Technical Information
Malicious functions:
Performs process tracing:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- cat /dev/urandom
- tr -cd a-f0-9
- head -c 32
- touch /dev/shm/14509c5a53d266b3c4c6967a1197df43
- chmod +x /dev/shm/14509c5a53d266b3c4c6967a1197df43
- rm -rf /dev/shm/14509c5a53d266b3c4c6967a1197df43
- whoami
- head -n1
- wget --dns-timeout 10 --user-agent=wget --connect-timeout 20 --read-timeout 30 -qO- http://ipinfo.io/ip
Kills the following processes:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Performs operations with the file system:
Modifies file access rights:
- /dev/shm/14509c5a53d266b3c4c6967a1197df43
Creates or modifies files:
- /dev/shm/14509c5a53d266b3c4c6967a1197df43
Deletes files:
- /dev/shm/14509c5a53d266b3c4c6967a1197df43
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 21#.#39.36.21:0
- 21#.#39.34.21:0
- 21#.#39.32.21:0
- 21#.#39.38.21:0
HTTP GET requests:
- ip###o.io/ip
DNS ASK:
- ip##fo.io
Other:
Collects RAM information