Техническая информация
Для обеспечения автоматического запуска и распространения:
Создает или модифицирует следующие файлы:
- /etc/init.d/proc__bioset.sh
- /etc/cron.d/root
- /etc/cron.d/system
- /etc/cron.d/apache
- /var/spool/cron/crontabs/root
Вредоносные функции:
Компилирует программу из исходных кодов:
- gcc -Wall -fPIC -shared /usr/local/lib/pro__wlib.c -lc -ldl -o /usr/local/lib/libpro__w.so
Управляет службами:
- systemctl daemon-reload
- systemctl enable proc__sysagent
Запускает процессы:
- /bin/bash -c chattr -i /tmp/.program__temporary-storage-p-root
- chattr -i /tmp/.program__temporary-storage-p-root
- /bin/bash -c chattr +i /tmp/.program__temporary-storage-p-root
- chattr +i /tmp/.program__temporary-storage-p-root
- /bin/bash -c /bin/bash ./.pro__rkt/pro__autorkt.sh
- /bin/bash ./.pro__rkt/pro__autorkt.sh
- /bin/bash -c /bin/bash ./.pro__config/pro__automig.sh
- cp ./.pro__writeo0bB /usr/sbin/proc__bioset
- /bin/bash ./.pro__config/pro__automig.sh
- cp ./.pro__rkt/proc__bioset.sh /etc/init.d/proc__bioset.sh
- cat /tmp/.program__temporary-storage-g-root
- chmod +x /usr/sbin/proc__bioset
- chmod +x ./.pro__config/proc__o0mig
- chmod +x /etc/init.d/proc__bioset.sh
- sleep 1
- nohup ./.pro__config/proc__o0mig -c ./.pro__config/pro__cfg
- ./.pro__config/proc__o0mig -c ./.pro__config/pro__cfg
- rm -rf ./.pro__rkt/proc__bioset.sh
- cp ./.pro__writeo0bB /tmp/.kworker__flush
- chattr -i /tmp/.program__temporary-storage-g-root
- cp ./.pro__writeo0bB /var/tmp/.kworker__flush
- chattr -i /tmp/.xfs__scsi__f2
- cp ./.pro__writeo0bB /dev/shm/.kworker__flush
- chattr +i /tmp/.program__temporary-storage-g-root
- chattr +i /tmp/.xfs__scsi__f2
- cp /bin/bash /tmp/.kworker__watchdogd
- renice -1 -p 722
- cp /bin/bash /var/tmp/.kworker__watchdogd
- rm -rf ./.pro__config
- cp /bin/bash /dev/shm/.kworker__watchdogd
- /bin/bash -c /bin/bash ./.pro__lk/pro__autolk.sh
- rm -rf ./.pro__writeo0bB
- /bin/bash ./.pro__lk/pro__autolk.sh
- chmod +x /tmp/.kworker__flush
- chmod +x /var/tmp/.kworker__flush
- tee ./.program__daemonload
- chmod +x /dev/shm/.kworker__flush
- tee ./.program__kill30
- cp ./.pro__rkt/pro__wlib.c /usr/local/lib/pro__wlib.c
- cat /tmp/.program__temporary-storage-d-root
- rm -rf ./.pro__rkt/pro__wlib.c
- find ./.kworker__watchdogd
- wc -l
- find /tmp/.kworker__watchdogd
- /tmp/.kworker__watchdogd ./.program__daemonload
- chattr -i /tmp/.program__temporary-storage-d-root
- chattr +i /tmp/.program__temporary-storage-d-root
- sleep 2
- cat /tmp/.program__temporary-storage-l-root
- /tmp/.kworker__watchdogd ./.program__kill30
- chattr -i /tmp/.program__temporary-storage-l-root
- chattr +i /tmp/.program__temporary-storage-l-root
- rm -rf ./.pro__lk
- rm ./.program__daemonload
- sleep 10
- /bin/bash -c /bin/bash ./.pro__scan/pro__autoscan.sh
- rm ./.program__kill30
- sleep 5
- /bin/bash ./.pro__scan/pro__autoscan.sh
- touch /tmp/.program__temporary-storage-r-root
- nohup python ./.pro__scan/proc__scanr.py
- python ./.pro__scan/proc__scanr.py
- rm -rf ./.pro__scan
- ps aux
- grep -v proc__
- awk {if(>30.0) print }
- cat /tmp/.program__temporary-storage-p-root
- touch /etc/ld.so.preload
- rm -rf /usr/local/lib/pro__wlib.c
- touch -acmr /bin/sh /etc/cron.d/system
- touch -acmr /bin/sh /etc/cron.d/root
- touch -acmr /bin/sh /var/spool/cron/root
- cat
- mkdir -p /var/spool/cron/crontabs
- touch -acmr /bin/sh /etc/cron.d/apache
- touch -acmr /bin/sh /var/spool/cron/crontabs/root
- rm -rf ./.pro__rkt
- rm -rf ./.program__kill30
Завершает следующие процессы:
- /root/.pro__config/proc__o0mig
- /bin/bash
- /tmp/.kworker__watchdogd
- <SAMPLE>
Выполняет операции с файловой системой:
Модифицирует права доступа к файлам:
- /root/.pro__config/proc__o0mig
- /etc/init.d/proc__bioset.sh
- /usr/local/lib/libpro__w.so
Создает папки:
- /root/.pro__config
- /root/.pro__rkt
- /root/.pro__lk
- /root/.pro__scan
Создает или модифицирует файлы:
- /tmp/.program__temporary-storage-p-root
- /root/.pro__config/pro__automig.sh
- /root/.pro__rkt/pro__autorkt.sh
- /root/.pro__config/pro__cfg
- /root/.pro__rkt/pro__wlib.c
- /root/.pro__rkt/proc__bioset.sh
- /root/.pro__config/proc__o0mig
- /tmp/.program__temporary-storage-g-root
- /tmp/.xfs__scsi__f2
- /tmp/.kworker__watchdogd
- /var/tmp/.kworker__watchdogd
- /root/.pro__lk/pro__autolk.sh
- /dev/shm/.kworker__watchdogd
- /root/.program__daemonload
- /root/.program__kill30
- /usr/local/lib/pro__wlib.c
- /tmp/ccxsbdNo.s
- /tmp/.program__temporary-storage-d-root
- /tmp/.program__temporary-storage-l-root
- /root/.pro__scan/pro__autoscan.sh
- /root/.pro__scan/proc__scanr.py
- /tmp/.program__temporary-storage-r-root
- /tmp/ccDLYSK9.o
- /tmp/cczHO9TW.res
- /tmp/ccXQ9L5O.c
- /tmp/ccKYk0GC.o
- /tmp/ccO0SLiq.ld
- /tmp/cc0QT0Ud.le
- /usr/local/lib/libpro__w.so
- /etc/ld.so.preload
- /tmp/sh-thd-194211465
- /etc/systemd/system/proc__sysagent.service
- /var/spool/cron/root
- /tmp/tmpfBepvqJ
- /tmp/tmpfBepvqJ (deleted)
- /tmp/tmpfDH3UrC
- /tmp/tmpfDH3UrC (deleted)
- /var/spool/cron/.pro__lk/pro__autolk.sh
- /var/spool/cron/.program__daemonload
- /var/spool/cron/.program__kill30
- /tmp/tmpf7Sargk
- /tmp/tmpf7Sargk (deleted)
- /tmp/tmpfoT1jaf
- /tmp/tmpfoT1jaf (deleted)
Удаляет файлы:
- /root/.pro__rkt/proc__bioset.sh
- /root/proc__o0mig
- /root/pro__cfg
- /root/pro__automig.sh
- /root/.pro__writeo0bB
- /root/.pro__rkt/pro__wlib.c
- /root/pro__autolk.sh
- /root/.program__daemonload
- /root/.program__kill30
- /root/pro__autoscan.sh
- /root/proc__scanr.py
- /tmp/ccO0SLiq.ld
- /tmp/cc0QT0Ud.le
- /tmp/ccXQ9L5O.c
- /tmp/ccKYk0GC.o
- /tmp/cczHO9TW.res
- /tmp/ccDLYSK9.o
- /tmp/ccxsbdNo.s
- /usr/local/lib/pro__wlib.c
- /tmp/sh-thd-194211465
- /tmp/tmpfBepvqJ
- /var/spool/cron/pro__autorkt.sh
- /tmp/tmpfDH3UrC
- /tmp/tmpf7Sargk
- /tmp/tmpfoT1jaf
Прочее:
Собирает информацию о CPU
Собирает информацию об оперативной памяти
Собирает информацию о сетевой активности
