Technical Information
Malicious functions:
Performs process tracing:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Launches processes:
- /bin/sh <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/sh <SAMPLE_FULL_PATH> -c
- cp -f /usr/bin/chattr /usr/bin/lockr
- cp -f /usr/bin/chattr /usr/bin/.locks
- cp -f /usr/bin/.locks /usr/bin/lockr
- chmod 777 /usr/bin/lockr
- chmod 777 /usr/bin/.locks
- lockr +i /usr/bin/lockr
- lockr +i /usr/bin/.locks
- lockr -i /usr/bin/dget
- chmod 777 /usr/bin/dget
- lockr +i /usr/bin/dget
- lockr -i /usr/bin/pkill
- chmod 777 /usr/bin/pkill
- lockr +i /usr/bin/pkill
- lockr -i /usr/bin/nohup
- chmod 777 /usr/bin/nohup
- lockr +i /usr/bin/nohup
- lockr -i /usr/bin/killall
- chmod 777 /usr/bin/killall
- lockr +i /usr/bin/killall
- lockr -i /usr/bin/nslookup
- chmod 777 /usr/bin/nslookup
- lockr +i /usr/bin/nslookup
- ifconfig
- grep inet
- grep -v 127.0
- xargs
- awk -F [ :] {print $3}
- grep 192.168
- /bin/echo inet addr:192.168.214.50 Bcast:192.168.214.255 Mask:255.255.255.0
Kills the following processes:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Performs operations with the file system:
Modifies file access rights:
- /usr/bin/lockr
- /usr/bin/.locks
- /usr/bin/dget
- /usr/bin/pgrep
- /usr/bin/nohup
- /usr/bin/killall
- /usr/bin/nslookup
Creates or modifies files:
- /usr/bin/lockr
- /usr/bin/.locks
