Linux.Siggen.4085
Added to the Dr.Web virus database: 2021-08-02
Virus description added: 2021-08-02
Technical Information
Malicious functions:
Launches processes:
- chmod +x /bin/chattr
- chmod +x /usr/bin/chattr
- chattr -iae /tmp/iptableupdate.sh
- /bin/sh -c chmod +x /tmp/iptableupdate.sh > /dev/null 2>&1
- chmod +x /tmp/iptableupdate.sh
- chmod 777 /tmp/iptableupdate.sh
- /bin/sh -c nohup /tmp/iptableupdate.sh > /dev/null 2>&1 &
- chattr -iae /etc/iptablesupdate
- nohup /tmp/iptableupdate.sh
- /tmp/iptableupdate.sh
- /bin/sh /tmp/iptableupdate.sh
- chattr -iae /tmp/iptablesupdate
- ps -ef
- grep -w iptableupdate.sh
- grep -v grep
- wc -l
- /bin/sh -c \cp <SAMPLE_FULL_PATH> /etc/iptablesupdate > /dev/null 2>&1
- cp <SAMPLE_FULL_PATH> /etc/iptablesupdate
- /bin/sh -c \cp <SAMPLE_FULL_PATH> /tmp/iptablesupdate > /dev/null 2>&1
- cp <SAMPLE_FULL_PATH> /tmp/iptablesupdate
- chattr +ia /tmp/iptableupdate.sh
- chattr +ia /etc/iptablesupdate
- chattr +ia /tmp/iptablesupdate
- grep iptablesupdate
- chattr -iae /bin/dockerlogger
- chattr -iae /usr/bin/dockerlogger
- chmod +x /bin/dockerlogger
- chmod +x /usr/bin/dockerlogger
- /bin/sh -c \cp <SAMPLE_FULL_PATH> /etc/iptablesupdate
- /bin/sh -c \cp <SAMPLE_FULL_PATH> /usr/bin/dockerlogger
- cp <SAMPLE_FULL_PATH> /usr/bin/dockerlogger
- /bin/sh -c \cp <SAMPLE_FULL_PATH> /tmp/iptablesupdate
- chattr -ia /tmp/iptablesupdate
- /bin/sh -c \cp <SAMPLE_FULL_PATH> /bin/dockerlogger
- cp <SAMPLE_FULL_PATH> /bin/dockerlogger
- chmod +x /tmp/iptablesupdate
- sleep 5
- /tmp/iptablesupdate
- /bin/sh -c ps ux | awk '/etc\/iptablesupdate/ && !/awk/ {print $2}'
- ps ux
- awk /etc\/iptablesupdate/ && !/awk/ {print $2}
- /bin/sh -c nohup /etc/iptablesupdate > /dev/null 2>&1 &
- nohup /etc/iptablesupdate
- /etc/iptablesupdate
- chattr -iae /etc/init.d/dockerlogger
- chmod +x /etc/init.d/dockerlogger
- /bin/sh -c ln -s /etc/init.d/dockerlogger /etc/rc.d/rc0.d/S90dockerlogger
- ln -s /etc/init.d/dockerlogger /etc/rc.d/rc0.d/S90dockerlogger
- /bin/sh -c ln -s /etc/init.d/dockerlogger /etc/rc.d/rc1.d/S90dockerlogger
- ln -s /etc/init.d/dockerlogger /etc/rc.d/rc1.d/S90dockerlogger
- /bin/sh -c ln -s /etc/init.d/dockerlogger /etc/rc.d/rc2.d/S90dockerlogger
- ln -s /etc/init.d/dockerlogger /etc/rc.d/rc2.d/S90dockerlogger
- /bin/sh -c ln -s /etc/init.d/dockerlogger /etc/rc.d/rc3.d/S90dockerlogger
- ln -s /etc/init.d/dockerlogger /etc/rc.d/rc3.d/S90dockerlogger
- /bin/sh -c ln -s /etc/init.d/dockerlogger /etc/rc.d/rc4.d/S90dockerlogger
- ln -s /etc/init.d/dockerlogger /etc/rc.d/rc4.d/S90dockerlogger
- /bin/sh -c ln -s /etc/init.d/dockerlogger /etc/rc.d/rc5.d/S90dockerlogger
- ln -s /etc/init.d/dockerlogger /etc/rc.d/rc5.d/S90dockerlogger
- /bin/sh -c ln -s /etc/init.d/dockerlogger /etc/rc.d/rc6.d/S90dockerlogger
- ln -s /etc/init.d/dockerlogger /etc/rc.d/rc6.d/S90dockerlogger
- /bin/sh -c systemctl daemon-reload
- /bin/sh -c \cp /etc/iptablesupdate /etc/iptablesupdate > /dev/null 2>&1
Performs operations with the file system:
Modifies file access rights:
- /usr/bin/chattr
- /tmp/iptableupdate.sh
- /tmp/iptablesupdate
- /usr/bin/dockerlogger
- /bin/dockerlogger
Creates or modifies files:
- /tmp/iptableupdate.sh
- /etc/iptablesupdate
- /tmp/iptablesupdate
- /usr/bin/dockerlogger
- /bin/dockerlogger
Deletes files:
- /tmp/iptableupdate.sh
- /etc/iptablesupdate
- /root/iptablesupdate
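The process and file-system lists above describe one persistence routine: strip the immutable/append-only attributes with chattr -iae, copy the sample to /etc/iptablesupdate, /tmp/iptablesupdate, /usr/bin/dockerlogger and /bin/dockerlogger, re-lock the copies with chattr +ia, register /etc/init.d/dockerlogger through S90dockerlogger links in rc0.d to rc6.d, and use ps piped into grep or awk as a watchdog for the running copies. The triage script below is an added example, not Dr.Web's code and not the sample's; it checks a host for exactly those artefacts. The ROOT argument (pass a mount point to check an offline image) and the Debian-style /etc/rcN.d directories are assumptions of this script; the page itself only shows /etc/rc.d/rcN.d.

```shell
#!/bin/sh
# Host triage for the Linux.Siggen.4085 artefacts listed above.
# Added example, not Dr.Web's or the sample's code. Every path and link name
# below is taken from the process and file-system lists on this page; the
# ROOT argument (mount point of an offline image, empty = live host) is an
# assumption of this script.

SIGGEN_PATHS="/tmp/iptableupdate.sh /etc/iptablesupdate /tmp/iptablesupdate
/root/iptablesupdate /usr/bin/dockerlogger /bin/dockerlogger /etc/init.d/dockerlogger"

# Report each dropped file present under ROOT together with its ext attributes
# (the sample sets +ia, so an "i" or "a" in attrs confirms the lock and means
# chattr -ia is needed before rm). Returns 0 if anything was found, else 1.
siggen_check_files() {
    root=$1
    found=1
    for p in $SIGGEN_PATHS; do
        f="$root$p"
        [ -e "$f" ] || [ -L "$f" ] || continue
        attrs=-
        if command -v lsattr >/dev/null 2>&1; then
            attrs=$(lsattr -d "$f" 2>/dev/null | awk '{print $1}')
            [ -n "$attrs" ] || attrs=-
        fi
        printf 'FILE %s attrs=%s\n' "$f" "$attrs"
        found=0
    done
    return $found
}

# Report S90dockerlogger start links in rc0.d..rc6.d. The sample writes
# /etc/rc.d/rcN.d; the /etc/rcN.d layout is checked as an assumption.
# Returns 0 if anything was found, else 1.
siggen_check_rclinks() {
    root=$1
    found=1
    for n in 0 1 2 3 4 5 6; do
        for d in "$root/etc/rc.d/rc$n.d" "$root/etc/rc$n.d"; do
            l="$d/S90dockerlogger"
            [ -e "$l" ] || [ -L "$l" ] || continue
            printf 'RCLINK %s -> %s\n' "$l" "$(readlink "$l" 2>/dev/null)"
            found=0
        done
    done
    return $found
}

# Live host only: find running copies using the same patterns the sample's own
# ps|grep / ps|awk watchdog uses. Returns 0 if any process matched, else 1.
siggen_check_procs() {
    ps -eo pid,args 2>/dev/null | awk '
        /iptableupdate\.sh|\/etc\/iptablesupdate|\/tmp\/iptablesupdate|dockerlogger/ && !/awk/ {
            print "PROC " $0; n++
        }
        END { exit n ? 0 : 1 }'
}

# Run every check against ROOT ($1); returns 0 when nothing was found and
# 2 when at least one indicator is present.
siggen_triage() {
    hit=0
    siggen_check_files "$1" && hit=1
    siggen_check_rclinks "$1" && hit=1
    if [ -z "$1" ]; then
        siggen_check_procs && hit=1
    fi
    [ "$hit" -eq 0 ] || return 2
    return 0
}

# Usage: . ./siggen4085_triage.sh && siggen_triage [ROOT]
# (or uncomment the next line to run the file directly)
# siggen_triage "$1"
```

Source the file and call siggen_triage, optionally with the mount point of an image. Findings whose attrs contain "i" or "a" must be unlocked with chattr -ia before they can be removed, and the ps/grep checks in the process list suggest the running copies restart each other, so stop the matching processes before deleting the files.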
Network activity:
Establishes connection:
- 10#.###.103.16:26800
- <LOCAL_DNS_SERVER>
- 18#.##9.111.133:9
- 18#.##9.108.133:9
- 18#.##9.110.133:9
- 18#.##9.109.133:9
- 18#.##9.111.133:443
- 18#.##9.108.133:443
DNS ASK:
- sc###cjfi.tk
- sc###cjfi.com
- sc####jfi.pages.dev
- ra#.####ubusercontent.com
Other:
Collects CPU information
Collects RAM information
Collects information about network activity