Linux.Siggen.7900
Added to the Dr.Web virus database: 2024-08-08
Virus description added: 2024-08-07
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Gets access to SSH keys
- /root/.ssh/authorized_keys
Launches processes:
- sleep 1
- rm -rf /.tempo
- crontab -r
- grep -q updat3
- chattr -R -iajtdu /var/tmp/.logs/.xmr
- chattr -R -iajtdu /var/spool/cron/crontabs
- cat /var/tmp/.logs/.xmr
- pgrep -x xmrig
- /usr/bin/mawk awk {print $1}
- chattr -iajtdu /root
- rm -rf /var/tmp/.logs/.xmr
- id -u
- mkdir /root/.ssh/
- chmod 600 /root/.ssh/authorized_keys
- <0x7c>
- crontab /.tempo
- chattr +ia /root/.ssh/authorized_keys
- sha256sum /xmrig
- crontab -l
- chattr -R -iajtdu /root/.ssh
- <SAMPLE_FULL_PATH> -c exec \x27<SAMPLE_FULL_PATH>\x27 \x22$@\x22 <SAMPLE_FULL_PATH>
Performs operations with the file system:
Modifies file access rights:
- /root/.ssh/authorized_keys
- /var/spool/cron/crontabs/tmp.HxNlQX
Creates folders:
Creates or modifies files:
- /.tempo
- /var/spool/cron/crontabs/tmp.HxNlQX
Deletes files:
- /.tempo
- /var/spool/cron/crontabs/root
Changes time of creation/access/modification of files:
Other:
Collects OS information
Collects CPU information