ip addr
- cat /etc/passwd
- mv filterpass pass
Kills the following processes:
- <SAMPLE>
Performs operations with the file system:
Modifies file access rights:
- <SAMPLE_FULL_PATH>
- /root/run.sh
- /root/stub.sh
Modifies file owner:
- /root/sedry4h1B
- /root/sedqLDayS
- /root/sedSW7vhY
- /root/sedSa3Bn1
- /root/sedZlt6G6
Creates or modifies files:
- /root/rang
- /root/sedry4h1B
- /root/sedqLDayS
- /root/ranges
- /root/ips
- /root/ip
- /root/sedSW7vhY
- /root/sedSa3Bn1
- /root/sedZlt6G6
- /root/usr
- /root/usere
- /root/pass.temp
- /root/filterpass
Deletes files:
- /root/rang
- /root/ips
- /root/usr
- /root/pass.temp
- /root/ranges
- /root/usere
