Linux.Siggen.3766
Added to the Dr.Web virus database:
2021-03-15
Virus description added:
2021-03-14
Technical Information
Malicious functions:
Launches itself as a daemon
Modifies firewall settings:
Manages services:
- service iptables stop
- systemctl stop iptables.service
Launches processes:
- <SAMPLE_FULL_PATH>
- bash -c
- id -u
- chattr -i /etc/ld.so.preload
- sysctl kernel.nmi_watchdog=0
- nproc --all
- sysctl -w vm.nr_hugepages=1
- chattr -R -ia /var/spool/cron
- chattr -ia /etc/crontab
- chattr -R -ia /var/spool/cron/crontabs
- chattr -R -ia /etc/cron.d
- chattr -iua /tmp/
- chattr -iua /var/tmp/
- grep -v grep
- ps aux
- xargs -I % kill -9 %
- egrep
- awk {print $2}
- grep -E
- kill -9 706
- ps auxf
- egrep xiaoyao|xiaoxue|mine.moneropool.com|pool.t00ls.ru|xmr.crypto-pool.fr|zhuabcn@yahoo.com|monerohash.com|/tmp/a7b104c270|xmrpool.eu|stratum.f2pool.com:8888
- grep -E xiaoyao|xiaoxue|mine.moneropool.com|pool.t00ls.ru|xmr.crypto-pool.fr|zhuabcn@yahoo.com|monerohash.com|/tmp/a7b104c270|xmrpool.eu|stratum.f2pool.com:8888
- egrep wget|curl
- egrep 2mr.sh|cr5.sh|luk-cpu|ficov|he.sh|nullcrew
- grep -E 2mr.sh|cr5.sh|luk-cpu|ficov|he.sh|nullcrew
- grep -E wget|curl
Attempts to kill the following processes:
Kills the following processes:
Performs operations with the file system:
Creates or modifies files:
- /proc/sys/kernel/nmi_watchdog
- /etc/sysctl.conf
- /etc/selinux/config
- /proc/sys/vm/nr_hugepages
Network activity:
Awaits incoming connections on ports:
Establishes connection:
- 127.0.0.1:9
- [:#1]:9
- [:##]:52016
- 127.0.0.1:52016
Other:
Collects CPU information
Collects RAM information
Collects information about network activity
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
このウェブサイトを継続して訪問する場合、訪問者に関する統計データを収集するためのCookieファイルおよび他のテクノロジーを弊社が利用することに同意したものとします。詳細