Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- ojsske
- [kthrtld]
Launches processes:
- sh -c /root/rfqbge brxoed
- /root/rfqbge brxoed
- sh -c /root/xoedme
- sh -c /root/fytgoe crfytg
- /root/fytgoe crfytg
- sh -c /root/lbgite
- /root/lbgite
Kills system processes:
- sshd
Kills the following processes:
- kauditd
- systemd-journal
- systemd-udevd
- kpsmoused
- kworker/0:3
- ttm_swap
- kvm-irqfd-clean
- dhclient
- rpcbind
- rpc.statd
- rpciod
- nfsiod
- rpc.idmapd
- cron
- atd
- systemd-logind
- rsyslogd
- acpid
- dbus-daemon
- agetty
- exim4
- systemd
- (sd-pam)
- bash
- run.sh
- kworker/u2:1
- /bin/sh
- Unknown process with PID: 736
Performs operations with the file system:
Modifies file access rights:
- /root/rfqbge
- /root/xoedme
- /root/fytgoe
- /root/lbgite
Creates or modifies files:
- /root/rfqbge
- /root/xoedme
- /root/fytgoe
- /root/lbgite
Deletes files:
- /root/rfqbge
- /root/xoedme
- /root/fytgoe
- /root/lbgite
Network activity:
Establishes connection:
- 95.###.153.229:80
HTTP GET requests:
- 18#.##5.169.6/d/sss
- 18#.###.169.6/d/lmmml
Sends data to the following servers:
- 95.###.153.229:80
Receives data from the following servers:
- 95.###.153.229:80