Technical Information
Malicious functions:
Performs process tracing:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Manages services:
- systemctl stop pwnrigl.service
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- chattr -ia /bin/-bash
- rm -rf /bin/-bash
- chattr +ia /bin/-bash
- chattr -ia /usr/bin/-bash
- rm -rf /usr/bin/-bash
- chattr +ia /usr/bin/-bash
- chattr -ia /usr/sbin/-bash
- rm -rf /usr/sbin/-bash
- chattr +ia /usr/sbin/-bash
- chattr -ia /usr/bin/dbused
- rm -rf /usr/bin/dbused
- chattr +ia /usr/bin/dbused
- chattr -ia /bin/sysmd
- rm -rf /bin/sysmd
- chattr +ia /bin/sysmd
- chattr -ia /usr/sbin/systemd
- rm -rf /usr/sbin/systemd
- chattr +ia /usr/sbin/systemd
- chattr -ia /etc/master
- rm -rf /etc/master
- chattr +ia /etc/master
- chattr -i /bin/.sh
- chattr -i /usr/lib/mysql/sh
- chattr -i /etc/.sh
- chattr -i /bin/shh
- chattr -i /sbin/https
- chattr -i /etc/spts
- chattr -i /usr/bin/.funzip
- chattr -i /etc/sphp
- rm -rf /bin/.sh
- rm -rf /usr/lib/mysql/sh
- rm -rf /etc/.sh
- rm -rf /bin/shh
- rm -rf /sbin/https
- rm -rf /etc/spts
- rm -rf /usr/bin/.funzip
- rm -rf /etc/sphp
- rm -rf /etc/.sftp
- cat /etc/.bashpid
- xargs -I % kill -9 %
- cat /etc/.qucfu.pid
- pidof .sh
Attempts to kill the following processes:
- killall .sh
Kills the following processes:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Performs operations with the file system:
Creates or modifies files:
- /bin/-bash
- /usr/bin/-bash
- /usr/sbin/-bash
- /usr/bin/dbused
- /bin/sysmd
- /usr/sbin/systemd
- /etc/master
- /etc/ld.so.preload
Deletes files:
- /bin/-bash
- /usr/bin/-bash
- /usr/sbin/-bash
- /usr/bin/dbused
- /bin/sysmd
- /usr/sbin/systemd
- /etc/master
- /bin/.sh
- /usr/lib/mysql/sh
- /etc/.sh
- /bin/shh
- /sbin/https
- /etc/spts
- /usr/bin/.funzip
- /etc/sphp
- /etc/.sftp
Other:
Collects RAM information
