Technical Information
Malicious functions:
Launches itself as a daemon
Modifies router settings:
- /bin/nvram
Launches processes:
- sh -c echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &
- sh -c chmod 700 <SAMPLE_FULL_PATH> > /dev/null 2>&1 &
- sh -c touch -acmr /bin/ls <SAMPLE_FULL_PATH>
- chmod 700 <SAMPLE_FULL_PATH>
- touch -acmr /bin/ls <SAMPLE_FULL_PATH>
- sh -c (crontab -l | grep -v \"<SAMPLE_FULL_PATH>\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1
- grep -v <SAMPLE_FULL_PATH>
- grep -v no cron
- grep -v lesshts/run.sh
- crontab -l
- sh -c echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\" >> /var/run/.x001804289383
- sh -c crontab /var/run/.x001804289383
- crontab /var/run/.x001804289383
- sh -c rm -rf /var/run/.x001804289383
- rm -rf /var/run/.x001804289383
- sh -c /bin/uname -n
- sh -c nvram get router_name
- /bin/uname -n
Performs operations with the file system:
Modifies file access rights:
- <SAMPLE_FULL_PATH>
- /var/spool/cron/crontabs/tmp.LC4UgF
Creates or modifies files:
- /tmp/.udevd25.pid
- /etc/resolv.conf
- /var/run/.x001804289383
- /run/.x001804289383
- /var/spool/cron"/crontabs/tmp.LC4UgF
- /var/spool/cron/crontabs/tmp.LC4UgF
Deletes files:
- /var/run/.x001804289383"
Network activity:
Connects to the following servers over the IRC protocol:
- Server: 15#.#9.60.149; Command: NICK x86|x|0|337844|unknown\nUSER x00 localhost localhost :sept15201s10_daem_bp\n
- Server: 15#.#9.60.149; Command: PONG :A9452548\n
- Server: 15#.#9.60.149; Command: NICK x86|x|0|337844|unknown\n
- Server: 15#.#9.60.149; Command: MODE x86|x|0|337844|unknown -xi\n
- Server: 15#.#9.60.149; Command: JOIN #error :877\n