Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- vwm5qvnvzkwif
Performs operations with the file system:
Deletes folders:
- <SAMPLE_FULL_PATH>
Creates or modifies files:
- <SAMPLE_FULL_PATH>
Deletes files:
- <SAMPLE_FULL_PATH>
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:13289
Establishes connection:
- 8.#.8.8:53
- 5.###.227.65:2231
- 43.###.119.46:2223
- 12#.##.183.50:2323
- 12#.##.16.33:2323
- 90.###.129.192:2223
- 13#.##.87.134:2223
- 15#.##6.74.3:2323
- 21#.###.117.207:2223
- 22#.###.160.187:2323
- 11#.##3.153.25:2223
- 14#.##.119.128:2223
- 11#.##9.86.42:2223
- 18#.##.202.72:2323
- 11#.##2.153.22:2323
- 22#.###.204.119:2223
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Attacks using a special dictionary (brute-force technique) via an undefined protocol.
Sends data to the following servers:
- 5.###.227.65:2231
- 96.###.105.233:2223
- 11#.##.175.163:2323
- 16#.##.96.147:2223
- 18#.##.42.125:2223
- 19.#.#53.165:2223
- 49.###.142.72:2323
- 20.###.132.20:2323
- 91.###.54.194:2223
Receives data from the following servers:
- 21#.###.117.207:2223
- 11#.##9.86.42:2223
- 5.###.227.65:2231