Linux.Siggen.4161
Added to the Dr.Web virus database:
2021-08-12
Virus description added:
2021-08-12
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
/etc/cron.d/phps
/var/spool/cron/crontabs/root
/etc/profile.d/php.sh
/etc/crontab
/etc/cron.d/phpx
Malicious functions:
Performs process tracing:
<SAMPLE>
<SAMPLE_FULL_PATH>
Modifies firewall settings:
/etc/init.d/iptables stop
Manages services:
service iptables stop
systemctl stop iptables.service
systemctl restart pwnriglhttps.service
systemctl enable pwnriglhttps.service
Launches processes:
/bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' "$@" <SAMPLE_FULL_PATH>
<SAMPLE_FULL_PATH>
/bin/bash <SAMPLE_FULL_PATH> -c
chmod 777 <SAMPLE> run.sh stdout.log
mv x sh
chattr -i /root/sh
chattr -i /root/mysql
chattr -i /etc/.sh
chattr -i /bin/shh
chattr -i /sbin/https
chattr -i /etc/spts
chattr -i /usr/bin/.funzip
chattr -i /etc/sphp
cp -f -- /root/libprocesshider.so /usr/local
mv /root/libprocesshider.so /usr/local/lib
chattr -ai /etc/ld.so.preload
chmod 777 /usr/local/lib/libprocesshider.so
cp -f -- /root/sh /sbin/https
chmod +x /sbin/httpss
chmod +x /etc/cron.d/phps
crontab -r
cp -f -- sh .sh
./.sh -c
rm -rf .sh
chmod +x -- mysql
./mysql
sort -
crontab -
uniq -
cp -f -- /root/sh /bin/shh
chmod 777 /etc/profile.d/php.sh
cp -f -- /root/sh /etc/.sh
cp -f -- /root/sphp /etc/sphp
chmod 777 /etc/cron.d/phpx
chmod 777 /etc/sphp
./sphp
cp -f -- /root/sh /usr/bin/.funzip
mv /root/pwnriglhttps.service /usr/lib/systemd/system
chmod 777 /usr/lib/systemd/system/pwnriglhttps.service
cp -f -- /root/sh /etc/spts
chmod +x /etc/spts
chmod 777 acpi adduser.conf adjtime aliases alternatives apache2 apt at.deny bash.bashrc bash_completion bash_completion.d bindresvport.blacklist binfmt.d ca-certificates ca-certificates.conf calendar console-setup cowpoke.conf cron.d cron.daily cron.hourly cron.monthly crontab cron.weekly dbus-1 debconf.conf debian_version default deluser.conf devscripts.conf dhcp dictionaries-common discover.conf.d discover-modprobe.conf dpkg dput.cf drirc emacs email-addresses environment exim4 fonts fstab gai.conf ghostscript groff group group- grub.d gshadow gshadow- gss gtk-2.0 host.conf hostname hosts hosts.allow hosts.deny idmapd.conf init init.d initramfs-tools inputrc insserv insserv.conf insserv.conf.d iproute2 iscsi issue issue.net kbd kernel
python setup.py install
apt install supervisor -y
/usr/bin/dpkg --print-foreign-architectures
/usr/lib/apt/methods/http
Kills the following processes:
<SAMPLE>
<SAMPLE_FULL_PATH>
/usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
Creates or modifies files:
/etc/profile
/proc/sys/fs/file-max
/etc/sysctl.conf
/etc/resolv.conf
/etc/ld.so.preload
/sbin/httpss
/var/spool/cron/mysql
/root/mysql
/var/spool/cron/crontabs/tmp.NHgJT5
/var/lib/dpkg/lock
/var/cache/apt/pkgcache.bin.9fnzVy
/var/cache/apt/archives/lock
Deletes files:
/var/spool/cron/.sh
/root/.sh
/var/cache/apt/pkgcache.bin
Network activity:
Establishes connection:
<LOCAL_DNS_SERVER>
85.###.112.112:80
DNS ASK:
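The indicators above translate directly into a host triage script. The following is an added example, not Dr.Web's code: it checks a live host (or an offline mount passed as `root`) for the dropped copies, the cron/profile.d/systemd persistence files and the `/etc/ld.so.preload` entry the description lists, and it also looks for processes hidden the way `libprocesshider.so` hides them, by comparing a `readdir()`-based listing of `/proc` with a `stat()` probe of every PID. Only the path names come from the description; the function names, the cron regex and the constructed demo tree (`make_demo_root`) are assumptions of this example.

```python
"""Host triage for the Linux.Siggen.4161 artifacts listed above.

Added example; not Dr.Web's code. Only the path names come from the
description; function names, the regex and the demo fixture are assumptions.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Set

# Paths the description lists as created, copied to, or chmod'ed by the sample.
DROPPED_PATHS = [
    "/etc/cron.d/phps", "/etc/cron.d/phpx", "/etc/profile.d/php.sh",
    "/usr/lib/systemd/system/pwnriglhttps.service",
    "/usr/local/lib/libprocesshider.so", "/usr/local/libprocesshider.so",
    "/root/libprocesshider.so", "/root/sh", "/root/mysql", "/root/sphp",
    "/etc/.sh", "/bin/shh", "/sbin/https", "/sbin/httpss", "/etc/spts",
    "/etc/sphp", "/usr/bin/.funzip", "/var/spool/cron/mysql",
]
# Cron files the sample rewrites (crontab -r, crontab -, /etc/crontab).
CRON_FILES = ["/etc/crontab", "/var/spool/cron/crontabs/root", "/var/spool/cron/mysql"]
# Assumed marker: any cron line that invokes one of the dropped copies.
CRON_MARKER = re.compile(r"/etc/spts|/etc/sphp|/etc/\.sh|/bin/shh|/sbin/https|\.funzip|php\.sh|/root/sh\b")


def _p(root: str, path: str) -> str:
    """Map an absolute path onto the inspected root (/ or an offline mount)."""
    return os.path.join(root, path.lstrip("/"))


def check_dropped_files(root: str = "/") -> List[str]:
    """Listed drop paths that exist under root, in DROPPED_PATHS order."""
    return [p for p in DROPPED_PATHS if os.path.lexists(_p(root, p))]


def check_ld_preload(root: str = "/") -> List[str]:
    """Non-comment entries of /etc/ld.so.preload. The file is normally absent
    or empty, so any entry deserves a look; libprocesshider.so is this sample."""
    path = _p(root, "/etc/ld.so.preload")
    if not os.path.isfile(path):
        return []
    with open(path, errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]


def check_cron(root: str = "/") -> Dict[str, List[str]]:
    """Cron lines that launch one of the dropped copies, keyed by cron file."""
    hits: Dict[str, List[str]] = {}
    for cf in CRON_FILES:
        path = _p(root, cf)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            bad = [ln.rstrip("\n") for ln in fh if CRON_MARKER.search(ln)]
        if bad:
            hits[cf] = bad
    return hits


def hidden_pids(proc_root: str = "/proc", max_pid: Optional[int] = None) -> Set[int]:
    """PIDs present under /proc that a directory listing does not show.

    libprocesshider.so hooks readdir() through ld.so.preload so ps/top (and
    os.listdir here) never see the miner's /proc entry. stat() is not hooked,
    so probing /proc/<pid> directly still finds it. A PID that stat() confirms
    but readdir() omits twice is hidden rather than a process that exited or
    started between the scans.
    """
    if max_pid is None:
        try:
            with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
                max_pid = int(fh.read().strip())
        except OSError:
            max_pid = 32768  # common default when pid_max is unavailable
    listed = {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    probed = {pid for pid in range(1, max_pid + 1) if os.path.isdir(os.path.join(proc_root, str(pid)))}
    suspect = probed - listed
    relisted = {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    return {pid for pid in suspect
            if pid not in relisted and os.path.isdir(os.path.join(proc_root, str(pid)))}


def triage(root: str = "/", proc_root: Optional[str] = None) -> Dict[str, object]:
    """Run every check and collect the findings in one report."""
    return {
        "dropped_files": check_dropped_files(root),
        "ld_preload": check_ld_preload(root),
        "cron": check_cron(root),
        "hidden_pids": hidden_pids(proc_root or _p(root, "/proc")),
    }


def make_demo_root() -> str:
    """Throwaway tree with constructed look-alike artifacts (sample input for
    this example only; the .so is an empty stand-in, not the real library)."""
    root = tempfile.mkdtemp(prefix="siggen4161_")
    files = {
        "/etc/cron.d/phps": "* * * * * root /etc/sphp >/dev/null 2>&1\n",
        "/usr/local/lib/libprocesshider.so": "",
        "/etc/spts": "#!/bin/sh\n",
        "/etc/ld.so.preload": "/usr/local/lib/libprocesshider.so\n",
        "/var/spool/cron/crontabs/root": "# constructed\n* * * * * /etc/spts >/dev/null 2>&1\n",
        "/proc/1/status": "", "/proc/2/status": "", "/proc/self/status": "",
    }
    for path, body in files.items():
        full = _p(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for key, val in triage(target).items():
        print(f"{key}: {val if val else 'clean'}")
```

Run it as root on the suspect host (`python3 triage.py`) or against a mounted image (`python3 triage.py /mnt/evidence`); the `hidden_pids` check is only meaningful on the live system. Because the sample sets the immutable attribute on its copies (`chattr -i` before each overwrite), a positive `dropped_files` finding should be followed by `lsattr` on those paths, and the `ld.so.preload` entry must be removed before the hidden-process check can be trusted from a dynamically linked tool.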
Curing recommendations
Linux