Linux.Siggen.3680
Added to the Dr.Web virus database:
2021-02-25
Virus description added:
2021-02-25
Technical Information
Malicious functions:
Modifies firewall settings:
Manages services:
- service iptables reload
- systemctl stop aliyun.service
- systemctl disable aliyun.service
- service bcm-agent stop
- systemctl stop bcm-agent.service
- systemctl stop c3pool_miner.service
- service apparmor stop
- systemctl stop apparmor.service
- systemctl disable apparmor
- service aliyun.service stop
Launches processes:
- bash -c
- chattr -iua /tmp/
- chattr -iua /var/tmp/
- mv /sbin/iptables /sbin/iptables__
- id -u
- sysctl kernel.nmi_watchdog=0
- ps aux
- grep -i [a]liyun
- bash
- pkill aliyun-service
- rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service /usr/local/aegis*
- apt-get remove bcm-agent -y
- /usr/bin/dpkg --print-foreign-architectures
Performs operations with the file system:
Modifies file access rights:
- /var/cache/apt/pkgcache.bin.pKj98w
Creates or modifies files:
- /sbin/iptables
- /proc/sys/kernel/nmi_watchdog
- /etc/sysctl.conf
- /var/lib/dpkg/lock
- /var/cache/apt/pkgcache.bin.pKj98w
- /etc/selinux/config
Deletes files:
- /etc/init.d/agentwatch
- /usr/sbin/aliyun-service
- /usr/local/aegis*
- /var/cache/apt/pkgcache.bin
Other:
Collects CPU information
Collects RAM information
Collects information about network activity
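Host-triage script, added here as an example and not part of the Dr.Web entry or the sample: a POSIX shell script that inspects a root directory (a live `/` or the mount point of an offline image) for the file-level traces the commands above leave behind: the renamed `/sbin/iptables__`, `kernel.nmi_watchdog=0` live and persisted in `/etc/sysctl.conf`, `SELINUX=disabled` in `/etc/selinux/config`, the listed units (`aliyun.service`, `apparmor.service`, `bcm-agent.service`) left on disk but not enabled, and `/usr/sbin/aliyun-service` removed while its unit remains. Treating a unit as disabled when no `*.wants/` link points at it is an approximation of `systemctl is-enabled`, which stays authoritative on a live host; the infected-looking tree the script builds for its demo is constructed, not a real capture. Nothing here detects the `chattr -iua` calls or the deletion of `/usr/local/aegis*`, which need a baseline to compare against.

```shell
#!/bin/sh
# Triage for the artifacts listed in this entry. Added example, not Dr.Web's
# or the sample's code. ROOT is "/" on a live host or a mounted image path.

hit() {                      # record one finding: message on stderr, count in $hits
    printf 'HIT: %s\n' "$1" >&2
    hits=$((hits + 1))
}

# 0 if the unit file exists under $root but no *.wants/ directory links to it,
# i.e. present but disabled. Assumption: file-level stand-in for
# "systemctl is-enabled"; units pulled in by other means are not covered.
unit_present_but_disabled() {
    root="$1"; unit="$2"
    [ -e "$root/lib/systemd/system/$unit" ] || [ -e "$root/etc/systemd/system/$unit" ] || return 1
    for link in "$root"/etc/systemd/system/*.wants/"$unit"; do
        { [ -e "$link" ] || [ -L "$link" ]; } && return 1
    done
    return 0
}

# Prints HIT lines to stderr and the number of findings to stdout.
check_indicators() {
    root="${1%/}"           # "/" becomes "" so that "$root/sbin" is "/sbin"
    hits=0

    # mv /sbin/iptables /sbin/iptables__ leaves the renamed binary behind
    [ -e "$root/sbin/iptables__" ] && hit "$root/sbin/iptables__ present (iptables moved aside)"

    # sysctl kernel.nmi_watchdog=0: live value, and the line written to /etc/sysctl.conf
    if [ -r "$root/proc/sys/kernel/nmi_watchdog" ] && [ "$(cat "$root/proc/sys/kernel/nmi_watchdog")" = "0" ]; then
        hit "kernel.nmi_watchdog is 0"
    fi
    grep -qs '^[[:space:]]*kernel\.nmi_watchdog[[:space:]]*=[[:space:]]*0' "$root/etc/sysctl.conf" \
        && hit "kernel.nmi_watchdog=0 persisted in $root/etc/sysctl.conf"

    # /etc/selinux/config is rewritten; the edit worth flagging is SELINUX=disabled
    grep -qs '^SELINUX=disabled' "$root/etc/selinux/config" \
        && hit "SELinux disabled in $root/etc/selinux/config"

    # systemctl disable aliyun.service / apparmor / bcm-agent: unit on disk, no wants link
    for u in aliyun.service apparmor.service bcm-agent.service; do
        unit_present_but_disabled "$root" "$u" && hit "$u present but not enabled"
    done

    # rm -rf /usr/sbin/aliyun-service while the unit that started it is still there
    if { [ -e "$root/lib/systemd/system/aliyun.service" ] || [ -e "$root/etc/systemd/system/aliyun.service" ]; } \
        && [ ! -e "$root/usr/sbin/aliyun-service" ]; then
        hit "aliyun.service unit present but $root/usr/sbin/aliyun-service is gone"
    fi

    printf '%s\n' "$hits"
}

# Constructed tree mimicking a host after the commands above ran (not a real capture).
make_sample_tree() {
    d="$1"
    mkdir -p "$d/sbin" "$d/proc/sys/kernel" "$d/etc/selinux" "$d/usr/sbin" \
             "$d/lib/systemd/system" "$d/etc/systemd/system/multi-user.target.wants"
    : > "$d/sbin/iptables__"                          # renamed firewall binary
    echo 0 > "$d/proc/sys/kernel/nmi_watchdog"
    echo 'kernel.nmi_watchdog=0' >> "$d/etc/sysctl.conf"
    echo 'SELINUX=disabled' > "$d/etc/selinux/config"
    : > "$d/lib/systemd/system/aliyun.service"        # unit kept, binary deleted, not enabled
    : > "$d/lib/systemd/system/apparmor.service"      # unit kept, not enabled
    : > "$d/lib/systemd/system/bcm-agent.service"     # still enabled below, so no finding
    ln -s ../../../../lib/systemd/system/bcm-agent.service \
          "$d/etc/systemd/system/multi-user.target.wants/bcm-agent.service"
}

demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "findings in constructed tree $d: $(check_indicators "$d")"
    rm -rf "$d"
}

case "${1:-}" in
    --demo) demo ;;                  # run against the constructed tree
    '')     ;;                       # no argument: only define the functions
    *)      check_indicators "$1" ;; # e.g. ./triage.sh / or ./triage.sh /mnt/image
esac
```

Run it with `--demo` to see the seven findings the constructed tree produces, or pass `/` (or an image mount point) to triage a real system; findings go to stderr and the count to stdout so the script can be scripted over many hosts.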