Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Launches processes:
- /usr/bin/crontab -
- mount
- ./cpu_hu
- <SAMPLE_FULL_PATH> {70d0be7374677265733a207265706c69636174696f6e206c61756e63686572}
- /memfd: (deleted) ./10 -c/tmp/...
- bash -c ./cpu_hu
- /usr/bin/crontab
- bash -c echo \x22* * * * * <SAMPLE_FULL_PATH>\x22 | /usr/bin/crontab -
- bash -c /usr/bin/crontab -r
Kills the following processes:
- memfd: (deleted
Performs operations with the file system:
Modifies file access rights:
- /var/tmp/.private-YO1lKF399NbEEUQUNDMl-login.service-CgeHDZ
- /var/spool/cron/crontabs/tmp.le1AAR
- /var/spool/cron/crontabs/tmp.hyYxIf
Creates or modifies files:
- /var/tmp/.private-YO1lKF399NbEEUQUNDMl-login.service-CgeHDZ
- /var/tmp/.private-fBUZbhy7845fgmk1Gqci-login.service-S90agO
- /var/spool/cron/crontabs/tmp.le1AAR
- /var/spool/cron/crontabs/tmp.hyYxIf
- /usr/local/lib/python2.7/dist-packages/cpu_hu
- /tmp/...
- /memfd: (deleted)
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Deletes files:
- /tmp/...
Locks files:
- /var/tmp/.private-fBUZbhy7845fgmk1Gqci-login.service-S90agO
Changes time of creation/access/modification of files:
- /var/spool/cron/crontabs
Network activity:
Establishes connection:
- 127.0.0.1:5432
- [:##]:5432
- 8.#.8.8:53
- 14#.##.121.5:443
- 14#.##.121.4:443
- 18#.##9.109.133:9
- 18#.##9.110.133:9
- 18#.##9.108.133:9
- 18#.##9.111.133:9
- 18#.##9.109.133:443
- 20#.##.222.222:53
DNS ASK:
- mi##.c3pool.com
Sends data to the following servers:
- 8.#.8.8:53
- 14#.##.121.5:443
- 14#.##.121.4:443
- 18#.##9.109.133:443
Receives data from the following servers:
- 8.#.8.8:53
- 14#.##.121.5:443
- 14#.##.121.4:443
- 18#.##9.109.133:443
Other:
Collects CPU information
Collects RAM information
Collects information about network activity