Техническая информация
Вредоносные функции:
Подменяет имя приложения на:
- QThread
- QProcessManager
Запускает процессы:
- sh -c ps -efww | grep hpsum_service_x86 | grep -v grep | tr -s \" \" | cut -d \ -f 8 > /tmp/browseProc
- grep hpsum_service_x86
- tr -s
- ps -efww
- grep -v grep
- cut -d -f 8
- sh -c ps -efww | grep hpsum_service_x64 | grep -v grep | tr -s \" \" | cut -d \ -f 8 > /tmp/browseProc
- grep hpsum_service_x64
- sh -c ps -efww | grep SourceClient | grep -v grep | tr -s \" \" | cut -d \ -f 8 > /tmp/browseProc
- grep SourceClient
- sh -c which ip 1>&- 2>&-
- which ip
- sh -c echo $PATH
- sh -c which sed
- which sed
- sh -c which rpm
- which rpm
- sh -c which bash
- which bash
- sh -c which shutdown
- which shutdown
- sh -c which gawk
- which gawk
- sh -c which grep
- which grep
- sh -c which cat
- which cat
- sh -c which nohup
- which nohup
- sh -c which dirname
- which dirname
- sh -c which cut
- which cut
- sh -c which ls
- which ls
- sh -c which uname
- which uname
- sh -c which df
- which df
- sh -c which kill
- which kill
- sh -c which lsmod
- which lsmod
- sh -c which lspci
- which lspci
- sh -c which dmidecode
- which dmidecode
- sh -c which awk
- which awk
- sh -c which ps
- which ps
Выполняет операции с файловой системой:
Модифицирует права доступа к файлам:
- /tmp/HPSUM/7_6_0_0/hpsum.pdb
- /tmp/HPSUM/hpsum.ini
- /tmp/HPSUM/hapi
Создает папки:
- /tmp/HPSUM
- /var/hp
- /var/hp/log
- /tmp/HPSUM/7_6_0_0
- /tmp/HPSUM/Recipes
Создает или модифицирует файлы:
- /tmp/browseProc
- /var/hp/log/hpsum_execution_log_10-20-2020_18-03-15.raw
- /tmp/HPSUM/engine.log
- /var/hp/log/RunRecord0_0_0_0
- /tmp/qipc_systemsem_hpsumsharemembinaryandengineb3a94d2568268853bf4756f6fb3fef3be19a967d
- /tmp/HPSUM/audit.log
- /tmp/HPSUM/7_6_0_0/hpsum.pdb
- /tmp/HPSUM/7_6_0_0/hpsum.pdb-journal
- /tmp/HPSUM/7_6_0_0/hpsum.pdb-wal
- /tmp/HPSUM/7_6_0_0/hpsum.pdb-shm
- /var/tmp/etilqs_AtsTzEahPrPAnt3
- /var/tmp/etilqs_AtsTzEahPrPAnt3 (deleted)
- /var/tmp/etilqs_fewsr8ZUGxWwDYR
- /var/tmp/etilqs_fewsr8ZUGxWwDYR (deleted)
- /var/tmp/etilqs_7MdCkI7UJjyQ7Cl
- /var/tmp/etilqs_7MdCkI7UJjyQ7Cl (deleted)
- /var/tmp/etilqs_9eO9DWP5RJdjlFJ
- /var/tmp/etilqs_9eO9DWP5RJdjlFJ (deleted)
- /var/tmp/etilqs_4nzBanRSTrZgM9Z
- /var/tmp/etilqs_4nzBanRSTrZgM9Z (deleted)
- /var/tmp/etilqs_8H6mnWqCRQCVgBe
- /var/tmp/etilqs_8H6mnWqCRQCVgBe (deleted)
- /var/tmp/etilqs_pW0LsbjuzPvfgSA
- /var/tmp/etilqs_pW0LsbjuzPvfgSA (deleted)
- /var/tmp/etilqs_2z1jyrKw8veQPMK
- /var/tmp/etilqs_2z1jyrKw8veQPMK (deleted)
- /var/tmp/etilqs_yFnuoB8UMR3H031
- /var/tmp/etilqs_yFnuoB8UMR3H031 (deleted)
- /var/tmp/etilqs_OYi4BBI6Ry65ThH
- /var/tmp/etilqs_OYi4BBI6Ry65ThH (deleted)
- /var/tmp/etilqs_s69xVySvvB5HXQH
- /var/tmp/etilqs_s69xVySvvB5HXQH (deleted)
- /tmp/HPSUM/database.log
- /tmp/HPSUM/hpsum.ini.MTJ683
- /tmp/HPSUM/hpsum.ini
- /tmp/HPSUM/qt_temp.LhX683
- /tmp/HPSUM/ftpserverIPv4.log
- /tmp/HPSUM/ftpserverIPv6.log
- /var/hp/log/hpsum_execution_log_10-20-2020_18-03-44.log
Удаляет файлы:
- /tmp/browseProc
- /tmp/HPSUM/7_6_0_0/hpsum.pdb-wal
- /tmp/HPSUM/7_6_0_0/hpsum.pdb-journal
- /var/tmp/etilqs_AtsTzEahPrPAnt3
- /var/tmp/etilqs_fewsr8ZUGxWwDYR
- /var/tmp/etilqs_7MdCkI7UJjyQ7Cl
- /var/tmp/etilqs_9eO9DWP5RJdjlFJ
- /var/tmp/etilqs_4nzBanRSTrZgM9Z
- /var/tmp/etilqs_8H6mnWqCRQCVgBe
- /var/tmp/etilqs_pW0LsbjuzPvfgSA
- /var/tmp/etilqs_2z1jyrKw8veQPMK
- /var/tmp/etilqs_yFnuoB8UMR3H031
- /var/tmp/etilqs_OYi4BBI6Ry65ThH
- /var/tmp/etilqs_s69xVySvvB5HXQH
- /tmp/HPSUM/hpsum.ini.MTJ683
- /tmp/HPSUM/hapi
- /var/hp/log/RunRecord0_0_0_0
- /tmp/HPSUM/7_6_0_0/hpsum.pdb-shm
- /tmp/qipc_systemsem_hpsumsharemembinaryandengineb3a94d2568268853bf4756f6fb3fef3be19a967d
Прочее:
Собирает информацию о CPU
Собирает информацию об оперативной памяти
Собирает информацию о сетевой активности
