Technical Information
Malicious functions:
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- clear
- rm -r matris
- rm -r 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
- useradd -m -p 123 tardis
- nscd -i passwd
- nscd -i group
Performs operations with the file system:
Modifies file access rights:
- /home/tardis
- /home/tardis/.bashrc
- /home/tardis/.bash_logout
- /home/tardis/.profile
- /etc/passwd+
- /etc/shadow+
- /etc/group+
- /etc/gshadow+
- /etc/subuid+
- /etc/subgid+
Creates folders:
- /home/tardis
Creates symlinks:
- /etc/passwd.lock"
- /etc/group.lock"
- /etc/gshadow.lock"
- /etc/subuid.lock"
- /etc/subgid.lock"
- /etc/shadow.lock"
Creates or modifies files:
- /etc/.pwd.lock
- /etc/passwd.713
- /etc/group.713
- /etc/gshadow.713
- /etc/subuid.713
- /etc/subgid.713
- /etc/shadow.713
- /var/log/faillog
- /var/log/lastlog
- /home/tardis/.bashrc
- /home/tardis/.bash_logout
- /home/tardis/.profile
- /etc/passwd-
- /etc/passwd+
- /etc/shadow-
- /etc/shadow+
- /etc/group-
- /etc/group+
- /etc/gshadow-
- /etc/gshadow+
- /etc/subuid-
- /etc/subuid+
- /etc/subgid-
- /etc/subgid+
- /etc/hosts
Deletes files:
- /usr"/matris"
- /usr"/1"
- /usr"/2"
- /usr"/3"
- /usr"/4"
- /usr"/5"
- /usr"/6"
- /usr"/7"
- /usr"/8"
- /usr"/9"
- /usr"/10"
- /usr"/11"
- /usr"/12"
- /usr"/13"
- /usr"/14"
- /usr"/15"
- /usr"/16"
- /usr"/17"
- /usr"/18"
- /usr"/19"
- /usr"/20"
- /usr"/21"
- /usr"/22"
- /usr"/23"
- /usr"/24"
- /usr"/25"
- /usr"/26"
- /usr"/27"
- /usr"/28"
- /usr"/29"
- /usr"/30"
- /etc/passwd.713"
- /etc/group.713"
- /etc/gshadow.713"
- /etc/subuid.713"
- /etc/subgid.713"
- /etc/shadow.713"
- /etc/shadow.lock"
- /etc/passwd.lock"
- /etc/group.lock"
- /etc/gshadow.lock"
- /etc/subuid.lock"
- /etc/subgid.lock"
Other:
Collects RAM information
