Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- busybox
Kills the following processes:
- rpc.statd
- dbus-daemon
- exim4
- bash
- run.sh
- <SAMPLE>
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:31573
Establishes connection:
- 8.#.8.8:53
- 20#.###.97.169:31574
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- sc##.#witchnets.net
Sends data to the following servers:
- 13#.##0.187.73:8080
- 18#.#04.6.1:81
- 16#.###.148.148:8000
- 19#.##0.253.17:80
- 19#.#.134.155:8080
- 36.##.57.157:80
- 16#.##0.18.62:81
- 18#.###.237.239:8000
- 21#.##.149.43:5555
- 70.###.92.118:81
- 68.##.205.137:8000
- 22#.##.175.83:8000
- 15#.#3.64.60:80
- 65.###.44.106:5555
- 31.###.135.124:8080
- 37.###.119.28:81
- 15#.##8.239.31:80
- 12#.##7.224.138:81
- 58.###.6.105:8000
- 12#.##5.15.42:81
- 14#.##6.80.59:81
- 20#.##2.230.62:8080
- 20#.###.181.123:8000
- 15#.##.165.108:5555
- 19#.###.177.179:8000
- 37.##.165.106:80
- 18#.###.132.212:8000
- 16#.##.229.246:8080
- 62.###.249.117:8000
- 84.###.177.206:80
- 18#.#.242.93:5555
- 10#.###.123.146:8000
- 19#.###.153.199:8000
- 10#.##.108.228:8080
- 65.###.230.128:5555
- 15#.##.18.44:8000
- 11#.##.83.122:8080
- 19#.##.123.10:81
- 20#.###.97.169:31574
- 16#.##.142.150:81
- 19#.###.130.139:8000
- 65.##.255.30:5555
- 37.###.13.116:8080
- 35.##.196.108:81
- 11#.##.40.40:5555
- 42.###.65.7:5555
- 41.###.61.65:8000
- 10#.##4.16.199:8080
- 14#.##.31.124:5555
- 12#.##8.117.17:80
- 48.###.181.54:80
- 21#.##.146.201:8080
- 18#.##.84.124:81
- 16#.##1.62.152:81
- 17#.##.187.107:80
- 40.##0.201.4:81
- 91.##.180.20:8080
- 11#.##.201.99:8000
- 15#.##7.195.117:80
- 12#.#.110.53:81
- 17#.##.109.195:81
- 38.##5.48.15:80
- 13#.##.103.56:80
- 10#.##2.216.88:5555
- 19#.##.97.158:8000
- 46.###.144.139:81
- 22#.#5.236.0:80
- 16#.##9.24.155:81
- 20#.##.124.32:5555
- 15#.##6.32.253:8080
- 42.##.106.8:8000
- 20#.##.75.95:5555
- 12#.##8.104.104:80
- 85.###.227.254:8000
- 19.##.234.237:80
- 79.###.185.99:5555
- 20#.###.243.126:8000
- 21#.##.142.64:5555
- 85.##.211.172:5555
- 22#.##.34.63:8080
- 15#.##.111.23:80
- 15#.###.229.115:8000
- 65.##.229.248:8080
- 18#.##.107.65:81
- 97.###.179.133:8080
- 11#.##5.35.174:8080
- 18#.##.32.167:5555
- 13.###.68.49:8080
- 96.##2.24.70:81
- 35.##.186.178:5555
- 17#.##7.33.232:5555
- 18#.##3.32.24:8000
- 79.###.203.22:80
- 15#.##0.209.119:81
- 13#.###.235.167:8080
- 19#.##9.135.95:5555
- 35.###.123.69:8000
- 37.##.63.77:81
- 99.###.125.174:81
- 44.##.173.154:5555
- 78.###.1.19:5555
- 23.##.126.67:80
- 20#.##.156.56:80
- 39.###.105.21:5555
- 12#.#.159.229:8080
- 42.###.145.132:8000
- 67.###.221.151:81
- 11#.###.129.186:8000
- 48.###.79.229:8000
- 94.##.115.116:8000
- 18#.###.118.252:8000
- 11#.##4.34.123:8000
- 19#.##6.209.239:81
- 63.##3.91.20:81
- 31.##.68.146:80
- 10#.##7.125.23:81
- 17.##.227.242:81
- 15#.##8.196.166:80
- 27.##.216.59:5555
- 43.###.175.228:5555
- 20#.###.141.242:5555
- 17#.##4.43.185:80
- 88.###.96.21:5555
- 16#.##.65.104:81
- 20#.##.234.34:8000
- 17.###.147.186:8000
- 82.###.179.47:81
- 17#.##.154.43:81
- 79.##7.72.68:80
- 17#.##.119.27:5555
- 14#.##.61.84:8000
- 11#.##.213.6:8000
- 94.###.254.158:81
- 96.###.245.119:8000
- 14#.##.136.34:8080
Receives data from the following servers:
- 20#.###.97.169:31574