Technical Information
Malicious functions:
Substitutes application name for:
- /bin/busybox
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:51101
Establishes connection:
- 8.#.8.8:53
- 23.###.165.119:1024
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Sends data to the following servers:
- 23.###.165.119:1024
- 16#.##7.191.182:23
- 19#.##4.157.98:23
- 13#.##5.88.156:23
- 20#.##2.70.13:23
- 27.#.142.127:23
- 20#.##2.222.34:23
- 17.###.122.11:23
- 18#.##3.120.224:23
- 27.#.243.224:23
- 11#.##8.176.119:23
- 21#.##3.212.159:23
- 16#.##1.138.160:23
- 11#.##7.23.211:23
- 11#.##2.153.251:23
- 13#.##7.126.251:23
- 27.#.232.192:23
- 27.#.73.242:23
- 19#.##5.73.94:23
- 20#.##2.66.104:23
- 11#.#8.39.55:23
- 11#.##.163.27:23
- 67.##.245.61:23
- 60.###.130.117:23
- 20#.##2.180.133:23
- 11#.#3.71.77:23
- 11#.##8.208.85:23
- 20#.##8.50.172:23
- 11#.##7.18.175:23
- 27.#.233.75:23
- 22#.##2.200.70:23
- 19#.##8.135.156:23
- 13#.##7.233.229:23
- 20#.##6.32.151:23
- 11#.##8.209.115:23
- 17#.##8.239.214:23
- 27.#.140.62:23
- 23#.##.98.153:23
- 80.###.137.195:23
- 60.###.207.42:23
- 25#.##.125.74:23
- 86.##.99.133:23
- 11#.##.112.113:23
- 60.###.157.40:23
- 42.###.126.211:23
- 60.##3.51.69:23
- 60.###.221.204:23
- 90.###.150.132:23
- 13#.#7.24.31:23
- 60.###.54.112:23
- 17#.##2.190.201:23
- 60.###.249.117:23
- 36.###.68.175:23
- 11#.##8.36.188:23
- 11#.##2.171.216:23
- 14.###.186.211:23
- 14#.#00.8.86:23
- 93.##.19.144:23
- 22#.##2.35.18:23
- 76.###.100.195:23
- 11#.##.35.230:23
- 16#.##7.41.147:23
- 87.###.131.60:23
- 71.###.245.79:23
- 11#.##.69.130:23
- 17.##.242.160:23
- 9.###.75.97:23
- 23#.##.221.200:23
- 27.#.111.243:23
- 20#.##2.80.197:23
Receives data from the following servers:
- 23.###.165.119:1024