Linux.Siggen.3417

Linux.Siggen.3417

Added to the Dr.Web virus database: 2020-11-21

Virus description added: 2020-11-21

Malicious functions:

Performs process tracing:

Launches processes:

/bin/sh <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
<SAMPLE_FULL_PATH>
/bin/sh <SAMPLE_FULL_PATH> -c
mkdir .sftp
chmod 777 .sh
chmod 777 .php
chmod 777 .sphp
chattr -a /etc/.bashpid
nohup ./.sphp
./.sphp
./.php
./.sh
sleep 6
cat /etc/.bashpid
sleep 1
chattr +a /etc/.bashpid
pkill -f joseph
pkill -f osama
pkill -f xm64
pkill -f obama1
pkill -f kswapd0
pkill -f jehgms
pkill -f tsm
pkill -f rig
pkill -f xmr
pkill -f playstation
pkill -f ld-linux-x86-64
pkill -f ruckusapd
pkill -f run64
pkill -f pwnrig
pkill -f phpupdate
pkill -f sysupdate
pkill -f phpguard
pkill -f firstpress
pkill -f zerocert
pkill -f masscan
pkill -f -bash
pkill -f spreadQlmnop
pkill -f cnrig
pkill -f crond
rm -rf /tmp/.bash/
rm -rf /root/.bash/
rm -rf /root/.cache/
rm -rf /tmp/.cache/
rm -rf /dev/shm/.ssh/
rm -rf /etc/.etcservice/linuxservice
rm -rf /etc/.vhost/netvhost
rm -rf /tmp/up.txt
pkill -f netvhost
pkill -f kthreadds
pkill -f kdevtmpfsi
pkill -f linuxservice
pkill -f rtmonitor
pkill -f dev
pkill -f xmrig

Attempts to kill the following processes:

Kills the following processes:

Performs operations with the file system:

Modifies file access rights:

Creates folders:

Creates or modifies files:

Deletes files:

Other:

Collects CPU information

Collects RAM information