Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches processes:
- sh -c crontab -l | grep <SAMPLE_FULL_PATH>|| (crontab -l ; echo \"* * * * * <SAMPLE_FULL_PATH>\") | crontab -
- crontab -l
- grep <SAMPLE_FULL_PATH>
- crontab -
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.Ino9LI
Creates or modifies files:
- /var/spool/cron/crontabs/tmp.Ino9LI
- /var/spool/cron/.url
- /root/.url
Network activity:
Awaits incoming connections on ports:
- 0.0.0.0:28476
Establishes connection:
- 127.0.0.1:28476
- <LOCAL_DNS_SERVER>
- 13#.#.24.153:8080
- 19#.##.105.73:8080
- 13#.#.24.153:8081
- 13#.#.24.153:80
- 19#.##.105.73:8081
- 19#.##.105.73:80
- 11#.#.55.199:8080
- 11#.#.55.199:8081
- 11#.#.55.199:80
Attacks using a special dictionary (brute-force technique) via the SSH protocol
Connects to the following servers over the IRC protocol:
- Server: 18#.#1.146.112; Command: NICK QJKCDV\nUSER EYFJOF localhost localhost :AJCNJDR\n
- Server: 18#.#1.146.112; Command: MODE QJKCDV -xi\n
- Server: 18#.#1.146.112; Command: JOIN #x86 :\n
- Server: 18#.#1.146.112; Command: JOIN #ssh :\n
- Server: 18#.#1.146.112; Command: JOIN #ssh2 :\n
- Server: 18#.#1.146.112; Command: WHO QJKCDV\n
DNS ASK:
- 45######9416fdsqfdsqfdsq.ru
