Malware Analysis - Ransomware Script

  1. What is the malicious IP address referenced multiple times in the script? (1 point)

    Answer: 185.141.25.168

  2. The script uses apt-get to retrieve two tools, and uses yum to install them. What is the command line used to remove the yum logs afterwards? (1 point)

    Answer: rm -rf /var/log/yum*

  3. A message is created in the file /etc/motd. What are the first three words? (1 point)

    Answer: You were hacked

  4. This message also contains a contact email address to have the system fixed. What is it? (1 point)

    Answer: nationalsiense@protonmail.com

  5. When files are encrypted, an unusual file extension is used. What is it? (2 points)

    Answer: .☢

  6. There are 5 functions associated with the encryption process that start with ‘encrypt’. What are they, in the order they’re actually executed in the script? (do not include "()") (2 points)

    Answer: encrypt_ssh, encrypt_grep_files, encrypt_home, encrypt_root, encrypt_db

  7. The script will check a text file hosted on the C2 server. What is the full URL of this file? (2 points)

    Answer: http://185.141.25.168/check_attack/0.txt


Tags

  1. malware
  2. bash
  3. 10 points
  4. easy