Technical Information
Malicious functions:
Removes itself
Substitutes application name for:
- [kworker/u0:6]
- [kworker/u1:1]
Manages services:
- ['systemctl', 'daemon-reload']
- ['systemctl', 'enable', 'bot.service']
- ['systemctl', 'start', 'bot.service']
Launches processes:
- chmod 700 /tmp/apt-key-gpghome.rXYSV7gA16
- rm -f /tmp/apt-key-gpghome.TeetV0fO7v/pubring.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
- apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
- touch /tmp/apt-key-gpghome.rXYSV7gA16/pubring.gpg
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
- mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
- /usr/lib/apt/methods/store
- rm -f /tmp/apt-key-gpghome.rXYSV7gA16/pubring.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
- /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.KbrnFs /tmp/apt.data.FUOaKv
- apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
- cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
- gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
- readlink -f /etc/apt/trusted.gpg.d/
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
- apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
- touch /tmp/apt-key-gpghome.TeetV0fO7v/pubring.gpg
- /usr/lib/apt/methods/https
- apt-config shell GPGV Apt::Key::gpgvcommand
- readlink -f /tmp/apt-key-gpghome.rXYSV7gA16
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
- gpg-connect-agent -s --no-autostart GETINFO scd_running /if ${! $?} scd killscd /end
- chmod 700 /tmp/apt-key-gpghome.TeetV0fO7v
- apt-get update
- apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
- readlink -f /tmp/apt-key-gpghome.TeetV0fO7v
- apt-get --fix-broken install
- sudo apt-get --fix-broken install
- /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.MtCZFt /tmp/apt.data.UxbFut
- cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
- gpgv --homedir /tmp/apt-key-gpghome.rXYSV7gA16 --keyring /tmp/apt-key-gpghome.rXYSV7gA16/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.MtCZFt /tmp/apt.data.UxbFut
- find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 ( -name *.gpg -o -name *.asc )
- /usr/bin/dpkg --print-foreign-architectures
- rm -rf /tmp/apt-key-gpghome.rXYSV7gA16
- sort
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
- apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
- cat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
- cp -a /tmp/apt-key-gpghome.rXYSV7gA16/pubring.gpg /tmp/apt-key-gpghome.rXYSV7gA16/pubring.orig.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
- apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
- sed -e s#\x27#\x27\x22\x27\x22\x27#g
- gpgconf --kill all
- apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
- gpg-connect-agent --no-autostart KILLAGENT
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
- sudo apt-get update
Kills the following processes:
- rcu_tasks_trace
- ata_sff
- scsi_eh_0
- scsi_tmf_0
- scsi_eh_1
- scsi_tmf_1
- ksoftirqd/0
- rcu_sched
- migration/0
- jbd2/sda1-8
- ext4-rsv-conver
- cpuhp/0
- kdevtmpfs
- netns
- kauditd
- kthreadd
- khungtaskd
- oom_reaper
- writeback
- kcompactd0
- ksmd
- khugepaged
- ttm_swap
- rcu_gp
- kworker/u2:4
- rcu_par_gp
- kintegrityd
- kblockd
- blkcg_punt_bio
- edac-poller
- devfreq_wq
- kworker/0:1H
- kworker/0:0
- kworker/0:2
- kswapd0
- kthrotld
- acpi_thermal_pm
- ipv6_addrconf
- kworker/u2:1
- kworker/0:1
- kworker/0:0H
- kworker/u2:2
- kstrp
- zswap-shrink
- kworker/u3:0
- kworker/u2:0
- 9bc2fd2a
- mm_percpu_wq
- rcu_tasks_rude_
- <SAMPLE>
- http
- gpgv
- store
Performs operations with the file system:
Modifies file access rights:
- /var/cache/apt/archives/partial
- /var/lib/apt/lists/auxfiles
- /var/lib/apt/lists/partial
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /tmp/apt-key-gpghome.rXYSV7gA16
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.pgjna1
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.22Qe91
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.w5wqN0
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en
- /tmp/apt-key-gpghome.TeetV0fO7v
Modifies file owner:
- /var/cache/apt/archives/partial
- /var/lib/apt/lists/auxfiles
- /var/lib/apt/lists/partial
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en
Creates folders:
- /tmp/apt-key-gpghome.rXYSV7gA16
- /tmp/apt-key-gpghome.TeetV0fO7v
Deletes folders:
- /tmp/apt-key-gpghome.rXYSV7gA16
Creates or modifies files:
- /etc/systemd/system/bot.service
- /tmp/bot-start.sh
- /tmp/#130829 (deleted)
- /var/lib/dpkg/lock-frontend
- /var/lib/dpkg/lock
- /var/cache/apt/archives/lock
- /var/lib/apt/lists/lock
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.KW54JN
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.RYRrnP
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.SdmX0P
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.omsY7P
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
- /tmp/apt.conf.xYxsuv
- /tmp/apt.sig.MtCZFt
- /tmp/apt.data.UxbFut
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /tmp/apt-key-gpghome.rXYSV7gA16/pubring.gpg
- /tmp/apt-key-gpghome.rXYSV7gA16/pubring.orig.gpg
- /tmp/apt-key-gpghome.rXYSV7gA16/gpg.1.sh
- /tmp/apt.conf.3uQxvt
- /tmp/apt.sig.KbrnFs
- /tmp/apt.data.FUOaKv
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.pgjna1
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.22Qe91
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.w5wqN0
- /tmp/apt-key-gpghome.TeetV0fO7v/pubring.gpg
Deletes files:
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.KW54JN
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.RYRrnP
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.SdmX0P
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.omsY7P
- /tmp/apt-key-gpghome.rXYSV7gA16/pubring.orig.gpg
- /tmp/apt-key-gpghome.rXYSV7gA16/pubring.gpg
- /tmp/apt-key-gpghome.rXYSV7gA16/gpg.1.sh
- /tmp/apt.conf.xYxsuv
- /tmp/apt.sig.MtCZFt
- /tmp/apt.data.UxbFut
Changes time of creation/access/modification of files:
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /tmp/apt-key-gpghome.rXYSV7gA16/pubring.gpg
- /tmp/apt-key-gpghome.rXYSV7gA16/pubring.orig.gpg
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en
- /tmp/apt-key-gpghome.TeetV0fO7v/pubring.gpg
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:9999
Establishes connection:
- 45.##.28.202:5111
- 8.#.8.8:53
- 14#.##.118.132:80
- [2#####e42:8d::644]:80
- [2##########490:a800:3:db06:4200:93a1]:443
- (e##val)
- [2##########490:600:3:db06:4200:93a1]:443
- [2##########490:d200:3:db06:4200:93a1]:443
- [2##########490:4c00:3:db06:4200:93a1]:443
- [2##########490:5a00:3:db06:4200:93a1]:443
- [2##########490:7400:3:db06:4200:93a1]:443
- [2##########490:1600:3:db06:4200:93a1]:443
- [2##########490:ae00:3:db06:4200:93a1]:443
- 10#.##8.7.18:443
- 10#.##8.7.33:443
- 10#.##8.7.88:443
- 10#.##8.7.48:443
DNS ASK:
- _h###.###p.security.debian.org
- _h####.##cp.download.docker.com
- _h###.##cp.deb.debian.org
- de####.#ap.fastlydns.net
- do####ad.docker.com
Sends data to the following servers:
- 14#.##.118.132:80
- 10#.##8.7.18:443
Receives data from the following servers:
- 14#.##.118.132:80
- 10#.##8.7.18:443
