Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- d3i33o1qgesu3rmqkminf6w4q2e4u8ui
Launches processes:
- sh -c echo \"export http_proxy=http://proxy.yoyodyne.com:18023/\" >> ~/.bashrc
- ps -ef
- grep -E wget|curl|tftp|ftp
- grep -v 22820
- awk {print $2}
- xargs kill -9
- kill -9
- sh -c ps -ef|grep -E \"wget|curl|tftp|ftp\"|grep -v $$|awk '{print $2}'|xargs kill -9
- grep -v 22829
- sh -c ./thqjnbrrr16w
- ./thqjnbrrr16w
- grep -v 22842
- sh -c crontab -r
- crontab -r
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:12319
Establishes connection:
- 8.#.8.8:53
- 37.###.195.248:21
- 94.###.48.154:45700
Attacks using a special dictionary (brute-force technique) via the SSH protocol
DNS ASK:
- m.###nutman.ru
- xm#.###l.minergate.com
Sends data to the following servers:
- 94.###.48.154:45700
Receives data from the following servers:
- 94.###.48.154:45700
Other:
Collects CPU information
Collects RAM information
Collects information about network activity