Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- gf128mul
Launches processes:
- sh -c
- base64 -d
- bash
- xargs fuser -k
- find /root/.ddg/*
- fuser -k
- xargs chattr -i
- find /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/crontab /etc/cron.weekly
- chattr -i /etc/cron.d /etc/cron.d/.placeholder /etc/cron.daily /etc/cron.daily/passwd /etc/cron.daily/aptitude /etc/cron.daily/mlocate /etc/cron.daily/logrotate /etc/cron.daily/apt /etc/cron.daily/bsdmainutils /etc/cron.daily/.placeholder /etc/cron.daily/dpkg /etc/cron.daily/man-db /etc/cron.daily/exim4-base /etc/cron.hourly /etc/cron.hourly/.placeholder /etc/cron.monthly /etc/cron.monthly/.placeholder /etc/crontab /etc/cron.weekly /etc/cron.weekly/.placeholder /etc/cron.weekly/man-db
- xargs rm -f
- cut -f 1 -d :
- grep -RE (wget|curl) /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
- rm -f
- find /var/spool/cron
- chattr -i /var/spool/cron /var/spool/cron/atjobs /var/spool/cron/atjobs/.SEQ /var/spool/cron/atspool /var/spool/cron/crontabs
- grep -RE (wget|curl|tmp00|upd|X13) /var/spool/cron
- xargs sed -i /wget\|curl\|tmp00\|update.sh\|\/upd\|firefoxcatche\|X13-unix/d
- sed -i /wget\|curl\|tmp00\|update.sh\|\/upd\|firefoxcatche\|X13-unix/d
- grep -RE REDIS00 /var/spool/cron
- sed /curl/d
- sed /wget/d
- crontab -l
- sed /tmp00/d
- sed /\upd/d
- sed /X13/d
- sed /firefoxcatche/d
- crontab -
- pkill -9 -f sleep|kworkre|kwroker|crun|watchog|watchbog|watchbug|pastebin
- pkill -9 -f 8220|aegis_|AliHids|AliYunDun|aliyun-service|azipl|cr.sh|cronds|crun|cryptonight|ddgs|fs-manager|finJG|havegeds|hashfish|hwlh3wlh44lh|HT8s|java-c|kerberods|khugepageds|kintegrityds|kpsmouseds|kthrotlds|kworkerds|kworkre|kwroker|mewrs|miner|mr.sh|muhsti|mygit|networkservice|orgfs|pastebin|qW3xT|qwefdas|stratum|sustes|sustse|sysguard|t00ls|thisxxs|/tmp/ddgs|/tmp/java|/tmp/udevs|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|X13-unix|zer0
- rm -rf /root/.wget-* /root/.tmp00 /tmp/.X13-unix
- grep -q rapid7 /etc/hosts
- grep -q aptget /etc/hosts
- grep -q tor2we /etc/hosts
Kills the following processes:
- run.sh
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.UAmaNT
Creates or modifies files:
- /tmp/.X1M-unix
- /var/spool/cron/crontabs/tmp.UAmaNT
Locks files:
- /tmp/.X1M-unix
Other:
Collects CPU information
Collects RAM information