Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- a
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:63841
Establishes connection:
- 8.#.8.8:53
- 20#.##9.49.21:8080
- 20#.##5.10.177:8080
- 18#.##.32.59:8080
- 18#.#5.32.59:80
- 18#.###.212.199:8080
- 18#.##.58.177:8080
- 20#.###.209.115:8080
- 62.###.10.177:80
- 89.##.58.177:80
- 58.###.212.199:80
- 1.###.49.21:80
- 62.###.209.115:80
- 20#.###.170.202:7574
- 20#.##6.170.202:81
- 20#.##6.170.202:80
- 20#.###.170.202:49152
- 20#.###.170.202:8080
- 20#.###.170.202:8443
- 20#.###.170.202:5555
- 21#.##.184.17:23
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- 13##.##idsoldier.fun
Sends data to the following servers:
- 18#.##5.234.129:23
- 13#.##4.182.143:23
- 57.###.10.254:23
- 88.##4.9.252:23
- 15#.##7.123.32:23
- 14#.##9.203.207:23
- 14.##.87.34:23
- 15#.##6.158.104:23
- 96.###.178.68:23
- 21#.##.184.17:23