Linux.Siggen.3569

Technical Information

To ensure autorun and distribution:

Creates or modifies the following files:

/etc/init.d/proc__bioset.sh
/etc/cron.d/root
/etc/cron.d/system
/etc/cron.d/apache
/var/spool/cron/crontabs/root

Malicious functions:

Compiles a program from source codes:

gcc -Wall -fPIC -shared /usr/local/lib/pro__wlib.c -lc -ldl -o /usr/local/lib/libpro__w.so

Manages services:

systemctl daemon-reload
systemctl enable proc__sysagent

Launches processes:

/bin/bash -c chattr -i /tmp/.program__temporary-storage-p-root
chattr -i /tmp/.program__temporary-storage-p-root
/bin/bash -c chattr +i /tmp/.program__temporary-storage-p-root
chattr +i /tmp/.program__temporary-storage-p-root
/bin/bash -c /bin/bash ./.pro__rkt/pro__autorkt.sh
/bin/bash ./.pro__rkt/pro__autorkt.sh
/bin/bash -c /bin/bash ./.pro__config/pro__automig.sh
cp ./.pro__writeo0bB /usr/sbin/proc__bioset
/bin/bash ./.pro__config/pro__automig.sh
cp ./.pro__rkt/proc__bioset.sh /etc/init.d/proc__bioset.sh
cat /tmp/.program__temporary-storage-g-root
chmod +x /usr/sbin/proc__bioset
chmod +x ./.pro__config/proc__o0mig
chmod +x /etc/init.d/proc__bioset.sh
sleep 1
nohup ./.pro__config/proc__o0mig -c ./.pro__config/pro__cfg
./.pro__config/proc__o0mig -c ./.pro__config/pro__cfg
rm -rf ./.pro__rkt/proc__bioset.sh
cp ./.pro__writeo0bB /tmp/.kworker__flush
chattr -i /tmp/.program__temporary-storage-g-root
cp ./.pro__writeo0bB /var/tmp/.kworker__flush
chattr -i /tmp/.xfs__scsi__f2
cp ./.pro__writeo0bB /dev/shm/.kworker__flush
chattr +i /tmp/.program__temporary-storage-g-root
chattr +i /tmp/.xfs__scsi__f2
cp /bin/bash /tmp/.kworker__watchdogd
renice -1 -p 722
cp /bin/bash /var/tmp/.kworker__watchdogd
rm -rf ./.pro__config
cp /bin/bash /dev/shm/.kworker__watchdogd
/bin/bash -c /bin/bash ./.pro__lk/pro__autolk.sh
rm -rf ./.pro__writeo0bB
/bin/bash ./.pro__lk/pro__autolk.sh
chmod +x /tmp/.kworker__flush
chmod +x /var/tmp/.kworker__flush
tee ./.program__daemonload
chmod +x /dev/shm/.kworker__flush
tee ./.program__kill30
cp ./.pro__rkt/pro__wlib.c /usr/local/lib/pro__wlib.c
cat /tmp/.program__temporary-storage-d-root
rm -rf ./.pro__rkt/pro__wlib.c
find ./.kworker__watchdogd
wc -l
find /tmp/.kworker__watchdogd
/tmp/.kworker__watchdogd ./.program__daemonload
chattr -i /tmp/.program__temporary-storage-d-root
chattr +i /tmp/.program__temporary-storage-d-root
sleep 2
cat /tmp/.program__temporary-storage-l-root
/tmp/.kworker__watchdogd ./.program__kill30
chattr -i /tmp/.program__temporary-storage-l-root
chattr +i /tmp/.program__temporary-storage-l-root
rm -rf ./.pro__lk
rm ./.program__daemonload
sleep 10
/bin/bash -c /bin/bash ./.pro__scan/pro__autoscan.sh
rm ./.program__kill30
sleep 5
/bin/bash ./.pro__scan/pro__autoscan.sh
touch /tmp/.program__temporary-storage-r-root
nohup python ./.pro__scan/proc__scanr.py
python ./.pro__scan/proc__scanr.py
rm -rf ./.pro__scan
ps aux
grep -v proc__
awk {if(>30.0) print }
cat /tmp/.program__temporary-storage-p-root
touch /etc/ld.so.preload
rm -rf /usr/local/lib/pro__wlib.c
touch -acmr /bin/sh /etc/cron.d/system
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/root
cat
mkdir -p /var/spool/cron/crontabs
touch -acmr /bin/sh /etc/cron.d/apache
touch -acmr /bin/sh /var/spool/cron/crontabs/root
rm -rf ./.pro__rkt
rm -rf ./.program__kill30

Kills the following processes:

/root/.pro__config/proc__o0mig
/bin/bash
/tmp/.kworker__watchdogd
<SAMPLE>

Performs operations with the file system:

Modifies file access rights:

/root/.pro__config/proc__o0mig
/etc/init.d/proc__bioset.sh
/usr/local/lib/libpro__w.so

Creates folders:

/root/.pro__config
/root/.pro__rkt
/root/.pro__lk
/root/.pro__scan

Creates or modifies files:

/tmp/.program__temporary-storage-p-root
/root/.pro__config/pro__automig.sh
/root/.pro__rkt/pro__autorkt.sh
/root/.pro__config/pro__cfg
/root/.pro__rkt/pro__wlib.c
/root/.pro__rkt/proc__bioset.sh
/root/.pro__config/proc__o0mig
/tmp/.program__temporary-storage-g-root
/tmp/.xfs__scsi__f2
/tmp/.kworker__watchdogd
/var/tmp/.kworker__watchdogd
/root/.pro__lk/pro__autolk.sh
/dev/shm/.kworker__watchdogd
/root/.program__daemonload
/root/.program__kill30
/usr/local/lib/pro__wlib.c
/tmp/ccxsbdNo.s
/tmp/.program__temporary-storage-d-root
/tmp/.program__temporary-storage-l-root
/root/.pro__scan/pro__autoscan.sh
/root/.pro__scan/proc__scanr.py
/tmp/.program__temporary-storage-r-root
/tmp/ccDLYSK9.o
/tmp/cczHO9TW.res
/tmp/ccXQ9L5O.c
/tmp/ccKYk0GC.o
/tmp/ccO0SLiq.ld
/tmp/cc0QT0Ud.le
/usr/local/lib/libpro__w.so
/etc/ld.so.preload
/tmp/sh-thd-194211465
/etc/systemd/system/proc__sysagent.service
/var/spool/cron/root
/tmp/tmpfBepvqJ
/tmp/tmpfBepvqJ (deleted)
/tmp/tmpfDH3UrC
/tmp/tmpfDH3UrC (deleted)
/var/spool/cron/.pro__lk/pro__autolk.sh
/var/spool/cron/.program__daemonload
/var/spool/cron/.program__kill30
/tmp/tmpf7Sargk
/tmp/tmpf7Sargk (deleted)
/tmp/tmpfoT1jaf
/tmp/tmpfoT1jaf (deleted)

Deletes files:

/root/.pro__rkt/proc__bioset.sh
/root/proc__o0mig
/root/pro__cfg
/root/pro__automig.sh
/root/.pro__writeo0bB
/root/.pro__rkt/pro__wlib.c
/root/pro__autolk.sh
/root/.program__daemonload
/root/.program__kill30
/root/pro__autoscan.sh
/root/proc__scanr.py
/tmp/ccO0SLiq.ld
/tmp/cc0QT0Ud.le
/tmp/ccXQ9L5O.c
/tmp/ccKYk0GC.o
/tmp/cczHO9TW.res
/tmp/ccDLYSK9.o
/tmp/ccxsbdNo.s
/usr/local/lib/pro__wlib.c
/tmp/sh-thd-194211465
/tmp/tmpfBepvqJ
/var/spool/cron/pro__autorkt.sh
/tmp/tmpfDH3UrC
/tmp/tmpf7Sargk
/tmp/tmpfoT1jaf

Other:

Collects CPU information

Collects RAM information

Collects information about network activity

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению