Malware Analysis - Ransomware Script
Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid.
Ok, now let’s get into the challenge
Don’t forget the warning part .-.
What is the malicious IP address referenced multiple times in the script? (1 point)
185.141.25.168
The script uses apt-get to retrieve two tools, and uses yum to install them. What is the command line to remove the yum logs afterwards? (1 point)
rm -rf /var/log/yum*
A message is created in the file /etc/motd. What are the first three words? (1 point)
You were hacked
This message also contains a contact email address to have the system fixed. What is it? (1 point)
nationalsiense@protonmail.com
When files are encrypted, an unusual file extension is used. What is it? (2 points)
☢
There are 5 functions associated with the encryption process that start with ‘encrypt’. What are they, in the order they’re actually executed in the script? (do not include “()”) (2 points)
encrypt_ssh, encrypt_grep_files, encrypt_home, encrypt_root, encrypt_db
The script will check a text file hosted on the C2 server. What is the full URL of this file? (2 points)
http://185.141.25.168/check_attack/0.txt
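Most of the answers above come from two static-analysis steps: pulling network and contact indicators out of the script text, and working out the order in which the encrypt_* functions are actually invoked rather than the order they are defined. The following is an added example (not part of the challenge or the original post) that performs both steps on a constructed skeleton of the script; the skeleton keeps only the indicators and function names from the answers above, with empty function bodies.

```python
"""Static triage of a shell-script sample: pull network/contact indicators and
recover the order in which top-level function calls execute."""
import re

# Constructed skeleton standing in for the analysed script. Function bodies are
# empty (':') so only the structure the challenge asks about is reproduced.
SAMPLE_SCRIPT = """#!/bin/bash
C2=185.141.25.168
encrypt_root() { :; }
encrypt_home() { :; }
encrypt_ssh() { :; }
encrypt_db() { :; }
encrypt_grep_files() { :; }
echo "You were hacked, write to nationalsiense@protonmail.com" > /etc/motd
curl -s http://185.141.25.168/check_attack/0.txt
encrypt_ssh
encrypt_grep_files
encrypt_home
encrypt_root
encrypt_db
rm -rf /var/log/yum*
"""

IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}
# Matches bash function definitions of the form `name() {`
FUNC_DEF = re.compile(r"^\s*(\w+)\s*\(\)\s*\{", re.M)


def extract_iocs(script: str) -> dict:
    """Unique indicators per class, in first-seen order."""
    return {k: list(dict.fromkeys(p.findall(script))) for k, p in IOC_PATTERNS.items()}


def call_order(script: str, prefix: str = "encrypt") -> list:
    """Functions with the given prefix, ordered by their first top-level
    invocation. Definition order says nothing about execution order."""
    defined = {n for n in FUNC_DEF.findall(script) if n.startswith(prefix)}
    order = []
    for line in script.splitlines():
        tok = line.strip().split(" ")[0] if line.strip() else ""
        if tok in defined and tok not in order:
            order.append(tok)
    return order


if __name__ == "__main__":
    print(extract_iocs(SAMPLE_SCRIPT))
    print(call_order(SAMPLE_SCRIPT))
```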
goodbye, thank you for reading until now //~//
This post is licensed under CC BY 4.0 by the author.