Linux.Siggen.1682
Added to the Dr.Web virus database: 2019-05-10
Virus description added: 2019-05-10
Technical Information
Malicious functions:
Launches itself as a daemon
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:19354
- 0.0.0.0:52869
- 0.0.0.0:9000
Establishes connection:
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
HTTP GET requests:
- pa######.com/raw/ByvbTFGe
DNS ASK:
Sends data to the following servers:
Receives data from the following servers: