Technical Information
Malicious functions:
Modifies firewall settings:
- iptables -P INPUT DROP
- iptables -t filter -N LOG_N_ACCEPT
- iptables -t filter -A LOG_N_ACCEPT -j LOG --log-level warning --log-prefix ACTION=INPUT-ACCEPT
- iptables -t filter -A LOG_N_ACCEPT -j ACCEPT
- iptables -A INPUT -i eno1 -j LOG_N_ACCEPT
- iptables -A INPUT -m conntrack --ctstate RELATE
- iptables -A INPUT -p tcp -m tcp --dport 22 -j LOG_N_ACCEPT
- iptables -A INPUT -p tcp -m tcp --dport http -j LOG_N_ACCEPT
- iptables -A INPUT -p tcp -m tcp --dport https -j LOG_N_ACCEPT
- iptables -P FORWARD DROP
- iptables -A INPUT -j LOG
- iptables -A INPUT -s 192.168.10.0/24 -j LOG
- iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4
- iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix ** SUSPECT **
- iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
- iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
- iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags FI
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags SY
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags AC
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FI
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SY
- iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
- iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
- iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
- iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
- iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
- iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
- iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
- iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
- iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
- iptables -t mangle -A PREROUTING -p icmp -j DROP
- iptables -t mangle -A PREROUTING -f -j DROP
- iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
- iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j LOG_N_ACCEPT
- iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
- iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j LOG_N_ACCEPT
- iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
- iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
- iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
- iptables -N port-scanning
- iptables -A port-scanning -p tcp --tcp-flags SY
- iptables -A port-scanning -j DROP
- iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG_N_ACCEPT
- iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
- iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j LOG_N_ACCEPT
- iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j LOG_N_ACCEPT
- iptables -I OUTPUT -m state -p tcp --state NEW ! -s 127.0.0.1 ! -d 127.0.0.1 -j LOG --log-prefix ACTION=OUTPUT-TCP
- iptables -I OUTPUT -m state -p udp -s 127.0.0.1 ! -d 127.0.0.1 -j LOG --log-prefix ACTION=OUTPUT-UDP
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- apt install dnsutils
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- apt-get install net-tools
- apt-get install tcpdump
- apt-get install dsniff -y
Kills the following processes:
- /usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
- /var/cache/apt/pkgcache.bin.qm3h0o
Creates or modifies files:
- /var/lib/dpkg/lock
- /var/cache/apt/pkgcache.bin.qm3h0o
- /var/cache/apt/archives/lock
Deletes files:
- /var/cache/apt/pkgcache.bin
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
DNS ASK:
- ft#.##.debian.org
Other:
Collects RAM information
