Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Modifies router settings:
- /bin/nvram
Launches processes:
- rm -rf /var/run/wgsh
- rm -rf /var/run/bbsh
- rm -rf /var/run/pty
- cat /tmp/.xs/*.pid
- rm -rf /tmp/.xs/*
- sh -c chmod 700 <SAMPLE_FULL_PATH> > /dev/null 2>&1 &
- sh -c touch -acmr /bin/ls <SAMPLE_FULL_PATH>
- chmod 700 <SAMPLE_FULL_PATH>
- touch -acmr /bin/ls <SAMPLE_FULL_PATH>
- sh -c (crontab -l | grep -v \"<SAMPLE_FULL_PATH>\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1
- crontab -l
- grep -v <SAMPLE_FULL_PATH>
- grep -v no cron
- grep -v lesshts/run.sh
- sh -c echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\" >> /var/run/.x001804289383
- sh -c crontab /var/run/.x001804289383
- crontab /var/run/.x001804289383
- sh -c rm -rf /var/run/.x001804289383
- rm -rf /var/run/.x001804289383
- /bin/uname -n
Attempts to kill the following processes:
- killall -9 arm
- killall -9 mips
- killall -9 mipsel
- killall -9 powerpc
- killall -9 ppc
- killall -9 daemon.armv4l.mod
- killall -9 daemon.i686.mod
- killall -9 daemon.mips.mod
- killall -9 daemon.mipsel.mod
Performs operations with the file system:
Modifies file access rights:
- <SAMPLE_FULL_PATH>
- /var/spool/cron/crontabs/tmp.SFlXGo
Creates or modifies files:
- /etc/resolv.conf
- /var/run/.x001804289383
- /run/.x001804289383
- /var/spool/cron/crontabs/tmp.SFlXGo
Deletes files:
- /var/run/wgsh
- /var/run/bbsh
- /var/run/pty
- /tmp/.xs/*
- /var/run/.x001804289383
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:64008
Establishes connection:
- 14#.##7.14.109:7888
Other:
Collects OS information
