Linux.BackDoor.Tsunami.884
Added to the Dr.Web virus database:
2018-04-15
Virus description added:
2018-04-15
Technical Information
Malicious functions:
Launches itself as a daemon
Launches processes:
- /root/c855a922
- sh -c crontab -l>out.ct
- crontab -l
- sh -c cat out.ct | grep -v c855a922 >ct.out
- grep -v c855a922
- cat out.ct
- sh -c echo "*/10 * * * * /root/c855a922 >/dev/null 2>&1" >>ct.out
- sh -c crontab ct.out;rm -f out.ct;rm -f ct.out
- crontab ct.out
- rm -f out.ct
- rm -f ct.out
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.bTaaRE
Creates or modifies files:
- /root/c855a922
- /root/c855a922.o
- /root/out.ct
- /var/spool/cron/ct.out
- /root/ct.out
- /var/spool/cron/crontabs/tmp.bTaaRE
Deletes files:
- <SAMPLE_FULL_PATH>
- /var/spool/cron/out.ct
- /var/spool/cron/ct.out
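The process list above is a complete cron persistence routine: dump the current crontab, drop any line already mentioning the dropped binary, append an every-10-minutes job for it with output discarded, and install the result. The following triage helper is an added example (not Dr.Web's description and not the sample's own code) that hunts for that entry shape in a crontab dump and strips it. The file name c855a922, the /root location and the `*/10 * * * * ... >/dev/null 2>&1` entry come from the report; generalising to any every-N-minutes job that runs a binary with an 8-hex-character name and discards its output is an assumption made here.

```python
"""Hunt for the cron persistence entry the report describes and strip it.

Added triage example, not code from Dr.Web or from the sample. The entry
shape (*/10 * * * * /root/c855a922 >/dev/null 2>&1) is taken from the
report; generalising it to any every-N-minutes job that runs a binary with
an 8-hex-character name and discards its output is an assumption.
"""
import re
import sys

# */N * * * * <dir>/<8 hex chars> >/dev/null 2>&1
PERSIST_RE = re.compile(
    r"^\*/(?P<minutes>\d+)(?:\s+\*){4}\s+"
    r"(?P<path>/(?:[^\s/]+/)*[0-9a-f]{8})\s+>\s*/dev/null\s+2>&1\s*$"
)


def find_persistence(crontab_text):
    """Return [(minutes, path)] for every non-comment line matching PERSIST_RE."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PERSIST_RE.match(line)
        if m:
            hits.append((int(m.group("minutes")), m.group("path")))
    return hits


def strip_persistence(crontab_text, binary_path):
    """Return the crontab with every line that references binary_path removed.

    This mirrors the sample's own `grep -v c855a922` filter, turned against it.
    Review the result, then feed it back with `crontab -`."""
    kept = [l for l in crontab_text.splitlines() if binary_path not in l]
    return "".join(l + "\n" for l in kept)


# Constructed crontab: two ordinary jobs plus the entry the sample appends.
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/certbot renew --quiet\n"
    "*/10 * * * * /root/c855a922 >/dev/null 2>&1\n"
    "@reboot /usr/local/bin/backup.sh\n"
)

if __name__ == "__main__":
    # Use piped input (e.g. `crontab -l -u root | python3 cronhunt.py`),
    # otherwise fall back to the constructed sample above.
    text = SAMPLE_CRONTAB if sys.stdin.isatty() else sys.stdin.read()
    hits = find_persistence(text)
    for minutes, path in hits:
        print(f"suspicious: {path} runs every {minutes} min, output discarded")
    if hits:
        print("--- crontab with the entry removed ---")
        print(strip_persistence(text, hits[0][1]), end="")
```

Run it against `crontab -l` for root and for any other account, and against the files under /var/spool/cron/crontabs/ directly (the report shows the sample writing there through a temporary file), since a reinstalled crontab is the only thing that survives killing the daemon. Removing the entry without also removing the binary it points to, or the reverse, leaves the sample able to recreate the other half on its next run.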
Network activity:
Connects to the following servers over the IRC protocol:
- Server: 19#.#28.235.204; Command: NICK r0ot-drp-c855a922-YJGA\nUSER XAFT localhost localhost :JCBPQD\n
- Server: 19#.#28.235.204; Command: MODE r0ot-drp-c855a922-YJGA -xi\n
- Server: 19#.#28.235.204; Command: JOIN #TT :bleh\n
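The three IRC commands above are the client side of a normal IRC registration (NICK, USER), a user-mode change, and a channel join; what makes them a signature is the nick layout, which embeds the same eight hex characters as the dropped binary, and the fixed channel. The detector below is an added example (not Dr.Web's and not the sample's code) that parses a captured client-to-server stream and extracts those identifiers so they can be correlated with the crontab finding. The nick, ident, mode string and channel values are the ones in the report; treating `r0ot-drp-<8 hex>-<4 letters>` as a stable pattern, and requiring the whole sequence rather than the nick alone, are assumptions made here.

```python
"""Flag the IRC registration sequence the report lists and pull out its
identifiers.

Added example, not code from Dr.Web or from the sample. The nick, ident,
mode and channel values come from the report; treating the nick layout
r0ot-drp-<8 hex>-<4 letters> as a stable signature is an assumption.
"""
import re

NICK_RE = re.compile(r"^NICK (?P<nick>r0ot-drp-(?P<id>[0-9a-f]{8})-[A-Z]{4})$")
# USER <ident> localhost localhost :<realname>, as in the report
USER_RE = re.compile(r"^USER (?P<ident>\S+) localhost localhost :(?P<real>\S+)$")
# user-mode change the sample issues right after registering (-xi in the report)
MODE_RE = re.compile(r"^MODE (?P<nick>\S+) (?P<modes>[+-][a-zA-Z]+)$")
# JOIN <channel> [:<key>]; the trailing parameter is the channel key
JOIN_RE = re.compile(r"^JOIN (?P<chan>#\S+)(?: :(?P<key>\S*))?$")


def parse_irc_client_stream(data):
    """Return a dict describing the handshake if the client-to-server text
    matches the sample's pattern, otherwise None.

    Accepts bare \\n (as the report shows) or IRC's usual \\r\\n terminators."""
    found = {}
    for line in data.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        if (m := NICK_RE.match(line)):
            found["nick"] = m.group("nick")
            found["sample_id"] = m.group("id")   # same 8 hex chars as the binary
        elif (m := USER_RE.match(line)):
            found["ident"] = m.group("ident")
            found["realname"] = m.group("real")
        elif (m := MODE_RE.match(line)) and m.group("nick") == found.get("nick"):
            found["modes"] = m.group("modes")
        elif (m := JOIN_RE.match(line)):
            found["channel"] = m.group("chan")
            found["key"] = m.group("key")
    # Require the full sequence, not just a matching nick, to cut false positives.
    if {"nick", "ident", "modes", "channel"} <= found.keys():
        return found
    return None


# Constructed client-to-server text, modelled line for line on the report.
SAMPLE_STREAM = (
    "NICK r0ot-drp-c855a922-YJGA\n"
    "USER XAFT localhost localhost :JCBPQD\n"
    "MODE r0ot-drp-c855a922-YJGA -xi\n"
    "JOIN #TT :bleh\n"
)

# Constructed ordinary IRC login for comparison.
BENIGN_STREAM = "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n"

if __name__ == "__main__":
    for name, stream in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        print(name, parse_irc_client_stream(stream))
```

The returned `sample_id` is the value to compare with the basename of the cron job's binary: a nick carrying the same eight hex characters as a file in /root ties the network session to the on-disk artefact without relying on the masked server address. Because the sample uses plain IRC, the same strings can be matched by an IDS rule or by grepping a pcap's reassembled TCP payloads.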
DNS ASK:
Curing recommendations
Linux