One of our web servers recently got compromised and was hit with ransomware. Luckily we had a restore point just before the files were encrypted, and managed to recover a suspicious script file that didn’t appear to have been run yet.
What is the malicious IP address referenced multiple times in the script?
The script uses apt-get to retrieve two tools, and uses yum to install them. What is the command line to remove the yum logs afterwards?
A message is created in the file /etc/motd. What are its first three words?
This message also contains a contact email address to have the system fixed. What is it?
When files are encrypted, an unusual file extension is used. What is it?
There are 5 functions associated with the encryption process that start with ‘encrypt’. What are they, in the order they’re actually executed in the script? (do not include “()”)
The script will check a text file hosted on the C2 server. What is the full URL of this file?