Linux.Siggen.7620
Added to the Dr.Web virus database:
2024-06-13
Virus description added:
2024-06-13
Technical Information
Malicious functions:
Removes the following system files:
Launches processes:
- rm -rf /usr/bin/lic*
- mkdir -p /home/cPanelInstall/selfgz768
- /usr/bin/perl -MFindBin -e1
- dd if=latest ibs=12000 skip=1 obs=1024 conv=sync
- tee -a /opt/system_cleaner
- dd ibs=1 obs=1024 count=19
- cut -b-32
- rm -rf /etc/cron.d/licsys*
- <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' "$@" <SAMPLE_FULL_PATH>
- rm -rf /etc/cron.d/CSP*
- wc -c
- rm -rf /usr/bin/CPS*
- tty -s
- rm -rf /etc/cron.d/lm*
- rm -rf /usr/bin/lm*
- expr 59411 % 1024
- tar xvf -
- rm -rf /usr/bin/RC*
- <0xd3>
- /bin/bash -- latest
- rm -rf /usr/bin/Rc*
- expr 12000 + 59411
- expr 1 + 1
- tr -d
- cat /opt/email
- rm -rf /usr/bin/licsys*
- sleep 5
- rm -rf /usr/bin/rcp
- /usr/bin/md5sum
- rm -rf /etc/cron.d/lic*
- gzip -cd
- curl -s -A HFN_bypass https://mx1.hfn.ee/ip.php
- rm -rf /etc/cron.d/rc*
- expr 59411 / 1024
- rm -rf /etc/cron.d/license*
- /bin/sh /usr/bin/which md5sum
- dd ibs=1024 obs=1024 count=58
- rm -rf /etc/cron.d/CPS*
- clear
- rm -rf /usr/bin/CSP*
- head -n 497 latest
- rm -rf /usr/bin/gb*
- curl -o latest -L https://securedownloads.cpanel.net/latest
- sh latest
- cut -d -f1
Performs operations with the file system:
Creates folders:
- /home/cPanelInstall
- /home/cPanelInstall/selfgz768
Creates or modifies files:
- /opt/system_cleaner
- /root/latest
Network activity:
Establishes connection:
- 8.#.8.8:53
- [2######c0:3ea:1e9::1]:443
- (e##val)
- 2.##.246.8:443
- 10#.##.35.25:443
- 17#.##.152.231:443
DNS ASK:
- mx#.hfn.ee
- se######wnloads.cpanel.net
Sends data to the following servers:
- 2.##.246.8:443
- 10#.##.35.25:443
Receives data from the following servers:
- 2.##.246.8:443
- 10#.##.35.25:443
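The process, file and DNS lists above are the indicators a responder would hunt for. The script below is an added example (not Dr.Web's code) that scores a stream of process-execution and DNS events against those indicators. The event format (one line per event, `<epoch> EXEC <command line>` or `<epoch> DNS <qname>`), the per-indicator weights and the alert threshold are assumptions for illustration; map your own auditd execve records or eBPF tracer output onto that shape. Note the caveat built into the weights: the download from securedownloads.cpanel.net, the selfgz directory and the dd/gzip/tar unpacking chain are what fetching and running the cPanel installer looks like on any host, so they only add context; the rm -rf of license-related cron jobs and binaries, the HFN_bypass beacon to mx1.hfn.ee and the writes to /opt/system_cleaner are what distinguish this sample.

```python
"""Hunting helper for the Linux.Siggen.7620 indicators listed in the report.

Added example, not Dr.Web's code. The event-log format, the indicator weights
and ALERT_THRESHOLD are assumptions for illustration.
"""
import re
from typing import Iterable

# Process indicators transcribed from the "Launches processes" list:
# (name, pattern over the full command line, weight). Weights are an
# assumption chosen so that a plain cPanel install (curl of /latest, selfgz
# directory, sh latest) stays below ALERT_THRESHOLD on its own.
EXEC_INDICATORS = [
    ("wipe_cron_license_jobs",
     re.compile(r"^rm -rf /etc/cron\.d/(?:lic|licsys|license|CSP|CPS|lm|rc)\*$"), 3),
    ("wipe_usr_bin_license_tools",
     re.compile(r"^rm -rf /usr/bin/(?:(?:lic|licsys|CSP|CPS|lm|RC|Rc|gb)\*|rcp)$"), 3),
    ("hfn_ip_beacon",
     re.compile(r"^curl\s.*-A HFN_bypass\s.*https://mx1\.hfn\.ee/ip\.php"), 5),
    ("append_opt_system_cleaner", re.compile(r"^tee -a /opt/system_cleaner$"), 3),
    ("read_opt_email", re.compile(r"^cat /opt/email$"), 2),
    ("fetch_cpanel_installer",
     re.compile(r"^curl\s.*-o latest\s.*https://securedownloads\.cpanel\.net/latest$"), 1),
    ("cpanel_selfextract_dir", re.compile(r"^mkdir -p /home/cPanelInstall/selfgz\d+$"), 1),
]

# DNS indicators from the "DNS ASK" list. The cPanel download host is
# legitimate and carries no weight; the hfn.ee lookup is the distinguishing one.
DNS_INDICATORS = [
    ("dns_mx1_hfn_ee", re.compile(r"(?:^|\.)mx1\.hfn\.ee$", re.IGNORECASE), 5),
    ("dns_cpanel_downloads", re.compile(r"^securedownloads\.cpanel\.net$", re.IGNORECASE), 0),
]

ALERT_THRESHOLD = 8  # assumption; tune against your own baseline


def scan(events: Iterable[str]) -> dict:
    """Score event lines of the form '<ts> EXEC <cmdline>' or '<ts> DNS <qname>'.

    Returns the total score, the distinct indicator names that fired and
    whether the score reaches ALERT_THRESHOLD. Each indicator counts once
    no matter how many events match it.
    """
    hits = {}
    for line in events:
        parts = line.strip().split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the hunt
        _ts, kind, payload = parts
        if kind == "EXEC":
            table = EXEC_INDICATORS
        elif kind == "DNS":
            table = DNS_INDICATORS
        else:
            continue
        for name, pattern, weight in table:
            if pattern.search(payload):
                hits[name] = weight
    score = sum(hits.values())
    return {"score": score, "hits": sorted(hits), "alert": score >= ALERT_THRESHOLD}


def suspicious_paths(paths: Iterable[str]) -> list:
    """Filter a directory listing down to the artifacts the report names under
    'Creates folders' and 'Creates or modifies files'."""
    wanted = re.compile(r"^(?:/opt/system_cleaner|/home/cPanelInstall(?:/selfgz\d+)?|/root/latest)$")
    return sorted(p for p in paths if wanted.match(p))


# Constructed sample logs (not real captures) so the script runs stand-alone.
SAMPLE_MALWARE = [
    "1718236800 EXEC rm -rf /etc/cron.d/licsys*",
    "1718236800 EXEC rm -rf /usr/bin/lic*",
    "1718236801 EXEC cat /opt/email",
    "1718236801 DNS mx1.hfn.ee",
    "1718236802 EXEC curl -s -A HFN_bypass https://mx1.hfn.ee/ip.php",
    "1718236802 EXEC tee -a /opt/system_cleaner",
    "1718236803 DNS securedownloads.cpanel.net",
    "1718236803 EXEC curl -o latest -L https://securedownloads.cpanel.net/latest",
    "1718236804 EXEC mkdir -p /home/cPanelInstall/selfgz768",
    "1718236804 EXEC sh latest",
]
SAMPLE_BENIGN_CPANEL_INSTALL = [
    "1718240400 DNS securedownloads.cpanel.net",
    "1718240400 EXEC curl -o latest -L https://securedownloads.cpanel.net/latest",
    "1718240401 EXEC sh latest",
    "1718240402 EXEC mkdir -p /home/cPanelInstall/selfgz4242",
    "1718240402 EXEC tar xvf -",
]

if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_MALWARE), ("benign install", SAMPLE_BENIGN_CPANEL_INSTALL)):
        print(label, scan(log))
    print(suspicious_paths(["/opt/system_cleaner", "/opt/email", "/root/latest", "/tmp/x"]))
```

Run it on the constructed logs and the sample sequence alerts while the plain installer run does not; when you feed it real execve records, keep the full argv joined with single spaces so the anchored patterns still match.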
Curing recommendations