Technical Information
Malicious functions:
Removes itself
Substitutes application name for:
- [kworker/u5:36]
- [kworker/u1:1]
Manages services:
- ['systemctl', 'daemon-reload']
- ['systemctl', 'enable', 'bot.service']
- ['systemctl', 'start', 'bot.service']
Launches processes:
- chmod 700 /tmp/apt-key-gpghome.8r1uXlECtw
- touch /tmp/apt-key-gpghome.8r1uXlECtw/pubring.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
- apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
- mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
- /usr/lib/apt/methods/store
- readlink -f /tmp/apt-key-gpghome.8r1uXlECtw
- cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
- rm -f /tmp/apt-key-gpghome.8r1uXlECtw/pubring.gpg
- chmod 700 /tmp/apt-key-gpghome.U6ezbSRUgf
- apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
- cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
- gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
- readlink -f /etc/apt/trusted.gpg.d/
- /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.AVEBFp /tmp/apt.data.rO1x9q
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
- gpgv --homedir /tmp/apt-key-gpghome.8r1uXlECtw --keyring /tmp/apt-key-gpghome.8r1uXlECtw/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.AVEBFp /tmp/apt.data.rO1x9q
- apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
- touch /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.gpg
- /usr/lib/apt/methods/https
- apt-config shell GPGV Apt::Key::gpgvcommand
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
- rm -f /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.gpg
- rm -rf /tmp/apt-key-gpghome.U6ezbSRUgf
- cp -a /tmp/apt-key-gpghome.8r1uXlECtw/pubring.gpg /tmp/apt-key-gpghome.8r1uXlECtw/pubring.orig.gpg
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
- gpg-connect-agent -s --no-autostart GETINFO scd_running /if ${! $?} scd killscd /end
- apt-get update
- apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
- find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 ( -name *.gpg -o -name *.asc )
- /usr/bin/dpkg --print-foreign-architectures
- /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.F9Hyeq /tmp/apt.data.Xkwu0o
- gpgv --homedir /tmp/apt-key-gpghome.U6ezbSRUgf --keyring /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.F9Hyeq /tmp/apt.data.Xkwu0o
- sort
- cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
- cp -a /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.gpg /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.orig.gpg
- apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
- cat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
- readlink -f /tmp/apt-key-gpghome.U6ezbSRUgf
- cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
- cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
- apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
- sed -e s#\x27#\x27\x22\x27\x22\x27#g
- gpgconf --kill all
- apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
- gpg-connect-agent --no-autostart KILLAGENT
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
- sudo apt-get update
Kills the following processes:
- rcu_tasks_trace
- ata_sff
- scsi_eh_0
- scsi_tmf_0
- scsi_eh_1
- scsi_tmf_1
- ksoftirqd/0
- rcu_sched
- migration/0
- jbd2/sda1-8
- ext4-rsv-conver
- cpuhp/0
- kdevtmpfs
- netns
- kauditd
- kthreadd
- khungtaskd
- oom_reaper
- writeback
- kcompactd0
- ksmd
- khugepaged
- ttm_swap
- rcu_gp
- kworker/u2:4
- rcu_par_gp
- kintegrityd
- kblockd
- blkcg_punt_bio
- edac-poller
- devfreq_wq
- kworker/0:1H
- kworker/0:0
- kworker/0:2
- kswapd0
- kthrotld
- acpi_thermal_pm
- ipv6_addrconf
- kworker/u2:1
- kworker/0:1
- kworker/0:0H
- kstrp
- zswap-shrink
- kworker/u3:0
- 9bc2fd2a
- kworker/u2:0
- mm_percpu_wq
- rcu_tasks_rude_
- <SAMPLE>
- http
- gpgv
- store
Performs operations with the file system:
Modifies file access rights:
- /var/lib/apt/lists/partial
- /var/lib/apt/lists/auxfiles
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /tmp/apt-key-gpghome.U6ezbSRUgf
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.nGplBQ
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.HdqDeT
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.r2KumR
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en
- /tmp/apt-key-gpghome.8r1uXlECtw
Modifies file owner:
- /var/lib/apt/lists/partial
- /var/lib/apt/lists/auxfiles
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en
Creates folders:
- /tmp/apt-key-gpghome.U6ezbSRUgf
- /tmp/apt-key-gpghome.8r1uXlECtw
Deletes folders:
- /tmp/apt-key-gpghome.U6ezbSRUgf
Creates or modifies files:
- /etc/systemd/system/bot.service
- /tmp/bot-start.sh
- /tmp/#130834 (deleted)
- /var/lib/apt/lists/lock
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.YDDE22
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.xw0KN4
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.0fzvD4
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.NwR1y4
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /tmp/apt.conf.pj8Ttp
- /tmp/apt.sig.F9Hyeq
- /tmp/apt.data.Xkwu0o
- /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.gpg
- /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.orig.gpg
- /tmp/apt-key-gpghome.U6ezbSRUgf/gpg.1.sh
- /tmp/#130829 (deleted)
- /tmp/apt.conf.MSza3m
- /tmp/apt.sig.AVEBFp
- /tmp/apt.data.rO1x9q
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.nGplBQ
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.HdqDeT
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.r2KumR
- /tmp/apt-key-gpghome.8r1uXlECtw/pubring.gpg
- /tmp/apt-key-gpghome.8r1uXlECtw/pubring.orig.gpg
- /tmp/apt-key-gpghome.8r1uXlECtw/gpg.1.sh
Deletes files:
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.YDDE22
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.xw0KN4
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.0fzvD4
- /var/lib/apt/lists/partial/.apt-acquire-privs-test.NwR1y4
- /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.orig.gpg
- /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.gpg
- /tmp/apt-key-gpghome.U6ezbSRUgf/gpg.1.sh
- /tmp/apt.conf.pj8Ttp
- /tmp/apt.sig.F9Hyeq
- /tmp/apt.data.Xkwu0o
Changes time of creation/access/modification of files:
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
- /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
- /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.gpg
- /tmp/apt-key-gpghome.U6ezbSRUgf/pubring.orig.gpg
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages
- /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en
- /tmp/apt-key-gpghome.8r1uXlECtw/pubring.gpg
- /tmp/apt-key-gpghome.8r1uXlECtw/pubring.orig.gpg
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:9999
Establishes connection:
- 45.##.28.202:5111
- 8.#.8.8:53
- [2#####e42:8d::644]:80
- (e##val)
- 14#.##.118.132:80
- 10#.##8.7.33:443
- 10#.##8.7.88:443
- 10#.##8.7.48:443
- 10#.##8.7.18:443
- [2##########490:8000:3:db06:4200:93a1]:443
- [2##########490:d800:3:db06:4200:93a1]:443
- [2##########490:c00:3:db06:4200:93a1]:443
- [2##########490:9200:3:db06:4200:93a1]:443
- [2##########490:2800:3:db06:4200:93a1]:443
- [2##########490:4200:3:db06:4200:93a1]:443
- [2##########490:a00:3:db06:4200:93a1]:443
- [2##########490:f400:3:db06:4200:93a1]:443
DNS ASK:
- _h####.##cp.download.docker.com
- _h###.###p.security.debian.org
- _h###.##cp.deb.debian.org
- de####.#ap.fastlydns.net
- do####ad.docker.com
Sends data to the following servers:
- 14#.##.118.132:80
- 10#.##8.7.33:443
Receives data from the following servers:
- 14#.##.118.132:80
- 10#.##8.7.33:443