Linux.Siggen.3829
Added to the Dr.Web virus database:
2021-04-05
Virus description added:
2021-04-04
Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
Network activity:
Awaits incoming connections on ports:
Establishes connection:
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
Sends data to the following servers: