Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- e38387
Kills the following processes:
- systemd
- kthreadd
- ksoftirqd/0
- kworker/0:0
- kworker/0:0H
- watchdog/0
- khelper
- kdevtmpfs
- netns
- khungtaskd
- writeback
- ksmd
- crypto
- kintegrityd
- bioset
- kblockd
- kswapd0
- fsnotify_mark
- kthrotld
- ipv6_addrconf
- deferwq
- kworker/u2:1
- kpsmoused
- scsi_eh_0
- scsi_tmf_0
- kworker/0:1H
- kworker/u2:2
- jbd2/sda1-8
- ext4-rsv-conver
- kauditd
- kworker/0:3
- systemd-journal
- systemd-udevd
- rpciod
- nfsiod
- systemd-logind
- kworker/0:1
- dhclient
- lockfile-touch
- kworker/0:2
- 9bc2fd2a
- systemd-cgroups
- systemctl
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:33337
- 0.0.0.0:23153
Establishes connection:
- 8.#.8.8:53
- 45.###.232.208:33335
- 96.##.200.115:15527
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- ro##me.xyz
Sends data to the following servers:
- 45.###.232.208:33335
- 96.##.200.115:15527
- 23#.##.131.79:23
- 63.##.237.107:23
- 40.##.38.118:23
- 12#.##0.49.216:23
- 54.###.183.116:23
- 12#.##1.188.70:23
- 77.###.159.224:23
- 23#.##.139.201:23
- 85.##.53.78:23
- 16#.##3.130.231:23
- 71.###.222.175:23
- 22#.#.179.11:23
- 42.##.182.40:23
- 20#.#51.7.46:23
- 23#.##.166.222:23
- 85.###.244.62:23
- 15#.##2.7.220:23
- 20#.#.165.164:23
- 10#.##.114.254:23
- 12#.##.184.119:23
- 88.###.218.177:23
- 12#.##2.160.69:23
- 50.###.61.144:23
- 24#.##.128.143:23
- 63.##.143.137:23
- 21#.##.87.227:23
- 4.##.247.214:23
- 99.###.163.156:23
- 82.#.64.145:23
- 50.###.204.152:23
- 17#.##4.164.173:23
- 77.##.206.186:23
- 29.###.185.52:23
- 33.###.104.188:23
- 5.##.162.107:23
- 20#.#0.9.209:23
- 75.###.154.220:23
- 14#.##9.137.142:23
- 18#.##6.156.163:23
- 16#.##0.101.106:23
- 40.##.107.98:23
- 20#.##8.213.150:23
- 63.##.82.36:23
- 10#.##.106.109:23
- 19.###.215.14:23
- 24#.##6.219.231:23
- 19#.##3.91.165:23
- 20#.##7.71.191:23
- 12#.##6.193.49:23
- 83.##2.77.56:23
- 4.###.23.165:23
- 10#.##.165.100:23
- 23#.##2.239.31:23
- 55.##.249.25:23
- 21#.##1.45.249:23
- 20#.##.173.244:23
- 52.##.14.70:23
- 37.##.146.211:23
- 44.##.21.229:23
- 58.##.7.23:23
- 22.##.113.52:23
- 13#.##2.225.57:23
- 21#.##.240.40:23
- 11#.##1.26.10:23
- 13#.##8.152.28:23
- 23#.##9.190.190:23
- 14#.##.232.240:23
- 21#.##4.108.217:23
- 53.##.164.27:23
- 21#.##2.1.149:23
- 14#.##1.207.12:23
- 81.##3.232.2:23
- 14#.##7.225.142:23
- 25#.##.236.121:23
- 17#.##4.129.14:23
- 14#.##6.31.214:23
- 14#.##.42.165:23
- 59.##4.2.105:23
- 58.###.177.222:23
- 15.###.192.193:23
- 15#.##9.173.171:23
- 24#.##5.49.175:23
- 18.##.102.225:23
- 22#.##.39.200:23
- 10#.#0.26.49:23
- 97.###.223.124:23
- 53.##7.93.28:23
- 27.##.101.189:23
- 19#.##6.25.15:23
- 11#.##.189.45:23
- 19#.##.201.232:23
- 11#.##7.119.113:23
Receives data from the following servers:
- 45.###.232.208:33335