BTLO : Malware Analysis – Ransomware Script

One of our web servers recently got compromised and was hit with ransomware. Luckily we had a restore point just before the files were encrypted, and managed to recover a suspicious script file that didn’t appear to have been run yet.

What is the malicious IP address referenced multiple times in the script?

The script uses apt-get to retrieve two tools, and uses yum to install them. What is the command line to remove the yum logs afterwards?

A message is created in the file /etc/motd. What are the three first words?

This message also contains a contact email address to have the system fixed. What is it?

When files are encrypted, an unusual file extension is used. What is it?

There are 5 functions associated with the encryption process that start with ‘encrypt’. What are they, in the order they’re actually executed in the script? (do not include “()”)

The script will check a text file hosted on the C2 server. What is the full URL of this file?
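The questions above all come down to pulling indicators out of a recovered shell script, so here is an added static-triage helper (my example, not part of the challenge or the original post). It runs over a constructed stand-in script with placeholder values, whose `encrypt*` functions only echo, and shows one point the function-order question hinges on: the order in which functions are called at top level is not the order in which they are defined.

```python
import re

# Constructed stand-in for a recovered script: placeholder values, nothing is encrypted.
SAMPLE_SCRIPT = r'''#!/bin/bash
C2=203.0.113.10
KEYFILE="http://203.0.113.10/status/run.txt"
EXT=".lockedx"

encrypt_setup()  { echo "setup"; }
encrypt_keygen() { echo "keygen"; }
encrypt_files()  { for f in "$@"; do echo "$f -> $f$EXT"; done; }
encrypt_notify() { echo "Your files are encrypted. Mail help@example.invalid" > /etc/motd; }

curl -s "$KEYFILE" | grep -q go || exit 0
encrypt_keygen
encrypt_setup
encrypt_files /srv/www/*
encrypt_notify
'''

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DEF_RE = re.compile(r"^\s*(?:function\s+)?(encrypt\w*)\s*\(\)", re.M)   # definitions
EXT_RE = re.compile(r"^\s*\w*EXT\w*=[\"']?(\.\w+)", re.M)               # heuristic
MOTD_RE = re.compile(r"echo\s+[\"']([^\"']+)[\"']\s*>>?\s*/etc/motd")

def triage(script: str) -> dict:
    """Pull the indicators the challenge questions ask about out of a shell script."""
    ips = {}
    for ip in IP_RE.findall(script):
        ips[ip] = ips.get(ip, 0) + 1          # address -> number of occurrences
    defined = DEF_RE.findall(script)
    # Execution order comes from top-level call lines, not from definition order.
    calls = []
    for line in script.splitlines():
        tok = line.strip().split(" ", 1)[0]
        if tok in defined and tok not in calls:
            calls.append(tok)
    motd = MOTD_RE.search(script)
    ext = EXT_RE.search(script)
    return {
        "ips": ips,
        "urls": URL_RE.findall(script),
        "emails": EMAIL_RE.findall(script),
        "extension": ext.group(1) if ext else None,
        "defined_order": defined,
        "call_order": calls,
        "motd_first_words": motd.group(1).split()[:3] if motd else [],
    }
```

Call `triage(SAMPLE_SCRIPT)` (or pass the real script's text) and read the dict; the regexes are deliberately simple and will need tightening on an obfuscated script.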
